multiparty key exchange, efficient traitor tracing, and ... › ~mzhandry › docs › talks ›...
TRANSCRIPT
![Page 1: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/1.jpg)
INDISTINGUISHABILITY
OBFUSCATION Mark Zhandry – Stanford University
* Joint work with Dan Boneh
![Page 2: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/2.jpg)
Program Obfuscation
Intuition: Mangle a program
• Same functionality as original
• Hides all implementation details
Potential uses:
• IP protection
• Prevent tampering
• Cryptography
![Page 3: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/3.jpg)
Virtual Black Box Obfuscation [BGI+’01]
Having source code no better than black box access
P P’ O
b=0,1 b
![Page 4: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/4.jpg)
Virtual Black Box Obfuscation
Potential Cryptographic Applications:
• Public key encryption from private key encryption:
• Homomorphic encryption:
• Functional Encryption
P( c1 , c2 , ⨀∈{+,×} ) {
m1 Dec(c1)
m2 Dec(c2)
return Enc(m1⨀m2)
}
O P’
Enc(⋅) O P’
![Page 5: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/5.jpg)
Virtual Black Box Obfuscation
Potential Cryptographic Applications:
• Public key encryption from private key encryption:
• Homomorphic encryption:
• Functional Encryption
P( c1 , c2 , ⨀∈{+,×} ) {
m1 Dec(c1)
m2 Dec(c2)
return Enc(m1⨀m2)
}
O P’
Enc(⋅) O P’
Theorem ([BGI+’01]): VBB for all programs is impossible
![Page 6: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/6.jpg)
Indistinguishability Obfuscation (iO) [BGI+’01]
If two programs have same functionality, obfuscations are
indistinguishable
P1
iO
P1 ’
P2
iO
P2 ’
P1(x) = P2(x) ∀x
≈
![Page 7: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/7.jpg)
Indistinguishability Obfuscation (iO)
BGI+ counter example does not apply to iO
An exploding field:
•[BGI+’01] Original definition
•[GR’07] Further investigation
•[GGH+’13] First candidate construction
• Functional encryption
•[BR’13, BGK+’13, …] Additional constructions
•[SW’13, HSW’13, GGHR’13, BZ’13, …] Uses
• Public key encryption, signatures, deniable encryption, multiparty
key exchange, MPC, …
•[BCPR’13, MR’13, BCP’13, …] Further Investigation
![Page 8: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/8.jpg)
Our Results
• Non-interactive multiparty key exchange without trusted
setup
• All existing protocols required trusted setup
• Efficient broadcast encryption
• Distributed
• Use existing keys
• Efficient traitor tracing
• Shortest secret keys and ciphertexts known
All constructions from iO and one-way functions
This talk
![Page 9: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/9.jpg)
(Non-Interactive) Multiparty Key Exchange
Public bulletin board
KABCD KABCD KABCD KABCD
?
![Page 10: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/10.jpg)
Prior Constructions
First achieved using multilinear maps
• These constructions all require trusted setup before
protocol is run
• Trusted authority can also learn group key
params
![Page 11: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/11.jpg)
Prior Constructions
First achieved using multilinear maps
• These constructions all require trusted setup before
protocol is run
• Trusted authority can also learn group key
params
![Page 12: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/12.jpg)
Our Construction (w/ Trusted Setup)
Building blocks:
• iO
• Pseudorandom function F
• Pseudorandom generator G: SX
Idea: shared key is F applied to published values
• F itself kept secret
• Publish program that computes F,
• but only if user supplies proof that they are allowed to
![Page 13: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/13.jpg)
Our Construction (w/ Trusted Setup)
s1S s2 s3
s4
How to establish shared group key?
x1 x2
x3 x4
![Page 14: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/14.jpg)
Our Construction (w/ Trusted Setup)
F P( y1, ..., yn, s, i ) {
If G(s) ≠ yi, output ⊥
Otherwise, output F(y1, ..., yn)
}
iO
P’
![Page 15: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/15.jpg)
Our Construction (w/ Trusted Setup)
s1 s2 s3 s4
x1 x2
x3 x4
P’
KABCD = P’(x1, x2, x3, x4, s1, 1)
![Page 16: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/16.jpg)
Security of Our Construction
Adversary sees P’ and the Xi, wants to learn F(x1,...,xn)
F P( y1, ..., yn, s, i ) {
If G(s) ≠ yi, output ⊥
Otherwise, output F(y1, ..., yn)
}
iO P’
s1 G x1
sn G xn
… … S
![Page 17: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/17.jpg)
Step 1: Replace xi
Draw xi uniformly at random
• Security of G: adversary cannot tell difference
Observation: if X is much larger than S,
all xi are outside range of G, w.h.p.
