How to Use
This presentation is the property of its rightful owner.
Sponsored Links
1 / 50

Brent Waters PowerPoint PPT Presentation


  • 113 Views
  • Uploaded on
  • Presentation posted in: General

How to Use Indistinguishability Obfuscation. Amit Sahai. Brent Waters. Code Obfuscation. Goal: Make program (maximally) unintelligible. Obfuscator. 2. Applications!. Demo or “ need to know ” software. Software Patching.

Download Presentation

Brent Waters

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Brent waters

How to Use Indistinguishability Obfuscation

Amit Sahai

Brent Waters


Code obfuscation

Code Obfuscation

Goal: Make program (maximally) unintelligible

Obfuscator

2


Applications

Applications!

Demo or “need to know” software

Software Patching

Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …

3


Difficulty of achieving obfuscation

Difficulty of Achieving Obfuscation

  • Initial Functionalities:

  • Point Functions [LPS04, …] and hyperplanes [CRV10]

  • Explanation of existing functionality[OS05, HRSV07]

Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]

What does this mean?

4


Idealized obfuscation

Idealized Obfuscation

Idea: Learn nothing more than with black box access

vs.

  • Natural for applications, building crypto

  • Some (contrived) counter-examples [BGIRSVY 01]

No broad candidate class of obfuscatable functionalities

Generic group proofs [BR13,BGKPS13]

5


Indistinguishability obfuscation

Indistinguishability Obfuscation

Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits

  • a (b+c) vs. ab + ac

  • Avoids negative results of [BGIRSVY01]

  • What is it good for?


Vision io as hub for cryptography

Vision: IO as hub for cryptography

Standard Assumption (e.g. LWE)

Indistinguishabilty

Obfuscation

+ OWFs

This talk

“Most” of cryptography

7


Brent waters

How do we build public key encryption from Indistinguishability Obfuscation?


Punctured programs technique

Punctured Programs Technique

  • Remove key element of program:

  • Attacker cannot win without it

  • Does not change functionality

Punctured PRF key: K{x*} eval PRF on all points, but x*

Security: Cannot distinguish F(K,x*) and random given K{x*}

Special case of constrained PRFs [BW13,BGI13,KPTZ13]

Build from [GGM84]

9


Initial attempt

Initial Attempt

Setup: Choose Punctured PRF key K, PK= obfuscation of

Problems:

(1) Program knows PRF at t*

(2) If puncture out, will not be equivalent!

10


Simple pke from io

Simple PKE from iO

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt(m): Choose random r; input m,r into program

Decrypt(K,CT=(c1,c2)):

Decryption is fast = symmetric key

11


Proof of encryption scheme

Proof of Encryption Scheme

Hyb 0: IND-CPA

12


Proof of encryption scheme1

Proof of Encryption Scheme

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

13


Proof of encryption scheme2

Proof of Encryption Scheme

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

iO security

Hyb 2: Use K{t*}

14


Proof of encryption scheme3

Proof of Encryption Scheme

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

iO security

Hyb 2: Use K{t*}

Punctured PRF security

Hyb 3: Replace F(K,t*) w/ z*

15


A very simple cca kem

A Very Simple CCA-KEM

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt: Choose random r, give as input

Decrypt(K,c):

16


Brent waters

How about signatures?


Natural candidate

Natural Candidate

Setup: Choose Punctured PRF key K, VK= obfuscation of

Works with heuristic, but how to prove??

18


A signature scheme

A Signature Scheme

Setup: Choose Punctured PRF key K, VK= obfuscation of

f is a OWF

Sign(K,m):

Verify(VK,m,s): Input m,s into verify program

Signing is fast = symmetric key

19


Proof of signature scheme

Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

20


Proof of signature scheme1

Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

iO security

Hyb 1: Punctured Program

21


Proof of signature scheme2

Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

iO security

Hyb 1: Punctured Program

Punctured PRF security

Hyb 2: z* random

22


Other core primitives

Other Core Primitives

  • NIZKs[BDMP91]

  • Sign x if x is in L

  • Succinct proofs

Semi Honest Oblivious Transfer[R81]

Injective Trapdoor Functions

Simple CCA secure KEM

23


The rest of the talk

The rest of the talk

  • Deniable Encryption

(2) Functional Encryption [GGHRSW13]

(3) Open Directions

24


Brent waters

Deniable Encryption


Deniable encryption cdno97

Deniable Encryption [CDNO97]

Anthony

Enc(PK, m= ,r) -> CT

Demands message and randomness!

Fake r’ where

Enc(PK, m= ,r’) -> CT

Best solutions attacker adv. 1/n, n~ size of pub key

Problematic for encrypting many messages

26


Publicly deniable encryption anyone can explain

Publicly Deniable Encryption Anyone can explain!

