Indistinguishability Obfuscation from Low-Degree Multilinear Maps and (Blockwise) Local PRGs [Lin16b, LT17, To appear, Crypto 17] Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro
Circuit Obfuscation Compile a circuit C into Ĉ that preserves functionality, and is unintelligible (resistant to reverse engineering) x C Obfuscator O x Ĉ y = C(x) y = C(x)
Indistinguishability Obfuscator io [BGI+01] Which one of two equivalent circuits C 1 C 2 is obfuscated? C 1 C 2, meaning Same size C 1 = C 2 Same truth table TB(C 1 ) = TB(C 2 ) { } { } io (C1) io (C2)
Balancing at the border of (in)security Candidate io [GGHRSW13,BR14,BGKPS14,PST14,GLSW14,AGIS14,Zim15, AB15,GMMSSZ16,DGGMM16,Lin16,LV16,AS16,Lin16b,LT17] Graded Encodings [GGH13] Direct Attack [MSZ16,ADGM1 7,CGH17] Candidates [GGH13,CLT13, GGH15,CLT15] Zeroizing Attacks [GGH13,CHL15, GHMS14,BWZ14, CGH15]
What objects and assumptions imply IO? Beefing Up Security Reduction Heavy GES Local PRG Light GES
Degree-L of GES Support evaluation of degree-l polynomials More secure Potentially easier to find algebraic instantiation High-deg GES Low-deg GES What power do low-deg GES have? Also, weaker functionality and security
Deg-poly GES [GGHRSW13.] Ideal model ~ Uber assump [PST14] MSEA [GLSW14,GGHZ16 + AJ15/BV15] Deg-O(1) GES [Lin16] DDH-like joint-sxdh [LV16] Deg-5 GES [AS16] Close to ideal model security Deg-5 MMap [Lin16b] SXDH Deg-3 MMap [LT17] SXDH Bilinear Map Locality O(1) PRG Locality 5 PRG Locality 4 PRG Impossible [MST03] Block Locality 3 PRG Block Locality 2 PRG Impossible [LV17,BBKK17]
(Asymmetric) Multilinear Maps [BS03,Rot13] Encode in group G L : [a] L = g a L Multiply: [a 1 ] [a i ] 1 i [a j ] j [a D ] D [a 1 a D ] D+1 Degree d (d = 2, Bilinear map ) Add/Sub: [a i ] L [a j ] L [a i + a j ] L Zero-Test (ZT): ZT( [a] L ) = 1 iff a = 0
Deg-d Mmap vs Deg-d GES [a 1 ] 1 Pairable [a i ] i [a j ] j [a n ] d [a 1 ] [a i ] Li [a j ] L1 Lj [a n ] Ln GES is stronger Functionality-wise: Support evaluation of more polynomials Security-wise: More control on what polynomials are prohibited label
[a 1 a 5 ] 6 [a 1 ] 1 [a 2 ] 2 [a 3 ] 3 [a 4 ] 4 [a 5 ] 5 SXDH: Classical DDH on EACH label source group { [a] L [b] L [ab] L } { } [a] L [b] L [r] L a, b, r ß R given { [1] } L L [5]
* In the rest of the talk, implicitly assume sub-exp security Main Theorem [Lin16b]: a construction of (sub-exp secure) IO from d-linear MMaps assuming sub-exp SXDH on d-linear MMaps sub-exp locality-d PRG sub-exp LWE Block Locality d PRG [LT17]
Blockwise Local PRGs Locality L [CEMT09, BQ12, OW14, AL16] L = 5 [Gol00,MST03,OW14] L < 5 impossible [MST03] Polynomial stretch y = s 234 y s Blockwise Locality BL y Block size b log(λ) s Input Blocks
Preliminary Study on Blockwise Local PRGs Goldreich s local functions with input bits replaced by blocks F 6,8,9 : y : = P : (s 6(:) ) y s BL When BL 3, G: graph a deg-bl G with bipartite good expansion graph, (unique P : 0,1 neighbor 9 JK expansion) {0,1} Do Not Exist :( * 1. Blockwise locality-3 Small-Bias Generators 2. For large b, a good expander G, and suitable P, F 6,8,9 is a high-locality Cool Attacks, function with next good Talk expansion, assumed to be OW and pseudorandom by [AR16] * Small window of expansion, not known to be sufficient for IO 3. Hardness amplification
