DOCSLIB.ORG

Studies in Program Obfuscation Mayank Varia

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Studies in Program Obfuscation Mayank Varia Studies in Program Obfuscation by Mayank Varia B.S.E., Duke University, 2005 Submitted to the Department of Mathematics in partial fulfillment of the requirements for the degree of Doctor of Philosophy at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY September 2010 c 2010 Mayank Varia. All rights reserved. The author hereby grants to MIT permission to reproduce and to distribute publicly paper and electronic copies of this thesis document in whole or in part in any medium now known or hereafter created. Author................................................................................... Department of Mathematics August 6, 2010 Certified by............................................................................... Ran Canetti Associate Professor, School of Computer Science, Tel Aviv University Thesis Supervisor Accepted by.............................................................................. Michel Goemans Chairman, Applied Mathematics Committee 2 Studies in Program Obfuscation by Mayank Varia Submitted to the Department of Mathematics on August 6, 2010, in partial fulfillment of the requirements for the degree of Doctor of Philosophy Abstract Program obfuscation is the software analog to the problem of tamper-proofing hardware. The goal of program obfuscation is to construct a compiler, called an \obfuscator," that garbles the code of a computer program while maintaining its functionality. Commercial products exist to perform this procedure, but they do not provide a rigorous se- curity guarantee. Over the past decade, program obfuscation has been studied by the theoretical cryptography community, where rigorous definitions of security have been proposed and obfuscators have been constructed for some families of programs. This thesis presents three contributions based on the virtual black-box security definition of Barak et al [10]. First, we show tight connections between obfuscation and symmetric-key encryption. Specifi- cally, obfuscation can be used to construct an encryption scheme with strong leakage resilience and key-dependent message security. The converse is also true, and these connections scale with the level of security desired. As a result, the known constructions and impossibility results for each primitive carry over to the other. Second, we present two new security definitions that augment the virtual black-box property to incorporate non-malleability. The virtual black-box definition does not prevent an adversary from modifying an obfuscated program intelligently. By contrast, our new definitions provide software with the same security guarantees as tamper-proof and tamper-evident hardware, respectively. The first definition prohibits tampering, and the second definition requires that tampering is detectable after the fact. We construct non-malleable obfuscators of both flavors for some program families of interest. Third, we present an obfuscator for programs that test for membership in a hyperplane. This generalizes prior works that obfuscate equality testing. We prove the security of the obfuscator under a new strong variant of the Decisional Diffie-Hellman assumption that holds in the generic group model. Additionally, we show a cryptographic application of the new obfuscator to leakage- resilient one-time digital signatures. The thesis also includes a survey of the prior results in the field. Thesis Supervisor: Ran Canetti Title: Associate Professor, School of Computer Science, Tel Aviv University 3 4 Acknowledgments I am very grateful to many colleagues, friends, and family for their help and support throughout my graduate studies. First and foremost, I am indebted to my advisor Ran Canetti for his guidance for the past four years. As a mathematician working with a computer scientist, we approached most problems from different angles, and understanding his perspective often resulted in solutions and always contributed to my growth as a scientist. Even if we were not able to solve a problem, I knew that Ran would at least provide a list of topical, relevant papers to examine, and the accuracy rate of his suggestions amazes me to this day. Perhaps the highest compliment I can pay him is that he is more helpful from halfway across the world than most people are from halfway across the building. I am also grateful to my co-authors Yael Kalai, Guy Rothblum, and Daniel Wichs for introducing me to their fields of study and making sense of my rambling thoughts. They were a pleasure to work with, both during the times of intensive study and leisurely banter. I also want to thank Nir Bitanski and Ronny Dakdouk for finding bugs, suggesting improvements, and proving new results in the non-malleable obfuscation and hyperplane membership testing problems. Additionally, I thank Michael Sipser and Peter Shor for serving on my thesis committee. As my internal advisor, Mike also provided valuable advice on my graduate research