brent waters
Post on 02-Feb-2016
46 Views
Preview:
DESCRIPTION
TRANSCRIPT
Brent WatersAmit Sahai
How to Use Indistinguishability Obfuscation
2
Code Obfuscation
Goal: Make program (maximally) unintelligible
Obfuscator
3
Applications!
Demo or “need to know” software
Software Patching
Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …
4
Difficulty of Achieving Obfuscation
Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]
Initial Functionalities:
•Point Functions [LPS04, …] and hyperplanes [CRV10]
•Explanation of existing functionality[OS05, HRSV07]
What does this mean?
• Some (contrived) counter-examples [BGIRSVY 01]
vs.
5
Idealized Obfuscation
• Natural for applications, building crypto
Idea: Learn nothing more than with black box access
No broad candidate class of obfuscatable functionalities
Generic group proofs [BR13,BGKPS13]
• What is it good for?
Indistinguishability Obfuscation
• Avoids negative results of [BGIRSVY01]
Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits • a (b+c) vs. ab + ac
7
Vision: IO as hub for cryptography
Indistinguishabilty Obfuscation
Standard Assumption (e.g. LWE)
“Most” of cryptography
This talk
+ OWFs
How do we build public key encryption from Indistinguishability Obfuscation?
9
Punctured Programs Technique
Punctured PRF key: K{x*} eval PRF on all points, but x*
Remove key element of program:
•Attacker cannot win without it
•Does not change functionality
Special case of constrained PRFs [BW13,BGI13,KPTZ13]
Build from [GGM84]
Security: Cannot distinguish F(K,x*) and random given K{x*}
10
Initial Attempt
Problems:
(1) Program knows PRF at t*
(2) If puncture out, will not be equivalent!
Setup: Choose Punctured PRF key K, PK= obfuscation of
11
Simple PKE from iO
Setup: Choose Punctured PRF key K, PK= obfuscation of
Encrypt(m): Choose random r; input m,r into programDecrypt(K,CT=(c1,c2)):
Decryption is fast = symmetric key
12
Proof of Encryption Scheme
Hyb 0: IND-CPA
13
Proof of Encryption Scheme
Hyb 0: IND-CPA
Hyb 1: t* is random
PRG security
14
Proof of Encryption Scheme
Hyb 0: IND-CPA
Hyb 1: t* is random
PRG security
Hyb 2: Use K{t*}
iO security
15
Proof of Encryption Scheme
Hyb 0: IND-CPA
Hyb 1: t* is random
PRG security
Hyb 2: Use K{t*}
iO security
Hyb 3: Replace F(K,t*) w/ z*
Punctured PRF security
16
A Very Simple CCA-KEM
Setup: Choose Punctured PRF key K, PK= obfuscation of
Encrypt: Choose random r, give as input
Decrypt(K,c):
How about signatures?
18
Natural Candidate
Setup: Choose Punctured PRF key K, VK= obfuscation of
Works with heuristic, but how to prove??
19
A Signature Scheme
Setup: Choose Punctured PRF key K, VK= obfuscation of
Verify(VK,m,s): Input m,s into verify program
Sign(K,m):
Signing is fast = symmetric key
f is a OWF
20
Proof of Signature Scheme
Hyb 0: (Selective) Signature Security [GMR84]
21
Proof of Signature Scheme
Hyb 0: (Selective) Signature Security [GMR84]
Hyb 1: Punctured Program
iO security
22
Proof of Signature Scheme
Hyb 0: (Selective) Signature Security [GMR84]
Hyb 1: Punctured ProgramHyb 2: z* random
iO security
Punctured PRF security
23
Other Core Primitives
NIZKs[BDMP91]
•Sign x if x is in L
•Succinct proofs
Semi Honest Oblivious Transfer[R81]
Injective Trapdoor Functions
Simple CCA secure KEM
24
The rest of the talk
(1)Deniable Encryption
(2) Functional Encryption [GGHRSW13]
(3) Open Directions
Deniable Encryption
26
Deniable Encryption [CDNO97]
Enc(PK, m= ,r) -> CT
Demands message and randomness!
Fake r’ where
Enc(PK, m= ,r’) -> CT
Anthony
Best solutions attacker adv. 1/n, n~ size of pub key
Problematic for encrypting many messages
27
Publicly Deniable Encryption Anyone can explain!
