349 research outputs found
Affine Determinant Programs: A Framework for Obfuscation and Witness Encryption
An affine determinant program ADP: {0,1}^n → {0,1} is specified by a tuple (A,B_1,...,B_n) of square matrices over F_q and a function Eval: F_q → {0,1}, and evaluated on x \in {0,1}^n by computing Eval(det(A + sum_{i \in [n]} x_i B_i)).
In this work, we suggest ADPs as a new framework for building general-purpose obfuscation and witness encryption. We provide evidence to suggest that constructions following our ADP-based framework may one day yield secure, practically feasible obfuscation.
As a proof-of-concept, we give a candidate ADP-based construction of indistinguishability obfuscation (iO) for all circuits along with a simple witness encryption candidate. We provide cryptanalysis demonstrating that our schemes resist several potential attacks, and leave further cryptanalysis to future work. Lastly, we explore practically feasible applications of our witness encryption candidate, such as public-key encryption with near-optimal key generation
Foundations and applications of program obfuscation
Code is said to be obfuscated if it is intentionally difficult for humans to understand.
Obfuscating a program conceals its sensitive implementation details and
protects it from reverse engineering and hacking. Beyond software protection, obfuscation
is also a powerful cryptographic tool, enabling a variety of advanced applications.
Ideally, an obfuscated program would hide any information about the original
program that cannot be obtained by simply executing it. However, Barak et al.
[CRYPTO 01] proved that for some programs, such ideal obfuscation is impossible.
Nevertheless, Garg et al. [FOCS 13] recently suggested a candidate general-purpose
obfuscator which is conjectured to satisfy a weaker notion of security called indistinguishability
obfuscation.
In this thesis, we study the feasibility and applicability of secure obfuscation:
- What notions of secure obfuscation are possible and under what assumptions?
- How useful are weak notions like indistinguishability obfuscation?
Our first result shows that the applications of indistinguishability obfuscation go
well beyond cryptography. We study the tractability of computing a Nash equilibrium
vii
of a game { a central problem in algorithmic game theory and complexity theory.
Based on indistinguishability obfuscation, we construct explicit games where a Nash
equilibrium cannot be found efficiently.
We also prove the following results on the feasibility of obfuscation. Our starting
point is the Garg at el. obfuscator that is based on a new algebraic encoding scheme
known as multilinear maps [Garg et al. EUROCRYPT 13].
1. Building on the work of Brakerski and Rothblum [TCC 14], we provide the first
rigorous security analysis for obfuscation. We give a variant of the Garg at el.
obfuscator and reduce its security to that of the multilinear maps. Specifically,
modeling the multilinear encodings as ideal boxes with perfect security, we prove
ideal security for our obfuscator. Our reduction shows that the obfuscator resists
all generic attacks that only use the encodings' permitted interface and do not
exploit their algebraic representation.
2. Going beyond generic attacks, we study the notion of virtual-gray-box obfusca-
tion [Bitansky et al. CRYPTO 10]. This relaxation of ideal security is stronger
than indistinguishability obfuscation and has several important applications
such as obfuscating password protected programs. We formulate a security
requirement for multilinear maps which is sufficient, as well as necessary for
virtual-gray-box obfuscation.
3. Motivated by the question of basing obfuscation on ideal objects that are simpler
than multilinear maps, we give a negative result showing that ideal obfuscation
is impossible, even in the random oracle model, where the obfuscator is given access
to an ideal random function. This is the first negative result for obfuscation
in a non-trivial idealized model
Block cipher based Public Key Encryption viaIndistinguishability Obfuscation
The article is devoted to generation techniques of thenew public key crypto-systems, which are based on applicationof indistinguishability obfuscation methods to selected privatekey crypto-systems. The techniques are applied to symmetrickey crypto-system and the target system is asymmetric one.As an input for our approach an implementation of symmetricblock cipher with a given private-key is considered. Differentobfuscation methods are subjected to processing. The targetsystem would be treated as a public-key for newly createdpublic crypto-system. The approach seems to be interestingfrom theoretical point of view. Moreover, it can be useful forinformation protection in a cloud-computing model
Order-Revealing Encryption and the Hardness of Private Learning
An order-revealing encryption scheme gives a public procedure by which two
ciphertexts can be compared to reveal the ordering of their underlying
plaintexts. We show how to use order-revealing encryption to separate
computationally efficient PAC learning from efficient -differentially private PAC learning. That is, we construct a concept
class that is efficiently PAC learnable, but for which every efficient learner
fails to be differentially private. This answers a question of Kasiviswanathan
et al. (FOCS '08, SIAM J. Comput. '11).
