Seny Kamara: So it`s a pleasure to have Mariana Raykova speaking
advertisement
>> Seny Kamara: So it’s a pleasure to have Mariana Raykova speaking today. Mariana is a research scientist at SRI. She graduated from Columbia. She did her postdoc at IBM Research. I guess most of you know her. She’s done two, no three internships here. Two in the crypto group and one in the security group. And today she’ll be speaking about obfuscation. >> Mariana Raykova: Thanks Seny. Hello everyone. Today I’m going to present to you our work on indistinguishability obfuscation and constructing functional encryptions for all circuits. This is work in collaboration with Sanjam Garg, Craig Gentry, Shai Halevi, Amit Sahai and Brent Waters. So let me start by saying a few non-formal words about what obfuscation is. So code obfuscation, the goal of code obfuscation is to make programs unintelligible while at the same time maintaining their functionality. So this is one example that I took from Wikipedia of how people currently do obfuscation and what obfuscated problems look like. So if we say this initial goal, there are several questions that arise immediately. First one obviously is why would we want to do anything like this? What is this for? The next one is what unintelligible really means? Is there a way to formalize what this unintelligible means? And then the third one is once we have set up these two questions is, can we really achieve anything with these properties? So in this talk I hope that I will give answers to all three of these questions, more or less satisfyingly you will see. So let’s start with the first question. Why would we want to do obfuscation? Well obfuscation in general gives us the ability to hide secrets in software. It’s like, at the very high level. So we imagine that we have the AES, which is a symmetric key encryption. And then we look at the circuit of AES and we also embed there the secret key that we will use for the encryption. So we start with the secret key encryption. And if we obfuscate the circuit we immediately get a public key encryption. So the obfuscation of this AES circuit with the embedded key is a public encryption. And the advantage is that if the obfuscation does not add too much overhead then we have more efficient public key encryptions because in general symmetric key is much more efficient than public key. So another example that we can sum up with this. Imagine that we have a company and we came up with a proprietary algorithm for DNA classification. And we would like to release software that allows people to use this algorithm, but at the same time we don’t want to reveal our secrets in designing this algorithm. So what we can do, is we can provide an obfuscation for our program that is implementing the algorithm while hiding our proprietary information. And then the third example that I would mention is maybe when we think about distribution of software patches. So assume that we have found out that our program has some vulnerability and we want to distribute a software patch. But if people are able to look at this patch that we are distributing, this would also immediately point them to the vulnerability so they can try and leverage this into a patch of already existing software. However, if we had a way to obfuscate this patch, then we can release this fix while hiding the vulnerability as well. So these are… >>: [indiscernible] too or just the patch? >> Mariana Raykova: I mean once you want to apply the patch then you have to, you also, you don’t need to have it obfuscated. It can be in the clear. So but, and in… yeah? >>: If it’s in the clear, if you have an obfuscated patch and the thing you’re patching is in the clear, then you can see which part is updated so you know where the vulnerability is. >> Mariana Raykova: Yeah. So I mean if you assume that you can compare the two things and then find out just by the comparison on the whole code where the change is, then yeah. So the question is whether you, maybe the patch is much smaller and just by looking in the patch you can get the direct pointer to the place where you are patching. So in general, obfuscation is used in contemporary work where people try to come up with that whole solution for obfuscation which mostly implements the principal of security-via-obscurity. So what they really do is make time consuming reverse engineering on a particular obfuscated program. But in no way do they provide any provable properties for existing obfuscations. So this means that our challenge as cryptographers is really to construct obfuscation schemes that provide provable security guarantees. And if you happen not to be into application and you don’t care about applications of obfuscation, I will give you another motivation that you might care about just by virtue of the fact that obfuscation is a very useful primitive. And there is this whole series of new results in crypto that came out immediately after this paper and they implement many new and interesting functionalities which were not possible before we had obfuscation. And for the purposes of this talk, I will actually focus on functional encryption which is a result from our paper. So using obfuscation we construct functional encryptions for all circuits. And here I will take a little deviation to tell you what this functional encryption, what kind of functionality functional encryption provides for you. So basically functional encryption is a generalization of usual encryption keys that give you a way to define a special type of decryption key, decryption key that reveals not the whole encrypted message but only a function evaluated on this message. So imagine that we have Mary who has her driving license and then we encrypt the driving license using functional encryption. Then when Mary goes to the bar we can provide the bartender with the key that allows him to decrypt the ciphertext from the functional encryption and the only thing that he learns is whether Mary is over 21. And the same thing we can provide the policeman with a decryption key that allows him just to learn the type of driving