witness encryption and indistinguishability obfuscation from the multilinear subgroup elimination...
TRANSCRIPT
![Page 1: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/1.jpg)
Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup
Elimination Assumption
Craig Gentry IBM
Allison Lewko Columbia
Amit Sahai UCLA
Brent Waters UT-Austin
![Page 2: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/2.jpg)
Witness Encryption [GGSW13]
Encrypt message under NP statement
M
Á
3-CNF formula Áis satisfiable
Correctness: can decrypt using a witness
Satisfying assignmentfor Á
Security: if statement is false, message is hidden.
![Page 3: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/3.jpg)
Applications of Witness Encryption
• PKE with fast key generation
• Identity-based encryption
• Attribute-based encryption for circuits
• Attribute-based encryption for Turing Machines [GKPVZ13]
![Page 4: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/4.jpg)
Indistinguishability Obfuscation
• But what is it good for?
• Avoids negative results of [BGIRSVY01]
Idea: Cannot distinguish between obfuscations of two input/output equivalent circuits
• a (b+c) vs. ab + ac
![Page 5: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/5.jpg)
Applications of iODemo or “need to know” software
Software Patching
Crypto, old and new: Traitor Tracing, Functional Encryption, Deniable Encryption, …
Indistinguishabilty Obfuscation
“Most” of cryptography
+ OWFs
Vision:
![Page 6: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/6.jpg)
The First Candidate Schemes• WE from multilinear maps [GGSW13]:
• iO from multilinear maps [GGHRSW13], and later [BR13, BGKPS14, PST14]
+ Simple, intuitive construction
- Assumption essentially matches scheme
- Generic group security or scheme structure embedded in the assumption
Goal: Reductions to Simple Assumptions
![Page 7: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/7.jpg)
The Assumption:Multilinear Subgroup Elimination
• k-Mmap over composite N, with many large prime factors:– One “special” prime factor c– k “distinguished” prime factors a1, a2, …, ak
– poly other primes
• Adversary gets Level-1 encodings:– (random) generators of each prime subgroup, except c– hi : random element of order c(a1a2…ai-1ai+1…ak)
• Hard for Adversary to distinguish Level-1 encoding of:– Random element T of order (a1a2…ak)
– vs. Random element T of order c(a1a2…ak)
![Page 8: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/8.jpg)
Obstacle to Using a Simple Assumption for WE
Imagine a typical reduction to a simple assumption:
Hard Problem Attacker
Reduction
CT for falsestatement
decrypt
What if reduction could be fooled into working for a true statement?
trueSimulateWith Witness
It seems reduction needs to “check” the statement is false.
![Page 9: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/9.jpg)
Analogous Obstacle for iO
Hard Problem Attacker
Reduction
Obfuscationfor 2 equalprograms
decrypt
What if reduction could be fooled into working on two programs that differ on some input?
unequalSimulateby testingon a differinginput
It seems reduction needs to “check” that the programs agree everywhere.
![Page 10: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/10.jpg)
Our Approach: Positional WE
Algorithms:
Encrypt(message M, position t, statement Á) CT
Suppose potential witnesses are bit strings of length n (think of as ordered).
M
Á,t
Decrypt( CT, witness w) M only when w ¸ t and w is a valid witness
![Page 11: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/11.jpg)
Security Properties for Positional WE
Positional Indistinguishability:
Message Indistinguishability:
If t is not a valid witness for Á, then:
For any m0, m1:
![Page 12: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/12.jpg)
Deriving WE from Positional WE
For scheme: Encrypt to position 0
For security proof : hybrid over all 2n positions
For a false statement f: PositionalIndist.
MessageIndist.
PositionalIndist.
