slide1
Download
Skip this Video
Download Presentation
Brent Waters

Loading in 2 Seconds...

play fullscreen
1 / 50

Brent Waters - PowerPoint PPT Presentation


  • 155 Views
  • Uploaded on

How to Use Indistinguishability Obfuscation. Amit Sahai. Brent Waters. Code Obfuscation. Goal: Make program (maximally) unintelligible. Obfuscator. 2. Applications!. Demo or “ need to know ” software. Software Patching.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Brent Waters' - aolani


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
code obfuscation
Code Obfuscation

Goal: Make program (maximally) unintelligible

Obfuscator

2

applications
Applications!

Demo or “need to know” software

Software Patching

Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …

3

difficulty of achieving obfuscation
Difficulty of Achieving Obfuscation
  • Initial Functionalities:
  • Point Functions [LPS04, …] and hyperplanes [CRV10]
  • Explanation of existing functionality[OS05, HRSV07]

Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]

What does this mean?

4

idealized obfuscation
Idealized Obfuscation

Idea: Learn nothing more than with black box access

vs.

  • Natural for applications, building crypto
  • Some (contrived) counter-examples [BGIRSVY 01]

No broad candidate class of obfuscatable functionalities

Generic group proofs [BR13,BGKPS13]

5

indistinguishability obfuscation
Indistinguishability Obfuscation

Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits

  • a (b+c) vs. ab + ac
  • Avoids negative results of [BGIRSVY01]
  • What is it good for?
vision io as hub for cryptography
Vision: IO as hub for cryptography

Standard Assumption (e.g. LWE)

Indistinguishabilty

Obfuscation

+ OWFs

This talk

“Most” of cryptography

7

slide8

How do we build public key encryption from Indistinguishability Obfuscation?

punctured programs technique
Punctured Programs Technique
  • Remove key element of program:
  • Attacker cannot win without it
  • Does not change functionality

Punctured PRF key: K{x*} eval PRF on all points, but x*

Security: Cannot distinguish F(K,x*) and random given K{x*}

Special case of constrained PRFs [BW13,BGI13,KPTZ13]

Build from [GGM84]

9

initial attempt
Initial Attempt

Setup: Choose Punctured PRF key K, PK= obfuscation of

Problems:

(1) Program knows PRF at t*

(2) If puncture out, will not be equivalent!

10

simple pke from io
Simple PKE from iO

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt(m): Choose random r; input m,r into program

Decrypt(K,CT=(c1,c2)):

Decryption is fast = symmetric key

11

proof of encryption scheme1
Proof of Encryption Scheme

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

13

proof of encryption scheme2
Proof of Encryption Scheme

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

iO security

Hyb 2: Use K{t*}

14

proof of encryption scheme3
Proof of Encryption Scheme

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

iO security

Hyb 2: Use K{t*}

Punctured PRF security

Hyb 3: Replace F(K,t*) w/ z*

15

a very simple cca kem
A Very Simple CCA-KEM

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt: Choose random r, give as input

Decrypt(K,c):

16

natural candidate
Natural Candidate

Setup: Choose Punctured PRF key K, VK= obfuscation of

Works with heuristic, but how to prove??

18

a signature scheme
A Signature Scheme

Setup: Choose Punctured PRF key K, VK= obfuscation of

f is a OWF

Sign(K,m):

Verify(VK,m,s): Input m,s into verify program

Signing is fast = symmetric key

19

proof of signature scheme
Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

20

proof of signature scheme1
Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

iO security

Hyb 1: Punctured Program

21

proof of signature scheme2
Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

iO security

Hyb 1: Punctured Program

Punctured PRF security

Hyb 2: z* random

22

other core primitives
Other Core Primitives
  • NIZKs[BDMP91]
  • Sign x if x is in L
  • Succinct proofs

Semi Honest Oblivious Transfer[R81]

Injective Trapdoor Functions

Simple CCA secure KEM

23

the rest of the talk
The rest of the talk
  • Deniable Encryption

(2) Functional Encryption [GGHRSW13]

(3) Open Directions

24

deniable encryption cdno97
Deniable Encryption [CDNO97]

Anthony

Enc(PK, m= ,r) -> CT

Demands message and randomness!

Fake r’ where

Enc(PK, m= ,r’) -> CT

Best solutions attacker adv. 1/n, n~ size of pub key

Problematic for encrypting many messages

26

publicly deniable encryption anyone can explain
Publicly Deniable Encryption Anyone can explain!