category for Mary’s driving license. So this is the functionality of functional encryption and I will later show you how to construct it. So what are our results in this paper that I will present from now on? So we propose the first indistinguishability obfuscation scheme for all circuits. There are two steps in our construction. We first give a candidate obfuscation construction for our shallow circuits or circuits that can be substantiated in NC1. And then we show how to use this obfuscation of NC1 circuits together with fully homomorphic encryption to obtain obfuscation for any circuit in P. So this is our result on obfuscation and then using obfuscation together with functional encryption I will show you how to construct a functional encryption scheme. For the purposes of the presentation I will shift a little bit the order in which I will talk about the different parts of our results. And the reason for this is that this is really the most complicated part, the most messy part maybe from the talk because this is where we also introduce a new hardness assumption. So I will start from the ones that are clean and smooth constructions with nice proofs and then I will proceed to the more complicated one. Yes? >>: [indiscernible] >> Mariana Raykova: Well for this particular example of functional encryption yeah, you can think of… >>: [indiscernible] >> Mariana Raykova: I really, yeah you can just provide the ciphertext and you can do the decryption on the ciphertext. You don’t need any interaction beyond that. So let’s now start with the more formal definition of what obfuscation is. So an obfuscation is a probabilistic algorithm that takes the input of certain program C or a circuit C and then it outputs another program which we will call the obfuscation of this program C prime. And we want, we require the following three properties from our obfuscation. First we want to guarantee that the obfuscation of the function computes exactly the functionality that we started with. So any input evaluation of the original circuit is the same as the evaluation of the obfuscated circuit. Then we want to guarantee that the obfuscated version of our program introduces only polynomial overhead in the original size of the [indiscernible] circuit. And then the third property is the property that I will just state here as unintelligible because there are many ways in which we can compartmentalize the unintelligible. And I will explain the several different flavors that we can require for security. Yeah? >>: [indiscernible] >> Mariana Raykova: It’s large. I don’t know the exact degree but it’s very large. So the first way that we can formalize the security for obfuscation is through what is called virtual blackbox obfuscation. And this security definition tries to capture the intuition that even an obfuscation for a circuit, this does not reveal anything more than a black-box access to the circuit. So it just allows us to feed it input and see the output of the computation but we don’t learn anything more apart from that. And the formal way that we state this security definition is by saying that for every polynomial time adversary A there exists a simulator S such that for all circuits the view that an adversary gets from the obfuscation of the circuits is indistinguishable from a view that’s produced by the simulator which is given all the black-box access to the functionality. So basically this captures the fact that if there is a simulator that can produce this indistinguishable view and it is given just the black-box access to the circuit, then certainly the obfuscation doesn’t reveal anything more. So this is very strong and very good security definition. The bad thing is that it’s impossible. And the work of Barak et al which also introduced this definition shows that achieving black-box obfuscation is impossible. And in particular they construct unobfuscatable family F together with some property about these families such that you can efficiently compute this property if you are given any circuit that computes f. However if you are just given random oracle access to the functionality f there is no way that you can compute this property p. And also the impossibility result for the virtual black-box obfuscation extends to the case when we allow inefficient obfuscator. So the obfuscation algorithm doesn’t need to be polynomial [indiscernible] and so the impossibility result holds. So if we have this impossibility result the natural thing is to try to look at a relaxed definition of security for obfuscation. And here comes the notion of indistinguishability obfuscation which was also introduced in the same work of Barak et al. Indistinguishability obfuscation tells us the following. It tells us that if we start with two circuits that compute the same function or this means that evaluation on any input of the circuit C0 is equal to the evaluation on the same input of the circuit C1, then the obfuscations of the two circuits are indistinguishable. So note that inefficient indistinguishability obfuscation is always possible. For this we can think just about the lexicographical order of all circuits that implement a particular functionality. And we can just designate the first circuit in this lexicographical order as the obfuscation for this functionality. The only problem is that computing this canonical order is inefficient so you don’t get indistinguishability efficient. We don’t know so far how to do efficient indistinguishability obfuscation. Also Goldwater and Ludlam introduce the notion of best possible obfuscation which tries to capture the fact that the obfuscation of a particular function doesn’t allow a learner to learn anything more than any other circuit that implements the same functionality. If we are concerned with just computational indistinguishability then the notion of best possible obfuscation is exactly the same as indistinguishability obfuscation. And since we will be talking only about computation or indistinguishability in this talk, for us indistinguishability obfuscation is equal and the best possible obfuscation. So let’s start