Shai Halevi – IBM Research PKC 2014 Multilinear Maps and Obfuscation A Survey of Recent Results.


1 Shai Halevi – IBM Research PKC 2014 Multilinear Maps and Obfuscation A Survey of Recent Results

2 Prologue
- We are in the midst of (yet another) “quantum leap” in our cryptographic capabilities
- Things that were science fiction just two years ago are now plausible
  - General-purpose functional encryption
  - Crypto-strength code obfuscation
  - …
- Fueled by new powerful building blocks
  - Combination of Homomorphic Encryption (HE) and Cryptographic Multilinear Maps (MMAPs)

3 This Talk
- Overview of the main new tool
  - Constructing MMAPs using “HE techniques”
- And application to obfuscation
- There are many others
  - Witness Encryption
  - Full-Domain Hash
  - Functional Encryption
  - …
- not today

4 Chapter One: Multilinear Maps

5 Starting Point: DL-based Crypto

6 To use DH in applications, ensure that:
- legitimate parties only compute linear functions
- adversary needs to compute/check quadratics
Some examples: Diffie-Hellman key exchange, ElGamal Encryption, Cramer-Shoup CCA-Secure Encryption, Naor-Reingold PRF, Efficient ZKPs, …

7 Beyond DDH: Bilinear Maps [J00,SOK00,BF01]
- In bilinear-map groups you can compute quadratic functions in the exponent
  - But computing/checking cubics is hard
- Now the legitimate parties can do a lot more
- Leads to new capabilities
  - Identity-based encryption (IBE)
  - Predicate encryption (for simple predicates)
  - Efficient non-interactive zero-knowledge proofs
  - …

8 Why Stop at Two?

9 The [GGH’13] Approach to MMAPs

10 MMAPs vs. SWHE
[Table columns: MMAPs, SWHE]

11 Main Ingredient: Testing for Zero

12 Bird-Eye View of [GGH’13]

13 Graded Encoding Schemes

14

15 Some Variants

16 Hardness Assumptions

17 A Few Words About Performance

18 Take-Home from Chapter One

19 Chapter Two: Obfuscation

20 Code Obfuscation
- Encrypting programs, maintaining functionality
  - Only the functionality should be “visible” in the output
- Example of recreational obfuscation:

    @P=split//,".URRUU\c8R";@d=split//,"\nrekcah xinU / lreP rehtona tsuJ";sub p{
    @p{"r$p","u$p"}=(P,P);pipe"r$p","u$p";++$p;($q*=2)+=$f=!fork;map{$P=$P[$f^ord
    ($p{$_})&6];$p{$_}=/ ^$P/ix?$P:close$_}keys%p}p;p;p;p;p;map{$p{$_}=~/^[P.]/&&
    close$_}%p;wait until$?;map{/^r/&&<$_>}%p;$_=$d[$q];sleep rand(2)if/\S/;print

  -- Wikipedia, accessed Oct-2013
- Rigorous treatment [Hada’00, BGIRSVY’01,…]

21 Why Obfuscation?
- Hiding secrets in software
[Figure: AES encryption; labels: Plaintext, Ciphertext; image source: strutpatent.com]

22 Why Obfuscation?
- Hiding secrets in software
  - AES encryption → Public-key encryption
[Figure: obfuscated program (the Perl text shown on slide 20); labels: Plaintext, Ciphertext]

23 Why Obfuscation?
- Hiding secrets in software
- Distributing software patches
[Figure labels: Vulnerable program, Patched program; the patch is shown as the diff text below]
1,2d0 < The Way that can be told of is not the eternal Way; < The name that can be named is not the eternal name 4c2,3 < The Named is the mother of all things. --- > The named is the mother of all things. 11a11,13 > They both may be called deep and profound. > Deeper and more profound, > The door of all subtleties!

24 Why Obfuscation?
- Hiding secrets in software
- Distributing software patches while hiding vulnerability
[Figure labels: Vulnerable program, Patched program; the patch is shown as an obfuscated program (the Perl text shown on slide 20)]

25 Why Obfuscation?
- Hiding secrets in software
- Uploading my expertise to the web
[Figure: Game of Go; label: Next move; image source: http://www.arco-iris.com/George/images/game_of_go.jpg]

26 Why Obfuscation?
- Hiding secrets in software
- Uploading my expertise to the web without revealing my strategies
[Figure: Game of Go; label: Next move; the program is shown as an obfuscated program (the Perl text shown on slide 20)]

27 Defining Obfuscation
- Want the output to reveal only functionality
  - E.g., If prog. depends on secrets that are not readily apparent in I/O, then the encrypted program does not reveal these secrets
- [B+01] show that this is impossible in general
  - Thm: If secure encryption exists, then there are secure encryption schemes for which it is possible to recover the secret key from any program that encrypts.
  - Such encryption schemes are unobfuscatable

28 Defining Obfuscation
- Okay, some functions are bad, but can we do “as well as possible” on every given function?
- [B+01] suggested the weaker notion of “indistinguishability obfuscation” (iO)
  - Gives the “best-possible” guarantee [GR07]
  - It turns out to suffice for many applications (examples in [GGH+13, SW13,…])

29 Defining Obfuscation [B+01]

30 Obfuscation vs. HE
- Somewhat reminiscent of MMAPs vs. HE…
[Figure: two panels. “Obfuscation”: F and x give F(x), result in the clear. “Encryption”: F and x give F(x), result encrypted.]

31 Obfuscation from MMAPs, 1st Try

32 1st Try Does Not Work
- Attack: comparing intermediate values
  - Checking if two intermediate wires carry same value
  - Checking if the computation on two different inputs yields the same value on some intermediate wire
- If two equal intermediate values ever happen, they can be recognized using zero-test
- Must randomize all intermediate values in all the computations
  - But such that the final result can still be recognized

33 Construction Outline
- Describe Circuits as Branching Programs (BPs) using Barrington’s theorem [B86]
- Randomized BPs (RBPs) a-la-Kilian [K88]
- Additional randomization to counter “simple relations”
- Encode RBPs “in the exponent” using MMAPs
- Use zero-test to get the output
- This allows obfuscating shallow circuits (NC1)
- Another transformation (using FHE) to get all circuits

34 (Oblivious) Branching Programs
- A specific way of describing a function
- This length-9 BP has 4-bit inputs
[Figure: two rows of matrices, A_{1,0} … A_{9,0} and A_{1,1} … A_{9,1}; input shown: 0]

35 (Oblivious) Branching Programs
- A specific way of describing a function
- This length-9 BP has 4-bit inputs
[Figure: two rows of matrices, A_{1,0} … A_{9,0} and A_{1,1} … A_{9,1}; input shown: 01]

36 (Oblivious) Branching Programs
[Figure: two rows of matrices, A_{1,0} … A_{9,0} and A_{1,1} … A_{9,1}; input shown: 0110]

37 (Oblivious) Branching Programs

38 Kilian’s Randomized BPs
[Figure: matrices A_{1,0} … A_{6,0} and A_{1,1} … A_{6,1}, with matrices B_{1,0} … B_{6,0} and B_{1,1} … B_{6,1}]

39 Kilian’s Randomized BPs
[Figure: same matrix labels as slide 38]

40 Kilian’s Protocol → BP-Obfuscation?

41 “Partial Evaluation” Attacks

42 “Mixed Input” Attack
[Figure labels: B_{2,0}, B_{4,1}]
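The randomization and the mixed-input problem of slides 38–42, as an added example that is not taken from the talk: a length-4 oblivious BP for x0 AND x1 over 2×2 matrices modulo a toy prime, randomized in the standard form of Kilian's step [K88]. The program, the modulus, the simplification R[0] = R[n] = I and every function name are assumptions made for the illustration.

```python
import random

P = 101                      # toy prime modulus (constructed parameter)
I2 = ((1, 0), (0, 1))

def mul(X, Y):
    return tuple(tuple(sum(X[i][k] * Y[k][j] for k in range(2)) % P
                       for j in range(2)) for i in range(2))

def inv(X):
    (a, b), (c, d) = X
    t = pow((a * d - b * c) % P, -1, P)          # 1/det mod P
    return ((d * t % P, -b * t % P), (-c * t % P, a * t % P))

def rand_invertible(rng):
    while True:
        X = tuple(tuple(rng.randrange(P) for _ in range(2)) for _ in range(2))
        if (X[0][0] * X[1][1] - X[0][1] * X[1][0]) % P:
            return X

# Oblivious BP for x0 AND x1 (constructed): step i reads bit READS[i] and
# multiplies in A[i][bit]; the product is the commutator G*H*G^-1*H^-1
# when both bits are 1 and the identity otherwise.
G, H = ((1, 1), (0, 1)), ((1, 0), (1, 1))        # non-commuting matrices
READS = [0, 1, 0, 1]
A = [(I2, G), (I2, H), (I2, inv(G)), (I2, inv(H))]

def chain(mats, choices):
    """Multiply one matrix per step, as selected by `choices`."""
    out = I2
    for step, bit in zip(mats, choices):
        out = mul(out, step[bit])
    return out

def evaluate(mats, x):
    """Honest evaluation: output 1 iff the product is not the identity."""
    return int(chain(mats, [x[r] for r in READS]) != I2)

def kilian(mats, rng):
    """B[i][b] = R[i]^-1 * A[i][b] * R[i+1], with R[0] = R[n] = I."""
    R = [I2] + [rand_invertible(rng) for _ in mats[1:]] + [I2]
    return [tuple(mul(mul(inv(R[i]), m), R[i + 1]) for m in step)
            for i, step in enumerate(mats)]

B = kilian(A, random.Random(2014))
# Mixed input: step 0 uses x0=1 but step 2 uses x0=0. The R's still cancel,
# so the randomized program yields the same product as the plain one (= G).
MIXED = chain(B, [1, 1, 0, 1])
```

Because the R matrices cancel for every selection of one matrix per step, the randomization alone cannot tell a consistent input from a mixed one.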

43 Countering “Simple Relations”
- Additional randomization steps
- Different works use slightly different forms of additional randomization
  - “Multiplicative bundling” [GGHRHS’13, BR’13]
  - “Straddling” [BGKPS’13, PTS’14]
  - “Abelian component” [CV’13]
- Can conjecture [GGHRHS’13, BR’13] or prove [BGKPS’13, CV’13, PTS’14] that no simple relations exist

44 Completing the construction

45 Security of Obfuscation

46 A Word About Performance

47 Take-Home from Chapter Two
We can obfuscate a computation by:
1. Randomizing the internal values
2. Putting the randomized values “in the exponent” and computing on them using MMAPs

48 Future Directions
- We only have two MMAPs candidates, and just one approach for using them in obfuscation
  - Hard to develop a theory from so few sample points
- We need better formal notions of obfuscation
  - Current notions (such as iO) do not capture our intuition, not even for what the current constructions achieve
- Faster constructions
  - Complexity of current constructions is scary
- Applications
  - Already have a bunch, the sky is the limit…

49 Thank You Questions?

50 Witness Encryption [GGSW’13]
- A truly “keyless encryption”
- Can encrypt relative to any arbitrary “riddle”
- Defined here relative to exact-cover (XC)
  - XC is NP-complete, so we can translate any “riddle” to it

51 Recall Exact Cover
[Figure: universe 1 2 3 4 5; sets {1,2,3} {2,4,5} {1,4} {2,3,5}]

52 Witness Encryption
- Message encrypted w.r.t. an XC instance
  - Encryptor need not know a solution
  - Or even if a solution exists
- Anyone with a solution can decrypt
- Secrecy ensured if no solution exists
[Figure: universe 1 2 3 4 5 with sets {1,2,3} {2,4,5} {1,4} {2,3,5}, labelled “Decryptable”; universe 1 2 3 4 5 with sets {1,2,3} {2,4,5} {1,4} {2,3,4,5}, labelled “Secret”]

53 Witness Encryption Using MMAPs
[Figure: universe 1 2 3 4 5; sets {1,2,3} {2,4,5} {1,4} {2,3,5}]

54 Witness Encryption Using MMAPs
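A mock of the scheme on slides 50–53, added here as an illustration and not taken from the talk: following the [GGSW’13] outline, the encryptor picks a secret a_j per universe element, publishes a level-|S| encoding of the product of the a_j over each set S, and pads the message with a key extracted from the level-n encoding of the product of all a_j. The (level, value) tuples only imitate the interface of graded encodings and hide nothing; Q, the SHA-256 extraction and all function names are assumptions.

```python
import hashlib
import random
from itertools import combinations

Q = 2**61 - 1   # prime modulus for the mock encodings (constructed parameter)

# The two exact-cover instances from slide 52, over the universe {1..5}.
XC_SOLVABLE = [{1, 2, 3}, {2, 4, 5}, {1, 4}, {2, 3, 5}]
XC_UNSOLVABLE = [{1, 2, 3}, {2, 4, 5}, {1, 4}, {2, 3, 4, 5}]

def exact_covers(n, sets):
    """Brute force: index tuples whose sets partition {1..n}."""
    full = set(range(1, n + 1))
    return [idx for r in range(1, len(sets) + 1)
            for idx in combinations(range(len(sets)), r)
            if sum(len(sets[i]) for i in idx) == n
            and set().union(*(sets[i] for i in idx)) == full]

def extract(enc, n):
    """Mock of top-level extraction: only a level-n encoding gives a key."""
    level, value = enc
    if level != n:
        raise ValueError("not a top-level encoding")
    return hashlib.sha256(str(value).encode()).digest()

def encrypt(n, sets, msg, rng):
    """Publish one encoding per set; pad msg (<= 32 bytes) with the key."""
    a = [rng.randrange(2, Q) for _ in range(n + 1)]    # a[1..n], one per element
    def enc(S):                                        # (level |S|, prod a_j)
        value = 1
        for j in S:
            value = value * a[j] % Q
        return (len(S), value)
    key = extract(enc(range(1, n + 1)), n)
    return [enc(S) for S in sets], bytes(m ^ k for m, k in zip(msg, key))

def decrypt(n, ct, witness):
    """Multiply the encodings named by the witness: levels add, values multiply."""
    encs, pad = ct
    level, value = 0, 1
    for i in witness:
        level, value = level + encs[i][0], value * encs[i][1] % Q
    key = extract((level, value), n)
    return bytes(c ^ k for c, k in zip(pad, key))
```

An exact cover uses every element once, so the multiplied encodings land at level n with the value a_1⋯a_n; a selection whose set sizes do not sum to n never reaches the top level.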

55 Security of Witness Encryption *