io Construction Step 1 + Block-locality-dPRG SK Functional Encryption Deg-d (SK) FE for Deg-d Polynomial with linear efficiency with linear efficiency Step 2 Deg-d MMap w/ SXDH Degree Preserving Bootstrapping [LT17] Key Idea: Preprocessing! [Lin16b,AS16,LT17] Degree Preserving FE Construction [Lin16b] Key Idea: Recursively Compose IPE [ABDP15]
Functional Encryption --- Encryption with partial decryption keys msk ß Setup(1 n ) Enc(msk, m): Dec( sk C, ct ): Keygen(msk, C): ct(m) sk(c) ct(m) sk(c) y = C(m) Semantic Security:, m 2, m P C, s.t. C V (m 2 : ) = C V (m P : ) 2 ct m : : sk C V V P ct m : sk C V V :
Functional Encryption msk ß Setup(1 n ) Enc(msk, m): ct(m) Keygen(msk, C): Non-Compact: T Enc = poly(λ, m, C ) (Weakly) Compact T Enc = poly(λ, m ) C 1-ε Linear efficiency T Enc = poly(λ) m sk(c)
io Bootstrapping [BNPW16] 1-key FE for NC 1 compact + Block-locality-dPRG 1. Deg(FE) = 3 L + 1 [Lin16,LV16] Bootstrapping via Randomized Encoding + local PRG 2. Deg(FE) = L [Lin16b,AS16] deg-d FE w/ linear efficiency 3. Deg(FE) = BL [LT17]
Randomized Encodings (RE) [AIK04] Represent a complex computation, by a simpler computation f x = y NC 2 RE ] x; r = Π NC c d Deg RE g = 4 Importantly, deg 1 in x and deg 3 in r s.t., Π encodes y, and reveals nothing else
Use RE for Low-Deg Computation [Lin16, LV16] Goal: 1-key FE for NC 1 compact CT(x) SK(f) Tool: Deg-d FE linearly efficient CT(x, r) SK(RE ] ) Compact? T Enc = poly λ x, r poly λ f 2op Deg(FE) = Deg RE g = 4 Need, Randomness Efficient RE r < f 1oε
Use PRG for Randomness Efficiency [Lin16, LV16] r = PRG s g(x, s) = RE ] x ; PRG s Compact s = r } }~ w.l.o.g. RE has r = O f è T Enc = x, s = f 2op Tool: deg-d FE linearly efficient CT(x, s) SK g Deg(FE) = Deg g = 3Deg PRG + 1 3 L + 1
io Bootstrapping [LT17] [BNPW16] 1-key FE for NC 1 compact + Block-locality-dPRG 1. Deg(FE) = 3 L + 1 [Lin16,LV16] Bootstrapping via Randomized Encoding + local PRG 2. Deg(FE) = L [Lin16b,AS16] Preprocessing at Encryption time deg-d FE w/ linear efficiency 3. Deg(FE) = BL [LT17]
Preprocessing [Lin16,LV16] Goal: Decompose g into A, B s.t. g(x, s) = RE ] x ; PRG s = B( A x, s ) CT(A(x, s)) SK B Compact T Enc = A(x, s) f 2op Deg(FE) = Deg B L
Pro-process Multiplication with x [Lin16,LV16] Recall: RE has deg 1 in x & deg 3 in r g(x, s) = RE ] x ; PRG s = x : PRG s PRGˆ s PRG (s) Compact T Enc = A(x, s) x, s, x s poly(λ) f 2op A(x, s) = CT( x, s, x s ) SK B s.t. B A x, s Deg(FE) = Deg B Deg g 1 = g(x, s) &
Pro-process Multiplication between s [Lin16,LV16] Recall: RE has deg 1 in x & deg 3 in r g(x, s) = RE ] x ; PRG s = x : PRG s PRGˆ s PRG (s) Compact T Enc = A(x, s) x, s, s s f 2op f 2op CT( ) SK B s.t. B A x, s A(x, s) = x, s, s s Deg(FE) = Deg B Deg g 1 = g(x, s) &