To prove our result, we give a generic transformation from an order-revealing
encryption scheme into one with strongly correct comparison, which enables the
consistent comparison of ciphertexts that are not obtained as the valid
encryption of any message. We believe this construction may be of independent
interest.Comment: 28 page
Obfuscating Conjunctions under Entropic Ring LWE
We show how to securely obfuscate conjunctions, which are functions f(x[subscript 1], . . . , x[subscript n]) = โง[subscript iโI] y[superscript i] where
I โ [n] and each literal y[subscript i] is either just x[subscript i] or ยฌx[subscript i] e.g., f(x[subscript 1], . . . , x_n) = x[subscript 1] โ ยฌ x[subscript 3] โ ยฌ x[subscript 7] ยท ยท ยท โ x[subscript nโ1]. Whereas prior work of Brakerski and Rothblum (CRYPTO 2013) showed how to achieve this using a
non-standard object called cryptographic multilinear maps, our scheme is based on an โentropicโ variant of the Ring Learning with Errors (Ring LWE) assumption. As our core tool, we prove that hardness assumptions on the recent multilinear map construction of Gentry, Gorbunov and Halevi (TCC 2015) can be established based on entropic Ring LWE. We view this as a first step towards proving the security of additional multilinear map based constructions, and in particular program obfuscators, under standard
assumptions. Our scheme satisfies virtual black box (VBB) security, meaning that the obfuscated program reveals nothing more than black-box access to f as an oracle, at least as long as (essentially) the conjunction is chosen from a distribution having sufficient entropy
Indistinguishability Obfuscation from Well-Founded Assumptions
In this work, we show how to construct indistinguishability obfuscation from
subexponential hardness of four well-founded assumptions. We prove:
Let be arbitrary
constants. Assume sub-exponential security of the following assumptions, where
is a security parameter, and the parameters below are
large enough polynomials in :
- The SXDH assumption on asymmetric bilinear groups of a prime order ,
- The LWE assumption over with subexponential
modulus-to-noise ratio , where is the dimension of the LWE
secret,
- The LPN assumption over with polynomially many LPN samples
and error rate , where is the dimension of the LPN
secret,
- The existence of a Boolean PRG in with stretch
,
Then, (subexponentially secure) indistinguishability obfuscation for all
polynomial-size circuits exists
๊ตฌ๋ถ๋ถ๊ฐ๋ฅํ ๋๋ ํ์ ์ํ์ ๋ถ์์ ๊ดํ ์ฐ๊ตฌ
ํ์๋
ผ๋ฌธ(๋ฐ์ฌ)--์์ธ๋ํ๊ต ๋ํ์ :์์ฐ๊ณผํ๋ํ ์๋ฆฌ๊ณผํ๋ถ,2020. 2. ์ฒ์ ํฌ.Indistinguishability obfuscation (iO) is a weak notion of the program obfuscation which requires that if two functionally equivalent circuits are given, their obfuscated programs are indistinguishable. The existence of iO implies numerous cryptographic primitives such as multilinear map, functional encryption, non interactive multi-party key exchange. In gen- eral, many iO schemes are based on branching programs, and candidates of multilinear maps represented by GGH13, CLT13 and GGH15.
In this thesis, we present cryptanalyses of branching program based iO over multilinear maps GGH13 and GGH15. First, we propose cryptanaly- ses of all existing branching program based iO schemes over GGH13 for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using NTRU-solver and matrix zeroiz- ing, which can be applied to a wide range of obfuscation constructions. We then show that there exists polynomial time reduction from the NTRU problem to all known branching program based iO over GGH13.
