ON SYMMETRIC ENCRYPTION AND POINT OBFUSCATION

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs



What’s obfuscation [BGI+01]?

An obfuscator takes a program P and outputs an equivalent program P’ = Obf(P) such that the code of P’ is “useless”.

“Useless”: no more useful than oracle access to P.

Obfuscation is not possible in general. [BGI+01]

[Figure: Real World (the code of P’) vs. Ideal World (oracle P: query x, answer P(x))]


What’s a point function?

A point function: special point k on which it outputs 1, otherwise outputs $\bot$.

$$f_k(x) = \begin{cases} 1 & \text{if } x = k \\ \bot & \text{otherwise} \end{cases}$$

A multi-bit point function (MBPF): special point k on which it outputs hidden message m, otherwise outputs $\bot$.

$$f_{k,m}(x) = \begin{cases} m & \text{if } x = k \\ \bot & \text{otherwise} \end{cases}$$

Obfuscators of (multi-bit) point functions studied and constructed by [Can97, CMR98, LPS04, Wee05, CD08].


Relation to Symmetric Encryption

Define:

$$\mathrm{Enc}_k(m) = \mathrm{Obf}(f_{k,m})$$

$$\mathrm{Dec}_k(c) = c(k)$$

Is it a good symmetric encryption scheme?

Good: ciphertext c only as useful as oracle $f_{k,m}(\cdot)$.

Good even if k only has entropy, but is not uniform.
○ Cryptography with weak keys, leakage-resilience…

Good even if m depends on k.
○ Security with Key Dependent Messages (KDM).
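
The definition above as a runnable sketch (an added example, not code from the talk or from the cited papers). It assumes SHA-256 behaves like a random oracle and is not the DDH-based construction the slides cite; the names `obf`, `enc`, `dec`, `_ro`, `_xor` and the sample key are hypothetical.

```python
import hashlib
import hmac
import secrets

def _ro(label: bytes, r: bytes, x: bytes, n: int) -> bytes:
    """n bytes of SHA-256 in counter mode; stands in for a random oracle (assumption)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big") + r + x).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def obf(k: bytes, m: bytes):
    """Return a program P that computes f_{k,m}, up to hash collisions.

    P's code is only (r, tag, body); neither k nor m is stored in the clear.
    """
    r = secrets.token_bytes(16)                # fresh randomness for every obfuscation
    tag = _ro(b"tag", r, k, 32)                # lets P recognise the special point k
    body = _xor(m, _ro(b"pad", r, k, len(m)))  # m masked under a pad derived from k

    def P(x: bytes):
        if not hmac.compare_digest(_ro(b"tag", r, x, 32), tag):
            return None                        # None plays the role of the ⊥ output
        return _xor(body, _ro(b"pad", r, x, len(body)))

    P.code = (r, tag, body)                    # what an adversary holding P gets to see
    return P

def enc(k: bytes, m: bytes):
    return obf(k, m)                           # Enc_k(m) = Obf(f_{k,m})

def dec(k: bytes, c):
    return c(k)                                # Dec_k(c) = c(k)

if __name__ == "__main__":
    k = b"low-entropy passphrase"              # constructed sample key, not uniform
    c = enc(k, b"hidden message")
    print(dec(k, c))                           # decrypts under the right key
    print(dec(b"some other key", c))           # ⊥ under any other key
    print(dec(k, enc(k, k)) == k)              # a key-dependent message still decrypts
    print(enc(k, b"hidden message").code != c.code)  # re-encryption gives new code
```

Anyone holding P can test candidate keys against it, so the protection is only as good as the entropy of k.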


Relation to Symmetric Encryption

Encryption w. weak keys (leakage-resilience)

Encryption w. KDM

MBPF Obfuscation


Outline

Symmetric Encryption.
○ Weak keys, Leakage-Resilience, KDM

MBPF Obfuscation.
○ Definitional variants

Connections between symmetric encryption and MBPF obfuscation.

Implications, new results.


Symmetric Key Encryption

Key k chosen uniformly at random. Attacker chooses messages m.

Real oracle: outputs $\mathrm{Enc}_k(m)$.
Fake oracle: outputs $\mathrm{Enc}_k(0^{|m|})$.

Can’t distinguish real and fake oracles.

Semantic security: one oracle call. CPA: many oracle calls.

Weak Keys: $\alpha$-weak keys: key k ~ (adversarial) distribution with min-entropy $\alpha$.

Leakage-Resilience: Adversary learns L bits of information about k. [AGV09, DK09, NS09,…]

$\alpha$-weak key security $\Rightarrow$ $L = |k| - \alpha$ Leakage-Resilience.

Key Dependent Messages: Attacker chooses g() and real oracle outputs $\mathrm{Enc}_k(g(k))$. [BRS02, BHHO08, HH09…]


Definition of Obfuscation

A MBPF obfuscator takes (k, m) and creates a program $P \leftarrow \mathrm{Obf}(f_{k,m})$.

Correctness: For all x, $P(x) = f_{k,m}(x)$.

Polynomial slowdown: P runs in poly-time.

VBB Security ([BGI+01]): For any PPT A, there exists a PPT S such that, for all k, m,

$$\left| \Pr[A(P) = 1] - \Pr[S^{f_{k,m}(\cdot)} = 1] \right| < \mathrm{negl}$$

where $P \leftarrow \mathrm{Obf}(f_{k,m})$.


Weaker Definitions

Alternative: $\forall A\ \exists S\ \forall$ distributions {K, M}

$$\left| \Pr[A(P) = 1] - \Pr[S^{f_{k,m}(\cdot)} = 1] \right| < \mathrm{negl}$$

where $(k, m) \leftarrow (K, M)$, $P \leftarrow \mathrm{Obf}(f_{k,m})$.

Weaker definitions place restrictions on {K, M}:

$\alpha$-entropic security: Require K has min-entropy $\geq \alpha$.

Independent messages: Require M independent of K.


Composable Obfuscation

VBB does not guarantee security if adversary sees many obfuscations of related functions. [CD08]

Problem for application to CPA encryption.

Self-composable: secure if obfuscate many related MBPFs of type: $(k, m_1), (k, m_2), (k, m_3)$.

$$\left| \Pr[A(P_1, P_2, \ldots) = 1] - \Pr[S^{f_{k,m_1}(\cdot),\, f_{k,m_2}(\cdot),\, \ldots} = 1] \right| < \mathrm{negl}$$

Self-composable obfuscation of PF $\Rightarrow$ self-composable obfuscation of MBPF. [CD08]


MBPF Obfuscation $\Rightarrow$ Encryption

MBPF Obf with entropic sec. $\Rightarrow$ SS Enc with weak keys + KDM.

Self-Composable MBPF Obf $\Rightarrow$ CPA Enc …but choice of KDM functions is not adaptive.

MBPF Obf with entropic sec. for indep. msg. $\Rightarrow$ SS Enc with weak keys.

Self-Composable $\Rightarrow$ CPA

$$\mathrm{Enc}_k(m) = \mathrm{Obf}(f_{k,m})$$


Encryption $\Rightarrow$ MBPF Obfuscation

Are the connections tight?

Do various strengthened notions of encryption imply restricted notions of MBPF obfuscation?

Yes, but need extra properties from encryption…


Extra Properties for Encryption

Key k chosen uniformly at random. Attacker chooses messages m.

Real oracle: outputs $\mathrm{Enc}_k(m)$.
Fake oracle: outputs $\mathrm{Enc}_k(0^{|m|})$.

Can’t distinguish real and fake oracles.

Need: Encryption hides (distribution of) k. Exists some oracle Fake(). Does not get k, m.

Need: Wrong-Key Detection. For any $k \neq k'$, m: $\mathrm{Dec}_{k'}(\mathrm{Enc}_k(m)) = \bot$.


Encryption $\Leftrightarrow$ MBPF Obfuscation

MBPF Obf with entropic sec. $\Leftrightarrow$ SS Enc with weak keys + KDM.

Self-Composable $\Leftrightarrow$ CPA …but choice of KDM functions is not adaptive.

MBPF Obf with entropic sec. for indep. msg. $\Leftrightarrow$ SS Enc with weak keys.

Self-Composable $\Leftrightarrow$ CPA


Implications: Encryption with weak keys

Prior encryption schemes with $\alpha$-weak keys allow for $\alpha(n) = n^{\epsilon}$ for any $\epsilon > 0$. [AGV09, DKL09, NS09]

… BUT the scheme and its efficiency depend on $\epsilon$.

Self-composable MBPF Obfuscators for indep. msg. with VBB security give us:

A single encryption scheme with fixed efficiency.

CPA secure if key k ~ any dist. with $\omega(\log(n))$ entropy.

Exact security depends on entropy (graceful degradation).


Implications: Encryption with fully weak keys

Self-composable MBPF Obfuscators for indep. msg. with VBB security, constructed by [Can97, CD08].

Require: strengthened DDH assumption:

$$(g, g^a, g^b, g^{ab}) \approx (g, g^a, g^b, g^c)$$

where a has $\omega(\log(n))$ entropy, b, c uniform.

More recently, [GKPV10] construct an encryption scheme with similar “graceful degradation” under standard LWE.


Implications: New MBPF Obf Constructions

Use recent leakage-resilience results of [AGV09, NS09, DK09] to get self-composable MBPF obf. for indep. msg. with $\alpha$-entropic security:

[AGV09] Under LWE assumption, $\alpha(n) = n^{\epsilon}$.

[DKL09] Under LSN (strengthens LPN) assumption, $\alpha(n) = \epsilon n$.

[NS09] Under DDH and K-Linear assumption, $\alpha(n) = n^{\epsilon}$.


Implications: Hardness Results for MBPF Obf.

Result of [HH09]: SS encryption with KDM cannot be BB reduced to any “standard assumption”.

Includes e.g. OWF, TDP, DDH, RSA,…

Excludes e.g. RO model, KoE, Exponential hardness.

Cannot base MBPF obfuscation (even entropic with uniform k) on “standard assumptions” via BB reductions.


THANK YOU!

QUESTIONS?