with our actual construction for indistinguishability obfuscation. As I mentioned, it will consist of two steps. The first step will be constructing indistinguishability obfuscator for shallow circuits and this construction would be using multi-linear maps and then it will be introducing some complex new assumption. And that’s why we will leave it for later. And the second step in our construction will be to bootstrap the indistinguishability obfuscation for NC1 together with fully homomorphic encryption and to obtain indistinguishability obfuscation for any circuit of in P. This will be a simple and provable construction and that’s why we will start with this construction. So how do we start with an obfuscation in NC1 and obtain obfuscation for any circuit? Well let’s think about what are the properties that homomorphic encryption gives us. So we have some function f that we want to compute an obfuscation of this function. So if we imagine that we encrypt the function f with fully homomorphic encryption, then we get an encryption of the function and we have the property that we can take any plain text input and we can evaluate it with this encrypted function. And we will obtain the final output type of x. But the only problem is that it still we be encrypted under FHE. So, and in the functionality obfuscation we really want to be able to get this output result in the clear. So also when we do this evaluation we will keep a transcript of all the steps that we performed when we were evaluating the encrypted function f on the plain text x. So now we can imagine defining a circuit that takes as input the plain text x. The result of the evaluation f of x and also this transcript that is telling us exactly what happened in the evaluation. And we can take this as a proof that we really performed the evaluation of this encrypted function f on the input x and we can check that really the evaluation, the result of this evaluation f of x is the evaluation of the encrypted function f on the input x and the result is this ciphertext c. So if we can check this proof that guarantees that this is really a ciphertext obtained from the honest evaluation, then we can also use the secret key for the fully homomorphic encryptions key to decrypt the ciphertext c. And note that this functionality that I describe here in this box is all circuits and NC1. This is based on the fact that we have proof for which verification algorithm is in NC1 and also we have fully homomorphic encryption schemes for which the decryption circuit is also in NC1. So now that…yeah? >>: [indiscernible] >> Mariana Raykova: Output fx? >>: [indiscernible] >> Mariana Raykova: So we, but we need to talk [indiscernible] f of x. Right? And f of x is only encrypted. We have only f of x encrypted. Yeah we have everything encrypted. So what we will do is we will obfuscate this functionality. Right? We are trying to build an obfuscation for the function f so we have to have f encrypted. We are trying to hide what’s the function. So what we will do is since we already assumed that we have obfuscation for NC1, we will obfuscate this shallow circuit. So this condition of decryption would verify that whatever ciphertext we have [indiscernible], it’s really the evaluation of our obfuscated function on some input and if this verification holds, then we can use the secret key for the FHE to decrypt the final output. So in this case our obfuscator for any circuit would consist of the FHE encrypted function f together with the obfuscation of this small condition of decryption circuit. Yeah? >>: [indiscernible] >> Mariana Raykova: So the SK is embedded in here, right? This circuit will have SK hardwired. Yeah, so when you write the [indiscernible] your obfuscation algorithm will be the one that generates the parameters for the FHE. You encrypt the function that you will be obfuscating. And then you generate the obfuscation. So we are assuming that we have NC1 obfuscator, right? We are just using it to obfuscate this function here which consists of the proof verification and then the FHE decryption. >>: [indiscernible] >> Mariana Raykova: So I haven’t told you anything about the proof yet. Right? I will proceed with explaining what happens with the proof. So Brian was hitting on the correct question is that you can prove this construction security only if you assume virtual black-box obfuscation. So that’s why we will have to modify this construction. So instead of having one set of FHE encryptions, we will introduce a second parallel FHE encryption scheme. So we will encrypt twice our obfuscated functions on the two different FHE encryption keys. We can similarly obtain the evaluation, the encrypted, the result of the evaluation encrypted under the two different keys. We can keep the transcript that exactly the same way. We can define the condition of decryption [indiscernible] in NC1, which is good. And we can obfuscate this part so now our obfuscator for the whole p will consist of the two encrypted functions f under the two different keys and the obfuscation of the condition of decryption. So now this construction is good enough to prove indistinguishability obfuscation for NC1. And here is an outline of the proof idea how we will show this. So in the proof we have to show indistinguishability obfuscation. We have to show that this construction is a good indistinguishability obfuscator. And as a reminder this means that we have to show that the indistinguishability obfuscation of C1, of C0 and C1, when they evaluate exactly the same function are indistinguishable. So we have to show that this set of two ciphertext and the conditional decryption obfuscation of the condition of decryption is different from these two. Where the difference is really, okay, so let’s go through the steps. So I will show you a number of steps transformation that we will start from this distribution and we will end up in this distribution and I will show you at each step why two consecutive steps are indistinguishable. So what is the first step? Well in the first step we will change the second encryption. Instead of encrypting