amit sahai obfuscation: hiding secrets in software an nsf frontier center institut henri poincaré,...
TRANSCRIPT
Amit Sahai
Obfuscation:Hiding Secrets in Software
An NSF Frontier Center
Institut Henri Poincaré, October 16, 2015
The mind-reading adversary
• Suppose you want to keep a secret.But there is an adversary that:– Captures your entire brain– Reads and tampers with the
activity of every neuron in brain– While you are thinking about your secret.
• Obfuscation: CS-analog of this scenario is common:– Can a computer program keep a secret,
even if adversary captures the entire program?– No trusted hardware, no interaction.– Just an ordinary program with ordinary inputs and outputs.– Running on a single ordinary computer.
Earlier conceptsSecure Multi-Party Computation [Yao, Goldreich-Micali-Wigderson, BenOr-Goldwasser-Wigderson, …]
Adversary can see
Adversaryis blocked
Solution idea:“Spread out the computation”
Earlier conceptsLeakage-Resilient Compilers [Ishai-Sahai-Wagner, …, Goldwasser-Rothblum]
Some fraction* < 1of computationis leaked to Adversary
Previous concepts required some portion of computation to be completely hidden
from Adversary.
General-Purpose Obfuscation:No part of computation is hidden.
What programs allow for secrets?• Consider program P(x):– Constant: s– If x < s, output 1, else output 0
• If any program equivalent to P is revealed to Adversary,Adversay can use binary search to recover s.
• Thus: For secrecy to be plausible, program must (at least) be un-learnable with queries.
• Hope: “Virtual Black Box”
O(P) = P
The road to a good definition• Virtual Black Box formalized, but then ruled out, by
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang].
• What [BGIRSVY 2001] shows:– There are contrived “self-eating programs” for which black-
box obfuscation suffers from explicit attacks.– Idea: Create Program P(x):• Constant: secret s• “Check if x = program equivalent to P”• If so, output secret s, else output 0
• Note: known negative results only for such pathologicalscenarios. In practice, still reasonable to use VBB definition. But this is a Theory talk, so we won’t explore this further.
O(P) = P
• Indistinguishability Obfuscation (iO) [BGIRSVY]– Polynomial slowdown: For any program P,
iO(P) is equivalent to P, and Time( iO(P) ) = poly(Time( P ))– Indistinguishability: For equivalent programs (P0, P1) of same
size, no polynomial-time adversary can distinguish between (P0, P1, iO( P0 )) and (P0, P1, iO( P1 ))
• No impossibility known, but open for long time.• First mathematical construction in 2013:
[Garg-Gentry-Halevi-Raykova-Sahai-Waters]• Has turned out to be surprisingly useful.– Definition does not explicitly protect most secrets,
but can be leveraged to provably guarantee secrets.[Garg-Gentry-Halevi-Raykova-Sahai-Waters, Sahai-Waters, … ]
A formal definition
“Researchers are hailing the new work as a watershed moment for cryptography”
-Quanta, the Simons Foundation Magazine
The obfuscator iO itselfis a probabilistic polynomial-time
algorithm.
In other words:iO is a “pseudo-canonicalizer”
iO(P) is indistinguishable from,and therefore reveals no more than,a canonical form of the program P.
Curious fact:If P=NP, iO for circuits exists unconditionally:
iO(C) = padded-min-circuit(C)
Thus, iO cannot imply hardness,but as we’ll see later,
iO can be used to leverage hardness
iO Example: Crippleware
Powerful Software
Expressive User Interface
Powerful Secrets
Crippled (Demo) versionredesigned from scratch
Crippled User Interface
No Secrets
iO:
Crippled
iO:
≅
We can release this and be sure that secrets are safe!
Many, many applications• iO used to resolve long-standing open problems:– Functional Encryption (see Craig’s talk) [GGHRSW]– Deniable Encryption via Punctured Programming [Sahai-Waters] – 2-round MPC [Garg-Gentry-Halevi-Raykova]
• iO also used to introduce new concepts:– Multi-Input FE [Goldwasser-Goyal-Jain-Sahai, Gordon-Katz-Liu-Shi-Zhou]– Upgrading Random Oracles to Universal Samplers
[Hofheinz-Jager-Khurana-Sahai-Waters-Zhandry]
• Almost surely much more to come…• iO as the “central hub” for cryptography?
