1 / 50

Brent Waters

How to Use Indistinguishability Obfuscation. Amit Sahai. Brent Waters. Code Obfuscation. Goal: Make program (maximally) unintelligible. Obfuscator. 2. Applications!. Demo or “ need to know ” software. Software Patching.

aolani
Télécharger la présentation

Brent Waters

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to Use Indistinguishability Obfuscation Amit Sahai Brent Waters

  2. Code Obfuscation Goal: Make program (maximally) unintelligible Obfuscator 2

  3. Applications! Demo or “need to know” software Software Patching Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, … 3

  4. Difficulty of Achieving Obfuscation • Initial Functionalities: • Point Functions [LPS04, …] and hyperplanes [CRV10] • Explanation of existing functionality[OS05, HRSV07] Recent: General candidate [GGHRSW13] using multilinear maps [GGH13] What does this mean? 4

  5. Idealized Obfuscation Idea: Learn nothing more than with black box access vs. • Natural for applications, building crypto • Some (contrived) counter-examples [BGIRSVY 01] No broad candidate class of obfuscatable functionalities Generic group proofs [BR13,BGKPS13] 5

  6. Indistinguishability Obfuscation Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits • a (b+c) vs. ab + ac • Avoids negative results of [BGIRSVY01] • What is it good for?

  7. Vision: IO as hub for cryptography Standard Assumption (e.g. LWE) Indistinguishabilty Obfuscation + OWFs This talk “Most” of cryptography 7

  8. How do we build public key encryption from Indistinguishability Obfuscation?

  9. Punctured Programs Technique • Remove key element of program: • Attacker cannot win without it • Does not change functionality Punctured PRF key: K{x*} eval PRF on all points, but x* Security: Cannot distinguish F(K,x*) and random given K{x*} Special case of constrained PRFs [BW13,BGI13,KPTZ13] Build from [GGM84] 9

  10. Initial Attempt Setup: Choose Punctured PRF key K, PK= obfuscation of Problems: (1) Program knows PRF at t* (2) If puncture out, will not be equivalent! 10

  11. Simple PKE from iO Setup: Choose Punctured PRF key K, PK= obfuscation of Encrypt(m): Choose random r; input m,r into program Decrypt(K,CT=(c1,c2)): Decryption is fast = symmetric key 11

  12. Proof of Encryption Scheme Hyb 0: IND-CPA 12

  13. Proof of Encryption Scheme Hyb 0: IND-CPA PRG security Hyb 1: t* is random 13

  14. Proof of Encryption Scheme Hyb 0: IND-CPA PRG security Hyb 1: t* is random iO security Hyb 2: Use K{t*} 14

  15. Proof of Encryption Scheme Hyb 0: IND-CPA PRG security Hyb 1: t* is random iO security Hyb 2: Use K{t*} Punctured PRF security Hyb 3: Replace F(K,t*) w/ z* 15

  16. A Very Simple CCA-KEM Setup: Choose Punctured PRF key K, PK= obfuscation of Encrypt: Choose random r, give as input Decrypt(K,c): 16

  17. How about signatures?

  18. Natural Candidate Setup: Choose Punctured PRF key K, VK= obfuscation of Works with heuristic, but how to prove?? 18

  19. A Signature Scheme Setup: Choose Punctured PRF key K, VK= obfuscation of f is a OWF Sign(K,m): Verify(VK,m,s): Input m,s into verify program Signing is fast = symmetric key 19

  20. Proof of Signature Scheme Hyb 0: (Selective) Signature Security [GMR84] 20

  21. Proof of Signature Scheme Hyb 0: (Selective) Signature Security [GMR84] iO security Hyb 1: Punctured Program 21

  22. Proof of Signature Scheme Hyb 0: (Selective) Signature Security [GMR84] iO security Hyb 1: Punctured Program Punctured PRF security Hyb 2: z* random 22

  23. Other Core Primitives • NIZKs[BDMP91] • Sign x if x is in L • Succinct proofs Semi Honest Oblivious Transfer[R81] Injective Trapdoor Functions Simple CCA secure KEM 23

  24. The rest of the talk • Deniable Encryption (2) Functional Encryption [GGHRSW13] (3) Open Directions 24

  25. Deniable Encryption

  26. Deniable Encryption [CDNO97] Anthony Enc(PK, m= ,r) -> CT Demands message and randomness! Fake r’ where Enc(PK, m= ,r’) -> CT Best solutions attacker adv. 1/n, n~ size of pub key Problematic for encrypting many messages 26

