Results 1  10
of
110
On the (im)possibility of obfuscating programs
 Lecture Notes in Computer Science
, 2001
"... Informally, an obfuscator O is an (efficient, probabilistic) “compiler ” that takes as input a program (or circuit) P and produces a new program O(P) that has the same functionality as P yet is “unintelligible ” in some sense. Obfuscators, if they exist, would have a wide variety of cryptographic an ..."
Abstract

Cited by 341 (24 self)
 Add to MetaCart
(Show Context)
Informally, an obfuscator O is an (efficient, probabilistic) “compiler ” that takes as input a program (or circuit) P and produces a new program O(P) that has the same functionality as P yet is “unintelligible ” in some sense. Obfuscators, if they exist, would have a wide variety of cryptographic and complexitytheoretic applications, ranging from software protection to homomorphic encryption to complexitytheoretic analogues of Rice’s theorem. Most of these applications are based on an interpretation of the “unintelligibility ” condition in obfuscation as meaning that O(P) is a “virtual black box, ” in the sense that anything one can efficiently compute given O(P), one could also efficiently compute given oracle access to P. In this work, we initiate a theoretical investigation of obfuscation. Our main result is that, even under very weak formalizations of the above intuition, obfuscation is impossible. We prove this by constructing a family of efficient programs P that are unobfuscatable in the sense that (a) given any efficient program P ′ that computes the same function as a program P ∈ P, the “source code ” P can be efficiently reconstructed, yet (b) given oracle access to a (randomly selected) program P ∈ P, no efficient algorithm can reconstruct P (or even distinguish a certain bit in the code from random) except with negligible probability. We extend our impossibility result in a number of ways, including even obfuscators that (a) are not necessarily computable in polynomial time, (b) only approximately preserve the functionality, and (c) only need to work for very restricted models of computation (TC 0). We also rule out several potential applications of obfuscators, by constructing “unobfuscatable” signature schemes, encryption schemes, and pseudorandom function families.
Pseudonym Systems
, 1999
"... Pseudonym systems allow users to interact with multiple organizations anonymously, using pseudonyms. The pseudonyms cannot be linked, but are formed in such a way that a user can prove to one organization a statement about his relationship with another. Such statement is called a credential. Previou ..."
Abstract

Cited by 149 (10 self)
 Add to MetaCart
Pseudonym systems allow users to interact with multiple organizations anonymously, using pseudonyms. The pseudonyms cannot be linked, but are formed in such a way that a user can prove to one organization a statement about his relationship with another. Such statement is called a credential. Previous work in this area did not protect the system against dishonest users who collectively use their pseudonyms and credentials, i.e. share an identity. Previous practical schemes also relied very heavily on the involvement of a trusted center. In the present paper we give a formal definition of pseudonym systems where users are motivated not to share their identity, and in which the trusted center's involvement is minimal. We give theoretical constructions for such systems based on any oneway function. We also suggest an efficient and easy to implement practical scheme. This is joint work with Ronald L. Rivest and Amit Sahai.
Improved Garbled Circuit: Free XOR Gates and Applications
"... Abstract. We present a new garbled circuit construction for twoparty secure function evaluation (SFE). In our oneround protocol, XOR gates are evaluated “for free”, which results in the corresponding improvement over the best garbled circuit implementations (e.g. Fairplay [19]). We build permutati ..."
Abstract

Cited by 108 (17 self)
 Add to MetaCart
(Show Context)
Abstract. We present a new garbled circuit construction for twoparty secure function evaluation (SFE). In our oneround protocol, XOR gates are evaluated “for free”, which results in the corresponding improvement over the best garbled circuit implementations (e.g. Fairplay [19]). We build permutation networks [26] and Universal Circuits (UC) [25] almost exclusively of XOR gates; this results in a factor of up to 4 improvement (in both computation and communication) of their SFE. We also improve integer addition and equality testing by factor of up to 2. We rely on the Random Oracle (RO) assumption. Our constructions are proven secure in the semihonest model. 1
MerkleDamg˚ard Revisited: How to Construct a Hash Function
 Advances in Cryptology, Crypto 2005
"... The most common way of constructing a hash function (e.g., SHA1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a blockcipher. In this paper, we introduce a new security notion for hashfunctions, stronger than col ..."
Abstract

Cited by 94 (8 self)
 Add to MetaCart
(Show Context)
The most common way of constructing a hash function (e.g., SHA1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a blockcipher. In this paper, we introduce a new security notion for hashfunctions, stronger than collisionresistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixedlength building block is viewed as a random oracle or an ideal blockcipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixedlength primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA1 and MD5 — the (strengthened) MerkleDamg˚ard transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain MerkleDamg˚ard construction and are easily implementable in practice.
Simulationsound nizk proofs for a practical language and constant size group signatures
, 2006
"... Noninteractive zeroknowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NP ..."
Abstract

Cited by 83 (12 self)
 Add to MetaCart
(Show Context)
Noninteractive zeroknowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NPcomplete language such as Circuit Satisfiability. Security of all our constructions is based on the decisional linear assumption. The NIZK proof system is quite general and has many applications such as digital signatures, verifiable encryption and group signatures. We focus on the latter and get the first group signature scheme satisfying the strong security definition of Bellare, Shi and Zhang [7] in the standard model without random oracles where each group signature consists only of a constant number of group elements. We also suggest a simulationsound NIZK proof of knowledge, which is much more efficient than previous constructions in the literature. Caveat: The constants are large, and therefore our schemes are not practical. Nonetheless, we find it very interesting for the first time to have NIZK proofs and group signatures that except for a constant factor are optimal without using the random oracle model to argue security.
Improved delegation of computation using fully homomorphic encryption
 CRYPTO 2010, LNCS 6223
, 2010
"... Following Gennaro, Gentry, and Parno (Cryptology ePrint Archive 2009/547), we use fully homomorphic encryption to design improved schemes for delegating computation. In such schemes, a delegator outsources the computation of a function F on many, dynamically chosen inputs xi to a worker in such a wa ..."
Abstract