Context: The Development of Crypto
Cryptography = Hardness*
*Let’s ignore information-theoretic cryptography for now.
RSA Factoring
DDH
MPC
ZKPKE
Signatures
Bilinear BDDHBilinear DLIN
ABE
IBEShort Signatures
LWEGentry’s ICP
MmapCandidates
FHEObfuscation
FE
Crippleware
What about allthis space?
Rest of this talk: constructions and security
• Main solution idea: Structured Noise– Add structured noise to program components– If components are combined via honest program execution,
then noise cancels out and output is obtained– Any other combination of components leaves noise intact,
hiding all useful information from adversary
• Let’s now jump into how this works:Obfuscation Matrix Branching Programs[Garg-Gentry-Halevi-Raykova-Sahai-Waters](We will follow presentation of [Barak-Garg-Kalai-Paneth-Sahai] here.)
• We work in a setting where limits are placed on allowed algebraic ops on encoded values..
• Formal setting: For every nonempty subset S of {1,2,…,k}, there is ring GS. Each GS is a copy of ZN for large N.
• Allowed algebraic operations limited to:– Addition: GS x GS to GS – Multiplication: GS x GT to GS T⌴ , if S and T disjoint– Zero-Test: G{1,2,..k} to {Yes,No}
• We will eventually state computational hardnessassumptions over this framework.
The “k-Mmap” algebraic framework [Boneh-Silverberg, Garg-Gentry-Halevi]
Example: [2]{1} + [7]{1} = [9]{1}
But [2]{1} + [7]{2} not allowed.
Example: [2]{1} [3]{2} = [6]{1,2}
But : [2]{1} [3]{1} not allowed
(i.e. only multi-linear operations OK)
Example: k=2
G{1} , G{2} , G{1,2} are each copies of ZN
Use [2]{1} to denote encoding of 2 in G{1}
Only Zero Test query yields un-encoded information“in the clear”.
• We work in a setting where limits are placed on allowed algebraic ops on encoded values..
• Formal setting: For every nonempty subset S of {1,2,…,k}, there is ring GS. Each GS is a copy of ZN for large N.
• Allowed algebraic operations limited to:– Addition: GS x GS to GS – Multiplication: GS x GT to GS T⌴ , if S and T disjoint– Zero-Test: G{1,2,..k} to {Yes,No}
• We will eventually state computational hardnessassumptions over this framework.
The “k-Mmap” algebraic framework [Boneh-Silverberg, Garg-Gentry-Halevi]
Important note:To construct obfuscation, only need
“Multilinear Jigsaw Puzzles” [GGHRSW] where:
• No low-level encodings of zero are given out• Only master-key holder needs to generate
new encodings
This is critical to avoids attacks for known Mmap candidates. (more on this later)
• Oblivious Matrix Branching Program for F:– n-bit input x=x1x2…xn (e.g. n=3 here)
– 2k invertible matrices over ZN
– Evaluation on x:
– Where B is fixed matrix ≠I over ZN
Matrix Branching Programs[Barrington, GGHRSW]
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
Simple example:Want to implement:F(x1 x2) = XOR( x1, x2 )
[Barrington]: All log-depth (NC1) circuitshave poly-size Matrix Branching Programs
Towards Obfuscation
• Oblivious Matrix Branching Program for F:– n-bit input x=x1x2…xn (e.g. n=3 here)
– 2k invertible matrices over ZN
– Evaluation on x:
– Where B is fixed matrix ≠I over ZN
• Kilian Randomization:– Chose R1, …, Rk-1 random over ZN
– Kilian shows that for each x, can statisticallysimulate Mx matrices knowing only product.
