on virtual grey-box obfuscation for general circuits

On Virtual Grey-Box Obfuscation for General Circuits

Nir Bitansky Ran CanettiYael Tauman-Kalai Omer Paneth

Program Obfuscation

Obfuscated program

𝑥 y

Obfuscation

Program

𝑥 y

Private Key to Public Key

Public Key

𝑚 cipher  

Obfuscation

𝐸𝑛𝑐𝑠𝑘(𝑚)

𝑚 cipher  

Virtual Black-Box (VBB)[Hada 00, Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Algorithm is an obfuscator for a class if:

For every PPT adversary there exists a PPT simulator such that for every and every predicate :

𝐴 𝑆𝜋 (𝐶 )𝒪(𝐶 )

𝐶

Pr [ 𝐴(𝒪(𝐶))=𝜋 (𝐶 ) ]=Pr [𝑆𝐶=𝜋 (𝐶 ) ]±𝑛𝑒𝑔𝑙

Impossibility Results for VBB

Impossible for some functions.[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Impossible for all pseudo-entropic functions w.r.t auxiliary input (assuming IO).[Goldwasser-Kalai 05, Bitansky-Canetti-Cohn-Goldwasser-Kalai-P-Rosen 14]

𝐶1

𝒪(𝐶¿¿1)¿

𝐶2

𝒪(𝐶¿¿2)¿

≡

≈𝑐

Indistinguishability Obfuscation (IO)[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

History

No general solution.

Obfuscation for simple functions:[C97,W05,CD08,CRV10,BC10,BR13]

Candidate obfuscation for all circuits [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]

2000-2013:

2013:

What is the security of the candidate obfuscator?

Many recent applications:

[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13, Sahai-Waters 13, Hohenberger-Sahai-Waters 13, Garg-Gentry-Halevi-Raykova 13, Bitansky-Canetti-P-Rosen 13, Boneh-Zhandry 13, Brzuska-Farshim-Mittelbach 14, Bitansky-P 14, Ramchen-Waters 14]

Better assumption: 1. Semantically-secure graded encodings

[Pass-Seth-Telang 13]

2. Multilinear subgroup elimination assumption[Gentry-Lewko-Sahai-Waters 14]

Assumption: the [GGHRSW13] obfuscator is IO

What about other applications?

Example: point function

Can we get more then IO?

Today: virtual grey-box

𝑆𝐴≈𝒪(𝐶 )

𝐶

Simulation Definition for IO[Bitansky-Canetti 10]

𝐶1 𝒪(𝐶¿¿1)¿𝐶2 𝒪(𝐶¿¿2)¿≡ ≈𝑐⇒

Computationally unbounded

Weak VBB:

Virtual black-box:Simulator is bounded

Indistinguishability:Simulator is unbounded

[Bitansky-Canetti 10]

Virtual grey-box (VGB):Simulator is semi-bounded

polynomial numberof oracle queries

unboundedcomputation

𝑆𝐶

𝑆

𝑆𝐶

𝐶

𝑆𝐶

𝑆

𝑆

Virtual black-box:Simulator is bounded

Indistinguishability:Simulator is unbounded

[Bitansky-Canetti 10]

Virtual grey-box (VGB):Simulator is semi-bounded

Pseudo-random functions

meaningful

Point functionsNot meaningful

𝐶

𝐶

meaningful

Not meaningful

Assume the [GGHRSW13] obfuscation is VGB.

Or better yet, prove it!

Results

Semantically secure graded encoding

IO [Pass-Seth-Telang 13]

VGB for Semantically secure* graded encoding

Semantically secure* graded encoding VGB for

Results

Semantically secure graded encoding

IO [Pass-Seth-Telang 13]

VGB for

Semantically secure* mutlilinear jigsaw puzzles VGB for all circuits

Semantically secure* mutlilinear jigsaw puzzles

Results

Semantically secure graded encoding

IO [Pass-Seth-Telang 13]

VGB for

Semantically secure* mutlilinear jigsaw puzzles VGB

Semantically secure* mutlilinear jigsaw puzzles

Semantically secure mutlilinear jigsaw puzzles

VBB for new families

New Feasibility Results For VBB Existing VBB results:• Point functions [Canetti 97, Wee 05]

• Constant-size set functions [Bitansky-Canetti 10]

• Constant-dimension hyperplanes [Canetti-Rothblum-Varia 10]

New results:• Fuzzy point functions (Hamming balls)• Constant-dimension linear subspaces• Conjunctions (worst-case)

Unified proof for all existing VBB results.

Results

Semantically secure graded encoding

IO [Pass-Seth-Telang 13]

VGB for

Semantically secure* mutlilinear jigsaw puzzles VGB

Semantically secure*graded encoding

Semantically secure mutlilinear jigsaw puzzles

VBB for new families

SIM-secure encryption IND-secure encryption

Zero-knowledge proofsWitness indistinguishable proofs

SIM-secure functional encryption

IND-secure functional encryption

Obf. w. Unbounded simulationIndistinguishability obfuscation

[Feige-Lapidot-Shamir 99]

SimulationIndistinguishability

[Goldwasser-Micali 82]

[De Caro-Iovino-Jain-O'Neill-P-Persiano 13]

[Bitansky-Canetti 10]

VGB obfuscation?

