1
**How to Use Indistinguishability Obfuscation**

Amit Sahai, Brent Waters

2
**Code Obfuscation**

Goal: Make program (maximally) unintelligible

Obfuscator

3
**Applications!**

- Demo or “need to know” software
- Software Patching
- Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …

4
**Difficulty of Achieving Obfuscation**

- Initial Functionalities: Point Functions [LPS04, …] and hyperplanes [CRV10]
- Explanation of existing functionality [OS05, HRSV07]
- Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]
- What does this mean?

5
**Idealized Obfuscation**

- Idea: Learn nothing more than with black box access
- Natural for applications, building crypto
- Some (contrived) counter-examples [BGIRSVY01]
- No broad candidate class of obfuscatable functionalities
- Generic group proofs [BR13, BGKPS13]

6
**Indistinguishability Obfuscation**

- Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits
- a(b+c) vs. ab + ac
- Avoids negative results of [BGIRSVY01]
- What is it good for?

7
**Vision: IO as hub for cryptography**

- Standard Assumption (e.g. LWE)
- Indistinguishability Obfuscation + OWFs
- This talk
- “Most” of cryptography

8
**How do we build public key encryption from Indistinguishability Obfuscation?**

9
**Punctured Programs Technique**

- Remove key element of program:
- Attacker cannot win without it
- Does not change functionality
- Punctured PRF key: K{x*} eval PRF on all points, but x*
- Security: Cannot distinguish F(K,x*) and random given K{x*}
- Special case of constrained PRFs [BW13, BGI13, KPTZ13]
- Build from [GGM84]
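The puncturing described on this slide, built from a GGM-style tree, as an added example that is not code from the talk or the paper. HMAC-SHA256 stands in for the length-doubling PRG, and `N_BITS`, the function names and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac

N_BITS = 8  # input length in bits (small, constructed for the demo)

def prg(seed: bytes, bit: int) -> bytes:
    """One half of a length-doubling PRG G(s) = G_0(s) || G_1(s).
    HMAC-SHA256 is an assumed stand-in, not the talk's choice."""
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()

def bits(x: int) -> tuple:
    """Big-endian bit path of x through the GGM tree."""
    return tuple((x >> i) & 1 for i in reversed(range(N_BITS)))

def walk(node: bytes, path) -> bytes:
    """Descend from a tree node along the given bit path."""
    for b in path:
        node = prg(node, b)
    return node

def evaluate(key: bytes, x: int) -> bytes:
    """F(K, x): leaf reached from the root K along the bits of x."""
    return walk(key, bits(x))

def puncture(key: bytes, x_star: int) -> dict:
    """K{x*}: seeds of the siblings of every node on the path to x*."""
    seeds, node, prefix = {}, key, ()
    for b in bits(x_star):
        seeds[prefix + (1 - b,)] = prg(node, 1 - b)  # off-path sibling
        node = prg(node, b)                          # stay on the path
        prefix += (b,)
    return seeds

def evaluate_punctured(seeds: dict, x: int) -> bytes:
    """Evaluate with K{x*}; fails exactly at the punctured point."""
    path = bits(x)
    for i in range(1, N_BITS + 1):
        if path[:i] in seeds:  # first place x leaves the path to x*
            return walk(seeds[path[:i]], path[i:])
    raise ValueError("x is the punctured point; K{x*} cannot evaluate it")

if __name__ == "__main__":
    K = hashlib.sha256(b"constructed demo key").digest()
    x_star = 0b10110010
    K_punct = puncture(K, x_star)
    agree = all(evaluate_punctured(K_punct, x) == evaluate(K, x)
                for x in range(2 ** N_BITS) if x != x_star)
    print("agrees off x*:", agree, "| seeds in K{x*}:", len(K_punct))
```

The punctured key holds one seed per input bit, and none of them lies on the path to x*, which is why F(K,x*) stays pseudorandom to a holder of K{x*} as long as the PRG is secure.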

10
**Initial Attempt**

- Setup: Choose Punctured PRF key K, PK = obfuscation of
- Problems:
- (1) Program knows PRF at t*
- (2) If puncture out, will not be equivalent!

11
**Simple PKE from iO**

- Setup: Choose Punctured PRF key K, PK = obfuscation of
- Encrypt(m): Choose random r; input m,r into program
- Decrypt(K,CT=(c1,c2)):
- Decryption is fast = symmetric key

12
**Proof of Encryption Scheme**

- Hyb 0: IND-CPA

13
**Proof of Encryption Scheme**

- Hyb 0: IND-CPA
- PRG security
- Hyb 1: t* is random

14
**Proof of Encryption Scheme**

- Hyb 0: IND-CPA
- PRG security
- Hyb 1: t* is random
- iO security
- Hyb 2: Use K{t*}

15
**Proof of Encryption Scheme**

- Hyb 0: IND-CPA
- PRG security
- Hyb 1: t* is random
- iO security
- Hyb 2: Use K{t*}
- Punctured PRF security
- Hyb 3: Replace F(K,t*) w/ z*

16
**A Very Simple CCA-KEM**

- Setup: Choose Punctured PRF key K, PK = obfuscation of
- Encrypt: Choose random r, give as input
- Decrypt(K,c):

17
How about signatures?

18
**Natural Candidate**

- Setup: Choose Punctured PRF key K, VK = obfuscation of
- Works with heuristic, but how to prove??

19
**A Signature Scheme**

- Setup: Choose Punctured PRF key K, VK = obfuscation of
- f is a OWF
- Sign(K,m):
- Verify(VK,m,s): Input m,s into verify program
- Signing is fast = symmetric key

20
**Proof of Signature Scheme**

- Hyb 0: (Selective) Signature Security [GMR84]

21
**Proof of Signature Scheme**

- Hyb 0: (Selective) Signature Security [GMR84]
- iO security
- Hyb 1: Punctured Program

22
**Proof of Signature Scheme**

- Hyb 0: (Selective) Signature Security [GMR84]
- iO security
- Hyb 1: Punctured Program
- Punctured PRF security
- Hyb 2: z* random

23
**Other Core Primitives**

- NIZKs [BDMP91]
- Sign x if x is in L
- Succinct proofs
- Semi Honest Oblivious Transfer [R81]
- Injective Trapdoor Functions
- Simple CCA secure KEM

24
**The rest of the talk**

- (1) Deniable Encryption
- (2) Functional Encryption [GGHRSW13]
- (3) Open Directions

25
Deniable Encryption

26
**Deniable Encryption [CDNO97]**

- Anthony
- Enc(PK, m= ,r) -> CT
- Demands message and randomness!
- Fake r’ where Enc(PK, m= ,r’) -> CT
- Best solutions: attacker adv. 1/n, n ~ size of pub key
- Problematic for encrypting many messages

27
**Publicly Deniable Encryption**

- Anyone can explain!
- Setup(n) -> PK,SK
- Decrypt(SK,c) -> m
- Encrypt(PK,m;u) -> c
- Explain(PK,c,m;r) -> u’
- Two security properties (implies standard deniable):
- (1) IND-CPA Security
- (2) Indistinguishability of Explanation
- Single message game
- Advantage of separation: Simpler proofs

28
**Hidden Sparse Triggers**

- Idea: A negligible fraction of the randomness space are “trigger values” that cause a bypass of normal encryption to a specific value
- Explain(PK, C): Encoding of C in Hidden Trigger Set
- Encrypt(PK,m;u): Checks if randomness is in trigger set. If yes, decrypts encoding to CT; else does fresh encrypt
- Figure labels: Randomness Space, Hidden triggers

29
**An Attempt and Malleability Issues**

- Explain:
- Malleability Attack!
- Encrypt:

30
**Our Deniable Encryption System**

- Explain:
- Encrypt:

31
**Proof Overview**

- IND-CPA Proof: Simple proof; obfuscation not used
- Explainability:
- Encoding: Look like random string & non-malleable
- Intricate multistep hybrid proof

32
**Using Deployed Keys**

- Receiver may:
  - Already have established key
  - Be disinterested/uninterested in D.E.
- Universal Deniable Encryption: D.E. to ordinary keys
- One time (uncorrupted) trusted setup
- Use to deniably encrypt to any PK
- Takes Encryption function as input

33
**Functional Encryption**

34
**Functional Encryption [SW05…]**

- Public Parameters
- MSK
- Authority
- Functionality: Learn f(x); x is hidden
- Collusion Resistance core to concept! (Like IBE)
- Collusion Bounded & Applications: SS10, PRV12, AGVW13, GKVPZ13
- CT: x
- Key: f
- SK
- X

35
**An Application: Facial Identification**

SK

36
**Tools**

- Statistically Simulation Sound NIZKs
- Statistically sound except for simulated statement
- Build from WI proofs
- Two Key Technique [NY90, S99]

37
**Functional Encryption System [GGHRSW13]**

- Setup: Generate two key pairs (PK1,SK1), (PK2,SK2); output CRS from NIZK setup
- Encrypt(PP,m): Encrypt m under each of PK1, PK2; generate proof p of this
- KeyGen(SK1,f): Obfuscate program
- Decrypt(CT, SKf): Run obfuscated program on CT

38
**Proof Overview**

- Challenge CT:
- Keys:

39
**Step 1**

- Challenge CT:
- Keys:
- NIZK security

40
**Step 2**

- Challenge CT:
- Keys:
- IND-CPA security

41
**Step 3**

- Challenge CT:
- Keys:
- IO security

42
**Step 4**

- Challenge CT:
- Keys:
- IND-CPA security

43
**Step 5**

- Challenge CT:
- Keys:
- IO security

44
**Step 6**

- Challenge CT:
- Keys:
- NIZK security

45
**Evolution of Functional Encryption**

- Sahai-Waters 2005: Introduction of Attribute-Based Encryption
- GPSW 2006: Access Control (ABE) for any boolean formula
- BW 2007, KSW08: “Predicate Encryption”; dot product functionality
- Talks 2008: “Rebranded” as Functional Encryption, BSW11 reformalized (BSW11+O10 added simulation def.)
- GGHSW13/GVW13: ABE for circuits
- FE at 2013: Still Inner Product (& Applications)
- Best we can do with bilinear maps
- GGHRSW 2013: Functional Encryption for any circuit

46
**Evolution of Functional Encryption**

Obfuscation

47
Looking Forward

48
**Explosion of Obfuscation**

- Late July: GGHRSW13, SW13 eprint
- 4 months later:
- Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]
- Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]
- Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]
- Two-round secure MPC from Indistinguishability Obfuscation [GGSR]
- Protecting Obfuscation Against Algebraic Attacks [BGKPS]
- Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]
- Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]
- There is no Indistinguishability Obfuscation in Pessiland [MR]
- On Extractability Obfuscation [BCP]
- A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]
- Separations in Circular Security for Arbitrary Length Key Cycles [RVW]
- Obfuscation for Evasive Functions [BBCKPS]
- Differing-Inputs Obfuscation and Applications [ABGSZ]
- More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]
- Multi-Input Functional Encryption [GGJS]
- Functional Encryption for Randomized Functionalities [GJKS]
- Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]
- Multi-Input Functional Encryption [GKLSZ]
- Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]

49
**My Probabilities**

- I will make it to Weizmann in Dec.: 38%
- Indistinguishability Obfuscation from LWE-type assumption in 4 years: 63%
- Amit eprints an obfuscation paper in next 2 months: 95%

50
Thank you