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
~
Kilian Simulation
Towards Obfuscation
• Oblivious Matrix Branching Program for F:– n-bit input x=x1x2…xn (e.g. n=3 here)
– 2k invertible matrices over ZN
– Evaluation on x:
– Where B is fixed matrix ≠I over ZN
• Kilian Randomization:– Chose R1, …, Rk-1 random over ZN
– Kilian shows that for each x, can statisticallysimulate Mx matrices knowing only product.
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
~
Proof by example:• Consider (M1R) and (R-1M2)
• Rename: R’ = M2-1R, so R = M2R’
• Now: • M1R = M1M2R’• R-1M2 = R’-1
Only need to knowM1M2 to generate these.
Towards Obfuscation
• Oblivious Matrix Branching Program for F:– n-bit input x=x1x2…xn (e.g. n=3 here)
– 2k invertible matrices over ZN
– Evaluation on x:
– Where B is fixed matrix ≠I over ZN
• Kilian Randomization:– Chose R1, …, Rk-1 random over ZN
– Kilian shows that for each x, can statisticallysimulate Mx matrices knowing only product.
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
~
Towards Obfuscation
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
{1} {1}
{2} {2}
{3} {3}
{4} {4}
{k} {k}
Encode eachmatrix entry
in GS
as shown here.
Note: Can stillmultiply matrices
as needed forcorrectness.
Could this already be
secure?
No.Key obstacle:Input-Mixing
Attack.Don’t know how to bound
information learnedby input-mixing attacks.
Changing the Mmap sets
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
{1} {1}
{2} {2}
{3} {3}
{4} {4}
{k} {k}
Changing the Mmap sets
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
{1,1’} {1,1’}
{2,2’} {2,2’}
{3,3’} {3,3’}
{4,4’} {4,4’}
{k,k’} {k,k’}
Changing the Mmap sets
M1, 0 M1, 1
M4, 0 M4, 1
M7, 0 M7, 1
~ ~
~ ~
~ ~
{1,1’} {1,1’}
{4,4’} {4,4’}
{7,7’} {7,7’}
Changing the Mmap sets
M1, 0 M1, 1
M4, 0 M4, 1
M7, 0 M7, 1
~ ~
~ ~
~ ~
{1,1’} {1,7’}
{4,4’} {4,1’}
{7,7’} {7,4’}
“Straddling Sets”[BGKPS]
Obfuscation Construction[GGHRSW, BGKPS]
• This gives a plausibleobfuscation construction.
• No known attacks on this iOconstruction (over GGH13).
• In fact, with a little morerandomness:
• Can rule out all attacks thatrespect Mmap algebraicinterface: [GGHRSW, Brakerski-Rothblum,Barak-Garg-Kalai-Paneth-Sahai],also: [Miles-Sahai-Weiss, Sahai-Zhandry]
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
Security vs. Algebraic Attacks[GGHRSW, BR, BGKPS]
• Note that algebraic attacks arehighly nontrivial in multilinear(and beyond) setting.– Entire subarea of complexity theory:
arithmetic circuit complexity devotedto proving lower bounds in such settings.
– Many, many open problems.– In fact, some obfuscation-related
security conjectures would implyVP ≠ VNP. [Miles-Sahai-Weiss]
• Good news:– Unlike poor complexity theorists,
who study algebraic complexity ofnatural functions, we cryptographersget to devise our own functions.
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
Security of iO[GGHRSW]
• iO requires that iO(C) ≅ iO(C’)if C(x) = C’(x) for all x.
• It is equivalent to show thatthere exists an unboundedsimulator SC that can simulateany PPT Adversary that is given iO(C) as input.– Observe SC same as SC’
– Other direction:Unbounded S computesT = padded-min-circuit(C), then feeds iO(T) to adversary.
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
• Consider algebraic adversary,creates polynomial P. Is it zero?
• Consider any monomial M• Because of
we know that each monomial canonly touch matrix entriescorresponding to single input.
• For each input x, let Px be the sum of all monomials corresponding to input x.
• Now, apply Kilian’s simulation and Schwartz-Zippel to determine if Px is zero.
