Obfuscation and Weak Multilinear Maps
|
|
- Teresa Jackson
- 5 years ago
- Views:
Transcription
1 Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan
2 Obfuscation [BGIRSVY 01,GGHRSW 13] Compiler: scrambles program, hiding implementation Industry accepted security notion: indist. Obfuscation P 1 (x) = P 2 (x) (x) io(p 1 ) c io(p 2 ) Crypto complete : io Most Crypto [GGHRSW 13,SW 13, BZ 13, BST 13, GGHR 13, BP 14, HJKSWZ 14, CLTV 14, ]
3 Multilinear Maps (a.k.a. graded encodings) [BS 03,GGH 13,CLT 13,GGH 15] Main tool for all constructions of obfuscation secret a F, i [k] Levels 1,,k, Field/Ring F Enc [a] i [a] i + [b] i [a+b] i public [a] i [b] j [ab] i+j [a] k IsZero Yes/No
4 Multilinear Maps (a.k.a. graded encodings) [BS 03,GGH 13,CLT 13,GGH 15] k levels: compute arbitrary degree k polynomials Asymmetric mmaps: additional restrictions E.g. multilinear polynomials
5 Obfuscation From Multilinear Maps Obfuscate(P): Enc Eval(x): x [p x ] k IsZero P(x) = 1 p x = 0
6 Applications of Multilinear Maps ABE PKFE SKFE io NIKE WE BE
7 Zeroizing Attacks on MMaps io NIKE PKFE ABE BE WE SKFE
8 Zeroizing Attacks on MMaps (Note: apps still possible using obfuscation)
9 Central Questions Q1: Is obfuscation secure? Q2: If so, how to show it?
10 This Work: Focus on GGH 13 Mmaps
11 Background
12 High- level description GGH13 Level i encoding of x: short x + g s z i (mod q)
13 High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) x 1 +gs 1 x 2 +gs 2 + = (x 1+x 2 )+g(s 1 +s 2 ) z i z i z i
14 High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) Multiplication makes levels add x 1 +gs 1 x 2 +gs 2. = (x 1x 2 )+g(s 1 x 2 +s 2 x 1 +gs 1 s 2 ) z i z j z i+j
15 High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) Multiplication makes levels add Test for zero at top level k Public parameter p zt = h zk g not too big p zt gs z k = hs not too big p zt x+gs z k = hx big g +hs
16 High- level description GGH13 Level i encoding of x: Add within levels short x + g s z i (mod q) Multiplication makes levels add Test for zero at top level k Notes: z must be secret (else can go down levels) g must be secret ([GGH 13] show attack otherwise)
17 Encodings of Zero A Necessary Evil Required for (Most) Applications Re- randomization Needed for most (direct) applications Needed to use any simple assumption on mmaps Add random subset of low- level zeros Successful zero test top level zero
18 Encodings of Zero A Necessary Evil Required for (Most) Applications Two low- level zeros: e 1 = g s 1 /z i, e 2 = g s 2 /z k-i Multiple of g p zt e 1 e 2 mod q = hgs 1 s 2 (over Z) Dangerous For Security
19 Encodings of Zero A Necessary Evil Required for (Most) Applications Zeroizing attacks: GGH 13: Source group assumptions (e.g. DLin, Subgroup decision) are false CGHLMMRST 15: Immunizations don t work HJ 16: MDDH is false, multiparty NIKE broken Probably other assumptions broken too (MDHE, etc) Dangerous For Security
20 Encodings of Zero A Necessary Evil Required for (Most) Applications Dangerous For Security
21 What about Obf/WE/SKFE? Good News: No re- randomization needed in application no low- level zeros (explicit or implicit) Bad News: Top level zeros may still be generated during use Re- rand still needed for simple assumptions
22 Central Questions (Restated) Q1: Can top- level zeros be used to attack io? Q2: How to argue security against zeroizing attacks?
