How to Use Indistinguishability Obfuscation

Presentation transcript:

How to Use Indistinguishability Obfuscation
Amit Sahai, Brent Waters

Code Obfuscation
Goal: Make program (maximally) unintelligible
[Diagram: Obfuscator]

Applications!
Demo or “need to know” software
Software Patching
Crypto galore: Traitor Tracing, Functional Encryption, Deniable Encryption, …

Difficulty of Achieving Obfuscation
Initial Functionalities: Point Functions [LPS04, …] and hyperplanes [CRV10]
Explanation of existing functionality [OS05, HRSV07]
Recent: General candidate [GGHRSW13] using multilinear maps [GGH13]
What does this mean?

Idealized Obfuscation
Idea: Learn nothing more than with black box access
[Diagram: "vs." comparison]
Natural for applications, building crypto
Some (contrived) counter-examples [BGIRSVY01]
No broad candidate class of obfuscatable functionalities
Generic group proofs [BR13, BGKPS13]

Indistinguishability Obfuscation
Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits
a(b+c) vs. ab + ac
Avoids negative results of [BGIRSVY01]
What is it good for?

Vision: IO as hub for cryptography
[Diagram labels: Standard Assumption (e.g. LWE); Indistinguishability Obfuscation + OWFs; This talk; “Most” of cryptography]

How do we build public key encryption from Indistinguishability Obfuscation?

Punctured Programs Technique
Remove key element of program: Attacker cannot win without it
Does not change functionality
Punctured PRF key: K{x*} evaluates the PRF on all points but x*
Security: Cannot distinguish F(K,x*) from random given K{x*}
Special case of constrained PRFs [BW13, BGI13, KPTZ13]
Build from [GGM84]
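The puncturing operation on this slide, built on a [GGM84]-style tree; this is an added example, not code from the talk. SHA-256 standing in for the length-doubling PRG, the 8-bit toy domain and all function names are assumptions made for the illustration.

```python
import hashlib

N_BITS = 8  # toy domain {0,1}^8 so every point can be checked exhaustively

def prg(seed):
    """Length-doubling PRG G(s) = (G0(s), G1(s)); SHA-256 is a stand-in (assumption)."""
    return (hashlib.sha256(b"\x00" + seed).digest(),
            hashlib.sha256(b"\x01" + seed).digest())

def bits(x):
    """Bits of x, most significant first: the root-to-leaf path in the tree."""
    return [(x >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]

def walk(seed, path):
    """Descend from a node's seed along the given bits."""
    for b in path:
        seed = prg(seed)[b]
    return seed

def prf(key, x):
    """F(K, x): the leaf reached from the root key along the bits of x."""
    return walk(key, bits(x))

def puncture(key, x_star):
    """K{x*}: the seeds of the siblings hanging off the root-to-x* path."""
    pkey, seed, path = {}, key, bits(x_star)
    for i, b in enumerate(path):
        children = prg(seed)
        pkey[tuple(path[:i]) + (1 - b,)] = children[1 - b]
        seed = children[b]  # on-path seed: used to continue, never stored
    return pkey

def prf_punctured(pkey, x):
    """Evaluate with K{x*}; returns None at the punctured point x*."""
    path = bits(x)
    for i in range(1, N_BITS + 1):
        seed = pkey.get(tuple(path[:i]))
        if seed is not None:
            return walk(seed, path[i:])
    return None  # every stored prefix diverges from x*, so x* is unreachable

def agrees_everywhere_but(key, x_star):
    """Functionality check: K{x*} matches K on every point except x*."""
    pkey = puncture(key, x_star)
    return all(prf_punctured(pkey, x) == prf(key, x)
               for x in range(2 ** N_BITS) if x != x_star)
```

The punctured key holds one seed per tree level, so its size grows with the input length rather than the domain size, and none of the stored seeds lies on the path to x*.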

Initial Attempt
Setup: Choose Punctured PRF key K, PK= obfuscation of
Problems:
(1) Program knows PRF at t*
(2) If puncture out, will not be equivalent!

Simple PKE from iO
Setup: Choose Punctured PRF key K, PK= obfuscation of
Encrypt(m): Choose random r; input m,r into program
Decrypt(K,CT=(c1,c2)):
Decryption is fast = symmetric key

Proof of Encryption Scheme
Hyb 0: IND-CPA
  PRG security
Hyb 1: t* is random
  iO security
Hyb 2: Use K{t*}
  Punctured PRF security
Hyb 3: Replace F(K,t*) w/ z*

A Very Simple CCA-KEM
Setup: Choose Punctured PRF key K, PK= obfuscation of
Encrypt: Choose random r, give as input
Decrypt(K,c):

How about signatures?

Natural Candidate
Setup: Choose Punctured PRF key K, VK= obfuscation of
Works with heuristic, but how to prove??

A Signature Scheme
Setup: Choose Punctured PRF key K, VK= obfuscation of
f is a OWF
Sign(K,m):
Verify(VK,m,s): Input m,s into verify program
Signing is fast = symmetric key

Proof of Signature Scheme
Hyb 0: (Selective) Signature Security [GMR84]
  iO security
Hyb 1: Punctured Program
  Punctured PRF security
Hyb 2: z* random

Other Core Primitives
NIZKs [BDMP91]
Sign x if x is in L
Succinct proofs
Semi Honest Oblivious Transfer [R81]
Injective Trapdoor Functions
Simple CCA secure KEM

The rest of the talk
(1) Deniable Encryption
(2) Functional Encryption [GGHRSW13]
(3) Open Directions

Deniable Encryption

Deniable Encryption [CDNO97]
Anthony
Enc(PK, m= ,r) -> CT
Demands message and randomness!
Fake r’ where Enc(PK, m= ,r’) -> CT
Best solutions: attacker adv. 1/n, n ~ size of pub key
Problematic for encrypting many messages

Publicly Deniable Encryption
Anyone can explain!
Setup(n) -> PK,SK
Decrypt(SK,c) -> m
Encrypt(PK,m;u) -> c
Explain(PK,c,m;r) -> u’
Two security properties (implies standard deniable)
(1) IND-CPA Security
(2) Indistinguishability of Explanation
Single message game
Advantage of separation: Simpler proofs

Hidden Sparse Triggers
Idea: A negligible fraction of the randomness space are “trigger values” that cause Encrypt to bypass normal encryption and output a specific value
Explain(PK, C): Encoding of C in Hidden Trigger Set
Encrypt(PK,m;u): Checks if randomness is in trigger set
  If yes, decrypts encoding to CT; else does fresh encrypt
[Diagram labels: Randomness Space; Hidden triggers]

An Attempt and Malleability Issues
Explain:
Encrypt:
Malleability Attack!

Our Deniable Encryption System
Explain:
Encrypt:

Proof Overview
IND-CPA Proof: Simple proof; obfuscation not used
Explainability:
  Encoding: Look like random string & non-malleable
  Intricate multistep hybrid proof

Using Deployed Keys
Receiver may:
  Already have established key
  Be disinterested/uninterested in D.E.
Universal Deniable Encryption: D.E. to ordinary keys
  One time (uncorrupted) trusted setup
  Use to deniably encrypt to any PK
  Takes Encryption function as input

Functional Encryption

Functional Encryption [SW05…]
[Diagram labels: Public Parameters; MSK; Authority; CT: x; Key: f; SK; X]
Functionality: Learn f(x); x is hidden
Collusion Resistance core to concept! (Like IBE)
Collusion Bounded & Applications: SS10, PRV12, AGVW13, GKVPZ13

An Application: Facial Identification
[Diagram label: SK]

Tools
Statistically Simulation Sound NIZKs
  Statistically sound except for simulated statement
  Build from WI proofs
Two Key Technique [NY90, S99]

Functional Encryption System [GGHRSW13]
Setup: Generate two key pairs (PK1,SK1), (PK2,SK2); output CRS from NIZK setup
Encrypt(PP,m): Encrypt m under each of PK1, PK2; generate proof p of this
KeyGen(SK1,f): Obfuscate program
Decrypt(CT, SKf): Run obfuscated program on CT

Proof Overview (challenge CT and keys tracked at each step)
Step 1: NIZK security
Step 2: IND-CPA security
Step 3: IO security
Step 4: IND-CPA security
Step 5: IO security
Step 6: NIZK security

Evolution of Functional Encryption
Sahai-Waters 2005: Introduction of Attribute-Based Encryption
GPSW 2006: Access Control (ABE) for any boolean formula
BW 2007, KSW08: “Predicate Encryption”; dot product functionality
Talks 2008: “Rebranded” as Functional Encryption, BSW11 reformalized (BSW11+O10 added simulation def.)
GGHSW13/GVW13: ABE for circuits
FE at 2013: Still Inner Product (& Applications)
  Best we can do with bilinear maps
GGHRSW 2013: Functional Encryption for any circuit

Evolution of Functional Encryption
Obfuscation

Looking Forward

Explosion of Obfuscation
Late July: GGHRSW13, SW13 eprint
4 months later:
Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation [HSW]
Obfuscating Branching Programs Using Black-Box Pseudo-Free Groups [CV]
Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding [BR]
Two-round secure MPC from Indistinguishability Obfuscation [GGSR]
Protecting Obfuscation Against Algebraic Attacks [BGKPS]
Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall [BCPR]
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation [BZ]
There is no Indistinguishability Obfuscation in Pessiland [MR]
On Extractability Obfuscation [BCP]
A Note on the Impossibility of Obfuscation with Auxiliary Input [GK]
Separations in Circular Security for Arbitrary Length Key Cycles [RVW]
Obfuscation for Evasive Functions [BBCKPS]
Differing-Inputs Obfuscation and Applications [ABGSZ]
More on the Impossibility of Virtual-Black-Box Obfuscation with Auxiliary Input [BCPR]
Multi-Input Functional Encryption [GGJS]
Functional Encryption for Randomized Functionalities [GJKS]
Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP [PPS]
Multi-Input Functional Encryption [GKLSZ]
Obfuscation from Semantically-Secure Multi-linear Encodings [PTS]

My Probabilities
I will make it to Weizmann in Dec.: 38%
Indistinguishability Obfuscation from LWE-type assumption in 4 years: 63%
Amit eprints an obfuscation paper in next 2 months: 95%

Thank you