• Can simulate each Px separately:
Unbounded Simulation vs. Algebraic Attacks[GGHRSW, BR, BGKPS, MSW]
M1, 1
M2, 0
M3, 0
M4, 1
…
Mk, 0
~
~
~
~
~
M1, 0~
M2, 1
M3, 1
~
~
M4, 0
…
~
Mk, 1~
Guarantees algebraic independence of each Px.
For P to be zero, by Schwartz-Zippel, each Px
must be zero.
Where we arevs.
Where we want to be• We’ve seen lots of zeroizing attacks on Mmaps.• Unfortunately, the attacks are not “algebraic” in the Mmap
model, but instead exploiting the underlying algebraic structure in the Mmap candidates.
• So, our nice security proof itself does not rule out zeroizing attacks on our obfuscation construction.
• Still, there are no known attacks to the presented obfuscation scheme over (for example) GGH13.• Recall: GGH13 seems more secure than other mmap candidates when no
low-level 0s are given out.
• Now what?
Truly a strange situation:
We can start with [GGH13] Mmaps that do have zeroizing attacks.
Use [GGH13] Mmaps to build iO.
Use iO to build a kind of Mmaps [AFHLP15, PS15].
The final Mmaps do not have any attacks,to the best of our knowledge.
(So in fact, bizarrely, we do have Mmap candidates with no known attacks.)
Post-Zeroizing ObfuscationQuestions
• Why don’t zeroizing attacks affect obfuscation (over GGH13)?• Can we argue that we only need weak Mmaps (that are
susceptible to zeroizing attacks) to build fully secure obfuscation?• Long-term research agenda: what are the minimal notions of
Mmaps that are still powerful enough to yield secure iO ?– Questions posed and progress made recently
[Badrinarayanan-Miles-Sahai-Zhandry]
Post-Zeroizing Obfuscation[Badrinarayanan-Miles-Sahai-Zhandry]
• Why don’t zeroizing attacks affect obfuscation (over GGH13)?• Recall: for zeroizing attacks, at a basic level, we need
top-level encodings of zero. How can adversary make these?• Theorem [BMSZ] (Informal):• Only way for adversary to create top-level zero is by evaluating
the complete iterated matrix product(or linear combinations thereof with known constants)
• Recall from Craig’s talk:
• Can show as corollary that adversary cannot create such encodings (at least not directly) – ruling out at least one way zeroizing attacks could exist over GGH13. (ongoing work)
In fact, this holds even when Mi matrices are not full rank.Proven in a completely different way from Kilian’s thm.We use:
Argument is careful examination of impact of permutationsσ that arise in R-1 on cancellation necessary to get to 0.
Post-Zeroizing Obfuscation[Badrinarayanan-Miles-Sahai-Zhandry]
• Can we argue that we only need weak Mmaps (that are susceptible to zeroizing attacks) to build fully secure obfuscation?
• Corollary[BMSZ] (Informal):• Yes, at least for evasive functions.• Evasive f is where it is hard to find input x such that f(x)=1• Proof sketch:
Use Theorem to create obfuscation where only way to get top-level zeroes is to evaluate corresponding to input x such that f(x)=1
• Next step: Beyond evasive, using more refined post-zeroizing model?
Post-zeroizing Obfuscation:A new target for Mmap designers
Basing security on a natural concrete conjecture
[Gentry-Lewko-Sahai-Waters]
This gives a single assumption targetfor future Mmap candidates.
The “k-Mmap” algebraic framework [Boneh-Silverberg ‘03, Garg-Gentry-Halevi ‘13]
• We work in a setting where limits are placed on allowed algebraic manipulations.
• For every nonempty subset S of {1,2,…,k}, there is GS:Each GS is a copy of ZN for large N.
• Allowed algebraic operations limited to:– Addition: GS x GS to GS – Multiplication: GS x GT to GS T⌴ , if S and T disjoint– Zero-Test: G{1,2,..k} to {Yes,No}
The “k-Mmap” algebraic framework [Boneh-Silverberg ‘03, Garg-Gentry-Halevi ‘13]
• We work in a setting where limits are placed on allowed algebraic manipulations.
