Multilinear Maps and Obfuscation
A Survey of Recent Results
Shai Halevi – IBM Research
PKC 2014
Prologue
 We are in the midst of (yet another) “quantum
leap” in our cryptographic capabilities
 Things that were science fiction just two years
ago are now plausible
 General-purpose functional encryption
 Crypto-strength code obfuscation
…
 Fueled by new powerful building blocks
 Combination of Homomorphic Encryption (HE) and
Cryptographic Multilinear Maps (MMAPs)
This Talk
 Overview of the main new tool
 Constructing MMAPs using “HE techniques”
 And application to obfuscation
 There are many others
 Witness Encryption
 Full-Domain Hash
 Functional Encryption
not
today
…
Chapter One: Multilinear Maps
Starting Point: DL-based Crypto
 “The DDH assumption is a gold mine”
-- Boneh ‘98
 Why is it so useful?
 Can “hide” values 𝑎𝑖 in 𝑔𝑎𝑖
 Some tasks are still easy in this representation
 Compute any linear/affine function of the 𝑎𝑖 ’s
 Check if 𝑎𝑖 = 0
 Other tasks are seemingly hard
 E.g., computing/checking quadratic functions (CDH/DDH)
Starting Point: DL-based Crypto
 To use DH in applications, ensure that:
 legitimate parties only compute linear functions
 adversary needs to compute/check quadratics
 Some examples:
 Diffie-Hellman key exchange, ElGamal Encryption,
Cramer-Shoup CCA-Secure Encryption,
Naor-Reingold PRF, Efficient ZKPs, …
Beyond DDH: Bilinear Maps
[J00,SOK00,BF01]
 In bilinear-map groups you can compute
quadratic functions in the exponent
 But computing/checking cubics is hard
 Now the legitimate parties can do a lot more
 Leads to new capabilities
 Identity-based encryption (IBE)
 Predicate encryption (for simple predicates)
 Efficient non-interactive zero-knowledge proofs
…
Why Stop at Two?
 Can we find groups that would let us compute
cubics but not 4th powers?
 Or in general, upto degree 𝑘 but no more?
 Cryptographic multilinear maps (MMAPs)
 Even more useful than bilinear
 [BS’03] explored applications of MMAPs
 Also argued that they are unlikely to be constructed
similarly to bilinear maps
The [GGH’13] Approach to MMAPs
 Construct MMAPs from “HE techniques”
 By modifying the an existing HE scheme
 Recall “somewhat homomorphic” enc.(SWHE)
 Public-key encryption with usual (KeyGen,Enc,Dec)
 An additional procedure 𝑐 ′ ← Eval𝑝𝑘 (𝑃, 𝑐)
 𝑐 = (𝑐1 , … , 𝑐𝑡 ) encrypts 𝑎 = (𝑎1 , … , 𝑎𝑡 )

P is a low-degree polynomial
 𝑐 ′ encrypts 𝑎′ = 𝑃(𝑎)
 This looks a little like what we want
MMAPs vs. SWHE
MMAPs
SWHE
 “Encoding” 𝑒𝑎 = 𝑔𝑎
 Encrypting c𝑎 = E(𝑎)
Computing low-deg
polynomials of the 𝑒𝑎 ’s
is easy
Computing low-deg
polynomials of the 𝑐𝑎 ’s
is easy
Can test for zero
 Cannot test anything
• But if you have skey you
can recover 𝑎 itself
Main Ingredient: Testing for Zero
 To be useful, must be able to test if two
degree-𝑘 expressions are equal
 Using homomorphism, that’s the same as testing if a
degree-𝑘 expression equals zero
 Our approach: augment a SWHE scheme
with a “handicapped” secret key
 Can test if a ciphertext decrypts to zero, but cannot
decrypt arbitrary cipehrtexts
 Assuming that the plaintext-space is large
 Called a “zero-test parameter”
Bird-Eye View of [GGH’13]
 Start from the NTRU HE scheme