the circuit C0 it will encrypt the circuit C1. And why do we claim that these two are indistinguishable? Well we will claim that these two are indistinguishable because of the semantic security of the fully homomorphic encryption. We just have two different encryptions of two different semantics. And also by virtue of the fact that we haven’t used anywhere the secret decryption key for the second FHE. What we are using here is the decryption key for the red FHE parameters. The next step will be changing the obfuscation where instead of embedding SK0 we will be embedding SK1. And why these two [indiscernible] will be indistinguishable will come from the property of the indistinguishability obfuscation of NC1. Because these two circuits will still evaluate exactly to the same on any input. Together with the property that we have perfectly sound non-interactive witness indistinguishable proof, which basically means that nobody, no adversary can generate cheating proof that would allow you to decrypt if you are not feeding exactly the same encryption if you haven’t evaluated the red ciphertext and the yellow ciphertext on two different messages. So this indistinguishabilty of these two sets follow from the obfuscation, the indistinguishability obfuscation property for NC1 together with this [indiscernible] this property of our proof. Yeah? >>: [indiscernible] >> Mariana Raykova: So this means that one of them is decrypting the output here and one of them is decrypting the output here. We know that these two circuits evaluate to the same. Right? This is our starting definition, is that C0 and C1 evaluate to the same on any input. So you just have to make sure that when you produce the correct proof that says that the yellow and the red were evaluated exactly on the same input. So if we have guaranteed that they are evaluated on the same input then you are guaranteed that their output will be the same. Yeah? >>: [indiscernible] >> Mariana Raykova: Yeah the encryption always… >>: [indiscernible]. Where do you use this? >> Mariana Raykova: You use, here the, you use it by the fact that you cannot provide input for the obfuscations that evaluated the two ciphertext on two different inputs. Right? As part of the proof you are checking that the two ciphertext that you are giving into the obfuscation are evaluation of the two encryption of the same function on the same input. Because if you were able to see the two evaluations on two different inputs then you will be able to, in one case you will be decrypting the first one and the other case you will be decrypting the second one. And if you manage to cheat and provide two different inputs then you will be able to evaluate. So you have to guarantee that he is not able to produce a cheating, that there doesn’t exist a cheating proof for this system. And we, I mean in our paper we construct such a proof system. >>: [indiscernible] >> Mariana Raykova: So the verification algorithm is in the obfuscation. So the next step is just switching the first ciphertext. The security here is again from the semantic security of FHE. And then the last step of switching the key back from SK1 to SK0 again follows in the same way as the previous step. So this is the outline of the construction from NC1 to P. Now I will proceed with the next clean construction which is the functional encryption construction starting from obfuscation for all circuits. So let me define what functional encryption is. So a functional encryption consists of an algorithm that produces the parameters for this key which is a public encryption key. And then a master secret key. Then we have an encryption algorithm which takes a message and encrypts that message under the public key. We also have a key generation algorithm which takes the master secret key and the particular function which will be associated with the resulting decryption key. So it produces a decryption key associated with F and when we want to decrypt a particular ciphertext that encrypts a message m with a decryption key that’s associated with function F, then the output of the decryption is the evaluation of F on the encrypted message m. So this is the formal definition of functional encryption. So let’s see now how we construct functional encryption, if we have obfuscation for any circuit. So the set up for our functional encryption key will consist of generating two pairs of parameters for semantically secure public encryption keys. Then if we want to encrypt a message m, what we will do is we will encrypt the message under the two public keys for the public encryption key. And then we will also produce a proof that these two ciphertexts encrypt the same message. So our ciphertext will be two ciphertexts and a proof. Then if we want to generate a decryption key for a function F, what we will do is we will generate an obfuscation for a function that takes a function encryption ciphertext which is two regular ciphertexts and the proof. It checks the proof which guarantees that the two ciphertexts encrypt the same message. And if this verification holds, then what we will do is we will decrypt the first ciphertext which is under the SK0 key and then we will take this decrypted value and we will evaluate only the function F. And this will be the output. If this verification did not hold, then the decryption will fail. I mean this verification wouldn’t hold only if you don’t have a correctly constructed ciphertext. And then the decryption is easy. We just interpret the decryption key as an obfuscated program and we evaluate it on the particular ciphertext. So this is the whole construction for the functional encryption. It’s very similar to the… yeah? >>: [indiscernible] >> Mariana Raykova: Yeah. We will use it in the proof. We will need it only for the proof, which appears on the next slide. So why did we need really these two parallel encryption keys? I mean you can, might be reminded of the proof for CTA security from [indiscernible] where they have this parallel, two public key encryption schemes. So what is, I never mentioned to you, what is the definition of security of