Download presentation

Presentation is loading. Please wait.

Published byJaquez Sturgeon Modified over 2 years ago

1
Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs

2
An obfuscator takes a program P and outputs an equivalent program P’ = Obf(P) such that the code of P’ is “useless”. “useless”: no more useful than oracle P. Obfuscation not possible in general. [ BGI + 01 ] P’ P x P(x) Real World Ideal World What’s obfuscation [BGI + 01] ?

3
What’s a point function? A point function: special point k on which outputs 1, otherwise outputs ?. A multi-bit point function (MBPF): special point k on which outputs hidden message m, otherwise outputs ?. Obfuscators of (multi-bit) point functions studied and constructed by [Can97, CMR98, LPS04, Wee05, CD08]. f k (x ) = 1 if x =k ? otherwise f k,m (x ) = m if x =k ? otherwise

4
Relation to Symmetric Encryption Define: Enc k (m) = Obf(f k,m ) Dec k (c) = c(k) Is it a good symmetric encryption scheme? Good: ciphertext c only as useful as oracle f k,m ( ¢ ). Good even if k only has entropy, but is not uniform. ○ Cryptography with weak keys, leakage-resilience… Good even if m depends on k. ○ Security with Key Dependent Messages (KDM).

5
Relation to Symmetric Encryption Encryption w. weak keys (leakage-resilience) Encryption w. KDM MBPF Obfuscation

6
Outline Symmetric Encryption. Weak keys, Leakage-Resilience, KDM MBPF Obfuscation Definitional variants Connections between symmetric encryption and MBPF obfuscation. Implications, new results.

7
Symmetric Key Encryption Semantic security: one oracle call. CPA: many oracle calls. Weak Keys: ® -weak keys: key k ~ (adversarial) distribution w. min-entropy ®. Leakage-Resilience: Adversary learn L-bits of information about k. [AGV09, DK09, NS09,…] Key Dependent Messages: Attacker chooses g() and real oracle outputs Enc k (g(k) ). [BRS02, BHHO08, HH09…] Key k chosen uniformly at random. Attacker chooses messages m Real oracle: outputs Enc k (m ) Fake oracle: outputs Enc k (0 |m| ) Can’t distinguish real and fake oracles. ® –weak key security ) L= |k| - ® Leakage-Resilience.

8
Definition of Obfuscation A MBPF obfuscator takes (k, m) and creates a program P Ã Obf( f k,m ). Correctness: For all x, P(x) f k,m (x) Polynomial slowdown: P runs in poly-time. VBB Security ([BGI + 01]): For any PPT A, there exists a PPT S such that, for all k, m | Pr[A(P) = 1] – Pr[S f k,m () = 1] | < negl where P Ã Obf( f k,m ).

9
Weaker Definitions Alternative: 8 A 9 S 8 distributions {K, M} | Pr[A(P) = 1] – Pr[S f k,m () = 1] | < negl where (k,m) Ã (K, M), P Ã Obf( f k,m ) Weaker definitions place restrictions on {K, M}: ® -entropic security: Require K has min-entropy ¸ ®. Independent messages: Require M independent of K.

10
Composable Obfuscation VBB does not guarantee security if adversary sees many obfuscations of related functions. [CD08] Problem for application to CPA encryption. Self-composable: secure if obfuscate many related MBPFs of type: (k, m 1 ), (k, m 2 ), (k, m 3 ). | Pr[A(P 1,P 2,…) = 1] – Pr[S f k,m1 (), f k,m2 (),... = 1] |

11
MBPF Obfuscation ) Encryption MBPF Obf with entropic sec. ) SS Enc with weak keys + KDM. Self-Composable MBPF Obf ) CPA Enc …but choice of KDM functions is not adaptive. MBPF Obf with entropic sec. for indep. msg. ) SS Enc with weak keys. Self-Composable ) CPA Enc k (m ) = Obf(f k,m )

12
Encryption ) MBPF Obfuscation Are the connections tight? Do various strengthened notions of encryption imply restricted notions of MBPF obfuscation? Yes, but need extra properties from encryption…

13
Key k chosen uniformly at random. Attacker chooses messages m Real oracle: outputs Enc k (m ) Fake oracle: outputs Enc k (0 |m| ) Can’t distinguish real and fake oracles. Extra Properties for Encryption Need: Encryption hides (distribution of) k. Exists some oracle Fake(). Does not get k,m. Need: Wrong-Key Detection. For any k k’,m : Dec k’ ( Enc k (m )) = ? Fake()

14
Encryption, MBPF Obfuscation MBPF Obf with entropic sec., SS Enc with weak keys + KDM. Self-Composable, CPA …but choice of KDM functions is not adaptive. MBPF Obf with entropic sec. for indep. msg., SS Enc with weak keys. Self-Composable, CPA

15
Implications: Encryption with weak keys Prior encryption schemes with ® -weak keys allow for ® (n) = n ² for any ²>0. [AGV09, DKL09, NS09] … BUT the scheme and its efficiency depend on ². Self-composable MBPF Obfuscators for indep. msg. with VBB security gives us: A single encryption scheme with fixed efficiency. CPA secure if key k ~ any dist with ! (log(n)) entropy. Exact security depends on entropy (graceful degradation).

16
Implications: Encryption with fully weak keys Self-composable MBPF Obfuscators for indep. msg. with VBB security, constructed by [Can97, CD08]. Require: strengthened DDH assumption: (g, g a, g b, g ab ) ¼ (g, g a, g b, g c ) where a has ! (log(n)) entropy, b, c uniform. More recently, [GKPV10] construct an encryption scheme with similar “graceful degradation” under standard LWE.

17
Implications: New MBPF Obf Constructions Use recent leakage-resilience results of [AGV09, NS09, DK09] t o get self-composable MBPF obf. for indep. msg. with ® -entropic security: [AGV09] Under LWE assumption, ® (n) = n ² [DKL09] Under LSN (strengthens LPN) assumption ® (n) = ² n [NS09] Under DDH and K-Linear assumption, ® (n) = n ²

18
Implications: Hardness Results for MBPF Obf. Result of [HH09] : SS encryption with KDM cannot be BB reduced to any “standard assumption”. Includes e.g. OWF, TDP, DDH, RSA,… Excludes e.g. RO model, KoE, Exponential hardness. Cannot base MBPF obfuscation (even entropic with uniform k) on “standard assumptions” via BB reductions.

19
THANK YOU! QUESTIONS?

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google