Ciphertext-Policy Attribute-Based Encryption

1
How to Use Indistinguishability Obfuscation
Brent Waters
Amit Sahai
2
Code Obfuscation
Goal Make program (maximally) unintelligible
Obfuscator
2
3
Applications!
Demo or need to know software
Software Patching
Crypto galore Traitor Tracing, Functional
Encryption, Deniable Encryption,
3
4
Difficulty of Achieving Obfuscation

• Initial Functionalities
• Point Functions LPS04, and hyperplanes
  CRV10
• Explanation of existing functionalityOS05,
  HRSV07

Recent General candidate GGHRSW13 using
multilinear maps GGH13
What does this mean?
4
5
Idealized Obfuscation
Idea Learn nothing more than with black box
access
vs.

• Natural for applications, building crypto

• Some (contrived) counter-examples BGIRSVY 01

No broad candidate class of obfuscatable
functionalities
Generic group proofs BR13,BGKPS13
5
6
Indistinguishability Obfuscation
Idea Cannot distinguish between obfuscations of
two input/output equivalent circuits

• a (bc) vs. ab ac

• Avoids negative results of BGIRSVY01

• What is it good for?

7
Vision IO as hub for cryptography
Standard Assumption (e.g. LWE)
Indistinguishabilty Obfuscation
OWFs
This talk
Most of cryptography
7
8
How do we build public key encryption from
Indistinguishability Obfuscation?
9
Punctured Programs Technique

• Remove key element of program
• Attacker cannot win without it
• Does not change functionality

Punctured PRF key Kx eval PRF on all points,
but x
Security Cannot distinguish F(K,x) and random
given Kx
Special case of constrained PRFs
BW13,BGI13,KPTZ13 Build from GGM84
9
10
Initial Attempt
Setup Choose Punctured PRF key K, PK
obfuscation of
Problems (1) Program knows PRF at t (2) If
puncture out, will not be equivalent!
10
11
Simple PKE from iO
Setup Choose Punctured PRF key K, PK
obfuscation of
Encrypt(m) Choose random r input m,r into
program
Decrypt(K,CT(c1,c2))
Decryption is fast symmetric key
11
12
Proof of Encryption Scheme
Hyb 0 IND-CPA
12
13
Proof of Encryption Scheme
Hyb 0 IND-CPA
PRG security
Hyb 1 t is random
13
14
Proof of Encryption Scheme
Hyb 0 IND-CPA
PRG security
Hyb 1 t is random
iO security
Hyb 2 Use Kt
14
15
Proof of Encryption Scheme
Hyb 0 IND-CPA
PRG security
Hyb 1 t is random
iO security
Hyb 2 Use Kt
Punctured PRF security
Hyb 3 Replace F(K,t) w/ z
15
16
A Very Simple CCA-KEM
Setup Choose Punctured PRF key K, PK
obfuscation of
Encrypt Choose random r, give as input
Decrypt(K,c)
16
17
How about signatures?
18
Natural Candidate
Setup Choose Punctured PRF key K, VK
obfuscation of
Works with heuristic, but how to prove??
18
19
A Signature Scheme
Setup Choose Punctured PRF key K, VK
obfuscation of
f is a OWF
Sign(K,m)
Verify(VK,m,s) Input m,s into verify program
Signing is fast symmetric key
19
20
Proof of Signature Scheme
Hyb 0 (Selective) Signature Security GMR84
20
21
Proof of Signature Scheme
Hyb 0 (Selective) Signature Security GMR84
iO security
Hyb 1 Punctured Program
21
22
Proof of Signature Scheme
Hyb 0 (Selective) Signature Security GMR84
iO security
Hyb 1 Punctured Program
Punctured PRF security
Hyb 2 z random
22
23
Other Core Primitives

• NIZKsBDMP91
• Sign x if x is in L
• Succinct proofs

Semi Honest Oblivious TransferR81
Injective Trapdoor Functions
Simple CCA secure KEM
23
24
The rest of the talk

1. Deniable Encryption

(2) Functional Encryption GGHRSW13
(3) Open Directions
24
25
Deniable Encryption
26
Deniable Encryption CDNO97
Anthony
Enc(PK, m ,r) -gt CT
Demands message and randomness!
Fake r where
Enc(PK, m ,r) -gt CT
Best solutions attacker adv. 1/n, n size of pub
key Problematic for encrypting many messages
26
27
Publicly Deniable Encryption Anyone can explain!
Setup(n) -gt PK,SK
Decrypt(SK,c) -gt m
Encrypt(PK,mu)-gt c
Explain(PK,c,mr) -gt u
Two security properties (implies standard
deniable)
(1) IND-CPA Security
(2) Indistinguishability of Explanation
Single message game
Advantage of separation Simpler proofs
27
28
Hidden Sparse Triggers
Idea Negligible fraction of random space are
trigger values that cause bypass normal
encryption to specific value
Explain(PK, C) Encoding of C in Hidden Trigger
Set
Encrypt(PK,mu) Checks if randomness in trigger
set If yes, decrypts encoding to CT else does
fresh encrypt
Randomness Space
Hidden triggers
28
29
An Attempt and Malleability Issues
Explain
Malleability Attack!
Encrypt
29
30
Our Deniable Encryption System
Explain
Encrypt
30
31
Proof Overview
IND-CPA Proof Simple proof obfuscation not used

