# Brent Waters - PowerPoint PPT Presentation

1 / 50

How to Use Indistinguishability Obfuscation. Amit Sahai. Brent Waters. Code Obfuscation. Goal: Make program (maximally) unintelligible. Obfuscator. 2. Applications!. Demo or “ need to know ” software. Software Patching.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Brent Waters

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

#### Presentation Transcript

How to Use Indistinguishability Obfuscation

Amit Sahai

Brent Waters

### Code Obfuscation

Goal: Make program (maximally) unintelligible

Obfuscator

2

### Applications!

Demo or “need to know” software

Software Patching

Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …

3

### Difficulty of Achieving Obfuscation

• Initial Functionalities:

• Point Functions [LPS04, …] and hyperplanes [CRV10]

• Explanation of existing functionality[OS05, HRSV07]

Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]

What does this mean?

4

### Idealized Obfuscation

Idea: Learn nothing more than with black box access

vs.

• Natural for applications, building crypto

• Some (contrived) counter-examples [BGIRSVY 01]

No broad candidate class of obfuscatable functionalities

Generic group proofs [BR13,BGKPS13]

5

### Indistinguishability Obfuscation

Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits

• a (b+c) vs. ab + ac

• Avoids negative results of [BGIRSVY01]

• What is it good for?

### Vision: IO as hub for cryptography

Standard Assumption (e.g. LWE)

Indistinguishabilty

Obfuscation

+ OWFs

This talk

“Most” of cryptography

7

How do we build public key encryption from Indistinguishability Obfuscation?

### Punctured Programs Technique

• Remove key element of program:

• Attacker cannot win without it

• Does not change functionality

Punctured PRF key: K{x*} eval PRF on all points, but x*

Security: Cannot distinguish F(K,x*) and random given K{x*}

Special case of constrained PRFs [BW13,BGI13,KPTZ13]

Build from [GGM84]

9

### Initial Attempt

Setup: Choose Punctured PRF key K, PK= obfuscation of

Problems:

(1) Program knows PRF at t*

(2) If puncture out, will not be equivalent!

10

### Simple PKE from iO

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt(m): Choose random r; input m,r into program

Decrypt(K,CT=(c1,c2)):

Decryption is fast = symmetric key

11

Hyb 0: IND-CPA

12

### Proof of Encryption Scheme

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

13

### Proof of Encryption Scheme

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

iO security

Hyb 2: Use K{t*}

14

### Proof of Encryption Scheme

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

iO security

Hyb 2: Use K{t*}

Punctured PRF security

Hyb 3: Replace F(K,t*) w/ z*

15

### A Very Simple CCA-KEM

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt: Choose random r, give as input

Decrypt(K,c):

16

### Natural Candidate

Setup: Choose Punctured PRF key K, VK= obfuscation of

Works with heuristic, but how to prove??

18

### A Signature Scheme

Setup: Choose Punctured PRF key K, VK= obfuscation of

f is a OWF

Sign(K,m):

Verify(VK,m,s): Input m,s into verify program

Signing is fast = symmetric key

19

### Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

20

### Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

iO security

Hyb 1: Punctured Program

21

### Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

iO security

Hyb 1: Punctured Program

Punctured PRF security

Hyb 2: z* random

22

### Other Core Primitives

• NIZKs[BDMP91]

• Sign x if x is in L

• Succinct proofs

Semi Honest Oblivious Transfer[R81]

Injective Trapdoor Functions

Simple CCA secure KEM

23

### The rest of the talk

• Deniable Encryption

(2) Functional Encryption [GGHRSW13]

(3) Open Directions

24

Deniable Encryption

### Deniable Encryption [CDNO97]

Anthony

Enc(PK, m= ,r) -> CT

Demands message and randomness!

