Transcript On Virtual Grey Box Obfuscation for General Circuits

On Virtual Grey-Box Obfuscation
for General Circuits
Nir Bitansky
Ran Canetti
Yael Tauman-Kalai
Omer Paneth
Program Obfuscation
𝑥
Program
y
Obfuscation
𝑥
y
Obfuscated program
Private Key to Public Key
𝑚
𝐸𝑛𝑐𝑠𝑘 (𝑚)
cipher
Obfuscation
𝑚
cipher
Public Key
Virtual Black-Box (VBB)
[Hada 00, Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm 𝒪 is an obfuscator for a class 𝒞 if:
For every PPT adversary 𝐴 there exists a PPT simulator 𝑆
such that for every 𝐶 ∈ 𝒞 and every predicate 𝜋(𝐶):
𝐶
𝒪(𝐶)
𝐴
Pr 𝐴(𝒪(𝐶)) = 𝜋 𝐶
𝜋(𝐶)
𝑆
= Pr 𝑆 𝐶 = 𝜋 𝐶
± 𝑛𝑒𝑔𝑙
Impossibility Results for VBB
Impossible for some functions.
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Impossible for all pseudo-entropic functions
w.r.t auxiliary input (assuming IO).
[Goldwasser-Kalai 05, Bitansky-Canetti-Cohn-Goldwasser-Kalai-P-Rosen 14]
Indistinguishability Obfuscation (IO)
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
𝐶1
𝒪(𝐶1 )
≡
𝐶2
≈𝑐 𝒪(𝐶2 )
History
2000-2013:
No general solution.
Obfuscation for simple functions:
[C97,W05,CD08,CRV10,BC10,BR13]
2013:
Candidate obfuscation for all circuits
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
What is the security
of the candidate obfuscator?
Assumption: the [GGHRSW13] obfuscator is IO
Many recent applications:
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13, Sahai-Waters 13,
Hohenberger-Sahai-Waters 13, Garg-Gentry-Halevi-Raykova 13,
Bitansky-Canetti-P-Rosen 13, Boneh-Zhandry 13, Brzuska-FarshimMittelbach 14, Bitansky-P 14, Ramchen-Waters 14]
Better assumption:
1. Semantically-secure graded encodings
[Pass-Seth-Telang 13]
2. Multilinear subgroup elimination assumption
[Gentry-Lewko-Sahai-Waters 14]
What about other applications?
Example: point function
Can we get more then IO?
Today: virtual grey-box
Simulation Definition for IO
[Bitansky-Canetti 10]
𝐶1
≡
𝐶2
⇒
𝒪(𝐶1 )
≈𝑐 𝒪(𝐶2 )
Weak VBB:
𝒪(𝐶)
𝐶
𝐴
≈
𝑆
Computationally
unbounded
𝐶
Virtual black-box:
Simulator is bounded
𝑆
𝐶
[Bitansky-Canetti 10]
Virtual grey-box (VGB):
Simulator is semi-bounded
unbounded
computation
𝑆
𝐶
Indistinguishability:
Simulator is unbounded
𝑆
polynomial number
of oracle queries
𝐶
Virtual black-box:
Simulator is bounded
𝑆
meaningful
Pseudo-random functions
𝐶
[Bitansky-Canetti 10]
Virtual grey-box (VGB):
Simulator is semi-bounded
Not meaningful
𝑆
meaningful
Point functions
𝐶
Indistinguishability:
Simulator is unbounded
𝑆
Not meaningful
Assume the [GGHRSW13] obfuscation is VGB.
Or better yet, prove it!
Results
Semantically secure
graded encoding
IO
[Pass-Seth-Telang 13]
Semantically secure*
graded encoding
VGB for 𝑁𝐶 1
Semantically secure*
graded encoding
VGB for 𝑁𝐶 1
Results
Semantically secure
graded encoding
Semantically secure*
mutlilinear jigsaw puzzles
Semantically secure*
mutlilinear jigsaw puzzles
IO
[Pass-Seth-Telang 13]
VGB for 𝑁𝐶 1
VGB for all circuits
Results
Semantically secure
graded encoding
Semantically secure*
mutlilinear jigsaw puzzles
Semantically secure*
mutlilinear jigsaw puzzles
Semantically secure
mutlilinear jigsaw puzzles
IO
[Pass-Seth-Telang 13]
VGB for 𝑁𝐶 1
VGB
VBB for new families
New Feasibility Results For VBB
Existing VBB results:
• Point functions [Canetti 97, Wee 05]
• Constant-size set functions [Bitansky-Canetti 10]
• Constant-dimension hyperplanes [Canetti-Rothblum-Varia 10]
New results:
• Fuzzy point functions (Hamming balls)
• Constant-dimension linear subspaces
• Conjunctions (worst-case)
Unified proof for all existing VBB results.
