Cryptography with Updates

Transcription

1 Cryptography with Updates Slides and research in collaboration with: Prabhanjan Ananth UCLA Aloni Cohen MIT Abhishek Jain JHU

2 Garbled Circuits C Offline: slow Online: fast x C(x)

3 Garbled Circuits C Offline: slow Example: C = a model of Alice s value on APPL stock. x = stock price C(x) = buy! Online: fast x C(x)

4

5 Garbled Circuits C Offline: slow C C' Alice wants to update to. Online: fast x C'(x)

6 Garbled Circuits C Offline: slow C C' Alice wants to update to. Does changing a single gate in C require garbling the circuit from scratch? Online: fast x C'(x)

7 Updatable Garbled Circuits Offline: slow C? Update: fast Online: fast x C'(x)

8 Updatable Garbled Circuits Offline: slow C? Update: fast 1. C? C'

9 Updatable Garbled Circuits Offline: slow C? Update: fast 1. C C'? 2.? is easy to compute.

10 Cryptography with Updates: Garbled Circuits Results Obfuscation Prior work: [AJS 17, GP 16] Attribute-based encryption (update secret key) Non-interactive proofs (update NP relation, instance) Prior work (for conjunctions): [Valiant 08]

11 Cryptography with Updates: Garbled Circuits Results Update gates, from lattices Obfuscation Prior work: [AJS 17, GP 16] Attribute-based encryption (update secret key) Non-interactive proofs (update NP relation, instance) Prior work (for conjunctions): [Valiant 08]

12 Cryptography with Updates: Results Garbled Circuits Update gates, from lattices Obfuscation Prior work: [AJS 17, GP 16] Attribute-based encryption (update secret key) Non-interactive proofs (update NP relation, instance) Prior work (for conjunctions): [Valiant 08] Updatable Randomized Encodings (update C, x) General updates, from FE (or OWFs for bounded-many updates)

13 Cryptography with Updates: Results Garbled Circuits Update gates, from lattices Obfuscation Prior work: [AJS 17, GP 16] Attribute-based encryption (update secret key) Non-interactive proofs (update NP relation, instance) Prior work (for conjunctions): [Valiant 08] Updatable Randomized Encodings (update C, x) General updates, from FE (or OWFs for bounded-many updates)

14 Outline Definition of URE Related Work How to use URE: XYZ + URE Updatable XYZ Construction of Updatable Garbled Circuit

15 Updatable Randomized Encodings (URE) (C, x) + u = (C, x ) An update u can be: Change a gate Change a bit of C or x. Arbitrary* (*applying u done by circuit of fixed size)

16 Updatable Randomized Encodings (URE) Authority User Encode (C, x) C, x + u = (C, x ) Randomized Encoding [IK 00, AIK 06]: Encoding is easier than evaluating C. The encoding only reveals C(x).

17 Updatable Randomized Encodings (URE) Authority User Encode (C, x) C, x + u State Encode + u = (C, x )

18 Updatable Randomized Encodings (URE) Apply Update User C, x + u = C, x

19 Updatable Randomized Encodings (URE) Authority User Encode (C, x) C, x + u Encode + u = = (C, x ) C, x

20 Multiple Updates in Serial (C, x) u1 (C 1, x 1 ) u2 (C 2, x 2 )

21 Multiple Updates in Serial (C, x) u1 (C 1, x 1 ) u2 u1 u2 C, x C 1, x 1 (C 2, x 2 ) C 2, x 2

22 Multiple Updates in Serial (C, x) C, x C(x) u1 u1 (C 1, x 1 ) u2 u2 C 1, x 1 C 1 (x 1 ) (C 2, x 2 ) C 2, x 2 C 2 (x 2 )

23 Multiple Updates in Serial (C, x) C, x C(x) u1 u1 (C 1, x 1 ) u2 u2 C 1, x 1 C 1 (x 1 ) (C 2, x 2 ) C 2, x 2 C 2 (x 2 ) Updatable Garbled Circuit: single-use variant.