Setup(n) -> PK,SK

Decrypt(SK,c) -> m

Encrypt(PK,m;u)-> c

Explain(PK,c,m;r) -> u’

Two security properties(implies standard deniable)

(1) IND-CPA Security

(2) Indistinguishability of Explanation

Single message game

Advantage of separation: Simpler proofs

27


Hidden sparse triggers

Hidden Sparse Triggers

Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value

Explain(PK, C): Encoding of C in Hidden Trigger Set

Encrypt(PK,m;u): Checks if randomness in trigger set

If yes, decrypts encoding to CT; else does fresh encrypt

Randomness Space

Hidden triggers

28


An attempt and malleability issues

An Attempt and Malleability Issues

Explain:

Malleability Attack!

Encrypt:

29


Our deniable encryption system

Our Deniable Encryption System

Explain:

Encrypt:

30


Proof overview

Proof Overview

IND-CPA Proof: Simple proof; obfuscation not used

  • Explainability:

  • Encoding: Look like random string & non-malleable

  • Intricate multistep hybrid proof

31


Using deployed keys

Using Deployed Keys

  • Receiver may:

  • Already have established key

  • Be disinterested/uninterested in D.E.

  • Universal Deniable Encryption: D.E. to ordinary keys

  • One time (uncorrupted) trusted setup

  • Use to deniably encrypt to any PK

  • Takes Encryption function as input

32


Brent waters

Functional Encryption


Functional encryption sw05

Functional Encryption [SW05…]

MSK

Public Parameters

SK

Authority

X

Functionality: Learn f(x); x is hidden

Collusion Resistance core to concept! (Like IBE)

Collusion Bounded & Applications:

SS10, PRV12, AGVW13, GKVPZ13

CT:x

Key: f

34


An application facial identification

An Application: Facial Identification

SK

35


Tools

Tools

  • Statistically Simulation Sound NIZKs

  • Statistically sound except for simulated statement

  • Build from WI proofs

Two Key Technique [NY90,S99]

36


Functional encryption system gghrsw13

Functional Encryption System [GGHRSW13]

Setup: Generate two keys pairs (PK1,SK1), (PK2,SK2) output CRS from NIZK setup

Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this

KeyGen(SK1,f): Obfuscate program

Decrypt(CT, SKf): Run obfuscated program on CT

37


Proof overview1

Proof Overview

Challenge CT:

Keys:

38


Step 1

Step 1

Challenge CT:

Keys:

NIZK security

39


Step 2

Step 2

Challenge CT:

Keys:

IND-CPA security

40


Step 3

Step 3

Challenge CT:

Keys:

IO security

41


Step 4

Step 4

Challenge CT:

Keys:

IND-CPA security

42


Step 5

Step 5

Challenge CT:

Keys:

IO security

43


Step 6

Step 6

Challenge CT:

Keys:

NIZK security

44


Evolution of functional encryption

Evolution of Functional Encryption

Sahai-Waters 2005: Introduction of Attribute-Based Encryption

GPSW 2006: Access Control (ABE) for any boolean formula

BW 2007, KSW08: “Predicate Encryption”; dot product functionality

Talks 2008: “Rebranded” as Functional Encryption , BSW11 reformalized (BSW11+O10 added simulation def.)

GGHSW13/GVW13: ABE for circuits

FE at 2013: Still Inner Product (& Applications)

Best we can do with bilinear maps

GGHRSW 2013: Functional Encryption for any circuit

45


Evolution of functional encryption1

Evolution of Functional Encryption

Obfuscation

46


Brent waters

Looking Forward


Explosion of obfuscation

Explosion of Obfuscation

Late July: GGHRSW13, SW13 eprint

4 months later

  • Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]

  • Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]

  • Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]

  • Two-round secure MPC from Indistinguishability Obfuscation [GGSR]

  • Protecting Obfuscation Against Algebraic Attacks [BGKPS]

  • Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]

  • Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]

  • There is no Indistinguishability Obfuscation in Pessiland [MR]

  • On Extractability Obfuscation [BCP]

  • A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]

  • Separations in Circular Security for Arbitrary Length Key Cycles [RVW]

  • Obfuscation for Evasive Functions [BBCKPS]

  • Differing-Inputs Obfuscation and Applications [ABGSZ]

  • More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]

  • Multi-Input Functional Encryption [GGJS]

  • Functional Encryption for Randomized Functionalities[GJKS]

  • Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]

  • Multi-Input Functional Encryption [GKLSZ]

  • Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]

48


My probabilities

My Probabilities

38%

I will make it to Weizmann in Dec.

Indistinguishability Obfuscation from LWE-type assumption in 4 years

63%

Amit eprints an obfusction paper in next 2 months

95%

49


Thank you

Thank you


  • Login