How to Use
Download
1 / 50

Brent Waters - PowerPoint PPT Presentation


  • 155 Views
  • Uploaded on

How to Use Indistinguishability Obfuscation. Amit Sahai. Brent Waters. Code Obfuscation. Goal: Make program (maximally) unintelligible. Obfuscator. 2. Applications!. Demo or “ need to know ” software. Software Patching.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Brent Waters' - aolani


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Brent waters

How to Use Indistinguishability Obfuscation

Amit Sahai

Brent Waters


Code obfuscation
Code Obfuscation

Goal: Make program (maximally) unintelligible

Obfuscator

2


Applications
Applications!

Demo or “need to know” software

Software Patching

Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …

3


Difficulty of achieving obfuscation
Difficulty of Achieving Obfuscation

  • Initial Functionalities:

  • Point Functions [LPS04, …] and hyperplanes [CRV10]

  • Explanation of existing functionality[OS05, HRSV07]

Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]

What does this mean?

4


Idealized obfuscation
Idealized Obfuscation

Idea: Learn nothing more than with black box access

vs.

  • Natural for applications, building crypto

  • Some (contrived) counter-examples [BGIRSVY 01]

No broad candidate class of obfuscatable functionalities

Generic group proofs [BR13,BGKPS13]

5


Indistinguishability obfuscation
Indistinguishability Obfuscation

Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits

  • a (b+c) vs. ab + ac

  • Avoids negative results of [BGIRSVY01]

  • What is it good for?


Vision io as hub for cryptography
Vision: IO as hub for cryptography

Standard Assumption (e.g. LWE)

Indistinguishabilty

Obfuscation

+ OWFs

This talk

“Most” of cryptography

7


Brent waters

How do we build public key encryption from Indistinguishability Obfuscation?


Punctured programs technique
Punctured Programs Technique Indistinguishability Obfuscation?

  • Remove key element of program:

  • Attacker cannot win without it

  • Does not change functionality

Punctured PRF key: K{x*} eval PRF on all points, but x*

Security: Cannot distinguish F(K,x*) and random given K{x*}

Special case of constrained PRFs [BW13,BGI13,KPTZ13]

Build from [GGM84]

9


Initial attempt
Initial Attempt Indistinguishability Obfuscation?

Setup: Choose Punctured PRF key K, PK= obfuscation of

Problems:

(1) Program knows PRF at t*

(2) If puncture out, will not be equivalent!

10


Simple pke from io
Simple PKE from iO Indistinguishability Obfuscation?

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt(m): Choose random r; input m,r into program

Decrypt(K,CT=(c1,c2)):

Decryption is fast = symmetric key

11


Proof of encryption scheme
Proof of Encryption Scheme Indistinguishability Obfuscation?

Hyb 0: IND-CPA

12


Proof of encryption scheme1
Proof of Encryption Scheme Indistinguishability Obfuscation?

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

13


Proof of encryption scheme2
Proof of Encryption Scheme Indistinguishability Obfuscation?

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

iO security

Hyb 2: Use K{t*}

14


Proof of encryption scheme3
Proof of Encryption Scheme Indistinguishability Obfuscation?

Hyb 0: IND-CPA

PRG security

Hyb 1: t* is random

iO security

Hyb 2: Use K{t*}

Punctured PRF security

Hyb 3: Replace F(K,t*) w/ z*

15


A very simple cca kem
A Very Simple CCA-KEM Indistinguishability Obfuscation?

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt: Choose random r, give as input

Decrypt(K,c):

16


Brent waters

How about signatures? Indistinguishability Obfuscation?


Natural candidate
Natural Candidate Indistinguishability Obfuscation?

Setup: Choose Punctured PRF key K, VK= obfuscation of

Works with heuristic, but how to prove??

18


A signature scheme
A Signature Scheme Indistinguishability Obfuscation?

Setup: Choose Punctured PRF key K, VK= obfuscation of

f is a OWF

Sign(K,m):

Verify(VK,m,s): Input m,s into verify program

Signing is fast = symmetric key

19


Proof of signature scheme
Proof of Signature Scheme Indistinguishability Obfuscation?

Hyb 0: (Selective) Signature Security [GMR84]

20


Proof of signature scheme1
Proof of Signature Scheme Indistinguishability Obfuscation?

Hyb 0: (Selective) Signature Security [GMR84]

iO security

Hyb 1: Punctured Program

21


Proof of signature scheme2
Proof of Signature Scheme Indistinguishability Obfuscation?

Hyb 0: (Selective) Signature Security [GMR84]

iO security

Hyb 1: Punctured Program

Punctured PRF security

Hyb 2: z* random

22


Other core primitives
Other Core Primitives Indistinguishability Obfuscation?

  • NIZKs[BDMP91]

  • Sign x if x is in L

  • Succinct proofs

Semi Honest Oblivious Transfer[R81]

Injective Trapdoor Functions

Simple CCA secure KEM

23


The rest of the talk
The rest of the talk Indistinguishability Obfuscation?

  • Deniable Encryption

(2) Functional Encryption [GGHRSW13]

(3) Open Directions

24


Brent waters

Deniable Encryption Indistinguishability Obfuscation?


Deniable encryption cdno97
Deniable Encryption Indistinguishability Obfuscation?[CDNO97]

Anthony

Enc(PK, m= ,r) -> CT

Demands message and randomness!

Fake r’ where

Enc(PK, m= ,r’) -> CT

Best solutions attacker adv. 1/n, n~ size of pub key

Problematic for encrypting many messages

26


Publicly deniable encryption anyone can explain
Publicly Deniable Encryption Indistinguishability Obfuscation?Anyone can explain!