24 Key Challenge: Efficiency If u C, updating should be simple. u C, x Goal: u = poly( u ) More precisely, the time to compute u should be poly( u, k)

25 Key Challenge: Efficiency If u C, updating should be simple. u C, x Goal: u = poly( u ) More precisely, the time to compute u should be poly( u, k) Compactness (needed for some applications) independent of the output length of C.

26 SIMulation (Selective) Security View can be simulated by just knowing C(x), C 1 (x 1 ), C 2 (x 2 ), INDistinguishability Can t distinguish sequences that agree on C(x), C 1 (x 1 ), C 2 (x 2 ),

27 SIMulation (Selective) Security View can be simulated by just knowing C(x), C 1 (x 1 ), C 2 (x 2 ), Compactness impossible (follows from [AGVW13,CIJOPP13]) INDistinguishability Can t distinguish sequences that agree on C(x), C 1 (x 1 ), C 2 (x 2 ), Generic transformation from compact + IND to non-compact + SIM (as in FE)

28 Previous Work: Incremental Crypto [Bellare-Goldwasser-Goldreich 94, ] Signer msg σ + u = msg σ

29 Previous Work: Incremental Crypto [Bellare-Goldwasser-Goldreich 94, ] Signer Authority User msg σ C C + u + + u u = = = msg σ C C

30 Previous Work: Incremental Crypto [Bellare-Goldwasser-Goldreich 94, ] Signer Authority User msg σ C C + u + + u u = = = msg σ C C One Party Signer does everything in his head. Two Parties Authority generates the update; User applies the update.

31 Previous Work: Incremental / Patchable Obfuscation [Garg-Pandey 16, Ananth-Jain-Sahai 17] Incremental Obfuscation More restricted updates Lower bound on efficiency for updatable VBB Patchable Obfuscation (see Prabhnajan s talk tomorrow!) More general updates Updating many circuits with a single update

32 Previous Work: URE vs Reusable Garbled Circuits [Goldwasser-Kalai-Popa-Vaikuntanathan-Zeldovich 13] This work: URE with sequential updates Observation: For parallel updates Parallel URE Reusable GC C, x u1 u2 u3 u4 C, x 1 C, x 2 C, x 3 C, x 4

33 How to use URE XYZ + URE Updatable XYZ* MPC NIZK ABE FE IO URE *Formalized for a large class of XYZ: including ABE, FE, IO, NIWI, GC (selectively-ind-secure)

34 io + URE Updatable io C Obfuscate Updatable Randomized Encoding of (io,c)

35 io + URE Updatable io C u Obfuscate Encode Updatable Randomized Encoding of (io,c) URE.Encode(u)

36 io + URE Updatable io C u Obfuscate Encode Updatable Randomized Encoding of (io,c) URE.Encode(u) URE(iO, C )

37 io + URE Updatable io C u Obfuscate Encode Updatable Randomized Encoding of (io,c) URE.Encode(u) URE(iO, C ) Correctness and IND-Security inherited from URE, io Efficiency requires compactness.

38 Not-quite-conclusions

39 Not-quite-conclusions Updatable crypto largely unexplored. The right set of definitions, models

40 Not-quite-conclusions Updatable crypto largely unexplored. The right set of definitions, models Study specific primitives / update types Direct constructions New questions (e.g., efficiency lower bounds, multiupdating)

41 Not-quite-conclusions Updatable crypto largely unexplored. The right set of definitions, models Study specific primitives / update types Direct constructions New questions (e.g., efficiency lower bounds, multiupdating) Remaining time: Updatable Garbled Circuit from lattices!

