Transcript On the Impossibility of Approximate Obfuscation
Nir Bitansky and Omer Paneth
Program Obfuscation
𝑥 Compute 𝑓 𝑠𝑘 (𝑥) 𝑦 = 𝑓 𝑠𝑘 (𝑥)
Program Obfuscation
𝑥 𝑦 = 𝑓 𝑠𝑘 (𝑥)
Program Obfuscation
𝑥 If 𝑥 Sign email 𝑥 with 𝑠𝑘 starts with “[email protected]” 𝑦 = 𝜎(𝑥) /⊥
Virtual Black-Box
[ Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] 𝒪 𝑠𝑘 is an obfuscation of 𝑓 𝑠𝑘 : - Functionality: ∀𝑥, 𝒪 𝑠𝑘 𝑥 = 𝑓 𝑠𝑘 𝑥 - Security: 𝑓 𝑠𝑘 𝒪 𝑠𝑘 𝐴 ≈ 𝑆
Impossibility of Obfuscation There exist families of functions that cannot be obfuscated [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Relaxed Security
[Barak et al. 01, Goldwasser-Rothblum07, Hofheinz-Malone-Lee-Stam07, Hohenberger-Rothblum-Shelat-Vaikuntanathan07, Bitansky-Canetti10] - Functionality: ∀𝑥, 𝒪 𝑠𝑘 𝑥 = 𝑓 𝑠𝑘 𝑥 - Security: 𝑓 𝑠𝑘 𝒪 𝑠𝑘 𝐴 ≈ 𝑆
Relaxed Functionality?
- Functionality: ∀𝑥, 𝒪 𝑠𝑘 𝑥 = 𝑓 𝑠𝑘 𝑥 - Security: 𝑓 𝑠𝑘 𝒪 𝑠𝑘 𝐴 ≈ 𝑆
Approximate Obfuscation [ Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] 𝒪 𝑠𝑘 is an approximate obfuscation of 𝑓 𝑠𝑘 : - Functionality: Pr 𝑥←𝑈 - Security: 𝒪 𝑠𝑘 𝑥 = 𝑓 𝑠𝑘 𝑥 𝑓 𝑠𝑘 𝒪 𝑠𝑘 𝐴 ≈ 𝑆 > 0.9
Main Result Assuming trapdoor permutations, there exist families of functions that cannot be approximately obfuscated Motivation?
Positive applications
From Impossibility to Applications Impossibility of approximate obfuscation Non-black-box extraction 𝑠𝑘 Zero-knowledge with 𝑥 𝐴 𝑠𝑘 resettable security Worst-case 𝑓 𝑠𝑘 (𝑥) extractable signatures
Plan
[BGIRSVY 01]: Impossibility of Obfuscation This work: Impossibility of Approximate Obfuscation Unobfuscatable Functions Robust Unobfuscatable Functions Applications
Unobfuscatable Functions From Barak et al.
𝑓 𝑠𝑘 1. Black-box unlearnability: ∀ efficient 𝐴, 𝑠𝑘 ← 𝑈 : 𝐴 2. Extraction: ∃ efficient 𝐸, ∀𝒪, 𝑠𝑘: 𝑠𝑘 Pr 𝑥←𝑈 𝒪 𝑥 = 𝑓 𝑠𝑘 𝑥 = 1 ⇒ 𝒪 𝐸 𝑠𝑘
Robust Unobfuscatable Functions 𝑓 𝑠𝑘 1. Black-box unlearnability: ∀ efficient 𝐴, 𝑠𝑘 ← 𝑈 : 𝐴 𝑠𝑘 2. Robust extraction: ∃ efficient 𝐸, ∀𝒪, 𝑠𝑘: Pr 𝑥←𝑈 𝒪 𝑥 = 𝑓 𝑠𝑘 𝑥 > 0.9
⇒ 𝒪 𝐸 𝑠𝑘
Robust Unobfuscatable Functions 𝒪 90% ≈ 𝑓 𝑠𝑘 𝒪 𝐸 𝐴 𝑠𝑘 ≈ 𝑆 𝑓 𝑠𝑘 𝑠𝑘
RUFs Construction
Unobfuscatable Functions Construction of Barak et al. (using FHE for simplicity) 𝑓 𝑎,𝑏,𝑠𝑘 𝑥 : 𝑎, 𝑏 𝑠𝑘 – two 𝑛 -bit strings - secret key for FHE
Unobfuscatable Functions 0 𝑛 𝑓 𝐸𝑛𝑐 𝑎 𝑎 𝐸𝑛𝑐 b 𝑓 𝑏 𝑓 𝑓 𝑎,𝑏,𝑠𝑘 (𝑥) = 𝑏 Enc 𝑠𝑘 (𝑎) 𝑏 ⊥ 𝑥 = 𝑎 𝑥 = 0 𝑛 Dec 𝑠𝑘 (𝑥) = 𝑏 o.w.