Moreover, we propose a new attack on iO based on GGH15 which exploits statistical properties rather than algebraic approaches. We apply our attack to recent two obfuscations called CVW and BGMZ obfuscations. Thus, we break the CVW obfuscation under the current parameter setup, and show that algebraic security model of BGMZ obfuscation is not enough to achieve ideal security. We show that our attack is lying outside of the algebraic security model by presenting some parameters not captured by the proof of the model.๊ธฐ๋ฅ์ฑ์ด ๊ฐ์ ๋ ํ๋ก๊ทธ๋จ๊ณผ, ๊ทธ ๋๋
ํ๋ ํ๋ก๊ทธ๋จ๋ค์ด ์์ ๋, ๋๋
ํ๋ ํ๋ก๊ทธ ๋จ๋ค์ ๊ตฌ๋ถํ ์ ์๋ค๋ฉด ๊ตฌ๋ถ๋ถ๊ฐ๋ฅํ ๋๋
ํ๋ผ๊ณ ํ๋ค. ๊ตฌ๋ถ๋ถ๊ฐ๋ฅํ ๋๋
ํ๊ฐ ์กด์ฌํ๋ค๋ฉด, ๋ค์ค์ ํํจ์, ํจ์์ํธ, ๋ค์๊ฐ ํค๊ตํ ๋ฑ ๋ง์ ์ํธํ์ ์ธ ์์ฉ๋ค์ด ์กด์ฌํ๊ธฐ ๋๋ฌธ์, ๊ตฌ๋ถ๋ถ๊ฐ๋ฅํ ๋๋
ํ๋ฅผ ์ค๊ณํ๋ ๊ฒ์ ๋งค์ฐ ์ค์ํ ๋ฌธ์ ์ค ํ๋ ์ด๋ค. ์ผ๋ฐ์ ์ผ๋ก, ๋ง์ ๊ตฌ๋ถ๋ถ๊ฐ๋ฅํ ๋๋
ํ๋ค์ ๋ค์ค์ ํํจ์ GGH13, CLT13, GGH15๋ฅผ ๊ธฐ๋ฐ์ผ๋ก ํ์ฌ ์ค๊ณ๋์๋ค.
๋ณธ ํ์ ๋
ผ๋ฌธ์์๋, ๋ค์ค์ ํํจ์๋ฅผ ๊ธฐ๋ฐ์ผ๋ก ํ๋ ๋๋
ํ ๊ธฐ์ ๋ค์ ๋ํ ์ ์ ์ฑ ๋ถ์์ ์งํํ๋ค. ๋จผ์ , GGH13 ๋ค์ค์ ํํจ์๋ฅผ ๊ธฐ๋ฐ์ผ๋ก ํ๋ ๋ชจ๋ ๋๋
ํ ๊ธฐ์ ๋ค์ ํ์ฌ ํ๋ผ๋ฏธํฐ ํ์ ์์ ํ์ง ์์์ ๋ณด์ธ๋ค. ํ๋ก๊ทธ๋จ ๋ณํ(program converting), ํ๋ ฌ ์ ๋กํ ๊ณต๊ฒฉ(matrix zeroizing attack)์ด๋ผ๋ ๋ ๊ฐ์ง ์๋ก์ด ๋ฐฉ ๋ฒ์ ์ ์ํ์ฌ ์์ ์ฑ์ ๋ถ์ํ์๊ณ , ๊ทธ ๊ฒฐ๊ณผ, ํ์กดํ๋ ๋ชจ๋ GGH13 ๋ค์ค์ ํํจ์ ๊ธฐ๋ฐ ๋๋
ํ ๊ธฐ์ ์ด ๋คํญ์ ์๊ฐ ๋ด์ NTRU ๋ฌธ์ ๋ก ํ์๋จ์ ๋ณด์ธ๋ค.