g(x, s) = RE ] x ; PRG s = x : PRG s PRGˆ s PRG (s) Multiplication b/w random edges Hard to pre-compute compactly j k l L s } s Š s s Œ s sˆ}sˆšsˆ sˆœsˆ s } s Š s s Œ s s
g(x, s) = RE ] x ; PRG s Massage g into this form What can we pre-compute? Pre-Compute Multiplication b/w the same (random) edge, compactly L s s } s Š s s Œ s Ž Ž Ž Ž Ž s Š s s Œ s ŽŽ ŽŽ ŽŽ ŽŽ ŽŽ s Š s s Œ s s } s } s s
g(x, s) = RE ] x ; PRG s f x = {f : (x)} w.l.o.g f : = poly(λ) o.w. f = Yao(f, x; PRF(k)) m f {RE ] x; r i } = {RE } m f Then r i = poly λ & multiplication within r : r :V r : r :
RE ] x; r i = {RE } m f r i = poly λ multiplication within r : r :V r : r : So far, r i = i th portion of PRG s Multiplication b/w random edges r 1 r i r m s
RE ] x; r i = {RE } m f r i = poly λ multiplication within r : r :V r : r : j k l Now, r 1j r ij r mj = PRG s j j Multiplication b/w same edges s j s k s l Poly(λ)
Pre-compute deg-3 monomials over each column So that, r :V r : r : can be computed in degree L è Deg(FE) = L # monomials = column s V = poly(λ)f 2op è Compactness Multiplication b/w same edges s j s k s l Poly(λ)
io Bootstrapping [LT17] [BNPW16] 1-key FE for NC 1 compact + Block-locality-dPRG 1. Deg(FE) = 3 L + 1 [Lin16,LV16] Bootstrapping via Randomized Encoding + local PRG 2. Deg(FE) = L [Lin16b,AS16] Preprocessing at Encryption time deg-d FE w/ linear efficiency 3. Deg(FE) = BL [LT17] Extend Preprocessing to Block Locality
Pre-compute Mult b/w blocks in each column [LT17] Pre-compute all monomials over each block, 2 ( ) = λ, many Pre-compute deg-3 mnmls over mnmls in each column poly λ, many s j s k log(λ) Poly(λ) s l
io Construction Step 1 + Block-locality-dPRG SK Functional Encryption Deg-d (SK) FE for Deg-d Polynomial with linear efficiency with linear efficiency Step 2 Degree Preserving Bootstrapping [LT17] Key Idea: Preprocessing! [Lin16b,AS16,LT17] Degree Preserving FE Construction [Lin16b] Key Idea: Compose IPE [ABDP15] Deg-d MMap w/ SXDH
Bird s Eye View: Deg-d FE ç Deg-d Mmap Suppose we only want to compute x 1 x d while hiding x [x 1 x d ] d+1 [x d ] d Functionality Security How to hide x? [x 1 ] 1 [x 2 ] 2 [x 3 ] 3
Bird s Eye View: Deg-d FE ç Deg-d Mmap Suppose we only want to compute x 1 x d, while hiding x [LV16] Security ç RE [AIK14] + Function Hiding IPE [x 1 x d ] d+1 RE.Decode [Lin16b] Security ç Recursively composing IPE [x 1 x d ] d+1 IPE: FE for inner products ç SXDH on Bilinear maps ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) [ RE (x 1 x d ; r) ] d ict(x 1 ) isk(x 2 ) ict(x r ) isk(r ) No Waste of Degree
FE Construction 4. Security Challenge 3. Deg-d FE from d-linear maps [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )
isk(u) ict(v) Inner Product Encryption Dec <u,v> Weak Functionality: Test if <u,v> is zero Public-key IPE ç DDH or LWE or Paillier [ABDP15,ALS16] Secret-key IPE, function hiding (i.e, hide both u, v) ç Bilinear map [KSW08,BJK15+LV16,DDM16] csk (u) = [ U ] cct(v) = [ V ] 1 0 Dec [<u,v>] 2 target group different source groups Canonical Form FH SK-IPE [This work]