 NTRU ciphertexts naturally come in “levels”
 A level-𝑑 cipehrtext encrypts degree-𝑑 expression
 Modify NTRU to obscure the plaintext space
 Instead of 𝑅/3𝑅 we use 𝑅/𝑔𝑅 for a secret 𝑔
 Needed for security when publishing the “handicapped
secret key”
 Publish a “shifted” level-𝑘 secret key
 Can identify level-𝑘 encryption of zero, not decrypt
 Another scheme along similar lines in [CLT’13]
Graded Encoding Schemes
 Instance generation: 𝑝𝑝, 𝑠𝑝 ← 𝐼𝐺𝐸𝑁(1𝜆 , 1𝑘 )
 Plaintext space implicit in 𝑝𝑝, isomorphic to some 𝑍𝑝
 Secret-key encoding: 𝑒𝑎 ← 𝑆𝐸𝑛𝑐(𝑠𝑝, 𝑎, 𝑖)
 𝑒𝑎 is a level-𝑖 encoding of 𝑎
 𝑆𝐸𝑛𝑐 is randomized
 Addition and multiplication
 𝑒𝑎+𝑏 ← 𝑒𝑎 ⊞ 𝑒𝑏 , 𝑙𝑣𝑙 𝑒𝑎+𝑏 = max 𝑙𝑣𝑙 𝑒𝑎 , 𝑙𝑣𝑙 𝑒𝑏
 𝑒𝑎⋅𝑏 ← 𝑒𝑎 ⊠ 𝑒𝑏 , 𝑙𝑣𝑙 𝑒𝑎⋅𝑏 = 𝑙𝑣𝑙 𝑒𝑎 + 𝑙𝑣𝑙 𝑒𝑏
 Zero-Test: use 𝑝𝑝 to check if a level-𝑘
encoding 𝑒 encodes 0
Some Variants
 Optional public encoding: (𝑎, 𝑒𝑎 ) ← P𝐸𝑛𝑐(p𝑝)
 𝑎 is uniform, 𝑒𝑎 is a level-1 encoding of 𝑎
 Optional re-randomize: 𝑒𝑎′ ← 𝑅𝑒𝑅𝑎𝑛𝑑(𝑝𝑝, 𝑒𝑎 )
 𝑒𝑎′ , 𝑒𝑎 encode the same element
 Distribution of 𝑒𝑎′ depends on 𝑎, but not on 𝑒𝑎
 Some instantiations come with security vulnerabilities
 An “asymmetric” variant
 Instead of levels 1,2, … , 𝑘, encodings associated with
subsets of 𝑘 = {1,2, … , 𝑘}
 Can only multiply encodings relative to disjoint subsets
 Zero-test for encodings relative to 𝑘 itself
Hardness Assumptions
 An “über-assumption” for graded-encodings:
 For any collection of encodings 𝑒1 , … , 𝑒𝑡 (at any level)
 𝑒𝑖 is an encoding of some plaintext 𝑎𝑖
and polynomial 𝑃(𝑥1 , … , 𝑥𝑡 ) of degree > 𝑘
 Computation: Hard to compute a level-≤ 𝑘 encoding
of 𝑃(𝑎1 , … , 𝑎𝑡 ) when the 𝑎𝑖 are uniform
 Decision: Hard to distinguish if the 𝑎𝑖 are uniform,
or chosen as a random root of 𝑃
 An even more general assumption in [PST’14]
 Dubbed “Semantically-Secure Graded Encodings”
A Few Words About Performance
 Currently mostly a plausibility argument
 “Somewhat practical” multilinearity for a small constant
 Best reported implementation in [CLT’13]
 6-linear scheme with 𝑝𝑝 size ~ 2.5 GB, operations in
less than one minute
 Quite aggressive choice of the security parameter
 Main road-block: obscured plaintext space
 Rules out all the optimizations that we have for FHE
 Leaves us with something similar to Gentry’s original
2009 scheme
Take-Home from Chapter One
 MMAPs are similar to DL-based crypto
 Can compute “in the exponent” polynomials of deg ≤ 𝑘
 But not degree 𝑘 + 1 or more
 Can be devised using “HE techniques”
 One difference: need sk to “exponentiate”
 There are variants without this limitation, but they have
other shortcoming
Chapter Two: Obfuscation
Code Obfuscation
 Encrypting programs, maintaining functionality
 Only the functionality should be “visible” in the output
 Example of recreational obfuscation:
@P=split//,".URRUU\c8R";@d=split//,"\nrekcah xinU /
lreP rehtona tsuJ";sub p{
@p{"r$p","u$p"}=(P,P);pipe"r$p","u$p";++$p;($q*=2)+
=$f=!fork;map{$P=$P[$f^ord ($p{$_})&6];$p{$_}=/
^$P/ix?$P:close$_}keys%p}p;p;p;p;p;map{$p{$_}=~/^[P
.]/&& close$_}%p;wait
until$?;map{/^r/&&<$_>}%p;$_=$d[$q];sleep
rand(2)if/\S/;print
-- Wikipedia, accessed Oct-2013
 Rigorous treatment [Hada’00, BGIRSVY’01,…]
Why Obfuscation?
