Rishab Goyal Venkata Koppula Brent Waters

Presentation transcript:

Separating IND-CPA and Circular Security for Unbounded Length Key Cycles. Rishab Goyal, Venkata Koppula, Brent Waters.

Key Dependent Message Security [BlackRogawayShrimpton02]: plaintexts that depend on the secret key. Examples: encrypted storage systems (e.g., BitLocker); anonymous credential systems [CamenischLysyanskaya01]; Gentry’s bootstrapping [Gentry09]; .... Semantic (IND-CPA) security might not be sufficient. Let’s start by talking about …

n-Circular Encryption [CamenischLysyanskaya01]: all-or-nothing sharing of credentials. Public keys PK1, PK2, ..., PKn with secret keys SK1, SK2, ..., SKn; the key cycle is EncPK1(SK2), ..., EncPKn-1(SKn), EncPKn(SK1). The most common example where we see key dependent messages in practice is … “A user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity.”

n-Circular Security: under PK1, ..., PKn, the cycle (EncPK1(SK2), ..., EncPKn(SK1)) must be indistinguishable from (EncPK1(0), ..., EncPKn(0)). Positive results: BDDH [BonehHamburgHaleviOstrovsky08]; LWE [ApplebaumCashPeikertSahai09]; extensions [BG10, BHHI10, BGK11, App11, MTY11, BV11, AP12].

Does IND-CPA imply n-Circular Security?

Negative Results. n = 2: bilinear groups [AcarBelenkiyBellareCash10, CashGreenHohenberger12]; LWE [BishopHohenbergerWaters15]. n ≥ 3: obfuscation [KoppulaRamchenWaters15, MarcedoneOrlandi16]; LWE [KoppulaWaters16, AlamatiPeikert16]. So, what does this suggest?

A Closer Look … Theorem (iO [KRW15]; LWE [AP16, KW16]). ∀ n, ∃ an IND-CPA secure encryption scheme E that is not n-circular secure. Question: for every scheme E, does there exist a parameter n such that it is n-circular secure? So, what does this suggest? These are contrived schemes. This leaves the door open for each scheme to have a cycle-length property such that it is circular secure for that length. This would mean that every scheme is circular secure for some parameter.

A Closer Look … New Theorem (assuming iO). ∃ an IND-CPA secure encryption scheme E such that ∀ n, it is not n-circular secure. This answers the question: for every scheme E, does there exist a parameter n such that it is n-circular secure? No.

Indistinguishability Obfuscation [BarakGoldreichImpagliazzoRudichSahaiVadhanYang01]: compiling functionally equivalent programs to indistinguishable programs. If P0 ≣ P1, then O(P0) and O(P1) are indistinguishable.

KRW Counterexample. Choose a key pair; publish the obfuscation of the program with inputs ct1, ct2, …, ctn: decrypt ct1 as …; decrypt ct2 as …; …; decrypt ctn as …; if sk1 = m, output ‘Cycle’.

Extending KRW. Same program (inputs ct1, ct2, …, ctn: decrypt ct1 as …; decrypt ct2 as …; …; decrypt ctn as …; if sk1 = m, output ‘Cycle’), but we want this to work for all cycle lengths: the cycle length is not a-priori known or fixed. (Q: What about iO for TMs?) At first thought, iO for TMs might seem to work. But it needs leveraging and a fixed input size. Cycle length fixed!

An Iterative Approach (figure sequence). Start from the n-cycle: EncPK1(SK2) at node 1, EncPK2(SK3) at node 2, EncPK3(SK4) at node 3, …, EncPKn-2(SKn-1) at node n-2, EncPKn-1(SKn) at node n-1, EncPKn(SK1) at node n. Node 1’s ciphertext is rewritten to EncPK1(SK3), then to EncPK1(SK4), and so on, until only the 1-cycle EncPK1(SK1) at node 1 remains. At a high level, …

Main Idea … Use FHE for cycle reduction, then create a 1-cycle tester. (Figure: the n-cycle 1 → 2 → 3 → … → n-1 → n is shortened to 1 → 3 → … → n-1 → n, and so on, down to the 1-cycle on node 1.)

Cycle Reduction: FHE. Correctness: (figure)

Cycle Reduction: FHE (figure)

1-Cycle Tester: First Attempt. Choose a key pair; compute the obfuscation of the program; output it.

1-Cycle Tester: First Attempt. Choose a key pair; compute the obfuscation of the program; output it. Intuitively secure, but how to prove it under iO? IND-CPA security would be provable under VBB obfuscation.

1-Cycle Tester: KRW Technique. Choose a key pair and a string s; compute the obfuscation of the program; output it. KRW trick: IND-CPA security provable under iO.

1-Cycle Tester: Proof Idea. Choose a key pair and a string s; compute the obfuscation of the program; output it. (figure)
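To make the two distributions of the n-circular security game and the cycle-testing program concrete, here is an added Python model; it is not the authors’ code and not the paper’s construction. It assumes a textbook ElGamal scheme over a constructed, deliberately tiny safe-prime group (P = 4079, Q = 2039, G = 4 are my choices) with messages encoded as quadratic residues so that a secret key can be encrypted as a message. The tester is the un-obfuscated program from the KRW slides, hardwiring sk1; unlike the real counterexample, publishing it reveals sk1 outright, which is exactly why the slides need obfuscation before the IND-CPA claim can hold.

```python
import secrets

# Constructed toy parameters: P = 2*Q + 1 is a safe prime and G = 4 generates
# the order-Q subgroup of quadratic residues mod P. Far too small to be
# secure; they only make the experiment run instantly.
P = 4079
Q = 2039
G = 4


def encode(m):
    """Map a message m in [0, Q-1] to a quadratic residue mod P.

    Exactly one of x and P-x is a residue for x in [1, Q] because P = 3 mod 4,
    so -1 is a non-residue.
    """
    if not 0 <= m < Q:
        raise ValueError("message out of range")
    x = m + 1
    return x if pow(x, Q, P) == 1 else P - x


def decode(y):
    """Inverse of encode for any nonzero y mod P."""
    x = y if y <= Q else P - y
    return x - 1


def keygen():
    sk = secrets.randbelow(Q - 1) + 1        # sk in [1, Q-1], also a valid message
    return pow(G, sk, P), sk                 # (pk, sk)


def enc(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (encode(m) * pow(pk, r, P)) % P


def dec(sk, ct):
    c1, c2 = ct
    shared = pow(c1, sk, P)
    return decode(c2 * pow(shared, P - 2, P) % P)   # c2 * shared^{-1}


def key_cycle(keys):
    """The 'real' distribution: EncPK1(SK2), ..., EncPKn-1(SKn), EncPKn(SK1)."""
    n = len(keys)
    return [enc(keys[i][0], keys[(i + 1) % n][1]) for i in range(n)]


def zero_encryptions(keys):
    """The other distribution from the slide: EncPK1(0), ..., EncPKn(0)."""
    return [enc(pk, 0) for pk, _ in keys]


def make_cycle_tester(sk1):
    """The program the KRW counterexample publishes in obfuscated form.

    It hardwires sk1, decrypts ct1 with it to get a candidate sk2, uses that
    to decrypt ct2, and so on; if the chain closes back on sk1 it outputs
    'Cycle'. Here it is a plain closure, so handing it out leaks sk1.
    """
    def tester(cts):
        cur = sk1
        for ct in cts:
            cur = dec(cur, ct)
        return "Cycle" if cur == sk1 else None
    return tester


def run_experiment(n):
    """Return the tester's verdict on a genuine n-cycle and on zero encryptions."""
    keys = [keygen() for _ in range(n)]
    tester = make_cycle_tester(keys[0][1])
    return tester(key_cycle(keys)), tester(zero_encryptions(keys))


if __name__ == "__main__":
    for n in (1, 2, 5):
        print(n, run_experiment(n))
```

On a genuine key cycle the tester always answers ‘Cycle’ (decryption is correct at every hop), which is the distinguisher against n-circular security for every n, including n = 1. On encryptions of zero the chain decrypts to unrelated values and the tester returns None, except with probability about 1/Q, an artefact of the toy group size.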

Putting Together … Use FHE for cycle reduction, then create a 1-cycle tester. (Figure: the n-cycle 1 → 2 → 3 → … → n-1 → n is shortened to 1 → 3 → … → n-1 → n, and so on, down to the 1-cycle.) Needs fully homomorphic encryption!! Leveled HE is not sufficient! FHE is not known from standard assumptions or even iO.

An Alternative Approach (figure sequence). Start from the same n-cycle: EncPK1(SK2) at node 1, EncPK2(SK3) at node 2, EncPK3(SK4) at node 3, …, EncPKn-2(SKn-1) at node n-2, EncPKn-1(SKn) at node n-1, EncPKn(SK1) at node n. This time the cycle is shortened from the other end: node n is removed and node n-1 holds EncPKn-1(SK1); then node n-1 is removed and node n-2 holds EncPKn-2(SK1); and so on, until only the 1-cycle EncPK1(SK1) at node 1 remains. At a high level, …

Summarizing … Use FHE for cycle reduction, then create a 1-cycle tester. (Figure: the n-cycle 1 → 2 → 3 → … → n-1 → n is shortened to 1 → 2 → 3 → … → n-1, and so on, down to the 1-cycle.) FHE is not known from standard assumptions or even iO; the alternative approach needs only leveled HE.
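As an added note, not on the slides: the single homomorphic step that both figure sequences rely on, written in notation that is mine ($\mathrm{Eval}$ denotes homomorphic evaluation and $\mathrm{Dec}(\cdot, ct)$ the decryption circuit with the ciphertext $ct$ hardwired). Correctness of homomorphic evaluation gives, with $ct_2 = \mathrm{Enc}_{PK_2}(SK_3)$,

$$\mathrm{Eval}\big(PK_1,\ \mathrm{Dec}(\cdot, ct_2),\ \mathrm{Enc}_{PK_1}(SK_2)\big) = \mathrm{Enc}_{PK_1}\big(\mathrm{Dec}(SK_2, ct_2)\big) = \mathrm{Enc}_{PK_1}(SK_3).$$

In the iterative approach this is repeated on the same ciphertext with $ct_3, \dots, ct_n$, reaching $\mathrm{Enc}_{PK_1}(SK_1)$ after $n-1$ evaluations; the evaluated depth therefore grows with $n$, which is not fixed in advance, and that is the demand for full FHE. In the alternative approach the step is applied from the other end,

$$\mathrm{Eval}\big(PK_{n-1},\ \mathrm{Dec}(\cdot, ct_n),\ \mathrm{Enc}_{PK_{n-1}}(SK_n)\big) = \mathrm{Enc}_{PK_{n-1}}(SK_1),$$

and then again under $PK_{n-2}$ with this result hardwired, down to $\mathrm{Enc}_{PK_1}(SK_1)$. Each ciphertext is evaluated on once, and the circuit evaluated is always a single decryption, so the depth does not grow with $n$ and a leveled scheme with a fixed number of levels suffices, matching the summary slide.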

Conclusions and Open Problems. A stronger circular security counterexample, assuming the existence of iO. Can it be based on more standard assumptions? (Say why stronger: it says IND-CPA schemes may not be circular secure for any length parameter.)

Conclusions and Open Problems. A stronger circular security counterexample, assuming the existence of iO. Can it be based on more standard assumptions? Yes! Normally a talk ends here. But very recently, we were able to solve this problem under LWE.

Lockable Obfuscation [GKoppulaWaters17]. Correctness: (figure)

Lockable Obfuscation [GKoppulaWaters17]. Security: (figure)

Our Result [GKoppulaWaters17]: lockable obfuscation for all poly-sized circuits*, secure under LWE. Applications: attribute-based encryption → predicate encryption; circular security separations (bit encryption, unbounded, …); random oracle uninstantiability (Fujisaki-Okamoto, …); rejecting indistinguishability obfuscator (riO); … ePrint: 2017/274

Thank you! Questions?