functional encryption. So there are different notions of security for functional encryption. There are simulation definition which we know is impossible. And that’s why we will prove security for another, security definition, which is indistinguishability security, which roughly says that the encryptions of two messages are indistinguishable if you are given decryption keys for function that evaluates to the same value on the two messages. That’s the intuition for the security definition for indistinguishability. So what does this mean? So we have an encryption of the first message. And then we have a decryption for a function, for a particular function that obeys this property. And then we will have the encryption of the second message with the decryption key of the same function. So I need to show you how to transition from this distribution to this distribution, and claim that these steps are all computational indistinguishability. So first step that we will do, is we will change the encryption, the proof in this encryption with a simulated proof. So for this we need to have statistical simulations on [indiscernible], which we know how to do. The next step will be once we have the simulated proof, we can afford to change the encryption in the second ciphertext from m0 to m1 because we already have the simulated proof and the whole point of the proof was to guarantee that these two things are in the same. These two steps are indistinguishable just from the semantic security of the public key encryption. Then what we will do is we will start actually using the second encryption scheme parameters. So we will change the decryption key. Instead of using the decryption key for the red scheme, to use the decryption key for the blue scheme, which means that in the decryption step you will decrypt the second ciphertext instead of the first one. So here you are decrypting C0 and then evaluating the function. Here we will be decrypting C1 and then evaluate the function F. Why are these two steps indistinguishable? Well because we have a guarantee that F of m0 is equal to F of m1. So these two obfuscations are obfuscations of functions that are really evaluating exactly the same functionality. They have the same output on any input. Right? The only reason is that this is a simulated proof for the challenge message as any adversary, no adversary can generate a simulated proof. So an adversary would be able to produce only valid encryptions that encrypt the same two messages in the two slots. So these two decryption keys obviously will evaluate to the same. And on this challenge message we will have the property that F of m0 is equal to F of m1 so this follows that these two steps are indistinguishable. And we basically continue in the same way, switching the first message back to m1 and then switching the decryption key from using SK1 to using Sk0. So this is basically how final the proof for the construction. So now that we have gone through all the nice construction with a relatively clear proof, we will go to the obfuscation construction for circuits in NC1. So let’s start with all the ingredients that I will be using for this construction. And then I will tell you step by step how we will put them together into our construction. So we will be using a representation of circuits in NC1 using branching programs, which were introduced by Barrington. We will also use Kilian’s technique for randomizing branching programs. We will also use multi-linear maps for which we have the construction of Garg, Gentry, Halevi and then Karong [phonetic], La Pointe [phonetic] and [indiscernible]. So we will put all these things together and then I will describe several different further modifications that are in to do with different issues that this original construction will have. They will come as defenses to particular attacks that we saw in the original construction. And then at the end I will state for you a complicated assumption and give you some, point you to some evidence that maybe it is a good assumption. So what is a, what are branching programs or oblivious branching programs? They were introduced as a computational model which was introduced by Barrington in ‘86. So how do you describe computation with a branching program? So if you have a branching program of length m that takes input of length n bits, consists of m pairs of matrices which, these should be 5x5 matrices, so all these matrices are 5x5 matrices. And then in addition to that you have a function that tells you, that maps any position in the branching program to a bit in the input. So you have these [indiscernible] for each position, [indiscernible] of matrices for each position of the branching program. And then you have a function that tells you, for each position in the branching program, which input you have to look at. Why would you be looking at the input? Well, for the evaluation. The evaluation of a branching program for a function F consists, is basically the multiplication of all, of one matrix in each position, where you choose which matrix to take, depending on the input bit in the position given by this map. So for each position in the branching program, you look at this function and if the input bit was one, you use the matrix for A1. And if the input bit was 0 then you use the other matrix. Really I think the best thing is to look at an example to understand how branching programs work. So imagine that you have a branching program of length 9. So this means that you have 9 [indiscernible] of matrices. And if this branching program has input of length 4-bit, and then the map that maps branching program positions to input bits says that the position 3, 6 and 9 are determined by the first bit in the input. So if this first bit is 0, then for the evaluation we have to use the matrices that correspond to input bit 0. Then similarly, we can look at the subset of position in the branching program determined by the second bit in the input. So if that input is 1, then we take the other matrices and we do the same thing with the rest of the input bits 3 and 4, and put the evaluation