Boaz Barak
Sanjam Garg
Yael Tauman Kalai
Omer Paneth
Amit Sahai
Program Obfuscation
𝑚
𝐸𝑛𝑐𝑠𝑘 (𝑚)
cipher
Obfuscation
𝑚
Public Key
cipher
Virtual Black-Box (VBB)
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm 𝒪 is an obfuscator for a class 𝒞 if:
For every PPT adversary 𝐴 there exists a PPT simulator 𝑆
such that for every 𝐶 ∈ 𝒞:
𝐶
𝒪(𝐶)
𝐴
𝑃(𝐶)
≈
𝑆
VBB Impossibility
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
There exists contrived “unobfuscatable” programs.
Code of a program
equivalent to 𝐶
𝐶
Secret
𝐶
𝒪(𝐶)
Execute
𝒪 𝑐
on itself
Secret
𝑆
First Candidate Obfuscation
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
What is the security of the candidate?
Assumption:
The [GGHRSW13] obfuscator is an
Indistingushability Obfuscator.
Indistinguishability Obfuscation (𝑖𝒪):
Noevery
known
except
[BGIRSVY01].
For
pairattacks
of equivalent
circuits
𝐶1 ≡ 𝐶2 :
𝑖𝒪 𝐶1 ≈𝑐 𝑖𝒪(𝐶2 )
This Work
A variant of the [GGHRSW13]
obfuscator is VBB for all circuits
in a generic model
(underlying algebra is idealized)
Multilinear Maps
[Boneh-Silverberg 03, Garg-Gentry-Halevi 13]
Encoding 𝛼
𝑆
of 𝛼 ∈ 𝑅 under a set 𝑆 ⊆ 𝑘 .
1.
𝛼
1,2,5
± 𝛽
1,2,5
2.
𝛼
1,2,5
± 𝛽
3,4
3. 𝑍𝑇 𝛼
1,…,𝑘
= 𝛼±𝛽
= 𝛼⋅𝛽
1,2,5
1,2,3,4,5
= 1 iff 𝛼 = 0
Idealy: any other operation is hard.
The Generic MM Model
𝑥
𝑥
𝐸1 , 𝐸2 , E3 , E4 , E5
𝐶
𝒪(𝐶)
𝐸6 , 𝐸7 , E8 , E9 , E10
𝐶(𝑥)
𝐶(𝑥)
Add
Multiply
ZT
Our Result
Virtual Black-Box obfuscation in
the generic MM model:
1
1. For NC .
2. For P/Poly assuming LWE.
Avoiding VBB Impossibility
In the Generic MM Model
Code of a program
equivalent to 𝐶
𝐶
Secret
Add
Mul
ZT
𝒪(𝐶)
Execute
𝒪 𝑐
on itself
Secret
Interpretation
Secure obfuscation against “algebraic attacks”.
Warning:
Non-algebraic attacks do exist [BGIRSVY01].
Interpretation II
+
This Work:
VBB with Generic
Multilinear Maps
Multi-Message
Semantically-Secure
Multilinear Maps
[Pass-Seth-Telang 13]
𝑖𝒪 for P/Poly
(assuming LWE)
Virtual gray-box
obfuscation for NC1
[Pass-Seth-Telang 13]
[Bitansky-Canetti-Kalai-P 14].
Previous Works
[GGHRSW13]
[Canetti-Vaikuntanathan13]
𝑖𝒪 in the Generic
Colored Matrix Model
VBB from Black-Box
Pseudo-Free Groups
[Brakerski-Rothblum13]
𝑖𝒪 in the Generic
MM Model
This Work
[Brakerski-Rothblum13]
Assuming BSH
VBB in the Generic
MM Model
The Construction
1. Construction for NC1 via branching programs
2. Bootstrap to P/Poly assuming LWE
(leveled-FHE with decryption in NC1 )
Branching Programs
Program:
𝑀10
𝑀20
𝑀30
𝑀40
𝑀50
𝑀60
𝑀70
𝑀80
𝑀90
0
𝑀10
0
𝑀11
0
𝑀12
𝑀11
𝑀21
𝑀31
𝑀41
𝑀51
𝑀61
𝑀71
𝑀81
𝑀91
1
𝑀10
1
𝑀11
1
𝑀12
Input:
𝑥1
𝑥2
𝑥3
𝑥4
BP Evaluation
Program:
𝑀10
𝑀20
𝑀30
𝑀40
𝑀50
𝑀60
𝑀70
𝑀80
𝑀90
0
𝑀10
0
𝑀11
0
𝑀12
𝑀11
𝑀21
𝑀31
𝑀41
𝑀51
𝑀61
𝑀71
𝑀81
𝑀91
1
𝑀10
1
𝑀11
1
𝑀12
or
⊥
Input:
0
1
1
0
Output: ⊤
Obfuscating BP
1. Randomizing
2. Encoding
[Kilian 88]
Step 1: Randomizing
Program:
𝑀10
𝑀20
𝑀30
𝑀40
𝑀50
𝑀60
𝑀70
𝑀80
𝑀90
0
𝑀10
0
𝑀11
0
𝑀12
𝑀11
𝑀21
𝑀31
𝑀41
𝑀51
𝑀61
𝑀71
𝑀81
𝑀91
1
𝑀10
1
𝑀11
1
𝑀12
or
⊥
Input:
𝑥1
𝑥2
𝑥3
𝑥4
Output: ⊤
Step 1: Randomizing
Program:
𝑀10
𝑀20
𝑀30
𝑀40
𝑀50
𝑀60
𝑀70
𝑀80
𝑀90
0
𝑀10
0
𝑀11
0
𝑀12
𝑀11
𝑀21
𝑀31
𝑀41
𝑀51
𝑀61
𝑀71
𝑀81
𝑀91
1
𝑀10
1
𝑀11
1
𝑀12
or
⊥
Input:
0
1
1
0
Output: ⊤
Step 2: Encoding
Program:
𝑀10
𝑀20
𝑀30
𝑀40
𝑀50
𝑀60
𝑀70
𝑀80
𝑀90
0
𝑀10
0
𝑀11
0
𝑀12
𝑀11
𝑀21
𝑀31
𝑀41
𝑀51
𝑀61
𝑀71
𝑀81
𝑀91
1
𝑀10
1
𝑀11
1
𝑀12
{1}
{2}
{3}
{4}
{5}
{6}
{7}
{8}
{9}
{10} {11} {12}
Obfuscation includes the encodings:
𝑀𝑖𝑏
𝑖
∀ level 𝑖, bit 𝑏 , ⊤
12
⊤
{1, … , 12}
Proof of Security
𝑀40
𝑀10
𝑀21
𝑀50
𝑀31
𝑀80
𝑀61
𝑀71
1
𝑀10
1
𝑀11
…
+
0
𝑀12
𝑀90
𝑀60
𝑀20
𝑀11
𝑀31
+ 𝛼⋅
?
