On Virtual Grey-Box Obfuscation for General Circuits
Nir Bitansky, Ran Canetti, Yael Tauman-Kalai, Omer Paneth

Program Obfuscation
[Diagram: $x$ → Program → $y$; Obfuscation; $x$ → Obfuscated program → $y$]

Private Key to Public Key
[Diagram: message → private-key encryption → cipher; Obfuscation; message → Public Key → cipher]

Virtual Black-Box (VBB) [Hada 00, Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm $\mathcal{O}$ is an obfuscator for a class $\mathcal{C}$ if:
For every PPT adversary $A$ there exists a PPT simulator $S$ such that for every $C \in \mathcal{C}$ and every predicate $\pi(C)$:
$\Pr[A(\mathcal{O}(C)) = \pi(C)] = \Pr[S^C = \pi(C)] \pm \mathrm{negl}$

Impossibility Results for VBB
• Impossible for some functions. [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
• Impossible for all pseudo-entropic functions w.r.t. auxiliary input (assuming IO). [Goldwasser-Kalai 05, Bitansky-Canetti-Cohn-Goldwasser-Kalai-P-Rosen 14]

Indistinguishability Obfuscation (IO) [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
$C_1 \equiv C_2 \Rightarrow \mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$

History
2000-2013: No general solution. Obfuscation for simple functions: [C97, W05, CD08, CRV10, BC10, BR13]
2013: Candidate obfuscation for all circuits [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]

What is the security of the candidate obfuscator?
Assumption: the [GGHRSW13] obfuscator is IO.
Many recent applications: [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13, Sahai-Waters 13, Hohenberger-Sahai-Waters 13, Garg-Gentry-Halevi-Raykova 13, Bitansky-Canetti-P-Rosen 13, Boneh-Zhandry 13, Brzuska-Farshim-Mittelbach 14, Bitansky-P 14, Ramchen-Waters 14]
Better assumption:
1. Semantically-secure graded encodings [Pass-Seth-Telang 13]
2. Multilinear subgroup elimination assumption [Gentry-Lewko-Sahai-Waters 14]

What about other applications? Example: point function.
Can we get more than IO?
Today: virtual grey-box

Simulation Definition for IO [Bitansky-Canetti 10]
$C_1 \equiv C_2 \Rightarrow \mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$
Weak VBB: $A(\mathcal{O}(C)) \approx S^C$, where the simulator $S$ is computationally unbounded.

Virtual black-box: Simulator is bounded.
Virtual grey-box (VGB) [Bitansky-Canetti 10]: Simulator is semi-bounded (unbounded computation, polynomial number of oracle queries).
Indistinguishability: Simulator is unbounded.

Virtual black-box: Simulator is bounded. Meaningful.
Virtual grey-box (VGB) [Bitansky-Canetti 10]: Simulator is semi-bounded. Not meaningful for pseudo-random functions; meaningful for point functions.
Indistinguishability: Simulator is unbounded. Not meaningful.

Assume the [GGHRSW13] obfuscation is VGB. Or better yet, prove it!

Results
Semantically secure graded encoding ⇒ IO [Pass-Seth-Telang 13]
Semantically secure* graded encoding ⇒ VGB for $NC^1$

Results
Semantically secure graded encoding ⇒ IO [Pass-Seth-Telang 13]
Semantically secure* multilinear jigsaw puzzles ⇒ VGB for $NC^1$
Semantically secure* multilinear jigsaw puzzles ⇒ VGB for all circuits

Results
Semantically secure graded encoding ⇒ IO [Pass-Seth-Telang 13]
Semantically secure* multilinear jigsaw puzzles ⇒ VGB for $NC^1$
Semantically secure* multilinear jigsaw puzzles ⇒ VGB
Semantically secure multilinear jigsaw puzzles ⇒ VBB for new families

New Feasibility Results For VBB
Existing VBB results:
• Point functions [Canetti 97, Wee 05]
• Constant-size set functions [Bitansky-Canetti 10]
• Constant-dimension hyperplanes [Canetti-Rothblum-Varia 10]
New results:
• Fuzzy point functions (Hamming balls)
• Constant-dimension linear subspaces
• Conjunctions (worst-case)
Unified proof for all existing VBB results.
Results
Semantically secure graded encoding ⇒ IO [Pass-Seth-Telang 13]
Semantically secure* graded encoding ⇒ VGB for $NC^1$
Semantically secure* multilinear jigsaw puzzles ⇒ VGB
Semantically secure multilinear jigsaw puzzles ⇒ VBB for new families

Indistinguishability | Simulation | Reference
IND-secure encryption | SIM-secure encryption | [Goldwasser-Micali 82]
Witness indistinguishable proofs | Zero-knowledge proofs | [Feige-Lapidot-Shamir 99]
IND-secure functional encryption | SIM-secure functional encryption | [De Caro-Iovino-Jain-O'Neill-P-Persiano 13]
Indistinguishability obfuscation | Obf. w. unbounded simulation | [Bitansky-Canetti 10]
? | VGB obfuscation | This work

Strong indistinguishability obfuscation ⇔ Virtual grey-box obfuscation

Indistinguishability Obfuscation
For every pair of circuits $C_1, C_2$:
$\forall x: C_1(x) = C_2(x) \Rightarrow \mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$

Strong Indistinguishability Obfuscation
For every pair of distributions on circuits $C_1, C_2$:
$\forall x: \Pr[C_1(x) = C_2(x)] \geq 1 - \mathrm{negl}(|x|) \Rightarrow \mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$

VGB from Semantic Security
Semantically-secure graded encoding* ⇒ Strong IO for $NC^1$ ⇒ Virtual grey-box obfuscation for $NC^1$

The Equivalence.
Strong indistinguishability obfuscation ⇔ Virtual grey-box obfuscation

Strong IO ⇐ VGB
Let $C_1, C_2$ be distributions on circuits such that:
$\forall x: \Pr[C_1(x) = C_2(x)] \geq 1 - \mathrm{negl}(|x|)$
For every distinguisher $D$:
$D(\mathcal{O}(C_1)) \approx S^{C_1} \approx S^{C_2} \approx D(\mathcal{O}(C_2))$

The Equivalence.
Strong indistinguishability obfuscation ⇔ Virtual grey-box obfuscation

Strong IO ⇒ VGB: The Challenge
Point Function: $C_x(z) = 1$ if $x = z$, and $0$ if $x \neq z$.
Adversary: $A_y(\mathcal{O}(C_x))$ outputs $1$ if $x = y$ and $0$ if $x \neq y$.
Simulator: $S_y^{C_x}$ outputs $1$ if $x = y$ and $0$ if $x \neq y$.

High-Level Simulation Strategy
Extract information about $C$ from the adversary.

First Step: Concentrated Functions
A family of boolean functions $D$ is concentrated around a function $f$ if for every input $x$:
$\Pr_{C \leftarrow D}[C(x) = f(x)] \geq 1 - \mathrm{negl}(|x|)$

Starting Point
The simulator queries $C$ on a “splitting” input.

The Concentrated Family
There is no splitting input to query.

Warm Up: Point Functions [Canetti 97]
Let $\mathcal{O}$ be a strong IO for point functions.
For an adversary $A$ let $B_A$ be the set of points $x$ such that:
$\Pr[A(\mathcal{O}(C_x)) = 1] - \Pr[A(\mathcal{O}(f)) = 1] \geq \epsilon$
How to simulate an obfuscation of $C_x$?
If $x \notin B_A$ simulation is trivial.
If $x \in B_A$ the simulator can learn $x$ with a small number of oracle queries.
$S^{C_x}$ outputs $A(\mathcal{O}(C_x))$ if $x \in B_A$, and $A(\mathcal{O}(f))$ if $x \notin B_A$.

For an adversary $A$ let $B_A$ be the set of points $x$ such that:
$\Pr[A(\mathcal{O}(C_x)) = 1] - \Pr[A(\mathcal{O}(f)) = 1] \geq \epsilon$
Claim: $|B_A| = \mathrm{poly}(|A|, 1/\epsilon)$.
Proof: By the definition of $B_A$ we have that:
$\mathcal{O}(C_x \leftarrow B_A) \not\approx_c \mathcal{O}(f)$.
However, if $B_A$ is super-polynomial:
$\forall y: \Pr_{C_x \leftarrow B_A}[C_x(y) = f(y)] \geq 1 - \mathrm{negl}(|y|)$

Main Step: General Concentrated Functions
Let $\mathcal{O}$ be a strong IO for $D$.
For an adversary $A$ let $B_A$ be the set of functions $C \in D$ s.t.:
$\Pr[A(\mathcal{O}(C)) = 1] - \Pr[A(\mathcal{O}(f)) = 1] \geq \epsilon$
The set $B_A$ may be large!
To simulate an obfuscation of $C \in D$:
1. If $C \notin B_A$ simulation is trivial.
2. If $C \in B_A$ then the simulator can learn a “separating” input $z$ s.t. $C(z) \neq f(z)$ in a small number of oracle queries.
3. Set $D_2 = \{C \in D \mid C(z) \neq f(z)\}$. Note: $|D_2| \ll |D|$.
4. Repeat.
[Diagram: the families $D$, $D_2$, $D_3$ with their functions $f$, $f_2$, $f_3$ and bad sets; $C(z) \neq f(z)$, $C(z_2) \neq f_2(z_2)$]

When $C \in B_A$, how to learn a separating input $z$ s.t. $C(z) \neq f(z)$ in a small number of oracle queries?
Claim: There exists a set of separating inputs $Z$ such that:
1. $|Z| = \mathrm{poly}(|A|, 1/\epsilon)$.
2. For every $C \in B_A$, there exists $z \in Z$ such that $C(z) \neq f(z)$.
Proof: By the definition of $B_A$ we have that:
$\mathcal{O}(C \leftarrow B_A) \not\approx_c \mathcal{O}(f)$.
Find an input $z$ that is separating for a noticeable fraction of the functions in $B_A$. Such $z$ exists since otherwise:
$\forall z: \Pr_{C \leftarrow B_A}[C(z) = f(z)] \geq 1 - \mathrm{negl}(|z|)$
Add $z$ to $Z$, set $B_A = B_A \setminus \{C \mid C(z) \neq f(z)\}$, and repeat.

Two sources of inefficiency
1. Learning the function:
– Finding splitting inputs to concentrate $D_i$
2. Learning the adversary:
– Finding the bad set $B_A^i$
– Finding the set of separating inputs $Z_i$

Summary
• VGB is more meaningful than IO and probably more achievable than VBB.
• Strong IO ⇔ VGB.
• More applications of VGB.
• The quest for the “right” definition is not over.

Thanks!
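The two steps listed under "Two sources of inefficiency", run on toy families as an added example (not code from the talk or the paper). The brute-force enumeration stands in for the simulator's unbounded computation, and only calls to `oracle` count as queries. The function names, the threshold `eps`, the 16-element domain and the bad set are assumptions made for illustration, and the hidden circuit is assumed to belong to the family.

```python
def splitting_input(family, eps):
    """First input on which at least an eps fraction of the family
    disagrees with the majority value; None if the family is concentrated."""
    n = len(family)
    for x in range(len(family[0])):
        ones = sum(c[x] for c in family)
        if min(ones, n - ones) >= eps * n:
            return x
    return None

def concentrate(family, oracle, eps):
    """Learning the function: query splitting inputs until the functions
    consistent with the answers are concentrated around their majority f."""
    queries = []
    while (x := splitting_input(family, eps)) is not None:
        bit = oracle(x)  # one oracle query to the hidden C
        queries.append(x)
        family = [c for c in family if c[x] == bit]
    f = tuple(int(2 * sum(c[x] for c in family) >= len(family))
              for x in range(len(family[0])))
    return family, f, queries

def separating_inputs(bad, f):
    """Learning the adversary: greedily collect inputs z with C(z) != f(z)
    until every function in the bad set is separated from f by some z."""
    bad, Z = [c for c in bad if c != f], []
    while bad:
        z = max(range(len(f)), key=lambda x: sum(c[x] != f[x] for c in bad))
        Z.append(z)
        bad = [c for c in bad if c[z] == f[z]]
    return Z

# Constructed toy families over the domain {0, ..., 15}, as truth tables.
N = 16
POINTS = [tuple(int(z == x) for z in range(N)) for x in range(N)]
THRESHOLDS = [tuple(int(z >= t) for z in range(N)) for t in range(N + 1)]

def demo():
    # Thresholds split well, so the queries pin the hidden C down completely.
    hidden = THRESHOLDS[11]
    _, f_thr, q_thr = concentrate(THRESHOLDS, lambda x: hidden[x], 0.25)
    # Point functions are concentrated around zero: there is nothing to query.
    _, f_pt, q_pt = concentrate(POINTS, lambda x: POINTS[7][x], 0.25)
    # Assumed bad set B_A for some adversary A: the points 3, 7 and 12.
    Z = separating_inputs([POINTS[3], POINTS[7], POINTS[12]], f_pt)
    return q_thr, f_thr == hidden, q_pt, f_pt, Z

if __name__ == "__main__":
    print(demo())
```

The threshold family is learned in five queries, while the point-function family gives the simulator nothing to query until the bad set supplies the separating inputs.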