and job hunt. Additionally, I want to acknowledge the applied math department for their flexibility in allowing me to find the proper field of research, and the NDSEG fellowship for supporting me for three years, making the transition much easier. I thank Ron Rivest, Eran Tromer, and all of the graduate students in the cryptography reading group for providing an excellent learning environment and cementing my decision to study cryptography. During the past five years, I have been fortunate to have an outstanding group of officemates, including Victor Chen, Andy Drucker, Matthew Gelvin, Dah-Yoh Lim, and Rotem Oshman. They occasionally helped me with my work and often provided humorous anecdotes and informative conversations. (I promise that the relative frequency of these two events is a reflection on me, not them.) I also thank my friends in the poker group for providing me with a weekly connection to the developments in the math community. Finally, I thank my parents for their love and support. Without their active interest in my education and well-being, I would never have been in a position to start graduate school, let alone finish it. 5 6 Contents 1 Introduction to Obfuscation 9 1.1 Obfuscation in applied cryptography . 10 1.2 Obfuscation in theoretical cryptography . 11 1.2.1 Comparison with encryption . 11 1.2.2 Possible definitions . 13 1.2.3 Negative results . 14 1.2.4 Positive results . 15 1.3 Our results . 17 1.3.1 Obfuscation and symmetric encryption . 18 1.3.2 Non-malleable obfuscation . 21 1.3.3 Obfuscation of hyperplane membership . 26 1.4 Organization . 28 2 Definitions 29 2.1 Circuit families . 29 2.2 Obfuscation . 31 2.2.1 Functionality . 31 2.2.2 Virtual black-box property . 32 3 Survey of Prior Works 35 3.1 Definitions . 35 3.1.1 Virtual black-box . 35 3.1.2 Auxiliary input and composability . 39 3.1.3 Average-case obfuscation . 41 3.2 Positive results . 42 3.2.1 Point circuits and generalizations . 42 3.2.2 Cryptographic applications . 50 3.3 Connections . 54 3.3.1 Impossibility . 54 3.3.2 Separations . 57 3.3.3 Composability . 58 4 Obfuscation and Symmetric Encryption 61 4.1 Introduction . 61 4.2 Definitions . 62 4.2.1 Obfuscation . 62 4.2.2 Encryption with weak keys . 64 7 4.2.3 Proof of Theorem 4.2 . 67 4.2.4 Comparison of α-obfuscation definitions . 70 4.3 Encryption with weak keys and obfuscation with independent messages . 72 4.3.1 Semantically secure encryption . 72 4.3.2 CPA encryption and self-composable obfuscation . 73 4.4 Auxiliary input . 75 4.5 KDM encryption . 76 4.5.1 Semantically secure KDM encryption . 76 4.5.2 Multi-KDM encryption and self-composable obfuscation . 78 4.6 Implications . 79 4.6.1 Encryption with fully weak keys . 79 4.6.2 Achieving obfuscation with independent messages . 80 4.6.3 Difficulty of obfuscation with dependent messages . 82 5 Non-malleable Obfuscation 83 5.1 Introduction . 83 5.2 Defining non-malleable obfuscation . 84 5.2.1 Tamper-proof obfuscation . 84 5.2.2 Discussion . 86 5.2.3 Tamper-evident obfuscation . 92 5.2.4 Models with setup assumptions . 97 5.2.5 Comparison . 99 5.3 Constructions of tamper-proof obfuscators . 100 5.3.1 Single-point circuits . 100 5.3.2 Multi-point circuits . 104 5.4 Constructions of tamper-evident obfuscators . 113 5.4.1 Random oracle model . 113 5.4.2 Common reference string model . 118 6 Obfuscation of Hyperplane Membership 125 6.1 Introduction . 125 6.2 Finite vector spaces . 127 6.3 Assumption . 128 6.3.1 Hierarchy of assumptions . 129 6.3.2 Generic group model . 131 6.3.3 Adaptivity . 137 6.4 Construction . 139 6.5 Multi-bit output . 143 6.6 One-time signature scheme . 145 7 Future work 149 List of Symbols 151 List of Algorithms 155 List of Figures 157 Bibliography 159 8 Chapter 1 Introduction to Obfuscation Cryptography examines how information can be protected while still being used in a meaningful way. The latter part of the goal is particularly important, but often forgotten. Many people view cryptography simply as the art of keeping secrets, but this is not the case. In fact, it is very simple to keep something secret if you never need to recall or use it: simply forget it and continue on as if you had never learned it. The diverse set of problems that cryptographers study all balance the need to use information (a functionality guarantee) with the desire to keep something hidden (a security guarantee). For instance, classical cryptographic problems such as encryption or digital signatures provide the functionality of being able to send a message to one party with security guarantees against malice by others. In this work, we consider the problem of program obfuscation, in which we wish to hide the details of how a computer program works while preserving its functionality. We illustrate the concept with an example involving two people named Alice and Bob. Suppose Bob discovers an algorithm that factors integers quickly. He wants to show the algo- rithm to Alice (along with the rest of the world), but in a responsible manner that does not allow her to break most of the public-key cryptography standards.