 Hiding secrets in software
Plaintext
strutpatent.com
 AES encryption
Ciphertext
Why Obfuscation?
 Hiding secrets in software
Plaintext
@P=split//,".URRUU\c8R";@d=split//,"\nrekcah
xinU / lreP rehtona tsuJ";sub p{
@p{"r$p","u$p"}=(P,P);pipe"r$p","u$p";++$p;($q*
=2)+=$f=!fork;map{$P=$P[$f^ord
($p{$_})&6];$p{$_}=/
^$P/ix?$P:close$_}keys%p}p;p;p;p;p;map{$p{$_}=
~/^[P.]/&& close$_}%p;wait
until$?;map{/^r/&&<$_>}%p;$_=$d[$q];sleep
rand(2)if/\S/;print
Ciphertext
 AES encryption  Public-key encryption
Why Obfuscation?
 Hiding secrets in software
http://www.arco-iris.com/George/images/game_of_go.jpg
Game of Go
Next
move
 Uploading my expertise to the web
Why Obfuscation?
 Hiding secrets in software
Game of Go
@P=split//,".URRUU\c8R";@d=split//,"\nrekcah xinU /
lreP rehtona tsuJ";sub p{
@p{"r$p","u$p"}=(P,P);pipe"r$p","u$p";++$p;($q*=2)+=$
f=!fork;map{$P=$P[$f^ord ($p{$_})&6];$p{$_}=/
^$P/ix?$P:close$_}keys%p}p;p;p;p;p;map{$p{$_}=~/^[P.]/
&& close$_}%p;wait
until$?;map{/^r/&&<$_>}%p;$_=$d[$q];sleep
rand(2)if/\S/;print
Next
move
 Uploading my expertise to the web
without revealing my strategies
Defining Obfuscation
 Want the output to reveal only functionality
 E.g., If prog. depends on secrets that are not readily
apparent in I/O, then the encrypted program does not
reveal these secrets
 [B+01] show that this is impossible in general
 Thm: If secure encryption exists, then there are secure
encryption schemes for which it is possible to recover
the secret key from any program that encrypts.
 Such encryption schemes are unobfuscatable
Defining Obfuscation
 Okay, some function are bad, but can we do
“as well as possible” on every given function?
 [B+01] suggested the weaker notion of
“indistinguishability obfuscation” (iO)
 Gives the “best-possible” guarantee [GR07]
 It turns out to suffice for many applications (examples
in [GGH+13, SW13,…])
Defining Obfuscation [B+01]
 An efficient public procedure OBF(*)
 Takes as input a program 𝐶
 E.g., encoded as a circuit
 Produce as output another program 𝐶′
 𝐶′ computes the same function as 𝐶
 𝐶′ at most polynomially larger than 𝐶
 Indistinguishability-Obfuscation (iO)
 If 𝐶1 , 𝐶2 compute the same function (and |𝐶1 | = |𝐶2 |),
then 𝑂𝐵𝐹 𝐶1 ≈ 𝑂𝐵𝐹 𝐶2
Obfuscation vs. HE
F
Encryption
F
+
x
F
Obfuscation
or
x
 F(x)
Result encrypted
F
+
x
 F(x)
Result in the clear
 Somewhat reminiscent of MMAPs vs. HE…
Obfuscation from MMAPs, 1st Try
 MMAPs give us one function that we can get
in the clear: equality-to-zero (at level 𝑘)
 Can we build on it to get more functions?
