Shai Halevi – IBM Research PKC 2014 Multilinear Maps and Obfuscation A Survey of Recent Results.

Prologue
We are in the midst of (yet another) “quantum leap” in our cryptographic capabilities. Things that were science fiction just two years ago are now plausible:
General-purpose functional encryption
Crypto-strength code obfuscation
…
Fueled by new powerful building blocks: a combination of Homomorphic Encryption (HE) and Cryptographic Multilinear Maps (MMAPs)

This Talk
Overview of the main new tool: constructing MMAPs using “HE techniques”, and their application to obfuscation.
There are many other applications (Witness Encryption, Full-Domain Hash, Functional Encryption, …), but not today.

Chapter One: Multilinear Maps

Starting Point: DL-based Crypto

To use DH in applications, ensure that:
legitimate parties only compute linear functions (in the exponent)
the adversary needs to compute/check quadratics
Some examples: Diffie-Hellman key exchange, ElGamal encryption, Cramer-Shoup CCA-secure encryption, Naor-Reingold PRF, efficient ZKPs, …

Beyond DDH: Bilinear Maps [J00, SOK00, BF01]
In bilinear-map groups you can compute quadratic functions in the exponent, but computing/checking cubics is hard.
Now the legitimate parties can do a lot more, which leads to new capabilities:
Identity-based encryption (IBE)
Predicate encryption (for simple predicates)
Efficient non-interactive zero-knowledge proofs
…

Why Stop at Two?

The [GGH’13] Approach to MMAPs

MMAPs vs. SWHE

Main Ingredient: Testing for Zero

Bird-Eye View of [GGH’13]

Graded Encoding Schemes

Some Variants

Hardness Assumptions

A Few Words About Performance

Take-Home from Chapter One

Chapter Two: Obfuscation

Code Obfuscation
Encrypting programs while maintaining functionality: only the functionality should be “visible” in the output.
Example of recreational obfuscation (Wikipedia, accessed Oct-2013), an obfuscated Perl program:
xinU / lreP rehtona tsuJ";sub =$f=!fork;map{$P=$P[$f^ord ($p{$_})&6];$p{$_}=/ ^$P/ix?$P:close$_}keys%p}p;p;p;p;p;map{$p{$_}=~/^[P.]/&& close$_}%p;wait until$?;map{/^r/&& }%p;$_=$d[$q];sleep rand(2)if/\S/;print
Rigorous treatment: [Hada’00, BGIRSVY’01, …]

Why Obfuscation? Hiding secrets in software
AES encryption: Plaintext → Ciphertext (figure credit: strutpatent.com)

Why Obfuscation? Hiding secrets in software
AES encryption with the secret key hidden inside an obfuscated program ⇒ Public-key encryption: Plaintext → Ciphertext
[obfuscated Perl program from the Code Obfuscation slide in place of the AES box]

Why Obfuscation? Hiding secrets in software
Distributing software patches: Vulnerable program → Patched program
[illustrated by a textual diff between the two versions, which shows exactly what was changed]

Why Obfuscation? Hiding secrets in software
Distributing software patches while hiding the vulnerability: Vulnerable program → Patched program, with the patched program shipped obfuscated so the diff no longer reveals what was fixed
[obfuscated Perl program from the Code Obfuscation slide in place of the diff]

Why Obfuscation? Hiding secrets in software
Uploading my expertise to the web: a program for the Game of Go that outputs the next move

Why Obfuscation? Hiding secrets in software
Uploading my expertise to the web without revealing my strategies: the Game of Go program that outputs the next move is shipped obfuscated
[obfuscated Perl program from the Code Obfuscation slide in place of the program]

Defining Obfuscation
Want the output to reveal only functionality. E.g., if the program depends on secrets that are not readily apparent in its I/O, then the encrypted program does not reveal these secrets.
[B+01] show that this is impossible in general.
Thm: If secure encryption exists, then there are secure encryption schemes for which it is possible to recover the secret key from any program that encrypts. Such encryption schemes are unobfuscatable.

Defining Obfuscation
Okay, some functions are bad, but can we do “as well as possible” on every given function?
[B+01] suggested the weaker notion of “indistinguishability obfuscation” (iO)
Gives the “best-possible” guarantee [GR07]
It turns out to suffice for many applications (examples in [GGH+13, SW13, …])

Defining Obfuscation [B+01]

Obfuscation vs. HE
Somewhat reminiscent of MMAPs vs. HE…
Obfuscation: an obfuscated F plus an input x yields F(x), the result in the clear
Encryption (HE): an encrypted F (or an encrypted x) plus x yields F(x), the result encrypted

Obfuscation from MMAPs, 1 st Try

1st Try Does Not Work
Attack: comparing intermediate values
Checking if two intermediate wires carry the same value
Checking if the computation on two different inputs yields the same value on some intermediate wire
If two equal intermediate values ever happen, they can be recognized using the zero-test
Must randomize all intermediate values in all the computations, but such that the final result can still be recognized

Construction Outline
Describe circuits as Branching Programs (BPs) using Barrington’s theorem [B86]
Randomized BPs (RBPs) à la Kilian [K88]
Additional randomization to counter “simple relations”
Encode RBPs “in the exponent” using MMAPs
Use the zero-test to get the output
This allows obfuscating shallow circuits (NC1); another transformation (using FHE) gets all circuits

(Oblivious) Branching Programs
A specific way of describing a function
[Figure: a length-9 BP over 4-bit inputs, with two matrices A_{i,0} and A_{i,1} at each position i = 1, …, 9; the input bits 0110 are revealed one at a time and select one matrix per position]

Kilian’s Randomized BPs
[Figure: a length-6 BP with matrices A_{i,b}, i = 1, …, 6, b ∈ {0,1}, and their randomized counterparts B_{i,b}]

Kilian’s Protocol  BP-Obfuscation?

“Partial Evaluation” Attacks

“Mixed Input” Attack
[Figure highlights B_{2,0} and B_{4,1}: the attacker picks inconsistent values for the same input bit at two different positions of the BP]
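The pipeline of the last few slides (a Barrington-style matrix branching program, Kilian's randomization, and the partial-evaluation and mixed-input relations that this randomization alone leaves testable), as an added worked example in Python. This is not code from Halevi's slides or from any of the cited constructions: the modulus P, the 5-cycles SIGMA and TAU, and the two-bit AND program are choices made for this example, and the MMAP encodings and zero-test are omitted, so equality of matrices in the clear stands in for what a zero-test on encoded values would reveal.

```python
# Added example, not from the slides: matrix branching programs, Kilian's
# randomization, and the relations it does not hide. Pure Python, no dependencies.
import random

P = 1000003  # prime modulus for the random matrices (assumption made for this example)
N = 5        # Barrington's theorem works with 5x5 permutation matrices

def identity():
    return [[int(i == j) for j in range(N)] for i in range(N)]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(N)) % P for j in range(N)]
            for i in range(N)]

def inverse(M):
    """Gauss-Jordan inverse over F_P; returns None if M is singular."""
    A = [list(row) + identity()[i] for i, row in enumerate(M)]
    for c in range(N):
        piv = next((r for r in range(c, N) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], P - 2, P)
        A[c] = [x * inv % P for x in A[c]]
        for r in range(N):
            if r != c and A[r][c]:
                f = A[r][c]
                A[r] = [(a - f * b) % P for a, b in zip(A[r], A[c])]
    return [row[N:] for row in A]

def compose(s, t):
    """Permutations as lists (s[i] is the image of i); compose(s, t) applies t, then s."""
    return [s[t[i]] for i in range(N)]

def inv_perm(s):
    out = [0] * N
    for i, j in enumerate(s):
        out[j] = i
    return out

def perm_matrix(s):
    """Column i has its 1 in row s[i], so matmul(perm_matrix(s), perm_matrix(t))
    equals perm_matrix(compose(s, t))."""
    M = [[0] * N for _ in range(N)]
    for i, j in enumerate(s):
        M[j][i] = 1
    return M

def is_five_cycle(s):
    seen, i = set(), 0
    while i not in seen:
        seen.add(i)
        i = s[i]
    return len(seen) == N

# Two 5-cycles whose commutator SIGMA TAU SIGMA^-1 TAU^-1 is again a 5-cycle
# (verifiable with is_five_cycle); this group fact is what Barrington's theorem uses.
SIGMA = [1, 2, 3, 4, 0]
TAU = [2, 4, 1, 0, 3]

def and_bp():
    """Oblivious BP of length 4 for AND(x[0], x[1]); the steps read bits 0, 1, 0, 1.
    Each step is (input index, A_{i,0}, A_{i,1}). The product of the selected
    matrices is the identity unless both bits are 1, when it is the commutator."""
    I = identity()
    return [(0, I, perm_matrix(SIGMA)),
            (1, I, perm_matrix(TAU)),
            (0, I, perm_matrix(inv_perm(SIGMA))),
            (1, I, perm_matrix(inv_perm(TAU)))]

def partial_product(bp, choices, start, stop):
    """Multiply A_{i, choices[i]} for steps start <= i < stop. `choices` picks a
    branch per step rather than per input bit, so it also expresses dishonest
    (mixed-input) evaluations; an honest input x has choices[i] = x[inp(i)]."""
    prod = identity()
    for (inp, a0, a1), b in zip(bp[start:stop], choices[start:stop]):
        prod = matmul(prod, a1 if b else a0)
    return prod

def eval_bp(bp, x):
    """Honest evaluation: output 1 iff the full product is not the identity."""
    choices = [x[inp] for inp, _, _ in bp]
    return int(partial_product(bp, choices, 0, len(bp)) != identity())

def kilian_randomize(bp):
    """B_{i,b} = R_i^-1 A_{i,b} R_{i+1} with R_0 = R_n = I and R_1..R_{n-1}
    random invertible; every product of consecutive steps telescopes."""
    n = len(bp)
    R = [identity()]
    while len(R) < n:
        M = [[random.randrange(P) for _ in range(N)] for _ in range(N)]
        if inverse(M) is not None:
            R.append(M)
    R.append(identity())
    return [(inp, matmul(matmul(inverse(R[i]), a0), R[i + 1]),
                  matmul(matmul(inverse(R[i]), a1), R[i + 1]))
            for i, (inp, a0, a1) in enumerate(bp)]

def same_intermediate_value(bp, choices1, choices2, start, stop):
    """Partial-evaluation relation: do two step-choice vectors give the same
    product over steps [start, stop)? Kilian's randomization only conjugates
    that range by R_start^-1 ... R_stop, so the answer is identical on the
    randomized BP, and an encoded zero-test would reveal it."""
    return (partial_product(bp, choices1, start, stop)
            == partial_product(bp, choices2, start, stop))
```

Two things to try with it. `partial_product(kilian_randomize(and_bp()), [1, 1, 0, 1], 0, 4)` takes bit 0 as 1 at step 0 and as 0 at step 2: the τ and τ^{-1} steps cancel and the randomizers telescope, so the product is exactly the plain matrix A_{0,1} = SIGMA, recovered despite the randomization. And `same_intermediate_value` returns the same answer on the plain and the randomized BP for every pair of choice vectors, which is the "comparing intermediate values" attack of the earlier slide; this is why the constructions add further randomization ("multiplicative bundling", "straddling") on top of Kilian's.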

Countering “Simple Relations”
Additional randomization steps; different works use slightly different forms of additional randomization:
“Multiplicative bundling” [GGHRHS’13, BR’13]
“Straddling” [BGKPS’13, PTS’14]
“Abelian component” [CV’13]
Can conjecture [GGHRHS’13, BR’13] or prove [BGKPS’13, CV’13, PTS’14] that no simple relations exist

Completing the construction

Security of Obfuscation

A Word About Performance

Take-Home from Chapter Two
We can obfuscate a computation by:
1. Randomizing the internal values
2. Putting the randomized values “in the exponent” and computing on them using MMAPs

Future Directions
We only have two MMAP candidates, and just one approach for using them in obfuscation; it is hard to develop a theory from so few sample points
We need better formal notions of obfuscation: current notions (such as iO) do not capture our intuition, not even for what the current constructions achieve
Faster constructions: the complexity of current constructions is scary
Applications: we already have a bunch, the sky is the limit…

Thank You Questions?

Witness Encryption [GGSW’13]
A truly “keyless encryption”: can encrypt relative to any arbitrary “riddle”
Defined here relative to exact-cover (XC); XC is NP-complete, so we can translate any “riddle” to it

Recall Exact Cover
Instance over the universe {1, 2, 3, 4, 5}: the sets {1,2,3}, {2,4,5}, {1,4}, {2,3,5}

Witness Encryption
Message encrypted w.r.t. an XC instance
Encryptor need not know a solution, or even whether a solution exists
Anyone with a solution can decrypt
Secrecy ensured if no solution exists
{1,2,3}, {2,4,5}, {1,4}, {2,3,5}: Decryptable (the exact cover {1,4} ∪ {2,3,5} is a witness)
{1,2,3}, {2,4,5}, {1,4}, {2,3,4,5}: Secret (no sub-collection partitions {1, …, 5})
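The "riddle" side of the two slides above, as an added example in Python that is not part of the original slides: a witness for an exact-cover instance is a sub-collection of sets that partitions the universe, and the two instances from the slide are checked for one. Only the NP verification and search are shown; the MMAP-based encryption and decryption of [GGSW’13] are not on this page and are not implemented here. The universe {1, …, 5} is read off the sets on the slide.

```python
# Added example, not from the slides: exact-cover witnesses for witness encryption.
def exact_covers(universe, sets):
    """Yield every sub-collection of `sets` that partitions `universe`
    (pairwise disjoint, union equal to the universe). Backtracking in the
    style of Knuth's Algorithm X: pick the smallest uncovered element and
    branch over the sets that can still cover it; each cover is found once
    because the set covering that element is determined at every level."""
    sets = [frozenset(s) for s in sets]

    def search(uncovered, chosen):
        if not uncovered:
            yield list(chosen)
            return
        e = min(uncovered)
        for s in sets:
            # s must cover e and be disjoint from everything chosen so far
            if e in s and s <= uncovered:
                yield from search(uncovered - s, chosen + [sorted(s)])

    yield from search(frozenset(universe), [])

def witness(universe, sets):
    """A decryption witness, or None if the instance has no exact cover
    (the 'secret' case, where witness encryption guarantees hiding)."""
    return next(exact_covers(universe, sets), None)

UNIVERSE = range(1, 6)
DECRYPTABLE_INSTANCE = [{1, 2, 3}, {2, 4, 5}, {1, 4}, {2, 3, 5}]   # from the slide
SECRET_INSTANCE = [{1, 2, 3}, {2, 4, 5}, {1, 4}, {2, 3, 4, 5}]     # from the slide
```

`witness(UNIVERSE, DECRYPTABLE_INSTANCE)` returns `[[1, 4], [2, 3, 5]]`, the only exact cover of the first instance, while `witness(UNIVERSE, SECRET_INSTANCE)` returns `None`: every set containing 1 leaves a remainder ({4,5} or {2,3,5}) that no remaining set matches exactly, which is why the slide marks that instance as secret.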

Witness Encryption Using MMAPs {1,2,3} {2,4,5} {1,4} {2,3,5}

Witness Encryption Using MMAPs

Security of Witness Encryption *