Results 1-10 of 13
Outsourcing Private RAM Computation, 2014
Cited by 20 (1 self)
We construct the first schemes that allow a client to privately outsource arbitrary program executions to a remote server while ensuring that: (I) the client’s work is small and essentially independent of the complexity of the computation being outsourced, and (II) the server’s work is only proportional to the runtime of the computation on a random access machine (RAM), rather than its potentially much larger circuit size. Furthermore, our solutions are non-interactive and have the structure of reusable garbled RAM programs, addressing an open question of Lu and Ostrovsky (Eurocrypt 2013). We also construct schemes for an augmented variant of the above scenario, where the client can initially outsource a large private and persistent database to the server, and later outsource arbitrary program executions with read/write access to this database. Our solutions are built from non-reusable garbled RAM in conjunction with new types of reusable garbled circuits that are more efficient than prior solutions but only satisfy weaker security. For the basic setting without a persistent database, we can instantiate the required type of reusable garbled circuits from indistinguishability obfuscation or from functional encryption for circuits as a black-box. For the more complex setting with a persistent database, we can instantiate the required type of reusable garbled circuits using stronger notions of obfuscation. It remains an open problem to instantiate these new types of reusable garbled circuits under weaker assumptions, possibly avoiding obfuscation altogether. We also give several extensions of our results and techniques to achieve: schemes with efficiency proportional to the input-specific RAM runtime, verifiable outsourced RAM computation, functional encryption for RAMs, and a candidate obfuscator for RAMs.

Implementing cryptographic program obfuscation. Cryptology ePrint Archive, Report 2014/779, 2014
Cited by 7 (0 self)
Program obfuscation is the process of making a program “unintelligible” without changing the program’s underlying input/output behavior. Although there is a long line of work on heuristic techniques for obfuscation, such approaches do not provide any cryptographic guarantee on their effectiveness. A recent result by Garg et al. (FOCS 2013), however, shows that cryptographic program obfuscation is indeed possible based on a new primitive called a graded encoding scheme. In this work, we present the first implementation of such an obfuscator. We describe several challenges and optimizations we made along the way, present a detailed evaluation of our implementation, and discuss research problems that need to be addressed before such obfuscators can be used in practice.

Indistinguishability Obfuscation from Compact Functional Encryption
Cited by 4 (1 self)
The arrival of indistinguishability obfuscation (iO) has transformed the cryptographic landscape by enabling several security goals that were previously beyond our reach. Consequently, one of the pressing goals currently is to construct iO from well-studied standard cryptographic assumptions. In this work, we make progress in this direction by presenting a reduction from iO to a natural form of public-key functional encryption (FE). Specifically, we construct iO for general functions from any single-key FE scheme for NC^1 that achieves selective, indistinguishability security against subexponential time adversaries. Further, the FE scheme should be compact, namely, the running time of the encryption algorithm must only be a polynomial in the security parameter and the input message length (and not in the function description size or its output length). We achieve this result by developing a novel arity amplification technique to transform FE for single-ary functions into FE for multi-ary functions (aka multi-input FE). Instantiating our approach with known, non-compact FE schemes, we obtain the first constructions of multi-input FE for constant-ary functions based on standard assumptions. Finally, as a result of independent interest, we construct a compact FE scheme from randomized encodings for Turing machines and learning with errors assumption.

On the Cryptographic Hardness of Finding a Nash Equilibrium, 2015
Cited by 4 (1 self)
We prove that finding a Nash equilibrium of a game is hard, assuming the existence of indistinguishability obfuscation and injective one-way functions with subexponential hardness. We do so by showing how these cryptographic primitives give rise to a hard computational problem that lies in the complexity class PPAD, for which finding Nash equilibrium is known to be complete. Previous proposals for basing PPAD-hardness on program obfuscation considered a strong “virtual black-box” notion that is subject to severe limitations and is unlikely to be realizable for the programs in question. In contrast, for indistinguishability obfuscation no such limitations are known, and recently, several candidate constructions of indistinguishability obfuscation were suggested based on different hardness assumptions on multilinear maps. Our result provides further evidence of the intractability of finding a Nash equilibrium, one that is extrinsic to the evidence presented so far.

Optimizing Obfuscation: Avoiding Barrington’s Theorem
Cited by 4 (0 self)
In this work, we seek to optimize the efficiency of secure general-purpose obfuscation schemes. We focus on the problem of optimizing the obfuscation of general Boolean formulas – this corresponds to optimizing the “core obfuscator” from the work of Garg, Gentry, Halevi, Raykova, Sahai, and Waters (FOCS 2013), and all subsequent works constructing general-purpose obfuscators. This core obfuscator builds upon approximate multilinear maps, where efficiency in proposed instantiations is closely tied to the maximum number of “levels” of multilinearity required. The most efficient previous construction of a core obfuscator, due to Barak, Garg, Kalai, Paneth, and Sahai (Eurocrypt 2014), required the maximum number of levels of multilinearity to be Θ(ℓs^{3.64}), where s is the size of the Boolean formula to be obfuscated, and ℓ is the number of input bits to the formula. In contrast, our construction only requires the maximum number of levels of multilinearity to be Θ(ℓs). This results in significant improvements in both the total size of the obfuscation, as well as the running time of evaluating an obfuscated formula. Our efficiency improvement is obtained by generalizing the class of branching programs that