Black-Box Unlearnability 0 𝑛 𝑓 𝐸𝑛𝑐 𝑎 𝑎 𝐸𝑛𝑐 b 𝑓 𝑏 𝑓 𝑓 𝐴 𝑏
Extraction 0 𝑛 𝐶 𝐸𝑛𝑐 𝑎 𝑎 𝐸𝑣𝑎𝑙(𝐶) 𝐸𝑛𝑐 b 𝐶 𝑏 𝐶 ≡ 𝑓 𝐸 𝑏
Robust Extraction?
0 𝑛 𝐸𝑛𝑐 𝑎 𝐶 ∗ 𝐸𝑛𝑐 b 𝐶 ∗ 𝑎 𝑏 𝐶 ∗ 𝐸 𝑏 𝐶 ∗ (𝑥) = ⊥ 𝐸𝑛𝑐 𝑠𝑘 (𝑎) 𝑏 ⊥ 𝑥 = 𝑎 𝑥 = 0 𝑛 𝐷𝑒𝑐 𝑠𝑘 (𝑥) = 𝑏 𝑜. 𝑤.
A Taste of the Construction 𝑓 𝑎,𝑏 (𝑥) = 𝑏 ⊥ 𝑥 = 𝑎 𝑜. 𝑤.
Q: Find 𝑔 such that: 𝑔 with 10% errors Randomly reduce 𝑓 to 𝑔 𝑓 a,b
Getting Robustness
𝑓 𝑎,𝑏 (𝑥) = 𝑏 ⊥ 𝑥 = 𝑎 𝑜. 𝑤.
𝑔 𝑎,𝑏,𝑘 𝑥 = 𝑏 ⊕ PRF 𝑘 𝑥 ℎ 𝑎,𝑏,𝑘 𝑥 = PRF 𝑘 𝑎 ⊕ 𝑥
𝑎 𝑟 ← 𝑈 𝑟 𝑎 ⊕ 𝑟 𝑔 ℎ 𝑏 ⊕ PRF(𝑟) PRF(𝑟) ⊕ 𝑓 𝑏 (𝑤. 𝑝. 0.8) 𝑔, ℎ with 10% errors 𝑓 a,b 𝑔 𝑎,𝑏,𝑘 𝑥 = 𝑏 ⊕ PRF 𝑘 𝑥 ℎ 𝑎,𝑏,𝑘 𝑥 = PRF 𝑘 𝑎 ⊕ 𝑥
𝐴 𝑔, ℎ 𝑏 queries 𝑔 queries ℎ on 𝑥 and on 𝑎 ⊕ 𝑥 𝑎 𝑔, ℎ 𝑓 a,b 𝑔 𝑎,𝑏,𝑘 𝑥 = 𝑏 ⊕ PRF 𝑘 𝑥 ℎ 𝑎,𝑏,𝑘 𝑥 = PRF 𝑘 𝑎 ⊕ 𝑥
Construction of RUFs
𝑓 𝑎,𝑏,𝑠𝑘 (𝑥) = 𝑏 𝐸𝑛𝑐 𝑠𝑘 (𝑎) 𝑏 ⊥ 𝑥 = 𝑎 𝑥 = 0 𝑛 𝐷𝑒𝑐 𝑠𝑘 (𝑥) = 𝑏 𝑜. 𝑤.
