Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup
Elimination Assumption
Craig Gentry (IBM), Allison Lewko (Columbia), Amit Sahai (UCLA), Brent Waters (UT-Austin)
Witness Encryption [GGSW13]
Encrypt a message M under an NP statement, e.g. "the 3-CNF formula φ is satisfiable".
Correctness: can decrypt using a witness (a satisfying assignment for φ).
Security: if the statement is false, the message is hidden.
Applications of Witness Encryption
• PKE with fast key generation
• Identity-based encryption
• Attribute-based encryption for circuits
• Attribute-based encryption for Turing Machines [GKPVZ13]
Indistinguishability Obfuscation
Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits
• a(b+c) vs. ab + ac
• Avoids negative results of [BGIRSVY01]
• But what is it good for?
Applications of iO
• Demo or "need to know" software
• Software Patching
• Crypto, old and new: Traitor Tracing, Functional Encryption, Deniable Encryption, …
Vision: Indistinguishability Obfuscation + OWFs ⇒ "Most" of cryptography
The First Candidate Schemes
• WE from multilinear maps [GGSW13]
• iO from multilinear maps [GGHRSW13], and later [BR13, BGKPS14, PST14]
+ Simple, intuitive construction
- Assumption essentially matches scheme
- Generic group security or scheme structure embedded in the assumption
Goal: Reductions to Simple Assumptions
The Assumption: Multilinear Subgroup Elimination
• k-Mmap over composite N, with many large prime factors:
– One "special" prime factor c
– k "distinguished" prime factors a1, a2, …, ak
– poly other primes
• Adversary gets Level-1 encodings:
– (random) generators of each prime subgroup, except c
– hi : random element of order c(a1 a2 … a_{i-1} a_{i+1} … ak)
• Hard for Adversary to distinguish a Level-1 encoding of:
– a random element T of order (a1 a2 … ak)
– vs. a random element T of order c(a1 a2 … ak)
Obstacle to Using a Simple Assumption for WE
Imagine a typical reduction to a simple assumption (figure: the Reduction sits between the Hard Problem and the Attacker; it hands the attacker a CT for a false statement and uses the attacker's decryption).
What if the reduction could be fooled into working for a true statement? (For a true statement, the attacker could be simulated with the witness.)
It seems the reduction needs to "check" that the statement is false.
Analogous Obstacle for iO
(figure: the Reduction sits between the Hard Problem and the Attacker; it hands the attacker an obfuscation for two equal programs and uses the attacker's output.)
What if the reduction could be fooled into working on two programs that differ on some input? (For unequal programs, the attacker could be simulated by testing on a differing input.)
It seems the reduction needs to "check" that the programs agree everywhere.
Our Approach: Positional WE
Algorithms:
Encrypt(message M, position t, statement φ) → CT
Suppose potential witnesses are bit strings of length n (think of them as ordered).
Decrypt(CT, witness w) → M only when w ≥ t and w is a valid witness
Security Properties for Positional WE
Positional Indistinguishability:
Message Indistinguishability:
If t is not a valid witness for Á, then:
For any m0, m1:
Deriving WE from Positional WE
For the scheme: Encrypt to position 0.
For the security proof: hybrid over all 2^n positions.
For a false statement f, the hybrid chain is justified step by step by Positional Indist., Message Indist., Positional Indist. (as labelled in the figure).
Positional iO
Security Properties for Positional iO
Building Positional WE
Since we want a simple assumption, we need to keep breaking down the problem.
3 parts in the ciphertext, each evaluated on a candidate witness w:
1. Counter (Count = t): 1 iff w < t
2. CNF formula φ: 1 iff w doesn't satisfy φ
3. Message (one bit): 1 iff message = 1
Decryption: OR of the three parts.
Constructing ORs of ANDs with Subgroups
(figure: key legend distinguishing random entries from identity entries)
Intermediary Goal: find a convenient "OR of ANDs" abstraction general enough to build the counter, CNF, and message components.
Mid-layer Abstraction: Tribes Matrices
Representing an "OR of ANDs" boolean function in a 3-d matrix.
From boolean function analysis: a "tribes" function is an OR of ANDs of disjoint sets.
(figure: worked example whose tribes evaluate to 1, 0, 0, so the OR = 1 in this case)
Using Tribes Matrices
• These are general enough to represent counters (threshold functions), CNFs, and messages.
• Can simply concatenate matrices for the separate components.
• An "encrypted" tribes matrix can be produced from multilinear maps.
• Certain small changes to an encrypted tribes matrix can be reduced to the subgroup elimination assumption (these don't affect the overall Boolean function).
• Can use a hybrid chain of small changes to increment the counter; this doesn't change the function because the CNF is unsatisfied.
Back to Indistinguishability Obfuscation
• Basic building blocks can be the same – e.g. positional counter, underlying tribes matrices
• But now we don’t have a formula!
• To increment the counter, we must leverage that two programs agree on that input.
Core Idea: Kilian Argument "in a Subgroup"
Matrix Branching Program: a pair of matrices A_{i,0}, A_{i,1} for each slot i = 1, …, 4; the input bits are assigned to the slots as x1 x3 x2 x1.
Evaluate by multiplying one matrix per slot, selected by the corresponding input bit.
Kilian: randomize the matrices by inserting R_i and R_i^{-1} between adjacent slots (R1, R1^{-1}, R2, R2^{-1}, R3, R3^{-1}), so the randomized slot i holds R_{i-1}^{-1} A_{i,b} R_i.
If only one matrix per slot is taken, the distribution is random up to the product.
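Kilian's randomization from the slide above, as an added Python example that is not from the talk or the paper: a toy 4-slot branching program with 2×2 matrices over Z_P, the slot-to-input-bit map x1 x3 x2 x1, and random R_i inserted between adjacent slots; `randomization_preserves_products` checks that the product for every input is unchanged. The modulus P = 10007, the seeds, and the program PROG are constructed values.

```python
# Added example (not from the talk or paper): Kilian randomization of a toy
# matrix branching program over Z_P, matching the slide's layout R1, R1^-1, ...
import random
from itertools import product
P = 10007  # constructed: small prime modulus for the toy example
INP = [0, 2, 1, 0]  # constructed: 4 slots reading bits x1 x3 x2 x1 (0-indexed)
I2 = [[1, 0], [0, 1]]

def matmul(a, b):  # 2x2 product mod P
    return [[sum(a[i][k] * b[k][j] for k in range(2)) % P
             for j in range(2)] for i in range(2)]

def det2(m):
    return (m[0][0] * m[1][1] - m[0][1] * m[1][0]) % P

def inv2(m):  # 2x2 inverse mod P (det must be nonzero)
    d = pow(det2(m), -1, P)
    return [[m[1][1] * d % P, -m[0][1] * d % P],
            [-m[1][0] * d % P, m[0][0] * d % P]]

def rand_invertible(rng):  # rejection-sample an invertible 2x2 matrix
    while True:
        m = [[rng.randrange(P) for _ in range(2)] for _ in range(2)]
        if det2(m):
            return m

def evaluate(prog, inp, x):
    """Multiply one matrix per slot, selected by the input bit x[inp[i]]."""
    acc = I2
    for i, var in enumerate(inp):
        acc = matmul(acc, prog[i][x[var]])
    return acc

def kilian(prog, rng):
    """Slot i becomes R_{i-1}^-1 * A_{i,b} * R_i (no left factor on the first
    slot, no right factor on the last), so the R's telescope in any product."""
    k = len(prog)
    R = [rand_invertible(rng) for _ in range(k - 1)]
    out = []
    for i in range(k):
        left = inv2(R[i - 1]) if i > 0 else I2
        right = R[i] if i < k - 1 else I2
        out.append([matmul(matmul(left, prog[i][b]), right) for b in (0, 1)])
    return out

RNG = random.Random(7)  # constructed seed; PROG is a random toy program
PROG = [[rand_invertible(RNG) for _ in (0, 1)] for _ in INP]

def randomization_preserves_products(prog=PROG, inp=INP, seed=1):
    """True iff every 3-bit input gives the same product before and after."""
    rprog = kilian(prog, random.Random(seed))
    return all(evaluate(prog, inp, x) == evaluate(rprog, inp, x)
               for x in product((0, 1), repeat=3))
```

The individual randomized matrices differ from the originals (each slot is multiplied by fresh R's), yet any one-matrix-per-slot product is identical, which is exactly the "random up to the product" property the slide relies on.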
How to Argue Security
• We need a proof of indistinguishability: iO(C0) to iO(C1).
• Use several "hybrid" steps, where we want to switch out some part of the C0 computation with C1 computation.
• Idea: Use Kilian's simulation to "switch" between C0 and C1 for a single input.
– Go over each input with 2^n hybrids, where n = input size.
Overall Reduction Strategy
• Reduction will isolate each input.
• Main idea:
– Have poly many "parallel" obfuscations, each responsible for a bucket of inputs.
– Hybrid Type 1: Allocate/Transfer inputs among different buckets, but programs do not change at all. Assumption used here.
– Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program. Information-theoretic / No Assumption needed.
(figure: parallel obfuscations labelled C0, C0, C1, with the isolated input x handled by C1)
Hybrid Type 1 Illustration. Consider the code:
  If (x ≤ 37) then { return C0(x) }
  else if (x ≤ 39) { return C0(x) }
  else { return C1(x) }
The slide changes the first threshold from 37 to 38: input 38 moves between two buckets that both run C0, so the function does not change.
Lesson: Ability to make this (minor) change is actually important!
Hybrids Intuition (figure sequence). Each obfuscation is drawn as a column of matrix pairs M1,0 M1,1, M2,0 M2,1, M3,0 M3,1, M4,0 M4,1, …, Mk,0 Mk,1, each pair Kilian-randomized (~). The slides show, in order:
– a single obfuscation of C0;
– two parallel obfuscations, C0 and C0;
– the two copies split by the first input bit (one keeps only M1,1, the other only M1,0), plus a third copy of C0 restricted to a single input, keeping one matrix per row (M1,1, M2,0, M3,0, M4,1, …, Mk,0);
– the same picture with the isolated copy switched to C1;
– a single obfuscation of C1.
All R matrices are independent for each obfuscation. Can now use Kilian!
How to Transfer Inputs
(figure: two parallel obfuscations of C0, each drawn as a column of Kilian-randomized matrix pairs M1,0 M1,1 through Mk,0 Mk,1)
Recall: Multilinear Subgroup Elimination Assumption
• k-Mmap over composite N, with many large prime factors:
– One "special" prime factor c
– k "distinguished" prime factors a1, a2, …, ak
– poly other primes
• Adversary gets Level-1 encodings:
– (random) generators of each prime subgroup, except c
– hi : random element of order c(a1 a2 … a_{i-1} a_{i+1} … ak)
• Hard for Adversary to distinguish a Level-1 encoding of:
– a random element T of order (a1 a2 … ak)
– vs. a random element T of order c(a1 a2 … ak)
How to Transfer Inputs (cheating)
(figure: two parallel obfuscations of C0 as columns of matrix pairs, with the prime c and prime a1 components highlighted)
Use T to create these (the highlighted c / a1 components); use hi, i ≠ 1, to create the rest (since they are the same in the c and a1 subgroups).
The "missing" ai in hi is used to enforce input consistency.
Key point: the program for each prime is fixed. The reduction can directly build all matrices; the assumption plays no role in matrix choices.
Some Additional Details…
1. Constructing multilinear maps w/ composite order subgroups: can do with a variant of the [CLT13] approach.
2. Constructing a prime order version: can do using an eigenspace approach.
For details, see the full version of [GLW14] on eprint.
Questions?
Defining a Cryptographic Tribes Scheme
Building Positional WE from Tribes
3 parts in a Positional WE Ciphertext, each evaluated on a candidate witness w:
1. Counter (Count = t): outputs 1 iff w < t
2. CNF formula φ: outputs 1 iff w doesn't satisfy φ
3. Message (one bit): outputs 1 iff message = 1
We need to build each of these into a Tribes matrix.
The Inter-column Security Game
Encoding a CNF Formula in a Tribes Matrix
How Subgroup Elimination Implies Inter-Column Security
Encoding a Counter in a Tribes Matrix
Linking the Counter/Formula/Message
Recall: parts of a Positional WE Ciphertext:
1. Counter (Count = t)
2. CNF formula φ
3. Message (one bit)
(figure: the three blocks side by side, plus a "scratch column" containing all 0's, useful for the proof)
The tribes matrix for M implements the OR of the count, formula, and message pieces.
Incrementing the Counter
• When formula φ is false, we want to increment counter t using the inter-column security game.
• φ false means some clause φj is false.
• Can use the jth column of Mφ to justify some changes in Mt via inter-column security (for details, see the paper).
Instantiating Inter-column Security
Arranging the Subgroups
Example: n = 2
This is just a typical subgroup decision assumption in the bilinear setting.
Challenge: or ?
The Multilinear Subgroup Elimination Assumption