• Explainability
• Encoding Look like random string non-malleable
• Intricate multistep hybrid proof

31
32
Using Deployed Keys

• Receiver may
• Already have established key
• Be disinterested/uninterested in D.E.

• Universal Deniable Encryption D.E. to ordinary
  keys
• One time (uncorrupted) trusted setup
• Use to deniably encrypt to any PK
• Takes Encryption function as input

32
33
Functional Encryption
34
Functional Encryption SW05
Functionality Learn f(x) x is hidden
Collusion Resistance core to concept! (Like IBE)
Collusion Bounded Applications SS10, PRV12,
AGVW13, GKVPZ13
Key f
CT x
34
35
An Application Facial Identification
35
36
Tools

• Statistically Simulation Sound NIZKs
• Statistically sound except for simulated
  statement
• Build from WI proofs

Two Key Technique NY90,S99
36
37
Functional Encryption System GGHRSW13
Setup Generate two keys pairs (PK1,SK1),
(PK2,SK2) output CRS from NIZK setup
Encrypt(PP,m) Encrypt m under each of PK1, PK2,
generate proof p of this
KeyGen(SK1,f) Obfuscate program
Decrypt(CT, SKf) Run obfuscated program on CT
37
38
Proof Overview
Challenge CT
Keys
38
39
Step 1
Challenge CT
Keys
NIZK security
39
40
Step 2
Challenge CT
Keys
IND-CPA security
40
41
Step 3
Challenge CT
Keys
IO security
41
42
Step 4
Challenge CT
Keys
IND-CPA security
42
43
Step 5
Challenge CT
Keys
IO security
43
44
Step 6
Challenge CT
Keys
NIZK security
44
45
Evolution of Functional Encryption
Sahai-Waters 2005 Introduction of
Attribute-Based Encryption
GPSW 2006 Access Control (ABE) for any boolean
formula
BW 2007, KSW08 Predicate Encryption dot
product functionality
Talks 2008 Rebranded as Functional Encryption
, BSW11 reformalized (BSW11O10 added simulation
def.)
GGHSW13/GVW13 ABE for circuits
FE at 2013 Still Inner Product ( Applications)
Best we can do with bilinear maps
GGHRSW 2013 Functional Encryption for any circuit
45
46
Evolution of Functional Encryption
Obfuscation
46
47
Looking Forward
48
Explosion of Obfuscation
Late July GGHRSW13, SW13 eprint
4 months later

• Replacing a Random Oracle Full Domain Hash From
  Indistinguishability Obfuscation HSW
• Obfuscating Branching Programs Using Black-Box
  Pseudo-Free Groups CV
• Virtual Black-Box Obfuscation for All Circuits
  via Generic Graded Encoding BR
• Two-round secure MPC from Indistinguishability
  Obfuscation GGSR
• Protecting Obfuscation Against Algebraic Attacks
  BGKPS
• Indistinguishability Obfuscation vs.
  Auxiliary-Input Extractable Functions One Must
  Fall BCPR
• Multiparty Key Exchange, Efficient Traitor
  Tracing, and More from Indistinguishability
  Obfuscation BZ
• There is no Indistinguishability Obfuscation in
  Pessiland MR
• On Extractability Obfuscation BCP
• A Note on the Impossibility of Obfuscation with
  Auxiliary Input GK
• Separations in Circular Security for Arbitrary
  Length Key Cycles RVW
• Obfuscation for Evasive Functions BBCKPS
• Differing-Inputs Obfuscation and Applications
  ABGSZ
• More on the Impossibility of Virtual-Black-Box
  Obfuscation with Auxiliary Input BCPR
• Multi-Input Functional Encryption GGJS
• Functional Encryption for Randomized
  FunctionalitiesGJKS
• Obfuscation-based Non-black-box Simulation and
  Four Message Concurrent Zero Knowledge for NP
  PPS
• Multi-Input Functional Encryption GKLSZ
• Obfuscation from Semantically-Secure Multi-linear
  Encodings PTS

48
49
My Probabilities
38
I will make it to Weizmann in Dec.
Indistinguishability Obfuscation from LWE-type
assumption in 4 years
63
95
Amit eprints an obfusction paper in next 2 months
49
50
Thank you