-
Cryptography with Updates
Slides and research in collaboration with: Prabhanjan Ananth (UCLA), Aloni Cohen (MIT), Abhishek Jain (JHU)
-
Garbled Circuits
Offline (slow): garble the circuit C.
Online (fast): given the input x, evaluate the garbled circuit to obtain C(x).
Example:
• C = a model of Alice’s valuation of APPL stock
• x = stock price
• C(x) = buy!
-
Garbled Circuits
Offline (slow): garble C.
Online (fast): given x, evaluate to obtain C'(x).
Alice wants to update C to C'.
Does changing a single gate in C require garbling the circuit from scratch?
-
Updatable Garbled Circuits
Offline (slow): garble C.
Update (fast): ?
Requirements:
1. The update turns the garbling of C into a garbling of C'.
2. The update is easy to compute.
-
Cryptography with Updates: Results
• Garbled Circuits: update gates, from lattices
• Obfuscation: prior work [AJS 17, GP 16]
• Attribute-based encryption: update the secret key
• Non-interactive proofs: update the NP relation or the instance; prior work (for conjunctions) [Valiant 08]
• Updatable Randomized Encodings (update C, x): general updates, from FE (or from OWFs for bounded-many updates)
-
Outline
• Definition of URE
• Related work
• How to use URE: XYZ + URE ⇒ Updatable XYZ
• Construction of updatable garbled circuits
-
Updatable Randomized Encodings (URE)
(C, x) + u = (C', x')
An update u can be:
• Change a gate
• Change a bit of C or x
• Arbitrary* (*applying u is done by a circuit of fixed size)
-
Updatable Randomized Encodings (URE)
Authority: holds (C, x); Encode → ⟨C, x⟩, which is given to the User.
Authority: (C, x) + u = (C', x').
Randomized Encoding [IK 00, AIK 06]:
• Encoding is “easier” than evaluating C.
• The encoding “only reveals” C(x).
-
Updatable Randomized Encodings (URE)
Authority: Encode u (using its state) → ⟨u⟩, which is given to the User.
User: Apply Update: ⟨C, x⟩ + ⟨u⟩ = ⟨C', x'⟩.
-
Multiple Updates in Serial
Plaintext side: (C, x) —u1→ (C1, x1) —u2→ (C2, x2)
Encoded side: ⟨C, x⟩ —⟨u1⟩→ ⟨C1, x1⟩ —⟨u2⟩→ ⟨C2, x2⟩
Each encoding decodes to its output: C(x), C1(x1), C2(x2).
Updatable Garbled Circuit: the single-use variant.
-
Key Challenge: Efficiency
The encoded update ⟨u⟩ should not be as large as ⟨C', x'⟩: if |u| ≪ |C'|, updating should be simple.
Goal: |⟨u⟩| = poly(|u|). More precisely, the time to compute ⟨u⟩ should be poly(|u|, k).
Compactness (needed for some applications): |⟨u⟩| independent of the output length of C'.
-
(Selective) Security
• SIMulation: the view can be simulated by just knowing C(x), C1(x1), C2(x2), …
  • Compactness impossible (follows from [AGVW13, CIJOPP13])
• INDistinguishability: can’t distinguish sequences that agree on C(x), C1(x1), C2(x2), …
• Generic transformation from compact + IND to non-compact + SIM (as in FE)
-
Previous Work: Incremental Crypto [Bellare-Goldwasser-Goldreich 94, …]
Incremental signatures (one party): msg + u = msg', and the signature σ is updated to σ'. The Signer does everything in his head.
Updatable encodings (two parties): the Authority generates the update (C + u = C'); the User applies the update (⟨C⟩ + ⟨u⟩ = ⟨C'⟩).
-
Previous Work: Incremental / Patchable Obfuscation [Garg-Pandey 16, Ananth-Jain-Sahai 17]
• Incremental Obfuscation
  • More restricted updates
  • Lower bound on efficiency for updatable VBB
• Patchable Obfuscation (see Prabhanjan’s talk tomorrow!)
  • More general updates
  • Updating many circuits with a single update
-
Previous Work: URE vs Reusable Garbled Circuits [Goldwasser-Kalai-Popa-Vaikuntanathan-Zeldovich 13]
• This work: URE with “sequential” updates
• Observation: for “parallel” updates (u1, u2, u3, u4 each applied to the same ⟨C, x⟩, giving ⟨C, x1⟩, ⟨C, x2⟩, ⟨C, x3⟩, ⟨C, x4⟩), parallel URE ≈ reusable GC.
-
How to use URE
XYZ + URE ⇒ Updatable XYZ*
*Formalized for a large class of XYZ, including ABE, FE, iO, NIWI, GC (selectively IND-secure).
(figure: URE feeding ABE, NIZK, FE, MPC and iO)
-
iO + URE ⇒ Updatable iO
Obfuscate: C ↦ Updatable Randomized Encoding of (iO, C), i.e. URE(iO, C).
Update u: Encode u ↦ URE.Encode(u); applying it yields URE(iO, C').
Correctness and IND-security are inherited from URE and iO; efficiency requires compactness.
-
Not-quite-conclusions
• Updatable crypto largely unexplored
• The “right” set of definitions, models
• Study specific primitives / update types
• Direct constructions
• New questions (e.g., efficiency lower bounds, multi-updating)
Remaining time: Updatable Garbled Circuit from lattices!
-
Updatable Garbled Circuit
Plaintext side: C —u→ C'
Garbled side: Garble(C) —Garble(u)→ Garble(C'); then Garble(x) and Decode → C'(x).
Evaluator only recovers C'(x).
-
Yao’s Garbled Circuits [Yao 82, …]
(figure: a Boolean circuit of gates, e.g. OR, and “Garble Circuit” producing its garbled counterpart, one garbled table per gate)
-
Attempt 1: Just do it
(figure: an AND gate with inputs a, b and output c is replaced by a new gate. Generate Update: a fresh garbled gate. Apply Update: drop it into the garbled circuit.)
• Efficiency: 1 gate changed ⇒ 1 new garbled gate
• Correctness: can decode the updated circuit, C'(x)
• Security: can still recover C(x)!
-
Fixing Security
• Idea: encrypt the original garbled gates
Garble Circuit: every garbled gate is stored encrypted.
Generate Update: the new garbled gate, plus the decryption material for the other gates.
Efficiency: the update is large. Correctness and security hold.
-
Security + Efficiency
• Idea: punctured decryption key
Garble Circuit: garbled gates encrypted; gate #1 is the one to be replaced.
Generate Update: the new garbled gate #1, plus the decryption key punctured at {1}.
Can decrypt all gates except #1. Can be built from puncturable PRFs (from OWFs).
[Boneh-Waters 13, Boyle-Goldwasser-Ivan 13, Kiayias-Papadopoulos-Triandopoulos-Zacharias 13]
Security + Efficiency
• Idea: punctured decryption key
Garble Circuit: garbled gates encrypted. Generate Update: the new garbled gate #1 plus the decryption key punctured at {1}.
Efficiency, Correctness, Security: all satisfied.
Multiple Updates: only supports 1 update.
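The two ideas on the slides above, the naive “Attempt 1: Just do it” update and the punctured-key fix, in working Python. This is an added toy example, not the authors’ construction: it uses a GGM puncturable PRF built from HMAC-SHA256 and a minimal Yao-style garbling of a fixed two-gate circuit C(a,b,c) = (a AND b) XOR c, updated to C'(a,b,c) = (a OR b) XOR c. Every function name (`garble_circuit`, `puncture`, `attempt1_leaks_both`, …), the 2-bit PRF domain, the 0-based gate numbering (the slide’s “gate #1” is gate 0 here) and the choice to ship the punctured key inside the update, as in the single-update slide, are assumptions of this example.

```python
# Added toy example (not the authors' construction); all names and parameters are assumptions.
import hashlib, hmac, os, random
from typing import Callable, Dict, List, Tuple
DOMAIN_BITS = 2         # PRF domain = gate ids 0..3 (assumption: enough for the toy circuit)
LABEL = 16              # wire-label length in bytes
TAG = b"\x00" * LABEL   # marker that tells the evaluator which table row decrypted correctly

# ---- GGM puncturable PRF from a length-doubling step (here HMAC-SHA256) ----
def _step(node: bytes, bit: int) -> bytes:
    return hmac.new(node, bytes([bit]), hashlib.sha256).digest()
def prf(key: bytes, x: int) -> bytes:
    """Walk the GGM tree from the root along the bits of x, MSB first."""
    node = key
    for i in reversed(range(DOMAIN_BITS)):
        node = _step(node, (x >> i) & 1)
    return node
def puncture(key: bytes, x: int) -> Dict[Tuple[int, int], bytes]:
    """K{x}: the sibling of every node on the path to leaf x, keyed by (depth, prefix)."""
    pk, node, prefix = {}, key, 0
    for i in reversed(range(DOMAIN_BITS)):
        b = (x >> i) & 1
        pk[(DOMAIN_BITS - i, (prefix << 1) | (1 - b))] = _step(node, 1 - b)
        node, prefix = _step(node, b), (prefix << 1) | b
    return pk
def prf_punctured(pk: Dict[Tuple[int, int], bytes], y: int) -> bytes:
    """Evaluate PRF(K, y) from K{x}; raises KeyError exactly when y == x."""
    for depth in range(1, DOMAIN_BITS + 1):
        prefix = y >> (DOMAIN_BITS - depth)
        if (depth, prefix) in pk:
            node = pk[(depth, prefix)]
            for i in reversed(range(DOMAIN_BITS - depth)):
                node = _step(node, (y >> i) & 1)
            return node
    raise KeyError(f"key is punctured at {y}")

# ---- Minimal Yao-style garbling: table rows are one-time pads keyed by H(label_a || label_b) ----
def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))
AND, OR, XOR = (lambda a, b: a & b), (lambda a, b: a | b), (lambda a, b: a ^ b)
def garble_gate(f: Callable, la, lb, lc) -> List[bytes]:
    """Table for c = f(a, b): row (i, j) encrypts lc[f(i, j)] || TAG under (la[i], lb[j]); shuffled."""
    rows = [_xor(_h(la[i], lb[j]), lc[f(i, j)] + TAG) for i in (0, 1) for j in (0, 1)]
    random.SystemRandom().shuffle(rows)
    return rows
def eval_gate(rows: List[bytes], ka: bytes, kb: bytes) -> bytes:
    pad = _h(ka, kb)
    for r in rows:
        pt = _xor(pad, r)
        if pt[LABEL:] == TAG:           # exactly one row carries the right tag
            return pt[:LABEL]
    raise ValueError("no row decrypted: wrong input labels")
def garble_circuit(gates):
    """Fixed topology: w3 = gates[0](w0, w1); w4 = gates[1](w3, w2); output wire w4."""
    labels = [(os.urandom(LABEL), os.urandom(LABEL)) for _ in range(5)]
    tables = [garble_gate(gates[0], labels[0], labels[1], labels[3]),
              garble_gate(gates[1], labels[3], labels[2], labels[4])]
    return tables, labels, {labels[4][0]: 0, labels[4][1]: 1}   # last item: output decoding table
def evaluate(tables, in_labels, decode) -> int:
    w3 = eval_gate(tables[0], in_labels[0], in_labels[1])
    return decode[eval_gate(tables[1], w3, in_labels[2])]
def encrypt_table(k: bytes, rows: List[bytes]) -> List[bytes]:
    """One-time-pad a whole table under a per-gate key (decryption is the same operation)."""
    return [_xor(_h(k, bytes([n])), r) for n, r in enumerate(rows)]

def attempt1_leaks_both(x=(1, 0, 1)) -> Tuple[int, int]:
    """Attempt 1: the update is just a fresh table for gate 0 (AND -> OR) over the same labels.
    The evaluator still holds the OLD table, so both C(x) and C'(x) decode."""
    tables, labels, decode = garble_circuit([AND, XOR])           # C(a,b,c) = (a AND b) XOR c
    new_gate0 = garble_gate(OR, labels[0], labels[1], labels[3])   # C'(a,b,c) = (a OR b) XOR c
    gx = [labels[w][x[w]] for w in range(3)]                       # garbled input
    return evaluate(tables, gx, decode), evaluate([new_gate0, tables[1]], gx, decode)

def punctured_update_hides_old(x=(1, 0, 1)) -> Tuple[int, bool]:
    """Fix: gate g's table is encrypted under PRF(K, g); the update ships the new gate-0 table
    plus K{0}. The evaluator decrypts every gate except #0, so C'(x) is computable while the
    old gate 0 (hence C(x)) stays hidden."""
    K = os.urandom(32)
    tables, labels, decode = garble_circuit([AND, XOR])
    enc = [encrypt_table(prf(K, g), t) for g, t in enumerate(tables)]   # what the evaluator holds
    new_gate0, pk = garble_gate(OR, labels[0], labels[1], labels[3]), puncture(K, 0)   # the update
    gx = [labels[w][x[w]] for w in range(3)]
    gate1 = encrypt_table(prf_punctured(pk, 1), enc[1])            # allowed: 1 is not punctured
    c_prime = evaluate([new_gate0, gate1], gx, decode)
    try:
        prf_punctured(pk, 0)                                        # key for the OLD gate 0
        return c_prime, True
    except KeyError:
        return c_prime, False                                       # enc[0] stays undecryptable
```

`attempt1_leaks_both()` returns (C(x), C'(x)) = (1, 0) for x = (1, 0, 1): with the naive update the evaluator decodes both outputs, which is exactly the failure the slide flags. `punctured_update_hides_old()` returns (0, False): the evaluator recovers gate 1's table with the punctured key, uses the fresh gate-0 table from the update, and has no way to derive PRF(K, 0) for the old table. The one-update limitation also shows up directly: a second update shipping K{1} would let the evaluator combine it with K{0}, derive PRF(K, 0) and decrypt the old gate 0 after all, which is why the slide notes that this variant supports only one update.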
-
Many updates
• Idea: punctured proxy re-encryption [ACJ17]
(figure: gates #1, #2, #3 encrypted; Re-encrypt with the key punctured at {2}; Re-encrypt again with the key punctured at {1}.)
• Security: even given the punctured re-encryption keys, the gates at the punctured points stay hidden.
-
Many updates
• Idea: punctured proxy re-encryption [ACJ17]
Can be built from key-homomorphic constrained PRFs (from “LWE”)
[Brakerski-Vaikuntanathan 15, Banerjee-Fuchsbauer-Peikert-Pietrzak-Stevens 15]
-
Many updates
• Idea: punctured proxy re-encryption [ACJ17]
Garble Circuit: garbled gates encrypted; the Garbled Input includes the terminal key.
Update 1: the new gate #1 plus the re-encryption key punctured at {1}.
Update 2: the new gate #2 plus the re-encryption key punctured at {2}.
Efficiency, Correctness, Security.
-
URE Approach: “Relock and Release”
Plaintext side: (C, x) —u1→ (C1, x1) —u2→ (C2, x2)
Encoded side: ⟨C, x⟩ —R&R(u1)→ ⟨C1, x1⟩ —R&R(u2)→ ⟨C2, x2⟩, releasing C(x), C1(x1), C2(x2) in turn.
-
URE Approach: “Relock and Release”
⟨C, x⟩ —R&R(u1)→ ⟨C1, x1⟩: “Relock” produces the new encoding, “Release” reveals C1(x1).
The encoding ⟨C1, x1⟩ is a Randomized Encoding RE(C1, x1): a Garbled Circuit together with Garbled Inputs.
• Correctness: decode RE(C', x') and continue updating C', x'.
• Security: simulatable.
• Efficiency: R&R(u) outputs more than |C'| bits, so computing R&R(u) takes time greater than |C'|.
-
“Relock and Release” from Compact FE (1 key, secret key, poly-secure, IND)
Idea: delegate the computation of R&R(u) using FE.
FE.SK(R&R-Garbler): the functional key for the R&R garbler.
FE.Enc(u): the encrypted update. Together they yield R&R(u), i.e. RE(C', x') (Garbled Circuit + Garbled Inputs).
-
“Relock and Release” from Compact FE
Plaintext side: (C, x) —u1→ (C1, x1) —u2→ (C2, x2)
⟨C, x⟩ = (RE(C, x), FE.SK), releasing C(x).
Enc(u1): ⟨C, x⟩ —R&R(u1)→ ⟨C1, x1⟩ = RE(C1, x1), releasing C1(x1).
Enc(u2): ⟨C1, x1⟩ —R&R(u2)→ ⟨C2, x2⟩ = RE(C2, x2), releasing C2(x2).
-
“Relock and Release” from Compact FE
(C, x) —u1→ (C1, x1); ⟨C, x⟩ = (RE(C, x), FE.SK) releases C(x); Enc(u1) drives R&R(u1): ⟨C, x⟩ → ⟨C1, x1⟩ = RE(C1, x1), releasing C1(x1).
• Efficiency: FE.Enc is fast (by compactness of FE).
• Correctness: decode RE(C1, x1) and continue updating C1, x1.
• Security: reduces in turn to the Functional Encryption, the Garbled Circuit and the Randomized Encoding, leaving a view that depends only on C(x).