Brent Waters, Amit Sahai: How to Use Indistinguishability Obfuscation

Upload: aolani

Post on 02-Feb-2016



TRANSCRIPT

Page 1: Brent Waters

Brent Waters, Amit Sahai

How to Use Indistinguishability Obfuscation

Page 2: Brent Waters

Code Obfuscation

Goal: Make program (maximally) unintelligible

Obfuscator

Page 3: Brent Waters

Applications!

Demo or “need to know” software

Software Patching

Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …

Page 4: Brent Waters

Difficulty of Achieving Obfuscation

Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]

Initial Functionalities:

• Point Functions [LPS04, …] and hyperplanes [CRV10]

• Explanation of existing functionality [OS05, HRSV07]

What does this mean?

Page 5: Brent Waters

Idealized Obfuscation

Idea: Learn nothing more than with black box access

• Natural for applications, building crypto

vs.

• Some (contrived) counter-examples [BGIRSVY01]

No broad candidate class of obfuscatable functionalities

Generic group proofs [BR13, BGKPS13]

Page 6: Brent Waters

Indistinguishability Obfuscation

Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits

• a(b+c) vs. ab + ac

• Avoids negative results of [BGIRSVY01]

• What is it good for?

Page 7: Brent Waters

Vision: IO as hub for cryptography

Indistinguishability Obfuscation

Standard Assumption (e.g. LWE)

“Most” of cryptography

This talk

+ OWFs

Page 8: Brent Waters

How do we build public key encryption from Indistinguishability Obfuscation?

Page 9: Brent Waters

Punctured Programs Technique

Punctured PRF key K{x*}: evaluates the PRF on all points except x*

Remove key element of program:

• Attacker cannot win without it

• Does not change functionality

Special case of constrained PRFs [BW13,BGI13,KPTZ13]

Build from [GGM84]

Security: Cannot distinguish F(K,x*) and random given K{x*}
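
The GGM-based punctured PRF from this slide, as an added example (not code from the talk or its authors): K{x*} is the set of sibling seeds along the tree path to x*, so every other point can still be evaluated while F(K,x*) cannot. HMAC-SHA256 as the length-doubling PRG, the 8-bit domain and all function names are assumptions of this example.

```python
import hashlib
import hmac

N_BITS = 8  # input length n (assumed); small so the whole domain can be checked

def prg(seed: bytes) -> tuple:
    """Length-doubling PRG G(s) = (G0(s), G1(s)); HMAC-SHA256 is an assumed stand-in."""
    return (hmac.new(seed, b"\x00", hashlib.sha256).digest(),
            hmac.new(seed, b"\x01", hashlib.sha256).digest())

def bits(x: int) -> list:
    """Most-significant-bit-first path of x through the GGM tree."""
    return [(x >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]

def walk(seed: bytes, path: list) -> bytes:
    """Descend from a node seed along the given bits."""
    for b in path:
        seed = prg(seed)[b]
    return seed

def F(key: bytes, x: int) -> bytes:
    """GGM PRF: follow the bits of x from the root seed K down to a leaf."""
    return walk(key, bits(x))

def puncture(key: bytes, x_star: int) -> dict:
    """K{x*}: the seed of every sibling hanging off the root-to-x* path."""
    pkey, seed, path = {}, key, bits(x_star)
    for i, b in enumerate(path):
        children = prg(seed)
        pkey[tuple(path[:i]) + (1 - b,)] = children[1 - b]  # sibling is revealed
        seed = children[b]                                   # on-path seed is not
    return pkey

def F_punctured(pkey: dict, x: int) -> bytes:
    """Evaluate with K{x*}; works everywhere except the punctured point."""
    path = bits(x)
    for i in range(1, N_BITS + 1):
        seed = pkey.get(tuple(path[:i]))
        if seed is not None:
            return walk(seed, path[i:])
    raise ValueError("x is the punctured point; K{x*} holds no seed on its path")

def agrees_off_point(key: bytes, x_star: int) -> bool:
    """True iff K{x*} and K give the same output on every x != x*."""
    pkey = puncture(key, x_star)
    return all(F_punctured(pkey, x) == F(key, x)
               for x in range(2 ** N_BITS) if x != x_star)
```

The punctured key holds n seeds rather than one, and functionality on all x other than x* is unchanged, which is the property the iO hybrids on the following slides rely on.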

Page 10: Brent Waters

Initial Attempt

Problems:

(1) Program knows PRF at t*

(2) If puncture out, will not be equivalent!

Setup: Choose Punctured PRF key K, PK= obfuscation of

Page 11: Brent Waters

Simple PKE from iO

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt(m): Choose random r; input m,r into program

Decrypt(K,CT=(c1,c2)):

Decryption is fast = symmetric key

Page 12: Brent Waters

Proof of Encryption Scheme

Hyb 0: IND-CPA

Page 13: Brent Waters

Proof of Encryption Scheme

Hyb 0: IND-CPA

Hyb 1: t* is random

PRG security

Page 14: Brent Waters

Proof of Encryption Scheme

Hyb 0: IND-CPA

Hyb 1: t* is random

PRG security

Hyb 2: Use K{t*}

iO security

Page 15: Brent Waters

Proof of Encryption Scheme

Hyb 0: IND-CPA

Hyb 1: t* is random

PRG security

Hyb 2: Use K{t*}

iO security

Hyb 3: Replace F(K,t*) w/ z*

Punctured PRF security

Page 16: Brent Waters

A Very Simple CCA-KEM

Setup: Choose Punctured PRF key K, PK= obfuscation of

Encrypt: Choose random r, give as input

Decrypt(K,c):

Page 17: Brent Waters

How about signatures?

Page 18: Brent Waters

Natural Candidate

Setup: Choose Punctured PRF key K, VK= obfuscation of

Works with heuristic, but how to prove??

Page 19: Brent Waters

A Signature Scheme

Setup: Choose Punctured PRF key K, VK= obfuscation of

Verify(VK,m,s): Input m,s into verify program

Sign(K,m):

Signing is fast = symmetric key

f is a OWF

Page 20: Brent Waters

Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

Page 21: Brent Waters

Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

Hyb 1: Punctured Program

iO security

Page 22: Brent Waters

Proof of Signature Scheme

Hyb 0: (Selective) Signature Security [GMR84]

Hyb 1: Punctured Program

iO security

Hyb 2: z* random

Punctured PRF security

Page 23: Brent Waters

Other Core Primitives

NIZKs [BDMP91]

• Sign x if x is in L

• Succinct proofs

Semi Honest Oblivious Transfer [R81]

Injective Trapdoor Functions

Simple CCA secure KEM

Page 24: Brent Waters

The rest of the talk

(1) Deniable Encryption

(2) Functional Encryption [GGHRSW13]

(3) Open Directions

Page 25: Brent Waters

Deniable Encryption

Page 26: Brent Waters

Deniable Encryption [CDNO97]

Enc(PK, m= ,r) -> CT

Demands message and randomness!

Fake r’ where

Enc(PK, m= ,r’) -> CT

Anthony

Best solutions: attacker adv. 1/n, n ~ size of pub key

Problematic for encrypting many messages

Page 27: Brent Waters

Publicly Deniable Encryption

Anyone can explain!

Setup(n) -> PK, SK

Encrypt(PK, m; u) -> c

Decrypt(SK, c) -> m

Explain(PK, c, m; r) -> u’

Two security properties (implies standard deniable):

(1) IND-CPA Security

(2) Indistinguishability of Explanation

Advantage of separation: Simpler proofs

Single message game

Page 28: Brent Waters

Hidden Sparse Triggers

Idea: A negligible fraction of the randomness space are “trigger values” that bypass normal encryption and produce a specific value

Explain(PK, C): Encoding of C in Hidden Trigger Set

Encrypt(PK,m;u): Checks if randomness in trigger set

If yes, decrypts encoding to CT; else does fresh encrypt

Hidden triggers

Randomness Space

Page 29: Brent Waters

An Attempt and Malleability Issues

Encrypt:

Explain:

Malleability Attack!

Page 30: Brent Waters

Our Deniable Encryption System

Encrypt:

Explain:

Page 31: Brent Waters

Proof Overview

IND-CPA Proof: Simple proof; obfuscation not used

Explainability:

• Encoding: Look like random string & non-malleable

• Intricate multistep hybrid proof

Page 32: Brent Waters

Using Deployed Keys

Receiver may:

• Already have established key

• Be disinterested/uninterested in D.E.

Universal Deniable Encryption: D.E. to ordinary keys

• One time (uncorrupted) trusted setup

• Use to deniably encrypt to any PK

• Takes Encryption function as input

Page 33: Brent Waters

Functional Encryption

Page 34: Brent Waters

Functional Encryption [SW05…]

Public Parameters

Authority

MSK

Key: f

SK

CT: x

Functionality: Learn f(x); x is hidden

Collusion Bounded & Applications: SS10, PRV12, AGVW13, GKVPZ13

X

Collusion Resistance core to concept! (Like IBE)

Page 35: Brent Waters

An Application: Facial Identification

SK

Page 36: Brent Waters

Tools

Statistically Simulation Sound NIZKs

• Statistically sound except for simulated statement

• Build from WI proofs

Two Key Technique [NY90,S99]

Page 37: Brent Waters

Functional Encryption System [GGHRSW13]

Setup: Generate two key pairs (PK1,SK1), (PK2,SK2); output CRS from NIZK setup

Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this

KeyGen(SK1,f): Obfuscate program

Decrypt(CT, SKf): Run obfuscated program on CT

Page 38: Brent Waters

Proof Overview

Challenge CT:

Keys:

Page 39: Brent Waters

Step 1

Challenge CT:

Keys:

NIZK security

Page 40: Brent Waters

Step 2

Challenge CT:

Keys:

IND-CPA security

Page 41: Brent Waters

Step 3

Challenge CT:

Keys:

IO security

Page 42: Brent Waters

Step 4

Challenge CT:

Keys:

IND-CPA security

Page 43: Brent Waters

Step 5

Challenge CT:

Keys:

IO security

Page 44: Brent Waters

Step 6

Challenge CT:

Keys:

NIZK security

Page 45: Brent Waters

Evolution of Functional Encryption

Sahai-Waters 2005: Introduction of Attribute-Based Encryption

GPSW 2006: Access Control (ABE) for any boolean formula

BW 2007, KSW08: “Predicate Encryption”; dot product functionality

Talks 2008: “Rebranded” as Functional Encryption, BSW11 reformalized (BSW11+O10 added simulation def.)

FE at 2013: Still Inner Product (& Applications)

Best we can do with bilinear maps

GGHSW13/GVW13: ABE for circuits

GGHRSW 2013: Functional Encryption for any circuit

Page 46: Brent Waters

Evolution of Functional Encryption

Obfuscation

Page 47: Brent Waters

Looking Forward

Page 48: Brent Waters

Explosion of Obfuscation

• Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]

• Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]

• Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]

• Two-round secure MPC from Indistinguishability Obfuscation [GGSR]

• Protecting Obfuscation Against Algebraic Attacks [BGKPS]

• Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]

• Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]

• There is no Indistinguishability Obfuscation in Pessiland [MR]

• On Extractability Obfuscation [BCP]

• A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]

• Separations in Circular Security for Arbitrary Length Key Cycles [RVW]

• Obfuscation for Evasive Functions [BBCKPS]

• Differing-Inputs Obfuscation and Applications [ABGSZ]

• More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]

• Multi-Input Functional Encryption [GGJS]

• Functional Encryption for Randomized Functionalities [GJKS]

• Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]

• Multi-Input Functional Encryption [GKLSZ]

• Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]

Late July: GGHRSW13, SW13 eprint

4 months later

Page 49: Brent Waters

95%

My Probabilities

I will make it to Weizmann in Dec. 38%

Indistinguishability Obfuscation from LWE-type assumption in 4 years

Amit eprints an obfuscation paper in next 2 months

63%

Page 50: Brent Waters

Thank you