1. How to Use Indistinguishability Obfuscation
Amit Sahai
Brent Waters
test

2. Code Obfuscation Goal: Make program (maximally) unintelligible
Obfuscator 2

3. Applications! Demo or “need to know” software Software Patching
Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, … 3

4. Difficulty of Achieving Obfuscation
Initial Functionalities:
Point Functions [LPS04, …] and hyperplanes [CRV10]
Explanation of existing functionality[OS05, HRSV07]
Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]
What does this mean? 4

5. Idealized Obfuscation
Idea: Learn nothing more than with black box access
vs.
Natural for applications, building crypto
Some (contrived) counter-examples [BGIRSVY 01]
No broad candidate class of obfuscatable functionalities
Generic group proofs [BR13,BGKPS13] 5

6. Indistinguishability Obfuscation
Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits
a (b+c) vs. ab + ac
Avoids negative results of [BGIRSVY01]
What is it good for?

7. Vision: IO as hub for cryptography
Standard Assumption (e.g. LWE)
Indistinguishabilty
Obfuscation
+ OWFs
This talk
“Most” of cryptography 7

8. How do we build public key encryption from Indistinguishability Obfuscation?

9. Punctured Programs Technique
Remove key element of program:
Attacker cannot win without it
Does not change functionality
Punctured PRF key: K{x*} eval PRF on all points, but x*
Security: Cannot distinguish F(K,x*) and random given K{x*}
Special case of constrained PRFs [BW13,BGI13,KPTZ13]
Build from [GGM84] 9

10. Initial Attempt Setup: Choose Punctured PRF key K, PK= obfuscation of
Problems:
(1) Program knows PRF at t*
(2) If puncture out, will not be equivalent! 10

11. Simple PKE from iO
Setup: Choose Punctured PRF key K, PK= obfuscation of
Encrypt(m): Choose random r; input m,r into program
Decrypt(K,CT=(c1,c2)):
Decryption is fast = symmetric key 11

12. Proof of Encryption Scheme
Hyb 0: IND-CPA 12

13. Proof of Encryption Scheme
Hyb 0: IND-CPA
PRG security
Hyb 1: t* is random 13

14. Proof of Encryption Scheme
Hyb 0: IND-CPA
PRG security
Hyb 1: t* is random
iO security
Hyb 2: Use K{t*} 14

15. Proof of Encryption Scheme
Hyb 0: IND-CPA
PRG security
Hyb 1: t* is random
iO security
Hyb 2: Use K{t*}
Punctured PRF security
Hyb 3: Replace F(K,t*) w/ z* 15

16. A Very Simple CCA-KEM
Setup: Choose Punctured PRF key K, PK= obfuscation of
Encrypt: Choose random r, give as input
Decrypt(K,c): 16

17. How about signatures?

18. Natural Candidate
Setup: Choose Punctured PRF key K, VK= obfuscation of
Works with heuristic, but how to prove?? 18

19. A Signature Scheme
Setup: Choose Punctured PRF key K, VK= obfuscation of
f is a OWF
Sign(K,m):
Verify(VK,m,s): Input m,s into verify program
Signing is fast = symmetric key 19

20. Proof of Signature Scheme
Hyb 0: (Selective) Signature Security [GMR84] 20

21. Proof of Signature Scheme
Hyb 0: (Selective) Signature Security [GMR84]
iO security
Hyb 1: Punctured Program 21

22. Proof of Signature Scheme
Hyb 0: (Selective) Signature Security [GMR84]
iO security
Hyb 1: Punctured Program
Punctured PRF security
Hyb 2: z* random 22

23. Other Core Primitives NIZKs[BDMP91] Sign x if x is in L
Succinct proofs
Semi Honest Oblivious Transfer[R81]
Injective Trapdoor Functions
Simple CCA secure KEM 23

24. The rest of the talk Deniable Encryption
(2) Functional Encryption [GGHRSW13]
(3) Open Directions 24

25. Deniable Encryption

26. Deniable Encryption [CDNO97]
Anthony
Enc(PK, m= ,r) -> CT
Demands message and randomness!
Fake r’ where
Enc(PK, m= ,r’) -> CT
Best solutions attacker adv. 1/n, n~ size of pub key
Problematic for encrypting many messages 26

