On Virtual Grey-Box Obfuscation for General Circuits
Nir Bitansky, Ran Canetti, Yael Tauman-Kalai, Omer Paneth
Program Obfuscation
[Diagram: Program ($x$, $y$); Obfuscation; Obfuscated program ($x$, $y$)]
Private Key to Public Key
[Diagram: $\mathrm{Enc}_{sk}(m)$ ($m$, cipher); Obfuscation; Public Key ($m$, cipher)]
Virtual Black-Box (VBB) [Hada 00, Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm is an obfuscator for a class if:
For every PPT adversary there exists a PPT simulator such that for every and every predicate :
[Diagram: $A$ given $\mathcal{O}(C)$; $S$ with oracle $C$; $P(C)$]
$\Pr[A(\mathcal{O}(C)) = P(C)] = \Pr[S^{C} = P(C)] \pm \mathrm{negl}$
Impossibility Results for VBB
Impossible for some functions. [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Impossible for all pseudo-entropic functions w.r.t. auxiliary input (assuming IO). [Goldwasser-Kalai 05, Bitansky-Canetti-Cohn-Goldwasser-Kalai-P-Rosen 14]
Indistinguishability Obfuscation (IO) [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
[Diagram: $C_1 \equiv C_2$; $\mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$]
History
2000-2013: No general solution. Obfuscation for simple functions: [C97, W05, CD08, CRV10, BC10, BR13]
2013: Candidate obfuscation for all circuits [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
What is the security of the candidate obfuscator?
Many recent applications:
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13, Sahai-Waters 13, Hohenberger-Sahai-Waters 13, Garg-Gentry-Halevi-Raykova 13, Bitansky-Canetti-P-Rosen 13, Boneh-Zhandry 13, Brzuska-Farshim-Mittelbach 14, Bitansky-P 14, Ramchen-Waters 14]
Better assumption:
1. Semantically-secure graded encodings [Pass-Seth-Telang 13]
2. Multilinear subgroup elimination assumption [Gentry-Lewko-Sahai-Waters 14]
Assumption: the [GGHRSW13] obfuscator is IO
What about other applications?
Example: point function
Can we get more than IO?
Today: virtual grey-box
Simulation Definition for IO [Bitansky-Canetti 10]
[Diagram: $C_1 \equiv C_2$, $\mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$; simulator $S$ with oracle $C$, computationally unbounded; $A$, $\mathcal{O}(C)$]
Weak VBB:
Virtual black-box: Simulator is bounded
Indistinguishability: Simulator is unbounded
[Bitansky-Canetti 10]
Virtual grey-box (VGB): Simulator is semi-bounded
polynomial number of oracle queries
unbounded computation
[Diagram labels: Pseudo-random functions, Point functions; meaningful, Not meaningful]
Assume the [GGHRSW13] obfuscation is VGB.
Or better yet, prove it!
Results
Semantically secure graded encoding
IO [Pass-Seth-Telang 13]
Semantically secure* graded encoding
VGB for
Semantically secure* multilinear jigsaw puzzles
VGB for all circuits
Semantically secure multilinear jigsaw puzzles
VBB for new families
New Feasibility Results For VBB
Existing VBB results:
• Point functions [Canetti 97, Wee 05]
• Constant-size set functions [Bitansky-Canetti 10]
• Constant-dimension hyperplanes [Canetti-Rothblum-Varia 10]
New results:
• Fuzzy point functions (Hamming balls)
• Constant-dimension linear subspaces
• Conjunctions (worst-case)
Unified proof for all existing VBB results.
Simulation | Indistinguishability | Reference
SIM-secure encryption | IND-secure encryption | [Goldwasser-Micali 82]
Zero-knowledge proofs | Witness indistinguishable proofs | [Feige-Lapidot-Shamir 99]
SIM-secure functional encryption | IND-secure functional encryption | [De Caro-Iovino-Jain-O'Neill-P-Persiano 13]
Obf. w. Unbounded simulation | Indistinguishability obfuscation | [Bitansky-Canetti 10]
VGB obfuscation?
Virtual grey-box obfuscation | Strong indistinguishability obfuscation | This work
Indistinguishability Obfuscation
For every pair of circuits :
$\forall x: C_1(x) = C_2(x)$
$\mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$
Strong Indistinguishability Obfuscation
For every pair of distributions on circuits:
$\forall x: \Pr[\tilde{C}_1(x) = \tilde{C}_2(x)] \geq 1 - \mathrm{negl}(|x|)$
$\mathcal{O}(\tilde{C}_1) \approx_c \mathcal{O}(\tilde{C}_2)$
VGB from Semantic Security
Strong IO for
Virtual grey-box obfuscation for
Semantically-secure graded encoding*
The Equivalence.
Strong indistinguishability obfuscation
Virtual grey-box obfuscation
Strong IO VGB
Let be distributions on circuits such that:
$\forall x: \Pr[\tilde{C}_1(x) = \tilde{C}_2(x)] \geq 1 - \mathrm{negl}(|x|)$
For every distinguisher
[Diagram: $\tilde{C}_1$, $\tilde{C}_2$; $\mathcal{O}(\tilde{C}_1)$, $\mathcal{O}(\tilde{C}_2)$; $D$]
Strong IO VGB: The Challenge
Point Function: $C_x(y) = \begin{cases} 1 & \text{if } x = y \\ 0 & \text{if } x \neq y \end{cases}$
[Diagram: $A$, $y$, $\mathcal{O}(C_x)$; $C_x$]
High-Level Simulation Strategy
Extract information about C from the adversary
First Step: Concentrated Functions
A family of boolean functions is concentrated around a function if for every input :
$\Pr_{C \leftarrow D}[C(x) = f(x)] \geq 1 - \mathrm{negl}(|x|)$
Starting Point
The simulator queries on a "splitting" input
The Concentrated Family
There is no splitting input to query
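The query strategy described on these slides (query on a splitting input until none is left), as an added Python example that is not from the talk or the paper. It assumes a toy setting: functions are explicit truth tables over 64 inputs, a fixed threshold `EPS` stands in for the negligible bound, and all function names and both sample families are hypothetical.

```python
import math

N = 64      # toy domain size (constructed)
EPS = 0.1   # assumed fixed threshold standing in for the negligible bound

def find_splitting_input(family, eps=EPS):
    """Return an input on which at least an eps fraction of the family
    disagrees with the majority value, or None if no such input exists."""
    if not family:
        return None
    for x in range(N):
        ones = sum(f[x] for f in family)
        if min(ones, len(family) - ones) >= eps * len(family):
            return x
    return None

def concentrate(family, oracle, eps=EPS):
    """Simulator loop: query the oracle on splitting inputs and keep only the
    functions consistent with the answers. Scanning the whole family is the
    unbounded computation; only oracle calls count as queries."""
    queries = []
    x = find_splitting_input(family, eps)
    while x is not None:
        answer = oracle(x)
        queries.append(x)
        family = [f for f in family if f[x] == answer]
        x = find_splitting_input(family, eps)
    return family, queries

def majority_function(family):
    """The function the remaining family is concentrated around."""
    return tuple(int(2 * sum(f[x] for f in family) >= len(family)) for x in range(N))

def query_bound(size, eps=EPS):
    """Each query discards at least an eps fraction: at most ln(size)/eps queries."""
    return math.ceil(math.log(size) / eps)

# Constructed sample families: point functions and threshold functions.
POINTS = [tuple(int(x == p) for x in range(N)) for p in range(N)]
THRESHOLDS = [tuple(int(x >= t) for x in range(N)) for t in range(N + 1)]

def run(family, secret):
    """Run the simulator against an oracle for the function `secret`."""
    return concentrate(family, lambda x: secret[x])

if __name__ == "__main__":
    for name, fam in (("points", POINTS), ("thresholds", THRESHOLDS)):
        rest, qs = run(fam, fam[37])
        print(name, "queries:", qs, "remaining:", len(rest))
```

The point-function family needs no queries because it is already concentrated around the all-zero function, while the threshold family is narrowed to the secret function within the logarithmic query bound.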
Warm Up: Point Functions [Canetti 97]
Let be a strong IO for point functions. For an adversary let be the set of points such that:
$\Pr[A(\mathcal{O}(C_x)) = 1] - \Pr[A(\mathcal{O}(f)) = 1] \geq \varepsilon$
$S^{C_x} = \begin{cases} A(\mathcal{O}(C_x)) & \text{if } x \in B_A \\ A(\mathcal{O}(f)) & \text{if } x \notin B_A \end{cases}$
How to simulate an obfuscation of ?
If simulation is trivial.
If the simulator can learn with a small number of oracle queries.
Claim: .
Proof: By the definition of we have that:
.
However, if is super polynomial:
$\Pr[A(\mathcal{O}(C_x)) = 1] - \Pr[A(\mathcal{O}(f)) = 1] \geq \varepsilon$
For an adversary let be a set of functions such that:
Main Step: General Concentrated Functions
Let be a strong IO for .
For an adversary let be the set of functions s.t:
$\Pr[A(\mathcal{O}(C)) = 1] - \Pr[A(\mathcal{O}(f)) = 1] \geq \varepsilon$
The set may be large!
To simulate an obfuscation of :
1. If simulation is trivial.
2. If then simulator can learn a "separating" input s.t. in a small number of oracle queries.
3. Set . Note: .
4. Repeat.
[Diagram labels: $C$; $D$, $D_2$, $D_3$; $B_A$ with indices 2 and 3; $C(z) \neq f(z)$; $C(z_2) \neq f_2(z_2)$]
Claim: There exists a set of separating inputs such that: 1. . 2. For every , there exists such that
Proof: By the definition of we have that: .
Find an input that is separating for a noticeable fraction of the functions in . Such exists since otherwise:
$\forall z: \Pr_{C \leftarrow B_A}[C(z) = f(z)] \geq 1 - \mathrm{negl}(|z|)$
Add to , set , and repeat.
When , how to learn a separating input s.t. in a small number of oracle queries?
Two sources of inefficiency
1. Learning the function:
   - Finding splitting inputs to concentrate
2. Learning the adversary:
   - Finding the bad set
   - Finding the set of separating inputs
Summary
• VGB is more meaningful than IO and probably more achievable than VBB.
• Strong IO VGB.
• More applications of VGB.
• The quest for the "right" definition is not over.
Thanks!