Load more

Recommended publications
  • Secure Merge with O(N Log Log N) Secure Operations
    Secure Merge with O(n log log n) Secure Operations Brett Hemenway Falk # University of Pennsylvania, Philadelphia, PA, USA Rafail Ostrovsky # University of California, Los Angeles, CA, USA Abstract Data-oblivious algorithms are a key component of many secure computation protocols. In this work, we show that advances in secure multiparty shuffling algorithms can be used to increase the efficiency of several key cryptographic tools. The key observation is that many secure computation protocols rely heavily on secure shuffles. The best data-oblivious shuffling algorithms require O(n log n), operations, but in the two-party or multiparty setting, secure shuffling can be achieved with only O(n) communication. Leveraging the efficiency of secure multiparty shuffling, we give novel, information-theoretic algorithms that improve the efficiency of securely sorting sparse lists, secure stable compaction, and securely merging two sorted lists. Securely sorting private lists is a key component of many larger secure computation protocols. The best data-oblivious sorting algorithms for sorting a list of n elements require O(n log n) comparisons. Using black-box access to a linear-communication secure shuffle, we give a secure algorithm for sorting a list of length n with t ≪ n nonzero elements with communication O(t log2 n + n), which beats the best oblivious algorithms when the number of nonzero elements, t, satisfies t < n/ log2 n. Secure compaction is the problem of removing dummy elements from a list, and is essentially equivalent to sorting on 1-bit keys. The best oblivious compaction algorithms run in O(n)-time, but they are unstable, i.e., the order of the remaining elements is not preserved.
    [Show full text]
  • Aristotle's Illicit Quantifier Shift: Is He Guilty Or Innocent
    Aristos Volume 1 Issue 2 Article 2 9-2015 Aristotle's Illicit Quantifier Shift: Is He Guilty or Innocent Jack Green The University of Notre Dame Australia Follow this and additional works at: https://researchonline.nd.edu.au/aristos Part of the Philosophy Commons, and the Religious Thought, Theology and Philosophy of Religion Commons Recommended Citation Green, J. (2015). "Aristotle's Illicit Quantifier Shift: Is He Guilty or Innocent," Aristos 1(2),, 1-18. https://doi.org/10.32613/aristos/ 2015.1.2.2 Retrieved from https://researchonline.nd.edu.au/aristos/vol1/iss2/2 This Article is brought to you by ResearchOnline@ND. It has been accepted for inclusion in Aristos by an authorized administrator of ResearchOnline@ND. For more information, please contact [email protected]. Green: Aristotle's Illicit Quantifier Shift: Is He Guilty or Innocent ARISTOTLE’S ILLICIT QUANTIFIER SHIFT: IS HE GUILTY OR INNOCENT? Jack Green 1. Introduction Aristotle’s Nicomachean Ethics (from hereon NE) falters at its very beginning. That is the claim of logicians and philosophers who believe that in the first book of the NE Aristotle mistakenly moves from ‘every action and pursuit aims at some good’ to ‘there is some one good at which all actions and pursuits aim.’1 Yet not everyone is convinced of Aristotle’s seeming blunder.2 In lieu of that, this paper has two purposes. Firstly, it is an attempt to bring some clarity to that debate in the face of divergent opinions of the location of the fallacy; some proposing it lies at I.i.1094a1-3, others at I.ii.1094a18-22, making it difficult to wade through the literature.
