Indistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes
We construct a general-purpose indistinguishability obfuscation (IO) scheme for all polynomial-size circuits from constant-degree graded encoding schemes in the plain model, assuming the existence of a subexponentially secure pseudorandom generator (PRG) computable by constant-degree arithmetic circuits (or equivalently in NC^0), and the subexponential hardness of the Learning With Errors (LWE) problem. In contrast, previous general-purpose IO schemes all rely on polynomial-degree graded encodings.
Our general-purpose IO scheme is built upon two key components:
- a new bootstrapping theorem showing that subexponentially secure IO for a subclass of constant-degree arithmetic circuits implies IO for all polynomial-size circuits (assuming PRG and LWE as described above), and
- a new construction of IO for any generic class of circuits in the ideal graded encoding model, in which the degree of the graded encodings is bounded by a variant of the degree of the obfuscated circuits, called the type degree.
In comparison, previous bootstrapping theorems start with IO for NC^1, and previous constructions of IO schemes require the degree of the graded encodings to grow polynomially in the size of the obfuscated circuits.
Indistinguishability Obfuscation from DDH-like Assumptions on Constant-Degree Graded Encodings
All constructions of general purpose indistinguishability obfuscation (IO) rely on either meta-assumptions that encapsulate an exponential family of assumptions (e.g., Pass, Seth and Telang, CRYPTO 2014 and Lin, EUROCRYPT 2016), or polynomial families of assumptions on graded encoding schemes with a high polynomial degree/multilinearity (e.g., Gentry, Lewko, Sahai and Waters, FOCS 2014).
We present a new construction of IO, with a security reduction based on two assumptions: (a) a DDH-like assumption on constant-degree graded encodings, called the joint-SXDH assumption, and (b) the existence of polynomial-stretch pseudorandom generators (PRGs) in NC^0. Our assumption on graded encodings is simple, has constant size, and does not require handling composite-order rings. This narrows the gap between the mathematical objects that exist (bilinear maps, from elliptic curve groups) and those that suffice to construct general-purpose indistinguishability obfuscation.
Multilinear Maps from Obfuscation
We provide constructions of multilinear groups equipped with natural hard problems from indistinguishability obfuscation, homomorphic encryption, and NIZKs. This complements known results on the constructions of indistinguishability obfuscators from multilinear maps in the reverse direction. We provide two distinct, but closely related constructions and show that multilinear analogues of the DDH assumption hold for them. Our first construction is symmetric and comes with a κ-linear map e : G^κ → G_T for prime-order groups G and G_T. To establish the hardness of the κ-linear DDH problem, we rely on the existence of a base group for which the (κ − 1)-strong DDH assumption holds. Our second construction is for the asymmetric setting, where e : G_1 × ··· × G_κ → G_T for a collection of κ + 1 prime-order groups G_i and G_T, and relies only on the standard DDH assumption in its base group. In both constructions the linearity κ can be set to any arbitrary but a priori fixed polynomial value in the security parameter. We rely on a number of powerful tools in our constructions: (probabilistic) indistinguishability obfuscation, dual-mode NIZK proof systems (with perfect soundness, witness indistinguishability and zero knowledge), and additively homomorphic encryption for the group Z_N^+. At a high level, we enable "bootstrapping" multilinear assumptions from their simpler counterparts in standard cryptographic groups, and show the equivalence of IO and multilinear maps under the existence of the aforementioned primitives.
On the Invalidity of LV16/Lin17 Obfuscation Schemes
Indistinguishability obfuscation (IO) has been at the frontier of cryptography research for several years. The LV16/Lin17 obfuscation schemes are well-known steps towards simplifying the obfuscation mechanism. In fact, these two schemes only construct two compact functional encryption (CFE) algorithms, while everything else is taken from the AJ15 IO framework or the BV15 IO framework; that is, the CFE algorithms are inserted into the AJ15 or BV15 IO framework to form a complete IO scheme. The basic structure of the two CFE algorithms can be described as follows. The polynomial-time-computable Boolean function is transformed into a group of low-degree, low-locality component functions by using a randomized encoding, such that some public combination of the values of the component functions equals the value of the original Boolean function. The encryptor uses constant-degree multilinear maps (rather than polynomial-degree multilinear maps) to encrypt the independent variables of the component functions. The decryptor uses the zero-testing tool of the multilinear maps to obtain the values of the component functions (rather than the values of the independent variables), and then uses the public combination to obtain the value of the original Boolean function.
In this paper we restrict IO to be a real white box (RWB). Under this restriction we point out that the LV16/Lin17 CFE algorithms, when inserted into the AJ15 IO framework, are invalid. More precisely, such insertion lets the adversary gradually learn the shape of the function, so the scheme is not secure. In other words, such a scheme is not a real IO scheme, but rather a garbling scheme. We argue that the RWB restriction is reasonable, as it captures the essential contribution of IO to cryptography research.
Multilinear Maps in Cryptography
Multilinear maps play an increasingly important role in modern cryptography. This thesis addresses the construction, application and improvement of multilinear maps.
On Removing Graded Encodings from Functional Encryption
Functional encryption (FE) has emerged as an outstanding concept. By now, we know that beyond the immediate application to computation over encrypted data, variants with succinct ciphertexts are so powerful that they yield the full might of indistinguishability obfuscation (IO). Understanding how, and under which assumptions, such succinct schemes can be constructed has become a grand challenge of current research in cryptography. Whereas the first schemes were themselves based on IO, recent progress has produced constructions based on constant-degree graded encodings. Still, our comprehension of such graded encodings remains limited, as the instantiations given so far have exhibited different vulnerabilities.
Our main result is that, assuming LWE, black-box constructions of sufficiently succinct FE schemes from constant-degree graded encodings can be transformed to rely on a much better-understood object: bilinear groups. In particular, under an über assumption on bilinear groups, such constructions imply IO in the plain model. The result demonstrates that the exact level of ciphertext succinctness of FE schemes is of major importance. In particular, we draw a fine line between known FE constructions from constant-degree graded encodings, which just fall short of the required succinctness, and the holy grail of basing IO on better-understood assumptions.
At the heart of our result are new techniques for removing ideal graded encoding oracles from FE constructions. Complementing the result, for weaker ideal models, namely the generic-group model and the random-oracle model, we show a transformation from collusion-resistant FE in either of the two models directly to FE (and IO) in the plain model, without assuming bilinear groups.
Indistinguishability Obfuscation from Semantically-Secure Multilinear Encodings
We define a notion of semantic security of multilinear (a.k.a. graded) encoding schemes, which stipulates security of a class of algebraic "decisional" assumptions: roughly speaking, we require that for every nuPPT distribution over two constant-length sequences and auxiliary elements such that all arithmetic circuits (respecting the multilinear restrictions and ending with a zero-test) are constant with overwhelming probability over , , we have that encodings of are computationally indistinguishable from encodings of . Assuming the existence of semantically secure multilinear encodings and the LWE assumption, we demonstrate the existence of indistinguishability obfuscators for all polynomial-size circuits. We additionally show that if we assume subexponential hardness, then it suffices to consider a single (falsifiable) instance of semantic security (i.e., that semantic security holds w.r.t. a particular distribution ) to obtain the same result.
We rely on the beautiful candidate obfuscation constructions of Garg et al. (FOCS'13), Brakerski and Rothblum (TCC'14) and Barak et al. (EUROCRYPT'14), which were proven secure only in idealized generic multilinear encoding models, and develop new techniques for demonstrating security in the standard model, based only on semantic security of multilinear encodings (which trivially holds in the generic multilinear encoding model).
We also investigate various ways of defining an "uber assumption" (i.e., a super-assumption) for multilinear encodings, and show that the perhaps most natural way of formalizing the assumption that "any algebraic decision assumption that holds in the generic model also holds against nuPPT attackers" is false.
A Study on the Mathematical Analysis of Indistinguishability Obfuscation
Thesis (Ph.D.), Seoul National University Graduate School, College of Natural Sciences, Department of Mathematical Sciences, February 2020. Advisor: Jung Hee Cheon.
Indistinguishability obfuscation (iO) is a weak notion of program obfuscation which requires that, if two functionally equivalent circuits are given, their obfuscated programs are indistinguishable. The existence of iO implies numerous cryptographic primitives such as multilinear maps, functional encryption, and non-interactive multi-party key exchange. In general, many iO schemes are based on branching programs and on the candidate multilinear maps GGH13, CLT13 and GGH15.
In this thesis, we present cryptanalyses of branching-program-based iO over the multilinear maps GGH13 and GGH15. First, we propose cryptanalyses of all existing branching-program-based iO schemes over GGH13 for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using an NTRU solver and matrix zeroizing, which can be applied to a wide range of obfuscation constructions. We then show that there exists a polynomial-time reduction from the NTRU problem to all known branching-program-based iO over GGH13.
Moreover, we propose a new attack on iO based on GGH15 which exploits statistical properties rather than algebraic approaches. We apply our attack to two recent obfuscations, the CVW and BGMZ obfuscations. We break the CVW obfuscation under the current parameter setup, and show that the algebraic security model of the BGMZ obfuscation is not enough to achieve ideal security. We show that our attack lies outside the algebraic security model by presenting parameters not captured by the proof in that model.
Abstract (translated from Korean): If two programs with the same functionality are given and their obfuscated programs cannot be distinguished, the obfuscation is called indistinguishability obfuscation. Since the existence of indistinguishability obfuscation implies many cryptographic applications, such as multilinear maps, functional encryption and multi-party key exchange, designing indistinguishability obfuscation is one of the most important problems. In general, many indistinguishability obfuscators have been designed on top of the multilinear maps GGH13, CLT13 and GGH15.
In this thesis, we carry out security analyses of obfuscation schemes based on multilinear maps. First, we show that all obfuscation schemes based on the GGH13 multilinear map are insecure under the current parameters. We analyze their security by proposing two new methods, program converting and the matrix zeroizing attack, and as a result show that every existing GGH13-based obfuscation scheme reduces in polynomial time to the NTRU problem.
We also propose a statistical attack on obfuscation schemes based on the GGH15 multilinear map. Applying the statistical attack to the recent CVW and BGMZ obfuscations, we show that the CVW obfuscation is not secure under the current parameters. We also show that the algebraic security model proposed in BGMZ is not sufficient for designing an ideal obfuscation scheme. Indeed, we present specific parameters under which the BGMZ obfuscation is insecure, showing that our attack does not fall within the security model proposed in BGMZ.
Table of contents:
1 Introduction
1.1 Indistinguishability Obfuscation
1.2 Contributions
1.2.1 Mathematical Analysis of iO based on GGH13
1.2.2 Mathematical Analysis of iO based on GGH15
1.3 List of Papers
2 Preliminaries
2.1 Basic Notations
2.2 Indistinguishability Obfuscation
2.3 Cryptographic Multilinear Map
2.4 Matrix Branching Program
2.5 Tensor product and vectorization
2.6 Background Lattices
3 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH13 Multilinear Map
3.1 Preliminaries
3.1.1 Notations
3.1.2 GGH13 Multilinear Map
3.2 Main Theorem
3.3 Attackable BP Obfuscations
3.3.1 Randomization for Attackable Obfuscation Model
3.3.2 Encoding by Multilinear Map
3.3.3 Linear Relationally Inequivalent Branching Programs
3.4 Program Converting Technique
3.4.1 Converting to R Program
3.4.2 Recovering and Converting to R/ Program
3.4.3 Analysis of the Converting Technique
3.5 Matrix Zeroizing Attack
3.5.1 Existing BP Obfuscations
3.5.2 Attackable BP Obfuscation, General Case
4 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH15 Multilinear Map
4.1 Preliminaries
4.1.1 Notations
4.2 Statistical Zeroizing Attack
4.2.1 Distinguishing Distributions using Sample Variance
4.3 Cryptanalysis of CVW Obfuscation
4.3.1 Construction of CVW Obfuscation
4.3.2 Cryptanalysis of CVW Obfuscation
4.4 Cryptanalysis of BGMZ Obfuscation
4.4.1 Construction of BGMZ Obfuscation
4.4.2 Cryptanalysis of BGMZ Obfuscation
5 Conclusions
6 Appendix
6.1 Appendix of Chapter 3
6.1.1 Extended Attackable Model
6.1.2 Examples of Matrix Zeroizing Attack
6.1.3 Examples of Linear Relationally Inequivalent BPs
6.1.4 Read-once BPs from NFA
6.1.5 Input-unpartitionable BPs from Barrington's Theorem
6.2 Appendix of Chapter 5
6.2.1 Simple GGH15 obfuscation
6.2.2 Modified CVW Obfuscation
6.2.3 Transformation of Branching Programs
6.2.4 Modification of CVW Obfuscation
6.2.5 Assumptions of lattice preimage sampling
6.2.6 Useful Tools for Computing the Variances
6.2.7 Analysis of CVW Obfuscation
6.2.8 Analysis of BGMZ Obfuscation
Abstract (in Korean)
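The thesis above attacks obfuscators built from matrix branching programs (Section 2.4, Barrington's theorem in 6.1.5). To make that object concrete, here is an added example that is not code from the thesis or from any iO candidate: a width-5 matrix branching program for AND built from Barrington's commutator trick (two 5-cycles whose commutator is again a 5-cycle), evaluated by multiplying one permutation matrix per layer, and then masked with Kilian randomization, the conjugation step every BP-based candidate applies before encoding the matrices in a multilinear map. The modulus p = 101, the two cycles and the seed are choices made for this example.

```python
"""Toy matrix branching program (MBP) with Kilian randomization.

Added example, not code from the thesis or from any obfuscation candidate.
A layer is (input index, M_0, M_1); the input bit selects one matrix per layer
and the program outputs 0 iff the product of the selected matrices is the
identity. Kilian randomization replaces layer i by R_{i-1} M R_i^{-1} over Z_p
(R_0 = R_L = I): full products are unchanged, single matrices look random.
"""
import random

P = 101  # prime modulus for the randomizers (example choice)
N = 5    # width: permutations of 5 points, as in Barrington's theorem


def perm_matrix(perm):
    """Column i is the unit vector e_{perm[i]}, so M_s * M_t = M_{s o t}."""
    m = [[0] * N for _ in range(N)]
    for i, j in enumerate(perm):
        m[j][i] = 1
    return m


def perm_inverse(perm):
    inv = [0] * N
    for i, j in enumerate(perm):
        inv[j] = i
    return inv


IDENTITY = perm_matrix(list(range(N)))


def mat_mul(a, b, p=P):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) % p for j in range(N)] for i in range(N)]


def mat_inv(a, p=P):
    """Gauss-Jordan inverse over Z_p; raises ValueError if a is singular."""
    aug = [row[:] + [int(i == j) for j in range(N)] for i, row in enumerate(a)]
    for col in range(N):
        piv = next((r for r in range(col, N) if aug[r][col] % p), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[col], aug[piv] = aug[piv], aug[col]
        scale = pow(aug[col][col], -1, p)
        aug[col] = [(v * scale) % p for v in aug[col]]
        for r in range(N):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % p for x, y in zip(aug[r], aug[col])]
    return [row[N:] for row in aug]


# Two 5-cycles whose commutator s t s^-1 t^-1 is a 5-cycle (example choice).
SIGMA = [1, 2, 3, 4, 0]
TAU = [2, 0, 4, 1, 3]


def and_program():
    """Barrington-style MBP for AND(x0, x1).

    The product is s^x0 t^x1 s^-x0 t^-x1: the identity unless both bits are 1,
    in which case it is the (non-identity) commutator of the two cycles.
    """
    return [
        (0, IDENTITY, perm_matrix(SIGMA)),
        (1, IDENTITY, perm_matrix(TAU)),
        (0, IDENTITY, perm_matrix(perm_inverse(SIGMA))),
        (1, IDENTITY, perm_matrix(perm_inverse(TAU))),
    ]


def evaluate(program, x):
    """Multiply the selected matrix of every layer; 1 iff the product is not the identity."""
    acc = IDENTITY
    for idx, m0, m1 in program:
        acc = mat_mul(acc, m1 if x[idx] else m0)
    return 0 if acc == IDENTITY else 1


def random_invertible(rng, p=P):
    """Return (R, R^-1) for a uniformly random invertible R over Z_p."""
    while True:
        r = [[rng.randrange(p) for _ in range(N)] for _ in range(N)]
        try:
            return r, mat_inv(r, p)
        except ValueError:
            continue


def kilian_randomize(program, seed=0):
    """Conjugate each layer by fresh randomizers; R_0 and R_L are the identity."""
    rng = random.Random(seed)
    rs = [(IDENTITY, IDENTITY)]
    for _ in range(len(program) - 1):
        rs.append(random_invertible(rng))
    rs.append((IDENTITY, IDENTITY))
    masked = []
    for i, (idx, m0, m1) in enumerate(program):
        left, right_inv = rs[i][0], rs[i + 1][1]
        masked.append((idx,
                       mat_mul(mat_mul(left, m0), right_inv),
                       mat_mul(mat_mul(left, m1), right_inv)))
    return masked


def truth_table(program):
    return {(a, b): evaluate(program, (a, b)) for a in (0, 1) for b in (0, 1)}


if __name__ == "__main__":
    plain = and_program()
    print("plain :", truth_table(plain))
    print("masked:", truth_table(kilian_randomize(plain, seed=7)))
```

Note that the program reads x0 twice, so it is not read-once; the thesis's matrix zeroizing and input-partition arguments (Sections 3.3.3 and 6.1.5) are about exactly which such products an attacker can still form from the masked layers, which this toy leaves open by design.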
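The GGH15 part of the thesis replaces algebraic zeroizing with a statistical test (Section 4.2.1, "Distinguishing Distributions using Sample Variance"). The following added example, which is not the thesis's attack and models nothing of GGH15 itself, isolates that step: the attacker collects many zero-test outputs from the obfuscated program and decides between two candidate programs purely from the sample variance of those outputs. The zero-mean Gaussian stand-in for the outputs, the variances 1 and 4, and the Chebyshev-based sample count are all assumptions of the example.

```python
"""Toy model of the sample-variance distinguisher behind a statistical zeroizing attack.

Added example, not the thesis's attack. Zero-test outputs of two functionally
equivalent but differently obfuscated programs are modelled as zero-mean
Gaussians with variances var0 and var1 (a constructed stand-in). The attacker
never learns the hidden matrices; it only needs enough samples that the
observed variance lands on the correct side of the midpoint.
"""
import math
import random


def sample_variance(xs):
    """Unbiased sample variance S^2 (n - 1 in the denominator)."""
    n = len(xs)
    mean = sum(xs) / n
    return sum((x - mean) ** 2 for x in xs) / (n - 1)


def samples_needed(var0, var1, max_error):
    """Chebyshev bound on the sample count.

    For Gaussian data Var(S^2) = 2 sigma^4 / (n - 1). The decision is wrong only
    if S^2 drifts more than half the gap between var0 and var1, so
    Pr[error] <= Var(S^2) / (gap/2)^2 <= max_error gives the n below.
    """
    half_gap = abs(var1 - var0) / 2
    worst_sigma4 = max(var0, var1) ** 2
    return 1 + math.ceil(2 * worst_sigma4 / (half_gap ** 2 * max_error))


def distinguish(zero_test_values, var0, var1):
    """Return 0 if the observed variance is closer to var0, else 1."""
    s2 = sample_variance(zero_test_values)
    return 0 if abs(s2 - var0) <= abs(s2 - var1) else 1


def simulate_zero_tests(variance, n, seed):
    """Constructed zero-test outputs of one program (stand-in, not GGH15)."""
    rng = random.Random(seed)
    sd = math.sqrt(variance)
    return [rng.gauss(0.0, sd) for _ in range(n)]


def attack_success_rate(var0, var1, n, trials=200, seed=1):
    """Fraction of trials in which distinguish() names the program that produced the data."""
    correct = 0
    for t in range(trials):
        hidden_bit = t % 2
        data = simulate_zero_tests(var1 if hidden_bit else var0, n, seed + t)
        correct += distinguish(data, var0, var1) == hidden_bit
    return correct / trials


if __name__ == "__main__":
    n = samples_needed(1.0, 4.0, max_error=0.01)
    print("samples per attack:", n)
    print("success rate:", attack_success_rate(1.0, 4.0, n))
```

The point the thesis makes, and this toy reproduces, is that a proof in an algebraic model (which only rules out relations the attacker can compute as polynomials of the encodings) says nothing about an adversary that estimates a moment of the output distribution; the number of zero tests it needs grows only polynomially in the inverse of the variance gap.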
Indistinguishability Obfuscation from Well-Founded Assumptions
In this work, we show how to construct indistinguishability obfuscation from subexponential hardness of four well-founded assumptions. We prove:
Let be arbitrary constants. Assume sub-exponential security of the following assumptions, where is a security parameter, and the parameters below are large enough polynomials in :
- The SXDH assumption on asymmetric bilinear groups of a prime order ,
- The LWE assumption over with subexponential modulus-to-noise ratio , where is the dimension of the LWE secret,
- The LPN assumption over with polynomially many LPN samples and error rate , where is the dimension of the LPN secret,
- The existence of a Boolean PRG in with stretch ,
Then, (subexponentially secure) indistinguishability obfuscation for all polynomial-size circuits exists.
Indistinguishability Obfuscation: From Approximate to Exact
We show general transformations from subexponentially-secure approximate indistinguishability obfuscation (IO), where the obfuscated circuit agrees with the original circuit on a 1/2 + ε fraction of inputs on a certain samplable distribution, into exact indistinguishability obfuscation, where the obfuscated circuit and the original circuit agree on all inputs. As a step towards our results, which is of independent interest, we also obtain an approximate-to-exact transformation for functional encryption. At the core of our techniques is a method for "fooling" the obfuscator into giving us the correct answer, while preserving the indistinguishability-based security. This is achieved based on various types of secure computation protocols that can be obtained from different standard assumptions.
Put together with the recent results of Canetti, Kalai and Paneth (TCC 2015), Pass and Shelat (TCC 2016), and Mahmoody, Mohammed and Nemathaji (TCC 2016), we show how to convert indistinguishability obfuscation schemes in various ideal models into exact obfuscation schemes in the plain model.
Funding: National Science Foundation (U.S.), grants CNS-1350619 and CNS-1414119.