on the branching program. We just select the corresponding matrices and we multiply them all together. Once we have multiplied these matrices, we check whether the product is the identity matrix. And if the product is the identity matrix, this means that the output of the evaluation is 1. Otherwise the output of the evaluation is 0. This is how branching programs work and this is how the computation in a branching program is described. Barrington’s theorem says that every function that’s computable by a depth d circuit has a branching program representation that is of length of 4d. And what does this mean, is that every circuit that’s an NC1, which means that it’s a depth of O of log n has a branching program of polynomial length. So that’s why our construction would really work for functions in NC1. So we have defined what the branching program is. Let’s try to see what the randomized branching program is. Let’s use an approach that was introduced by Kilian. And in his paper he was using randomized branching programs for two party computation. So we will use them in different context. So if we started with a branching program that was of length m and takes input of size n, then we obtain a randomized branching program by sampling m random matrices, random invertible matrices, also of size 5x5. And we compute new matrices which are the product of the original matrices in the branching program, multiply those both sides with two of the random matrices, which is the matrix in position i minus 1. And then this is the invert of the [indiscernible] following randomizing matrix at position i. So basically you insert all these m random matrices in between your other matrices. What this enforces is really that the only way to evaluate a branching program is in the correct order. You cannot mix matrices and take a matrix at position 10 and then put it in position 2 instead of that. You keep the mapping exactly the same, the mapping between… yeah? >>: [indiscernible] >> Mariana Raykova: I mean you can compute different… >>: [indiscernible] but you can certainly multiply all the even pairs together and then… >> Mariana Raykova: Yeah but if you, you will not, you will break the property of the branching program that… >>: [indiscernible] >> Mariana Raykova: So basically the randomized branching program now consists of these new randomized matrices and the original map between positions in the branching program and the input. And this randomized branching program provides a single input privacy, which means that if you look at the matrices that correspond to a single input for an evaluation, these matrices don’t reveal anything more than the output of the computation. The only meaningful thing you can obtain from them is if you multiply them in order and then compare them against identity. And this is basically the idea of Kilian’s two party computation protocol. What we want to do here is we want to use these randomized branching programs to do obfuscation. We want to somehow embed them in a protocol that says that when we give them out, really this is an obfuscation from the program. The only thing we can do is multiply in the correct order and evaluate a function. We are still far from that and so how would we want to use this randomized branching program? Well we want to compute a randomized branching program for a universal function and then provide for the positions that are determined by the obfuscated function. We will provide only one of the randomized matrices from the branching program. And for all positions that are determined from the actual input on which we will be evaluating F, then we will provide both matrices. We will evaluate the obfuscation just in the same way we were evaluating a randomized branching program. Of course this is not sufficient construction because once we give more than one input for a branching program, more than one matrix for a position for the input, then the privacy for the inputs is lost. So how are we going to fix this problem? Well we would encode these randomized matrices using multi-linear maps. So that’s how we will be hiding the matrices. So let me define what a multi-linear map is. It is basically a cryptographic primitive that allows you to do both addition and multiplication on encoded values. So you have, you start with several groups and then you have a map that allows you to compute operation on encoding the two values that result into an encoding of the product of these values. And the difference from a multi-linear map and fully homomorphic encryption is that you have an additional property that you can, in this idealized definition of the multi-linear map, you will be able to do comparisons, multi comparisons. In reality we don’t have a construction for this idealized definition of a multi-linear map. What we have is actually approximation of a multi-linear map where the encoding algorithm is randomized algorithm. It’s not a deterministic algorithm. So we don’t just take Ga for the encoding. But then we have a function that’s called zero-test, which basically allows you to test whether a particular encoding is an encoding of 0, which helps you do the quality test. The hardness assumptions for multi-linear maps are analogs to the descript log and the multi-linear DDH. So we have two known constructions for approximate multi-linear maps and we will be using those. So now that we have the definition of this multi-linear map, what we will do is we will take the matrices from the randomized branching program and we will encode each entry in the matrix using the multilinear map. So this notation is a bit abusing notation. This basically means that each entry in this randomized matrix is encoded using a multi-liner map. The properties of the multi-linear maps just tells us that we can perform the evaluation of the randomized branching program underneath the multi-linear map. We can do the whole multiplication of the matrices and then at the end we can also do the comparisons of the results against the identity matrix, again using the zero-test function from the multi-linear map. So is this good