 Consider the “universal circuit”
′
𝒏
 𝑼: 𝟎, 𝟏
× 𝟎, 𝟏 𝒏 → 𝟎, 𝟏 , 𝑼 𝑪, 𝒙 = 𝑪(𝒙)
 Encode the bits of 𝐶 at level 1
 For 𝑥, provide level-1 encoding of both 0 and 1
 Carry out the computation “in the exponent”
 Use zero-test to check if the result is zero
1st Try Does Not Work
 Attack: comparing intermediate values
 Checking if two intermediate wires carry same value
 Checking if the computation on two different inputs
yield the same value on some intermediate wire
 If two equal intermediate values ever happen,
they can be recognized using zero-test
 Must randomize all intermediate values in all
the computations
 But such that the final result can still be recognized
Construction Outline
 Describe Circuits as Branching Programs
(BPs) using Barrington’s theorem [B86]
 Randomized BPs (RBPs) a-la-Kilian [K88]
 Additional randomization to counter “simple relations”
 Encode RBPs “in the exponent” using MMAPs
 Use zero-test to get the output
 This allows obfuscating shallow circuits (NC1)
 Another transformation (using FHE) to get all circuits
(Oblivious) Branching Programs
 A specific way of describing a function
 This length-9 BP has 4-bit inputs
A1,0 A2,0 A3,0 A4,0 A5,0 A6,0 A7,0 A8,0 A9,0
A1,1 A2,1 A3,1 A4,1 A5,1 A6,1 A7,1 A8,1 A9,1
0
The 𝐴𝑖,𝑏 ’s are square matrices
Each position 𝑖 is controlled by one input bit
(Oblivious) Branching Programs
 A specific way of describing a function
 This length-9 BP has 4-bit inputs
A1,0 A2,0 A3,0 A4,0 A5,0 A6,0 A7,0 A8,0 A9,0
A1,1 A2,1 A3,1 A4,1 A5,1 A6,1 A7,1 A8,1 A9,1
0 1
(Oblivious) Branching Programs
 A specific way of describing a function
 This length-9 BP has 4-bit inputs
A1,0 A2,0 A3,0 A4,0 A5,0 A6,0 A7,0 A8,0 A9,0
A1,1 A2,1 A3,1 A4,1 A5,1 A6,1 A7,1 A8,1 A9,1
0 1 1 0
 Multiply the chosen 9 matrices together
 If product is 𝐼 output 1. Otherwise output 0.
(Oblivious) Branching Programs
 A specific way of describing a function
 Length-𝑚 BP with 𝑛-bit input is a sequence
𝑗1 , 𝐴1,0 , 𝐴1,1 , 𝑗2 , 𝐴2,0 , 𝐴2,1 , … , (𝑗𝑚 , 𝐴𝑚,0 , 𝐴𝑚,1 )
 𝑗𝑖 ∈ {1, … , 𝑛} are indexes, 𝐴𝑖,𝑏 ’s are matrices
 Input 𝑥 = (𝑥1 , … , 𝑥𝑛 ) chooses matrices 𝐴𝑖,𝑥𝑗
 Compute the product 𝑃𝑥 =
𝑚
𝑖=1 𝐴𝑖,𝑥𝑗𝑖
𝑖
 𝐹 𝑥 = 1 if 𝑃𝑥 = 𝐼, else 𝐹 𝑥 = 0
 Barrington’s Theorem [B86]: Poly-length BPs
can compute any function in NC1
Kilian’s Randomized BPs
B1,0
A1,0
𝑅1
A1,1
B1,1
𝑅1−1
B2,0
B3,0
B4,0
B5,0
A2,0
A3,0
A4,0
A5,0
𝑅2
𝑅2−1
𝑅3
𝑅3−1
𝑅4
𝑅4−1
B6,0
𝑅5
A2,1
A3,1
A4,1
A5,1
B2,1
B3,1
B4,1
B5,1
𝑅5−1
A6,0
A6,1
B6,1
 Choose random invertible matrices 𝑅𝑖
−1
 𝐵𝑖,𝜎 = 𝑅𝑖−1
× 𝐴𝑖,𝜎 × 𝑅𝑖 (with 𝑅0 = 𝑅𝑚+1 = 𝐼)
 Multiplying the B𝑖,𝜎 ’s yields the same product
as multiplying the corresponding A𝑖,𝜎 ’s
Kilian’s Randomized BPs
B1,0
A1,0
𝑅1
A1,1
B1,1
𝑅1−1
B2,0
B3,0
B4,0
B5,0
A2,0
A3,0
A4,0
A5,0
𝑅2
𝑅2−1
𝑅3
𝑅3−1
𝑅4
𝑅4−1
B6,0
𝑅5
A2,1
A3,1
A4,1
A5,1
B2,1
B3,1
B4,1
B5,1
 Each sequence of B𝑖,𝜎 ’s (𝑖 = 1 … 𝑚) is
uniformly random subject to having same
product as A𝑖,𝜎 ’s
𝑅5−1
A6,0
A6,1
B6,1
Kilian’s ProtocolBP-Obfuscation?