This work

Strong indistinguishability obfuscation

Virtual grey-box obfuscation

Indistinguishability Obfuscation

For every pair of circuits :

∀ 𝑥 :𝐶1 (𝑥 )=𝐶2(𝑥)

𝒪 (𝐶1 )≈𝑐𝒪 (𝐶2 )

Strong Indistinguishability Obfuscation

For every pair of distributions on circuits:

∀ 𝑥 :Pr [~𝐶1 (𝑥 )=~𝐶2 (𝑥 ) ]≥1−negl (|𝑥|)

𝒪 (~𝐶1 )≈𝑐𝒪 (~𝐶2 )

VGB from Semantic Security

Strong IO for

Virtual grey-box obfuscation for

Semantically-secure graded encoding*

The Equivalence.

Strong indistinguishability obfuscation

Virtual grey-box obfuscation

Strong IO VGB

Let be distributions on circuits such that:

∀ 𝑥 :Pr [~𝐶1 (𝑥 )=~𝐶2 (𝑥 ) ]≥1−negl (|𝑥|)

𝐷≈ 𝐷𝑆

~𝐶1

𝑆

~𝐶2

≈ ≈

For every distinguisher

𝒪 (~𝐶1 ) 𝒪 (~𝐶2 )

The Equivalence.

Strong indistinguishability obfuscation

Virtual grey-box obfuscation

Strong IO VGB: The Challenge

𝑆

𝐴𝑦𝒪(𝐶𝑥)

𝐶 𝑥

{1 if 𝑥=𝑦0 if 𝑥≠ 𝑦

❑𝑦 {1 if 𝑥=𝑦0 if 𝑥≠ 𝑦

Point Function: =

𝐶

High-Level Simulation Strategy

𝐶

High-Level Simulation Strategy

𝐶

High-Level Simulation Strategy

𝐶

High-Level Simulation Strategy

𝐶

High-Level Simulation Strategy

𝐶

High-Level Simulation Strategy

Extract a information about C from the adversary

First Step: Concentrated Functions

A family of boolean functions is concentrated around a function if for every input :

Pr𝐶←𝐷

[𝐶 (𝑥 )= 𝑓 (𝑥 ) ]≥1−negl(|𝑥|)

𝐶

Starting Point

The simulator queries on a “splitting” input

𝐶

The simulator queries on a “splitting” input

𝐶

The simulator queries on a “splitting” input

𝐶

The simulator queries on a “splitting” input

𝐶

The Concentrated Family

There is no splitting input to query

Warm Up: Point Functions [Canetti 97]

Let be a strong IO for point functions. For an adversary let be the set of points such that:

Pr [𝐴 (𝒪 (𝐶𝑥 ))=1 ]− Pr [ 𝐴 (𝒪 (𝟎 ) )=1 ]≥𝜖

𝑆𝐶 𝑥

{𝐴(𝒪(𝐶𝑥 )) if 𝑥∈𝐵𝐴

𝐴(𝒪(𝟎)) if 𝑥∉𝐵𝐴

How to simulate an obfuscation of ?

If simulation is trivial.if the simulator can learn with a small number of oracle queries.

Claim: .

Proof: By the definition of we have that:

.

However, if is super polynomial:

Pr [𝐴 (𝒪 (𝐶𝑥 ))=1 ]− Pr [ 𝐴 (𝟎 )=1 ]≥𝜖For an adversary let be a set of functions such that:

Main Step: General Concentrated Functions

Let be a strong IO for .

For an adversary let be the set of functions s.t:

Pr [𝐴 (𝒪 (𝐶 ) )=1 ]−Pr [𝐴 (𝒪 ( 𝑓 ) )=1 ]≥𝜖

The set may be large!

To simulate an obfuscation of :

1. If simulation is trivial.

2. if then simulator can learn a “separating” input s.t. in

a small number of oracle queries.

3. Set . Note: .

4. Repeat.

𝐵𝐴

𝐵𝐴

𝐷

𝐵𝐴

𝐶

𝐶 (𝑧 )≠ 𝑓 (𝑧 )

𝑓𝑓 2

𝑓

𝐷𝐷2

𝐶

𝑓 2𝐵𝐴2

𝐵𝐴2

𝐶 (𝑧 )≠ 𝑓 (𝑧 )

𝐷3

𝑓 3𝐶 (𝑧 2 )≠ 𝑓 2 (𝑧 2 )

𝑓

𝐷𝐷2

𝐶

𝑓 2

𝐶 (𝑧 )≠ 𝑓 (𝑧 )

𝐷3

𝑓 3𝐶 (𝑧 2 )≠ 𝑓 2 (𝑧 2 )

𝐵𝐴3

Claim: There exists a set of separating inputs such that: 1. . 2. For every , there exists such that

Proof:By the definition of we have that: .

Find an input that is separating for a noticeable fraction of the functions in . Such exists since otherwise:

∀ 𝑧 : Pr𝑐←𝐵𝐴

[𝐶 (𝑧 )= 𝑓 (𝑧 ) ]≥1−negl (|𝑧|)

Add to , set , and repeat.

When , how to learn a separating input s.t. in a small number of oracle queries?

Two sources of inefficiency

1. Learning the function:– Finding splitting inputs to concentrate

2. Learning the adversary:– Finding the bad set – Finding the set of separating inputs

Summary

• VGB is more meaningful than IO and probably more achievable than VBB.

• Strong IO VGB.

• More applications of VGB.• The quest for the “right” definition is not over.

Thanks!