Download presentation

Presentation is loading. Please wait.

1
**How to Use Indistinguishability Obfuscation**

Amit Sahai Brent Waters test

2
**Code Obfuscation Goal: Make program (maximally) unintelligible**

Obfuscator 2

3
**Applications! Demo or “need to know” software Software Patching**

Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, … 3

4
**Difficulty of Achieving Obfuscation**

Initial Functionalities: Point Functions [LPS04, …] and hyperplanes [CRV10] Explanation of existing functionality[OS05, HRSV07] Recent: General candidate [GGHRSW13] using multilinear maps [GGH13] What does this mean? 4

5
**Idealized Obfuscation**

Idea: Learn nothing more than with black box access vs. Natural for applications, building crypto Some (contrived) counter-examples [BGIRSVY 01] No broad candidate class of obfuscatable functionalities Generic group proofs [BR13,BGKPS13] 5

6
**Indistinguishability Obfuscation**

Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits a (b+c) vs. ab + ac Avoids negative results of [BGIRSVY01] What is it good for?

7
**Vision: IO as hub for cryptography**

Standard Assumption (e.g. LWE) Indistinguishabilty Obfuscation + OWFs This talk “Most” of cryptography 7

8
**How do we build public key encryption from Indistinguishability Obfuscation?**

9
**Punctured Programs Technique**

Remove key element of program: Attacker cannot win without it Does not change functionality Punctured PRF key: K{x*} eval PRF on all points, but x* Security: Cannot distinguish F(K,x*) and random given K{x*} Special case of constrained PRFs [BW13,BGI13,KPTZ13] Build from [GGM84] 9

10
**Initial Attempt Setup: Choose Punctured PRF key K, PK= obfuscation of**

Problems: (1) Program knows PRF at t* (2) If puncture out, will not be equivalent! 10

11
Simple PKE from iO Setup: Choose Punctured PRF key K, PK= obfuscation of Encrypt(m): Choose random r; input m,r into program Decrypt(K,CT=(c1,c2)): Decryption is fast = symmetric key 11

12
**Proof of Encryption Scheme**

Hyb 0: IND-CPA 12

13
**Proof of Encryption Scheme**

Hyb 0: IND-CPA PRG security Hyb 1: t* is random 13

14
**Proof of Encryption Scheme**

Hyb 0: IND-CPA PRG security Hyb 1: t* is random iO security Hyb 2: Use K{t*} 14

15
**Proof of Encryption Scheme**

Hyb 0: IND-CPA PRG security Hyb 1: t* is random iO security Hyb 2: Use K{t*} Punctured PRF security Hyb 3: Replace F(K,t*) w/ z* 15

16
A Very Simple CCA-KEM Setup: Choose Punctured PRF key K, PK= obfuscation of Encrypt: Choose random r, give as input Decrypt(K,c): 16

17
How about signatures?

18
Natural Candidate Setup: Choose Punctured PRF key K, VK= obfuscation of Works with heuristic, but how to prove?? 18

19
A Signature Scheme Setup: Choose Punctured PRF key K, VK= obfuscation of f is a OWF Sign(K,m): Verify(VK,m,s): Input m,s into verify program Signing is fast = symmetric key 19

20
**Proof of Signature Scheme**

Hyb 0: (Selective) Signature Security [GMR84] 20

21
**Proof of Signature Scheme**

Hyb 0: (Selective) Signature Security [GMR84] iO security Hyb 1: Punctured Program 21

22
**Proof of Signature Scheme**

Hyb 0: (Selective) Signature Security [GMR84] iO security Hyb 1: Punctured Program Punctured PRF security Hyb 2: z* random 22

23
**Other Core Primitives NIZKs[BDMP91] Sign x if x is in L**

Succinct proofs Semi Honest Oblivious Transfer[R81] Injective Trapdoor Functions Simple CCA secure KEM 23

24
**The rest of the talk Deniable Encryption**

(2) Functional Encryption [GGHRSW13] (3) Open Directions 24

25
Deniable Encryption

26
**Deniable Encryption [CDNO97]**

Anthony Enc(PK, m= ,r) -> CT Demands message and randomness! Fake r’ where Enc(PK, m= ,r’) -> CT Best solutions attacker adv. 1/n, n~ size of pub key Problematic for encrypting many messages 26

