On Virtual Grey Box Obfuscation for General Circuits

On Virtual Grey-Box Obfuscation
for General Circuits
Nir Bitansky
Ran Canetti
Yael Tauman-Kalai
Omer Paneth
Program Obfuscation
[Diagram: a Program maps input $x$ to output $y$; Obfuscation turns it into an Obfuscated program that maps $x$ to $y$.]
Private Key to Public Key
[Diagram: the private-key encryption program maps $m$ to the cipher $Enc_{sk}(m)$; Obfuscation turns it into a Public Key that maps $m$ to a cipher.]
Virtual Black-Box (VBB)
[Hada 00, Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm $\mathcal{O}$ is an obfuscator for a class $\mathcal{C}$ if:
For every PPT adversary $A$ there exists a PPT simulator $S$
such that for every $C \in \mathcal{C}$ and every predicate $\pi(C)$:
$\Pr[A(\mathcal{O}(C)) = \pi(C)] = \Pr[S^C = \pi(C)] \pm \mathrm{negl}$
Impossibility Results for VBB
Impossible for some functions.
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Impossible for all pseudo-entropic functions
w.r.t auxiliary input (assuming IO).
[Goldwasser-Kalai 05, Bitansky-Canetti-Cohn-Goldwasser-Kalai-P-Rosen 14]
Indistinguishability Obfuscation (IO)
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
$C_1 \equiv C_2$
$\mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$
History
2000-2013:
No general solution.
Obfuscation for simple functions:
[C97,W05,CD08,CRV10,BC10,BR13]
2013:
Candidate obfuscation for all circuits
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
What is the security
of the candidate obfuscator?
Assumption: the [GGHRSW13] obfuscator is IO
Many recent applications:
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13, Sahai-Waters 13,
Hohenberger-Sahai-Waters 13, Garg-Gentry-Halevi-Raykova 13,
Bitansky-Canetti-P-Rosen 13, Boneh-Zhandry 13, Brzuska-Farshim-Mittelbach 14, Bitansky-P 14, Ramchen-Waters 14]
Better assumption:
1. Semantically-secure graded encodings
[Pass-Seth-Telang 13]
2. Multilinear subgroup elimination assumption
[Gentry-Lewko-Sahai-Waters 14]
What about other applications?
Example: point function
Can we get more than IO?
Today: virtual grey-box
Simulation Definition for IO
[Bitansky-Canetti 10]
$C_1 \equiv C_2 \Rightarrow \mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$
Weak VBB:
$A(\mathcal{O}(C)) \approx S^C$, where the simulator $S$ is computationally unbounded.
Virtual black-box:
Simulator is bounded
[Bitansky-Canetti 10]
Virtual grey-box (VGB):
Simulator is semi-bounded: unbounded computation, polynomial number of oracle queries
Indistinguishability:
Simulator is unbounded
Virtual black-box:
Simulator is bounded
Meaningful for pseudo-random functions
[Bitansky-Canetti 10]
Virtual grey-box (VGB):
Simulator is semi-bounded
Not meaningful for pseudo-random functions; meaningful for point functions
Indistinguishability:
Simulator is unbounded
Not meaningful for point functions
Assume the [GGHRSW13] obfuscation is VGB.
Or better yet, prove it!
Results
Semantically secure graded encoding
IO [Pass-Seth-Telang 13]
Semantically secure* graded encoding
VGB for $NC^1$
Results
Semantically secure graded encoding
Semantically secure* multilinear jigsaw puzzles
Semantically secure* multilinear jigsaw puzzles
IO [Pass-Seth-Telang 13]
VGB for $NC^1$
VGB for all circuits
Results
Semantically secure graded encoding
Semantically secure* multilinear jigsaw puzzles
Semantically secure* multilinear jigsaw puzzles
Semantically secure multilinear jigsaw puzzles
IO [Pass-Seth-Telang 13]
VGB for $NC^1$
VGB
VBB for new families
New Feasibility Results For VBB
Existing VBB results:
• Point functions [Canetti 97, Wee 05]
• Constant-size set functions [Bitansky-Canetti 10]
• Constant-dimension hyperplanes [Canetti-Rothblum-Varia 10]
New results:
• Fuzzy point functions (Hamming balls)
• Constant-dimension linear subspaces
• Conjunctions (worst-case)
Unified proof for all existing VBB results.
Results
Semantically secure graded encoding
Semantically secure* graded encoding
Semantically secure* multilinear jigsaw puzzles
Semantically secure multilinear jigsaw puzzles
IO [Pass-Seth-Telang 13]
VGB for $NC^1$
VGB
VBB for new families
Indistinguishability | Simulation
IND-secure encryption | SIM-secure encryption [Goldwasser-Micali 82]
Witness indistinguishable proofs | Zero-knowledge proofs [Feige-Lapidot-Shamir 99]
IND-secure functional encryption | SIM-secure functional encryption [De Caro-Iovino-Jain-O'Neill-P-Persiano 13]
Indistinguishability obfuscation | Obf. w. unbounded simulation [Bitansky-Canetti 10]
? | VGB obfuscation [This work]
Strong indistinguishability obfuscation | Virtual grey-box obfuscation
Indistinguishability Obfuscation
For every pair of circuits $C_1, C_2$:
$\forall x: C_1(x) = C_2(x) \Rightarrow \mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$
Strong Indistinguishability Obfuscation
For every pair of distributions on circuits $C_1, C_2$:
$\forall x: \Pr[C_1(x) = C_2(x)] \geq 1 - \mathrm{negl}(|x|) \Rightarrow \mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$
VGB from Semantic Security
Semantically-secure graded encoding*
Strong IO for $NC^1$
Virtual grey-box obfuscation for $NC^1$
The Equivalence.
Strong indistinguishability obfuscation
Virtual grey-box obfuscation
Strong IO $\Leftarrow$ VGB
Let $C_1, C_2$ be distributions on circuits such that:
$\forall x: \Pr[C_1(x) = C_2(x)] \geq 1 - \mathrm{negl}(|x|)$
For every distinguisher $D$:
$D(\mathcal{O}(C_1)) \approx S^{C_1} \approx S^{C_2} \approx D(\mathcal{O}(C_2))$
The Equivalence.
Strong indistinguishability obfuscation
Virtual grey-box obfuscation
Strong IO $\Rightarrow$ VGB: The Challenge
Point Function: $C_x(z) = 1$ if $x = z$, and $0$ if $x \neq z$.
$A_y(\mathcal{O}(C_x)) = 1$ if $x = y$, and $0$ if $x \neq y$.
$S_y^{C_x} = 1$ if $x = y$, and $0$ if $x \neq y$.
High-Level Simulation Strategy
Extract information about $C$ from the adversary
First Step: Concentrated Functions
A family of boolean functions $D$ is concentrated around a
function $f$ if for every input $x$:
$\Pr_{C \leftarrow D}[C(x) = f(x)] \geq 1 - \mathrm{negl}(|x|)$
Starting Point
The simulator queries $C$ on a “splitting” input
The Concentrated Family
There is no splitting input to query
Warm Up: Point Functions [Canetti 97]
Let $\mathcal{O}$ be a strong IO for point functions.
For an adversary $A$ let $B_A$ be the set of points $x$ such that:
$\Pr[A(\mathcal{O}(C_x)) = 1] - \Pr[A(\mathcal{O}(\mathbf{0})) = 1] \geq \epsilon$
How to simulate an obfuscation of $C_x$?
If $x \notin B_A$ simulation is trivial.
If $x \in B_A$ the simulator can learn $x$ with a small number of
oracle queries.
$S^{C_x}$ outputs $A(\mathcal{O}(C_x))$ if $x \in B_A$, and $A(\mathcal{O}(\mathbf{0}))$ if $x \notin B_A$.
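For an adversary $A$ let $B_A$ be the set of points $x$ such that:
$\Pr[A(\mathcal{O}(C_x)) = 1] - \Pr[A(\mathcal{O}(\mathbf{0})) = 1] \geq \epsilon$
Claim: $|B_A| = \mathrm{poly}(|A|, 1/\epsilon)$.
Proof: By the definition of $B_A$ we have that:
$\mathcal{O}(C_x \leftarrow B_A) \not\approx_c \mathcal{O}(\mathbf{0})$.
However, if $B_A$ is super polynomial:
$\forall y: \Pr_{C_x \leftarrow B_A}[C_x(y) = \mathbf{0}(y)] \geq 1 - \mathrm{negl}(|y|)$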
Main Step: General Concentrated Functions
Let $\mathcal{O}$ be a strong IO for $D$.
For an adversary $A$ let $B_A$ be the set of functions $C \in D$ s.t.:
$\Pr[A(\mathcal{O}(C)) = 1] - \Pr[A(\mathcal{O}(f)) = 1] \geq \epsilon$
The set $B_A$ may be large!
To simulate an obfuscation of $C \in D$:
1. If $C \notin B_A$ simulation is trivial.
2. If $C \in B_A$ then the simulator can learn a “separating” input
$z$ s.t. $C(z) \neq f(z)$ in a small number of oracle queries.
3. Set $D_2 = \{C \in D \mid C(z) \neq f(z)\}$. Note: $|D_2| \ll |D|$.
4. Repeat.
[Diagram, built up over three slides: the families $D$, $D_2$, $D_3$ with the functions $f$, $f_2$, $f_3$ and the bad sets $B_A$, $B_A^2$, $B_A^3$; $C$ is separated first by $C(z) \neq f(z)$ and then by $C(z_2) \neq f_2(z_2)$.]
When $C \in B_A$, how to learn a separating input
$z$ s.t. $C(z) \neq f(z)$ in a small number of oracle queries?
Claim: There exists a set of separating inputs $Z$ such that:
1. $|Z| = \mathrm{poly}(|A|, 1/\epsilon)$.
2. For every $C \in B_A$, there exists $z \in Z$ such that $C(z) \neq f(z)$
Proof:
By the definition of $B_A$ we have that: $\mathcal{O}(C \leftarrow B_A) \not\approx_c \mathcal{O}(f)$.
Find an input $z$ that is separating for a noticeable fraction of the
functions in $B_A$. Such $z$ exists since otherwise:
$\forall z: \Pr_{C \leftarrow B_A}[C(z) = f(z)] \geq 1 - \mathrm{negl}(|z|)$
Add $z$ to $Z$, set $B_A = B_A \setminus \{C \mid C(z) \neq f(z)\}$, and repeat.
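An added toy illustration (not from the talk) of the main-step loop together with the greedy construction of $Z$ from the proof above, over small explicit families of truth tables. It assumes a worst-case bad set (every function in the family that differs from $f$) and takes $f$ to be the pointwise majority; the function names are hypothetical.

```python
# Toy model (added example): a function is a truth table, i.e. a tuple of bits
# indexed by input. All names here are hypothetical.

def majority(D):
    """Pointwise majority of family D (ties go to 0): the f that D is concentrated around."""
    return tuple(int(2 * sum(C[i] for C in D) > len(D)) for i in range(len(D[0])))

def separating_inputs(bad, f):
    """Greedy set Z from the claim: every C in `bad` has some z in Z with C[z] != f[z]."""
    bad, Z = [C for C in bad if C != f], []
    while bad:
        # Pick the input that separates the most remaining functions from f.
        z = max(range(len(f)), key=lambda i: sum(C[i] != f[i] for C in bad))
        Z.append(z)
        bad = [C for C in bad if C[z] == f[z]]  # B_A := B_A \ {C | C(z) != f(z)}
    return Z

def simulate(oracle, D):
    """Return (function the simulator ends up with, list of oracle queries made)."""
    queries = []
    def ask(z):
        queries.append(z)
        return oracle(z)
    while True:
        f = majority(D)
        bad = [C for C in D if C != f]      # assumption: worst-case bad set B_A
        Z = separating_inputs(bad, f)
        z = next((z for z in Z if ask(z) != f[z]), None)
        if z is None:                       # C agrees with f on all of Z
            return f, queries
        D = [C for C in D if C[z] != f[z]]  # next family; at most half of D survives

def point(x, n):
    """Truth table of the point function C_x on n inputs."""
    return tuple(int(i == x) for i in range(n))

if __name__ == "__main__":
    n = 8  # constructed sample family: the 8 point functions plus the all-zero function
    D = [point(x, n) for x in range(n)] + [(0,) * n]
    learned, queries = simulate(lambda z: point(5, n)[z], D)
    print(learned, queries)
```

For the point-function family every input separates exactly one function, so $Z$ is as large as the bad set, which is why the warm-up needs the bad set itself to be small.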
Two sources of inefficiency
1. Learning the function:
– Finding splitting inputs to concentrate $D_i$
2. Learning the adversary:
– Finding the bad set $B_A^i$
– Finding the set of separating inputs $Z_i$
Summary
• VGB is more meaningful than IO and probably
more achievable than VBB.
• Strong IO $\Leftrightarrow$ VGB.
• More applications of VGB.
• The quest for the “right” definition is not over.
Thanks!