349 research outputs found

    Affine Determinant Programs: A Framework for Obfuscation and Witness Encryption

    Get PDF
    An affine determinant program ADP: {0,1}^n → {0,1} is specified by a tuple (A,B_1,...,B_n) of square matrices over F_q and a function Eval: F_q → {0,1}, and evaluated on x \in {0,1}^n by computing Eval(det(A + sum_{i \in [n]} x_i B_i)). In this work, we suggest ADPs as a new framework for building general-purpose obfuscation and witness encryption. We provide evidence to suggest that constructions following our ADP-based framework may one day yield secure, practically feasible obfuscation. As a proof-of-concept, we give a candidate ADP-based construction of indistinguishability obfuscation (iO) for all circuits along with a simple witness encryption candidate. We provide cryptanalysis demonstrating that our schemes resist several potential attacks, and leave further cryptanalysis to future work. Lastly, we explore practically feasible applications of our witness encryption candidate, such as public-key encryption with near-optimal key generation

    Foundations and applications of program obfuscation

    Full text link
    Code is said to be obfuscated if it is intentionally difficult for humans to understand. Obfuscating a program conceals its sensitive implementation details and protects it from reverse engineering and hacking. Beyond software protection, obfuscation is also a powerful cryptographic tool, enabling a variety of advanced applications. Ideally, an obfuscated program would hide any information about the original program that cannot be obtained by simply executing it. However, Barak et al. [CRYPTO 01] proved that for some programs, such ideal obfuscation is impossible. Nevertheless, Garg et al. [FOCS 13] recently suggested a candidate general-purpose obfuscator which is conjectured to satisfy a weaker notion of security called indistinguishability obfuscation. In this thesis, we study the feasibility and applicability of secure obfuscation: - What notions of secure obfuscation are possible and under what assumptions? - How useful are weak notions like indistinguishability obfuscation? Our first result shows that the applications of indistinguishability obfuscation go well beyond cryptography. We study the tractability of computing a Nash equilibrium vii of a game { a central problem in algorithmic game theory and complexity theory. Based on indistinguishability obfuscation, we construct explicit games where a Nash equilibrium cannot be found efficiently. We also prove the following results on the feasibility of obfuscation. Our starting point is the Garg at el. obfuscator that is based on a new algebraic encoding scheme known as multilinear maps [Garg et al. EUROCRYPT 13]. 1. Building on the work of Brakerski and Rothblum [TCC 14], we provide the first rigorous security analysis for obfuscation. We give a variant of the Garg at el. obfuscator and reduce its security to that of the multilinear maps. Specifically, modeling the multilinear encodings as ideal boxes with perfect security, we prove ideal security for our obfuscator. Our reduction shows that the obfuscator resists all generic attacks that only use the encodings' permitted interface and do not exploit their algebraic representation. 2. Going beyond generic attacks, we study the notion of virtual-gray-box obfusca- tion [Bitansky et al. CRYPTO 10]. This relaxation of ideal security is stronger than indistinguishability obfuscation and has several important applications such as obfuscating password protected programs. We formulate a security requirement for multilinear maps which is sufficient, as well as necessary for virtual-gray-box obfuscation. 3. Motivated by the question of basing obfuscation on ideal objects that are simpler than multilinear maps, we give a negative result showing that ideal obfuscation is impossible, even in the random oracle model, where the obfuscator is given access to an ideal random function. This is the first negative result for obfuscation in a non-trivial idealized model

    Block cipher based Public Key Encryption viaIndistinguishability Obfuscation

    Get PDF
    The article is devoted to generation techniques of thenew public key crypto-systems, which are based on applicationof indistinguishability obfuscation methods to selected privatekey crypto-systems. The techniques are applied to symmetrickey crypto-system and the target system is asymmetric one.As an input for our approach an implementation of symmetricblock cipher with a given private-key is considered. Differentobfuscation methods are subjected to processing. The targetsystem would be treated as a public-key for newly createdpublic crypto-system. The approach seems to be interestingfrom theoretical point of view. Moreover, it can be useful forinformation protection in a cloud-computing model

