Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption. Craig Gentry (IBM), Allison Lewko (Columbia), Amit Sahai (UCLA), Brent Waters (UT-Austin).

Presentation transcript:

Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption
Craig Gentry (IBM), Allison Lewko (Columbia), Amit Sahai (UCLA), Brent Waters (UT-Austin)

Witness Encryption [GGSW13]
Encrypt a message M under an NP statement, e.g. "the 3-CNF formula φ is satisfiable"; the witness is a satisfying assignment for φ.
Correctness: can decrypt using a witness.
Security: if the statement is false, the message is hidden.

Applications of Witness Encryption
PKE with fast key generation; identity-based encryption; attribute-based encryption for circuits; attribute-based encryption for Turing machines [GKPVZ13].

Indistinguishability Obfuscation
Idea: cannot distinguish between obfuscations of two input/output-equivalent circuits, e.g. a(b+c) vs. ab + ac.
Avoids the negative results of [BGIRSVY01]. But what is it good for?

Applications of iO
Demo or "need to know" software; software patching.
Vision: Indistinguishability Obfuscation + OWFs ⇒ "most" of cryptography.
Crypto, old and new: traitor tracing, functional encryption, deniable encryption, …

The First Candidate Schemes
WE from multilinear maps [GGSW13]: + simple, intuitive construction; − the assumption essentially matches the scheme.
iO from multilinear maps [GGHRSW13], and later [BR13, BGKPS14, PST14]: − generic-group security, or the scheme structure is embedded in the assumption.
Goal: reductions to simple assumptions.

The Assumption: Multilinear Subgroup Elimination
k-Mmap over a composite N with many large prime factors: one "special" prime factor c; k "distinguished" prime factors a1, a2, …, ak; poly many other primes.
Adversary gets level-1 encodings of: (random) generators of each prime subgroup except c; and, for each i, h_i: a random element of order c·(a1 a2 … a_{i-1} a_{i+1} … ak).
Hard for the adversary to distinguish a level-1 encoding of a random element T of order (a1 a2 … ak) from a level-1 encoding of a random element T of order c·(a1 a2 … ak).

Obstacle to Using a Simple Assumption for WE
Imagine a typical reduction to a simple assumption: the reduction takes a hard-problem instance, hands the attacker a ciphertext for a false statement, and uses the attacker (who can decrypt) to solve the hard problem. (Figure labels: hard problem, reduction, attacker, decrypt; "true CT for false statement"; "simulate with witness".)
What if the reduction could be fooled into working for a true statement? It seems the reduction needs to "check" that the statement is false.

Analogous Obstacle for iO
Same picture: the reduction, sitting between the hard problem and the attacker, outputs an obfuscation for 2 equal programs. (Figure labels: "unequal"; "simulate by testing on a differing input".)
What if the reduction could be fooled into working on two programs that differ on some input? It seems the reduction needs to "check" that the programs agree everywhere.

Our Approach: Positional WE
Algorithms: suppose potential witnesses are bit strings of length n (think of them as ordered).
Encrypt(message M, position t, statement φ) → CT_{φ,t}
Decrypt(CT, witness w) → M only when w ≥ t and w is a valid witness.

Security Properties for Positional WE
Positional Indistinguishability: if t is not a valid witness for φ, then:
Message Indistinguishability: for any m0, m1:

Deriving WE from Positional WE
For the scheme: encrypt to position 0.
For the security proof: hybrid over all 2^n positions. For a false statement φ, the chain consists of positional-indistinguishability steps and a message-indistinguishability step.

Positional iO

Security Properties for Positional iO

Building Positional WE
Since we want a simple assumption, we need to keep breaking down the problem. 3 parts in the ciphertext, each evaluated on the witness w:
Counter (count = t): 1 iff w < t.
CNF formula φ: 1 iff w doesn't satisfy φ.
Message (one bit): 1 iff message = 1.
The three outputs route into an OR gate, and the OR's output wire is the decryption result.
(Speaker notes: cut the text on the outputs; explain the need to build 4 things: these 3 plus a cryptographic OR gate.)

Constructing ORs of ANDs with Subgroups
Figure key: one marker = random, the other marker = identity.
(Speaker notes: fix typo "multilinear"; get rid of the words on this slide, at most one short phrase; make new slides after this to help describe how tribes is an abstraction of these subgroup-decision capabilities before defining tribes; explain the tribes name.)

Intermediary Goal: find a convenient "OR of ANDs" abstraction, general enough to build the counter, CNF, and message components.

Mid-layer Abstraction: Tribes Matrices
From Boolean function analysis: a "tribes" function is an OR of ANDs of disjoint sets of variables.
Representing an "OR of ANDs" Boolean function in a 3-d matrix (figure; the cell values read = 1, = 0, = 0, = 1 in this case).

Using Tribes Matrices
These are general enough to represent counters (threshold functions), CNFs, and messages; we can simply concatenate the matrices for the separate components.
An "encrypted" tribes matrix can be produced from multilinear maps.
Certain small changes to an encrypted tribes matrix can be reduced to the subgroup elimination assumption (these don't affect the overall Boolean function).
Can use a hybrid chain of small changes to increment the counter; this doesn't change the function because the CNF is unsatisfied.
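An added plaintext model (not from the paper or the slides) of the three OR'd pieces described above and of the positional hybrid chain from the "Deriving WE from Positional WE" slide. Each piece is written as an OR of AND terms; the functions `counter_terms`, `unsat_terms`, `message_terms` and `decrypt_wire`, the 3-bit witnesses and the two constructed formulas are this example's own. It checks that for a false statement every step t → t+1 leaves the output wire unchanged and that at position 2^n the message is hidden, while a step at a witness position changes the wire.

```python
from itertools import product

# Plaintext model of the three pieces OR'd together in a positional-WE ciphertext:
# each piece is a list of AND terms, each AND term a list of (variable index, bit).
# Constructed model; the paper's pieces are encrypted tribes matrices, not lists.

def eval_or_of_ands(terms, w):
    return any(all(w[v] == b for v, b in term) for term in terms)

def counter_terms(t, n):
    """Counter piece: 1 iff the n-bit witness w (MSB first) satisfies w < t."""
    if t >= 2 ** n:            # every n-bit w is below t: one empty AND = constant 1
        return [[]]
    t_bits = [(t >> (n - 1 - i)) & 1 for i in range(n)]
    # w < t iff for some i: w_i = 0, t_i = 1, and w agrees with t on all bits above i
    return [[(j, t_bits[j]) for j in range(i)] + [(i, 0)]
            for i in range(n) if t_bits[i] == 1]

def unsat_terms(cnf):
    """CNF piece: 1 iff some clause has every literal false; literal = (var, polarity)."""
    return [[(v, 1 - pol) for v, pol in clause] for clause in cnf]

def message_terms(m):
    """Message piece: 1 iff the one-bit message is 1 (empty OR = 0, one empty AND = 1)."""
    return [[]] if m == 1 else []

def decrypt_wire(w, t, cnf, m):
    """OR gate output: equals m exactly when w >= t and w satisfies cnf, otherwise 1."""
    terms = counter_terms(t, len(w)) + unsat_terms(cnf) + message_terms(m)
    return int(eval_or_of_ands(terms, w))

def positions_agree(t, cnf, n):
    """Hybrid step t -> t+1 is harmless: same output wire for every (w, m)."""
    return all(decrypt_wire(list(w), t, cnf, m) == decrypt_wire(list(w), t + 1, cnf, m)
               for w in product([0, 1], repeat=n) for m in (0, 1))

def message_hidden(t, cnf, n):
    """At position t the output wire does not depend on the message bit."""
    return all(decrypt_wire(list(w), t, cnf, 0) == decrypt_wire(list(w), t, cnf, 1)
               for w in product([0, 1], repeat=n))

def hybrid_chain_valid(cnf, n):
    """Walk positions 0 .. 2^n: every step harmless, then message hidden at 2^n."""
    return all(positions_agree(t, cnf, n) for t in range(2 ** n)) and message_hidden(2 ** n, cnf, n)

# Constructed formulas over x0, x1, x2 (polarity 1 = x_v, 0 = not x_v).
SAT_CNF = [[(0, 1), (1, 1), (2, 1)], [(0, 0), (1, 0), (2, 0)]]   # satisfiable: w = 011 works
UNSAT_CNF = [[(0, 1)], [(0, 0)]]                                  # x0 and not x0: false statement
```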

Back to Indistinguishability Obfuscation
The basic building blocks can be the same, e.g. the positional counter and the underlying tribes matrices. But now we don't have a formula! To increment the counter, we must leverage that the two programs agree on that input.

Core Idea: Kilian Argument "in a Subgroup"
Matrix Branching Program: input x = x1 x2 x3 …; each slot holds a pair of matrices (A_{i,0}, A_{i,1}); evaluate by multiplying one matrix per slot, selected by the corresponding input bit (the figure's slots read x1, x3, x2, …).
Kilian: randomize the matrices as A_{1,1} R1^{-1} · R1 A_{2,1} R2^{-1} · R2 A_{3,1} R3^{-1} · R3 A_{4,1}, and likewise A_{1,0} R1^{-1} · R1 A_{2,0} R2^{-1} · R2 A_{3,0} R3^{-1} · R3 A_{4,0}.
If only one matrix per slot is taken, the distribution is random up to the product.
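An added example (not code from the paper) of the Kilian randomization just described, over 2×2 matrices modulo a constructed prime: a 3-slot branching program is randomized as Ã_{i,b} = R_{i-1} A_{i,b} R_i^{-1}, its evaluation is unchanged, and `kilian_simulate` reproduces the distribution of the k selected matrices from their product alone. The parity program, the modulus and all function names are this example's own assumptions.

```python
import random
from itertools import product
P = 1_000_003             # constructed prime modulus; matrix entries live in Z_P
I2 = [[1, 0], [0, 1]]

def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) % P for j in range(2)] for i in range(2)]

def mat_inv(A):
    (a, b), (c, d) = A
    di = pow((a * d - b * c) % P, -1, P)       # modular inverse of the determinant
    return [[d * di % P, -b * di % P], [-c * di % P, a * di % P]]

def random_invertible():
    while True:
        A = [[random.randrange(P) for _ in range(2)] for _ in range(2)]
        if (A[0][0] * A[1][1] - A[0][1] * A[1][0]) % P:
            return A

def mat_product(mats):
    M = I2
    for A in mats:
        M = mat_mul(M, A)
    return M

def evaluate(bp, inp, x):
    """Multiply one matrix per slot, chosen by input bit x[inp[i]]; accept iff product is I."""
    return mat_product([A1 if x[inp[i]] else A0 for i, (A0, A1) in enumerate(bp)]) == I2

def kilian_randomize(bp):
    """A~_{i,b} = R_{i-1} A_{i,b} R_i^{-1} with R_0 = R_k = I: one-per-slot products telescope."""
    k = len(bp)
    R = [I2] + [random_invertible() for _ in range(k - 1)] + [I2]
    return [tuple(mat_mul(mat_mul(R[i], A), mat_inv(R[i + 1])) for A in pair) for i, pair in enumerate(bp)]

def kilian_simulate(M, k):
    """Kilian's simulator: k matrices with product M, distributed like the k selected matrices."""
    Q = [I2] + [random_invertible() for _ in range(k - 1)]
    return [mat_mul(Q[i], mat_inv(Q[i + 1])) for i in range(k - 1)] + [mat_mul(Q[k - 1], M)]

def randomization_preserves(bp, inp, n):
    rbp = kilian_randomize(bp)
    return all(evaluate(rbp, inp, x) == evaluate(bp, inp, x) for x in product((0, 1), repeat=n))

# Constructed 3-slot program: the swap matrix S on bit 1, identity on bit 0, so the
# product is S^(x0+x1+x2): the identity exactly when x has even parity.
S = [[0, 1], [1, 0]]
PARITY_BP, PARITY_INP = [(I2, S), (I2, S), (I2, S)], [0, 1, 2]
```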

How to Argue Security
We need a proof of indistinguishability: iO(C0) to iO(C1).
Use several "hybrid" steps, in each of which we want to switch out some part of the C0 computation for the C1 computation.
Idea: use Kilian's simulation to "switch" between C0 and C1 for a single input. Go over each input with 2^n hybrids, where n = input size.

Overall Reduction Strategy
The reduction will isolate each input. Main idea: have poly many "parallel" obfuscations, each responsible for a bucket of inputs.
Hybrid Type 1: allocate/transfer inputs among the different buckets, but the programs do not change at all. The assumption is used here.
Hybrid Type 2: when one bucket has only a single isolated input, apply Kilian and change the program. Information-theoretic; no assumption needed.
(Figure: buckets labelled C0, C0, C1.)

Overall Reduction Strategy (continued)
Lesson: the ability to make this (minor) change is actually important!
Hybrid Type 1 illustration. Consider the code:
If (x ≤ 37) then { return C0(x) } else if (x ≤ 39) { } else { return C1(x) }
(Figure: the input x = 38 falls in the middle bucket; buckets labelled C0, C0, C1, C1.) The rest of the slide repeats the previous one, with Hybrid Type 2 marked "no assumption needed*".

Hybrids Intuition
(Figure sequence: the randomized matrices M̃_{i,0}, M̃_{i,1}, i = 1, …, k, of the parallel obfuscations; starting from a single obfuscation of C0, then two copies C0 / C0, then C0 / C0 / C1, and finally a single obfuscation of C1.)
Once an input is isolated: all R matrices are independent for each obfuscation, so we can now use Kilian!

How to Transfer Inputs
(Figure: two parallel obfuscations C0 / C0, each with its own randomized matrices M̃_{i,0}, M̃_{i,1} for slots i = 1, …, k.)

Recall: Multilinear Subgroup Elimination Assumption
k-Mmap over a composite N with many large prime factors: one "special" prime factor c; k "distinguished" prime factors a1, a2, …, ak; poly many other primes.
Adversary gets level-1 encodings of: (random) generators of each prime subgroup except c; and, for each i, h_i: a random element of order c·(a1 a2 … a_{i-1} a_{i+1} … ak).
Hard for the adversary to distinguish a level-1 encoding of a random element T of order (a1 a2 … ak) from a level-1 encoding of a random element T of order c·(a1 a2 … ak).

How to Transfer Inputs (cheating)
(Figure: two parallel obfuscations C0 / C0 with matrices M̃_{i,0}, M̃_{i,1}, shown in the prime-a1 and prime-c subgroups.)
Use T to create the first-slot matrices M̃_{1,0}, M̃_{1,1}.
Use h_i, i ≠ 1, to create the rest (since they are the same in the c and a1 subgroups).
The "missing" a_i in h_i is used to enforce input consistency.
Key point: the program for each prime is fixed. The reduction can directly build all matrices; the assumption plays no role in the matrix choices.

Some Additional Details…
1. Constructing multilinear maps with composite-order subgroups: can be done with a variant of the [CLT13] approach.
2. Constructing a prime-order version: can be done using an eigenspace approach.
For details, see the full version of [GLW14] on eprint.

Questions?

Defining a Cryptographic Tribes Scheme

Building Positional WE from Tribes
We need to build each of these into a tribes matrix. 3 parts in a Positional WE ciphertext, each evaluated on the witness w:
Counter (count = t): outputs 1 iff w < t.
CNF formula φ: outputs 1 iff w doesn't satisfy φ.
Message (one bit): outputs 1 iff message = 1.

The Inter-column Security Game

Encoding a CNF Formula in a Tribes Matrix

How Subgroup Elimination Implies Inter-Column Security

Encoding a Counter in a Tribes Matrix

Linking the Counter/Formula/Message
Recall the parts of a Positional WE ciphertext: Counter (count = t), CNF formula φ, Message (one bit), plus a "scratch column" containing all 0's, useful for the proof.
The tribes matrix for M implements the OR of the count, formula, and message pieces.

Incrementing the Counter
When the formula φ is false, we want to increment the counter t using the inter-column security game.
φ false means some clause φ_j is false. We can use the j-th column of M_φ to justify some changes in M_t via inter-column security (for details, see the paper).

Instantiating Inter-column Security

Arranging the Subgroups

Example: n = 2
Challenge (figure): which of the two shown encodings is it? This is just a typical subgroup decision assumption in the bilinear setting.

The Multilinear Subgroup Elimination Assumption