Results 21  30
of
336
Reusable garbled circuits and succinct functional encryption
, 2013
"... Garbled circuits, introduced by Yao in the mid 80s, allow computing a function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs ..."
Abstract

Cited by 42 (3 self)
 Add to MetaCart
(Show Context)
Garbled circuits, introduced by Yao in the mid 80s, allow computing a function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs x. In this paper, we construct for the first time reusable garbled circuits. The key building block is a new succinct singlekey functional encryption scheme. Functional encryption is an ambitious primitive: given an encryption Enc(x) of a value x, and a secret key skf for a function f, anyone can compute f(x) without learning any other information about x. We construct, for the first time, a succinct functional encryption scheme for any polynomialtime function f where succinctness means that the ciphertext size does not grow with the size of the circuit for f, but only with its depth. The security of our construction is based on the intractability of the Learning with Errors (LWE) problem and holds as long as an adversary has access to a single key skf (or even an a priori bounded number of keys for different functions). Building on our succinct singlekey functional encryption scheme, we show several new applications in addition to reusable garbled circuits, such as a paradigm for general function obfuscation which we call tokenbased obfuscation, homomorphic encryption for a class of Turing machines where the evaluation runs in inputspecific time rather than worstcase time, and a scheme for delegating computation which is publicly verifiable and maintains the privacy of the computation.
An Abstract InterpretationBased Framework for Software watermarking
, 2004
"... Software watermarking consists in the intentional embedding of indelible stegosignatures or watermarks into the subject software and extraction of the stegosignatures embedded in the stegoprograms for purposes such as intellectual property protection. We introduce the novel concept of abstract softw ..."
Abstract

Cited by 42 (1 self)
 Add to MetaCart
Software watermarking consists in the intentional embedding of indelible stegosignatures or watermarks into the subject software and extraction of the stegosignatures embedded in the stegoprograms for purposes such as intellectual property protection. We introduce the novel concept of abstract software watermarking. The basic idea is that the watermark is hidden in the program code in such a way that it can only be extracted by an abstract interpretation of the (maybe nonstandard) concrete semantics of this code. This static analysisbased approach allows the watermark to be recovered even if only a small part of the program code is present and does not even need that code to be executed. We illustrate the technique by a simple abstract watermarking protocol for methods of Java TM classes. The concept applies equally well to any other kind of software (including hardware originally specified by software).
Private Circuits II: Keeping Secrets In Tamperable Circuits
, 2006
"... Motivated by the problem of protecting cryptographic hardware, we continue the investigation of private circuits initiated in [16]. In this work, our aim is to construct circuits that should protect the secrecy of their internal state against an adversary who may modify the values of an unbounde ..."
Abstract

Cited by 41 (4 self)
 Add to MetaCart
(Show Context)
Motivated by the problem of protecting cryptographic hardware, we continue the investigation of private circuits initiated in [16]. In this work, our aim is to construct circuits that should protect the secrecy of their internal state against an adversary who may modify the values of an unbounded number of wires, anywhere in the circuit. In contrast, all previous works on protecting cryptographic hardware relied on an assumption that some portion of the circuit must remain completely free from tampering.
can mobile agents do secure electronic transactions on untrusted hosts? A survey of the security issues and the current solutions
 ACM Trans. Internet Technol
, 2003
"... This article investigates if and how mobile agents can execute secure electronic transactions on untrusted hosts. An overview of the security issues of mobile agents is first given. The problem of untrusted (i.e., potentially malicious) hosts is one of these issues, and appears to be the most diffic ..."
Abstract

Cited by 40 (0 self)
 Add to MetaCart
This article investigates if and how mobile agents can execute secure electronic transactions on untrusted hosts. An overview of the security issues of mobile agents is first given. The problem of untrusted (i.e., potentially malicious) hosts is one of these issues, and appears to be the most difficult to solve. The current approaches to counter this problem are evaluated, and their relevance for secure electronic transactions is discussed. In particular, a stateoftheart survey of mobile agentbased secure electronic transactions is presented. Categories and Subject Descriptors: A.1 [Introductory and Survey]; E.3 [Data Encryption];
A semanticsbased approach to malware detection
 PROCEEDINGS OF THE 34TH ACM SIGPLANSIGACT SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES, POPL 2007, ACM (2007) 377–388
, 2007
"... Malware detection is a crucial aspect of software security. Current malware detectors work by checking for “signatures,” which attempt to capture (syntactic) characteristics of the machinelevel byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to co ..."
Abstract