  27. Publicly Deniable Encryption Anyone can explain! Setup(n) -> PK,SK Decrypt(SK,c) -> m Encrypt(PK,m;u)-> c Explain(PK,c,m;r) -> u’ Two security properties(implies standard deniable) (1) IND-CPA Security (2) Indistinguishability of Explanation Single message game Advantage of separation: Simpler proofs 27

  28. Hidden Sparse Triggers Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value Explain(PK, C): Encoding of C in Hidden Trigger Set Encrypt(PK,m;u): Checks if randomness in trigger set If yes, decrypts encoding to CT; else does fresh encrypt Randomness Space Hidden triggers 28

  29. An Attempt and Malleability Issues Explain: Malleability Attack! Encrypt: 29

  30. Our Deniable Encryption System Explain: Encrypt: 30

  31. Proof Overview IND-CPA Proof: Simple proof; obfuscation not used • Explainability: • Encoding: Look like random string & non-malleable • Intricate multistep hybrid proof 31

  32. Using Deployed Keys • Receiver may: • Already have established key • Be disinterested/uninterested in D.E. • Universal Deniable Encryption: D.E. to ordinary keys • One time (uncorrupted) trusted setup • Use to deniably encrypt to any PK • Takes Encryption function as input 32

  33. Functional Encryption

  34. Functional Encryption [SW05…] MSK Public Parameters SK Authority X Functionality: Learn f(x); x is hidden Collusion Resistance core to concept! (Like IBE) Collusion Bounded & Applications: SS10, PRV12, AGVW13, GKVPZ13 CT:x Key: f 34

  35. An Application: Facial Identification SK 35

  36. Tools • Statistically Simulation Sound NIZKs • Statistically sound except for simulated statement • Build from WI proofs Two Key Technique [NY90,S99] 36

  37. Functional Encryption System [GGHRSW13] Setup: Generate two keys pairs (PK1,SK1), (PK2,SK2) output CRS from NIZK setup Encrypt(PP,m): Encrypt m under each of PK1, PK2, generate proof p of this KeyGen(SK1,f): Obfuscate program Decrypt(CT, SKf): Run obfuscated program on CT 37

  38. Proof Overview Challenge CT: Keys: 38

  39. Step 1 Challenge CT: Keys: NIZK security 39

  40. Step 2 Challenge CT: Keys: IND-CPA security 40

  41. Step 3 Challenge CT: Keys: IO security 41

  42. Step 4 Challenge CT: Keys: IND-CPA security 42

  43. Step 5 Challenge CT: Keys: IO security 43

  44. Step 6 Challenge CT: Keys: NIZK security 44

  45. Evolution of Functional Encryption Sahai-Waters 2005: Introduction of Attribute-Based Encryption GPSW 2006: Access Control (ABE) for any boolean formula BW 2007, KSW08: “Predicate Encryption”; dot product functionality Talks 2008: “Rebranded” as Functional Encryption , BSW11 reformalized (BSW11+O10 added simulation def.) GGHSW13/GVW13: ABE for circuits FE at 2013: Still Inner Product (& Applications) Best we can do with bilinear maps GGHRSW 2013: Functional Encryption for any circuit 45

  46. Evolution of Functional Encryption Obfuscation 46

  47. Looking Forward

  48. Explosion of Obfuscation Late July: GGHRSW13, SW13 eprint 4 months later • Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW] • Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV] • Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR] • Two-round secure MPC from Indistinguishability Obfuscation [GGSR] • Protecting Obfuscation Against Algebraic Attacks [BGKPS] • Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR] • Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ] • There is no Indistinguishability Obfuscation in Pessiland [MR] • On Extractability Obfuscation [BCP] • A Note on the Impossibility of Obfuscation with Auxiliary Input [GK] • Separations in Circular Security for Arbitrary Length Key Cycles [RVW] • Obfuscation for Evasive Functions [BBCKPS] • Differing-Inputs Obfuscation and Applications [ABGSZ] • More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR] • Multi-Input Functional Encryption [GGJS] • Functional Encryption for Randomized Functionalities[GJKS] • Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS] • Multi-Input Functional Encryption [GKLSZ] • Obfuscation from Semantically-Secure Multi-linear Encodings [PTS] 48

  49. My Probabilities 38% I will make it to Weizmann in Dec. Indistinguishability Obfuscation from LWE-type assumption in 4 years 63% Amit eprints an obfusction paper in next 2 months 95% 49

  50. Thank you

More Related