- 137 Views
- Uploaded on
- Presentation posted in: General

Brent Waters

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

How to Use Indistinguishability Obfuscation

Amit Sahai

Brent Waters

Goal: Make program (maximally) unintelligible

Obfuscator

2

Demo or “need to know” software

Software Patching

Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …

3

- Initial Functionalities:
- Point Functions [LPS04, …] and hyperplanes [CRV10]
- Explanation of existing functionality[OS05, HRSV07]

Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]

What does this mean?

4

Idea: Learn nothing more than with black box access

vs.

- Natural for applications, building crypto

- Some (contrived) counter-examples [BGIRSVY 01]

No broad candidate class of obfuscatable functionalities

Generic group proofs [BR13,BGKPS13]

5

Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits

- a (b+c) vs. ab + ac

- Avoids negative results of [BGIRSVY01]

- What is it good for?

Standard Assumption (e.g. LWE)

Indistinguishabilty

Obfuscation

+ OWFs

This talk

“Most” of cryptography

7

How do we build public key encryption from Indistinguishability Obfuscation?

- Remove key element of program:
- Attacker cannot win without it
- Does not change functionality

Punctured PRF key: K{x*} eval PRF on all points, but x*

Security: Cannot distinguish F(K,x*) and random given K{x*}

Special case of constrained PRFs [BW13,BGI13,KPTZ13]

Build from [GGM84]

9

Setup: Choose Punctured PRF key K, PK= obfuscation of

Problems:

(1) Program knows PRF at t*

(2) If puncture out, will not be equivalent!

10

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt(m): Choose random r; input m,r into program

Decrypt(K,CT=(c1,c2)):

Decryption is fast = symmetric key

11

Hyb 0: IND-CPA

12

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

13

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

iO security

Hyb 2: Use K{t*}

14

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

iO security

Hyb 2: Use K{t*}

Punctured PRF security

Hyb 3: Replace F(K,t*) w/ z*

15

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt: Choose random r, give as input

Decrypt(K,c):

16

How about signatures?

Setup: Choose Punctured PRF key K, VK= obfuscation of

Works with heuristic, but how to prove??

18

Setup: Choose Punctured PRF key K, VK= obfuscation of

f is a OWF

Sign(K,m):

Verify(VK,m,s): Input m,s into verify program

Signing is fast = symmetric key

19

Hyb 0: (Selective) Signature Security [GMR84]

20

Hyb 0: (Selective) Signature Security [GMR84]

iO security

Hyb 1: Punctured Program

21

Hyb 0: (Selective) Signature Security [GMR84]

iO security

Hyb 1: Punctured Program

Punctured PRF security

Hyb 2: z* random

22

- NIZKs[BDMP91]
- Sign x if x is in L
- Succinct proofs

Semi Honest Oblivious Transfer[R81]

Injective Trapdoor Functions

Simple CCA secure KEM

23

- Deniable Encryption

(2) Functional Encryption [GGHRSW13]

(3) Open Directions

24

Deniable Encryption

Anthony

Enc(PK, m= ,r) -> CT

Demands message and randomness!

Fake r’ where

Enc(PK, m= ,r’) -> CT

Best solutions attacker adv. 1/n, n~ size of pub key

Problematic for encrypting many messages

26

Setup(n) -> PK,SK

Decrypt(SK,c) -> m

Encrypt(PK,m;u)-> c

Explain(PK,c,m;r) -> u’

Two security properties(implies standard deniable)

(1) IND-CPA Security

(2) Indistinguishability of Explanation

Single message game

Advantage of separation: Simpler proofs

27

Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value

Explain(PK, C): Encoding of C in Hidden Trigger Set

Encrypt(PK,m;u): Checks if randomness in trigger set

If yes, decrypts encoding to CT; else does fresh encrypt

Randomness Space

Hidden triggers

28

Explain:

Malleability Attack!

Encrypt:

29

Explain:

Encrypt:

30

IND-CPA Proof: Simple proof; obfuscation not used

- Explainability:
- Encoding: Look like random string & non-malleable
- Intricate multistep hybrid proof

31

- Receiver may:
- Already have established key
- Be disinterested/uninterested in D.E.

- Universal Deniable Encryption: D.E. to ordinary keys
- One time (uncorrupted) trusted setup
- Use to deniably encrypt to any PK
- Takes Encryption function as input

32

Functional Encryption

MSK

Public Parameters

SK

Authority

X

Functionality: Learn f(x); x is hidden

Collusion Resistance core to concept! (Like IBE)

Collusion Bounded & Applications:

SS10, PRV12, AGVW13, GKVPZ13

CT:x

Key: f

34

SK

35

- Statistically Simulation Sound NIZKs
- Statistically sound except for simulated statement
- Build from WI proofs

Two Key Technique [NY90,S99]

36

Setup: Generate two keys pairs (PK1,SK1), (PK2,SK2) output CRS from NIZK setup

Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this

KeyGen(SK1,f): Obfuscate program

Decrypt(CT, SKf): Run obfuscated program on CT

37

Challenge CT:

Keys:

38

Challenge CT:

Keys:

NIZK security

39

Challenge CT:

Keys:

IND-CPA security

40

Challenge CT:

Keys:

IO security

41

Challenge CT:

Keys:

IND-CPA security

42

Challenge CT:

Keys:

IO security

43

Challenge CT:

Keys:

NIZK security

44

Sahai-Waters 2005: Introduction of Attribute-Based Encryption

GPSW 2006: Access Control (ABE) for any boolean formula

BW 2007, KSW08: “Predicate Encryption”; dot product functionality

Talks 2008: “Rebranded” as Functional Encryption , BSW11 reformalized (BSW11+O10 added simulation def.)

GGHSW13/GVW13: ABE for circuits

FE at 2013: Still Inner Product (& Applications)

Best we can do with bilinear maps

GGHRSW 2013: Functional Encryption for any circuit

45

Obfuscation

46

Looking Forward

Late July: GGHRSW13, SW13 eprint

4 months later

- Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]
- Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]
- Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]
- Two-round secure MPC from Indistinguishability Obfuscation [GGSR]
- Protecting Obfuscation Against Algebraic Attacks [BGKPS]
- Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]
- Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]
- There is no Indistinguishability Obfuscation in Pessiland [MR]
- On Extractability Obfuscation [BCP]
- A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]
- Separations in Circular Security for Arbitrary Length Key Cycles [RVW]
- Obfuscation for Evasive Functions [BBCKPS]
- Differing-Inputs Obfuscation and Applications [ABGSZ]
- More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]
- Multi-Input Functional Encryption [GGJS]
- Functional Encryption for Randomized Functionalities[GJKS]
- Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]
- Multi-Input Functional Encryption [GKLSZ]
- Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]

48

38%

I will make it to Weizmann in Dec.

Indistinguishability Obfuscation from LWE-type assumption in 4 years

63%

Amit eprints an obfusction paper in next 2 months

95%

49