![Page 13: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/13.jpg)
Positional iO
![Page 14: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/14.jpg)
Security Properties for Positional iO
![Page 15: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/15.jpg)
Building Positional WE
Since we want a simple assumption, we need to keep breaking down the problem:
3 parts in Ciphertext:
1. Counter
2. CNF formula
3. Message (one bit)
wCount = t 1 iff w < t
formula Áw
1 iff w doesn’t satisfy Á
Message 1 iff message = 1
DecryptionOR
![Page 16: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/16.jpg)
Constructing ORs of ANDs with Subgroups
Key:
= random
= identity
![Page 17: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/17.jpg)
Intermediary Goal: find a convenient “OR of ANDs”
abstraction general enough to build a counter, CNF, and message components
![Page 18: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/18.jpg)
Mid-layer Abstraction: Tribes Matrices
Representing an “OR of ANDS” boolean function in a 3-d matrix:
From boolean function analysis: A “tribes” function is an OR of ANDs of disjoint sets
= 1 = 0 = 0
= 1 in this case
![Page 19: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/19.jpg)
Using Tribe Matices• These are general enough to represent counters (threshold functions), CNFs, and messages.
• Can simply concatenate matrices for the separate components
• An ``encrypted” tribe matrix can be produced from multilinear maps
• Certain small changes to an enrypted tribes matrix can be reduced to the subgroup elimination assumption (these don’t affect the overall Boolean function)
• Can use a hybrid chain of small changes to increment counter, Doesn’t change the function b/c CNF is unsatisfied
![Page 20: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/20.jpg)
Back to Indistinguishability Obfuscation
• Basic building blocks can be the same – e.g. positional counter, underlying tribes matrices
• But now we don’t have a formula!
• To increment the counter, we must leverage that two programs agree on that input.
![Page 21: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/21.jpg)
Core Idea: Kilian Argument “in a Subgroup”
Matrix Branching Program:
A1,1
A1,0
A2,1
A2,0
A3,1
A3,0
A4,1
A4,0
Input: x1 x3x2 x1
Evaluate by multiplying one matrix per slot,Selected by corresponding input bit
Kilian: randomize matrices
R1-1
R1-1
R2-1
R2-1
R3-1
R3-1
R1
R1
R2
R2
R3
R3
If only take one matrix per slot,distribution random up toproduct
![Page 22: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/22.jpg)
How to Argue Security• We need proof of indistinguishability: iO(C0) to iO(C1)
• Use several “hybrid” steps, where want to switch out somepart of C0 computation with C1 computation.
• Idea: Use Kilian’s simulation to “switch” between C0 and C1 for a single input.– Go over each input with 2n hybrids, where n=input size.
![Page 23: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/23.jpg)
Overall Reduction Strategy• Reduction will isolate each input.• Main idea:– Have poly many “parallel” obfuscations,
each responsible for a bucket of inputs– Hybrid Type 1: Allocate/Transfer inputs among different
buckets, but programs do not change at all. Assumption used here.
– Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program.Information-theoretic / No Assumption needed.
Thank you.
C0 C0 C1
![Page 24: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/24.jpg)
Overall Reduction Strategy
• Reduction will isolate each input.• Main idea:– Have poly many “parallel” obfuscations,
each responsible for a bucket of inputs– Hybrid Type 1: Allocate/Transfer inputs among different
buckets, but programs do not change at all. Assumption used here.
– Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program.Information-theoretic / No Assumption needed*.
Thank you.
C0 C0 C1
x
C1
Hybrid Type 1 Illustration.Consider the code:
If (x ≤ 37) then {return C0(x)
} else if (x ≤ 39) {return C0(x)
} else {return C1(x)
}
38
Lesson:Ability to make this (minor) change
is actually important!
![Page 25: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/25.jpg)
Hybrids Intuition
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
C0
![Page 26: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/26.jpg)
Hybrids Intuition
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
C0 C0
![Page 27: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/27.jpg)
Hybrids Intuition
M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~
~ ~
~ ~
~ ~
~ ~
M1, 0
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~
~ ~
~ ~
~ ~
~ ~
C0 C0
…
M1, 1
M2, 0
M3, 0
M4, 1
…
Mk, 0
~
~
~
~
~
C0
![Page 28: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/28.jpg)
Hybrids Intuition
M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~
~ ~
~ ~
~ ~
~ ~
M1, 0
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~
~ ~
~ ~
~ ~
~ ~
C0 C0
…
M1, 1
M2, 0
M3, 0
M4, 1
…
Mk, 0
~
~
~
~
~
C1
All R matrices are independent for each obfuscation.Can now use Kilian !