    [Show full text]
  • Scope Ambiguity in Syntax and Semantics
    Scope Ambiguity in Syntax and Semantics Ling324 Reading: Meaning and Grammar, pg. 142-157 Is Scope Ambiguity Semantically Real? (1) Everyone loves someone. a. Wide scope reading of universal quantifier: ∀x[person(x) →∃y[person(y) ∧ love(x,y)]] b. Wide scope reading of existential quantifier: ∃y[person(y) ∧∀x[person(x) → love(x,y)]] 1 Could one semantic representation handle both the readings? • ∃y∀x reading entails ∀x∃y reading. ∀x∃y describes a more general situation where everyone has someone who s/he loves, and ∃y∀x describes a more specific situation where everyone loves the same person. • Then, couldn’t we say that Everyone loves someone is associated with the semantic representation that describes the more general reading, and the more specific reading obtains under an appropriate context? That is, couldn’t we say that Everyone loves someone is not semantically ambiguous, and its only semantic representation is the following? ∀x[person(x) →∃y[person(y) ∧ love(x,y)]] • After all, this semantic representation reflects the syntax: In syntax, everyone c-commands someone. In semantics, everyone scopes over someone. 2 Arguments for Real Scope Ambiguity • The semantic representation with the scope of quantifiers reflecting the order in which quantifiers occur in a sentence does not always represent the most general reading. (2) a. There was a name tag near every plate. b. A guard is standing in front of every gate. c. A student guide took every visitor to two museums. • Could we stipulate that when interpreting a sentence, no matter which order the quantifiers occur, always assign wide scope to every and narrow scope to some, two, etc.? 3 Arguments for Real Scope Ambiguity (cont.) • But in a negative sentence, ¬∀x∃y reading entails ¬∃y∀x reading.
    [Show full text]
  • Universally Composable Security: a New Paradigm for Cryptographic Protocols∗
    Universally Composable Security: A New Paradigm for Cryptographic Protocols∗ Ran Canettiy February 11, 2020 Abstract We present a general framework for describing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any crypto- graphic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for mod- ular design and analysis of complex cryptographic protocols from simpler building blocks. More- over, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol sessions that run concur- rently in an adversarially controlled manner. This is a useful guarantee, which allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks. Keywords: cryptographic protocols, security analysis, protocol composition, universal composi- tion. ∗An extended abstract of this work appears in the proceedings of the 42nd Foundations of Computer Science conference, 2001. This is an updated version. While the overall spirit and the structure of the definitions and results in this paper has remained the same, many important details have changed. We point out and motivate the main differences as we go along. Earlier versions of this work appeared in December 2018, July 2013, Decem- ber and January 2005, and October 2001, under the same title, and in December 2000 under the title \A unified framework for analyzing security of protocols". These earlier versions can be found at the ECCC archive, TR 01-16 (http://eccc.uni-trier.de/eccc-reports/2001/TR01-016); however they are not needed for understanding this work and have only historic significance.
    [Show full text]
  • Magic Adversaries Versus Individual Reduction: Science Wins Either Way ?
    Magic Adversaries Versus Individual Reduction: Science Wins Either Way ? Yi Deng1;2 1 SKLOIS, Institute of Information Engineering, CAS, Beijing, P.R.China 2 State Key Laboratory of Cryptology, P. O. Box 5159, Beijing ,100878,China [email protected] Abstract. We prove that, assuming there exists an injective one-way function f, at least one of the following statements is true: – (Infinitely-often) Non-uniform public-key encryption and key agreement exist; – The Feige-Shamir protocol instantiated with f is distributional concurrent zero knowledge for a large class of distributions over any OR NP-relations with small distinguishability gap. The questions of whether we can achieve these goals are known to be subject to black-box lim- itations. Our win-win result also establishes an unexpected connection between the complexity of public-key encryption and the round-complexity of concurrent zero knowledge. As the main technical contribution, we introduce a dissection procedure for concurrent ad- versaries, which enables us to transform a magic concurrent adversary that breaks the distribu- tional concurrent zero knowledge of the Feige-Shamir protocol into non-black-box construc- tions of (infinitely-often) public-key encryption and key agreement. This dissection of complex algorithms gives insight into the fundamental gap between the known universal security reductions/simulations, in which a single reduction algorithm or simu- lator works for all adversaries, and the natural security definitions (that are sufficient for almost all cryptographic primitives/protocols), which switch the order of qualifiers and only require that for every adversary there exists an individual reduction or simulator. 1 Introduction The seminal work of Impagliazzo and Rudich [IR89] provides a methodology for studying the lim- itations of black-box reductions.
