Results 1-10 of 28
On the (im)possibility of obfuscating programs
Lecture Notes in Computer Science, 2001
Cited by 189 (10 self)
Informally, an obfuscator O is an (efficient, probabilistic) “compiler” that takes as input a program (or circuit) P and produces a new program O(P) that has the same functionality as P yet is “unintelligible” in some sense. Obfuscators, if they exist, would have a wide variety of cryptographic and complexity-theoretic applications, ranging from software protection to homomorphic encryption to complexity-theoretic analogues of Rice’s theorem. Most of these applications are based on an interpretation of the “unintelligibility” condition in obfuscation as meaning that O(P) is a “virtual black box,” in the sense that anything one can efficiently compute given O(P), one could also efficiently compute given oracle access to P. In this work, we initiate a theoretical investigation of obfuscation. Our main result is that, even under very weak formalizations of the above intuition, obfuscation is impossible. We prove this by constructing a family of efficient programs P that are unobfuscatable in the sense that (a) given any efficient program P′ that computes the same function as a program P ∈ P, the “source code” P can be efficiently reconstructed, yet (b) given oracle access to a (randomly selected) program P ∈ P, no efficient algorithm can reconstruct P (or even distinguish a certain bit in the code from random) except with negligible probability. We extend our impossibility result in a number of ways, including to obfuscators that (a) are not necessarily computable in polynomial time, (b) only approximately preserve the functionality, and (c) only need to work for very restricted models of computation (TC^0). We also rule out several potential applications of obfuscators, by constructing “unobfuscatable” signature schemes, encryption schemes, and pseudorandom function families.
Perfect non-interactive zero knowledge for NP
Proceedings of Eurocrypt 2006, volume 4004 of LNCS, 2006
Cited by 39 (3 self)
Abstract. Non-interactive zero-knowledge (NIZK) proof systems are fundamental cryptographic primitives used in many constructions, including CCA2-secure cryptosystems, digital signatures, and various cryptographic protocols. What makes them especially attractive is that they work equally well in a concurrent setting, which is notoriously hard for interactive zero-knowledge protocols. However, while for interactive zero knowledge we know how to construct statistical zero-knowledge argument systems for all NP languages, for non-interactive zero knowledge this problem remained open since the inception of NIZK in the late 1980s. Here we resolve two problems regarding NIZK: We construct the first perfect NIZK argument system for any NP
Statistical zero-knowledge proofs with efficient provers: Lattice problems and more
In CRYPTO, 2003
Cited by 39 (8 self)
Abstract. We construct several new statistical zero-knowledge proofs with efficient provers, i.e. ones where the prover strategy runs in probabilistic polynomial time given an NP witness for the input string. Our first proof systems are for approximate versions of the Shortest Vector Problem (SVP) and Closest Vector Problem (CVP), where the witness is simply a short vector in the lattice or a lattice vector close to the target, respectively. Our proof systems are in fact proofs of knowledge, and as a result, we immediately obtain efficient lattice-based identification schemes which can be implemented with arbitrary families of lattices in which the approximate SVP or CVP are hard. We then turn to the general question of whether all problems in SZK ∩ NP admit statistical zero-knowledge proofs with efficient provers. Towards this end, we give a statistical zero-knowledge proof system with an efficient prover for a natural restriction of Statistical Difference, a complete problem for SZK. We also suggest a plausible approach to resolving the general question in the positive.
Finding collisions in interactive protocols – A tight lower bound on the round complexity of statistically-hiding commitments
In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science, 2007
Cited by 33 (11 self)
We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fully-black-box construction of a statistically-hiding commitment scheme from one-way permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statistically-hiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as single-server private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collision-finding oracle due to Simon (EUROCRYPT ’98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS ’00). In both cases, our extensions are quite delicate and may be found useful in proving additional black-box separation results.
An unconditional study of computational zero knowledge
SIAM Journal on Computing, 2004
Cited by 27 (7 self)
We prove a number of general theorems about ZK, the class of problems possessing (computational) zero-knowledge proofs. Our results are unconditional, in contrast to most previous works on ZK, which rely on the assumption that one-way functions exist. We establish several new characterizations of ZK, and use these characterizations to prove results such as: 1. Honest-verifier ZK equals general ZK. 2. Public-coin ZK equals private-coin ZK. 3. ZK is closed under union. 4. ZK with imperfect completeness equals ZK with perfect completeness. 5. Any problem in ZK ∩ NP can be proven in computational zero knowledge by a BPP^NP prover. 6. ZK with black-box simulators equals ZK with general, non-black-box simulators. The above equalities refer to the resulting class of problems (and do not necessarily preserve other efficiency measures such as round complexity). Our approach is to combine the conditional techniques previously used in the study of ZK with the unconditional techniques developed in the study of SZK, the class of problems possessing statistical zero-knowledge proofs. To enable this combination, we prove that every problem in ZK can be decomposed into a problem in SZK together with a set of instances from which a one-way function can be constructed.
