On Symmetric Encryption and Point Obfuscation
[chapter]

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs

2010
Lecture Notes in Computer Science

We show tight connections between several cryptographic primitives, namely encryption with weakly random keys, encryption with key-dependent messages (KDM), and obfuscation of point functions with multi-bit output (which we call multi-bit point functions, or MBPFs, for short). These primitives, which have been studied mostly separately in recent works, bear some apparent similarities, both in the flavor of their security requirements and in the flavor of their constructions and assumptions.
Still, rigorous connections have not been drawn. Our results can be interpreted as indicating that MBPF obfuscators imply a very strong form of encryption that simultaneously achieves security for weakly-random keys and key-dependent messages as special cases. Similarly, each one of the other primitives implies a certain restricted form of MBPF obfuscation. Our results carry both constructions and impossibility results from one primitive to others. In particular:

- The recent impossibility result for KDM security of Haitner and Holenstein (TCC '09) carries over to MBPF obfuscators.
- The Canetti-Dakdouk construction of MBPF obfuscators based on a strong variant of the DDH assumption (EC '08) gives an encryption scheme which is secure w.r.t. any weak key distribution of super-logarithmic min-entropy (and in particular, also has very strong leakage resilient properties).
- All the recent constructions of encryption schemes that are secure w.r.t. weak keys imply a weak form of MBPF obfuscators.

Symmetric encryption is an algorithmic tool that allows a pair of parties to communicate secret information over open communication media that are accessible to eavesdroppers. In order to achieve this goal, the communicating parties need to have some shared secret randomness (a key). The classic view of symmetric encryption allows the encryption scheme to determine the distribution of the key precisely (typically it is a uniformly random string). It also assumes that the encryption and decryption algorithms are executed in a completely sealed way, so no information about the key is leaked to the eavesdroppers. Finally, the classic model assumes that the parties only use the key in the encryption and decryption routines and not for any other purpose. In particular, their messages are never related to the key. In recent years, much research has been done to investigate various relaxations of this classic (and somewhat naïve) model.
One relaxation is to consider the case where the key is chosen using a "defective" source of randomness that does not generate uniform and independent random bits (see e.g. [1, 2, 13, 20, 24] and the references therein). Namely, the key is assumed to be taken from a distribution that is adversarially chosen under some restriction. Typically the restriction is that the min-entropy of the distribution of the secret key is at least α, for some value of α. In this case the scheme is said to be secure w.r.t. α-weak keys. A different relaxation of the classic model considers the case where the key is chosen uniformly but some arbitrary information on the key is leaked to the adversary (see e.g. [1, 24]). This models both direct attacks where the adversary gains access to the internal storage of the parties, such as the cold-boot attack of [17], and indirect information leakage that occurs when the shared key is derived from the communication between the parties, such as the information exchange used to agree on the key. Of course, all security is lost if the adversary learns the key in its entirety, and therefore some restriction needs to be imposed on the amount of information that the adversary can get. One possibility is to require that the key has some significant statistical entropy left, even given the leakage. We call this the entropic setting. Another, stronger, security notion only insists that it is computationally infeasible to compute the secret key from the leaked information, but allows the leakage to completely determine the key statistically. We call this type of leakage auxiliary input. It turns out that encryption resilient to weak keys is also resilient to a comparable amount of leakage in the entropic setting. Conversely, in some settings there is a simple transformation from leakage resilient encryption to one that withstands comparably weak keys.
Yet another relaxation of the classic model considers the case where the messages may depend on the shared key. Security in this more demanding setting was termed key-dependent message security (KDM security) by Black, Rogaway and Shrimpton in [7]. In the last few years, the notion of KDM security has been extensively studied [3, 4, 5, 8, 9, 16, 18, 19], and several positive results emerged, most notably the results of [3, 8] who showed how to obtain KDM security w.r.t. the class of affine functions (the former under the DDH assumption and the latter under the LWE assumption). In contrast, [16] show that there exist no black-box reductions from the KDM security of any encryption scheme w.r.t. all efficient functions to "any standard cryptographic assumption." While the constructions for KDM-secure schemes and the constructions of schemes that are secure w.r.t. α-weak keys bear significant similarities to each other (e.g., see [8, 24], [3, 13], and [1, 3]), no formal connections between the problems have been made so far.

Another recently studied primitive, which may seem unrelated at a cursory look, is obfuscation of point functions (programs) with multi-bit output. Obfuscation is the task of constructing an algorithm, called an obfuscator O, that takes as input a program p from a family P of programs and outputs a program q = O(p) that has essentially the same functionality as p, but where the code of q only gives information that can also be determined with oracle access to p. A central point here is that O should work correctly and securely for every program in P. A point function with multi-bit output (or a MBPF) is a function I_(k,m) which, on input x, outputs m if x = k and ⊥ otherwise. In the special case of point functions, the value m is fixed to some constant, say 1. Obfuscators for point functions are constructed in [10, 25] under strong assumptions, and in [21] in the random oracle model.
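The MBPF-to-encryption direction, as an added example that is not code from the paper or its authors: a toy MBPF obfuscator in the random oracle model (SHAKE-256 standing in for the oracle, in the spirit of the random-oracle constructions the text attributes to [21]), wrapped as Enc_k(m) = O(I_(k,m)) and Dec_k(c) = c(k). All function names, the tag/pad derivation and the sample key and message are my own assumptions.

```python
import os
import hmac
import hashlib
from typing import Optional, Tuple

# Added illustration of the MBPF -> symmetric encryption reduction.
# Toy construction in the random oracle model; not the paper's scheme.
Obfuscation = Tuple[bytes, bytes, bytes]  # (r, tag, pad XOR m)


def _oracle(label: bytes, r: bytes, x: bytes, n: int) -> bytes:
    """Random-oracle stand-in; length prefixes keep (r, x) encodings unambiguous."""
    h = hashlib.shake_256()
    h.update(label + len(r).to_bytes(2, "big") + r + len(x).to_bytes(4, "big") + x)
    return h.digest(n)


def obfuscate_mbpf(k: bytes, m: bytes) -> Obfuscation:
    """Obfuscate I_(k,m): the program that outputs m on input k and ⊥ otherwise."""
    r = os.urandom(32)                      # fresh randomness per obfuscation
    tag = _oracle(b"tag", r, k, 32)         # lets the program recognise its point k
    pad = _oracle(b"pad", r, k, len(m))     # one-time pad for the multi-bit output
    return (r, tag, bytes(a ^ b for a, b in zip(pad, m)))


def evaluate_mbpf(obf: Obfuscation, x: bytes) -> Optional[bytes]:
    """Run the obfuscated program on x; None plays the role of ⊥."""
    r, tag, masked = obf
    if not hmac.compare_digest(_oracle(b"tag", r, x, 32), tag):
        return None                         # x != k (except with negligible probability)
    pad = _oracle(b"pad", r, x, len(masked))
    return bytes(a ^ b for a, b in zip(pad, masked))


# The generic reduction: the ciphertext *is* the obfuscated point function.
def encrypt(k: bytes, m: bytes) -> Obfuscation:
    return obfuscate_mbpf(k, m)


def decrypt(k: bytes, c: Obfuscation) -> Optional[bytes]:
    return evaluate_mbpf(c, k)


def demo() -> bool:
    # Constructed sample: a non-uniform (passphrase-style) key and a
    # key-dependent message, i.e. the weak-key and KDM settings from the text.
    key = b"correct horse"
    kdm_message = b"the key is: " + key
    ct = encrypt(key, kdm_message)
    return decrypt(key, ct) == kdm_message and decrypt(b"wrong horse", ct) is None
```

The code exhibits the correctness of the reduction only; the security claims for weak keys and key-dependent messages are what the paper proves and are not demonstrated by running it.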

doi:10.1007/978-3-642-11799-2_4
fatcat:eb5ovyugj5e45erl2hzv26atsu