
How to Use Indistinguishability Obfuscation. Amit Sahai, Brent Waters. Code Obfuscation. Goal: Make program (maximally) unintelligible. Obfuscator. Applications! Demo or “need to know” software. Software Patching.

## Brent Waters


**How to Use Indistinguishability Obfuscation**

Amit Sahai, Brent Waters

**Code Obfuscation**

- Goal: Make program (maximally) unintelligible
- Obfuscator

**Applications!**

- Demo or “need to know” software
- Software Patching
- Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …

**Difficulty of Achieving Obfuscation**

- Initial Functionalities:
  - Point Functions [LPS04, …] and hyperplanes [CRV10]
  - Explanation of existing functionality [OS05, HRSV07]
- Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]
- What does this mean?

**Idealized Obfuscation**

- Idea: Learn nothing more than with black box access vs.
- Natural for applications, building crypto
- Some (contrived) counter-examples [BGIRSVY01]
- No broad candidate class of obfuscatable functionalities
- Generic group proofs [BR13, BGKPS13]

**Indistinguishability Obfuscation**

- Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits
- a (b+c) vs. ab + ac
- Avoids negative results of [BGIRSVY01]
- What is it good for?

**Vision: IO as hub for cryptography**

- Standard Assumption (e.g. LWE)
- Indistinguishability Obfuscation + OWFs
- This talk
- “Most” of cryptography

**How do we build public key encryption from Indistinguishability Obfuscation?**

**Punctured Programs Technique**

- Remove key element of program:
  - Attacker cannot win without it
  - Does not change functionality
- Punctured PRF key: K{x*} eval PRF on all points, but x*
- Security: Cannot distinguish F(K,x*) and random given K{x*}
- Special case of constrained PRFs [BW13, BGI13, KPTZ13]
- Build from [GGM84]

**Initial Attempt**

- Setup: Choose Punctured PRF key K, PK = obfuscation of
- Problems:
  - (1) Program knows PRF at t*
  - (2) If puncture out, will not be equivalent!

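
An added example (not from the talk) of the GGM-based punctured PRF that the "Punctured Programs Technique" slide refers to: K{x*} is the list of sibling seeds along the tree path to x*, which fixes F(K,x) at every point except x*. The SHA-256-based PRG, the 8-bit input length and all function names are assumptions made for illustration.

```python
import hashlib

N_BITS = 8  # toy input length (assumption); real inputs are far longer

def prg(seed):
    """Length-doubling PRG G(s) = (G0(s), G1(s)); SHA-256 stands in (assumption)."""
    return (hashlib.sha256(b"\x00" + seed).digest(),
            hashlib.sha256(b"\x01" + seed).digest())

def bits(x):
    """Big-endian bits of an N_BITS-bit input."""
    return [(x >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]

def eval_prf(key, x):
    """GGM PRF F(K, x): walk the binary tree from the root seed along x's bits."""
    s = key
    for b in bits(x):
        s = prg(s)[b]
    return s

def puncture(key, x_star):
    """K{x*}: the sibling seed at each level of the root-to-x* path."""
    siblings, s = [], key
    for b in bits(x_star):
        children = prg(s)
        siblings.append(children[1 - b])  # root of the subtree without x*
        s = children[b]                   # on-path seed, deliberately not stored
    return {"x_star": x_star, "siblings": siblings}

def eval_punctured(pkey, x):
    """Compute F(K, x) from K{x*} for any x != x*."""
    if x == pkey["x_star"]:
        raise ValueError("K{x*} cannot evaluate the PRF at x*")
    xb, sb = bits(x), bits(pkey["x_star"])
    i = next(j for j in range(N_BITS) if xb[j] != sb[j])  # where x leaves the path
    s = pkey["siblings"][i]
    for b in xb[i + 1:]:
        s = prg(s)[b]
    return s

def check_agreement(key, x_star):
    """True if K{x*} reproduces F(K, .) at every point except x*."""
    pk = puncture(key, x_star)
    return all(eval_punctured(pk, x) == eval_prf(key, x)
               for x in range(2 ** N_BITS) if x != x_star)
```

The punctured key holds N_BITS seeds, none of which lies on the path to x*, so F(K,x*) is only reachable by inverting the PRG.
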
**Simple PKE from iO**

- Setup: Choose Punctured PRF key K, PK = obfuscation of
- Encrypt(m): Choose random r; input m,r into program
- Decrypt(K,CT=(c1,c2)):
- Decryption is fast = symmetric key

**Proof of Encryption Scheme**

- Hyb 0: IND-CPA
- PRG security
- Hyb 1: t* is random
- iO security
- Hyb 2: Use K{t*}
- Punctured PRF security
- Hyb 3: Replace F(K,t*) w/ z*

**A Very Simple CCA-KEM**

- Setup: Choose Punctured PRF key K, PK = obfuscation of
- Encrypt: Choose random r, give as input
- Decrypt(K,c):

**Natural Candidate**

- Setup: Choose Punctured PRF key K, VK = obfuscation of
- Works with heuristic, but how to prove??

**A Signature Scheme**

- Setup: Choose Punctured PRF key K, VK = obfuscation of
- f is a OWF
- Sign(K,m):
- Verify(VK,m,s): Input m,s into verify program
- Signing is fast = symmetric key

**Proof of Signature Scheme**

- Hyb 0: (Selective) Signature Security [GMR84]
- iO security
- Hyb 1: Punctured Program
- Punctured PRF security
- Hyb 2: z* random

**Other Core Primitives**

- NIZKs [BDMP91]
- Sign x if x is in L
- Succinct proofs
- Semi Honest Oblivious Transfer [R81]
- Injective Trapdoor Functions
- Simple CCA secure KEM

**The rest of the talk**

1. Deniable Encryption
2. Functional Encryption [GGHRSW13]
3. Open Directions

**Deniable Encryption [CDNO97]**

- Anthony
- Enc(PK, m= ,r) -> CT
- Demands message and randomness!
- Fake r’ where Enc(PK, m= ,r’) -> CT
- Best solutions attacker adv.
1/n, n ~ size of pub key
- Problematic for encrypting many messages

**Publicly Deniable Encryption: Anyone can explain!**

- Setup(n) -> PK,SK
- Decrypt(SK,c) -> m
- Encrypt(PK,m;u) -> c
- Explain(PK,c,m;r) -> u’
- Two security properties (implies standard deniable)
  - (1) IND-CPA Security
  - (2) Indistinguishability of Explanation
- Single message game
- Advantage of separation: Simpler proofs

**Hidden Sparse Triggers**

- Idea: A negligible fraction of the randomness space are “trigger values” that cause encryption to bypass normal encryption and output a specific value
- Explain(PK, C): Encoding of C in Hidden Trigger Set
- Encrypt(PK,m;u): Checks if randomness in trigger set. If yes, decrypts encoding to CT; else does fresh encrypt
- Randomness Space
- Hidden triggers

**An Attempt and Malleability Issues**

- Explain:
- Malleability Attack!
- Encrypt:

**Our Deniable Encryption System**

- Explain:
- Encrypt:

**Proof Overview**

- IND-CPA Proof: Simple proof; obfuscation not used
- Explainability:
  - Encoding: Look like random string & non-malleable
  - Intricate multistep hybrid proof

**Using Deployed Keys**

- Receiver may:
  - Already have established key
  - Be disinterested/uninterested in D.E.
- Universal Deniable Encryption: D.E. to ordinary keys
- One time (uncorrupted) trusted setup
- Use to deniably encrypt to any PK
- Takes Encryption function as input

**Functional Encryption [SW05…]**

- MSK Public Parameters SK Authority X
- Functionality: Learn f(x); x is hidden
- Collusion Resistance core to concept!
(Like IBE)
- Collusion Bounded & Applications: SS10, PRV12, AGVW13, GKVPZ13
- CT: x
- Key: f

**Tools**

- Statistically Simulation Sound NIZKs
- Statistically sound except for simulated statement
- Build from WI proofs
- Two Key Technique [NY90, S99]

**Functional Encryption System [GGHRSW13]**

- Setup: Generate two key pairs (PK1,SK1), (PK2,SK2); output CRS from NIZK setup
- Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this
- KeyGen(SK1,f): Obfuscate program
- Decrypt(CT, SKf): Run obfuscated program on CT

**Proof Overview**

- Challenge CT:
- Keys:

**Step 1**

- Challenge CT:
- Keys:
- NIZK security

**Step 2**

- Challenge CT:
- Keys:
- IND-CPA security

**Step 3**

- Challenge CT:
- Keys:
- IO security

**Step 4**

- Challenge CT:
- Keys:
- IND-CPA security

**Step 5**

- Challenge CT:
- Keys:
- IO security

**Step 6**

- Challenge CT:
- Keys:
- NIZK security

**Evolution of Functional Encryption**

- Sahai-Waters 2005: Introduction of Attribute-Based Encryption
- GPSW 2006: Access Control (ABE) for any boolean formula
- BW 2007, KSW08: “Predicate Encryption”; dot product functionality
- Talks 2008: “Rebranded” as Functional Encryption, BSW11 reformalized (BSW11+O10 added simulation def.)
- GGHSW13/GVW13: ABE for circuits
- FE at 2013: Still Inner Product (& Applications); Best we can do with bilinear maps
- GGHRSW 2013: Functional Encryption for any circuit

**Evolution of Functional Encryption**

- Obfuscation

**Explosion of Obfuscation**

Late July: GGHRSW13, SW13 eprint

4 months later:

- Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]
- Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]
- Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]
- Two-round secure MPC from Indistinguishability Obfuscation [GGSR]
- Protecting Obfuscation Against Algebraic Attacks [BGKPS]
- Indistinguishability Obfuscation vs.
Auxiliary-Input Extractable Functions: One Must Fall [BCPR]
- Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]
- There is no Indistinguishability Obfuscation in Pessiland [MR]
- On Extractability Obfuscation [BCP]
- A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]
- Separations in Circular Security for Arbitrary Length Key Cycles [RVW]
- Obfuscation for Evasive Functions [BBCKPS]
- Differing-Inputs Obfuscation and Applications [ABGSZ]
- More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]
- Multi-Input Functional Encryption [GGJS]
- Functional Encryption for Randomized Functionalities [GJKS]
- Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]
- Multi-Input Functional Encryption [GKLSZ]
- Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]

**My Probabilities**

38% I will make it to Weizmann in Dec. Indistinguishability Obfuscation from LWE-type assumption in 4 years 63% Amit eprints an obfuscation paper in next 2 months 95%