27. Publicly Deniable Encryption Anyone can explain!
Setup(n) -> PK,SK
Decrypt(SK,c) -> m
Encrypt(PK,m;u)-> c
Explain(PK,c,m;r) -> u’
Two security properties (implies standard deniable)
(1) IND-CPA Security
(2) Indistinguishability of Explanation
Single message game
Advantage of separation: Simpler proofs 27

28. Hidden Sparse Triggers
Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value
Explain(PK, C): Encoding of C in Hidden Trigger Set
Encrypt(PK,m;u): Checks if randomness in trigger set
If yes, decrypts encoding to CT; else does fresh encrypt
Randomness Space
Hidden triggers 28

29. An Attempt and Malleability Issues
Explain:
Malleability Attack!
Encrypt: 29

30. Our Deniable Encryption System
Explain:
Encrypt: 30

31. Proof Overview IND-CPA Proof: Simple proof; obfuscation not used
Explainability:
Encoding: Look like random string & non-malleable
Intricate multistep hybrid proof 31

32. Using Deployed Keys Receiver may: Already have established key
Be disinterested/uninterested in D.E.
Universal Deniable Encryption: D.E. to ordinary keys
One time (uncorrupted) trusted setup
Use to deniably encrypt to any PK
Takes Encryption function as input 32

33. Functional Encryption

34. Functional Encryption [SW05…]
Public Parameters
MSK
Authority
Functionality: Learn f(x); x is hidden
Collusion Resistance core to concept! (Like IBE)
Collusion Bounded & Applications:
SS10, PRV12, AGVW13, GKVPZ13
CT: x
Key: f SK X 34

35. An Application: Facial IdentificationSK 35

36. Tools Statistically Simulation Sound NIZKs
Statistically sound except for simulated statement
Build from WI proofs
Two Key Technique [NY90,S99] 36

37. Functional Encryption System [GGHRSW13]
Setup: Generate two keys pairs (PK1,SK1), (PK2,SK2) output CRS from NIZK setup
Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this
KeyGen(SK1,f): Obfuscate program
Decrypt(CT, SKf): Run obfuscated program on CT 37

38. Proof Overview
Challenge CT:
Keys: 38

39. Step 1
Challenge CT:
Keys:
NIZK security 39

40. Step 2
Challenge CT:
Keys:
IND-CPA security 40

41. Step 3
Challenge CT:
Keys:
IO security 41

42. Step 4
Challenge CT:
Keys:
IND-CPA security 42

43. Step 5
Challenge CT:
Keys:
IO security 43

44. Step 6
Challenge CT:
Keys:
NIZK security 44

45. Evolution of Functional Encryption
Sahai-Waters 2005: Introduction of Attribute-Based Encryption
GPSW 2006: Access Control (ABE) for any boolean formula
BW 2007, KSW08: “Predicate Encryption”; dot product functionality
Talks 2008: “Rebranded” as Functional Encryption , BSW11 reformalized (BSW11+O10 added simulation def.)
GGHSW13/GVW13: ABE for circuits
FE at 2013: Still Inner Product (& Applications)
Best we can do with bilinear maps
GGHRSW 2013: Functional Encryption for any circuit 45

46. Evolution of Functional Encryption
Obfuscation 46

47. Looking Forward

48. Explosion of Obfuscation
Late July: GGHRSW13, SW13 eprint
4 months later
Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]
Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]
Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]
Two-round secure MPC from Indistinguishability Obfuscation [GGSR]
Protecting Obfuscation Against Algebraic Attacks [BGKPS]
Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]
There is no Indistinguishability Obfuscation in Pessiland [MR]
On Extractability Obfuscation [BCP]
A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]
Separations in Circular Security for Arbitrary Length Key Cycles [RVW]
Obfuscation for Evasive Functions [BBCKPS]
Differing-Inputs Obfuscation and Applications [ABGSZ]
More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]
Multi-Input Functional Encryption [GGJS]
Functional Encryption for Randomized Functionalities[GJKS]
Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]
Multi-Input Functional Encryption [GKLSZ]
Obfuscation from Semantically-Secure Multi-linear Encodings [PTS] 48

49. My Probabilities I will make it to Weizmann in Dec. 38%
Indistinguishability Obfuscation from LWE-type assumption in 4 years
63%
Amit eprints an obfusction paper in next 2 months
95% 49

50. Thank you