23 Q1: Affirmative! Thm* [MSZ 16]: The branching program obfuscators in [BGKPS 14, PST 14, AGIS 14, BMSZ 16] over GGH 13 do not satisfy io *Small heuristic component
24 (Single input) Branching Programs A 1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 6,0 A 7,0 A 8,0 A 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A 7,1 8, x = 11001: IMP x ( {A i,b } ) = A 1,1 A 2,0 A 3,1 A 4,1 A 5,0 A 6,0 A A 7,1 8,1 If IMP x = 0, output 1, otherwise output 0
25 [BMSZ 16] Obfuscator Building on [GGHRSW 13,BR 14,BGKPS 14,AGIS 14, ] α 1,0 R 2 R 2-1 A 1,0 α 2,0 A 2,0 R 3 α 3,0 R 3-1 A 3,0 R 4 α t,0 R t -1 A t,0 α 1,1 A 1,1 R α 2 2,1 R -1 2 A 2,1 R α 3 3,1 R -1 3 A 3,1 R α 4 t,1 R -1 t A t,1 asymmetric mmap
26 [BMSZ 16] Over GGH 13 Randomized Branching Program Encoding randomness B i,b = α i,b R -1 i A i,b R i+1 S i,b Evaluation: Obfuscation encodings B i,b + z i,b g S i,b C i,b = mod q IMP x ( ) T p x = zt C i,b test if not too big mod q
27 Attack: Annihilating Polynomials T x = p zt h g IMP x ( C i,b ) mod q B i,b S i,b = IMP x ( + g ) mod q h g B i,b = IMP x ( ) + D x ( α i,b, S i,b, R i ) + g E x ( α i,b, S i,b, R i ) mod q
28 Attack: Annihilating Polynomials Suppose P(x) = 1 IMP x ( B i,b ) = 0 T x h = IMP x ( B i,b ) + D x ( α i,b g, S i,b, R i ) + g E x (,, ) α i,b S i,b R i mod q not too big, so holds over Z
29 Attack: Annihilating Polynomials Suppose P(x) = 1 T x = D x ( α i,b, S i,b, R i ) + E x ( α i,b, S i,b, R i ) g Efficiency: Poly- many free vars Exp- many inputs: Pick larger poly set of D x Algebraic dependence: poly Q: Q(D x1, D x2, ) = 0
30 Attack: Annihilating Polynomials Algebraic dependence: poly Q: Q(D x1, D x2, ) = 0 Annihilating polynomial Q(T x1, T x2, ) = Q(D x1 +ge x1, D x2 +ge x2, ) = Q(D x1, D x2, ) + gq + g 2 Q + = gq + g 2 Q + Multiple of g
31 Attack: Annihilating Polynomials Goal: find Q that annihilates P 1, but not P 2 Distinguishing Attack* Extends to any purely algebraic obfuscator Problem: in general, annihilation is hard Thm ([Kay 09]): Unless PH collapses, there are dependent polys for which an annihilating polynomial requires super- polynomial sized circuits Question: Can annihilating polys be found for particular obfuscators/programs? * Additional work needed to test for multiple of g
32 Attack: Annihilating Polynomials Consider single- input setting (used to prove io) Suppose trivial branching program: A i,0 =A i,1 =A i Explicit annihilating polynomial for [BMSZ 16]: q = (D 000 D 111 ) 2 + (D 001 D 110 ) 2 + (D 010 D 101 ) 2 + (D 100 D 011 ) 2-2D 000 D 111 D 001 D 110 2D 000 D 111 D 010 D 101 2D 000 D 111 D 100 D 011-2D 001 D 110 D 010 D 101 2D 001 D 110 D 100 D 011 2D 010 D 101 D 100 D D 000 D 011 D 101 D D 111 D 001 D 010 D 100 Computed by reducing problem to finite size, then brute- force search
33 Attack: Annihilating Polynomials For dual input: First, reduce problem to finite size Brute- force annihilating poly in constant time Haven t found it yet, but still gives poly- time attack Other obfuscators: [BR 14,BGKPS 14, PST 14, AGIS 14]: similar analysis Also attack ORE (SKFE) [BLRSZZ 15] over GGH 13
34 Now What? Goal: Argue security of other schemes Problem: Cannot use simple assumptions Solution: Argue security in abstract attack models
35 Restricted Black Box Fields F = Field, P = class of polynomials on n variables p P IsZero( p(a 1, a 2,, a n ) ) a 1, a 2,, a n F Generic Groups*: P = { Linear functions } Black Box Fields*: P = { Polys with small algebraic circuits} Symmetrix multilinear maps*: P = { Degree k polynomials} Asymmetric multilinear maps*: P = { More complicated restrictions} * Often need greater functionality requirements for protocols. This model suffices for our discussion