F P( y1, ..., yn, s, i ) {
If G(s) ≠ yi, output ⊥
Otherwise, output F(y1, ..., yn)
}
iO P’
x1
xn X
…
![Page 18: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/18.jpg)
Punctured PRFs [BW’13, KPTZ’13, BGI’13,SW’13]
Can give out code to evaluate F at all but a single point z
Security: given Fz, t=F(z) indistinguishable from random
F
Fz x F(x) if x ≠ z
⊥ if x = z
Fz
t = F(z) ≈
Fz
t T
![Page 19: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/19.jpg)
Step 2: Puncture F
Let z = (x1, ..., xn)
Puncture F at z, and abort if input is z
Inputs where P2 differs from P?
• Only (x1,...,xn,s,i) where G(s) = xi
• W.h.p. no such input exists
• iO: P2 indistinguishable from P
Fz P2( y1, ..., yn, s, i ) {
If G(s) ≠ yi, output ⊥
If (y1, ..., yn) = z, output ⊥
Otherwise, output Fz(y1, ..., yn)
}
iO P’
x1
xn X
…
![Page 20: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/20.jpg)
Step 3: Simulate
Simulate view of adversary, given Fz
Security of F: k = F(z) indist.
from a random key
Fz P2( y1, ..., yn, s, i ) {
If G(s) ≠ yi, output ⊥
If (y1, ..., yn) = z, output ⊥
Otherwise, output Fz(y1, ..., yn)
}
iO P’
x1
xn X
… ✓
![Page 21: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/21.jpg)
Removing Trusted Setup
As described, our scheme needs trusted setup
Observation: Obfuscated program can be generated
independently of publishing step
Untrusted setup: user 1 generates P’, sends with x1
F P( y1, ..., yn, s, i ) {
If G(s) ≠ yi, output ⊥
Otherwise, output F(y1, ..., yn)
}
iO P’
![Page 22: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/22.jpg)
Multiparty Key Exchange Without Trusted Setup
s1 s2 s3 s4
x1
P’ x2
x3 x4
![Page 23: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/23.jpg)
Broadcast Encryption
✗ ✗
![Page 24: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/24.jpg)
Broadcast Encryption
s1 s2 s3 s4
x1 x2
x3 x4
P’ xD
dummy user
![Page 25: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/25.jpg)
Broadcast Encryption
• Replace unintended recipients with dummy
• Compute shared key for protocol
• Ex: k = F(x1,xD,xD,x4)
• Use shared key to encrypt message
✗ ✗
![Page 26: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/26.jpg)
Broadcast Encryption
Private key scheme: empty ciphertext header
Public broadcast key scheme: a single xi value
Additional Properties:
•Distributed – users and broadcaster each generate their
own parameters
•Can be used with existing RSA keys (under plausible
assumptions)
![Page 27: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/27.jpg)
Other Constructions
Recipient private broadcast encryption
•Ciphertext size: λ+n
•Secret key size: λ
•Public key size: poly(n, λ)
Traitor tracing
•Ciphertext size: λ+log(n)
•Secret key size: λ
•Public key size: poly(log(n), λ)
![Page 28: Multiparty Key Exchange, Efficient Traitor Tracing, and ... › ~mzhandry › docs › talks › IOApps.slides.pdfOur Results •Non-interactive multiparty key exchange without trusted](https://reader034.vdocuments.mx/reader034/viewer/2022042406/5f1fffee2267f62dce74d181/html5/thumbnails/28.jpg)
Open Questions
Reduce public key sizes
•Using differing-inputs obfuscation [ABGSZ’13]
•From iO?
Other primitives from iO
•FHE?
Thanks!