    Order-Revealing Encryption and the Hardness of Private Learning

    Full text link
    An order-revealing encryption scheme gives a public procedure by which two ciphertexts can be compared to reveal the ordering of their underlying plaintexts. We show how to use order-revealing encryption to separate computationally efficient PAC learning from efficient (ฯต,ฮด)(\epsilon, \delta)-differentially private PAC learning. That is, we construct a concept class that is efficiently PAC learnable, but for which every efficient learner fails to be differentially private. This answers a question of Kasiviswanathan et al. (FOCS '08, SIAM J. Comput. '11). To prove our result, we give a generic transformation from an order-revealing encryption scheme into one with strongly correct comparison, which enables the consistent comparison of ciphertexts that are not obtained as the valid encryption of any message. We believe this construction may be of independent interest.Comment: 28 page

    Obfuscating Conjunctions under Entropic Ring LWE

    Get PDF
    We show how to securely obfuscate conjunctions, which are functions f(x[subscript 1], . . . , x[subscript n]) = โˆง[subscript iโˆˆI] y[superscript i] where I โŠ† [n] and each literal y[subscript i] is either just x[subscript i] or ยฌx[subscript i] e.g., f(x[subscript 1], . . . , x_n) = x[subscript 1] โŠ† ยฌ x[subscript 3] โŠ† ยฌ x[subscript 7] ยท ยท ยท โŠ† x[subscript nโˆ’1]. Whereas prior work of Brakerski and Rothblum (CRYPTO 2013) showed how to achieve this using a non-standard object called cryptographic multilinear maps, our scheme is based on an โ€œentropicโ€ variant of the Ring Learning with Errors (Ring LWE) assumption. As our core tool, we prove that hardness assumptions on the recent multilinear map construction of Gentry, Gorbunov and Halevi (TCC 2015) can be established based on entropic Ring LWE. We view this as a first step towards proving the security of additional multilinear map based constructions, and in particular program obfuscators, under standard assumptions. Our scheme satisfies virtual black box (VBB) security, meaning that the obfuscated program reveals nothing more than black-box access to f as an oracle, at least as long as (essentially) the conjunction is chosen from a distribution having sufficient entropy

    Indistinguishability Obfuscation from Well-Founded Assumptions

    Get PDF
    In this work, we show how to construct indistinguishability obfuscation from subexponential hardness of four well-founded assumptions. We prove: Let ฯ„โˆˆ(0,โˆž),ฮดโˆˆ(0,1),ฯตโˆˆ(0,1)\tau \in (0,\infty), \delta \in (0,1), \epsilon \in (0,1) be arbitrary constants. Assume sub-exponential security of the following assumptions, where ฮป\lambda is a security parameter, and the parameters โ„“,k,n\ell,k,n below are large enough polynomials in ฮป\lambda: - The SXDH assumption on asymmetric bilinear groups of a prime order p=O(2ฮป)p = O(2^\lambda), - The LWE assumption over Zp\mathbb{Z}_{p} with subexponential modulus-to-noise ratio 2kฯต2^{k^\epsilon}, where kk is the dimension of the LWE secret, - The LPN assumption over Zp\mathbb{Z}_p with polynomially many LPN samples and error rate 1/โ„“ฮด1/\ell^\delta, where โ„“\ell is the dimension of the LPN secret, - The existence of a Boolean PRG in NC0\mathsf{NC}^0 with stretch n1+ฯ„n^{1+\tau}, Then, (subexponentially secure) indistinguishability obfuscation for all polynomial-size circuits exists