 Encode RBP for 𝑈(𝐶, 𝑥) with the 𝐶 part fixed
 Publish only one 𝐵𝑖,𝜎 for the bits of 𝐶, both 𝐵𝑖,𝜎 ’s for 𝑥
 Can evaluates 𝑈(𝐶, 𝑥) for any 𝑥.
 “Simple relations” exist between the 𝐵𝑖,𝜎 ’s
 Since we give both 𝐵𝑖,𝜎 ’s for some 𝑖’s
 Enable some attacks
 “Partial-evaluation” attacks: Compare partial products
across different evaluations
 “Mixed-Input” attacks: Compute products that do not
respect the BP structure
Countering “Simple Relations”
 Additional randomization steps
 Different works use slightly different forms of
additional randomization
 “Multiplicative bundling” [GGHRHS’13, BR’13]
 “Straddling” [BGKPS’13, PTS’14]
 “Abelian component” [CV’13]
 Can conjecture [GGHRHS’13, BR’13] or prove
[BGKPS’13, CV’13, PTS’14] that no simple
relations exist
Completing the construction
 Put randomized matrices “in the exponent”
 Set multi-linearity parameter to 𝑚
 Encode all elements at level 1
 Publish one matrix for the bits of 𝐶, both for 𝑥
 To compute 𝐶(𝑥)
 Choose the encoded matrices corresponding to 𝑥
 Multiply matrices “in the exponent” using ⊞,⊠
 Use zero-test to check if the result is the identity
Security of Obfuscation
 No polynomial relation of degree ≤ 𝑚,
except those that involve the output matrix
 Output relations are the same when we obfuscate two
circuits with identical functionality
 By (generalized) über-assumption, the
two distributions over encodings are
indistinguishable
 Mission Accomplished
A Word About Performance
 Needs 𝑚-linear maps for 𝑚 in the thousands
 Need I say more?
Take-Home from Chapter Two
 We can obfuscate a computation by:
1. Randomizing the internal values
2. Putting the randomized values “in the
exponent” and computing on them using
MMAPs
Future Directions
 We only have two MMAPs candidates, and just
one approach for using them in obfuscation
 Hard to develop a theory from so few sample points
 We need better formal notions of obfuscation
 Current notions (such as iO) do not capture our intuition,
not even for what the current constructions achieve
 Faster constructions
 Complexity of current constructions is scary
 Applications
 Already have a bunch, the sky is the limit…
Thank You
Questions?