⊤
𝑀41
=0
𝑀51
0
𝑀10
𝑀71
𝑀81
𝑀91
1
𝑀11
1
𝑀12
Simulation Outline
Test every monomial separately:
𝑀40
𝑀10
𝑀21
𝑀50
𝑀61
𝑀31
By querying 𝐶
𝑀80
0
1
𝑀71
1
0
𝑀12
𝑀90
1
𝑀10
0
1
𝑀11
Problems
1. Inconsistent monomials:
𝑀40
𝑀10
𝑀21
𝑀31
𝑀80
𝑀51
𝑀61
0
𝑀12
𝑀90
𝑀71
2. Too many monomials:
0
1
𝑀10 + 𝑀11 ⋅ 𝑀20 + 𝑀21 ⋅ … ⋅ 𝑀12
+ 𝑀12
1
𝑀10
1
𝑀11
Changing the Sets
{1}
{2}
{3}
{4}
{5}
{6}
{7}
{8}
{9}
{10} {11} {12}
𝑀10
𝑀20
𝑀30
𝑀40
𝑀50
𝑀60
𝑀70
𝑀80
𝑀90
0
𝑀10
0
𝑀11
0
𝑀12
𝑀11
𝑀21
𝑀31
𝑀41
𝑀51
𝑀61
𝑀71
𝑀81
𝑀91
1
𝑀10
1
𝑀11
1
𝑀12
{1}
{2}
{3}
{4}
{5}
{6}
{7}
{8}
{9}
{10} {11} {12}
⊤
{1, … , 12}
Changing the Sets
1
1′
2
2′
3
3′
4
4′
5
5′
6
6′
7
7′
8
8′
9
9′
𝑀10
𝑀20
𝑀30
𝑀40
𝑀50
𝑀60
𝑀70
𝑀80
𝑀90
0
𝑀10
0
𝑀11
0
𝑀12
𝑀11
𝑀21
𝑀31
𝑀41
𝑀51
𝑀61
𝑀71
𝑀81
𝑀91
1
𝑀10
1
𝑀11
1
𝑀12
1
1′
2
2′
3
3′
4
4′
5
5′
6
6′
7
7′
8
8′
9
9′
10
10′
10
10′
11
11′
11
11′
12
12′
12
12′
⊤
1, … , 12
1′, … , 12′
Changing the Sets
1
1′
5
5′
9
9′
𝑀10
𝑀50
𝑀90
𝑀11
𝑀51
𝑀91
1
1′
5
5′
9
9′
Straddling Set System
1,5,9
1′, 5′, 9′
1
1′
5
5′
9
9′
𝑀10
𝑀50
𝑀90
𝑀11
𝑀51
𝑀91
1
5′
5
9′
9
1′
=
9
1
5
∪ ′ ∪ ′
9
1′
5
0-matrices
=
1
9
5
∪
∪
5′
1′
9′
1-matrices
Straddling Set System
1
1′
5
5′
9
9′
𝑀10
𝑀50
𝑀90
𝑀11
𝑀51
𝑀91
1
5′
5
9′
9
1′
Straddling Set System
1
1′
2
2′
3
3′
4
4′
5
5′
6
6′
7
7′
8
8′
9
9′
10
10′
11
11′
12
12′
1
5′
2
6′
3
7′
4
8′
5
9′
6
10′
7
11′
8
12′
9
1′
10
2′
11
3′
12
4′
Too Many Monomials
0
1
𝑀10 𝑀50 𝑀90 + 𝑀11 𝑀51 𝑀91 ⋅ … ⋅ 𝑀40 𝑀80 𝑀12
+ 𝑀41 𝑀81 𝑀12
+
⋅ …⋅
+
Pairing Level Together
From Two Levels to One
10
10′
8
8′
0
𝑀90 𝑀10
𝑀90
0
𝑀10
1
𝑀90 𝑀10
𝑀91
1
𝑀10
0
𝑀91 𝑀10
10
2′
8
12′
1
𝑀91 𝑀10
10,8
10′ , 8′
10,8
10′ , 12′
10,8
2′ , 8′
10,8
2′ , 12′
From Two Levels to One
Dual-Input BP
Input:
𝑥1
𝑥2
𝑥3
𝑥4
Too Many Monomials
+
Thank You!