    ๊ตฌ๋ถ„๋ถˆ๊ฐ€๋Šฅํ•œ ๋‚œ๋…ํ™”์˜ ์ˆ˜ํ•™์ ๋ถ„์„์— ๊ด€ํ•œ ์—ฐ๊ตฌ

    Get PDF
    ํ•™์œ„๋…ผ๋ฌธ(๋ฐ•์‚ฌ)--์„œ์šธ๋Œ€ํ•™๊ต ๋Œ€ํ•™์› :์ž์—ฐ๊ณผํ•™๋Œ€ํ•™ ์ˆ˜๋ฆฌ๊ณผํ•™๋ถ€,2020. 2. ์ฒœ์ •ํฌ.Indistinguishability obfuscation (iO) is a weak notion of the program obfuscation which requires that if two functionally equivalent circuits are given, their obfuscated programs are indistinguishable. The existence of iO implies numerous cryptographic primitives such as multilinear map, functional encryption, non interactive multi-party key exchange. In gen- eral, many iO schemes are based on branching programs, and candidates of multilinear maps represented by GGH13, CLT13 and GGH15. In this thesis, we present cryptanalyses of branching program based iO over multilinear maps GGH13 and GGH15. First, we propose cryptanaly- ses of all existing branching program based iO schemes over GGH13 for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using NTRU-solver and matrix zeroiz- ing, which can be applied to a wide range of obfuscation constructions. We then show that there exists polynomial time reduction from the NTRU problem to all known branching program based iO over GGH13. Moreover, we propose a new attack on iO based on GGH15 which exploits statistical properties rather than algebraic approaches. We apply our attack to recent two obfuscations called CVW and BGMZ obfuscations. Thus, we break the CVW obfuscation under the current parameter setup, and show that algebraic security model of BGMZ obfuscation is not enough to achieve ideal security. We show that our attack is lying outside of the algebraic security model by presenting some parameters not captured by the proof of the model.๊ธฐ๋Šฅ์„ฑ์ด ๊ฐ™์€ ๋‘ ํ”„๋กœ๊ทธ๋žจ๊ณผ, ๊ทธ ๋‚œ๋…ํ™”๋œ ํ”„๋กœ๊ทธ๋žจ๋“ค์ด ์žˆ์„ ๋•Œ, ๋‚œ๋…ํ™”๋œ ํ”„๋กœ๊ทธ ๋žจ๋“ค์„ ๊ตฌ๋ถ„ํ•  ์ˆ˜ ์—†๋‹ค๋ฉด ๊ตฌ๋ถ„๋ถˆ๊ฐ€๋Šฅํ•œ ๋‚œ๋…ํ™”๋ผ๊ณ  ํ•œ๋‹ค. ๊ตฌ๋ถ„๋ถˆ๊ฐ€๋Šฅํ•œ ๋‚œ๋…ํ™”๊ฐ€ ์กด์žฌํ•œ๋‹ค๋ฉด, ๋‹ค์ค‘์„ ํ˜•ํ•จ์ˆ˜, ํ•จ์ˆ˜์•”ํ˜ธ, ๋‹ค์ž๊ฐ„ ํ‚ค๊ตํ™˜ ๋“ฑ ๋งŽ์€ ์•”ํ˜ธํ•™์ ์ธ ์‘์šฉ๋“ค์ด ์กด์žฌํ•˜๊ธฐ ๋•Œ๋ฌธ์—, ๊ตฌ๋ถ„๋ถˆ๊ฐ€๋Šฅํ•œ ๋‚œ๋…ํ™”๋ฅผ ์„ค๊ณ„ํ•˜๋Š” ๊ฒƒ์€ ๋งค์šฐ ์ค‘์š”ํ•œ ๋ฌธ์ œ ์ค‘ ํ•˜๋‚˜ ์ด๋‹ค. ์ผ๋ฐ˜์ ์œผ๋กœ, ๋งŽ์€ ๊ตฌ๋ถ„๋ถˆ๊ฐ€๋Šฅํ•œ ๋‚œ๋…ํ™”๋“ค์€ ๋‹ค์ค‘์„ ํ˜•ํ•จ์ˆ˜ GGH13, CLT13, GGH15๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ ํ•˜์—ฌ ์„ค๊ณ„๋˜์—ˆ๋‹ค. ๋ณธ ํ•™์œ„ ๋…ผ๋ฌธ์—์„œ๋Š”, ๋‹ค์ค‘์„ ํ˜•ํ•จ์ˆ˜๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ ํ•˜๋Š” ๋‚œ๋…ํ™” ๊ธฐ์ˆ ๋“ค์— ๋Œ€ํ•œ ์•ˆ ์ „์„ฑ ๋ถ„์„์„ ์ง„ํ–‰ํ•œ๋‹ค. ๋จผ์ €, GGH13 ๋‹ค์ค‘์„ ํ˜•ํ•จ์ˆ˜๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ ํ•˜๋Š” ๋ชจ๋“  ๋‚œ๋…ํ™” ๊ธฐ์ˆ ๋“ค์€ ํ˜„์žฌ ํŒŒ๋ผ๋ฏธํ„ฐ ํ•˜์— ์•ˆ์ „ํ•˜์ง€ ์•Š์Œ์„ ๋ณด์ธ๋‹ค. ํ”„๋กœ๊ทธ๋žจ ๋ณ€ํ™˜(program converting), ํ–‰๋ ฌ ์ œ๋กœํ™” ๊ณต๊ฒฉ(matrix zeroizing attack)์ด๋ผ๋Š” ๋‘ ๊ฐ€์ง€ ์ƒˆ๋กœ์šด ๋ฐฉ ๋ฒ•์„ ์ œ์•ˆํ•˜์—ฌ ์•ˆ์ „์„ฑ์„ ๋ถ„์„ํ•˜์˜€๊ณ , ๊ทธ ๊ฒฐ๊ณผ, ํ˜„์กดํ•˜๋Š” ๋ชจ๋“  GGH13 ๋‹ค์ค‘์„ ํ˜•ํ•จ์ˆ˜ ๊ธฐ๋ฐ˜ ๋‚œ๋…ํ™” ๊ธฐ์ˆ ์ด ๋‹คํ•ญ์‹ ์‹œ๊ฐ„ ๋‚ด์— NTRU ๋ฌธ์ œ๋กœ ํ™˜์›๋จ์„ ๋ณด์ธ๋‹ค. ๋˜ํ•œ, GGH15 ๋‹ค์ค‘์„ ํ˜•ํ•จ์ˆ˜๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ ํ•˜๋Š” ๋‚œ๋…ํ™” ๊ธฐ์ˆ ์— ๋Œ€ํ•œ ํ†ต๊ณ„์ ์ธ ๊ณต๊ฒฉ๋ฐฉ๋ฒ•์„ ์ œ์•ˆํ•œ๋‹ค. ํ†ต๊ณ„์  ๊ณต๊ฒฉ๋ฐฉ๋ฒ•์„ ์ตœ์‹  ๊ธฐ์ˆ ์ธ CVW ๋‚œ๋…ํ™”, BGMZ ๋‚œ๋… ํ™”์— ์ ์šฉํ•˜์—ฌ, CVW ๋‚œ๋…ํ™”๊ฐ€ ํ˜„์žฌ ํŒŒ๋ผ๋ฏธํ„ฐ์—์„œ ์•ˆ์ „ํ•˜์ง€ ์•Š์Œ์„ ๋ณด์ธ๋‹ค. ๋˜ํ•œ BGMZ ๋‚œ๋…ํ™”์—์„œ ์ œ์•ˆํ•œ ๋Œ€์ˆ˜์  ์•ˆ์ „์„ฑ ๋ชจ๋ธ์ด ์ด์ƒ์ ์ธ ๋‚œ๋…ํ™” ๊ธฐ์ˆ ์„ ์„ค๊ณ„ํ•˜ ๋Š”๋ฐ ์ถฉ๋ถ„ํ•˜์ง€ ์•Š๋‹ค๋Š” ๊ฒƒ์„ ๋ณด์ธ๋‹ค. ์‹ค์ œ๋กœ, BGMZ ๋‚œ๋…ํ™”๊ฐ€ ์•ˆ์ „ํ•˜์ง€ ์•Š์€ ํŠน์ดํ•œ ํŒŒ๋ผ๋ฏธํ„ฐ๋ฅผ ์ œ์•ˆํ•˜์—ฌ, ์šฐ๋ฆฌ ๊ณต๊ฒฉ์ด BGMZ์—์„œ ์ œ์•ˆํ•œ ์•ˆ์ „์„ฑ ๋ชจ๋ธ์— ํ•ด๋‹นํ•˜์ง€ ์•Š ์Œ์„ ๋ณด์ธ๋‹ค.1. Introduction 1 1.1 Indistinguishability Obfuscation 1 1.2 Contributions 4 1.2.1 Mathematical Analysis of iO based on GGH13 4 1.2.2 Mathematical Analysis of iO based on GGH15 5 1.3 List of Papers 6 2 Preliminaries 7 2.1 Basic Notations 7 2.2 Indistinguishability Obfuscation 8 2.3 Cryptographic Multilinear Map 9 2.4 Matrix Branching Program 10 2.5 Tensor product and vectorization . 11 2.6 Background Lattices . 12 3 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH13 Multilinear Map 13 3.1 Preliminaries 14 3.1.1 Notations 14 3.1.2 GGH13 Multilinear Map 14 3.2 Main Theorem 17 3.3 Attackable BP Obfuscations 18 3.3.1 Randomization for Attackable Obfuscation Model 20 3.3.2 Encoding by Multilinear Map 21 3.3.3 Linear Relationally Inequivalent Branching Programs 22 3.4 Program Converting Technique 23 3.4.1 Converting to R Program 24 3.4.2 Recovering and Converting to R/ Program 27 3.4.3 Analysis of the Converting Technique 28 3.5 Matrix Zeroizing Attack 29 3.5.1 Existing BP Obfuscations 31 3.5.2 Attackable BP Obfuscation, General Case 34 4 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH15 Multilinear Map 37 4.1 Preliminaries 38 4.1.1 Notations 38 4.2 Statistical Zeroizing Attack . 