Paper 2018/957

Same Point Composable and Nonmalleable Obfuscated Point Functions

Peter Fenteany and Benjamin Fuller

Abstract

A point obfuscator is an obfuscated program that indicates if a user enters a previously stored password. A digital locker is stronger: outputting a key if a user enters a previously stored password. The real-or-random transform allows one to build a digital locker from a composable point obfuscator (Canetti and Dakdouk, Eurocrypt 2008). Ideally, both objects would be nonmalleable, detecting adversarial tampering. Appending a non-interactive zero knowledge proof of knowledge adds nonmalleability in the common random string (CRS) model. Komargodski and Yogev (Eurocrypt, 2018) built a nonmalleable point obfuscator without a CRS. We show a lemma in their proof is false, leaving security of their construction unclear. Bartusek, Ma, and Zhandry (Crypto, 2019) used similar techniques and introduced another nonmalleable point function; their obfuscator is not secure if the same point is obfuscated twice. Thus, there was no composable and nonmalleable point function to instantiate the real-or-random construction. Our primary contribution is a nonmalleable point obfuscator that can be composed any polynomial number of times with the same point (which must be known ahead of time). Security relies on the assumption used in Bartusek, Ma, and Zhandry. This construction enables a digital locker that is nonmalleable with respect to the input password. As a secondary contribution, we introduce a key encoding step to detect tampering on the key. This step combines nonmalleable codes and seed-dependent condensers. The seed for the condenser must be public and not tampered, so this can be achieved in the CRS model. The password distribution may depend on the condenser’s seed as long as it is efficiently sampleable. This construction is black box in the underlying point obfuscation. Nonmalleability for the password is ensured for functions that can be represented as low degree polynomials. Key nonmalleability is inherited from the class of functions prevented by the nonmalleable code.

Note: Major new ideas and proofs. Previous version of the paper contained untrue construction based on faulty lemma. Construction now based on BMZ19 instead of KY18.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Major revision. 2020 Applied Cryptography and Network Security
Keywords
Digital lockersPoint obfuscationVirtual black-box obfuscationNon-malleable codesSeed dependent condensersNonmalleability
Contact author(s)
benjamin fuller @ uconn edu
peter fenteany @ uconn edu
History
2021-08-16: last of 9 revisions
2018-10-09: received
See all versions
Short URL
https://ia.cr/2018/957
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/957,
      author = {Peter Fenteany and Benjamin Fuller},
      title = {Same Point Composable and Nonmalleable Obfuscated Point Functions},
      howpublished = {Cryptology ePrint Archive, Paper 2018/957},
      year = {2018},
      note = {\url{https://eprint.iacr.org/2018/957}},
      url = {https://eprint.iacr.org/2018/957}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.