Transcript Slides
Boaz Barak
Sanjam Garg
Yael Tauman Kalai
Omer Paneth
Amit Sahai
Program Obfuscation
π
πΈπππ π (π)
cipher
Obfuscation
π
Public Key
cipher
Virtual Black-Box (VBB)
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm πͺ is an obfuscator for a class π if:
For every PPT adversary π΄ there exists a PPT simulator π
such that for every πΆ β π:
πΆ
πͺ(πΆ)
π΄
π(πΆ)
β
π
VBB Impossibility
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
There exists contrived βunobfuscatableβ programs.
Code of a program
equivalent to πΆ
πΆ
Secret
πΆ
πͺ(πΆ)
Execute
πͺ π
on itself
Secret
π
First Candidate Obfuscation
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
What is the security of the candidate?
Assumption:
The [GGHRSW13] obfuscator is an
Indistingushability Obfuscator.
Indistinguishability Obfuscation (ππͺ):
Noevery
known
except
[BGIRSVY01].
For
pairattacks
of equivalent
circuits
πΆ1 β‘ πΆ2 :
ππͺ πΆ1 βπ ππͺ(πΆ2 )
This Work
A variant of the [GGHRSW13]
obfuscator is VBB for all circuits
in a generic model
(underlying algebra is idealized)
Multilinear Maps
[Boneh-Silverberg 03, Garg-Gentry-Halevi 13]
Encoding πΌ
π
of πΌ β π
under a set π β π .
1.
πΌ
1,2,5
± π½
1,2,5
2.
πΌ
1,2,5
± π½
3,4
3. ππ πΌ
1,β¦,π
= πΌ±π½
= πΌβ
π½
1,2,5
1,2,3,4,5
= 1 iff πΌ = 0
Idealy: any other operation is hard.
The Generic MM Model
π₯
π₯
πΈ1 , πΈ2 , E3 , E4 , E5
πΆ
πͺ(πΆ)
πΈ6 , πΈ7 , E8 , E9 , E10
πΆ(π₯)
πΆ(π₯)
Add
Multiply
ZT
Our Result
Virtual Black-Box obfuscation in
the generic MM model:
1
1. For NC .
2. For P/Poly assuming LWE.
Avoiding VBB Impossibility
In the Generic MM Model
Code of a program
equivalent to πΆ
πΆ
Secret
Add
Mul
ZT
πͺ(πΆ)
Execute
πͺ π
on itself
Secret
Interpretation
Secure obfuscation against βalgebraic attacksβ.
Warning:
Non-algebraic attacks do exist [BGIRSVY01].
Interpretation II
+
This Work:
VBB with Generic
Multilinear Maps
Multi-Message
Semantically-Secure
Multilinear Maps
[Pass-Seth-Telang 13]
ππͺ for P/Poly
(assuming LWE)
Virtual gray-box
obfuscation for NC1
[Pass-Seth-Telang 13]
[Bitansky-Canetti-Kalai-P 14].
Previous Works
[GGHRSW13]
[Canetti-Vaikuntanathan13]
ππͺ in the Generic
Colored Matrix Model
VBB from Black-Box
Pseudo-Free Groups
[Brakerski-Rothblum13]
ππͺ in the Generic
MM Model
This Work
[Brakerski-Rothblum13]
Assuming BSH
VBB in the Generic
MM Model
The Construction
1. Construction for NC1 via branching programs
2. Bootstrap to P/Poly assuming LWE
(leveled-FHE with decryption in NC1 )
Branching Programs
Program:
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
Input:
π₯1
π₯2
π₯3
π₯4
BP Evaluation
Program:
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
or
β₯
Input:
0
1
1
0
Output: β€
Obfuscating BP
1. Randomizing
2. Encoding
[Kilian 88]
Step 1: Randomizing
Program:
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
or
β₯
Input:
π₯1
π₯2
π₯3
π₯4
Output: β€
Step 1: Randomizing
Program:
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
or
β₯
Input:
0
1
1
0
Output: β€
Step 2: Encoding
Program:
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
{1}
{2}
{3}
{4}
{5}
{6}
{7}
{8}
{9}
{10} {11} {12}
Obfuscation includes the encodings:
πππ
π
β level π, bit π , β€
12
β€
{1, β¦ , 12}
Proof of Security
π40
π10
π21
π50
π31
π80
π61
π71
1
π10
1
π11
β¦
+
0
π12
π90
π60
π20
π11
π31
+ πΌβ
?
β€
π41
=0
π51
0
π10
π71
π81
π91
1
π11
1
π12
Simulation Outline
Test every monomial separately:
π40
π10
π21
π50
π61
π31
By querying πΆ
π80
0
1
π71
1
0
π12
π90
1
π10
0
1
π11
Problems
1. Inconsistent monomials:
π40
π10
π21
π31
π80
π51
π61
0
π12
π90
π71
2. Too many monomials:
0
1
π10 + π11 β
π20 + π21 β
β¦ β
π12
+ π12
1
π10
1
π11
Changing the Sets
{1}
{2}
{3}
{4}
{5}
{6}
{7}
{8}
{9}
{10} {11} {12}
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
{1}
{2}
{3}
{4}
{5}
{6}
{7}
{8}
{9}
{10} {11} {12}
β€
{1, β¦ , 12}
Changing the Sets
1
1β²
2
2β²
3
3β²
4
4β²
5
5β²
6
6β²
7
7β²
8
8β²
9
9β²
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
1
1β²
2
2β²
3
3β²
4
4β²
5
5β²
6
6β²
7
7β²
8
8β²
9
9β²
10
10β²
10
10β²
11
11β²
11
11β²
12
12β²
12
12β²
β€
1, β¦ , 12
1β², β¦ , 12β²
Changing the Sets
1
1β²
5
5β²
9
9β²
π10
π50
π90
π11
π51
π91
1
1β²
5
5β²
9
9β²
Straddling Set System
1,5,9
1β², 5β², 9β²
1
1β²
5
5β²
9
9β²
π10
π50
π90
π11
π51
π91
1
5β²
5
9β²
9
1β²
=
9
1
5
βͺ β² βͺ β²
9
1β²
5
0-matrices
=
1
9
5
βͺ
βͺ
5β²
1β²
9β²
1-matrices
Straddling Set System
1
1β²
5
5β²
9
9β²
π10
π50
π90
π11
π51
π91
1
5β²
5
9β²
9
1β²
Straddling Set System
1
1β²
2
2β²
3
3β²
4
4β²
5
5β²
6
6β²
7
7β²
8
8β²
9
9β²
10
10β²
11
11β²
12
12β²
1
5β²
2
6β²
3
7β²
4
8β²
5
9β²
6
10β²
7
11β²
8
12β²
9
1β²
10
2β²
11
3β²
12
4β²
Too Many Monomials
0
1
π10 π50 π90 + π11 π51 π91 β
β¦ β
π40 π80 π12
+ π41 π81 π12
+
β
β¦β
+
Pairing Level Together
From Two Levels to One
10
10β²
8
8β²
0
π90 π10
π90
0
π10
1
π90 π10
π91
1
π10
0
π91 π10
10
2β²
8
12β²
1
π91 π10
10,8
10β² , 8β²
10,8
10β² , 12β²
10,8
2β² , 8β²
10,8
2β² , 12β²
From Two Levels to One
Dual-Input BP
Input:
π₯1
π₯2
π₯3
π₯4
Too Many Monomials
+
Thank You!
ο