enough for hiding the matrices B? I mean it looks pretty good. But here is an attack that we can still do even if we have done all this encoding with the multi-linear maps. So imagine that we have a randomized branching program and we will be evaluating this randomized branching program on two different inputs, x and x prime. So the prescribed way in which we can evaluate this is select the corresponding matrices and then multiply all of them. However, what we can still do is we can take subsets of the positions, like consecutive positions, two consecutive positions with only subset of them and we can do the correct computation and we can compare these two values. We still have the power to compare these values because the randomized matrices are still aligned and we have the zero-test property from the multi-linear map. And what this attack roughly maps to is learning whether the intermediate values in the evaluations of these two functions are equal. This is a graph mapping of what this attack allows us to learn. Another type of attack that‘s still not prevented is what is called a mixed input attack. So in a randomized branching program we have this mapping that tells you which positions in the branching program are determined by a particular input. So in general in the honest evaluation what you should be doing is you should be taking matrices that correspond to the same bit when you are evaluating a branching program. However, so far we haven’t done anything that prevents an evaluator to take an inconsistent set of matrices for that position. So he can take 1 here and then 0 and 0 here. So this is what we will call inconsistent matrix selection. You can still do the evaluation and test for the results because all the randomizing matrices did this to enforce you to take one matrix in each position. But they didn’t enforce anything about consistency here. So what this attack roughly allows you to learn is what happens with the evaluation if you fix some internal wires to a particular position, to a particular bit 0 or 1. So what is the fix for these two types of attacks that are still remaining? It’s a technique that we call multiplicative bundling. So what we will do is we will compute constants for all positions in the branching program that are determined by the same input bit. We will compute constants and we will multiply them into the B matrices. And this constant will be the property that if you have taken the matrices, consistent matrices, then these constants will cancel out. They will have product 1. So if these are the matrices for 0, this 1 they will be canceling out. However, if you try to multiply inconsistent matrices as in the previous attack, then the product of this constant will be something unknown, different from 1. And this would eventually prevent you from being able to do the zero-test in the final output. So you wouldn’t be able to get any meaningful information when you evaluate the branching program with the inconsistent set of matrices and then try to do the zero-test at the end. In fact what we do in our actual construction is, we have two parallel branching programs, the real one and then a dummy branching program. The dummy branching program doesn’t do any actual computations. The only matrix that we are embedding here is the identity matrix. However, the constant that we are using in this real evaluation branching program and in the dummy evaluation program are chosen in such a way that they implore the consistent use of matrices in positions that are determined by the same bit. So we make sure the product of all the alpha constants in positions determined by the same input g is equal to the product of all the beta constants in the positions determined by the same big g. So now the evaluation is evaluate the real computation in the real branching program, evaluate the dummy branching program then subtract those to cancel out the influence of the randomizing constant. And then apply the zero-test. So basically this multiplicative bundling insures this property. Unfortunately, these two types of attacks, what you can still try to do is try to check whether you have somewhere matrices inside the computation that differ by a multiplicative constant just by doing the multi-linear map [indiscernible] the corresponding positions. This thing allows you to compute an encoding of the determinant of a matrix or try to determine the rank of a matrix. All of these attacks on these pieces in the construction we don’t know how to leverage them into an actual attack of the obfuscation. There is no obvious way how to leverage them. However, these are not things that you would like to be able to do. So even though we don’t know how to reverse and to attack, we try to prevent all these kinds of additional computations that you can do with the pieces in the obfuscation. And counter measures that we introduce to stop these attacks are the following. What we will do is we will embed the matrices from the randomized branching program in much higher dimension matrices. So what will be the dimension of these matrices will be such that you have tried to do things inside. If you tried to compute a matrix rank, we want to guarantee that you go beyond the level for the multi-linear map. And the level of the multi-linear map tells you how far you can apply the zero-test and learn useful things. So basically this extension with the higher dimension matrices will prevent the attacks that I list in the previous slide. So now what we will do is we will embed the matrices from the branching program together with this randomizing the multiplicative bundling constants in the lower right corner. Then we will generate random values in the, for the rest of the diagonal. And then we will apply the randomization for the randomized branching program on top of this newly expanded dimension matrices. So this of course introduces some issues in the correctness of the evaluation of the branching program. Because you still have the property that the multiplication in the lower right diagonal will be the computation of the branching program. However