๋ํ, GGH15 ๋ค์ค์ ํํจ์๋ฅผ ๊ธฐ๋ฐ์ผ๋ก ํ๋ ๋๋
ํ ๊ธฐ์ ์ ๋ํ ํต๊ณ์ ์ธ ๊ณต๊ฒฉ๋ฐฉ๋ฒ์ ์ ์ํ๋ค. ํต๊ณ์ ๊ณต๊ฒฉ๋ฐฉ๋ฒ์ ์ต์ ๊ธฐ์ ์ธ CVW ๋๋
ํ, BGMZ ๋๋
ํ์ ์ ์ฉํ์ฌ, CVW ๋๋
ํ๊ฐ ํ์ฌ ํ๋ผ๋ฏธํฐ์์ ์์ ํ์ง ์์์ ๋ณด์ธ๋ค. ๋ํ BGMZ ๋๋
ํ์์ ์ ์ํ ๋์์ ์์ ์ฑ ๋ชจ๋ธ์ด ์ด์์ ์ธ ๋๋
ํ ๊ธฐ์ ์ ์ค๊ณํ ๋๋ฐ ์ถฉ๋ถํ์ง ์๋ค๋ ๊ฒ์ ๋ณด์ธ๋ค. ์ค์ ๋ก, BGMZ ๋๋
ํ๊ฐ ์์ ํ์ง ์์ ํน์ดํ ํ๋ผ๋ฏธํฐ๋ฅผ ์ ์ํ์ฌ, ์ฐ๋ฆฌ ๊ณต๊ฒฉ์ด BGMZ์์ ์ ์ํ ์์ ์ฑ ๋ชจ๋ธ์ ํด๋นํ์ง ์ ์์ ๋ณด์ธ๋ค.1. Introduction 1
1.1 Indistinguishability Obfuscation 1
1.2 Contributions 4
1.2.1 Mathematical Analysis of iO based on GGH13 4
1.2.2 Mathematical Analysis of iO based on GGH15 5
1.3 List of Papers 6
2 Preliminaries 7
2.1 Basic Notations 7
2.2 Indistinguishability Obfuscation 8
2.3 Cryptographic Multilinear Map 9
2.4 Matrix Branching Program 10
2.5 Tensor product and vectorization . 11
2.6 Background Lattices . 12
3 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH13 Multilinear Map 13
3.1 Preliminaries 14
3.1.1 Notations 14
3.1.2 GGH13 Multilinear Map 14
3.2 Main Theorem 17
3.3 Attackable BP Obfuscations 18
3.3.1 Randomization for Attackable Obfuscation Model 20
3.3.2 Encoding by Multilinear Map 21
3.3.3 Linear Relationally Inequivalent Branching Programs 22
3.4 Program Converting Technique 23
3.4.1 Converting to R Program 24
3.4.2 Recovering and Converting to R/ Program 27
3.4.3 Analysis of the Converting Technique 28
3.5 Matrix Zeroizing Attack 29
3.5.1 Existing BP Obfuscations 31
3.5.2 Attackable BP Obfuscation, General Case 34
4 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH15 Multilinear Map 37
4.1 Preliminaries 38
4.1.1 Notations 38
4.2 Statistical Zeroizing Attack . 39
4.2.1 Distinguishing Distributions using Sample Variance 42
4.3 Cryptanalysis of CVW Obfuscation 44
4.3.1 Construction of CVW Obfuscation 45
4.3.2 Cryptanalysis of CVW Obfuscation 48
4.4 Cryptanalysis of BGMZ Obfuscation 56
4.4.1 Construction of BGMZ Obfuscation 56
4.4.2 Cryptanalysis of BGMZ Obfuscation 59
5 Conclusions 65
6 Appendix 66
6.1 Appendix of Chapter 3 66
6.1.1 Extended Attackable Model 66
6.1.2 Examples of Matrix Zeroizing Attack 68
6.1.3 Examples of Linear Relationally Inequivalent BPs 70
6.1.4 Read-once BPs from NFA 70
6.1.5 Input-unpartitionable BPs from Barringtons Theorem 71
6.2 Appendix of Chapter 5 73
6.2.1 Simple GGH15 obfuscation 73
6.2.2 Modified CVW Obfuscation . 75
6.2.3 Transformation of Branching Programs 76
6.2.4 Modification of CVW Obfuscation 77
6.2.5 Assumptions of lattice preimage sampling 78
6.2.6 Useful Tools for Computing the Variances 79
6.2.7 Analysis of CVW Obfuscation 84
6.2.8 Analysis of BGMZ Obfuscation 97
Abstract (in Korean) 117Docto
Indistinguishability Obfuscation: From Approximate to Exact
We show general transformations from subexponentially-secure approximate indistinguishability obfuscation (IO) where the obfuscated circuit agrees with the original circuit on a 1/2+ฯต fraction of inputs on a certain samplable distribution, into exact indistinguishability obfuscation where the obfuscated circuit and the original circuit agree on all inputs. As a step towards our results, which is of independent interest, we also obtain an approximate-to-exact transformation for functional encryption. At the core of our techniques is a method for โfoolingโ the obfuscator into giving us the correct answer, while preserving the indistinguishability-based security. This is achieved based on various types of secure computation protocols that can be obtained from different standard assumptions.
Put together with the recent results of Canetti, Kalai and Paneth (TCC 2015), Pass and Shelat (TCC 2016), and Mahmoody, Mohammed and Nemathaji (TCC 2016), we show how to convert indistinguishability obfuscation schemes in various ideal models into exact obfuscation schemes in the plain model.National Science Foundation (U.S.) (Grant CNS-1350619)National Science Foundation (U.S.) (Grant CNS-1414119
- โฆ