How to Use Indistinguishability Obfuscation. Amit Sahai. Brent Waters. Code Obfuscation. Goal: Make program (maximally) unintelligible. Obfuscator. 2. Applications!. Demo or “ need to know ” software. Software Patching.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
How to Use Indistinguishability Obfuscation
Amit Sahai
Brent Waters
Goal: Make program (maximally) unintelligible
Obfuscator
2
Demo or “need to know” software
Software Patching
Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …
3
Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]
What does this mean?
4
Idea: Learn nothing more than with black box access
vs.
No broad candidate class of obfuscatable functionalities
Generic group proofs [BR13,BGKPS13]
5
Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits
Standard Assumption (e.g. LWE)
Indistinguishabilty
Obfuscation
+ OWFs
This talk
“Most” of cryptography
7
How do we build public key encryption from Indistinguishability Obfuscation?
Punctured PRF key: K{x*} eval PRF on all points, but x*
Security: Cannot distinguish F(K,x*) and random given K{x*}
Special case of constrained PRFs [BW13,BGI13,KPTZ13]
Build from [GGM84]
9
Setup: Choose Punctured PRF key K, PK= obfuscation of
Problems:
(1) Program knows PRF at t*
(2) If puncture out, will not be equivalent!
10
Setup: Choose Punctured PRF key K, PK= obfuscation of
Encrypt(m): Choose random r; input m,r into program
Decrypt(K,CT=(c1,c2)):
Decryption is fast = symmetric key
11
Hyb 0: IND-CPA
12
Hyb 0: IND-CPA
PRG security
Hyb 1: t* is random
13
Hyb 0: IND-CPA
PRG security
Hyb 1: t* is random
iO security
Hyb 2: Use K{t*}
14
Hyb 0: IND-CPA
PRG security
Hyb 1: t* is random
iO security
Hyb 2: Use K{t*}
Punctured PRF security
Hyb 3: Replace F(K,t*) w/ z*
15
Setup: Choose Punctured PRF key K, PK= obfuscation of
Encrypt: Choose random r, give as input
Decrypt(K,c):
16
How about signatures?
Setup: Choose Punctured PRF key K, VK= obfuscation of
Works with heuristic, but how to prove??
18
Setup: Choose Punctured PRF key K, VK= obfuscation of
f is a OWF
Sign(K,m):
Verify(VK,m,s): Input m,s into verify program
Signing is fast = symmetric key
19
Hyb 0: (Selective) Signature Security [GMR84]
20
Hyb 0: (Selective) Signature Security [GMR84]
iO security
Hyb 1: Punctured Program
21
Hyb 0: (Selective) Signature Security [GMR84]
iO security
Hyb 1: Punctured Program
Punctured PRF security
Hyb 2: z* random
22
Semi Honest Oblivious Transfer[R81]
Injective Trapdoor Functions
Simple CCA secure KEM
23
(2) Functional Encryption [GGHRSW13]
(3) Open Directions
24
Deniable Encryption
Anthony
Enc(PK, m= ,r) -> CT
Demands message and randomness!
Fake r’ where
Enc(PK, m= ,r’) -> CT
Best solutions attacker adv. 1/n, n~ size of pub key
Problematic for encrypting many messages
26
Setup(n) -> PK,SK
Decrypt(SK,c) -> m
Encrypt(PK,m;u)-> c
Explain(PK,c,m;r) -> u’
Two security properties(implies standard deniable)
(1) IND-CPA Security
(2) Indistinguishability of Explanation
Single message game
Advantage of separation: Simpler proofs
27
Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value
Explain(PK, C): Encoding of C in Hidden Trigger Set
Encrypt(PK,m;u): Checks if randomness in trigger set
If yes, decrypts encoding to CT; else does fresh encrypt
Randomness Space
Hidden triggers
28
Explain:
Malleability Attack!
Encrypt:
29
Explain:
Encrypt:
30
IND-CPA Proof: Simple proof; obfuscation not used
31
32
Functional Encryption
MSK
Public Parameters
SK
Authority
X
Functionality: Learn f(x); x is hidden
Collusion Resistance core to concept! (Like IBE)
Collusion Bounded & Applications:
SS10, PRV12, AGVW13, GKVPZ13
CT:x
Key: f
34
SK
35
Two Key Technique [NY90,S99]
36
Setup: Generate two keys pairs (PK1,SK1), (PK2,SK2) output CRS from NIZK setup
Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this
KeyGen(SK1,f): Obfuscate program
Decrypt(CT, SKf): Run obfuscated program on CT
37
Challenge CT:
Keys:
38
Challenge CT:
Keys:
NIZK security
39
Challenge CT:
Keys:
IND-CPA security
40
Challenge CT:
Keys:
IO security
41
Challenge CT:
Keys:
IND-CPA security
42
Challenge CT:
Keys:
IO security
43
Challenge CT:
Keys:
NIZK security
44
Sahai-Waters 2005: Introduction of Attribute-Based Encryption
GPSW 2006: Access Control (ABE) for any boolean formula
BW 2007, KSW08: “Predicate Encryption”; dot product functionality
Talks 2008: “Rebranded” as Functional Encryption , BSW11 reformalized (BSW11+O10 added simulation def.)
GGHSW13/GVW13: ABE for circuits
FE at 2013: Still Inner Product (& Applications)
Best we can do with bilinear maps
GGHRSW 2013: Functional Encryption for any circuit
45
Obfuscation
46
Looking Forward
Late July: GGHRSW13, SW13 eprint
4 months later
48
38%
I will make it to Weizmann in Dec.
Indistinguishability Obfuscation from LWE-type assumption in 4 years
63%
Amit eprints an obfusction paper in next 2 months
95%
49