Results
Semantically secure
graded encoding
Semantically secure*
graded encoding
Semantically secure*
mutlilinear jigsaw puzzles
Semantically secure
mutlilinear jigsaw puzzles
IO
[Pass-Seth-Telang 13]
VGB for 𝑁𝐶 1
VGB
VBB for new families
Indistinguishability
Simulation
IND-secure encryption
SIM-secure encryption
Witness indistinguishable proofs
Zero-knowledge proofs
IND-secure functional encryption
SIM-secure functional encryption
Indistinguishability obfuscation
Obf. w. Unbounded simulation
?
VGB obfuscation
[Goldwasser-Micali 82]
[Feige-Lapidot-Shamir 99]
[De Caro-Iovino-Jain-O'Neill-P-Persiano 13]
[Bitansky-Canetti 10]
This work
Strong indistinguishability obfuscation
Virtual grey-box obfuscation
Indistinguishability Obfuscation
For every pair of circuits 𝐶1 , 𝐶2 :
∀𝑥: 𝐶1 𝑥 = 𝐶2 (𝑥)
𝒪 𝐶1 ≈𝑐 𝒪 𝐶2
Strong Indistinguishability Obfuscation
For every pair of distributions on circuits 𝐶1 , 𝐶2 :
∀𝑥: Pr 𝐶1 𝑥 = 𝐶2 𝑥
≥ 1 − negl 𝑥
𝒪 𝐶1 ≈𝑐 𝒪 𝐶2
VGB from Semantic Security
Semantically-secure graded encoding*
Strong IO for 𝑁𝐶
1
Virtual grey-box obfuscation for 𝑁𝐶 1
The Equivalence.
Strong indistinguishability obfuscation
Virtual grey-box obfuscation
Strong IO ⇐ VGB
Let 𝐶1 , 𝐶2 be distributions on circuits such that:
∀𝑥: Pr 𝐶1 𝑥 = 𝐶2 𝑥
≥ 1 − negl 𝑥
For every distinguisher 𝐷:
𝐶2
𝐶1
𝒪 𝐶1
𝐷
≈
𝑆
≈
𝑆
≈
𝐷
𝒪 𝐶2
The Equivalence.
Strong indistinguishability obfuscation
Virtual grey-box obfuscation
Strong IO ⇒ VGB: The Challenge
1 if
Point Function: 𝐶𝑥 (𝑧) =
0 if
𝒪(𝐶𝑥 )
𝐴𝑦
𝑥=𝑧
𝑥≠𝑧
1
0
if 𝑥 = 𝑦
if 𝑥 ≠ 𝑦
1
0
if 𝑥 = 𝑦
if 𝑥 ≠ 𝑦
𝐶𝑥
𝑆𝑦
High-Level Simulation Strategy
𝐶
High-Level Simulation Strategy
𝐶
High-Level Simulation Strategy
𝐶
High-Level Simulation Strategy
𝐶
High-Level Simulation Strategy
𝐶
High-Level Simulation Strategy
𝐶
Extract a information about C from the adversary
First Step: Concentrated Functions
A family of boolean functions 𝐷 is concentrated around a
function 𝑓 if for every input 𝑥:
Pr 𝐶 𝑥 = 𝑓 𝑥
𝐶←𝐷
≥ 1 − negl( 𝑥 )
Starting Point
𝐶
The simulator queries 𝐶 on a “splitting” input
𝐶
The simulator queries 𝐶 on a “splitting” input
𝐶
The simulator queries 𝐶 on a “splitting” input
𝐶
The simulator queries 𝐶 on a “splitting” input
The Concentrated Family
𝐶
There is no splitting input to query
Warm Up: Point Functions [Canetti 97]
Let 𝒪 be a strong IO for point functions.
For an adversary 𝐴 let 𝐵𝐴 be the set of points 𝑥 such that:
Pr 𝐴 𝒪 𝐶𝑥
= 1 − Pr 𝐴 𝒪 𝟎
=1 ≥𝜖
How to simulate an obfuscation of 𝐶𝑥 ?