36 Obfuscation in Restricted BBFs ( model used by [BR 14,BGKPS 14,AGIS 14,Z 15,AB 15,BMSZ 16] ) Obfuscate(C): p x P BBF with restricted polynomial class P Eval(x): IsZero( p(a 1, a 2,, a n ) ) a 1, a 2,, a n ß D C If IsZero gives True, output 1 If IsZero gives False, output 0 Our Attack: Model is false for GGH 13
37 A Conservative Model [BMSZ 16] BBF with restricted polynomial class P p P a 1, a 2,, a n ß D C If IsZero( p(a 1, a 2,, a n ) ), ADVERSARY WINS
38 Obfuscation for evasive functions [BMSZ 16] Honest executions always give non- zero Thm([BMSZ 16]): Only way for level respecting adversary to get zero is through honest program executions Impossible to find zeros anywhere for evasive funcs Compare to prior abstract model theorems: Thm([BR 14, BGKPS 14, ]): For level respecting adversary, can guess output of IsZero just by knowing P(x) Doesn t say if/when finding a zero is possible
39 A Conservative Model [BMSZ 16] BBF with restricted polynomial class P p P a 1, a 2,, a n ß D C If IsZero( p(a 1, a 2,, a n ) ), ADVERSARY WINS Model useless in non- evasive settings, e.g. io, SKFE Need model that allows for zeros to occur
40 Characterizing Attacks All Known Classical Attacks Compute polynomials obeying level restrictions Several top level zero encodings Attack
41 Characterizing Attacks All Known Classical Attacks Compute polynomials obeying level restrictions Several top level zero encodings Polynomial in the zeros Multiple of g Attack
42 Refined Abstract Model for Mmap attacks p P a 1, a 2,, a n F s 1, s 2,, s n ß $ F indeterminant Write p(a 1 +gs 1,, a n +gs n ) = c + dg + If c 0, output False If c = 0, output True, d * Also need to assume degree << F Efficient polys* q Q Unrestricted BBF d 1 d 2 d 3 If q(d 1, d 2, ) = 0, adversary wins
43 Refined Abstract Model for Mmap attacks Seems to capture intuition behind attacks Proof in refined model Heuristic evidence of security against current attacks But keep in mind that: Attack in refined model Not trivially Attack on actual protocol
44 Blocking Attacks [GMMSSZ 16] Notably absent from attacked schemes: [GGHRSW 13] A i,b : A i,b D i,b Random diagonal converts even trivial branching programs into non- trivial ones size > multilinearity
45 Blocking Attacks [GMMSSZ 16] Our fix: append random block matrix A i,b : A i,b E i,b Potentially as small as 2 2
46 Blocking Attacks [GMMSSZ 16] Let BP E be branching program defined by E matrices Let E x be evaluation of BP E on input x Thm: If polynomial Q annihilates {D x }*, then it annihilates {E x } as well Let BP F be any BP, F x evaluation of BP F Thm: If polynomial Q annihilates {E x }*, then it annihilates {F x } as well * = with noticeable probability
47 Example Proof Sketch Thm: If polynomial Q annihilates {E x }*, then it annihilates {F x } as well Let E i,b = F i,b + r E i,b random E x = F x + r F x + r 2 F x + Q( {E x } ) = Q( {F x } ) + r Q + r 2 Q + By Schwartz- Zippel, if Pr[Q = 0] = non-negl, Then Q must be identically 0 Q( {F x } ) = 0
48 Branching Program Unannihilateability Assumption: For any efficient polynomial Q*, there is a branching program not annihilated by Q Easy fact: PRFs in NC 1 give unannihilateable branching programs Corollary: Assuming BPUA (or NC 1 PRFs), our obfuscator is secure in the weak mmap model for [GGH 13] * of not too high degree
49 Future Directions Substantiate BPUA (P NP, general OWF, etc) Attack GGH 13 without annihilating polys Extend to obfuscation for circuits Mostly solved: [DGGMM 16] assuming NC 1 PRFs Extend attacks to CLT 13, GGH 15 Partial progress: [CLLT 16] for single- input io over CLT 13 Useful abstract attack model for CLT 13, GGH 15 Thanks!
