ON OBFUSCATION WITH RANDOM ORACLES
advertisement
ON OBFUSCATION WITH RANDOM ORACLES RAN CANETTI, YAEL KALAI, OMER PANETH [Lynn-Prabhakaran-Sahai 04]: Can simulation based obfuscation be constructed with a Random Oracle? Today: Impossible in general! A Candidate Obfuscator [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13] Multilinear Maps π₯ Barrington's theorem π¦ ← ππ πΉπ (π₯) π¦ Kilian’s randomization What is the security of the candidate obfuscator? Other candidate obfuscators: [Brakerski-Rothblum 13, Barak-Garg-Kalai-P-Sahai 13, PassSeth-Telang 13, Ananth-Gupta-Ishai-Sahai 14, Gentry-LewkoSahai-Waters 14, Zimmerman 14, Applebaum-Brakerski 15, Badrinarayanan-Miles-Sahai-Zhandry 15] Virtual-Black-Box Obfuscation (VBB) [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Obfuscator πͺ satisfies: 1. Correctness: πͺ Π ≡ Π 2. Security: Π πͺ Π π΄ππ£ ≈ πππ What is the security of the candidate obfuscators? Indistinguishability obfuscation [BGIRSVY 01] Virtual-black-box obfuscation Impossible PC differing-inputs obfuscation [BGIRSVY 01] [BGIRSVY 01] [Ishai-Pandey-Sahai 14] Plausible Virtual-grey-box obfuscation [Bitansky-Canetti 10] Ideal model security Provable [BR 14, BGKPS 14] The Ideal Multilinear-Map Model • Add \ Subtract • Multiply (multilinear only) πΌ π½ 2 3 πΌ + π½? πͺ Π πͺ Π πΌ, π½, πΎ, πΏ πΏ πΎ πΏ 7 5 Security [Brakerski-Rothblum 14, Barak-Garg-Kalai-P-Sahai 14] Ideal MMap Oracle πͺ Π π΄ππ£ ≈ Π πππ The [BGIRSVI01] does not extend! Unobfuscatable Functions [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] π₯ a program equivalent to Ππ ππ πΉπ (π₯) Ππ Oracle πͺ Πk π΄ππ£ π π Πk πππ [Miles-Sahai-Weiss 14, Pass-Seth-Telang 13, Bitansky-Canetti-Kalai-P 14] Indistinguishability obfuscation Reduction Virtual-black-box obfuscation Heuristic PC differing-inputs Obfuscation Obfuscation in the ideal mmap model Virtual-grey-box obfuscation + Mmap construction Can we get obfuscation in other ideal models? Ideal Multilinear Map Generic group model? Random oracle model? Plain Model Constructions in Other Ideal Models • Obfuscation with secure hardware [Goyal-Ishai-Sahai-Venkatesan-Wadia 10, Bitansky-Canetti-Goldwasser-Halevi-Kalai-Rothblum 11, …] • Ideal pseudo-free groups [Canetti-Vaikuntanathan 13] • Multilinear maps with relaxed security [Miles-Sahai-Weiss 14] A Different Motivation What is the best security we can hope for? VBB Obfuscation Plausible Impossible A Different Motivation Indistinguishability obfuscation PC differing-inputs obfuscation Virtual-grey-box obfuscation Virtual-black-box obfuscation Impossible Ideal model security A Different Motivation What structures are needed? Ideal Multilinear Map Generic group model? Random oracle model? Plain Model Motivation – Summary 1. Alternative heuristic obfuscators in the plain model 2. Understand the structures needed for general purpose obfuscation The Result First negative result with respect to a non-trivial oracle! Ideal Multilinear Map Generic group model? Random oracle model Plain Model Main Lemma Any function that can be obfuscated with a random oracle, can also be VBB obfuscated in the plain model with approximate correctness. Approximate correctness: Pr[Π π₯ = πͺ(Π)(π₯)] ≥ 0.9 π₯ Proof Outline Main Lemma + Theorem [Bitansky-P 13]: Assuming trapdoor permutations, there exist “robust” unobfuscatable functions that cannot be obfuscated (in the plain model) even with approximate correctness. Proof Outline Main Lemma + [Bitansky-P 13] Robust unobfuscatable functions cannot be obfuscated with random oracles Main Lemma Random oracle Π πͺ πͺ Π Π πͺ′ πͺ′ Π Approximately correct Naïve Attempt Perfect correctness π |π (π) = No security π (π) if π ∈ π π else π₯ πͺ′ π Π πͺ π πͺ Π πͺ′ Π π |π πͺ Π Π πͺ′ π π π → π₯1 πͺ πͺ Π πͺ′ Π π₯ πͺ Π π1 π π → π₯π … π |π1∪β―∪ππ πͺ Π ππ π Approximate Correctness π₯ πͺ′ πͺ π π π → π₯1 π1 πͺ Π π … π → π₯π ππ πͺ Π π πͺ′ Π ππ₯ π |π1 ∪β―∪ππ πͺ Π Pr[Π π₯ ≠ πͺ(Π)(π₯)] ≤ 0.1 π₯ ⇑ Pr π ∩ ππ₯ β π1 ∪ β― ∪ ππ ≠ ∅ ≤ 0.1 Approximate Correctness π₯ πͺ′ πͺ π π π → π₯1 π1 πͺ Π π … π → π₯π ππ π πͺ Π ππ₯ π |π1 ∪β―∪ππ πͺ Π Pr ππ₯ ∈ π β π1 , … , ππ Pr ∃π ∈ π s. t. π = ππ₯ πͺ′ Π ≤ 0.1 π ∧ ∀π(π ≠ ππ ) ≤ π Comparison with [Impagliazzo-Rrudich 95] Information theoretic key agreement with random oracle [IR 95] Information theoretic key agreement In the plain model Obfuscation with random oracle Today Approximately correct obfuscation in the plain model Robust Unobfuscatable Functions [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Πk πͺ Πk π΄ππ£ π πππ [Bitansky-P 13]: even if πͺ Πk is approximately correct 0π Π πΈππ π πΈππ b Π π π Ππ,π,π π (π₯) = Encπ π (π) π ⊥ Π π π₯=π π₯ = 0π Decπ π (π₯) = π o.w. 0π πΈππ π Π πΈππ b Π π π Π Π π πππ 0π πͺ Π πΈππ π πͺ Π πΈππ b πͺ Π π πͺ Π πͺ Π π΄ππ£ π π 0π πͺ Π πΈππ π πͺ Π πΈππ b πͺ Π π πͺ Π π approximately correct πͺ Π π΄ππ£ π A Taste of the Construction π ππ,π (π₯) = ⊥ π₯=π π. π€. Q: Find π such that: π with 10% errors πa,b Getting Robustness π ππ,π (π₯) = ⊥ π₯=π π. π€. ππ,π,π π₯ = π ⊕ PRFπ π₯ βπ,π,π π₯ = PRFπ π ⊕ π₯ π←π π π π⊕π π, β with 10% errors π π β πa,b π ⊕ PRF(π) PRF(π) ⊕ π (π€. π. 0.8) ππ,π,π π₯ = π ⊕ PRFπ π₯ βπ,π,π π₯ = PRFπ π ⊕ π₯ π, β π΄ π΄ queries π on π₯ and π π΄ queries β on π ⊕ π₯ π π π, β πa,b ππ,π,π π₯ = π ⊕ PRFπ π₯ βπ,π,π π₯ = PRFπ π ⊕ π₯ Robust Unobfuscatable Functions π ππ,π,π π (π₯) = πΈπππ π (π) π ⊥ π₯=π π₯ = 0π π·πππ π (π₯) = π π. π€. Thank You! Ideal Multilinear Map Generic group model? Random oracle model Plain Model