Assumptions
• RUFs from trapdoor permutations. • Weak RUFs from OWF only: ∀𝑥: 𝒪 𝑥 ∈ 𝑓 𝑠𝑘 𝑥 , ⊥ 𝒪 𝐸 𝑠𝑘
Applications
Publicly-Verifiable RUOFs 𝑠𝑘, 𝑣𝑘 ← Gen() Ver 𝑣𝑘 𝑥, 𝑦 = 1 iff 𝑦 = 𝑓 𝑠𝑘 (𝑥) 𝑣𝑘 𝑓 𝑠𝑘 𝐴 𝑠𝑘, 𝑣𝑘 ← Gen() 𝑠𝑘 𝑣𝑘 𝒪 𝐸 𝑠𝑘 Pr 𝑥←𝑈 Ver 𝑣𝑘 𝑥, 𝒪 𝑥 = 1 > 1 poly(𝑛)
Resettably-Sound ZK
[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01] 𝑥 ∈ ℒ?
Standard ZK 𝒫 𝒱 Resettable Soundness
Resettable Soundness
[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01] 𝑥 ∉ ℒ 𝒫 ∗ 𝒱
Resettable Soundness
[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01] 𝒫 ∗ 𝒱 𝑥 ∉ ℒ 𝒱
No Black-Box Simulator
[Barak-Goldreich-Goldwasser-Lindell 01] Resettable soundness Zero-knowledge (black-box simulator) 𝒱 ∗ 𝒫 ∗ 𝒱 𝒱 𝒮
Resettably-Sound ZK
[Barak-Goldreich-Goldwasser-Lindell 01, BP 12, Chung-Pass-Seth 13] Resettable soundness Zero-knowledge (non-black-box simulator) 𝒫 ∗ 𝒱 𝒱 𝒱 ∗ 𝒮
Resettably-Sound ZK
𝑣𝑘 𝑥 ← 𝑈 𝑓 𝑠𝑘 (𝑥) 𝒫 𝑠𝑘, 𝑣𝑘 𝒱 Witness indistinguishable proof: 𝑥 ∈ ℒ
or
𝒫 “knows” 𝑠𝑘
Resettably-Sound ZK
𝑣𝑘 𝑥 𝑓 𝑠𝑘 (𝑥) 𝒫 𝑠𝑘, 𝑣𝑘 𝒱 Witness indistinguishable proof: 𝑥 ∈ ℒ
or
𝒫 “knows” 𝑠𝑘
Analysis
Resettable soundness 𝒫 ∗ 𝑓 𝑠𝑘 𝑥 𝑓 𝑠𝑘 (𝑥) 𝒱 𝑠𝑘 Zero-knowledge 𝒱 ∗ ≈ 𝑓 𝑠𝑘 𝒱 ∗ 1 p 𝑛 𝐸 𝑠𝑘
More Resettable Crypto
• Resettably-sound ZK from OWFs (Different approach from Chung-Pass-Seth 13) • Simultaneously-resettable ZK from OWFs (using srWI by Chung-Ostrovsky-Pass-Visconti 13) • 4-message resettably-sound ZK • 3-message simultaneously-resettable WI proof of knowledge
Worst-Case Extractable Signatures Digital Signatures: ∀𝑠𝑘, 𝑣𝑘 Sign 𝑠𝑘 𝑣𝑘 Sign 𝑠𝑘 𝐴 𝑚, 𝜎 𝑚 , 𝑚 ∉ 𝑚 𝑖
Worst-Case Extractable Signatures For every 𝑠𝑘, 𝑣𝑘: 𝐴 𝐴 breaks security for 𝑠𝑘, 𝑣𝑘 ⟹ 𝐸 𝑠𝑘
}
Thank You.
#define _ -F<00||--F-OO--; int F=00,OO=00;main(){F_OO();printf("%1.3f\n",4.*-F/OO/OO);}F_OO(){
_-_-_-_ _-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_ _-_-_-_
IOCCC 88