Cited by 40 (3 self)
 Add to MetaCart
(Show Context)
Malware detection is a crucial aspect of software security. Current malware detectors work by checking for “signatures,” which attempt to capture (syntactic) characteristics of the machinelevel byte sequence of the malware. This reliance on a syntactic approach makes such detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter syntactic properties of the malware byte sequence without significantly affecting their execution behavior. This paper takes the position that the key to malware identification lies in their semantics. It proposes a semanticsbased framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behaviors of malware as well as the program being checked for infection, and uses abstract interpretation to “hide” irrelevant aspects of these behaviors. As a concrete application of our approach, we show that the semanticsaware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers.
Positive results and techniques for obfuscation
 In EUROCRYPT ’04
, 2004
"... Abstract. Informally, an obfuscator O is an efficient, probabilistic “compiler” that transforms a program P into a new program O(P) with the same functionality as P, but such that O(P) protects any secrets that may be built into and used by P. Program obfuscation, if possible, would have numerous im ..."
Abstract

Cited by 36 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Informally, an obfuscator O is an efficient, probabilistic “compiler” that transforms a program P into a new program O(P) with the same functionality as P, but such that O(P) protects any secrets that may be built into and used by P. Program obfuscation, if possible, would have numerous important cryptographic applications, including: (1) “Intellectual property ” protection of secret algorithms and keys in software, (2) Solving the longstanding open problem of homomorphic publickey encryption, (3) Controlled delegation of authority and access, (4) Transforming PrivateKey Encryption into PublicKey Encryption, and (5) Access Control Systems. Unfortunately however, program obfuscators that work on arbitrary programs cannot exist [1]. No positive results for program obfuscation were known prior to this work. In this paper, we provide the first positive results in program obfuscation. We focus on the goal of access control, and give several provable obfuscations for complex access control functionalities, in the random oracle model. Our results are obtained through nontrivial compositions of obfuscations; we note that general composition of obfuscations is impossible, and so developing techniques for composing obfuscations is an important goal. Our work can also be seen as making initial progress toward the goal of obfuscating finite automata or regular expressions, an important general class of machines which are not ruled out by the impossibility results of [1]. We also note that our work provides the first formal proof techniques for obfuscation, which we expect to be useful in future work in this area. 1
On cryptography with auxiliary input
 DKL09] [DS05] [FGK+ 10] [FOR12] [GHV10
, 2009
"... We study the question of designing cryptographic schemes which are secure even if an arbitrary function f(sk) of the secret key is leaked, as long as the secret key sk is still (exponentially) hard to compute from this auxiliary input. This setting of auxiliary input is more general than the more tr ..."
Abstract

Cited by 33 (4 self)
 Add to MetaCart
(Show Context)
We study the question of designing cryptographic schemes which are secure even if an arbitrary function f(sk) of the secret key is leaked, as long as the secret key sk is still (exponentially) hard to compute from this auxiliary input. This setting of auxiliary input is more general than the more traditional setting, which assumes that some of information about the secret key sk may be leaked, but sk still has high minentropy left. In particular, we deal with situations where f(sk) informationtheoretically determines the entire secret key sk. As our main result, we construct CPA/CCA secure symmetric encryption schemes that remain secure with exponentially hardtoinvert auxiliary input. We give several applications of such schemes. • We construct an averagecase obfuscator for the class of point functions, which remains secure with exponentially hardtoinvert auxiliary input, and is reusable. • We construct a reusable and robust extractor that remains secure with exponentially hardtoinvert auxiliary input. Our results rely on a new cryptographic assumption, Learning SubspacewithNoise (LSN), which is related to the well known Learning ParitywithNoise (LPN) assumption.
On the impossibility of obfuscation with auxiliary input
 In Proceedings of the 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS’05
, 2005
"... Barak et al. formalized the notion of obfuscation, and showed that there exist (contrived) classes of functions that cannot be obfuscated. In contrast, Canetti and Wee showed how to obfuscate point functions, under various complexity assumptions. Thus, it would seem possible that most programs of in ..."
Abstract