42 Updatable Garbled Circuit C Garble C u Garble u C' C' Decode C' (x) x Garble x Evaluator only recovers C'(x)

43 Yao s Garbled Circuits [Yao 82,] Garble Circuit OR OR

44 Attempt 1: Just do it a c AND b Generate Update AND

45 Attempt 1: Just do it c a AND b Generate Update AND Apply Update

46 Attempt 1: Just do it a c AND b Generate Update AND Efficiency: 1 gate changed 1 new garbled gate Correctness: Can decode the updated circuit, C x Security: Can still recover C(x)!

47 Attempt 1: Just do it a c AND b Generate Update AND Efficiency: 1 gate changed 1 new garbled gate Correctness: Can decode the updated circuit, C x Security: Can still recover C(x)!

48 Attempt 1: Just do it a c AND b Generate Update AND Efficiency: 1 gate changed 1 new garbled gate Correctness: Can decode the updated circuit, C x Security: Can still recover C(x)!

49 Attempt 1: Just do it a c AND b Generate Update AND Efficiency: 1 gate changed 1 new garbled gate Correctness: Can decode the updated circuit, C x Security: Can still recover C(x)!

50 Fixing Security Idea: encrypt the original garbled gates Garble Circuit

51 Fixing Security Idea: encrypt the original garbled gates Garble Circuit Generate Update,,

52 Fixing Security Idea: encrypt the original garbled gates Garble Circuit Generate Update,, Efficiency: the update is large Correctness Security

53 Security + Efficiency Idea: punctured decryption key Garble Circuit 1

54 Security + Efficiency Idea: punctured decryption key Garble Circuit 1 Generate Update, {1} {1} Can decrypt all gates except #1. Can be build from puncturable PRFs (from OWFs). [Boneh-Waters 13, Boyle-Goldwasser-Ivan 13, Kiayias-Papadopoulos-Triandopoulos-Zacharias 13]

55 Security + Efficiency Idea: punctured decryption key Garble Circuit 1 Generate Update, {1} Efficiency Correctness Security

56 Security + Efficiency Idea: punctured decryption key Garble Circuit 1 Generate Update, {1} Efficiency Correctness Security Multiple Updates: Only supports 1 update.

57 Many updates Idea: punctured proxy re-encryption [ACJ17] Re-encrypt {2} 1 3 Re-encrypt {1} 3 Security: even given, hidden. 2 1

58 Many updates Idea: punctured proxy re-encryption [ACJ17] 1 2 Re-encrypt 1 Re-encrypt 3 3 {2} 3 {1} Can build from key-homomorphic, constrained PRFs (from LWE ) [Brakerski-Vaikuntanathan 15, Banarjee-Fuchsbauer-Peikert-Pietrzak-Stevens 15]

59 Many updates Idea: punctured proxy re-encryption [ACJ17] Garble Circuit 1

60 Many updates Idea: punctured proxy re-encryption [ACJ17] Garble Circuit 1 Update 1, {1}

61 Many updates Idea: punctured proxy re-encryption [ACJ17] Garble Circuit 1 Update 1 Update 2,, {1} {2}

62 Many updates Idea: punctured proxy re-encryption [ACJ17] Garble Circuit 1 Update 1 Update 2 Garbled Input includes the terminal key.,, {1} {2}

63 Many updates Idea: punctured proxy re-encryption [ACJ17] Garble Circuit 1 Update 1 Update 2 Garbled Input includes the terminal key. Efficiency, Correctness, Security,, {1} {2}

64 M E R C I!

65 URE Approach: Relock and Release (C, x) C, x u1 R&R(u1) C(x) C 1, x 1 C 1 (x 1 ) u2 R&R(u2) C 2, x 2 C 2 (x 2 )

66 URE Approach: Relock and Release C, x R&R(u1) Relock C 1, x 1 Release C 1 (x 1 )

67 URE Approach: Relock and Release C, x R&R(u1) C 1, x 1 RE(C 1, x 1 ) Randomized Encoding

68 URE Approach: Relock and Release C, x R&R(u1) Garbled Input Garbled Circuit C 1, x 1 RE(C 1, x 1 ) Garbled Input Randomized Encoding

69 URE Approach: Relock and Release C, x R&R(u1) Garbled Input Garbled Circuit C 1, x 1 RE(C 1, x 1 ) Garbled Input Randomized Encoding Correctness: Decode RE(C, x ) and continue updating C, x. Security: Simulatable Efficiency: R&R(u) outputs > C bits, thus R&R(u) > C.

