Presentation Transcript

  1. How to Use Indistinguishability Obfuscation
     Amit Sahai, Brent Waters

  2. Code Obfuscation
     Goal: Make program (maximally) unintelligible
     [Figure label: Obfuscator]

  3. Applications!
     Demo or “need to know” software
     Software Patching
     Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …

  4. Difficulty of Achieving Obfuscation
     • Initial Functionalities:
       • Point Functions [LPS04, …] and hyperplanes [CRV10]
       • Explanation of existing functionality [OS05, HRSV07]
     Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]
     What does this mean?

  5. Idealized Obfuscation
     Idea: Learn nothing more than with black box access vs.
     • Natural for applications, building crypto
     • Some (contrived) counter-examples [BGIRSVY01]
     No broad candidate class of obfuscatable functionalities
     Generic group proofs [BR13, BGKPS13]

  6. Indistinguishability Obfuscation
     Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits
     • a(b+c) vs. ab + ac
     • Avoids negative results of [BGIRSVY01]
     • What is it good for?

  7. Vision: IO as hub for cryptography
     [Diagram labels: Standard Assumption (e.g. LWE); Indistinguishability Obfuscation + OWFs; This talk; “Most” of cryptography]

  8. How do we build public key encryption from Indistinguishability Obfuscation?

  9. Punctured Programs Technique
     • Remove key element of program:
       • Attacker cannot win without it
       • Does not change functionality
     Punctured PRF key: K{x*} evaluates the PRF on all points but x*
     Security: Cannot distinguish F(K,x*) and random given K{x*}
     Special case of constrained PRFs [BW13, BGI13, KPTZ13]
     Build from [GGM84]

  10. Initial Attempt
      Setup: Choose Punctured PRF key K, PK= obfuscation of
      Problems:
      (1) Program knows PRF at t*
      (2) If puncture out, will not be equivalent!

  11. Simple PKE from iO
      Setup: Choose Punctured PRF key K, PK= obfuscation of
      Encrypt(m): Choose random r; input m,r into program
      Decrypt(K,CT=(c1,c2)):
      Decryption is fast = symmetric key

  12. Proof of Encryption Scheme
      Hyb 0: IND-CPA

  13. Proof of Encryption Scheme
      Hyb 0: IND-CPA
        PRG security
      Hyb 1: t* is random

  14. Proof of Encryption Scheme
      Hyb 0: IND-CPA
        PRG security
      Hyb 1: t* is random
        iO security
      Hyb 2: Use K{t*}

  15. Proof of Encryption Scheme
      Hyb 0: IND-CPA
        PRG security
      Hyb 1: t* is random
        iO security
      Hyb 2: Use K{t*}
        Punctured PRF security
      Hyb 3: Replace F(K,t*) w/ z*

  16. A Very Simple CCA-KEM
      Setup: Choose Punctured PRF key K, PK= obfuscation of
      Encrypt: Choose random r, give as input
      Decrypt(K,c):

  17. How about signatures?

  18. Natural Candidate
      Setup: Choose Punctured PRF key K, VK= obfuscation of
      Works with heuristic, but how to prove??

  19. A Signature Scheme
      Setup: Choose Punctured PRF key K, VK= obfuscation of
      f is a OWF
      Sign(K,m):
      Verify(VK,m,s): Input m,s into verify program
      Signing is fast = symmetric key

  20. Proof of Signature Scheme
      Hyb 0: (Selective) Signature Security [GMR84]

  21. Proof of Signature Scheme
      Hyb 0: (Selective) Signature Security [GMR84]
        iO security
      Hyb 1: Punctured Program

  22. Proof of Signature Scheme
      Hyb 0: (Selective) Signature Security [GMR84]
        iO security
      Hyb 1: Punctured Program
        Punctured PRF security
      Hyb 2: z* random

  23. Other Core Primitives
      • NIZKs [BDMP91]
      • Sign x if x is in L
      • Succinct proofs
      Semi Honest Oblivious Transfer [R81]
      Injective Trapdoor Functions
      Simple CCA secure KEM

  24. The rest of the talk
      (1) Deniable Encryption
      (2) Functional Encryption [GGHRSW13]
      (3) Open Directions

  25. Deniable Encryption

  26. Deniable Encryption [CDNO97]
      [Figure label: Anthony]
      Enc(PK, m= ,r) -> CT
      Demands message and randomness!
      Fake r’ where Enc(PK, m= ,r’) -> CT
      Best solutions attacker adv. 1/n, n~ size of pub key
      Problematic for encrypting many messages

  27. Publicly Deniable Encryption
      Anyone can explain!
      Setup(n) -> PK,SK
      Decrypt(SK,c) -> m
      Encrypt(PK,m;u) -> c
      Explain(PK,c,m;r) -> u’
      Two security properties (implies standard deniable)
      (1) IND-CPA Security
      (2) Indistinguishability of Explanation
      Single message game
      Advantage of separation: Simpler proofs

  28. Hidden Sparse Triggers
      Idea: Negligible fraction of random space are “trigger values” that cause bypass normal encryption to specific value
      Explain(PK, C): Encoding of C in Hidden Trigger Set
      Encrypt(PK,m;u): Checks if randomness in trigger set
      If yes, decrypts encoding to CT; else does fresh encrypt
      [Figure labels: Randomness Space; Hidden triggers]

  29. An Attempt and Malleability Issues
      Explain:
      Malleability Attack!
      Encrypt:

  30. Our Deniable Encryption System
      Explain:
      Encrypt:

  31. Proof Overview
      IND-CPA Proof: Simple proof; obfuscation not used
      • Explainability:
        • Encoding: Look like random string & non-malleable
        • Intricate multistep hybrid proof

  32. Using Deployed Keys
      • Receiver may:
        • Already have established key
        • Be disinterested/uninterested in D.E.
      • Universal Deniable Encryption: D.E. to ordinary keys
      • One time (uncorrupted) trusted setup
      • Use to deniably encrypt to any PK
      • Takes Encryption function as input

  33. Functional Encryption

  34. Functional Encryption [SW05…]
      [Figure labels: MSK; Public Parameters; SK; Authority; X; CT: x; Key: f]
      Functionality: Learn f(x); x is hidden
      Collusion Resistance core to concept! (Like IBE)
      Collusion Bounded & Applications: SS10, PRV12, AGVW13, GKVPZ13

  35. An Application: Facial Identification
      [Figure label: SK]

  36. Tools
      • Statistically Simulation Sound NIZKs
      • Statistically sound except for simulated statement
      • Build from WI proofs
      Two Key Technique [NY90, S99]

  37. Functional Encryption System [GGHRSW13]
      Setup: Generate two key pairs (PK1,SK1), (PK2,SK2); output CRS from NIZK setup
      Encrypt(PP,m): Encrypt m under each of PK1, PK2; generate proof p of this
      KeyGen(SK1,f): Obfuscate program
      Decrypt(CT, SKf): Run obfuscated program on CT

  38. Proof Overview
      Challenge CT:
      Keys:

  39. Step 1
      Challenge CT:
      Keys:
      NIZK security

  40. Step 2
      Challenge CT:
      Keys:
      IND-CPA security

  41. Step 3
      Challenge CT:
      Keys:
      IO security

  42. Step 4
      Challenge CT:
      Keys:
      IND-CPA security

  43. Step 5
      Challenge CT:
      Keys:
      IO security

  44. Step 6
      Challenge CT:
      Keys:
      NIZK security

  45. Evolution of Functional Encryption
      Sahai-Waters 2005: Introduction of Attribute-Based Encryption
      GPSW 2006: Access Control (ABE) for any boolean formula
      BW 2007, KSW08: “Predicate Encryption”; dot product functionality
      Talks 2008: “Rebranded” as Functional Encryption, BSW11 reformalized (BSW11+O10 added simulation def.)
      GGHSW13/GVW13: ABE for circuits
      FE at 2013: Still Inner Product (& Applications)
      Best we can do with bilinear maps
      GGHRSW 2013: Functional Encryption for any circuit

  46. Evolution of Functional Encryption
      [Figure label: Obfuscation]

  47. Looking Forward

  48. Explosion of Obfuscation
      Late July: GGHRSW13, SW13 eprint
      4 months later
      • Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]
      • Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]
      • Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]
      • Two-round secure MPC from Indistinguishability Obfuscation [GGSR]
      • Protecting Obfuscation Against Algebraic Attacks [BGKPS]
      • Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]
      • Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]
      • There is no Indistinguishability Obfuscation in Pessiland [MR]
      • On Extractability Obfuscation [BCP]
      • A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]
      • Separations in Circular Security for Arbitrary Length Key Cycles [RVW]
      • Obfuscation for Evasive Functions [BBCKPS]
      • Differing-Inputs Obfuscation and Applications [ABGSZ]
      • More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]
      • Multi-Input Functional Encryption [GGJS]
      • Functional Encryption for Randomized Functionalities [GJKS]
      • Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]
      • Multi-Input Functional Encryption [GKLSZ]
      • Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]

  49. My Probabilities 38% I will make it to Weizmann in Dec. Indistinguishability Obfuscation from LWE-type assumption in 4 years 63% Amit eprints an obfuscation paper in next 2 months 95%

  50. Thank you
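
The punctured PRF key K{x*} from slide 9, built as that slide says from the [GGM84] tree construction, shown as an added Python example that is not from the talk. Assumptions: HMAC-SHA256 stands in for the length-doubling PRG, inputs are 12-bit integers, and all function names are hypothetical.

```python
import hashlib
import hmac

N_BITS = 12  # input length in bits (assumption; small enough to sweep the domain)

def _prg(seed: bytes, bit: int) -> bytes:
    # One half of a length-doubling PRG G(s) = G_0(s) || G_1(s).
    # Assumption: HMAC-SHA256 keyed with the seed stands in for the PRG.
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()

def _bits(x: int) -> list:
    # Most significant bit first: the root-to-leaf path for input x.
    return [(x >> i) & 1 for i in reversed(range(N_BITS))]

def prf(key: bytes, x: int) -> bytes:
    """F(K, x): walk the GGM tree from the root seed K down to leaf x."""
    node = key
    for b in _bits(x):
        node = _prg(node, b)
    return node

def puncture(key: bytes, x_star: int) -> tuple:
    """K{x*}: the sibling seed at every depth on the path to x*.
    Each seed covers one subtree; together they cover every leaf except x*."""
    node, copath = key, []
    for b in _bits(x_star):
        copath.append(_prg(node, 1 - b))  # seed of the subtree we do not enter
        node = _prg(node, b)              # on-path seed, never stored in K{x*}
    return (x_star, copath)

def prf_punctured(pkey: tuple, x: int) -> bytes:
    """Evaluate F(K, x) from K{x*}; x* itself cannot be evaluated."""
    x_star, copath = pkey
    if x == x_star:
        raise ValueError("punctured key holds no seed on the path to x*")
    xb, sb = _bits(x), _bits(x_star)
    # First depth where x leaves the path to x*: x lies under that sibling.
    d = next(i for i in range(N_BITS) if xb[i] != sb[i])
    node = copath[d]
    for b in xb[d + 1:]:
        node = _prg(node, b)
    return node

if __name__ == "__main__":
    K = hashlib.sha256(b"constructed demo key").digest()
    pk = puncture(K, 0x5A3)
    print(prf_punctured(pk, 0x5A2) == prf(K, 0x5A2))  # neighbour of x* still evaluates
```

The punctured key is only N_BITS seeds long, and each stored seed is a PRG output on a branch away from x*, which is why F(K,x*) stays pseudorandom given K{x*}.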