Boaz Barak, Nir Bitansky, Ran Canetti, Yael Tauman Kalai, Omer Paneth, Amit Sahai Program Obfuscation Approved Document Verify and sign Signature Obfuscation Obfuscated Program Virtual Black-Box (VBB) [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Algorithm πͺ is an obfuscator for a family of functions ππ if: For every adversary π΄ there exists a simulator π such that for every key π and predicate π: ππ πͺ(ππ ) π΄ π(π) π Impossibilities for VBB [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] There exist families of “unobfuscatable” functions • Can be embedded in applications (e.g. encryption, signatures) • Implemented in TC0 Pseudo-entropic functions are unobfuscatable w.r.t auxiliary input \universal simulation [Bitansky-Canetti-Cohn-Goldwasser-Kalai-P-Rosen 14] Positive results • Constructions for simple functions [Can97, CMR98, LPS04, DS05,Wee05, CD08, CV09, CRV10,BR13] • General constructions in idealized models [CV13,BR13,BGKPS13] Which functions are VBB obfuscatable? Find rich classes of functions that can be VBB obfuscated Evasive Functions A family ππ of boolean functions is evasive if for or every π₯ ∈ 0,1 ∗ : Pr π← 0,1 π ππ (π₯) = 1 < negl π . Alternatively: For every efficient (non-uniform) adversary π΄: Pr π← 0,1 π π΄ ππ → π₯ s.t. ππ π₯ = 1 < negl(π). Applications Evasive Functions Disjunctions Hyperplanes Fuzzy point functions Point functions Digital Lockers Example Output Crash Buggy software Good input Bad input Input Patch Bad input Error message No impossibility for VBB obfuscation* of evasive functions *for the right notion of VBB VBB for Evasive Functions Turing machine Circuit Worst-case Impossible Impossible Average-case Impossible No known impossibility Contributions • New definitions for evasive function obfuscation and the relations between them. • Constructions for the zero-set of low degree polynomial based on multilinear maps • Virtual-gray box obfuscation for evasive functions ⇓ Virtual-gray box obfuscation for all functions • New definitions for evasive function obfuscation and the relations between them. • Constructions for the zero-set of low degree polynomial based on multilinear maps • Virtual-gray box obfuscation for evasive functions ⇓ Virtual-gray box obfuscation for all functions Average-case VBB For every adversary π΄ there exists a simulator π such that for every predicate π and for a random key π: ππ πͺ(ππ ) π΄ π(π) π Input-Hiding Obfuscation For every adversary π΄: Pr π← 0,1 π π΄ πͺ ππ → π₯ s.t. ππ π₯ = 1 < negl π . • Only achievable for evasive functions • Incomparable to average-case VBB • New definitions for evasive function obfuscation and the relations between them. • Constructions for the zero-set of low degree polynomial based on multilinear maps • Virtual-gray box obfuscation for evasive functions ⇓ Virtual-gray box obfuscation for all functions Constructions Average-case VBB and Input-hiding obfuscation for a subclass of evasive function: Roots of low degree multivariate polynomials ππ is defined by a multivariate polynomial π over π«π . π For key π ∈ π«π π and input π₯ ∈ π«π : 1 ππ (π₯) = 0 if π π1 , … , ππ , π₯1 , … , π₯π = 0 . otherwise Is the Root Set Evasive? For every input π₯ ∈ π«ππ : π ⋅ , π₯ β’ 0 ⇒ Pr ππ (π₯) = 1 = negl(π) π π ⋅ , π₯ ≡ 0 ⇒ Pr ππ π₯ = 1 = 1 π 1 ππ (π₯) = 0 if π π1 , … , ππ , π₯1 , … , π₯π = 0 . otherwise Two Constructions Security notion Input-hiding Average-case VBB Function families π given by an arithmetic circuit of size poly π and degree poly(π) π given by an arithmetic circuit of size poly π and depth O(log π) Assumption One-way graded encoding Perfectly-hiding graded encoding Graded Encodings [Garg-Gentry-Halevi 13] Gen 1π , π → ππ including a description of a ring π . For every πΌ ∈ π and every 0 ≤ π ≤d, πΌ π is an encoding • Addππ πΌ π , π½ • Mulππ πΌ π1 , • Zeroππ πΌ π π½ → πΌ + π½ π , Neg ππ πΌ π π2 → πΌ×π½ π → −πΌ π π1 +π2 → 1 if πΌ = 0 , and 0 otherwise • Encππ πΌ → πΌ 1 (candidate scheme with public encoding from [CLT13]) Input-Hiding 0/1 Zero Gen 1π , π → ππ π = degree(π) π(π, π₯) π Evaluate π using Add, Neg, Mul πͺ ππ → π1 1 , … , ππ 1 π₯1 1 , … , π₯π 1 ← Enc(π₯) Proof Idea Assume there exists π΄ such that: π΄ πͺ ππ = π1 1 , … , ππ 1 → π₯ s.t. π π, π₯ = 0 If π π, π₯ = 0 then π is a root of π ⋅ , π₯ . Can use π΄ to invert Enc ππ . • New definitions for evasive function obfuscation and the relations between them. • Constructions for the zero-set of low degree polynomial based on multilinear maps • Virtual-gray box obfuscation for evasive functions ⇓ Virtual-gray box obfuscation for all functions Virtual Grey-Box (VGB) [Bitansky-Canetti 10] For every adversary π΄ there exists an unbounded simulator π making polynomial number of oracle queries such that for every predicate π and for a random key π: ππ πͺ(ππ ) π΄ π(π) π Polynomial # of queries Computationally unbounded Why VGB? Virtual black-box obfuscation ⇓ Virtual grey-box obfuscation ⇓ Indistinguishability obfuscation Applications of VGB [Bitansky-Canetti 10] Composable VGB obfuscation for point functions from a strong variant of DDH. ⇓ Digital lockers [CD08], strong KDM encryption [CKVW10], CCA encryption [MH14], computational fuzzy extractors [CFPR14]. Virtual Grey-Box Virtual grey-box is not always meaningful. Example: pseudorandom functions For what functions is virtual grey-box meaningful? VGB for Evasive Functions For evasive functions , Average-case VBB ⇔ average-case VGB ππ πͺ(ππ ) π΄ π(π) π Polynomial # of queries Computationally unbounded Theorem Average-case VGB for evasive functions + indistinguishability obfuscation for all functions ⇓ Average-case VGB* for all functions * 1. Simulator make (slightly) super-polynomial #queries 2. Obfuscator is inefficient Proof Idea Any function family ππ can be decomposed to: ππ = ππ + βπ Can be learned by the VGB simulator Evasive πͺ ππ = ππ + πͺ(βπ ) Decomposition via Learning ππ Decomposition via Learning ππ Decomposition via Learning ππ Decomposition via Learning ππ Decomposition via Learning ππ Decomposition via Learning ππ ππ βπ = ππ − ππ is evasive. Thank You! ο ππ ππ