70 Relock and Release from Compact FE C, x Garbled Input (1 key, secret key, poly-secure, IND) R&R(u) Garbled Circuit C', x Garbled Input RE(C, x ) Randomized Encoding Idea: Delegate the computation of R&R(u) using FE.

71 Relock and Release from Compact FE FE.SK(R&R-Garbler) C, x Garbled Input (1 key, secret key, poly-secure, IND) R&R(u) Garbled Circuit C', x RE(C, x ) Garbled Input Randomized Encoding Idea: Delegate the computation of R&R(u) using FE.

72 Relock and Release from Compact FE FE.SK(R&R-Garbler) + C, x Garbled Input (1 key, secret key, poly-secure, IND) FE.Enc(u) R&R(u) Garbled Circuit C', x RE(C, x ) Garbled Input Randomized Encoding Idea: Delegate the computation of R&R(u) using FE.

73 Relock and Release from Compact FE (C, x) FE.SK C, x RE(C, x) u1 u2

74 Relock and Release from Compact FE (C, x) FE.SK C, x RE(C, x) C(x) u1 u2

75 Relock and Release from Compact FE (C, x) FE.SK C, x RE(C, x) C(x) u1 Enc(u 1 ) u2

76 Relock and Release from Compact FE (C, x) FE.SK C, x RE(C, x) C(x) u1 Enc(u 1 ) R&R(u1) u2

77 Relock and Release from Compact FE (C, x) FE.SK C, x RE(C, x) C(x) u1 Enc(u 1 ) R&R(u1) C 1, x 1 RE(C 1, x 1 ) u2

78 Relock and Release from Compact FE (C, x) FE.SK C, x RE(C, x) C(x) u1 Enc(u 1 ) R&R(u1) C 1, x 1 RE(C 1, x 1 ) C 1 (x) u2

79 Relock and Release from Compact FE (C, x) FE.SK C, x RE(C, x) C(x) u1 Enc(u 1 ) R&R(u1) C 1, x 1 RE(C 1, x 1 ) C 1 (x) u2 Enc(u 2 )

80 Relock and Release from Compact FE (C, x) FE.SK C, x RE(C, x) C(x) u1 Enc(u 1 ) R&R(u1) C 1, x 1 RE(C 1, x 1 ) C 1 (x) u2 Enc(u 2 ) R&R(u2)

81 Relock and Release from Compact FE (C, x) FE.SK C, x RE(C, x) C(x) u1 Enc(u 1 ) R&R(u1) C 1, x 1 RE(C 1, x 1 ) C 1 (x) u2 Enc(u 2 ) R&R(u2) C 2, x 2 RE(C 2, x 2 )

82 Relock and Release from Compact FE (C, x) FE.SK C, x RE(C, x) C(x) u1 Enc(u 1 ) R&R(u1) C 1, x 1 RE(C 1, x 1 ) C 1 (x) u2 Enc(u 2 ) R&R(u2) C 2, x 2 RE(C 2, x 2 ) C 2 (x)

83 Relock and Release from Compact FE (C, x) FE.SK C, x RE(C, x) C(x) u1 Enc(u 1 ) R&R(u1) C 1, x 1 RE(C 1, x 1 ) C 1 (x) Efficiency: FE. Enc is fast (by compactness of FE) Correctness: Decode RE(C 1, x 1 ) and continue updating C 1, x 1. Security: Func. Enc. Garb. Circ. Rand. Enc. C(x)