Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.

Published byJaquez Sturgeon Modified over 9 years ago

Similar presentations

Presentation on theme: "Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs."— Presentation transcript:

1 Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs

2  An obfuscator takes a program P and outputs an equivalent program P’ = Obf(P) such that the code of P’ is “useless”. “useless”: no more useful than oracle P.  Obfuscation not possible in general. [ BGI + 01 ] P’ P x P(x) Real World Ideal World What’s obfuscation [BGI + 01] ?

3 What’s a point function?  A point function: special point k on which outputs 1, otherwise outputs ?.  A multi-bit point function (MBPF): special point k on which outputs hidden message m, otherwise outputs ?.  Obfuscators of (multi-bit) point functions studied and constructed by [Can97, CMR98, LPS04, Wee05, CD08]. f k (x ) = 1 if x =k ? otherwise f k,m (x ) = m if x =k ? otherwise

4 Relation to Symmetric Encryption  Define: Enc k (m) = Obf(f k,m ) Dec k (c) = c(k)  Is it a good symmetric encryption scheme? Good: ciphertext c only as useful as oracle f k,m ( ¢ ). Good even if k only has entropy, but is not uniform. ○ Cryptography with weak keys, leakage-resilience… Good even if m depends on k. ○ Security with Key Dependent Messages (KDM).

5 Relation to Symmetric Encryption Encryption w. weak keys (leakage-resilience) Encryption w. KDM MBPF Obfuscation

6 Outline  Symmetric Encryption. Weak keys, Leakage-Resilience, KDM  MBPF Obfuscation Definitional variants  Connections between symmetric encryption and MBPF obfuscation.  Implications, new results.

7 Symmetric Key Encryption  Semantic security: one oracle call. CPA: many oracle calls.  Weak Keys: ® -weak keys: key k ~ (adversarial) distribution w. min-entropy ®. Leakage-Resilience: Adversary learn L-bits of information about k. [AGV09, DK09, NS09,…]  Key Dependent Messages: Attacker chooses g() and real oracle outputs Enc k (g(k) ). [BRS02, BHHO08, HH09…] Key k chosen uniformly at random. Attacker chooses messages m Real oracle: outputs Enc k (m ) Fake oracle: outputs Enc k (0 |m| ) Can’t distinguish real and fake oracles. ® –weak key security ) L= |k| - ® Leakage-Resilience.

8 Definition of Obfuscation  A MBPF obfuscator takes (k, m) and creates a program P Ã Obf( f k,m ).  Correctness: For all x, P(x)  f k,m (x)  Polynomial slowdown: P runs in poly-time.  VBB Security ([BGI + 01]): For any PPT A, there exists a PPT S such that, for all k, m | Pr[A(P) = 1] – Pr[S f k,m () = 1] | < negl where P Ã Obf( f k,m ).

9 Weaker Definitions  Alternative: 8 A 9 S 8 distributions {K, M} | Pr[A(P) = 1] – Pr[S f k,m () = 1] | < negl where (k,m) Ã (K, M), P Ã Obf( f k,m )  Weaker definitions place restrictions on {K, M}: ® -entropic security: Require K has min-entropy ¸ ®. Independent messages: Require M independent of K.

10 Composable Obfuscation  VBB does not guarantee security if adversary sees many obfuscations of related functions. [CD08] Problem for application to CPA encryption.  Self-composable: secure if obfuscate many related MBPFs of type: (k, m 1 ), (k, m 2 ), (k, m 3 ). | Pr[A(P 1,P 2,…) = 1] – Pr[S f k,m1 (), f k,m2 (),... = 1] | <negl  Self-composable obfuscation of PF ) self-composable obfuscation of MBPF. [CD08]

11 MBPF Obfuscation ) Encryption  MBPF Obf with entropic sec. ) SS Enc with weak keys + KDM.  Self-Composable MBPF Obf ) CPA Enc …but choice of KDM functions is not adaptive.  MBPF Obf with entropic sec. for indep. msg. ) SS Enc with weak keys.  Self-Composable ) CPA Enc k (m ) = Obf(f k,m )

12 Encryption ) MBPF Obfuscation  Are the connections tight?  Do various strengthened notions of encryption imply restricted notions of MBPF obfuscation?  Yes, but need extra properties from encryption…

13 Key k chosen uniformly at random. Attacker chooses messages m Real oracle: outputs Enc k (m ) Fake oracle: outputs Enc k (0 |m| ) Can’t distinguish real and fake oracles. Extra Properties for Encryption  Need: Encryption hides (distribution of) k. Exists some oracle Fake(). Does not get k,m.  Need: Wrong-Key Detection. For any k  k’,m : Dec k’ ( Enc k (m )) = ? Fake()

14 Encryption, MBPF Obfuscation  MBPF Obf with entropic sec., SS Enc with weak keys + KDM.  Self-Composable, CPA …but choice of KDM functions is not adaptive.  MBPF Obf with entropic sec. for indep. msg., SS Enc with weak keys.  Self-Composable, CPA

15 Implications: Encryption with weak keys  Prior encryption schemes with ® -weak keys allow for ® (n) = n ² for any ²>0. [AGV09, DKL09, NS09]  … BUT the scheme and its efficiency depend on ².  Self-composable MBPF Obfuscators for indep. msg. with VBB security gives us: A single encryption scheme with fixed efficiency. CPA secure if key k ~ any dist with ! (log(n)) entropy. Exact security depends on entropy (graceful degradation).

16 Implications: Encryption with fully weak keys  Self-composable MBPF Obfuscators for indep. msg. with VBB security, constructed by [Can97, CD08].  Require: strengthened DDH assumption: (g, g a, g b, g ab ) ¼ (g, g a, g b, g c ) where a has ! (log(n)) entropy, b, c uniform.  More recently, [GKPV10] construct an encryption scheme with similar “graceful degradation” under standard LWE.

17 Implications: New MBPF Obf Constructions  Use recent leakage-resilience results of [AGV09, NS09, DK09] t o get self-composable MBPF obf. for indep. msg. with ® -entropic security: [AGV09] Under LWE assumption, ® (n) = n ² [DKL09] Under LSN (strengthens LPN) assumption ® (n) = ² n [NS09] Under DDH and K-Linear assumption, ® (n) = n ²

18 Implications: Hardness Results for MBPF Obf.  Result of [HH09] : SS encryption with KDM cannot be BB reduced to any “standard assumption”. Includes e.g. OWF, TDP, DDH, RSA,… Excludes e.g. RO model, KoE, Exponential hardness.  Cannot base MBPF obfuscation (even entropic with uniform k) on “standard assumptions” via BB reductions.

19 THANK YOU! QUESTIONS?

Download ppt "Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs."

Similar presentations

FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.

Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.

Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.
PRATYAY MUKHERJEE Aarhus University Joint work with

PRATYAY MUKHERJEE Aarhus University Joint work with
CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs MIT/MSR Reading Group NYU.

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs MIT/MSR Reading Group NYU.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
Lattice-Based Cryptography

Lattice-Based Cryptography
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Nir Bitansky Ran Canetti Henry Cohn Shafi Goldwasser Yael Tauman-Kalai

Nir Bitansky Ran Canetti Henry Cohn Shafi Goldwasser Yael Tauman-Kalai

Similar presentations

Ads by Google