Setup(n) -> PK,SK

Decrypt(SK,c) -> m

Encrypt(PK,m;u)-> c

Explain(PK,c,m;r) -> u’

Two security properties(implies standard deniable)

(1) IND-CPA Security

(2) Indistinguishability of Explanation

Single message game

Advantage of separation: Simpler proofs

27

hidden sparse triggers
Hidden Sparse Triggers

Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value

Explain(PK, C): Encoding of C in Hidden Trigger Set

Encrypt(PK,m;u): Checks if randomness in trigger set

If yes, decrypts encoding to CT; else does fresh encrypt

Randomness Space

Hidden triggers

28

an attempt and malleability issues
An Attempt and Malleability Issues

Explain:

Malleability Attack!

Encrypt:

29

proof overview
Proof Overview

IND-CPA Proof: Simple proof; obfuscation not used

  • Explainability:
  • Encoding: Look like random string & non-malleable
  • Intricate multistep hybrid proof

31

using deployed keys
Using Deployed Keys
  • Receiver may:
  • Already have established key
  • Be disinterested/uninterested in D.E.
  • Universal Deniable Encryption: D.E. to ordinary keys
  • One time (uncorrupted) trusted setup
  • Use to deniably encrypt to any PK
  • Takes Encryption function as input

32

functional encryption sw05
Functional Encryption [SW05…]

MSK

Public Parameters

SK

Authority

X

Functionality: Learn f(x); x is hidden

Collusion Resistance core to concept! (Like IBE)

Collusion Bounded & Applications:

SS10, PRV12, AGVW13, GKVPZ13

CT:x

Key: f

34

tools
Tools
  • Statistically Simulation Sound NIZKs
  • Statistically sound except for simulated statement
  • Build from WI proofs

Two Key Technique [NY90,S99]

36

functional encryption system gghrsw13
Functional Encryption System [GGHRSW13]

Setup: Generate two keys pairs (PK1,SK1), (PK2,SK2) output CRS from NIZK setup

Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this

KeyGen(SK1,f): Obfuscate program

Decrypt(CT, SKf): Run obfuscated program on CT

37

proof overview1
Proof Overview

Challenge CT:

Keys:

38

step 1
Step 1

Challenge CT:

Keys:

NIZK security

39

step 2
Step 2

Challenge CT:

Keys:

IND-CPA security

40

step 3
Step 3

Challenge CT:

Keys:

IO security

41

step 4
Step 4

Challenge CT:

Keys:

IND-CPA security

42

step 5
Step 5

Challenge CT:

Keys:

IO security

43

step 6
Step 6

Challenge CT:

Keys:

NIZK security

44

evolution of functional encryption
Evolution of Functional Encryption

Sahai-Waters 2005: Introduction of Attribute-Based Encryption

GPSW 2006: Access Control (ABE) for any boolean formula

BW 2007, KSW08: “Predicate Encryption”; dot product functionality

Talks 2008: “Rebranded” as Functional Encryption , BSW11 reformalized (BSW11+O10 added simulation def.)

GGHSW13/GVW13: ABE for circuits

FE at 2013: Still Inner Product (& Applications)

Best we can do with bilinear maps

GGHRSW 2013: Functional Encryption for any circuit

45

explosion of obfuscation
Explosion of Obfuscation

Late July: GGHRSW13, SW13 eprint

4 months later

  • Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]
  • Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]
  • Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]
  • Two-round secure MPC from Indistinguishability Obfuscation [GGSR]
  • Protecting Obfuscation Against Algebraic Attacks [BGKPS]
  • Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]
  • Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]
  • There is no Indistinguishability Obfuscation in Pessiland [MR]
  • On Extractability Obfuscation [BCP]
  • A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]
  • Separations in Circular Security for Arbitrary Length Key Cycles [RVW]
  • Obfuscation for Evasive Functions [BBCKPS]
  • Differing-Inputs Obfuscation and Applications [ABGSZ]
  • More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]
  • Multi-Input Functional Encryption [GGJS]
  • Functional Encryption for Randomized Functionalities[GJKS]
  • Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]
  • Multi-Input Functional Encryption [GKLSZ]
  • Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]

48

my probabilities
My Probabilities

38%

I will make it to Weizmann in Dec.

Indistinguishability Obfuscation from LWE-type assumption in 4 years

63%

Amit eprints an obfusction paper in next 2 months

95%

49

ad