all the top, they have no interest that we introduce to be random values. They have no relation in the two, in the real evaluation branching program and in the dummy evaluation branching program. So to manage this and get back the correctness of the evaluation, we introduce what we call bookends vectors. These bookends vectors will make sure that they would cancel all the random values in the diagonals, in the top of the diagonals. And also we will make sure that the non-canceling part that will go in the lower right corner or which is the part of the randomized branching program, they will have the same product in the real computation branching program and in the dummy computation branching program. And we will also apply the randomization matrices. We will tie everything together with the randomization matrices by multiplying these bookends vectors with the first randomization matrix from the order and then we will multiply the last randomization matrix with the right bookends vector. So the evaluation now will be not only the multiplication of the matrices from the original branching program, but also at the end we will multiply with the two bookends vectors. Which the bottom line of this computation will be that you will cancel out all the random values on the upper diagonal. So you will be canceling once you multiply with these two vectors. Then we’ll have zeroes in these positions, so you will cancel the effect of the interest in this diagonal and you will be left only with the result of the branching programs which you can compare for equality. So if you didn’t follow this last part, I will tell you that there is a different way to enforce the same property that is kind of much cleaner and some works after ours introduced it. So just to recap. What is the construction for the obfuscation of NC1? We start with a branching program. Then we introduce the multiplicative bundling that forces you to use consistent matrices for each input bit. Then we embed these matrices in these higher dimension matrices to prevent all these attacks if we don’t know really how to leverage every one. Then we randomize the matrices using the randomization technique from Kilian. We compute our bookends vectors, which bring us back the correctness for the computation that was destroyed by the higher dimension. As I mentioned, there is an alternative approach where you start using asymmetric multi-linear maps that basically force you to do only the correct computations. And they rely on some other assumption, but I don’t think they introduce any more assumptions than we already have. It’s a much clearer solution I would say. So at the end, once we have obtained all these randomized matrices we encode them with a multi-linear map that has high enough level to allow the evaluation of the computations for the branching program, but nothing more. And then once you have this obfuscation the evaluation of the obfuscation function is just computation on the two branching programs. The real computation and the dummy one. And then compare the results. So what is the security of this construction? So basically the assumption that we have is that once you have this transformation, if you apply this transformation on functions on two circuits that are implementing the same functions, these two distributions of these randomized encoded matrices are indistinguishable. Basically the assumption says that once you are given this obfuscation that consists of these matrices, the only way that you can get useful information is to multiply them in the correct order. And by virtue of the fact that these two circuits evaluate to the same value, you will be guaranteed that you will be getting the same values in both cases. The evidence that this might be a good assumption is that we show that, in our paper we show proof of security of this assumption in what we call generic multi-linear matrix model. Then the following work after us, the two following works after us actually show that the security of this assumption in the generic multi-linear map model, and also some even more recent work shows that this is secure even if you assume some different multi-linear map with a different security property that satisfies semantic security. If you have a multi-linear map that satisfies a property that they call semantic security you can also show the security of this assumption. So these are all evidence that maybe this assumption is a good assumption. Obviously this leaves us the first big open problem from now on is coming up with better assumptions. Another thing that are interesting to look at are actually coming up with stronger notions of obfuscations. Because indistinguishability obfuscation is not really good for everything. It doesn’t really capture the initial intuition of what we want to obtain from obfuscation. And possibly our current construction satisfies a much stronger notion than undistinguishabiliy obfuscation. There is a proof that in the generic multilinear map model is virtual black-box obfuscation. So we have this proof. I mean we know that the impossibility for a larger black-box, but if we assume the generic multi-linear map model, we can show that our construction has satisfied this property. Obviously the efficiency of the construction is nowhere near to anything practical. Another interesting question is coming up with new, more new applications of obfuscation. We already have seen a whole series of follow up work. I am sure that there are more in store. So with this I would like to thank you and I will take any questions. [applause] Yes? >>: [indiscernible] if you could do indistinguishability obfuscation [indiscernible]? >> Mariana Raykova: No I think there is such a result but I mean this really doesn’t imply that I guess. I mean if the result in general about the relation but I’m not sure whether it was indistinguishability obfuscation or some of the stronger relations of obfuscations. You might be right but yeah, these are relations that start to give you connections between things that we are both guessing exist, but maybe one of them doesn’t. [applause]