If 𝑥 ∉ 𝐵𝐴 simulation is trivial.
if 𝑥 ∈ 𝐵𝐴 the simulator can learn 𝑥 with a small number of
oracle queries.
𝐶𝑥
𝑆
𝐴(𝒪(𝐶𝑥 ))
𝐴(𝒪(𝟎))
if
if
𝑥 ∈ 𝐵𝐴
𝑥 ∉ 𝐵𝐴
For an adversary 𝐴 let 𝐵𝐴 be a set of functions 𝑥 such that:
Pr 𝐴 𝒪 𝐶𝑥
= 1 − Pr 𝐴 𝟎 = 1 ≥ 𝜖
Claim: 𝐵𝐴 = poly( 𝐴
1
, ).
𝜖
Proof: By the definition of 𝐵𝐴 we have that:
𝒪 𝐶𝑥 ← 𝐵𝐴 ≉𝑐 𝒪 𝟎 .
However, if 𝐵𝐴 is super polynomial:
∀𝑦:
Pr
𝐶𝑥 ←𝐵𝐴
𝐶𝑥 𝑦 = 𝟎 𝑦
≥ 1 − negl 𝑦
Main Step: General Concentrated Functions
Let 𝒪 be a strong IO for 𝐷.
For an adversary 𝐴 let 𝐵𝐴 be the set of functions 𝐶 ∈ 𝐷 s.t:
Pr 𝐴 𝒪 𝐶
= 1 − Pr 𝐴 𝒪 𝑓
=1 ≥𝜖
The set 𝐵𝐴 may be large!
To simulate an obfuscation of 𝐶 ∈ D:
1. If 𝐶 ∉ 𝐵𝐴 simulation is trivial.
2. if 𝐶 ∈ 𝐵𝐴 then simulator can learn a “separating” input
𝑧 s.t. 𝐶 𝑧 ≠ 𝑓(𝑧) in a small number of oracle queries.
3. Set 𝐷2 = 𝐶 ∈ 𝐷 | 𝐶 𝑧 ≠ 𝑓(𝑧) . Note: 𝐷2 ≪ 𝐷 .
4. Repeat.
𝐷
𝐷2
𝐵𝐴
𝐶 𝑧 ≠𝑓 𝑧
𝑓2
𝐵𝐴
𝑓
𝐶
𝐵𝐴
𝐷
𝐷2
𝐶 𝑧 ≠𝑓 𝑧
𝑓2
𝐵𝐴2
𝐶
𝐶 𝑧2
𝑓3
≠ 𝑓2 𝑧2
𝐵𝐴2
𝐷3
𝑓
𝐷
𝐷2
𝐶 𝑧 ≠𝑓 𝑧
𝑓2
𝐶
𝐶 𝑧2
𝐷3
𝐵𝐴3
𝑓3
≠ 𝑓2 𝑧2
𝑓
When 𝐶 ∈ 𝐵𝐴 , how to learn a separating input
𝑧 s.t. 𝐶 𝑧 ≠ 𝑓(𝑧) in a small number of oracle queries?
Claim: There exists a set of separating inputs 𝑍 such that:
1
1. 𝑍 = poly( 𝐴 , 𝜖 ).
2. For every 𝐶 ∈ 𝐵𝐴 , there exists 𝑧 ∈ Z such that 𝐶 𝑧 ≠ 𝑓(𝑧)
Proof:
By the definition of 𝐵𝐴 we have that: 𝒪 𝐶 ← 𝐵𝐴 ≉𝑐 𝒪 𝑓 .
Find an input 𝑧 that is separating for a noticeable fraction of the
functions in 𝐵𝐴 . Such 𝑧 exists since otherwise:
∀𝑧: Pr 𝐶 𝑧 = 𝑓 𝑧
𝑐←𝐵𝐴
≥ 1 − negl 𝑧
Add 𝑧 to 𝑍, set 𝐵𝐴 = 𝐵𝐴 ∖ 𝐶 | 𝐶 𝑧 ≠ 𝑓 𝑧
, and repeat.
Two sources of inefficiency
1. Learning the function:
– Finding splitting inputs to concentrate 𝐷𝑖
2. Learning the adversary:
– Finding the bad set 𝐵𝐴𝑖
– Finding the set of separating inputs 𝑍𝑖
Summary
• VGB is more meaningful than IO and probably
more achievable than VBB.
• Strong IO ⇔ VGB.
• More applications of VGB.
• The quest for the “right” definition is not over.
Thanks!