Cryptanalysis of branching program obfuscators
Cryptanalysis of branching program obfuscators Jung Hee Cheon 1, Minki Hhan 1, Jiseung Kim 1, Changmin Lee 1, Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary
More informationAnnihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13
Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 Eric Miles Amit Sahai Mark Zhandry Abstract In this work, we present a new class of polynomial-time
More informationAnnihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13
Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 Eric Miles UCLA enmiles@cs.ucla.edu Amit Sahai UCLA sahai@cs.ucla.edu Mark Zhandry MI mzhandry@gmail.com
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationProjective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps
Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of io All current constructions of io are
More informationCryptanalysis of Indistinguishability Obfuscations of Circuits over GGH13
Cryptanalysis of Indistinguishability Obfuscations of Circuits over GGH13 Daniel Apon 1, Nico Döttling 2, Sanjam Garg 2, and Pratyay Muherjee 2 1 University of Maryland, College Par, USA 2 University of
More informationGraded Encoding Schemes from Obfuscation. Interactively Secure Groups from Obfuscation
Graded Encoding Schemes from Obfuscation Interactively Secure Groups from Obfuscation P. Farshim 1,2 J. Hesse 1 D. Hofheinz 3 E. Larraia 4 T. Agrikola 1 D. Hofheinz 1 1 École normale supérieure (ENS),
More informationPost-Zeroizing Obfuscation: The case of Evasive Circuits
Post-Zeroizing Obfuscation: The case of Evasive Circuits Saikrishna Badrinarayanan UCLA saikrishna@cs.ucla.edu Eric Miles UCLA enmiles@cs.ucla.edu Mark Zhandry Stanford University mzhandry@stanford.edu
More informationOn Kilian s Randomization of Multilinear Map Encodings
On Kilian s Randomization of Multilinear Map Encodings Jean-Sébastien Coron and Hilder V. L. Pereira University of Luxembourg November 20, 2018 Abstract. Indistinguishability obfuscation constructions
More informationZeroizing Attacks on Indistinguishability Obfuscation over CLT13
Zeroizing Attacks on Indistinguishability Obfuscation over CLT13 Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 SRI International 3 NTT Secure
More informationSecure Obfuscation in a Weak Multilinear Map Model
Secure Obfuscation in a Weak Multilinear Map Model Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan, and Mark Zhandry Abstract. All known candidate indistinguishibility obfuscation(io)
More informationMultilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015
Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 2 / 30 Timeline: The Hype Cycle of Multilinear
More informationPost-Zeroizing Obfuscation: The case of Evasive Circuits
Post-Zeroizing Obfuscation: The case of Evasive Circuits Saikrishna Badrinarayanan UCLA saikrishna@cs.ucla.edu Eric Miles UCLA enmiles@cs.ucla.edu Mark Zhandry Stanford University mzhandry@stanford.edu
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationIndistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption
Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry Allison ewko Amit Sahai Brent Waters November 4, 2014 Abstract We revisit the question of constructing
More informationA Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University
A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and Columbia University Group Basics There are two kinds of people in this world. Those who like additive group
More informationProtecting obfuscation against arithmetic attacks
Protecting obfuscation against arithmetic attacks Eric Miles UCLA enmiles@cs.ucla.edu Amit Sahai UCLA sahai@cs.ucla.edu Mor Weiss Technion morw@cs.technion.ac.il November 23, 2015 Abstract Obfuscation,
More informationImmunizing Multilinear Maps Against Zeroizing Attacks
Immunizing Multilinear Maps Against Zeroizing Attacks Dan Boneh Stanford University David J. Wu Stanford University Joe Zimmerman Stanford University Abstract In recent work Cheon, Han, Lee, Ryu, and Stehlé
More informationMore Annihilation Attacks
More Annihilation Attacks an extension of MSZ16 Charles Jin Yale University May 9, 2016 1 Introduction MSZ16 gives an annihilation attack on candidate constructions of indistinguishability obfuscation
More informationZeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1
Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1 Jean-Sébastien Coron 2 Craig Gentry 3 Shai Halevi 3 Tancrède Lepoint 4 Hemanta K. Maji 5,6 Eric Miles 6 Mariana Raykova 7 Amit
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationCryptanalyses of Candidate Branching Program Obfuscators
Cryptanalyses of Candidate Branching Program Obfuscators ilei Chen Craig Gentry Shai Halevi February 16, 2017 Abstract We describe new cryptanalytic attacks on the candidate branching program obfuscator
More informationIndistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption
Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption Fuyuki Kitagawa 1 Ryo Nishimaki 2 Keisuke Tanaka 1 1 Tokyo Institute of Technology, Japan {kitagaw1,keisuke}@is.titech.ac.jp
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Secret Sharing Vault should only open if both Alice and Bob are present Vault should only open if Alice, Bob, and Charlie are
More informationOn Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan) Secure Multiparty Computation (MPC) Ideal World/ Functionality
More informationHuijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro
Indistinguishability Obfuscation from Low-Degree Multilinear Maps and (Blockwise) Local PRGs [Lin16b, LT17, To appear, Crypto 17] Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro Circuit
More informationLecture 26. Daniel Apon
Lecture 26 Daniel Apon 1 From IPPSPACE to NPPCP(log, 1): NEXP has multi-prover interactive protocols If you ve read the notes on the history of the PCP theorem referenced in Lecture 19 [3], you will already
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationA Simple Obfuscation Scheme for Pattern-Matching with Wildcards
A Simple Obfuscation Scheme for Pattern-Matching with Wildcards Allison Bishop 1,2, Lucas Kowalczyk 2, Tal Malkin 2, Valerio Pastro 2,3, Mariana Raykova 3, and Kevin Shi 2 1 IEX 2 Columbia University 3
More informationFrom Minicrypt to Obfustopia via Private-Key Functional Encryption
From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University) Functional Encryption [Sahai-Waters 05] Enc
More informationQuantum Oracle Classification
Quantum Oracle Classification The Case of Group Structure Mark Zhandry Princeton University Query Complexity x O(x) O:Xà Y Info about O Examples: Pre- image of given output Collision Complete description
More informationMultilinear Maps from Obfuscation
Multilinear Maps from Obfuscation Martin R. Albrecht (RHUL) Pooya Farshim (QUB) Shuai Han (SJTU) Dennis Hofheinz (KIT) Enrique Larraia (RHUL) Kenneth G. Paterson (RHUL) December 18, 2017 Abstract We provide
More informationStatistical Zeroizing Attack: Cryptanalysis of Candidates of BP Obfuscation over GGH15 Multilinear Map
Statistical Zeroizing Attack: Cryptanalysis of Candidates of BP Obfuscation over GGH15 Multilinear Map Jung Hee Cheon 1, Wonhee Cho 1, Minki Hhan 1, Jiseung Kim 1, and Changmin Lee 2 1 Seoul National University,
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationAlgebraic XOR-RKA-Secure Pseudorandom Functions from Post-Zeroizing Multilinear Maps
Algebraic XOR-RKA-Secure Pseudorandom Functions from Post-Zeroizing Multilinear Maps Michel Abdalla 1,2, Fabrice Benhamouda 3, and Alain Passelègue 4 1 Département d informatique de l ENS École normale
More informationFrom FE Combiners to Secure MPC and Back
From FE Combiners to Secure MPC and Back Prabhanjan Ananth Saikrishna Badrinarayanan Aayush Jain Nathan Manohar Amit Sahai Abstract Functional encryption (FE) has incredible applications towards computing
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim,1,2, Julia Hesse 1,2,3, Dennis Hofheinz,3, and Enrique Larraia 1 DIENS, École normale supérieure, CNRS, PSL Research University, Paris, France 2 INRIA
More informationPerfect Secure Computation in Two Rounds
Perfect Secure Computation in Two Rounds Benny Applebaum Tel Aviv University Joint work with Zvika Brakerski and Rotem Tsabary Theory and Practice of Multiparty Computation Workshop, Aarhus, 2018 The MPC
More informationWhere do pseudo-random generators come from?
