Computational security in cryptography carries the risk that the computational assumptions underlying the security are broken in the future. One solution is to construct information-theoretically secure protocols, but many cryptographic primitives are known to be impossible (or unlikely) to achieve with information-theoretic security, even in the quantum world. A nice compromise (intrinsic to the quantum setting) is certified everlasting security, which roughly means the following. A receiver in possession of quantum encrypted data can issue a certificate showing that the receiver has deleted the encrypted data. If the certificate is valid, security is guaranteed even if the receiver later becomes computationally unbounded. Although several cryptographic primitives, such as commitments and zero-knowledge, have been made certified everlasting secure, there are many other important primitives that are not known to be certified everlasting secure. In this paper, we introduce certified everlasting functional encryption (FE). In this primitive, a receiver holding the ciphertext of a message m and the functional decryption key of a function f can obtain f(m) and nothing else. The security holds even if the adversary becomes computationally unbounded after issuing a valid certificate. We first construct certified everlasting FE for P/poly circuits where the adversary is allowed only a single key query. We then extend it to a q-bounded one for NC1 circuits, where q-bounded means that the adversary is allowed q key queries for an a priori bounded polynomial q. For the construction of certified everlasting FE, we introduce and construct certified everlasting versions of secret-key encryption, public-key encryption, receiver non-committing encryption, and a garbling scheme, which are of independent interest.