The ABDP PK-IPE Scheme from DDH imsk : s ß Z ª impk : [s] = g s isk(y) : <s, y> y ict(x) : [-r] = g -r [rs + x] = g r s + x Dec < ict(x), isk(y) > = [-r <s, y>] + [<rs, y> + <x, y>] = [<x, y>]
FE Construction 4. Security Challenge 3. Deg-d FE [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )
qfe: SK-FE for Quadratic Poly Starting Point: Compute quadratic polynomials using inner products f(x) = Σ C ij x i x j = < C, x x > qmsk : S ß Z ª Š But, qct = n 2 qsk(f) = isk(c) : <S, C> C qct(x) = ict(x x) : [-r] [rs + x x]
qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > Idea: Compress Ciphertext qmsk : S ß Z ª Š qsk(f) = isk(c) : <S, C> C But, S = n 2 qct is imcompressble qct(x) = ict(x x) : [-r] [rs + x x]
qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > qmsk : s 1 s 2 ß Z ª Idea: Compress Ciphertext 1. Replace S with s 1 s 2 Now, ict depends on (r, s 1, s 2, x) = O(n) qsk(f) = isk(c) : <s 1 s 2, C> C qct(x) = ict(x x) : [-r] [r s 1 s 2 + x x]
qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > qmsk : s 1 s 2 ß Z ª Idea: Compress Ciphertext 1. Replace S with s 1 s 2 2. Generate ict using canonical FH IPE ict[i,j] = [rs : 2 s V P + x : x V ] = [< x : s : 2, x V rs V P >] qsk(f) = isk(c) : <s 1 s 2, C> C qct(x) = ict(x x) : [-r] [r s 1 s 2 + x x] Dec cct(x : s : 2 ) csk(x V rs V P )
qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > Idea: Compress Ciphertext 1. Replace S with s 1 s 2 2. Generate ict using canonical FH IPE qmsk : s 1 s 2 ß Z ª qsk(f) = isk(c) : <s 1 s 2, C> C Linear Efficiency qct = n( cct + csk )=O(n) Security Hope FH IPE reveals only ict PK IPE Sec è ict hides x qct(x) : [-r] [r s 1 s 2 + x x] Dec cct(x : s : 2 ) csk(x V rs V P )
FE Construction 4. Security Challenge 3. Deg-d FE Generalizing IPE to high degree, deg-d HIPE Use HIPE to compress N d -size ABDP CT [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )
dfe: SK-FE for Deg-d Poly Starting Point: Compute deg-d polynomials using inner products f(x) = Σ C } x } x = < C, x d > MSK : S ß Z ª = x x SK(f) = isk(c) : <S, C> C But, FH IPE only compresses CT to n d/2 CT(x) = ict( x d ) : [-r] [rs + x d ]
New Tool: High-degree IPE (HIPE) --- Multi-input FE for computing high-degree inner product Deg-d HIPE hct 1 (x 1 ) hct d-1 (x d-1 ) hsk(x d ) Deg-d Inner Product Dec <x 1, x 2,, x d-1, x d V > = : [ª] V [ ] x : Weak Functionality: Test if inner product is zero Function hiding: Hide x 1, x 2,, x d-1, x d
New Tool: High-degree IPE (HIPE) --- Multi-input FE for computing high-degree inner product Canonical Deg-d HIPE hct 1 (x 1 ) hct d-1 (x d-1 ) hsk(x d ) = = = [X 1 ] 1 [X d-1 ] d-1 [X d ] d Deg-d Inner Product Dec [ ] : [ª] V [ ] d+1 <x 1, x 2,, x d-1, x d > = x : V This Work: Canonical Deg-d HIPE ç SXDH on Deg-d Mmaps
dfe: SK-FE for Deg-d Poly f(x) = < C, x d > Idea: Compress Ciphertext 1. Replace S with s d = s 1 s 2 s d MSK : s 1, s 2,, s d ß {0,1} ª SK(f) = isk(c) : < s d, C> C ict depends on (r, s 1,, s d, x) = O(n) CT(x) = ict( x d ) : [-r] [r s d + x d ]