Cited by 32 (2 self)
 Add to MetaCart
Barak et al. formalized the notion of obfuscation, and showed that there exist (contrived) classes of functions that cannot be obfuscated. In contrast, Canetti and Wee showed how to obfuscate point functions, under various complexity assumptions. Thus, it would seem possible that most programs of interest can be obfuscated even though in principle general purpose obfuscators do not exist. We show that this is unlikely to be the case. In particular, we consider the notion of obfuscation w.r.t. auxiliary input, which corresponds to the setting where the adversary, which is given the obfuscated circuit, may have some additional a priori information. This is essentially the case of interest in any usage of obfuscation we can imagine. We prove that there exist many natural classes of functions that cannot be obfuscated w.r.t. auxiliary input, both when the auxiliary input is dependent of the function being obfuscated and even when the auxiliary input is independent of the function being obfuscated. We also give a positive result. In particular, we show that any obfuscator for the class of point functions is also an obfuscator w.r.t. independent auxiliary input. 1
On the implausibility of differinginputs obfuscation and extractable witness encryption with auxiliary input. Cryptology ePrint Archive, Report 2013/860
, 2013
"... The notion of differinginputs obfuscation (diO) was introduced by Barak et al. (CRYPTO 2001). It guarantees that, for any two circuits C0, C1, if it is difficult to come up with an input x on which C0(x) 6 = C1(x), then it should also be difficult to distinguish the obfuscation of C0 from that of C ..."
Abstract

Cited by 30 (3 self)
 Add to MetaCart
The notion of differinginputs obfuscation (diO) was introduced by Barak et al. (CRYPTO 2001). It guarantees that, for any two circuits C0, C1, if it is difficult to come up with an input x on which C0(x) 6 = C1(x), then it should also be difficult to distinguish the obfuscation of C0 from that of C1. This is a strengthening of indistinguishability obfuscation, where the above is only guaranteed for circuits that agree on all inputs: C0(x) = C1(x) for all x. Two recent works of Ananth et al. (ePrint 2013) and Boyle et al. (TCC 2014) study the notion of diO in the setting where the attacker is also given some auxiliary information related to the circuits, showing that this notion leads to many interesting applications. In this work, we show that the existence of generalpurpose diO with general auxiliary input has a surprising consequence: it implies that a specific circuit C ∗ with specific auxiliary input aux ∗ cannot be obfuscated in a way that hides some specific information. In other words, under the conjecture that such specialpurpose obfuscation exists, we show that generalpurpose diO cannot exist. We do not know if this specialpurpose obfuscation assumption is implied by diO itself, and hence we do not get an unconditional impossibility result. However, the specialpurpose obfuscation assumption is a falsifiable assumption which we do not know how to break for candidate obfuscation schemes. Showing the existence of generalpurpose diO with general auxiliary input would necessitate showing how to break this assumption. We also show that the specialpurpose obfuscation assumption implies the impossibility of extractable witness encryption with auxiliary input, a notion proposed by Goldwasser et al. (CRYPTO 2013). A variant of this assumption also implies the impossibility of “outputonly dependent ” hardcore bits for general oneway functions, as recently constructed by Bellare and Tessaro (ePrint 2013) using diO. 1
Independence from obfuscation: A semantic framework for diversity
 In Proc. of IEEE Computer Security Foundations Workshop
, 2006
"... A set of replicas is diverse to the extent that all implement the same functionality but they differ in their implementation details. Diverse replicas are less likely to succumb to the same attacks, when attacks depend on memory layout and/or other implementation details. Recent work advocates using ..."
Abstract

Cited by 30 (4 self)
 Add to MetaCart
(Show Context)
A set of replicas is diverse to the extent that all implement the same functionality but they differ in their implementation details. Diverse replicas are less likely to succumb to the same attacks, when attacks depend on memory layout and/or other implementation details. Recent work advocates using mechanical means, such as program rewriting, to create such diversity. A correspondence between the specific transformations being employed and the attacks they defend against is often provided, but little has been said about the overall effectiveness of diversity per se in defending against attacks. With this broader goal in mind, we here give a precise characterization of attacks, applicable to viewing diversity as a defense, and also show how mechanicallygenerated diversity compares to a wellunderstood defense: type checking. 1