    [Show full text]
  • CHURP: Dynamic-Committee Proactive Secret Sharing
    CHURP: Dynamic-Committee Proactive Secret Sharing Sai Krishna Deepak Maram∗† Cornell Tech Fan Zhang∗† Lun Wang∗ Andrew Low∗ Cornell Tech UC Berkeley UC Berkeley Yupeng Zhang∗ Ari Juels∗ Dawn Song∗ Texas A&M Cornell Tech UC Berkeley ABSTRACT most important resources—money, identities [6], etc. Their loss has We introduce CHURP (CHUrn-Robust Proactive secret sharing). serious and often irreversible consequences. CHURP enables secure secret-sharing in dynamic settings, where the An estimated four million Bitcoin (today worth $14+ Billion) have committee of nodes storing a secret changes over time. Designed for vanished forever due to lost keys [69]. Many users thus store their blockchains, CHURP has lower communication complexity than pre- cryptocurrency with exchanges such as Coinbase, which holds at vious schemes: O¹nº on-chain and O¹n2º off-chain in the optimistic least 10% of all circulating Bitcoin [9]. Such centralized key storage case of no node failures. is also undesirable: It erodes the very decentralization that defines CHURP includes several technical innovations: An efficient new blockchain systems. proactivization scheme of independent interest, a technique (using An attractive alternative is secret sharing. In ¹t;nº-secret sharing, asymmetric bivariate polynomials) for efficiently changing secret- a committee of n nodes holds shares of a secret s—usually encoded sharing thresholds, and a hedge against setup failures in an efficient as P¹0º of a polynomial P¹xº [73]. An adversary must compromise polynomial commitment scheme. We also introduce a general new at least t +1 players to steal s, and at least n−t shares must be lost technique for inexpensive off-chain communication across the peer- to render s unrecoverable.
    [Show full text]
  • Improved Threshold Signatures, Proactive Secret Sharing, and Input Certification from LSS Isomorphisms
    Improved Threshold Signatures, Proactive Secret Sharing, and Input Certification from LSS Isomorphisms Diego F. Aranha1, Anders Dalskov2, Daniel Escudero1, and Claudio Orlandi1 1 Aarhus University, Denmark 2 Partisia, Denmark Abstract. In this paper we present a series of applications steming from a formal treatment of linear secret-sharing isomorphisms, which are linear transformations between different secret-sharing schemes defined over vector spaces over a field F and allow for efficient multiparty conversion from one secret-sharing scheme to the other. This concept generalizes the folklore idea that moving from a secret-sharing scheme over Fp to a secret sharing \in the exponent" can be done non-interactively by multiplying the share unto a generator of e.g., an elliptic curve group. We generalize this idea and show that it can also be used to compute arbitrary bilinear maps and in particular pairings over elliptic curves. We include the following practical applications originating from our framework: First we show how to securely realize the Pointcheval-Sanders signature scheme (CT-RSA 2016) in MPC. Second we present a construc- tion for dynamic proactive secret-sharing which outperforms the current state of the art from CCS 2019. Third we present a construction for MPC input certification using digital signatures that we show experimentally to outperform the previous best solution in this area. 1 Introduction A(t; n)-secure secret-sharing scheme allows a secret to be distributed into n shares in such a way that any set of at most t shares are independent of the secret, but any set of at least t + 1 shares together can completely reconstruct the secret.