Computer Science 2426F Fall, 2018 St. George Campus University of Toronto Notes #6 (for Lecture 9) Where do pseudo-random generators come from? Later we will define One-way Functions: functions that are
More informationSemantic Security and Indistinguishability in the Quantum World
Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationPrivate Puncturable PRFs from Standard Lattice Assumptions
Private Puncturable PRFs from Standard Lattice Assumptions Sam Kim Stanford University Joint work with Dan Boneh and Hart Montgomery Pseudorandom Functions (PRFs) [GGM84] Constrained PRFs [BW13, BGI13,
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationLecture 04: Secret Sharing Schemes (2) Secret Sharing
Lecture 04: Schemes (2) Recall: Goal We want to Share a secret s Z p to n parties, such that {1,..., n} Z p, Any two parties can reconstruct the secret s, and No party alone can predict the secret s Recall:
More informationHow to Generate and use Universal Samplers
How to Generate and use Universal Samplers Dennis Hofheinz Karlsruher Institut für Technologie Dennis.Hofheinz@kit.edu Dakshita Khurana UCLA Center for Encrypted Functionalities dakshita@cs.ucla.edu Brent
More informationConstructing Witness PRF and Offline Witness Encryption Without Multilinear Maps
Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps Tapas Pal, Ratna Dutta Department of Mathematics, Indian Institute of Technology Kharagpur, Kharagpur-721302, India tapas.pal@iitkgp.ac.in,ratna@maths.iitkgp.ernet.in
More informationan information-theoretic model for adaptive side-channel attacks
an information-theoretic model for adaptive side-channel attacks Boris Köpf, David Basin ETH Zurich, Switzerland successful side-channel attacks Attacker must be able to extract information about the key
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationSecure Computation. Unconditionally Secure Multi- Party Computation
Secure Computation Unconditionally Secure Multi- Party Computation Benny Pinkas page 1 Overview Completeness theorems for non-cryptographic faulttolerant distributed computation M. Ben-Or, S. Goldwasser,
More informationObfuscation without Multilinear Maps
Obfuscation without Multilinear Maps Dingfeng Ye Peng Liu DCS Center Cyber Security Lab nstitute of nformation Engineering College of nformation Sciences and Technology Chinese Academy of Sciences Pennsylvania
More informationAdaptively Secure Constrained Pseudorandom Functions
Adaptively Secure Constrained Pseudorandom Functions Dennis Hofheinz dennis.hofheinz@kit.edu Venkata Koppula University of Texas at Austin kvenkata@cs.utexas.edu Akshay Kamath University of Texas at Austin
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationCryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography
Cryptography CS 555 Topic 22: Number Theory/Public Key-Cryptography 1 Exam Recap 2 Exam Recap Highest Average Score on Question Question 4: (Feistel Network with round function f(x) = 0 n ) Tougher Questions
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease
More informationCS 355: TOPICS IN CRYPTOGRAPHY
CS 355: TOPICS IN CRYPTOGRAPHY DAVID WU Abstract. Preliminary notes based on course material from Professor Boneh s Topics in Cryptography course (CS 355) in Spring, 2014. There are probably typos. Last
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationLecture 26: Arthur-Merlin Games
CS 710: Complexity Theory 12/09/2011 Lecture 26: Arthur-Merlin Games Instructor: Dieter van Melkebeek Scribe: Chetan Rao and Aaron Gorenstein Last time we compared counting versus alternation and showed
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim 1&2, Julia Hesse 1&2&5, Dennis Hofheinz 3, and Enrique Larraia 4 1 Département d informatique de l ENS, École normale supérieure, CNRS, PSL Research
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationfrom Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim and David J. Wu Stanford University Digital Watermarking CRYPTO CRYPTO CRYPTO Often used to identify owner of content
More informationAdvanced Cryptography Quantum Algorithms Christophe Petit
The threat of quantum computers Advanced Cryptography Quantum Algorithms Christophe Petit University of Oxford Christophe Petit -Advanced Cryptography 1 Christophe Petit -Advanced Cryptography 2 The threat
More informationSecure Multi-Party Computation. Lecture 17 GMW & BGW Protocols
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party
More informationLattice-Based SNARGs and Their Application to More Efficient Obfuscation