dfe: SK-FE for Deg-d Poly f(x) = < C, x d > Idea: Compress Ciphertext 1. Replace S with s d = s 1 s 2 s d 2. Generate ict using canonical FH HIPE MSK : s 1, s 2,, s d ß {0,1} ª SK(f) ict[i 1,,i d ] = [ rs 2 :} s o2 : ¹} s : + x :} x : ¹} x : ] = [ < x :} s 2 :} x : ¹} s o2 : ¹}, x : rs : > ] = isk(c) : < s d, C> C CT(x) = ict( x d ) : [-r] [r s d + x d ]
dfe: SK-FE for Deg-d Poly f(x) = < C, x d > Idea: Compress Ciphertext 1. Replace S with s d = s 1 s 2 s d 2. Generate ict using canonical FH HIPE MSK : s 1, s 2,, s d ß {0,1} ª SK(f) ict[i 1,,i d ] = [ rs 2 :} s o2 : ¹} s : + x :} x : ¹} x : ] = [ < x :} s 2 :} x : ¹} s o2 : ¹}, x : rs : > ] = isk(c) : < s d, C> C Dec CT(x) : [-r] hct 1 (x :} s 2 :} ) hct d-1 (x : ¹} rs o2 : ¹} ) hsk(x : rs : )
This work: Canonical FH Deg-d HIPE ç SXDH on Deg-d MMaps Canonical Canonical Canonical Recursion: Deg-d HIPE ç Deg-d-1 HIPE + FH IPE Deg-d Inner Product <x 1, x 2,, x d-1, x d V > = : [ª] V [ ] x : = < x 1 x 2 x d-1, x d > coordinate-wise multiplication Compute using Deg-(d-1) HIPE Compute using FH IPE
Canonical Canonical Canonical Idea: Deg-d HIPE ç Deg-d-1 HIPE + FH IPE Use deg-d-1 HIPE to compute deg-d-1 product hct 1 (x 2 2 ) hct d-2 (x 2 op ) hsk(x 2 o2 ) Dec [x 2 2 x 2 o2 ] hct 1 (x 2 : ) hct d-2 (x : op ) hsk(x : o2 ) Dec [x : 2 x : o2 ] hct 1 (x 2 ª ) hct d-2 (x ª op ) hsk(x ª o2 ) Dec [x ª 2 x ª o2 ] Encrypt x 1, x d-2, x d-1 one by one using deg-d HIPE Each row i with an independent hmsk i = [x 1 x 2 xd 1 ]
Canonical Canonical Canonical Idea: Deg-d HIPE ç Deg-d-1 HIPE + FH IPE Use deg-d-1 HIPE to compute cct(deg-d-1 product) hct 1 (X 2 2 ) hct d-2 (X 2 op ) hsk(x 2 o2 ) Dec cct 1 hct 1 (X 2 : ) hct d-2 (X : op ) hsk(x : o2 ) Dec cct i hct 1 (X 2» ) hct d-2 (X» op ) hsk(x» o2 ) Dec cct l = j Each X cct(x 1 x 2 xd 1 i depends only on xj and cmsk ) CT 1 (x 1 ) CT d-1 (x d-2 ) CT d-1 (x d-1 ) SK(x d ) csk(x d ) [ <x 1, x 2,, x d-1, x d > ]
FE Construction 4. Security Challenge 3. Deg-d FE Generalizing IPE to high degree, deg-d HIPE Use HIPE to compress N d -size ABDP CT [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )
Want: qct(u) qct(v), if f i (u) = f i (v) for all i qsk(f 1 ) = isk(c 1 ) qsk(f i ) = isk(c i ) qsk(f l ) = isk(c l ) 2. Sec of PK-IPE è ict hides x = or v ict(x x) : [-r] [r s 1 s 2 + x x] Need sec to hold for imsk = s 1 s 2 qct(x) : Dec [-r] cct(x : s : 2 ) csk(x V rs V P ) 1. FH of SK-IPE è only ict is revealed Need Simu Sec
Want: qct(u) qct(v), if f i (u) = f i (v) for all i qsk(f 1 ) = isk(c 1 ) qsk(f i ) = isk(c i ) qsk(f l ) = isk(c l ) 1. Change matrix x x row by row ict(x x) : [-r] [r s 2 ¼: s 2 + v ¼: v] [r s 2 : s 2 + u : u / v : v ] [r s 2 Á: s 2 + u Á: u ] qct(x) : [-r] Dec cct(x : s : 2 ) csk(x V rs V P ) 2. Use Ind-FH to emulate Sim-FH 3. Add offset in qsk to keep outputs same 4. SXDH è s : 2 s 2 U n
Lin16b: IO ç SXDH on DEG-5 Multi-linear Maps + locality-5 PRG + LWE LT17: IO ç SXDH on Trilinear Maps + Block-locality-3 PRG + LWE Bilinear Map
Thank you!