39 4.2.1 Distinguishing Distributions using Sample Variance 42 4.3 Cryptanalysis of CVW Obfuscation 44 4.3.1 Construction of CVW Obfuscation 45 4.3.2 Cryptanalysis of CVW Obfuscation 48 4.4 Cryptanalysis of BGMZ Obfuscation 56 4.4.1 Construction of BGMZ Obfuscation 56 4.4.2 Cryptanalysis of BGMZ Obfuscation 59 5 Conclusions 65 6 Appendix 66 6.1 Appendix of Chapter 3 66 6.1.1 Extended Attackable Model 66 6.1.2 Examples of Matrix Zeroizing Attack 68 6.1.3 Examples of Linear Relationally Inequivalent BPs 70 6.1.4 Read-once BPs from NFA 70 6.1.5 Input-unpartitionable BPs from Barringtons Theorem 71 6.2 Appendix of Chapter 5 73 6.2.1 Simple GGH15 obfuscation 73 6.2.2 Modified CVW Obfuscation . 75 6.2.3 Transformation of Branching Programs 76 6.2.4 Modification of CVW Obfuscation 77 6.2.5 Assumptions of lattice preimage sampling 78 6.2.6 Useful Tools for Computing the Variances 79 6.2.7 Analysis of CVW Obfuscation 84 6.2.8 Analysis of BGMZ Obfuscation 97 Abstract (in Korean) 117Docto

    Indistinguishability Obfuscation: From Approximate to Exact

    Get PDF
    We show general transformations from subexponentially-secure approximate indistinguishability obfuscation (IO) where the obfuscated circuit agrees with the original circuit on a 1/2+ฯต fraction of inputs on a certain samplable distribution, into exact indistinguishability obfuscation where the obfuscated circuit and the original circuit agree on all inputs. As a step towards our results, which is of independent interest, we also obtain an approximate-to-exact transformation for functional encryption. At the core of our techniques is a method for โ€œfoolingโ€ the obfuscator into giving us the correct answer, while preserving the indistinguishability-based security. This is achieved based on various types of secure computation protocols that can be obtained from different standard assumptions. Put together with the recent results of Canetti, Kalai and Paneth (TCC 2015), Pass and Shelat (TCC 2016), and Mahmoody, Mohammed and Nemathaji (TCC 2016), we show how to convert indistinguishability obfuscation schemes in various ideal models into exact obfuscation schemes in the plain model.National Science Foundation (U.S.) (Grant CNS-1350619)National Science Foundation (U.S.) (Grant CNS-1414119
    • โ€ฆ
    corecore