Presentation is loading. Please wait.

Presentation is loading. Please wait.

Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit.

Published byMeagan Stevens Modified over 9 years ago

Similar presentations

Presentation on theme: "Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit."— Presentation transcript:

1 Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit Sahai UCLA Brent Waters UT-Austin

2 Witness Encryption [GGSW13]
Encrypt message under NP statement Satisfying assignment for Á 3-CNF formula Á is satisfiable Á M Correctness: can decrypt using a witness Security: if statement is false, message is hidden.

3 Applications of Witness Encryption
PKE with fast key generation Identity-based encryption Attribute-based encryption for circuits Attribute-based encryption for Turing Machines [GKPVZ13]

4 Indistinguishability Obfuscation
Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits a (b+c) vs. ab + ac Avoids negative results of [BGIRSVY01] But what is it good for?

5 Applications of iO Demo or “need to know” software Vision: + OWFs
Indistinguishabilty Obfuscation + OWFs Software Patching “Most” of cryptography Crypto, old and new: Traitor Tracing, Functional Encryption, Deniable Encryption, …

6 The First Candidate Schemes
WE from multilinear maps [GGSW13]: + Simple, intuitive construction - Assumption essentially matches scheme iO from multilinear maps [GGHRSW13], and later [BR13, BGKPS14, PST14] - Generic group security or scheme structure embedded in the assumption Goal: Reductions to Simple Assumptions

7 The Assumption: Multilinear Subgroup Elimination
k-Mmap over composite N, with many large prime factors: One “special” prime factor c k “distinguished” prime factors a1, a2, …, ak poly other primes Adversary gets Level-1 encodings: (random) generators of each prime subgroup, except c hi : random element of order c(a1a2…ai-1ai+1…ak) Hard for Adversary to distinguish Level-1 encoding of: Random element T of order (a1a2…ak) vs. Random element T of order c(a1a2…ak)

8 Obstacle to Using a Simple Assumption for WE
Imagine a typical reduction to a simple assumption: true CT for false statement Simulate With Witness Hard Problem Attacker decrypt Reduction What if reduction could be fooled into working for a true statement? It seems reduction needs to “check” the statement is false.

9 Analogous Obstacle for iO
Obfuscation for 2 equal programs unequal Simulate by testing on a differing input Hard Problem Attacker decrypt Reduction What if reduction could be fooled into working on two programs that differ on some input? It seems reduction needs to “check” that the programs agree everywhere.

10 Our Approach: Positional WE
Algorithms: Suppose potential witnesses are bit strings of length n (think of as ordered). Encrypt(message M, position t, statement Á)  CT Á,t M Decrypt( CT, witness w)  M only when w ¸ t and w is a valid witness

11 Security Properties for Positional WE
Positional Indistinguishability: If t is not a valid witness for Á, then: Message Indistinguishability: For any m0, m1:

12 Deriving WE from Positional WE
For scheme: Encrypt to position 0 For security proof : hybrid over all 2n positions For a false statement f: Positional Indist. Message Indist. Positional Indist.

13 Positional iO

14 Security Properties for Positional iO

15 Building Positional WE
Since we want a simple assumption, we need to keep breaking down the problem: 3 parts in Ciphertext: w Count = t 1 iff w < t Counter CNF formula Message (one bit) 1 iff w doesn’t satisfy Á w Cut text on outputs route into an OR gate and output wire is decryption Explain need to build 4 things – these 3 + cryptographic OR gate. formula Á OR Decryption 1 iff message = 1 Message

16 Constructing ORs of ANDs with Subgroups
Key: = random = identity Fix typo “multilinear”, get rid of words on this slide – at most one short phrase Make new slides after this to help describe how tribes is an abstraction of these subgroup decision capabilities before defining tribes Explain tribes name

17 Intermediary Goal: find a convenient “OR of ANDs” abstraction general enough to build a counter, CNF, and message components

