Presentation is loading. Please wait.

Presentation is loading. Please wait.

Brent WatersAmit Sahai How to Use Indistinguishability Obfuscation.

Similar presentations


Presentation on theme: "Brent WatersAmit Sahai How to Use Indistinguishability Obfuscation."— Presentation transcript:

1 Brent WatersAmit Sahai How to Use Indistinguishability Obfuscation

2 2 Code Obfuscation Goal: Make program (maximally) unintelligible Obfuscator

3 3 Applications! Demo or “need to know” software Software Patching Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …

4 4 Difficulty of Achieving Obfuscation Recent: General candidate [GGHRSW13] using multilinear maps [GGH13] Initial Functionalities: Point Functions [LPS04, …] and hyperplanes [CRV10] Explanation of existing functionality [OS05, HRSV07] What does this mean?

5 Some (contrived) counter-examples [BGIRSVY 01] vs. 5 Idealized Obfuscation Natural for applications, building crypto Idea: Learn nothing more than with black box access No broad candidate class of obfuscatable functionalities Generic group proofs [BR13,BGKPS13]

6 What is it good for? Indistinguishability Obfuscation Avoids negative results of [BGIRSVY01] Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits a (b+c) vs. ab + ac

7 7 Vision: IO as hub for cryptography Indistinguishabilty Obfuscation Standard Assumption (e.g. LWE) “Most” of cryptography This talk + OWFs

8 How do we build public key encryption from Indistinguishability Obfuscation?

9 9 Punctured Programs Technique Punctured PRF key: K{x*} eval PRF on all points, but x* Remove key element of program: Attacker cannot win without it Does not change functionality Special case of constrained PRFs [BW13,BGI13,KPTZ13] Build from [GGM84] Security: Cannot distinguish F(K,x*) and random given K{x*}

10 10 Initial Attempt Problems: (1) Program knows PRF at t* (2) If puncture out, will not be equivalent! Setup: Choose Punctured PRF key K, PK= obfuscation of

11 11 Simple PKE from iO Setup: Choose Punctured PRF key K, PK= obfuscation of Encrypt(m): Choose random r; input m,r into program Decrypt(K,CT=(c1,c2)): Decryption is fast = symmetric key

12 12 Proof of Encryption Scheme Hyb 0: IND-CPA

13 13 Proof of Encryption Scheme Hyb 0: IND-CPA Hyb 1: t* is random PRG security

14 14 Proof of Encryption Scheme Hyb 0: IND-CPA Hyb 1: t* is random PRG security Hyb 2: Use K{t*} iO security

15 15 Proof of Encryption Scheme Hyb 0: IND-CPA Hyb 1: t* is random PRG security Hyb 2: Use K{t*} iO security Hyb 3: Replace F(K,t*) w/ z* Punctured PRF security

16 16 A Very Simple CCA-KEM Setup: Choose Punctured PRF key K, PK= obfuscation of Encrypt: Choose random r, give as input Decrypt(K,c):

17 How about signatures?

18 18 Natural Candidate Setup: Choose Punctured PRF key K, VK= obfuscation of Works with heuristic, but how to prove??

19 19 A Signature Scheme Setup: Choose Punctured PRF key K, VK= obfuscation of Verify(VK,m,s): Input m,s into verify program Sign(K,m): Signing is fast = symmetric key f is a OWF

20 20 Proof of Signature Scheme Hyb 0: (Selective) Signature Security [GMR84]

21 21 Proof of Signature Scheme Hyb 0: (Selective) Signature Security [GMR84] Hyb 1: Punctured Program iO security

22 22 Proof of Signature Scheme Hyb 0: (Selective) Signature Security [GMR84] Hyb 1: Punctured Program Hyb 2: z* random iO security Punctured PRF security

23 23 Other Core Primitives NIZKs [BDMP91] Sign x if x is in L Succinct proofs Semi Honest Oblivious Transfer [R81] Injective Trapdoor Functions Simple CCA secure KEM

24 24 The rest of the talk (1)Deniable Encryption (2) Functional Encryption [GGHRSW13] (3) Open Directions

25 Deniable Encryption

26 26 Deniable Encryption [CDNO97] Enc(PK, m=,r) -> CT Demands message and randomness! Fake r’ where Enc(PK, m=,r’) -> CT Anthony Best solutions attacker adv. 1/n, n~ size of pub key Problematic for encrypting many messages

