1

While dabbling in privacy-preserving protocols (mainly using Semi-Homomorphic Encryption) and coming up with miscellaneous ideas for comparison tests or other similar primitives, based on obfuscation and a small number of rounds between two parties, I have been consistently opposed the argument that such protocols did not provide an "adequate" level of security.

For example, in this particular protocol, the use of random values ($b \in {-1,1}$, $r, r'$) to obfuscate the encrypted value of $(y-x)$ in order to have the other party perform a test on it:

$Enc(c) = (Enc(y) Enc(-x))^{b*r} Enc(-r') = Enc(b*r*(y-x)-r')$ (I)

Or in a simpler example, assuming we want another party to (obliviously) compute the value of $log(x)$, sending the obfuscated value:

$Enc(c) = Enc(x)Enc(r) = Enc(r+x)$ (II)

(where $r$ is a random integer $\in [0, n-x[$)

In both those cases, the argument seems to be that, because $c$ does not follow a perfect uniform distribution (assuming $x$ and $y$ do), the protocol is not secure.

However, this seems like an unrealistically high bar to define "security" (especially given the arbitrary strength of the encryption scheme itself).

In both cases, even with full knowledge of the obfuscation scheme and an infinitely large number of exchanges, a malicious party would have no way to guess the exact value of the unobfuscated values with any degree of accuracy (at best, getting a distribution that is somewhat skewed), whereas typical random share protocols will tend to have a non-zero possibility of failure (due to modulo error and such) that is deemed acceptable.

As a non-cryptographer (math/CS background), I have a hard time understanding this approach to defining "security" and was hoping someone could give me a more formal and/or flexible definition of adequate security through obfuscation than "all obfuscated values exchanged must follow a strict uniform distribution".

Edit: I should add that I am clearly not the only one with trouble with this definition, since peer-reviewed papers like this one or this one clearly present schemes that fail the "uniform distribution of obfuscated value" condition.

Community
  • 1
Dave
  • 385
  • 2
  • 11
  • Where have you seen "the argument" "that, because c does not follow a perfect uniform distribution (assuming x and y do), the protocol is not secure."? $;$ –  Sep 09 '14 at 08:32
  • This is mainly what I was told when discussing such protocols with people in the field. This is also the general impression I get from literature (where the typical "proof of security" for obfuscation is that the obfuscated value is uniformly distributed). I realise this is a weak source and it sounds like a lazy upper bound to me, which is precisely why I'd love some hard reference to what defines proper obfuscation security in such a context. – Dave Sep 09 '14 at 08:58
  • 2
    If you have $x$ and $y$ uniformly distributed, then $x+y$ is also distributed uniformly in most of our typical algebraic structures (there are exceptions ofc). Multiplication is the tricky one, because $x \cdot y$ is usually not uniform. But if you have a homomorphic scheme to get $E(a+b)$ from $E(a)$ and $E(b)$, you deal with the additive case. – tylo Sep 09 '14 at 12:14
  • Sorry, I should have written out all the constraints, but generally, if you do obfuscation, you want to avoid the field limit, so you would add $r ∈ [0, n-x[$ (for example II). That is definitely not uniformly distributed. Not sure what you mean otherwise: Homomorphic scheme allow scalar multiplication and many obfuscation schemes might require more than simple addition. – Dave Sep 09 '14 at 23:27

0 Answers0