    [Show full text]
  • 2011, Velopment of Software Platforms Techniques
    Winter 2010/11 TEL AVIV UNIVERSITY REVIEW Science and the Sacred Explosives Detection Digitizing Architectural Design Israel-India Ties Information Overload 9 New faculty member Prof. Ronitt Rubinfeld uses advanced math- ematical techniques Cover story: to make sense of the The Science of data deluge. Judaism 2 From digitizing the Cairo Geniza to studying biblical weather, TAU Honing Israel’s scholars are offering fresh scientif- Security Edge 10 ic perspectives on Jewish culture The Yuval Ne’eman Workshop in and religion. Science, Technology and Security influences Israel’s national security policy. Closing a Circle 14 A community TEL AVIV UNIVERSITY REVIEW outreach program Winter 2010/11 Winter helps children cope with the loss of a relative from cancer. Issued by the Strategic Communications Dept. Development and Public Affairs Division Tel Aviv University Ramat Aviv 69978 Tel Aviv, Israel Prizes 37 TAU physicist Prof. Yakir Aharonov Tel: +972 3 6408249 sections Fax: + 972 3 6407080 receives the US National Medal of Science from President Barack E-mail: [email protected] Obama www.tau.ac.il innovations 16 Editor: Louise Shalev Contributors: Rava Eleasari, Pauline Reich, Ruti Ziv, Michal Alexander, Sarah Lubelski, Gil Zohar leadership 20 Graphic Design: TAU Graphic Design Studio/ Michal Semo-Kovetz; Dalit Pessach Dio’olamot Photography: Development and Public Affairs Division initiatives Photography Department/Michal Roche Ben Ami, 24 Michal Kidron Additional Photography: Ryan K Morris Photography and the National Science & Technology Medals associations 26 Foundation; Yaron Hershkovic; Avraham Hay, from the Wolfe Family Collection, courtesy of the Bible Lands Museum, Jerusalem; Yoram Reshef digest 34 Administrative Coordinator: Pauline Reich Administrative Assistant: Shay Bramson Translation Services: Sagir Translations, Offiservice newsmakers Printing: Eli Meir Printing 39 Officers of Tel Aviv University a Harvey M.
    [Show full text]
  • Discrete Mathematics, Chapter 1.4-1.5: Predicate Logic
    Discrete Mathematics, Chapter 1.4-1.5: Predicate Logic Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 1.4-1.5 1 / 23 Outline 1 Predicates 2 Quantifiers 3 Equivalences 4 Nested Quantifiers Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 1.4-1.5 2 / 23 Propositional Logic is not enough Suppose we have: “All men are mortal.” “Socrates is a man”. Does it follow that “Socrates is mortal” ? This cannot be expressed in propositional logic. We need a language to talk about objects, their properties and their relations. Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 1.4-1.5 3 / 23 Predicate Logic Extend propositional logic by the following new features. Variables: x; y; z;::: Predicates (i.e., propositional functions): P(x); Q(x); R(y); M(x; y);::: . Quantifiers: 8; 9. Propositional functions are a generalization of propositions. Can contain variables and predicates, e.g., P(x). Variables stand for (and can be replaced by) elements from their domain. Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 1.4-1.5 4 / 23 Propositional Functions Propositional functions become propositions (and thus have truth values) when all their variables are either I replaced by a value from their domain, or I bound by a quantifier P(x) denotes the value of propositional function P at x. The domain is often denoted by U (the universe). Example: Let P(x) denote “x > 5” and U be the integers. Then I P(8) is true. I P(5) is false.
    [Show full text]
  • Resettably Sound Zero-Knoweldge Arguments from Owfs - the (Semi) Black-Box Way
    Resettably Sound Zero-Knoweldge Arguments from OWFs - the (semi) Black-Box way Rafail Ostrovsky Alessandra Scafuro Muthuramakrishnan UCLA, USA UCLA, USA Venkitasubramaniam University of Rochester, USA Abstract We construct a constant-round resettably-sound zero-knowledge argument of knowledge based on black-box use of any one-way function. Resettable-soundness was introduced by Barak, Goldreich, Goldwasser and Lindell [FOCS 01] and is a strengthening of the soundness requirement in interactive proofs demanding that soundness should hold even if the malicious prover is allowed to “reset” and “restart” the verifier. In their work they show that resettably-sound ZK arguments require non-black-box simula- tion techniques, and also provide the first construction based on the breakthrough simulation technique of Barak [FOCS 01]. All known implementations of Barak’s non-black-box technique required non-black-box use of a collision-resistance hash-function (CRHF). Very recently, Goyal, Ostrovsky, Scafuro and Visconti [STOC 14] showed an implementation of Barak’s technique that needs only black-box access to a collision-resistant hash-function while still having a non-black-box simulator. (Such a construction is referred to as semi black-box.) Plugging this implementation in the BGGL’s construction yields the first resettably-sound ZK arguments based on black-box use of CRHFs. However, from the work of Chung, Pass and Seth [STOC 13] and Bitansky and Paneth [STOC 13], we know that resettably-sound ZK arguments can be constructed from non-black-box use of any one-way function (OWF), which is the minimal assumption for ZK arguments. Hence, a natural question is whether it is possible to construct resettably-sound zero- knowledge arguments from black-box use of any OWF only.