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh Yuval Ishai Amit Sahai David J. Wu Abstract Succinct non-interactive arguments (SNARGs) enable verifying NP computations
More informationBenny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar-Ilan University 1 What is N? Bar-Ilan University 2 Completeness theorems for non-cryptographic fault-tolerant
More informationObfuscation for Evasive Functions
Obfuscation for Evasive Functions Boaz Barak Nir Bitansky Ran Canetti Yael Tauman Kalai Omer Paneth Amit Sahai October 18, 2013 Abstract An evasive circuit family is a collection of circuits C such that
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Integer Factorization iven an integer N, find it s prime factors Studied for centuries, presumed difficult rade school algorithm:
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation
ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation Nir Bitansky Omer Paneth February 12, 2015 Abstract We present new constructions of two-message and one-message
More informationComputational Number Theory. Adam O Neill Based on
Computational Number Theory Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Secret Key Exchange - * Is Alice Ka Public Network Ka = KB O KB 0^1 Eve should have a hard time getting information
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Last Time Hardcore Bits Hardcore Bits Let F be a one- way function with domain x, range y Definition: A function h:xà {0,1} is
More information1 Reductions and Expressiveness
15-451/651: Design & Analysis of Algorithms November 3, 2015 Lecture #17 last changed: October 30, 2015 In the past few lectures we have looked at increasingly more expressive problems solvable using efficient
More informationCandidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation
Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationOne-Way Functions and (Im)perfect Obfuscation
One-Way Functions and (Im)perfect Obfuscation Ilan Komargodski Tal Moran Moni Naor Rafael Pass Alon Rosen Eylon Yogev Abstract A program obfuscator takes a program and outputs a scrambled version of it,
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2 assumptions and reductions Helger Lipmaa University of Tartu, Estonia MOTIVATION Assume Alice designs a protocol How to make sure it is secure? Approach 1: proof
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationConstraining Pseudorandom Functions Privately
Constraining Pseudorandom Functions Privately Dan Boneh, Kevin Lewi, and David J. Wu Stanford University {dabo,klewi,dwu4}@cs.stanford.edu Abstract In a constrained pseudorandom function (PRF), the master
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationExploding Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness
Exploding Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness Qipeng Liu Mark Zhandry Princeton University {qipengl, mzhandry}@princeton.edu Abstract There is some
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationDistribution Design. Ariel Gabizon. Amos Beimel. Eyal Kushilevitz.
Distribution Design ABSTRACT Amos Beimel Dept. of Computer Science Ben Gurion University amos.beimel@gmail.com Yuval Ishai Dept. of Computer Science Technion and UCLA yuvali@cs.technion.ac.il Motivated
More informationCryptanalysis of GGH15 Multilinear Maps
Cryptanalysis of GGH15 Multilinear Maps Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 CryptoExperts 3 NTT Secure Platform Laboratories June
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationOn the Complexity of Compressing Obfuscation
On the Complexity of Compressing Obfuscation Gilad Asharov Naomi Ephraim Ilan Komargodski Rafael Pass Abstract Indistinguishability obfuscation has become one of the most exciting cryptographic primitives
More informationCutting-Edge Cryptography Through the Lens of Secret Sharing
Cutting-Edge Cryptography Through the Lens of Secret Sharing Ilan Komargodski Mark Zhandry Abstract Secret sharing is a mechanism by which a trusted dealer holding a secret splits the secret into many
More informationSecure Multiparty Computation from Graph Colouring
Secure Multiparty Computation from Graph Colouring Ron Steinfeld Monash University July 2012 Ron Steinfeld Secure Multiparty Computation from Graph Colouring July 2012 1/34 Acknowledgements Based on joint
More informationDual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits
Dual System Framework in Multilinear Settings and pplications to Fully Secure Compact BE for Unbounded-Size Circuits Nuttapong ttrapadung National Institute of dvanced Industrial Science and Technology
More information