Boaz Barak
Sanjam Garg
Yael Tauman Kalai
Omer Paneth
Amit Sahai
Program Obfuscation
π
πΈπππ π (π)
cipher
Obfuscation
π
Public Key
cipher
Virtual Black-Box (VBB)
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm πͺ is an obfuscator for a class π if:
For every PPT adversary π΄ there exists a PPT simulator π
such that for every πΆ ∈ π:
πΆ
πͺ(πΆ)
π΄
π(πΆ)
≈
π
VBB Impossibility
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
There exists contrived “unobfuscatable” programs.
Code of a program
equivalent to πΆ
πΆ
Secret
πΆ
πͺ(πΆ)
Execute
πͺ π
on itself
Secret
π
First Candidate Obfuscation
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
What is the security of the candidate?
Assumption:
The [GGHRSW13] obfuscator is an
Indistingushability Obfuscator.
Indistinguishability Obfuscation (ππͺ):
Noevery
known
except
[BGIRSVY01].
For
pairattacks
of equivalent
circuits
πΆ1 ≡ πΆ2 :
ππͺ πΆ1 ≈π ππͺ(πΆ2 )
This Work
A variant of the [GGHRSW13]
obfuscator is VBB for all circuits
in a generic model
(underlying algebra is idealized)
Multilinear Maps
[Boneh-Silverberg 03, Garg-Gentry-Halevi 13]
Encoding πΌ
π
of πΌ ∈ π
under a set π ⊆ π .
1.
πΌ
1,2,5
± π½
1,2,5
2.
πΌ
1,2,5
± π½
3,4
3. ππ πΌ
1,…,π
= πΌ±π½
= πΌ⋅π½
1,2,5
1,2,3,4,5
= 1 iff πΌ = 0
Idealy: any other operation is hard.
The Generic MM Model
π₯
π₯
πΈ1 , πΈ2 , E3 , E4 , E5
πΆ
πͺ(πΆ)
πΈ6 , πΈ7 , E8 , E9 , E10
πΆ(π₯)
πΆ(π₯)
Add
Multiply
ZT
Our Result
Virtual Black-Box obfuscation in
the generic MM model:
1
1. For NC .
2. For P/Poly assuming LWE.
Avoiding VBB Impossibility
In the Generic MM Model
Code of a program
equivalent to πΆ
πΆ
Secret
Add
Mul
ZT
πͺ(πΆ)
Execute
πͺ π
on itself
Secret
Interpretation
Secure obfuscation against “algebraic attacks”.
Warning:
Non-algebraic attacks do exist [BGIRSVY01].
Interpretation II
+
This Work:
VBB with Generic
Multilinear Maps
Multi-Message
Semantically-Secure
Multilinear Maps
[Pass-Seth-Telang 13]
ππͺ for P/Poly
(assuming LWE)
Virtual gray-box
obfuscation for NC1
[Pass-Seth-Telang 13]
[Bitansky-Canetti-Kalai-P 14].
Previous Works
[GGHRSW13]
[Canetti-Vaikuntanathan13]
ππͺ in the Generic
Colored Matrix Model
VBB from Black-Box
Pseudo-Free Groups
[Brakerski-Rothblum13]
ππͺ in the Generic
MM Model
This Work
[Brakerski-Rothblum13]
Assuming BSH
VBB in the Generic
MM Model
The Construction
1. Construction for NC1 via branching programs
2. Bootstrap to P/Poly assuming LWE
(leveled-FHE with decryption in NC1 )
Branching Programs
Program:
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
Input:
π₯1
π₯2
π₯3
π₯4
BP Evaluation
Program:
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
or
⊥
Input:
0
1
1
0
Output: β€
Obfuscating BP
1. Randomizing
2. Encoding
[Kilian 88]
Step 1: Randomizing
Program:
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
or
⊥
Input:
π₯1
π₯2
π₯3
π₯4
Output: β€
Step 1: Randomizing
Program:
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
or
⊥
Input:
0
1
1
0
Output: β€
Step 2: Encoding
Program:
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
{1}
{2}
{3}
{4}
{5}
{6}
{7}
{8}
{9}
{10} {11} {12}
Obfuscation includes the encodings:
πππ
π
∀ level π, bit π , β€
12
β€
{1, … , 12}
Proof of Security
π40
π10
π21
π50
π31
π80
π61
π71
1
π10
1
π11
…
+
0
π12
π90
π60
π20
π11
π31
+ πΌ⋅
?
β€
π41
=0
π51
0
π10
π71
π81
π91
1
π11
1
π12
Simulation Outline
Test every monomial separately:
π40
π10
π21
π50
π61
π31
By querying πΆ
π80
0
1
π71
1
0
π12
π90
1
π10
0
1
π11
Problems
1. Inconsistent monomials:
π40
π10
π21
π31
π80
π51
π61
0
π12
π90
π71
2. Too many monomials:
0
1
π10 + π11 ⋅ π20 + π21 ⋅ … ⋅ π12
+ π12
1
π10
1
π11
Changing the Sets
{1}
{2}
{3}
{4}
{5}
{6}
{7}
{8}
{9}
{10} {11} {12}
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
{1}
{2}
{3}
{4}
{5}
{6}
{7}
{8}
{9}
{10} {11} {12}
β€
{1, … , 12}
Changing the Sets
1
1′
2
2′
3
3′
4
4′
5
5′
6
6′
7
7′
8
8′
9
9′
π10
π20
π30
π40
π50
π60
π70
π80
π90
0
π10
0
π11
0
π12
π11
π21
π31
π41
π51
π61
π71
π81
π91
1
π10
1
π11
1
π12
1
1′
2
2′
3
3′
4
4′
5
5′
6
6′
7
7′
8
8′
9
9′
10
10′
10
10′
11
11′
11
11′
12
12′
12
12′
β€
1, … , 12
1′, … , 12′
Changing the Sets
1
1′
5
5′
9
9′
π10
π50
π90
π11
π51
π91
1
1′
5
5′
9
9′
Straddling Set System
1,5,9
1′, 5′, 9′
1
1′
5
5′
9
9′
π10
π50
π90
π11
π51
π91
1
5′
5
9′
9
1′
=
9
1
5
∪ ′ ∪ ′
9
1′
5
0-matrices
=
1
9
5
∪
∪
5′
1′
9′
1-matrices
Straddling Set System
1
1′
5
5′
9
9′
π10
π50
π90
π11
π51
π91
1
5′
5
9′
9
1′
Straddling Set System
1
1′
2
2′
3
3′
4
4′
5
5′
6
6′
7
7′
8
8′
9
9′
10
10′
11
11′
12
12′
1
5′
2
6′
3
7′
4
8′
5
9′
6
10′
7
11′
8
12′
9
1′
10
2′
11
3′
12
4′
Too Many Monomials
0
1
π10 π50 π90 + π11 π51 π91 ⋅ … ⋅ π40 π80 π12
+ π41 π81 π12
+
⋅ …⋅
+
Pairing Level Together
From Two Levels to One
10
10′
8
8′
0
π90 π10
π90
0
π10
1
π90 π10
π91
1
π10
0
π91 π10
10
2′
8
12′
1
π91 π10
10,8
10′ , 8′
10,8
10′ , 12′
10,8
2′ , 8′
10,8
2′ , 12′
From Two Levels to One
Dual-Input BP
Input:
π₯1
π₯2
π₯3
π₯4
Too Many Monomials
+
Thank You!
ο
0