![Page 29: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/29.jpg)
Hybrids Intuition
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
C1
…
![Page 30: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/30.jpg)
How to Transfer Inputs
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
C0 C0
…
![Page 31: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/31.jpg)
Recall: Multilinear Subgroup Elimination Assumption
• k-Mmap over composite N, with many large prime factors:– One “special” prime factor c– k “distinguished” prime factors a1, a2, …, ak
– poly other primes
• Adversary gets Level-1 encodings:– (random) generators of each prime subgroup, except c– hi : random element of order c(a1a2…ai-1ai+1…ak)
• Hard for Adversary to distinguish Level-1 encoding of:– Random element T of order (a1a2…ak)
– vs. Random element T of order c(a1a2…ak)
![Page 32: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/32.jpg)
How to Transfer Inputs (cheating)
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
M1, 0 M1, 1
M2, 0 M2, 1
M3, 0 M3, 1
M4, 0 M4, 1
… …
Mk, 0 Mk, 1
~ ~
~ ~
~ ~
~ ~
~ ~
C0 C0
…
Prime cPrime a1
Use Tto create these
Use hi, i≠1to create rest
(since they are the samein c and a1 subgroups)
“Missing” ai in hi
used to enforce input consistency.
Key point:The programs for each prime is fixed.
The reduction can directly build all matrices.Assumption plays no role in matrix choices.
![Page 33: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/33.jpg)
Some Additional Details…
1. Constructing multilinear maps w/ composite order subgroups:
2. Constructing a prime order version:
• Can do with a variant of the [CLT13] approach
• Can do using an eigenspace approach
For details, see the full version of [GLW14] on eprint.
![Page 34: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/34.jpg)
Questions?
![Page 35: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/35.jpg)
Defining a Cryptographic Tribes Scheme
![Page 36: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/36.jpg)
Building Positional WE from Tribes
3 parts in a Positional WE Ciphertext:
1. Counter
2. CNF formula
3. Message (one bit)
wCount = t
Outputs 1 iff w < t
formula Áw
Outputs 1 iff w doesn’t satisfy Á
Message Outputs 1 iff message = 1
We need to build each of these into a Tribes matrix
![Page 37: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/37.jpg)
The Inter-column Security Game
1
![Page 38: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/38.jpg)
Encoding a CNF Formula in a Tribes Matrix
![Page 39: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/39.jpg)
How Subgroup Elimination Implies Inter-Column Security
1
![Page 40: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/40.jpg)
Encoding a Counter in a Tribes Matrix
![Page 41: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/41.jpg)
Linking the Counter/Formula/Message
Recall: parts or a Positional WE Ciphertext:
1. Counter
2. CNF formula
3. Message (one bit)
Count = t
formula Á
Message
“scratch column,”contains all 0’s,Useful for proof
Tribes for Mimplements OR of count, formula,and message pieces
![Page 42: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/42.jpg)
Incrementing the Counter
• When formula Á is false, we want to increment counter t using inter-column security game
• Á false means some clause Áj is false
• Can use the jth column of MÁ to justify some changes in Mt via inter-column security
(for details,see the paper)
![Page 43: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/43.jpg)
Instantiating Inter-column Security
![Page 44: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/44.jpg)
Arranging the Subgroups
![Page 45: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/45.jpg)
Example: n = 2
This is just a typical subgroup decision assumption in the bilinear setting.
Challenge: or ?
![Page 46: Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit](https://reader036.vdocument.in/reader036/viewer/2022062322/5697bfda1a28abf838cb01cd/html5/thumbnails/46.jpg)
The Multilinear Subgroup Elimination Assumption