How to Use
Indistinguishability Obfuscation
Amit Sahai
Brent Waters
Code Obfuscation
Goal: Make program (maximally) unintelligible
Obfuscator
2
Applications!
Demo or “need to know” software
Software Patching
Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …
3
Difficulty of Achieving Obfuscation
Initial Functionalities:
• Point Functions [LPS04, …] and hyperplanes [CRV10]
• Explanation of existing functionality [OS05, HRSV07]
Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]
What does this mean?
4
Idealized Obfuscation
Idea: Learn nothing more than with black box access
vs.
• Natural for applications, building crypto
• Some (contrived) counter-examples [BGIRSVY 01]
No broad candidate class of obfuscatable functionalities
Generic group proofs [BR13,BGKPS13]
5
Indistinguishability Obfuscation
Idea: Cannot distinguish between obfuscations of two
input/output equivalent circuits
• a(b+c) vs. ab + ac
• Avoids negative results of [BGIRSVY01]
• What is it good for?
Vision: IO as hub for cryptography
Standard Assumption (e.g. LWE)
Indistinguishability
Obfuscation
+ OWFs
This talk
“Most” of cryptography
7
How do we build public key encryption from Indistinguishability Obfuscation?
Punctured Programs Technique
Remove key element of program:
• Attacker cannot win without it
• Does not change functionality
Punctured PRF key: K{x*} evaluates the PRF on all points except x*
Security: Cannot distinguish F(K,x*) from random given K{x*}
Special case of constrained PRFs [BW13,BGI13,KPTZ13]
Build from [GGM84]
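The GGM-tree punctured PRF described on this slide, as an added example (not code from the talk or its authors): the punctured key K{x*} is the list of sibling seeds along the tree path to x*. SHA-256 as the length-doubling PRG, the 16-bit input length and all function names are assumptions made for illustration.

```python
import hashlib

N_BITS = 16  # input length in bits (constructed toy parameter)

def prg(seed: bytes) -> tuple:
    """Length-doubling PRG G(s) = (G0(s), G1(s)). SHA-256 is a stand-in (assumption)."""
    return (hashlib.sha256(b"\x00" + seed).digest(),
            hashlib.sha256(b"\x01" + seed).digest())

def bits(x: int) -> list:
    """Bits of x, most significant first: the root-to-leaf path in the GGM tree."""
    return [(x >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]

def walk(seed: bytes, path: list) -> bytes:
    """Descend from a node seed, taking G0 on bit 0 and G1 on bit 1."""
    for b in path:
        seed = prg(seed)[b]
    return seed

def evaluate(key: bytes, x: int) -> bytes:
    """F(K, x): the leaf reached from the root seed K along the bits of x."""
    return walk(key, bits(x))

def puncture(key: bytes, x_star: int) -> dict:
    """K{x*}: at each level on the path to x*, keep only the sibling's seed."""
    siblings, seed = [], key
    for b in bits(x_star):
        children = prg(seed)
        siblings.append(children[1 - b])  # subtree that does NOT contain x*
        seed = children[b]                # continue toward x*; never stored
    return {"point": x_star, "siblings": siblings}

def evaluate_punctured(pkey: dict, x: int) -> bytes:
    """Evaluate with K{x*}: works on every x except the punctured point."""
    if x == pkey["point"]:
        raise ValueError("K{x*} cannot evaluate the PRF at x*")
    xb, sb = bits(x), bits(pkey["point"])
    # First level where x leaves the path to x*: x is inside that sibling subtree.
    i = next(j for j in range(N_BITS) if xb[j] != sb[j])
    return walk(pkey["siblings"][i], xb[i + 1:])
```

The punctured key holds one seed per input bit, and none of them is an ancestor of the leaf for x*, which is why F(K,x*) stays pseudorandom to whoever holds K{x*}.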
9
Initial Attempt
Setup: Choose Punctured PRF key K, PK= obfuscation of
Problems:
(1) Program knows PRF at t*
(2) If puncture out, will not be equivalent!
10
Simple PKE from iO
Setup: Choose Punctured PRF key K, PK= obfuscation of
Encrypt(m): Choose random r; input m,r into program
Decrypt(K,CT=(c1,c2)):
Decryption is fast = symmetric key
11
Proof of Encryption Scheme
Hyb 0: IND-CPA
12
Proof of Encryption Scheme
Hyb 0: IND-CPA
Hyb 1: t* is random
PRG security
13
Proof of Encryption Scheme
Hyb 0: IND-CPA
Hyb 1: t* is random
Hyb 2: Use K{t*}
PRG security
iO security
14
Proof of Encryption Scheme
Hyb 0: IND-CPA
Hyb 1: t* is random
Hyb 2: Use K{t*}
Hyb 3: Replace F(K,t*) w/ z*
PRG security
iO security
Punctured PRF security
15
A Very Simple CCA-KEM
Setup: Choose Punctured PRF key K, PK= obfuscation of
Encrypt: Choose random r, give as input
Decrypt(K,c):
16
How about signatures?
Natural Candidate
Setup: Choose Punctured PRF key K, VK= obfuscation of
Works with heuristic, but how to prove??
18
A Signature Scheme
Setup: Choose Punctured PRF key K, VK= obfuscation of
f is a OWF
Sign(K,m):
Verify(VK,m,s): Input m,s into verify program
Signing is fast = symmetric key
19
Proof of Signature Scheme
Hyb 0: (Selective) Signature Security
[GMR84]
20
Proof of Signature Scheme
Hyb 0: (Selective) Signature Security
Hyb 1: Punctured Program
[GMR84]
iO security
21
Proof of Signature Scheme
Hyb 0: (Selective) Signature Security
Hyb 1: Punctured Program
Hyb 2: z* random
[GMR84]
iO security
Punctured PRF security
22
Other Core Primitives
NIZKs[BDMP91]
• Sign x if x is in L
• Succinct proofs
Semi Honest Oblivious Transfer[R81]
Injective Trapdoor Functions
Simple CCA secure KEM
23
The rest of the talk
(1) Deniable Encryption
(2) Functional Encryption [GGHRSW13]
(3) Open Directions
24
Deniable Encryption
Deniable Encryption
[CDNO97]
Anthony
Enc(PK, m= ,r) -> CT
Demands message and randomness!
Fake r’ where Enc(PK, m= ,r’) -> CT
Best solutions: attacker advantage 1/n, where n ~ size of public key
Problematic for encrypting many messages
26
Publicly Deniable Encryption
Setup(n) -> PK,SK
Encrypt(PK,m;u)-> c
Anyone can explain!
Decrypt(SK,c) -> m
Explain(PK,c,m;r) -> u’
Two security properties (implies standard deniable)
(1) IND-CPA Security
(2) Indistinguishability of Explanation
Single message game
Advantage of separation: Simpler proofs
27
Hidden Sparse Triggers
Idea: A negligible fraction of the randomness space are “trigger values” that cause Encrypt to bypass normal encryption and output a specific value
Explain(PK, C): Encoding of C in Hidden Trigger Set
Encrypt(PK,m;u): Checks if randomness in trigger set
If yes, decrypts encoding to CT; else does fresh encrypt
Randomness Space
Hidden triggers
28
An Attempt and Malleability Issues
Explain:
Encrypt:
Malleability Attack!
29
Our Deniable Encryption System
Explain:
Encrypt:
30
Proof Overview
IND-CPA Proof: Simple proof; obfuscation not used
Explainability:
• Encoding: Look like random string & non-malleable
• Intricate multistep hybrid proof
31
Using Deployed Keys
Receiver may:
• Already have established key
• Be disinterested/uninterested in D.E.
Universal Deniable Encryption: D.E. to ordinary keys
• One time (uncorrupted) trusted setup
• Use to deniably encrypt to any PK
• Takes Encryption function as input
32
Functional Encryption
Functional Encryption
[SW05…]
[Figure: Authority, MSK, Public Parameters, Key: f, SK, CT: x]
Functionality: Learn f(x); x is hidden
Collusion Resistance core to concept! (Like IBE)
Collusion Bounded & Applications: SS10, PRV12, AGVW13, GKVPZ13
34
An Application: Facial Identification
SK
35
Tools
Statistically Simulation Sound NIZKs
• Statistically sound except for simulated statement
• Build from WI proofs
Two Key Technique
[NY90,S99]
36
Functional Encryption System
[GGHRSW13]
Setup: Generate two key pairs (PK1,SK1), (PK2,SK2); output CRS from NIZK setup
Encrypt(PP,m): Encrypt m under each of PK1, PK2; generate proof p of this
KeyGen(SK1,f): Obfuscate program
Decrypt(CT, SKf): Run obfuscated program on CT
37
Proof Overview
Challenge CT:
Keys:
38
Step 1
Challenge CT:
Keys:
NIZK security
39
Step 2
Challenge CT:
Keys:
IND-CPA security
40
Step 3
Challenge CT:
Keys:
IO security
41
Step 4
Challenge CT:
Keys:
IND-CPA security
42
Step 5
Challenge CT:
Keys:
IO security
43
Step 6
Challenge CT:
Keys:
NIZK security
44
Evolution of Functional Encryption
Sahai-Waters 2005: Introduction of Attribute-Based Encryption
GPSW 2006: Access Control (ABE) for any boolean formula
BW 2007, KSW08: “Predicate Encryption”; dot product functionality
Talks 2008: “Rebranded” as Functional Encryption, BSW11 reformalized (BSW11+O10 added simulation def.)
GGHSW13/GVW13: ABE for circuits
FE at 2013: Still Inner Product (& Applications)
Best we can do with bilinear maps
GGHRSW 2013: Functional Encryption for any circuit
45
Evolution of Functional Encryption
Obfuscation
46
Looking Forward
Explosion of Obfuscation
Late July: GGHRSW13, SW13 eprint
4 months later
• Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]
• Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]
• Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]
• Two-round secure MPC from Indistinguishability Obfuscation [GGSR]
• Protecting Obfuscation Against Algebraic Attacks [BGKPS]
• Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]
• Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]
• There is no Indistinguishability Obfuscation in Pessiland [MR]
• On Extractability Obfuscation [BCP]
• A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]
• Separations in Circular Security for Arbitrary Length Key Cycles [RVW]
• Obfuscation for Evasive Functions [BBCKPS]
• Differing-Inputs Obfuscation and Applications [ABGSZ]
• More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]
• Multi-Input Functional Encryption [GGJS]
• Functional Encryption for Randomized Functionalities [GJKS]
• Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]
• Multi-Input Functional Encryption [GKLSZ]
• Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]
48
My Probabilities
I will make it to Weizmann in Dec.
38%
Indistinguishability Obfuscation from LWE-type assumption in 4 years
63%
Amit eprints an obfuscation paper in next 2 months
95%
49
Thank you
50