27
**Publicly Deniable Encryption Anyone can explain!**

Setup(n) -> PK,SK Decrypt(SK,c) -> m Encrypt(PK,m;u)-> c Explain(PK,c,m;r) -> u’ Two security properties (implies standard deniable) (1) IND-CPA Security (2) Indistinguishability of Explanation Single message game Advantage of separation: Simpler proofs 27

28
**Hidden Sparse Triggers**

Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value Explain(PK, C): Encoding of C in Hidden Trigger Set Encrypt(PK,m;u): Checks if randomness in trigger set If yes, decrypts encoding to CT; else does fresh encrypt Randomness Space Hidden triggers 28

29
**An Attempt and Malleability Issues**

Explain: Malleability Attack! Encrypt: 29

30
**Our Deniable Encryption System**

Explain: Encrypt: 30

31
**Proof Overview IND-CPA Proof: Simple proof; obfuscation not used**

Explainability: Encoding: Look like random string & non-malleable Intricate multistep hybrid proof 31

32
**Using Deployed Keys Receiver may: Already have established key**

Be disinterested/uninterested in D.E. Universal Deniable Encryption: D.E. to ordinary keys One time (uncorrupted) trusted setup Use to deniably encrypt to any PK Takes Encryption function as input 32

33
**Functional Encryption**

34
**Functional Encryption [SW05…]**

Public Parameters MSK Authority Functionality: Learn f(x); x is hidden Collusion Resistance core to concept! (Like IBE) Collusion Bounded & Applications: SS10, PRV12, AGVW13, GKVPZ13 CT: x Key: f SK X 34

35
**An Application: Facial Identification**

SK 35

36
**Tools Statistically Simulation Sound NIZKs**

Statistically sound except for simulated statement Build from WI proofs Two Key Technique [NY90,S99] 36

37
**Functional Encryption System [GGHRSW13]**

Setup: Generate two keys pairs (PK1,SK1), (PK2,SK2) output CRS from NIZK setup Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this KeyGen(SK1,f): Obfuscate program Decrypt(CT, SKf): Run obfuscated program on CT 37

38
Proof Overview Challenge CT: Keys: 38

39
Step 1 Challenge CT: Keys: NIZK security 39

40
Step 2 Challenge CT: Keys: IND-CPA security 40

41
Step 3 Challenge CT: Keys: IO security 41

42
Step 4 Challenge CT: Keys: IND-CPA security 42

43
Step 5 Challenge CT: Keys: IO security 43

44
Step 6 Challenge CT: Keys: NIZK security 44

45
**Evolution of Functional Encryption**

Sahai-Waters 2005: Introduction of Attribute-Based Encryption GPSW 2006: Access Control (ABE) for any boolean formula BW 2007, KSW08: “Predicate Encryption”; dot product functionality Talks 2008: “Rebranded” as Functional Encryption , BSW11 reformalized (BSW11+O10 added simulation def.) GGHSW13/GVW13: ABE for circuits FE at 2013: Still Inner Product (& Applications) Best we can do with bilinear maps GGHRSW 2013: Functional Encryption for any circuit 45

46
**Evolution of Functional Encryption**

Obfuscation 46

47
Looking Forward

48
**Explosion of Obfuscation**

Late July: GGHRSW13, SW13 eprint 4 months later Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW] Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV] Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR] Two-round secure MPC from Indistinguishability Obfuscation [GGSR] Protecting Obfuscation Against Algebraic Attacks [BGKPS] Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR] Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ] There is no Indistinguishability Obfuscation in Pessiland [MR] On Extractability Obfuscation [BCP] A Note on the Impossibility of Obfuscation with Auxiliary Input [GK] Separations in Circular Security for Arbitrary Length Key Cycles [RVW] Obfuscation for Evasive Functions [BBCKPS] Differing-Inputs Obfuscation and Applications [ABGSZ] More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR] Multi-Input Functional Encryption [GGJS] Functional Encryption for Randomized Functionalities[GJKS] Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS] Multi-Input Functional Encryption [GKLSZ] Obfuscation from Semantically-Secure Multi-linear Encodings [PTS] 48

49
**My Probabilities I will make it to Weizmann in Dec. 38%**

Indistinguishability Obfuscation from LWE-type assumption in 4 years 63% Amit eprints an obfusction paper in next 2 months 95% 49

50
Thank you

Similar presentations

OK

Introduction to Obfuscation Mohammad Mahmoody University of Virginia *some slides borrowed from abhi shelat.

Introduction to Obfuscation Mohammad Mahmoody University of Virginia *some slides borrowed from abhi shelat.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google