18 Mid-layer Abstraction: Tribes Matrices
From boolean function analysis: A “tribes” function is an OR of ANDs of disjoint sets Representing an “OR of ANDS” boolean function in a 3-d matrix: = 1 = 0 = 0 = 1 in this case

19 Using Tribe Matices These are general enough to represent
counters (threshold functions), CNFs, and messages. Can simply concatenate matrices for the separate components An ``encrypted” tribe matrix can be produced from multilinear maps Certain small changes to an enrypted tribes matrix can be reduced to the subgroup elimination assumption (these don’t affect the overall Boolean function) Can use a hybrid chain of small changes to increment counter, Doesn’t change the function b/c CNF is unsatisfied

20 Back to Indistinguishability Obfuscation
Basic building blocks can be the same – e.g. positional counter, underlying tribes matrices But now we don’t have a formula! To increment the counter, we must leverage that two programs agree on that input.

21 Core Idea: Kilian Argument “in a Subgroup”
Matrix Branching Program: Kilian: randomize matrices A1,1 R1-1 R1 A2,1 R2-1 R2 A3,1 R3-1 R3 A4,1 A1,0 R1-1 R1 A2,0 R2-1 R2 A3,0 R3-1 R3 A4,0 If only take one matrix per slot, distribution random up to product x1 x3 x2 Input: x1 Evaluate by multiplying one matrix per slot, Selected by corresponding input bit

22 How to Argue Security We need proof of indistinguishability: iO(C0) to iO(C1) Use several “hybrid” steps, where want to switch out some part of C0 computation with C1 computation. Idea: Use Kilian’s simulation to “switch” between C0 and C1 for a single input. Go over each input with 2n hybrids, where n=input size.

23 Overall Reduction Strategy
Reduction will isolate each input. Main idea: Have poly many “parallel” obfuscations, each responsible for a bucket of inputs Hybrid Type 1: Allocate/Transfer inputs among different buckets, but programs do not change at all. Assumption used here. Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program. Information-theoretic / No Assumption needed. C0 C0 C1 Thank you.

24 Overall Reduction Strategy
Lesson: Ability to make this (minor) change is actually important! Overall Reduction Strategy Hybrid Type 1 Illustration. Consider the code: If (x ≤ 37) then { return C0(x) } else if (x ≤ 39) { } else { return C1(x) } Reduction will isolate each input. Main idea: Have poly many “parallel” obfuscations, each responsible for a bucket of inputs Hybrid Type 1: Allocate/Transfer inputs among different buckets, but programs do not change at all. Assumption used here. Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program. Information-theoretic / No Assumption needed*. x 38 C0 C0 C1 C1 Thank you.

25 Hybrids Intuition C0 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ M1, 0 M1, 1 M2, 0 M2, 1 M3, 0
Mk, 0 ~ Mk, 1 ~

26 Hybrids Intuition C0 C0 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ M1, 0
Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~

27 Hybrids Intuition C0 C0 C0 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
M1, 1 ~ M1, 0 ~ M1, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M4, 0 ~ M4, 1 ~ M4, 0 ~ M4, 1 ~ M4, 1 ~ Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~ Mk, 0 ~

28 Hybrids Intuition C0 C0 C1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
All R matrices are independent for each obfuscation. Can now use Kilian ! Hybrids Intuition C0 C0 C1 M1, 1 ~ M1, 0 ~ M1, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M4, 0 ~ M4, 1 ~ M4, 0 ~ M4, 1 ~ M4, 1 ~ Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~ Mk, 0 ~

29 Hybrids Intuition C1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ M1, 0 M1, 1 M2, 0 M2, 1 M3, 0
M4, 0 ~ M4, 1 ~ Mk, 0 ~ Mk, 1 ~

30 How to Transfer Inputs C0 C0 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
M1, 0 ~ M1, 1 ~ M1, 0 ~ M1, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M2, 1 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M3, 1 ~ M4, 0 ~ M4, 1 ~ M4, 0 ~ M4, 1 ~ Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~