Setup(n) -> PK,SK

Decrypt(SK,c) -> m

Encrypt(PK,m;u)-> c

Explain(PK,c,m;r) -> u’

Two security properties(implies standard deniable)

(1) IND-CPA Security

(2) Indistinguishability of Explanation

Single message game

Advantage of separation: Simpler proofs

27


Hidden sparse triggers
Hidden Sparse Triggers Indistinguishability Obfuscation?

Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value

Explain(PK, C): Encoding of C in Hidden Trigger Set

Encrypt(PK,m;u): Checks if randomness in trigger set

If yes, decrypts encoding to CT; else does fresh encrypt

Randomness Space

Hidden triggers

28


An attempt and malleability issues
An Attempt and Malleability Issues Indistinguishability Obfuscation?

Explain:

Malleability Attack!

Encrypt:

29


Our deniable encryption system
Our Deniable Encryption System Indistinguishability Obfuscation?

Explain:

Encrypt:

30


Proof overview
Proof Overview Indistinguishability Obfuscation?

IND-CPA Proof: Simple proof; obfuscation not used

  • Explainability:

  • Encoding: Look like random string & non-malleable

  • Intricate multistep hybrid proof

31


Using deployed keys
Using Deployed Keys Indistinguishability Obfuscation?

  • Receiver may:

  • Already have established key

  • Be disinterested/uninterested in D.E.

  • Universal Deniable Encryption: D.E. to ordinary keys

  • One time (uncorrupted) trusted setup

  • Use to deniably encrypt to any PK

  • Takes Encryption function as input

32


Brent waters

Functional Encryption Indistinguishability Obfuscation?


Functional encryption sw05
Functional Encryption Indistinguishability Obfuscation?[SW05…]

MSK

Public Parameters

SK

Authority

X

Functionality: Learn f(x); x is hidden

Collusion Resistance core to concept! (Like IBE)

Collusion Bounded & Applications:

SS10, PRV12, AGVW13, GKVPZ13

CT:x

Key: f

34


An application facial identification
An Application: Facial Identification Indistinguishability Obfuscation?

SK

35


Tools
Tools Indistinguishability Obfuscation?

  • Statistically Simulation Sound NIZKs

  • Statistically sound except for simulated statement

  • Build from WI proofs

Two Key Technique [NY90,S99]

36


Functional encryption system gghrsw13
Functional Encryption System Indistinguishability Obfuscation?[GGHRSW13]

Setup: Generate two keys pairs (PK1,SK1), (PK2,SK2) output CRS from NIZK setup

Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this

KeyGen(SK1,f): Obfuscate program

Decrypt(CT, SKf): Run obfuscated program on CT

37


Proof overview1
Proof Overview Indistinguishability Obfuscation?

Challenge CT:

Keys:

38


Step 1
Step 1 Indistinguishability Obfuscation?

Challenge CT:

Keys:

NIZK security

39


Step 2
Step 2 Indistinguishability Obfuscation?

Challenge CT:

Keys:

IND-CPA security

40


Step 3
Step 3 Indistinguishability Obfuscation?

Challenge CT:

Keys:

IO security

41


Step 4
Step 4 Indistinguishability Obfuscation?

Challenge CT:

Keys:

IND-CPA security

42


Step 5
Step 5 Indistinguishability Obfuscation?

Challenge CT:

Keys:

IO security

43


Step 6
Step 6 Indistinguishability Obfuscation?

Challenge CT:

Keys:

NIZK security

44


Evolution of functional encryption
Evolution of Functional Encryption Indistinguishability Obfuscation?

Sahai-Waters 2005: Introduction of Attribute-Based Encryption

GPSW 2006: Access Control (ABE) for any boolean formula

BW 2007, KSW08: “Predicate Encryption”; dot product functionality

Talks 2008: “Rebranded” as Functional Encryption , BSW11 reformalized (BSW11+O10 added simulation def.)

GGHSW13/GVW13: ABE for circuits

FE at 2013: Still Inner Product (& Applications)

Best we can do with bilinear maps

GGHRSW 2013: Functional Encryption for any circuit

45


Evolution of functional encryption1
Evolution of Functional Encryption Indistinguishability Obfuscation?

Obfuscation

46


Brent waters

Looking Forward Indistinguishability Obfuscation?


Explosion of obfuscation
Explosion of Obfuscation Indistinguishability Obfuscation?

Late July: GGHRSW13, SW13 eprint

4 months later

  • Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]

  • Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]

  • Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]

  • Two-round secure MPC from Indistinguishability Obfuscation [GGSR]

  • Protecting Obfuscation Against Algebraic Attacks [BGKPS]

  • Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]

  • Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]

  • There is no Indistinguishability Obfuscation in Pessiland [MR]

  • On Extractability Obfuscation [BCP]

  • A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]

  • Separations in Circular Security for Arbitrary Length Key Cycles [RVW]

  • Obfuscation for Evasive Functions [BBCKPS]

  • Differing-Inputs Obfuscation and Applications [ABGSZ]

  • More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]

  • Multi-Input Functional Encryption [GGJS]

  • Functional Encryption for Randomized Functionalities[GJKS]

  • Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]

  • Multi-Input Functional Encryption [GKLSZ]

  • Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]

48


My probabilities
My Probabilities Indistinguishability Obfuscation?

38%

I will make it to Weizmann in Dec.

Indistinguishability Obfuscation from LWE-type assumption in 4 years

63%

Amit eprints an obfusction paper in next 2 months

95%

49


Thank you
Thank you Indistinguishability Obfuscation?