On Virtual Grey Box Obfuscation for General Circuits, 2014
Cited by 4 (0 self)
An obfuscator O is Virtual Grey Box (VGB) for a class C of circuits if, for any C ∈ C and any predicate π, deducing π(C) given O(C) is tantamount to deducing π(C) given unbounded computational resources and polynomially many oracle queries to C. VGB obfuscation is often significantly more meaningful than indistinguishability obfuscation (IO). In fact, for some circuit families of interest VGB is equivalent to full-fledged Virtual Black Box obfuscation. We investigate the feasibility of obtaining VGB obfuscation for general circuits. We first formulate a natural strengthening of IO, called strong IO (SIO). Essentially, O is SIO for class C if O(C) ≈ O(C′) whenever the pair (C, C′) is taken from a distribution over C where, for all x, C(x) ≠ C′(x) only with negligible probability. We then show that an obfuscator is VGB for a class C if and only if it is SIO for C. This result is unconditional and holds for any C. We also show that, for some circuit collections, SIO implies virtual black-box obfuscation. Finally, we formulate a slightly stronger variant of the semantic security property of graded encoding schemes [Pass-Seth-Telang Crypto 14], and show that existing obfuscators, such as the ob

Point-Function Obfuscation: A Framework and Generic Constructions, 2015
Cited by 1 (1 self)
We give a definitional framework for point-function obfuscation in which security is parameterized by a class of algorithms we call target generators. Existing and new notions are captured and explained as corresponding to different choices of this class. This leads to an elegant question: Is it possible to provide a generic construction, meaning one that takes an arbitrary class of target generators and returns a point-function obfuscator secure for it? We answer this in the affirmative with three generic constructions, the first based on indistinguishability obfuscation, the second on deterministic public-key encryption and the third on universal computational extractors. By exploiting known constructions of the primitives assumed, we obtain new point-function obfuscators, including many under standard assumptions. We end with a broader look that relates different known and possible notions of point function obfuscation to each other

Contention in cryptoland: Obfuscation, leakage and uce. In Theory of Cryptography, TCC 2016-A, 2016
Cited by 1 (1 self)
This paper addresses the fundamental question of whether or not different, exciting primitives now being considered actually exist. We show that we, unfortunately, cannot have them all. We provide results of the form ¬A ∨ ¬B, meaning one of the primitives A, B cannot exist. (But we don't know which.) Specifically, we show that: (1) VGBO (Virtual Grey Box Obfuscation) for all circuits, which has been conjectured to be achieved by candidate constructions, cannot co-exist with Canetti's 1997 AI-DHI (auxiliary input DH inversion) assumption, which has been used to achieve many goals including point-function obfuscation (2) iO (indistinguishability obfuscation) for all circuits cannot co-exist with KM-LR-SE (key-message leakage-resilient symmetric encryption) (3) iO cannot co-exist with hash functions that are UCE secure for

Indistinguishability Obfuscation of Iterated Circuits and RAM programs, 2014
Cited by 1 (0 self)
A key source of inefficiency in existing obfuscation schemes is that they operate on programs represented as Boolean circuits or (with stronger assumptions and costlier constructs) as Turing machines. We bring the complexity of obfuscation down to the level of RAM programs. That is, assuming injective one way functions and indistinguishability obfuscators for all circuits, we construct indistinguishability obfuscators for RAM programs with the following parameters, up to polylogarithmic factors and a multiplicative factor in the security parameter: (a) The space used by the obfuscated program, as well as the initial size of the program itself, are proportional to the maximum space s used by the plaintext program on any input of the given size. (b) On each input, the runtime of the obfuscated program is proportional to s plus the runtime of the plaintext program on that input. The security loss is proportional to the number of potential inputs for the RAM program. Our construction can be plugged into practically any existing use of indistinguishability obfuscation, such as delegation of computation, functional encryption, non-interactive zero-knowledge, and multiparty computation protocols, resulting in significant efficiency gains. It also gives the first succinct and efficient one-time garbled RAM scheme. The size of the garbled RAM is proportional to the maximum

Cryptographic Assumptions: A Position Paper
Cited by 1 (0 self)
The mission of theoretical cryptography is to define and construct provably secure cryptographic protocols and schemes. Without proofs of security, cryptographic constructs offer no guarantees whatsoever and no basis for evaluation and comparison. As most security proofs necessarily come in the form of a reduction between the security claim and an intractability assumption, such proofs are ultimately only as good as the assumptions they are based on. Thus, the complexity implications of every assumption we utilize should be of significant substance, and serve as the yard stick for the value of our proposals. Lately, the field of cryptography has seen a sharp increase in the number of new assumptions that are often complex to define and difficult to interpret. At times, these assumptions are hard to untangle from the constructions which utilize them. We believe that the lack of standards of what is accepted as a reasonable cryptographic assumption can be harmful to the credibility of our field. Therefore, there is a great need for measures according to which we classify and compare assumptions, as to which are safe and which are not. In this paper, we propose such a classification and review recently suggested assumptions in this light. This follows the footsteps of Naor (Crypto 2003). Our governing principle is relying on hardness assumptions that are independent of the cryptographic constructions.