Results 1 to 10 of 166
Virtual BlackBox Obfuscation for All Circuits via Generic Graded Encoding
Abstract
Cited by 66 (1 self)
We present a new general-purpose obfuscator for all polynomial-size circuits. The obfuscator uses graded encoding schemes, a generalization of multilinear maps. We prove that the obfuscator exposes no more information than the program’s black-box functionality, and achieves virtual black-box security, in the generic graded encoding scheme model. This proof is under the Bounded Speedup Hypothesis (BSH, a plausible worst-case complexity-theoretic assumption related to the Exponential Time Hypothesis), in addition to standard cryptographic assumptions. We also show that the weaker notion of indistinguishability obfuscation can be achieved without BSH. Very recently, Garg et al. (FOCS 2013) used graded encoding schemes to present a candidate obfuscator for indistinguishability obfuscation. They posed the problem of constructing a provably secure indistinguishability obfuscator in the generic graded encoding scheme model. Our obfuscator resolves this problem. Indeed, under BSH it achieves the stronger notion of virtual black-box security, which is our focus in this work. Our construction is different from that of Garg et al., but is inspired by it, in particular by their use of permutation branching programs. We obtain our obfuscator by developing techniques used to obfuscate d-CNF formulas (ePrint 2013), and applying them to permutation branching programs. This yields an obfuscator for the complexity class NC^1. We then use homomorphic encryption to obtain an obfuscator for any polynomial-size circuit.
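The abstract above builds its NC^1 obfuscator on permutation branching programs, the constant-width matrix programs that Barrington's theorem gives for every NC^1 formula and the same representation Garg et al. encode. The Python below is an added example, not the paper's construction or code: it compiles a small boolean formula into a width-5 permutation branching program with the standard Barrington recipe (conjugation, inversion and commutators in S5), evaluates it by multiplying one permutation per instruction, and checks the result against direct evaluation on every input. The 5-cycles SIGMA and TAU, the tuple encoding of formulas and the MAJ3 test input are this example's own choices; it performs no graded encoding, which is the layer the obfuscator adds on top.

```python
# Added example (not from the paper): width-5 permutation branching programs via
# Barrington's construction; plaintext layer only, no graded encodings involved.
from itertools import permutations, product

N = 5
IDENTITY = tuple(range(N))
SIGMA = (1, 2, 3, 4, 0)  # the 5-cycle (0 1 2 3 4)
TAU = (2, 0, 4, 1, 3)    # the 5-cycle (0 2 4 3 1), chosen so [SIGMA, TAU] is again a 5-cycle

def compose(a, b):
    """Permutation 'apply a, then b'; every product below reads left to right."""
    return tuple(b[a[i]] for i in range(N))

def inverse(p):
    inv = [0] * N
    for i, j in enumerate(p):
        inv[j] = i
    return tuple(inv)

def conjugate(p, theta):
    """theta^-1 . p . theta in apply order."""
    return compose(compose(inverse(theta), p), theta)

def find_conjugator(src, dst):
    """Brute-force a theta with conjugate(src, theta) == dst; exists for any two 5-cycles."""
    for theta in permutations(range(N)):
        if conjugate(src, theta) == dst:
            return theta
    raise ValueError("permutations are not conjugate")

# A program is a list of instructions (i, p0, p1); an instruction contributes p1 if
# x[i] == 1 else p0.  It "SIGMA-computes" f when the product of the contributed
# permutations is SIGMA whenever f(x) = 1 and IDENTITY whenever f(x) = 0.

def var_bp(i):
    return [(i, IDENTITY, SIGMA)]

def conjugate_bp(bp, theta):
    return [(i, conjugate(p0, theta), conjugate(p1, theta)) for i, p0, p1 in bp]

def invert_bp(bp):
    """Reverse the order and invert each permutation: the product becomes its inverse."""
    return [(i, inverse(p0), inverse(p1)) for i, p0, p1 in reversed(bp)]

def not_bp(bp):
    """Right-multiply the last instruction by SIGMA^-1, so the product is SIGMA^-1 iff
    f = 0, then conjugate SIGMA^-1 back to SIGMA: the result SIGMA-computes NOT f."""
    s_inv = inverse(SIGMA)
    i, p0, p1 = bp[-1]
    flipped = bp[:-1] + [(i, compose(p0, s_inv), compose(p1, s_inv))]
    return conjugate_bp(flipped, find_conjugator(s_inv, SIGMA))

def and_bp(p, q):
    """P Q' P^-1 Q'^-1 with Q' TAU-computing g: the product is the commutator
    SIGMA TAU SIGMA^-1 TAU^-1 iff f = g = 1, and IDENTITY otherwise (as soon as one
    input is 0 its two factors vanish and the other pair cancels)."""
    q_tau = conjugate_bp(q, find_conjugator(SIGMA, TAU))
    prog = p + q_tau + invert_bp(p) + invert_bp(q_tau)
    rho = compose(compose(compose(SIGMA, TAU), inverse(SIGMA)), inverse(TAU))
    return conjugate_bp(prog, find_conjugator(rho, SIGMA))  # raises if rho is not a 5-cycle

def or_bp(p, q):
    return not_bp(and_bp(not_bp(p), not_bp(q)))

def build(f):
    """Formulas are nested tuples: ('var', i), ('not', f), ('and', f, g), ('or', f, g)."""
    if f[0] == "var":
        return var_bp(f[1])
    if f[0] == "not":
        return not_bp(build(f[1]))
    return (and_bp if f[0] == "and" else or_bp)(build(f[1]), build(f[2]))

def evaluate(bp, x):
    """All an evaluator does: pick one permutation per instruction and multiply."""
    out = IDENTITY
    for i, p0, p1 in bp:
        out = compose(out, p1 if x[i] else p0)
    return out

def decode(out):
    """1 for SIGMA, 0 for IDENTITY; any other product means a malformed program."""
    return {SIGMA: 1, IDENTITY: 0}[out]

def check_all(formula, reference, nbits):
    """Compare the program with a reference function on every input and return the
    program length: width stays 5, an AND or OR of two length-L programs has length 4L,
    and NOT preserves length."""
    bp = build(formula)
    for bits in product((0, 1), repeat=nbits):
        assert decode(evaluate(bp, bits)) == reference(bits), bits
    return len(bp)

# Constructed input: majority of three bits, a small NC^1 formula (40 instructions).
MAJ3 = ("or", ("or", ("and", ("var", 0), ("var", 1)), ("and", ("var", 1), ("var", 2))),
        ("and", ("var", 0), ("var", 2)))
maj3 = lambda x: int(sum(x) >= 2)
```

What makes this representation attractive for obfuscation is visible in `evaluate`: the input selects one permutation per instruction and the output is nothing but their product, so an obfuscator only has to hide the individual permutations while still allowing them to be multiplied and the final product to be compared with the identity. Graded encodings provide exactly those operations; this example stops at the plaintext program.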
Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption
, 2014
Abstract
Cited by 39 (11 self)
We revisit the question of constructing secure general-purpose indistinguishability obfuscation (iO), with a security reduction based on explicit computational assumptions. Previous to our work, such reductions were only known to exist based on instance-dependent assumptions and/or ad-hoc assumptions: In the original constructive work of Garg et al. (FOCS 2013), the underlying explicit computational assumption encapsulated an exponential family of assumptions for each pair of circuits to be obfuscated. In the more recent work of Pass et al. (ePrint 2013), the underlying assumption is a meta-assumption that also encapsulates an exponential family of assumptions, and this meta-assumption is invoked in a manner that captures the specific pair of circuits to be obfuscated. The assumptions underlying both these works substantially capture (either explicitly or implicitly) the actual structure of the obfuscation mechanism itself. In our work, we provide the first construction of general-purpose indistinguishability obfuscation proven secure via a reduction to an instance-independent computational assumption over multilinear maps, namely, the Multilinear Subgroup Elimination Assumption. Our assumption does not depend on the circuits to be obfuscated (except for their size), and does not correspond
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation
Abstract
Cited by 32 (6 self)
In this work, we show how to use indistinguishability obfuscation (iO) to build multiparty key exchange, efficient broadcast encryption, and efficient traitor tracing. Our schemes enjoy several interesting properties that have not been achievable before:
• Our multiparty non-interactive key exchange protocol does not require a trusted setup. Moreover, the size of the published value from each user is independent of the total number of users.
• Our broadcast encryption schemes support distributed setup, where users choose their own secret keys rather than being given secret keys by a trusted entity. The broadcast ciphertext size is independent of the number of users.
• Our traitor tracing system is fully collusion resistant with short ciphertexts, secret keys, and public key. Ciphertext size is logarithmic in the number of users and secret-key size is independent of the number of users. Our public key size is polylogarithmic in the number of users. The recent functional encryption system of Garg, Gentry, Halevi, Raykova, Sahai, and Waters also leads to a traitor tracing with similar ciphertext and secret key size, but the construction in this paper is simpler and more direct. These constructions resolve an open problem relating to differential privacy.
• Generalizing our traitor tracing system gives a private broadcast encryption scheme (where broadcast ciphertexts reveal minimal information about the recipient set) with optimal size ciphertext.
Our proof of security for private broadcast encryption and traitor tracing introduces a new tool for iO proofs: the construction makes use of a key-homomorphic symmetric cipher which plays a crucial role in the proof of security.
Cryptanalysis of the Multilinear Map over the Integers
Abstract
Cited by 30 (3 self)
We describe a polynomial-time cryptanalysis of the (approximate) multilinear map of Coron, Lepoint and Tibouchi (CLT). The attack relies on an adaptation of the so-called zeroizing attack against the Garg, Gentry and Halevi (GGH) candidate multilinear map. Zeroizing is much more devastating for CLT than for GGH. In the case of GGH, it allows one to break generalizations of the Decision Linear and Subgroup Membership problems from pairing-based cryptography. For CLT, this leads to a total break: all quantities meant to be kept secret can be efficiently and publicly recovered.
On the implausibility of differinginputs obfuscation and extractable witness encryption with auxiliary input. Cryptology ePrint Archive, Report 2013/860
, 2013
Abstract
Cited by 30 (3 self)
The notion of differing-inputs obfuscation (diO) was introduced by Barak et al. (CRYPTO 2001). It guarantees that, for any two circuits C0, C1, if it is difficult to come up with an input x on which C0(x) ≠ C1(x), then it should also be difficult to distinguish the obfuscation of C0 from that of C1. This is a strengthening of indistinguishability obfuscation, where the above is only guaranteed for circuits that agree on all inputs: C0(x) = C1(x) for all x. Two recent works of Ananth et al. (ePrint 2013) and Boyle et al. (TCC 2014) study the notion of diO in the setting where the attacker is also given some auxiliary information related to the circuits, showing that this notion leads to many interesting applications. In this work, we show that the existence of general-purpose diO with general auxiliary input has a surprising consequence: it implies that a specific circuit C* with specific auxiliary input aux* cannot be obfuscated in a way that hides some specific information. In other words, under the conjecture that such special-purpose obfuscation exists, we show that general-purpose diO cannot exist. We do not know if this special-purpose obfuscation assumption is implied by diO itself, and hence we do not get an unconditional impossibility result. However, the special-purpose obfuscation assumption is a falsifiable assumption which we do not know how to break for candidate obfuscation schemes. Showing the existence of general-purpose diO with general auxiliary input would necessitate showing how to break this assumption. We also show that the special-purpose obfuscation assumption implies the impossibility of extractable witness encryption with auxiliary input, a notion proposed by Goldwasser et al. (CRYPTO 2013). A variant of this assumption also implies the impossibility of “output-only dependent” hardcore bits for general one-way functions, as recently constructed by Bellare and Tessaro (ePrint 2013) using diO.
Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation
, 2013
Abstract
Cited by 30 (4 self)
Our main result gives a way to instantiate the random oracle with a concrete hash function in “full domain hash” applications. The term full domain hash was first proposed by Bellare and Rogaway [BR93, BR96] and referred to a signature scheme from any trapdoor permutation that was part of their seminal work introducing the random oracle heuristic. Over time the term full domain hash has (informally) encompassed a broader range of notable cryptographic schemes including the Boneh-Franklin [BF01] IBE scheme and Boneh-Lynn-Shacham (BLS) [BLS01] signatures. All of the above described schemes required a hash function that had to be modeled as a random oracle to prove security. Our work utilizes recent advances in indistinguishability obfuscation to construct specific hash functions for use in these schemes. We then prove security of the original cryptosystems when instantiated with our specific hash function. Of particular interest, our work evades the impossibility result of Dodis, Oliveira, and Pietrzak [DOP05], who showed that there can be no black-box construction of hash functions that allow Full-Domain Hash Signatures to be based on trapdoor permutations. This indicates that our techniques applying indistinguishability
Fully Secure Functional Encryption without Obfuscation
Abstract
Cited by 29 (3 self)
Previously known functional encryption (FE) schemes for general circuits relied on indistinguishability obfuscation, which in turn either relies on an exponential number of assumptions (basically, one per circuit), or a polynomial set of assumptions, but with an exponential loss in the security reduction. Additionally, these schemes are proved in an unrealistic selective security model, where the adversary is forced to specify its target before seeing the public parameters. For these constructions, full security can be obtained but at the cost of an exponential loss in the security reduction. In this work, we overcome the above limitations and realize a fully secure functional encryption scheme without using indistinguishability obfuscation. Specifically, the security of our scheme relies only on the polynomial hardness of simple assumptions on multilinear maps.
GGHLite: More Efficient Multilinear Maps from Ideal Lattices
Abstract
Cited by 26 (5 self)
The GGH Graded Encoding Scheme [10], based on ideal lattices, is the first plausible approximation to a cryptographic multilinear map. Unfortunately, using the security analysis in [10], the scheme requires very large parameters to provide security for its underlying “encoding re-randomization” process. Our main contributions are to formalize, simplify and improve the efficiency and the security analysis of the re-randomization process in the GGH construction. This results in a new construction that we call GGHLite. In particular, we first lower the size of a standard deviation parameter of the re-randomization process of [10] from exponential to polynomial in the security parameter. This first improvement is obtained via a finer security analysis of the “drowning” step of re-randomization, in which we apply the Rényi divergence instead of the conventional statistical distance as a measure of distance between distributions. Our second improvement is to reduce the number of randomizers needed from Ω(n log n) to 2, where n is the dimension of the underlying ideal lattices. These two contributions allow us to decrease the bit size of the public parameters from O(λ^5 log λ) for the GGH scheme to O(λ log^2 λ) in GGHLite, with respect to the security parameter λ (for a constant multilinearity parameter κ).
Immunizing multilinear maps against zeroizing attacks. IACR Cryptology ePrint Archive
Abstract
Cited by 22 (1 self)
In recent work Cheon, Han, Lee, Ryu, and Stehlé presented an attack on the multilinear map of Coron, Lepoint, and Tibouchi (CLT). They show that given many low-level encodings of zero, the CLT multilinear map can be completely broken, recovering the secret factorization of the CLT modulus. The attack is a generalization of the “zeroizing” attack of Garg, Gentry, and Halevi. We first strengthen the attack of Cheon, Han, Lee, Ryu, and Stehlé by showing that CLT can be broken even without low-level encodings of zero. This strengthening is sufficient to show that the subgroup elimination assumption does not hold for the CLT multilinear map. We then present a generic defense against this type of “zeroizing” attack. For an arbitrary asymmetric composite-order multilinear map (including CLT), we give a functionality-preserving transformation that ensures that no sequence of map operations will produce valid encodings (below the zero-testing level) whose product is zero. We prove security of our transformation in a generic model of composite-order multilinear maps. Our new transformation rules out “zeroizing”, leaving no currently known attacks on the decision linear assumption, subgroup elimination assumption, and other related problems for the CLT multilinear map. Of course, in time, it is possible that different attacks on CLT will emerge.
Outsourcing Private RAM Computation
, 2014
Abstract
Cited by 20 (1 self)
We construct the first schemes that allow a client to privately outsource arbitrary program executions to a remote server while ensuring that: (I) the client’s work is small and essentially independent of the complexity of the computation being outsourced, and (II) the server’s work is only proportional to the runtime of the computation on a random access machine (RAM), rather than its potentially much larger circuit size. Furthermore, our solutions are non-interactive and have the structure of reusable garbled RAM programs, addressing an open question of Lu and Ostrovsky (Eurocrypt 2013). We also construct schemes for an augmented variant of the above scenario, where the client can initially outsource a large private and persistent database to the server, and later outsource arbitrary program executions with read/write access to this database. Our solutions are built from non-reusable garbled RAM in conjunction with new types of reusable garbled circuits that are more efficient than prior solutions but only satisfy weaker security. For the basic setting without a persistent database, we can instantiate the required type of reusable garbled circuits from indistinguishability obfuscation or from functional encryption for circuits as a black box. For the more complex setting with a persistent database, we can instantiate the required type of reusable garbled circuits using stronger notions of obfuscation. It remains an open problem to instantiate these new types of reusable garbled circuits under weaker assumptions, possibly avoiding obfuscation altogether. We also give several extensions of our results and techniques to achieve: schemes with efficiency proportional to the input-specific RAM runtime, verifiable outsourced RAM computation, functional encryption for RAMs, and a candidate obfuscator for RAMs.