Cryptography and game theory: Designing protocols for exchanging information
In Theory of Cryptography Conference, 2008
Cited by 27 (1 self)
The goal of this paper is finding fair protocols for the secret sharing and secure multiparty computation (SMPC) problems, when players are assumed to be rational. It was observed by Halpern and Teague (STOC 2004) that protocols with a bounded number of iterations are susceptible to backward induction and cannot be considered rational. Previously suggested cryptographic solutions all share the property of having an essential exponential upper bound on their running time, and hence they are also susceptible to backward induction. Although it seems that this bound is an inherent property of every cryptography-based solution, we show that this is not the case. We suggest coalition-resilient secret sharing and SMPC protocols with the property that after any sequence of iterations it is still a computational best response to follow them. Therefore, the protocols can be run for any number of iterations, and are immune to backward induction. The means of communication assumed is a broadcast channel, and we consider both the simultaneous and non-simultaneous cases.
Rothblum: On Best-Possible Obfuscation
TCC, 2007
Cited by 18 (1 self)
Abstract. An obfuscator is a compiler that transforms any program (which we will view in this work as a boolean circuit) into an obfuscated program (also a circuit) that has the same input-output functionality as the original program, but is “unintelligible”. Obfuscation has applications for cryptography and for software protection. Barak et al. initiated a theoretical study of obfuscation, which focused on black-box obfuscation, where the obfuscated circuit should leak no information except for its (black-box) input-output functionality. A family of functionalities that cannot be obfuscated was demonstrated. Subsequent research has shown further negative results as well as positive results for obfuscating very specific families of circuits, all with respect to black-box obfuscation. This work is a study of a new notion of obfuscation, which we call best-possible obfuscation. Best-possible obfuscation makes the relaxed requirement that the obfuscated program leaks as little information as
A Unified Methodology For Constructing Public-Key Encryption Schemes Secure Against Adaptive . . .
2002
Cited by 14 (0 self)
We introduce a new methodology for achieving security against adaptive chosen-ciphertext attack (CCA) for public-key encryption schemes, which we call the oblivious decryptors model. The oblivious decryptors model generalizes both the two-key model of Naor and Yung, as well as the Cramer-Shoup encryption schemes. The key ingredient in our new paradigm is Sahai's notion of Simulation-Sound NIZK proofs. Our
Concurrent zero knowledge without complexity assumptions
In TCC, 2006
Cited by 11 (5 self)
Abstract. We provide unconditional constructions of concurrent statistical zero-knowledge proofs for a variety of non-trivial problems (not known to have probabilistic polynomial-time algorithms). The problems include Graph Isomorphism, Graph Non-isomorphism, Quadratic Residuosity, Quadratic Non-residuosity, a restricted version of Statistical Difference, and approximate versions of the (coNP forms of the) Shortest Vector Problem and Closest Vector Problem in lattices. For some of the problems, such as Graph Isomorphism and Quadratic Residuosity, the proof systems have provers that can be implemented in polynomial time (given an NP witness) and have Õ(log n) rounds, which is known to be essentially optimal for black-box simulation.
Zero Knowledge and Soundness are Symmetric
In EUROCRYPT ’07: 26th Annual Conference on the Theory and Applications of Cryptographic Techniques, 2007
Cited by 7 (3 self)
Abstract. We give a complexity-theoretic characterization of the class of problems in NP having zero-knowledge argument systems. This characterization is symmetric in its treatment of the zero-knowledge and the soundness conditions, and thus we deduce that the class of problems in NP ∩ coNP having zero-knowledge arguments is closed under complement. Furthermore, we show that a problem in NP has a statistical zero-knowledge argument system if and only if its complement has a computational zero-knowledge proof system. What is novel about these results is that they are unconditional, i.e., they do not rely on unproven complexity assumptions such as the existence of one-way functions. Our characterization of zero-knowledge arguments also enables us to prove a variety of other unconditional results about the class of problems in NP having zero-knowledge arguments, such as equivalences between honest-verifier and malicious-verifier zero knowledge, private coins and public coins, inefficient provers and efficient provers, and non-black-box simulation and black-box simulation. Previously, such results were only known unconditionally for zero-knowledge proof systems, or under the assumption that one-way functions exist for zero-knowledge argument systems.