Transcript Slides
The Impossibility of Obfuscation with
Auxiliary Input or a Universal Simulator
Nir Bitansky
Ran Canetti
Henry Cohn
Shafi Goldwasser
Yael Tauman-Kalai
Omer Paneth
Alon Rosen
Program Obfuscation
π₯
Program
y
Obfuscation
π₯
y
Obfuscated program
Private Key to Public Key
π
πΈπππ π (π)
cipher
Obfuscation
π
cipher
Public Key
Ideal Obfuscation
Hides everything about the program
except for its input\output behavior
Point Function etc.
Unobfuscatable Functions
[Canetti 97, Wee 05, BitanskyCanetti 10, Canetti-Rothblum-Varia 10]
[Barak-Goldreich-ImpagliazzoRudich-Sahai-Vadhan-Yang 01]
All functions
?
Obfuscation Constructions
Before 2013: No general solution.
All functions
Obfuscation Constructions
Before 2013: No general solution.
2013: Candidate obfuscation for all circuits
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
All functions
New Impossibility Result
Under computational assumptions,
a natural notion of ideal obfuscation
cannot be achieved
for a large family of cryptographic functionalities.
(strengthen the impossibility of [Goldwasser-Kalai 05])
Virtual Black-Box (VBB)
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm πͺ is an obfuscator for a class π if:
For every PPT adversary π΄ there exists a PPT simulator π
such that for every πΆ β π and every predicate π(πΆ):
πΆ
πͺ(πΆ)
π΄
π(πΆ)
Inefficient!
π
Using Obfuscation
Reduction
π =πβ
π
π
π΄
π, π
VBB with a Universal Simulator
Algorithm πͺ is an obfuscator for a class π if:
There exists a PPT simulator π such that for every PPT adversary π΄
such that for every πΆ β π and every predicate π(πΆ):
πΆ
πͺ(πΆ)
π΄
π(πΆ)
π(π΄)
Universal Simulation
Universal
Simulators
Barakβs ZK
simulator
Black-box
Simulators
New Impossibility Result
Under computational assumptions,
VBB obfuscation with a universal simulator
cannot be achieved
for a large family of cryptographic functionalities.
Pseudo-Entropic functions
A function family ππ has super-polynomial pseudoentropy if there exists a set of inputs πΌ
such that for a random function ππ ,
there exists π with super-polynomial min-entropy:
π·
1
2
3
ππ (1) ππ (2) ππ (3)
βπ
β¦
πΌ
β¦
ππ (πΌ)\Z
Examples
β’ Pseudo-random functions
β’ Semantically-secure encryption
(when the randomness is a PRF of the message)
π
ππ
πΉπ
π
πΈπππ π
cipher
New Impossibility Result
Under computational assumptions,
VBB obfuscation with a universal simulator
is impossible for any pseudo-entropic function
Indistinguishability Obfuscation
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
πΆ1
β‘
πΆ2
πͺ(πΆ1 )
βπ πͺ(πΆ2 )
Assumption:
indistinguishability obfuscation for all circuits
(A candidate construction given in [GGHRSW13])
This Work
Assuming indistinguishability obfuscation,
VBB obfuscation with a universal simulator
is impossible for any pseudo-entropic function
This Work
Average-case VBB
with a universal simulator
Worst-case VBB
with a universal simulator
Is Impossible for
pseudo-entropic functions
Is Impossible for
pseudo-entropic functions
Assuming
indistinguishability obfuscation
for all functions
Assuming
indistinguishability obfuscation
for point-filter functions
or equivalently,
witness encryption
Average-case VBB
with a universal simulator
Worst-case VBB
with a universal simulator
[Goldwasser-Kalai 05]:
Is Impossible for
Filter functions
Is Impossible for
pseudo-entropic functions
Unconditionally
Assuming
VBB obfuscation
for point-filter functions
This work:
Is Impossible for
pseudo-entropic functions
Is Impossible for
pseudo-entropic functions
Assuming
indistinguishability obfuscation
for all functions
Assuming
indistinguishability obfuscation
for point-filter functions
Universal Simulation and Auxiliary Input
For every PPT adversary π΄ there exists a PPT simulator π
such that for every πΆ β π, every predicate π πΆ
and every auxiliary input π§:
πΆ
πͺ(πΆ)
π΄ π§
π(πΆ)
π π§
VBB with a universal simulator
Universal Simulation and Auxiliary Input
Average-case VBB
with a universal simulator
Worst-case VBB
with a universal simulator
Average-case VBB with
independent auxiliary input
Worst-case VBB with
dependent auxiliary input
Proof Idea
What can we do with an obfuscated code
that we cannot do with black-box access?
[Goldwasser-Kalai 05]:
Find a polynomial size circuit computing the function!
Impossibility for Worst-Case VBB
Let ππ be a family of PRFs.
Fix the simulator π. Sample a random ππ .
Construct an adversary π΄ (that depends on ππ ) that fail π.
Let πΌ be the set of inputs 1,2, β¦ , 2 β
πͺ ππ
πΆ
π΄
π\ β₯
πΌ
ππ (πΌ)
π΄π,π πΆ :
If πΆ = πͺ ππ and πΆ πΌ = ππ (πΌ):
output the secret π,
else output β₯.
Impossibility for Worst-Case VBB
ππ
πͺ(ππ )
π΄
π\ β₯
πΌ
ππ (πΌ)
π
π
π΄
π
Using Indistinguishability Obfuscation
π΄
π΄
π\ β₯
πΌ
βπ
πΌ
ππ (πΌ)
π΄
ππ (πΌ)
π΄
β₯
π΄
β₯
β‘
π
π΄
π\ β₯
πΌ
π\ β₯
βπ
π\ β₯
πΌ
π
βπ
Impossibility for Average-Case VBB
π΄π΄
πΆ
π\ β₯
πΌ
πΌ
ππ (πΌ)
ππ
πΉ
π
πΆ(πΌ)
βπ
π΄π πΆ :
If πΆ = πͺ ππ :
output π = ππ
πΉπ (πΆ(πΌ))
else output β₯.
Impossibility for Average-Case VBB
π΄
ππ
πΉπ
πΌ
πΆ(πΌ)
βπ
Obfuscation should hide ππ
πΉπ ππ πΌ
Use Indistinguishability Obfuscation together
with puncturable pseudo-random functions
Thanks!