Fake r’ where

Enc(PK, m= ,r’) -> CT

Best solutions attacker adv. 1/n, n~ size of pub key

Problematic for encrypting many messages

26

### Publicly Deniable Encryption Anyone can explain!

Setup(n) -> PK,SK

Decrypt(SK,c) -> m

Encrypt(PK,m;u)-> c

Explain(PK,c,m;r) -> u’

Two security properties(implies standard deniable)

(1) IND-CPA Security

(2) Indistinguishability of Explanation

Single message game

27

### Hidden Sparse Triggers

Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value

Explain(PK, C): Encoding of C in Hidden Trigger Set

Encrypt(PK,m;u): Checks if randomness in trigger set

If yes, decrypts encoding to CT; else does fresh encrypt

Randomness Space

Hidden triggers

28

### An Attempt and Malleability Issues

Explain:

Malleability Attack!

Encrypt:

29

Explain:

Encrypt:

30

### Proof Overview

IND-CPA Proof: Simple proof; obfuscation not used

• Explainability:

• Encoding: Look like random string & non-malleable

• Intricate multistep hybrid proof

31

### Using Deployed Keys

• Be disinterested/uninterested in D.E.

• Universal Deniable Encryption: D.E. to ordinary keys

• One time (uncorrupted) trusted setup

• Use to deniably encrypt to any PK

• Takes Encryption function as input

32

Functional Encryption

### Functional Encryption [SW05…]

MSK

Public Parameters

SK

Authority

X

Functionality: Learn f(x); x is hidden

Collusion Resistance core to concept! (Like IBE)

Collusion Bounded & Applications:

SS10, PRV12, AGVW13, GKVPZ13

CT:x

Key: f

34

SK

35

### Tools

• Statistically Simulation Sound NIZKs

• Statistically sound except for simulated statement

• Build from WI proofs

Two Key Technique [NY90,S99]

36

### Functional Encryption System [GGHRSW13]

Setup: Generate two keys pairs (PK1,SK1), (PK2,SK2) output CRS from NIZK setup

Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this

KeyGen(SK1,f): Obfuscate program

Decrypt(CT, SKf): Run obfuscated program on CT

37

Challenge CT:

Keys:

38

Challenge CT:

Keys:

NIZK security

39

Challenge CT:

Keys:

IND-CPA security

40

Challenge CT:

Keys:

IO security

41

Challenge CT:

Keys:

IND-CPA security

42

Challenge CT:

Keys:

IO security

43

Challenge CT:

Keys:

NIZK security

44

### Evolution of Functional Encryption

Sahai-Waters 2005: Introduction of Attribute-Based Encryption

GPSW 2006: Access Control (ABE) for any boolean formula

BW 2007, KSW08: “Predicate Encryption”; dot product functionality

Talks 2008: “Rebranded” as Functional Encryption , BSW11 reformalized (BSW11+O10 added simulation def.)

GGHSW13/GVW13: ABE for circuits

FE at 2013: Still Inner Product (& Applications)

Best we can do with bilinear maps

GGHRSW 2013: Functional Encryption for any circuit

45

Obfuscation

46

Looking Forward

### Explosion of Obfuscation

Late July: GGHRSW13, SW13 eprint

4 months later

• Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]

• Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]

• Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]

• Two-round secure MPC from Indistinguishability Obfuscation [GGSR]

• Protecting Obfuscation Against Algebraic Attacks [BGKPS]

• Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]

• Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]

• There is no Indistinguishability Obfuscation in Pessiland [MR]

• On Extractability Obfuscation [BCP]

• A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]

• Separations in Circular Security for Arbitrary Length Key Cycles [RVW]

• Obfuscation for Evasive Functions [BBCKPS]

• Differing-Inputs Obfuscation and Applications [ABGSZ]

• More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]

• Multi-Input Functional Encryption [GGJS]

• Functional Encryption for Randomized Functionalities[GJKS]

• Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]

• Multi-Input Functional Encryption [GKLSZ]

• Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]

48

### My Probabilities

38%

I will make it to Weizmann in Dec.

Indistinguishability Obfuscation from LWE-type assumption in 4 years

63%

Amit eprints an obfusction paper in next 2 months

95%

49