31 Recall: Multilinear Subgroup Elimination Assumption
k-Mmap over composite N, with many large prime factors: One “special” prime factor c k “distinguished” prime factors a1, a2, …, ak poly other primes Adversary gets Level-1 encodings: (random) generators of each prime subgroup, except c hi : random element of order c(a1a2…ai-1ai+1…ak) Hard for Adversary to distinguish Level-1 encoding of: Random element T of order (a1a2…ak) vs. Random element T of order c(a1a2…ak)

32 How to Transfer Inputs (cheating)
Prime a1 Prime c Use T to create these C0 C0 M1, 0 ~ M1, 1 ~ M1, 0 ~ M1, 1 ~ Use hi, i≠1 to create rest (since they are the same in c and a1 subgroups) M2, 0 ~ M2, 1 ~ M2, 0 ~ M2, 1 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M3, 1 ~ “Missing” ai in hi used to enforce input consistency. M4, 0 ~ M4, 1 ~ M4, 0 ~ M4, 1 ~ Key point: The programs for each prime is fixed. The reduction can directly build all matrices. Assumption plays no role in matrix choices. Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~

33 Some Additional Details…
1. Constructing multilinear maps w/ composite order subgroups: Can do with a variant of the [CLT13] approach 2. Constructing a prime order version: Can do using an eigenspace approach For details, see the full version of [GLW14] on eprint.

34 Questions?

35 Defining a Cryptographic Tribes Scheme

36 Building Positional WE from Tribes
We need to build each of these into a Tribes matrix 3 parts in a Positional WE Ciphertext: Outputs 1 iff w < t w Counter CNF formula Message (one bit) Count = t Outputs 1 iff w doesn’t satisfy Á w formula Á Message Outputs 1 iff message = 1

37 The Inter-column Security Game
1

38 Encoding a CNF Formula in a Tribes Matrix

39 How Subgroup Elimination Implies Inter-Column Security
1

40 Encoding a Counter in a Tribes Matrix

41 Linking the Counter/Formula/Message
Recall: parts or a Positional WE Ciphertext: Counter CNF formula Message (one bit) Count = t “scratch column,” contains all 0’s, Useful for proof formula Á Message Tribes for M implements OR of count, formula, and message pieces

42 Incrementing the Counter
When formula Á is false, we want to increment counter t using inter-column security game Á false means some clause Áj is false Can use the jth column of MÁ to justify some changes in Mt via inter-column security (for details, see the paper)

43 Instantiating Inter-column Security

44 Arranging the Subgroups

45 Example: n = 2 Challenge: or ?
This is just a typical subgroup decision assumption in the bilinear setting.

46 The Multilinear Subgroup Elimination Assumption

Download ppt "Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit."

Similar presentations

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
NP-Hard Nattee Niparnan.

NP-Hard Nattee Niparnan.
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Dual System Encryption: Concept, History and Recent works Jongkil Kim.

Dual System Encryption: Concept, History and Recent works Jongkil Kim.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Amit Sahai May 9, 2014 Aarhus Institute of Advanced Studies Advances in Obfuscation.

Amit Sahai May 9, 2014 Aarhus Institute of Advanced Studies Advances in Obfuscation.
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.

Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.
1 Adaptive Witness Encryption and Asymmetric Password-based Cryptography PKC 2015 March 31, 2015 Mihir Bellare UC San Diego Viet Tung Hoang University.

1 Adaptive Witness Encryption and Asymmetric Password-based Cryptography PKC 2015 March 31, 2015 Mihir Bellare UC San Diego Viet Tung Hoang University.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
1 Polynomial Church-Turing thesis A decision problem can be solved in polynomial time by using a reasonable sequential model of computation if and only.

1 Polynomial Church-Turing thesis A decision problem can be solved in polynomial time by using a reasonable sequential model of computation if and only.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
1 Analysis of the Linux Random Number Generator Zvi Gutterman, Benny Pinkas, and Tzachy Reinman.

1 Analysis of the Linux Random Number Generator Zvi Gutterman, Benny Pinkas, and Tzachy Reinman.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

Similar presentations

Ads by Google