Setup(n) -> PK,SK
Encrypt(PK,m;u)-> c
Decrypt(SK,c) -> mExplain(PK,c,m;r) -> u’
(1) IND-CPA Security
(2) Indistinguishability of Explanation
Two security properties (implies standard deniable)
Advantage of separation: Simpler proofs
Single message game
28
Hidden Sparse Triggers
Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value
Explain(PK, C): Encoding of C in Hidden Trigger Set
Encrypt(PK,m;u): Checks if randomness in trigger set
If yes, decrypts encoding to CT; else does fresh encrypt
Hidden triggers
Randomness Space
29
An Attempt and Malleability Issues
Encrypt:
Explain:
Malleability Attack!
30
Our Deniable Encryption System
Encrypt:
Explain:
31
Proof Overview
IND-CPA Proof: Simple proof; obfuscation not used
Explainability:
•Encoding: Look like random string & non-malleable
•Intricate multistep hybrid proof
32
Using Deployed Keys
Receiver may:
•Already have established key
•Be disinterested/uninterested in D.E.
Universal Deniable Encryption: D.E. to ordinary keys
•One time (uncorrupted) trusted setup
•Use to deniably encrypt to any PK
•Takes Encryption function as input
Functional Encryption
34
Functional Encryption [SW05…]
Public Parameters
Authority
MSK
Key: f
SK
CT: x
Functionality: Learn f(x); x is hidden
Collusion Bounded & Applications:SS10, PRV12, AGVW13, GKVPZ13
X
Collusion Resistance core to concept! (Like IBE)
35
An Application: Facial Identification
SK
36
Tools
Statistically Simulation Sound NIZKs
•Statistically sound except for simulated statement
•Build from WI proofs
Two Key Technique [NY90,S99]
37
Functional Encryption System [GGHRSW13]
Setup: Generate two keys pairs (PK1,SK1), (PK2,SK2) output CRS from NIZK setup
Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this
KeyGen(SK1,f): Obfuscate program
Decrypt(CT, SKf): Run obfuscated program on CT
38
Proof Overview
Challenge CT:
Keys:
39
Step 1
Challenge CT:
Keys:
NIZK security
40
Step 2
Challenge CT:
Keys:
IND-CPA security
41
Step 3
Challenge CT:
Keys:
IO security
42
Step 4
Challenge CT:
Keys:
IND-CPA security
43
Step 5
Challenge CT:
Keys:
IO security
44
Step 6
Challenge CT:
Keys:
NIZK security
GGHRSW 2013: Functional Encryption for any circuit45
Evolution of Functional Encryption
Sahai-Waters 2005: Introduction of Attribute-Based Encryption
GPSW 2006: Access Control (ABE) for any boolean formula
BW 2007, KSW08: “Predicate Encryption”; dot product functionalityTalks 2008: “Rebranded” as Functional Encryption , BSW11 reformalized (BSW11+O10 added simulation def.)
FE at 2013: Still Inner Product (& Applications)
Best we can do with bilinear maps
GGHSW13/GVW13: ABE for circuits
46
Evolution of Functional Encryption
Obfuscation
Looking Forward
48
Explosion of Obfuscation
• Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]
• Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]
• Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]
• Two-round secure MPC from Indistinguishability Obfuscation [GGSR]
• Protecting Obfuscation Against Algebraic Attacks [BGKPS]
• Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]
• Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]
• There is no Indistinguishability Obfuscation in Pessiland [MR]
• On Extractability Obfuscation [BCP]
• A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]
• Separations in Circular Security for Arbitrary Length Key Cycles [RVW]
• Obfuscation for Evasive Functions [BBCKPS]
• Differing-Inputs Obfuscation and Applications [ABGSZ]
• More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]
• Multi-Input Functional Encryption [GGJS]
• Functional Encryption for Randomized Functionalities[GJKS]
• Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]
• Multi-Input Functional Encryption [GKLSZ]
• Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]
Late July: GGHRSW13, SW13 eprint
4 months later
95%
49
My Probabilities
I will make it to Weizmann in Dec. 38%
Indistinguishability Obfuscation from LWE-type assumption in 4 years
Amit eprints an obfusction paper in next 2 months
63%
50
Thank you
top related