27 27 Publicly Deniable Encryption Anyone can explain! Setup(n) -> PK,SK Encrypt(PK,m;u)-> c Decrypt(SK,c) -> m Explain(PK,c,m;r) -> u’ (1) IND-CPA Security (2) Indistinguishability of Explanation Two security properties (implies standard deniable) Advantage of separation: Simpler proofs Single message game

28 28 Hidden Sparse Triggers Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value Explain(PK, C): Encoding of C in Hidden Trigger Set Encrypt(PK,m;u): Checks if randomness in trigger set If yes, decrypts encoding to CT; else does fresh encrypt Hidden triggers Randomness Space

29 29 An Attempt and Malleability Issues Encrypt: Explain: Malleability Attack!

30 30 Our Deniable Encryption System Encrypt: Explain:

31 31 Proof Overview IND-CPA Proof: Simple proof; obfuscation not used Explainability: Encoding: Look like random string & non-malleable Intricate multistep hybrid proof

32 32 Using Deployed Keys Receiver may: Already have established key Be disinterested/uninterested in D.E. Universal Deniable Encryption: D.E. to ordinary keys One time (uncorrupted) trusted setup Use to deniably encrypt to any PK Takes Encryption function as input

33 Functional Encryption

34 34 Functional Encryption [SW05…] Public Parameters Authority MSK Key: f SK CT: x Functionality: Learn f(x); x is hidden Collusion Bounded & Applications: SS10, PRV12, AGVW13, GKVPZ13 X Collusion Resistance core to concept! (Like IBE)

35 35 An Application: Facial Identification SK

36 36 Tools Statistically Simulation Sound NIZKs Statistically sound except for simulated statement Build from WI proofs Two Key Technique [NY90,S99]

37 37 Functional Encryption System [GGHRSW13] Setup: Generate two keys pairs (PK1,SK1), (PK2,SK2) output CRS from NIZK setup Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this KeyGen(SK1,f): Obfuscate program Decrypt(CT, SKf): Run obfuscated program on CT

38 38 Proof Overview Challenge CT: Keys:

39 39 Step 1 Challenge CT: Keys: NIZK security

40 40 Step 2 Challenge CT: Keys: IND-CPA security

41 41 Step 3 Challenge CT: Keys: IO security

42 42 Step 4 Challenge CT: Keys: IND-CPA security

43 43 Step 5 Challenge CT: Keys: IO security

44 44 Step 6 Challenge CT: Keys: NIZK security

45 GGHRSW 2013: Functional Encryption for any circuit 45 Evolution of Functional Encryption Sahai-Waters 2005: Introduction of Attribute-Based Encryption GPSW 2006: Access Control (ABE) for any boolean formula BW 2007, KSW08: “Predicate Encryption”; dot product functionality Talks 2008: “Rebranded” as Functional Encryption, BSW11 reformalized (BSW11+O10 added simulation def.) FE at 2013: Still Inner Product (& Applications) Best we can do with bilinear maps GGHSW13/GVW13: ABE for circuits

46 46 Evolution of Functional Encryption Obfuscation

47 Looking Forward

48 48 Explosion of Obfuscation Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW] Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV] Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR] Two-round secure MPC from Indistinguishability Obfuscation [GGSR] Protecting Obfuscation Against Algebraic Attacks [BGKPS] Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR] Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ] There is no Indistinguishability Obfuscation in Pessiland [MR] On Extractability Obfuscation [BCP] A Note on the Impossibility of Obfuscation with Auxiliary Input [GK] Separations in Circular Security for Arbitrary Length Key Cycles [RVW] Obfuscation for Evasive Functions [BBCKPS] Differing-Inputs Obfuscation and Applications [ABGSZ] More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR] Multi-Input Functional Encryption [GGJS] Functional Encryption for Randomized Functionalities[GJKS] Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS] Multi-Input Functional Encryption [GKLSZ] Obfuscation from Semantically-Secure Multi-linear Encodings [PTS] Late July: GGHRSW13, SW13 eprint 4 months later

49 95% 49 My Probabilities I will make it to Weizmann in Dec. 38% Indistinguishability Obfuscation from LWE-type assumption in 4 years Amit eprints an obfusction paper in next 2 months 63%

50 50 Thank you


Download ppt "Brent WatersAmit Sahai How to Use Indistinguishability Obfuscation."

Similar presentations


Ads by Google