    [Show full text]
  • CURRICULUM VITAE Rafail Ostrovsky
    last updated: December 26, 2020 CURRICULUM VITAE Rafail Ostrovsky Distinguished Professor of Computer Science and Mathematics, UCLA http://www.cs.ucla.edu/∼rafail/ mailing address: Contact information: UCLA Computer Science Department Phone: (310) 206-5283 475 ENGINEERING VI, E-mail: [email protected] Los Angeles, CA, 90095-1596 Research • Cryptography and Computer Security; Interests • Streaming Algorithms; Routing and Network Algorithms; • Search and Classification Problems on High-Dimensional Data. Education NSF Mathematical Sciences Postdoctoral Research Fellow Conducted at U.C. Berkeley 1992-95. Host: Prof. Manuel Blum. Ph.D. in Computer Science, Massachusetts Institute of Technology, 1989-92. • Thesis titled: \Software Protection and Simulation on Oblivious RAMs", Ph.D. advisor: Prof. Silvio Micali. Final version appeared in Journal of ACM, 1996. Practical applications of thesis work appeared in U.S. Patent No.5,123,045. • Minor: \Management and Technology", M.I.T. Sloan School of Management. M.S. in Computer Science, Boston University, 1985-87. B.A. Magna Cum Laude in Mathematics, State University of New York at Buffalo, 1980-84. Department of Mathematics Graduation Honors: With highest distinction. Personal • U.S. citizen, naturalized in Boston, MA, 1986. Data Appointments UCLA Computer Science Department (2003 { present): Distinguished Professor of Computer Science. Recruited in 2003 as a Full Professor with Tenure. UCLA School of Engineering (2003 { present): Director, Center for Information and Computation Security. (See http://www.cs.ucla.edu/security/.) UCLA Department of Mathematics (2006 { present): Distinguished Professor of Mathematics (by courtesy). 1 Appointments Bell Communications Research (Bellcore) (cont.) (1999 { 2003): Senior Research Scientist; (1995 { 1999): Research Scientist, Mathematics and Cryptography Research Group, Applied Research.
    [Show full text]
  • The Comparative Predictive Validity of Vague Quantifiers and Numeric
    c European Survey Research Association Survey Research Methods (2014) ISSN 1864-3361 Vol.8, No. 3, pp. 169-179 http://www.surveymethods.org Is Vague Valid? The Comparative Predictive Validity of Vague Quantifiers and Numeric Response Options Tarek Al Baghal Institute of Social and Economic Research, University of Essex A number of surveys, including many student surveys, rely on vague quantifiers to measure behaviors important in evaluation. The ability of vague quantifiers to provide valid information, particularly compared to other measures of behaviors, has been questioned within both survey research generally and educational research specifically. Still, there is a dearth of research on whether vague quantifiers or numeric responses perform better in regards to validity. This study examines measurement properties of frequency estimation questions through the assessment of predictive validity, which has been shown to indicate performance of competing question for- mats. Data from the National Survey of Student Engagement (NSSE), a preeminent survey of university students, is analyzed in which two psychometrically tested benchmark scales, active and collaborative learning and student-faculty interaction, are measured through both vague quantifier and numeric responses. Predictive validity is assessed through correlations and re- gression models relating both vague and numeric scales to grades in school and two education experience satisfaction measures. Results support the view that the predictive validity is higher for vague quantifier scales, and hence better measurement properties, compared to numeric responses. These results are discussed in light of other findings on measurement properties of vague quantifiers and numeric responses, suggesting that vague quantifiers may be a useful measurement tool for behavioral data, particularly when it is the relationship between variables that are of interest.
    [Show full text]