Witness Encryption [GGSW’13]
 A truly “keyless encryption”
 Can encrypt relative to any arbitrary “riddle”
 Defined here relative to exact-cover (XC)
 XC is NP-complete, so we can translate any “riddle” to it
Recall Exact Cover
 Instance: universe [𝑘] and a collection of
subsets 𝑆𝑖 ⊂ [𝑘], 𝑖 = 1, … , 𝑚
1
2
{1,2,3}
{2,4,5}
3
4
{1,4}
5
{2,3,5}
 A solution: sub-collection of the 𝑆𝑖 ’s that
covers every element of [𝑘] exactly once
Witness Encryption
 Message encrypted wrt to XC instance
 Encryptor need not know a solution
 Or even if a solution exists
 Anyone with a solution can decrypt
 Secrecy ensured if no solution exists
{1,2,3}
1
2
{2,4,5}
{1,2,3}
1
2
{2,4,5}
3
3
4
{1,4}
4
5
{2,3,5}
5
Decryptable
{1,4}
{2,3,4,5}
Secret
Witness Encryption Using MMAPs
 Choose random 𝑎𝑗 for element 𝑗
 Product 𝑝𝑖 = 𝑗∈𝑆𝑖 𝑎𝑗 for subset 𝑆𝑖
 Publish encoding 𝑒𝑖 = 𝐸𝑛𝑐|𝑆𝑖 | (𝑝𝑖 )
 Product of everything p∗ = 𝑗∈[𝑘] 𝑎𝑗
 Use encoding 𝑒 ∗ = 𝐸𝑛𝑐𝑘 (𝑝∗ ) to hide message
𝑎1
𝑎2
𝑎3
𝑎4
𝑎5
1
2
{1,2,3}
𝑒1 = 𝐸𝑛𝑐3 (𝑎1 ⋅ 𝑎2 ⋅ 𝑎3 )
{2,4,5}
𝑒2 = 𝐸𝑛𝑐3 (𝑎2 ⋅ 𝑎4 ⋅ 𝑎5 )
3
4
{1,4}
5
{2,3,5}
𝑒3 ⊠ 𝑒4 ≈ 𝑒 ∗
𝑒3 = 𝐸𝑛𝑐2 (𝑎1 ⋅ 𝑎4 )
𝑒4 = 𝐸𝑛𝑐3 (𝑎2 ⋅ 𝑎3 ⋅ 𝑎5 )
𝑒 ∗ = 𝐸𝑛𝑐5 (𝑎1 ⋅ 𝑎2 ⋅ 𝑎3 ⋅ 𝑎4 ⋅ 𝑎5 )
ctxt = (𝑒1 , … , 𝑒4 , 𝐸𝑥𝑡𝑟𝑎𝑐𝑡 𝑒 ∗ ⊕ 𝑀)
Witness Encryption Using MMAPs
 Encrypt(message M, instance (𝑘, 𝑆1 , … , 𝑆𝑚 ))
 Set 𝑝𝑝, 𝑠𝑝 ← 𝐼𝑛𝑠𝑡𝐺𝑒𝑛(1𝜆 , 1𝑘 ), choose 𝑎𝑗 ← 𝑍𝑝 ∀𝑗
 Compute 𝑝𝑖 = 𝑗∈𝑆𝑖 𝑎𝑗 ∀𝑆𝑖 , and p∗ = 𝑗∈[𝑘] 𝑎𝑗
 Encode 𝒆𝒊 ← 𝐒𝐄𝐧𝐜(𝐬𝐩, 𝒑𝒊 , 𝑺𝒊 ), 𝒆∗ ← 𝐒𝐄𝐧𝐜 𝐬𝐩, 𝒑∗ , 𝒌
 Use 𝒆∗ to hide message, 𝒄∗ ← 𝐄𝐱𝐭𝐫𝐚𝐜𝐭 𝐩𝐩, 𝒆∗ ⊕ 𝐌
 Ciphertext is (pp, 𝑒1 , … , 𝑒𝑚 , 𝑐 ∗ )
 Decrypt(cover 𝐶, ciphertext (pp, 𝑒1 , … , 𝑒𝑚 , 𝑐 ∗ ))
 Multiply encodings in cover 𝒆 ←⊠𝒊∈𝑪 𝒆𝒊
 Use to unmask message, 𝑴 ← 𝒄∗ ⊕ 𝐄𝐱𝐭𝐫𝐚𝐜𝐭 𝐩𝐩, 𝒆
Security of Witness Encryption
 If no exact cover, then no polynomial relation
of degree ≤ 𝑘 between 𝑝∗ and the 𝑝𝑖′ 𝑠
 For some no-instances, 𝑝∗ is uniform even given 𝑝𝑖′ 𝑠
 For others there is a relation,* but of degree > 𝑘
 By über-assumption, 𝑒 ∗ is indistinguishable
from encoding of a uniform element
 If 𝑒 ∗ was an encoding of a uniform element, then
𝐸𝑥𝑡𝑟𝑎𝑐𝑡 𝑝𝑝, 𝑒 ∗ was a uniform bit string
* There could be many such relations,
need to generalize über-assumption