Cited by 71 (2 self)
 Add to MetaCart
(Show Context)
Following Gennaro, Gentry, and Parno (Cryptology ePrint Archive 2009/547), we use fully homomorphic encryption to design improved schemes for delegating computation. In such schemes, a delegator outsources the computation of a function F on many, dynamically chosen inputs xi to a worker in such a way that it is infeasible for the worker to make the delegator accept a result other than F (xi). The “online stage ” of the Gennaro et al. scheme is very efficient: the parties exchange two messages, the delegator runs in time poly(log T), and the worker runs in time poly(T), where T is the time complexity of F. However, the “offline stage ” (which depends on the function F but not the inputs to be delegated) is inefficient: the delegator runs in time poly(T) and generates a public key of length poly(T) that needs to be accessed by the worker during the online stage. Our first construction eliminates the large public key from the Gennaro et al. scheme. The delegator still invests poly(T) time in the offline stage, but does not need to communicate or publish anything. Our second construction reduces the work of the delegator in the offline stage to poly(log T) at the price of a 4message (offline) interaction with a poly(T)time worker
MultiPropertyPreserving Hash Domain Extension and the EMD Transform
 Advances in Cryptology – ASIACRYPT 2006
, 2006
"... Abstract We point out that the seemingly strong pseudorandom oracle preserving (PROPr) propertyof hash function domainextension transforms defined and implemented by Coron et. al. [12] can actually weaken our guarantees on the hash function, in particular producing a hash functionthat fails to be ..."
Abstract

Cited by 70 (8 self)
 Add to MetaCart
(Show Context)
Abstract We point out that the seemingly strong pseudorandom oracle preserving (PROPr) propertyof hash function domainextension transforms defined and implemented by Coron et. al. [12] can actually weaken our guarantees on the hash function, in particular producing a hash functionthat fails to be even collisionresistant (CR) even though the compression function to which the transform is applied is CR. Not only is this true in general, but we show that all the transformspresented in [12] have this weakness. We suggest that the appropriate goal of a domain extension transform for the next generation of hash functions is to be multiproperty preserving, namelythat one should have a single transform that is simultaneously at least collisionresistance preserving, pseudorandom function preserving and PROPr. We present an efficient new transformthat is proven to be multiproperty preserving in this sense.
On the (In)security of the FiatShamir Paradigm
 In Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science
, 2003
"... In 1986, Fiat and Shamir suggested a general method for transforming secure 3round publiccoin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen ..."
Abstract

Cited by 55 (2 self)
 Add to MetaCart
(Show Context)
In 1986, Fiat and Shamir suggested a general method for transforming secure 3round publiccoin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen message attacks. All other known constructions which achieve such security are substantially more inefficient and complicated in design. In 1996...
Distinguisher and RelatedKey Attack on the Full AES256
 Advances in Cryptology – CRYPTO 2009, Proceedings, volume 5677 of Lecture Notes in Computer Science
, 2009
"... Abstract. In this paper we construct a chosenkey distinguisher and a relatedkey attack on the full 256bit key AES. We define a notion of differential qmulticollision and show that for AES256 qmulticollisions can be constructed in time q · 2 67 and with negligible memory, while we prove that th ..."
Abstract

Cited by 53 (5 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we construct a chosenkey distinguisher and a relatedkey attack on the full 256bit key AES. We define a notion of differential qmulticollision and show that for AES256 qmulticollisions can be constructed in time q · 2 67 and with negligible memory, while we prove that the same task for an ideal cipher of the same block size would require at least O(q · 2 q−1 q+1 128) time. Using similar approach and with the same complexity we can also construct qpseudo collisions for AES256 in DaviesMeyer hashing mode, a scheme which is provably secure in the idealcipher model. We have also computed partial qmulticollisions in time q · 2 37 on a PC to verify our results. These results show that AES256 can not model an ideal cipher in theoretical constructions. Finally we extend our results to find the first publicly known attack on the full 14round AES256: a relatedkey distinguisher which works for one out of every 2 35 keys with 2 120 data and time complexity and negligible memory. This distinguisher is translated into a keyrecovery attack with total complexity of 2 131 time and 2 65 memory. Keywords: AES, relatedkey attack, chosen key distinguisher, DaviesMeyer, ideal cipher.
Fully anonymous group signatures without random oracles
 In ASIACRYPT 2007, volume 4833 of LNCS
, 2007
"... We construct a new group signature scheme using bilinear groups. The group signature scheme is practical, both keys and group signatures consist of a constant number of group elements, and the scheme permits dynamic enrollment of new members. The scheme satisfies strong security requirements, in par ..."
Abstract

Cited by 53 (2 self)
 Add to MetaCart
(Show Context)
We construct a new group signature scheme using bilinear groups. The group signature scheme is practical, both keys and group signatures consist of a constant number of group elements, and the scheme permits dynamic enrollment of new members. The scheme satisfies strong security requirements, in particular providing protection against key exposures and not relying on random oracles in the security proof.