On Virtual Grey-Box Obfuscation for General Circuits
Nir Bitansky, Ran Canetti, Yael Tauman-Kalai, Omer Paneth
Program Obfuscation
[Figure: Obfuscation turns a Program (input $x$, output $y$) into an Obfuscated program (input $x$, output $y$).]
Private Key to Public Key
[Figure: Obfuscation turns $\mathrm{Enc}_{sk}(m)$ (input $m$, output cipher) into a Public Key (input $m$, output cipher).]
Virtual Black-Box (VBB) [Hada 00, Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm is an obfuscator for a class if:
For every PPT adversary there exists a PPT simulator such that for every and every predicate :
$\Pr[A(\mathcal{O}(C)) = \pi(C)] = \Pr[S^{C} = \pi(C)] \pm \mathrm{negl}$
Impossibility Results for VBB
Impossible for some functions. [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Impossible for all pseudo-entropic functions w.r.t. auxiliary input (assuming IO). [Goldwasser-Kalai 05, Bitansky-Canetti-Cohn-Goldwasser-Kalai-P-Rosen 14]
Indistinguishability Obfuscation (IO) [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
$C_1 \equiv C_2$
$\mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$
History
2000-2013: No general solution. Obfuscation for simple functions: [C97, W05, CD08, CRV10, BC10, BR13]
2013: Candidate obfuscation for all circuits [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
What is the security of the candidate obfuscator?
Many recent applications:
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13, Sahai-Waters 13, Hohenberger-Sahai-Waters 13, Garg-Gentry-Halevi-Raykova 13, Bitansky-Canetti-P-Rosen 13, Boneh-Zhandry 13, Brzuska-Farshim-Mittelbach 14, Bitansky-P 14, Ramchen-Waters 14]
Better assumption:
1. Semantically-secure graded encodings [Pass-Seth-Telang 13]
2. Multilinear subgroup elimination assumption [Gentry-Lewko-Sahai-Waters 14]
Assumption: the [GGHRSW13] obfuscator is IO
What about other applications?
Example: point function
Can we get more than IO?
Today: virtual grey-box
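Simulation Definition for IO [Bitansky-Canetti 10]
[Figure: simulator $S$ with oracle access to $C$ $\approx$ adversary $A$ given $\mathcal{O}(C)$; the simulator is computationally unbounded. Shown next to the IO condition $C_1 \equiv C_2 \Rightarrow \mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$.]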
Weak VBB:
Virtual black-box: Simulator is bounded
Indistinguishability: Simulator is unbounded
[Bitansky-Canetti 10]
Virtual grey-box (VGB): Simulator is semi-bounded: polynomial number of oracle queries, unbounded computation
[Figure: for which functions each notion is meaningful; labels: Pseudo-random functions, Point functions, meaningful, Not meaningful.]
Assume the [GGHRSW13] obfuscation is VGB.
Or better yet, prove it!
Results
Semantically secure graded encoding: IO [Pass-Seth-Telang 13]
Semantically secure* graded encoding: VGB for
Semantically secure* multilinear jigsaw puzzles: VGB for all circuits
Semantically secure multilinear jigsaw puzzles: VBB for new families
New Feasibility Results For VBB
Existing VBB results:
• Point functions [Canetti 97, Wee 05]
• Constant-size set functions [Bitansky-Canetti 10]
• Constant-dimension hyperplanes [Canetti-Rothblum-Varia 10]
New results:
• Fuzzy point functions (Hamming balls)
• Constant-dimension linear subspaces
• Conjunctions (worst-case)
Unified proof for all existing VBB results.
Simulation | Indistinguishability
SIM-secure encryption | IND-secure encryption [Goldwasser-Micali 82]
Zero-knowledge proofs | Witness indistinguishable proofs [Feige-Lapidot-Shamir 99]
SIM-secure functional encryption | IND-secure functional encryption [De Caro-Iovino-Jain-O'Neill-P-Persiano 13]
Obf. w. unbounded simulation | Indistinguishability obfuscation [Bitansky-Canetti 10]
VGB obfuscation?
Virtual grey-box obfuscation | Strong indistinguishability obfuscation [This work]
Indistinguishability Obfuscation
For every pair of circuits :
$\forall x: C_1(x) = C_2(x)$
$\mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$
Strong Indistinguishability Obfuscation
For every pair of distributions on circuits:
$\forall x: \Pr[\tilde{C}_1(x) = \tilde{C}_2(x)] \geq 1 - \mathrm{negl}(|x|)$
$\mathcal{O}(\tilde{C}_1) \approx_c \mathcal{O}(\tilde{C}_2)$
VGB from Semantic Security
Strong IO for
Virtual grey-box obfuscation for
Semantically-secure graded encoding*
The Equivalence.
Strong indistinguishability obfuscation
Virtual grey-box obfuscation
Strong IO VGB
Let be distributions on circuits such that:
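$\forall x: \Pr[\tilde{C}_1(x) = \tilde{C}_2(x)] \geq 1 - \mathrm{negl}(|x|)$
For every distinguisher
[Figure: $D$, $\mathcal{O}(\tilde{C}_1)$, $\mathcal{O}(\tilde{C}_2)$ and the simulator $S$ with oracle access to $\tilde{C}_1$ and to $\tilde{C}_2$, linked by $\approx$.]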
Strong IO VGB: The Challenge
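[Figure: simulator $S$ with oracle access to $C_x$ (query $y$), adversary $A$ with $\mathcal{O}(C_x)$.]
Point Function: $C_x(y) = \begin{cases} 1 & \text{if } x = y \\ 0 & \text{if } x \neq y \end{cases}$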
High-Level Simulation Strategy
Extract information about C from the adversary
First Step: Concentrated Functions
A family of boolean functions is concentrated around a function if for every input :
$\Pr_{C \leftarrow D}[C(x) = f(x)] \geq 1 - \mathrm{negl}(|x|)$
Starting Point
The simulator queries on a “splitting” input
The Concentrated Family
There is no splitting input to query
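The concentration step above, as an added Python sketch (not from the slides): the simulator scans the family with unbounded computation, spends an oracle query only on a splitting input, and stops once the conditioned family is concentrated around a function f. The names concentrate, EPS, run_thresholds, run_points and the two toy families are assumptions made for the illustration.

```python
from fractions import Fraction

def concentrate(family, weights, oracle, domain, eps):
    """Condition D on oracle answers at splitting inputs until none remain.

    family/weights describe the support of D; oracle is black-box access to
    the hidden C. The scans over the family model unbounded computation;
    only the calls to oracle() count as queries.
    """
    alive = list(range(len(family)))      # functions consistent so far
    queries = []

    def prob_one(x):                      # Pr[C'(x) = 1] under the conditioned D
        total = sum(weights[i] for i in alive)
        return sum(weights[i] for i in alive if family[i](x)) / total

    while True:
        split = next((x for x in domain if eps <= prob_one(x) <= 1 - eps), None)
        if split is None:                 # no splitting input: concentrated
            break
        y = oracle(split)                 # one oracle query
        queries.append((split, y))
        alive = [i for i in alive if family[i](split) == y]
    # f takes the majority value at each input under the conditioned D
    f = [int(prob_one(x) > Fraction(1, 2)) for x in domain]
    return f, queries, alive

N = 64
DOMAIN = range(N)
EPS = Fraction(1, 4)

def run_thresholds(t=37):
    # Constructed family: C_k(x) = 1 iff x >= k, uniform over k in 0..N
    fam = [lambda x, k=k: int(x >= k) for k in range(N + 1)]
    w = [Fraction(1, N + 1)] * (N + 1)
    return concentrate(fam, w, fam[t], DOMAIN, EPS)

def run_points(a=37):
    # Constructed family: point functions C_k(x) = 1 iff x == k, uniform over k
    fam = [lambda x, k=k: int(x == k) for k in range(N)]
    w = [Fraction(1, N)] * N
    return concentrate(fam, w, fam[a], DOMAIN, EPS)

if __name__ == "__main__":
    f, q, alive = run_thresholds()
    print("thresholds:", len(q), "queries, survivors:", alive)
    f, q, alive = run_points()
    print("points:", len(q), "queries, f all-zero:", not any(f))
```

Each query discards at least an EPS fraction of the remaining probability mass, which bounds the number of queries. The point-function family is already concentrated around the all-zero function, so it is never queried.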
Warm Up: Point Functions [Canetti 97]
Let be a strong IO for point functions. For an adversary let be the set of points such that:
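$\Pr[A(\mathcal{O}(C_x)) = 1] - \Pr[A(\mathcal{O}(\mathbf{0})) = 1] \geq \epsilon$
$S^{C_x} = \begin{cases} A(\mathcal{O}(C_x)) & \text{if } x \in B_A \\ A(\mathcal{O}(\mathbf{0})) & \text{if } x \notin B_A \end{cases}$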
How to simulate an obfuscation of ?
If simulation is trivial.
If the simulator can learn with a small number of oracle queries.
Claim: .
Proof: By the definition of we have that:
.
However, if is super polynomial:
$\Pr[A(\mathcal{O}(C_x)) = 1] - \Pr[A(\mathbf{0}) = 1] \geq \epsilon$
For an adversary let be a set of functions such that:
Main Step: General Concentrated Functions
Let be a strong IO for .
For an adversary let be the set of functions s.t:
$\Pr[A(\mathcal{O}(C)) = 1] - \Pr[A(\mathcal{O}(f)) = 1] \geq \epsilon$
The set may be large!
To simulate an obfuscation of :
1. If simulation is trivial.
2. If then simulator can learn a “separating” input s.t. in a small number of oracle queries.
3. Set . Note: .
4. Repeat.
[Figure: the iteration on the sets $D$, $D_2$, $D_3$ with functions $f$, $f_2$, $f_3$ and bad sets $B_A$, $B_{A2}$, $B_{A3}$; the hidden $C$ is marked with $C(z) \neq f(z)$ and $C(z_2) \neq f_2(z_2)$.]
Claim: There exists a set of separating inputs such that: 1. . 2. For every , there exists such that
Proof: By the definition of we have that: .
Find an input that is separating for a noticeable fraction of the functions in . Such exists since otherwise:
$\forall z: \Pr_{C \leftarrow B_A}[C(z) = f(z)] \geq 1 - \mathrm{negl}(|z|)$
Add to , set , and repeat.
When , how to learn a separating input s.t. in a small number of oracle queries?
Two sources of inefficiency
1. Learning the function:
– Finding splitting inputs to concentrate
2. Learning the adversary:
– Finding the bad set
– Finding the set of separating inputs
Summary
• VGB is more meaningful than IO and probably more achievable than VBB.
• Strong IO ⇔ VGB.
• More applications of VGB.
• The quest for the “right” definition is not over.
Thanks!