• For every “level” i in {1,2,…,k}, there is Gi:Each Gi is a copy of ZN for large N.
• Allowed algebraic operations limited to:– Addition: Gi x Gi to Gi – Multiplication: GS x GT to GS T⌴ , if S and T disjoint– Zero-Test: Gk to {Yes,No}
The “k-Mmap” algebraic framework [Boneh-Silverberg ‘03, Garg-Gentry-Halevi ‘13]
• We work in a setting where limits are placed on allowed algebraic manipulations.
• For every “level” i in {1,2,…,k}, there is Gi:Each Gi is a copy of ZN for large N.
• Allowed algebraic operations limited to:– Addition: Gi x Gi to Gi – Multiplication: Gi x Gj to Gi+j, if i+j ≤ k– Zero-Test: Gk to {Yes,No}
Warm-up (Special-Case)Assumption
• k=1 Mmap over composite N, with 2 large prime factors:– One “special” prime factor c– One “distinguished” prime factor a1
– Can represent x in ZN using CRT: (x mod c, x mod a1)
• Adversary gets Level-1 encodings:– (random) generators of each prime subgroup, except c:
• [ (0, r1) ]1
– h1 = [ (r2, 0) ]1
• Hard for Adversary to distinguish Level-1 encoding of:– T = [ (r3, r4) ]1
– vs. T = [ (0, r4) ]1
This is essentially a“Subgroup Decision Assumption”
without pairings
Warm-up 2 (Special-Case)Assumption
• k=2 Mmap over composite N, with 3 large prime factors:– One “special” prime factor c– Two “distinguished” prime factors a1, a2
– Can represent x in ZN using CRT: (x mod c, x mod a1, x mod a2)
• Adversary gets Level-1 encodings:– (random) generators of each prime subgroup, except c:
• [ (0, r1, 0) ]1 and [ (0, 0, r2) ]1
– h1 = [ (r3, 0, r4) ]1 and h2 = [ (r5, r6, 0) ]1
• Hard for Adversary to distinguish Level-1 encoding of:– T = [ (r7, r8, r9) ]1
– vs. T = [ (0, r8, r9) ]1
Note: Can’t give out gc = [ (r, 0, 0) ]1 !
Otherwise, compute (T gc) and ZeroTest to distinguish.
Note: Can’t set max multi-linearity k=3 !Otherwise, compute (T h1 h2) and ZeroTest to distinguish.
The Assumption [GLW14]:Multilinear Subgroup Elimination
• k Mmap over composite N, with many large prime factors:– One “special” prime factor c– k “distinguished” prime factors a1, a2, …, ak
– poly other primes; CRT representation: (x mod c, x mod a1, …)
• Adversary gets Level-1 encodings:– (random) generators of each prime subgroup, except c:
• For “distinguished primes” as well as other primes– hi = [ (r, r1, r2, …, ri-1, 0, ri+1, ri+2, …, rk, 0, …, 0) ]1 for all i
• Hard for Adversary to distinguish Level-1 encoding of:– T = [ (r’, r’1, r’2, …, r’k, 0, …, 0) ]1
– vs. T = [ (0, r’1, r’2, …, r’k, 0, …, 0) ]1
How to argue security• We need proof of indistinguishability: iO(C0) to iO(C1)• Use several “hybrid” steps, where want to switch out some
part of C0 computation with C1 computation.• Idea: Use Kilian’s simulation to “switch” between
C0 and C1 for a single input.– Go over each input with 2n hybrids, where n=input size.
• This is OK by complexity leveraging:– We assume 2λ hardness, where λ is security parameter,
and Mmap realization has poly(λ) overhead. – When obfuscating program C with inputs of length n,
Choose λ such that λε >> n
ε
Overall reduction strategy• Reduction will isolate each input.• Main idea:– Have poly many “parallel” obfuscations,
each responsible for a bucket of inputs– Hybrid Type 1: Transfer inputs between different
buckets, but programs do not change at all. Assumption used here.
– Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program.Information-theoretic / No Assumption needed.
Thank you.
C0 C0 C1
Overall reduction strategy• Reduction will isolate each input.• Main idea:– Have poly many “parallel” obfuscations,
each responsible for a bucket of inputs– Hybrid Type 1: Allocate/Transfer inputs among different
buckets, but programs do not change at all. Assumption used here.
– Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program.Information-theoretic / No Assumption needed.
Thank you.
C0 C0 C1
Overall reduction strategy• Reduction will isolate each input.• Main idea:– Have poly many “parallel” obfuscations,
each responsible for a bucket of inputs– Hybrid Type 1: Allocate/Transfer inputs among different
buckets, but programs do not change at all. Assumption used here.
– Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program.Information-theoretic / No Assumption needed*.
Thank you.
C0 C0 C1
x
C1
Hybrid Type 1 Illustration.Consider the code:
if (x ≤ 37) then {return C0(x)
} else if (x ≤ 39) {return C0(x)
} else {return C1(x)
}
38
Lesson:Ability to make this (minor) type of
change is actually sufficient!
Hybrids intuition
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
C0
Hybrids intuition
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
C0 C0
Use Assumption to make this change
Hybrids intuition
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
C0 C0
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
C0
M1, 0~ M1, 1
~ M1, 1~
Hybrids intuition
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
C0 C0
…
M1, 1
M2, 0
M3, 0
M4, 1
…
Mk, 0
~
~
~
~
~
C0
M1, 0~ M1, 1
~
Hybrids intuition
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
C0 C0
…
M1, 1
M2, 0
M3, 0
M4, 1
…
Mk, 0
~
~
~
~
~
C1
All R matrices are independent for each obfuscation.Can now use Kilian !
M1, 0~ M1, 1
~
Hybrids intuition
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
C1
…
How to transfer inputs
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
C0 C0
…
The Assumption [GLW14]:Multilinear Subgroup Elimination
• k Mmap over composite N, with many large prime factors:– One “special” prime factor c– k “distinguished” prime factors a1, a2, …, ak
– poly other primes; CRT representation: (x mod c, x mod a1, …)
• Adversary gets Level-1 encodings:– (random) generators of each prime subgroup, except c:
• For “distinguished primes” as well as other primes– hi = [ (r, r1, r2, …, ri-1, 0, ri+1, ri+2, …, rk, 0, …, 0) ]1 for all i
• Hard for Adversary to distinguish Level-1 encoding of:– T = [ (r’, r’1, r’2, …, r’k, 0, …, 0) ]1
– vs. T = [ (0, r’1, r’2, …, r’k, 0, …, 0) ]1
How to transfer inputs (cheating)
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
C0 C0
…
Prime cPrime a1
Use Tto create these
Use hi, i≠1to create rest
(since they are the samein c and a1 subgroups)
“Missing” ai in hi
used to enforce input consistency.
Key point:The programs for each prime is fixed.
The reduction can directly build all matrices.Assumption plays no role in matrix choices.
iO without Mmap candidates?FE to iO (sketch) [AJ, BV,AJS]
• Starting point:[Goldwasser-Goyal-Jain-Sahai] [Gordon-Katz-Liu-Shi-Zhou]showed that Multi-Input Functional Encryption (MiFE) implies iO
Func-Priv MiFE1
Pub-key FE
Func-Priv MiFE2
Pub-key FE
Func-Priv MiFE-1
Pub-key FE
Priv-key FE
MiFE2 MiFE3 MiFE
...[BS’15]
n-1
Slide from Abhishek Jain
In fact, only need FE for simple functions [AJS]:
Conclusion
• Obfuscation – despite amazing progress, still in its infancy.
• Need to explore risky new approaches. We are still in the initial mapping-out stage, not anywhere near the cleanup stage.
• Efficiency remains major bottleneck. Polynomial time, but current computational overhead easily exceeds 2100.
• iO surprisingly useful: See Craig’s talk!