Boaz Barak, Nir Bitansky, Ran Canetti,
Yael Tauman Kalai, Omer Paneth, Amit Sahai
Program Obfuscation
Approved
Document
Verify and sign
Signature
Obfuscation
Obfuscated Program
Virtual Black-Box (VBB)
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm 𝒪 is an obfuscator for a family of functions 𝑓𝑘 if:
For every adversary 𝐴 there exists a simulator 𝑆
such that for every key 𝑘 and predicate 𝑃:
𝑓𝑘
𝒪(𝑓𝑘 )
𝐴
𝑃(𝑘)
𝑆
Impossibilities for VBB
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
There exist families of “unobfuscatable” functions
• Can be embedded in applications
(e.g. encryption, signatures)
• Implemented in TC0
Pseudo-entropic functions are unobfuscatable w.r.t
auxiliary input \universal simulation
[Bitansky-Canetti-Cohn-Goldwasser-Kalai-P-Rosen 14]
Positive results
• Constructions for simple functions
[Can97, CMR98, LPS04, DS05,Wee05, CD08, CV09, CRV10,BR13]
• General constructions in idealized models
[CV13,BR13,BGKPS13]
Which functions are
VBB obfuscatable?
Find rich classes of functions
that can be VBB obfuscated
Evasive Functions
A family 𝑓𝑘 of boolean functions is evasive
if for or every 𝑥 ∈ 0,1 ∗ :
Pr
𝑘← 0,1
𝑛
𝑓𝑘 (𝑥) = 1 < negl 𝑛 .
Alternatively:
For every efficient (non-uniform) adversary 𝐴:
Pr
𝑘← 0,1 𝑛
𝐴 𝑓𝑘 → 𝑥 s.t. 𝑓𝑘 𝑥 = 1 < negl(𝑛).
Applications
Evasive Functions
Disjunctions
Hyperplanes
Fuzzy point
functions
Point
functions
Digital
Lockers
Example
Output
Crash
Buggy
software
Good input
Bad input
Input
Patch
Bad input
Error
message
No impossibility for
VBB obfuscation*
of evasive functions
*for the right notion of VBB
VBB for Evasive Functions
Turing
machine
Circuit
Worst-case
Impossible
Impossible
Average-case
Impossible
No known
impossibility
Contributions
• New definitions for evasive function obfuscation
and the relations between them.
• Constructions for the zero-set of low degree
polynomial based on multilinear maps
• Virtual-gray box obfuscation for evasive functions
⇓
Virtual-gray box obfuscation for all functions
• New definitions for evasive function obfuscation
and the relations between them.
• Constructions for the zero-set of low degree
polynomial based on multilinear maps
• Virtual-gray box obfuscation for evasive functions
⇓
Virtual-gray box obfuscation for all functions
Average-case VBB
For every adversary 𝐴 there exists a simulator 𝑆
such that for every predicate 𝑃 and for a random key 𝑘:
𝑓𝑘
𝒪(𝑓𝑘 )
𝐴
𝑃(𝑘)
𝑆
Input-Hiding Obfuscation
For every adversary 𝐴:
Pr
𝑘← 0,1
𝑛
𝐴 𝒪 𝑓𝑘
→ 𝑥 s.t. 𝑓𝑘 𝑥 = 1 < negl 𝑛 .
• Only achievable for evasive functions
• Incomparable to average-case VBB
• New definitions for evasive function obfuscation
and the relations between them.
• Constructions for the zero-set of low degree
polynomial based on multilinear maps
• Virtual-gray box obfuscation for evasive functions
⇓
Virtual-gray box obfuscation for all functions
Constructions
Average-case VBB and Input-hiding obfuscation for a
subclass of evasive function:
Roots of low degree multivariate polynomials
𝑓𝑘 is defined by a multivariate polynomial 𝑄 over 𝕫𝑝 .
𝑛
For key 𝑘 ∈ 𝕫𝑚
𝑝 and input 𝑥 ∈ 𝕫𝑝 :
1
𝑓𝑘 (𝑥) =
0
if 𝑄 𝑘1 , … , 𝑘𝑚 , 𝑥1 , … , 𝑥𝑛 = 0
.
otherwise
Is the Root Set Evasive?
For every input 𝑥 ∈ 𝕫𝑛𝑝 :
𝑄 ⋅ , 𝑥 ≢ 0 ⇒ Pr 𝑓𝑘 (𝑥) = 1 = negl(𝑛)
𝑘
𝑄 ⋅ , 𝑥 ≡ 0 ⇒ Pr 𝑓𝑘 𝑥 = 1 = 1
𝑘
1
𝑓𝑘 (𝑥) =
0
if 𝑄 𝑘1 , … , 𝑘𝑚 , 𝑥1 , … , 𝑥𝑛 = 0
.
otherwise
Two Constructions
Security
notion
Input-hiding
Average-case VBB
Function
families
𝑄 given by an
arithmetic circuit
of size poly 𝑛
and degree poly(𝑛)
𝑄 given by an
arithmetic circuit
of size poly 𝑛
and depth O(log 𝑛)
Assumption
One-way graded
encoding
Perfectly-hiding
graded encoding
Graded Encodings
[Garg-Gentry-Halevi 13]
Gen 1𝑛 , 𝑑 → 𝑃𝑃 including a description of a ring 𝑅.
For every 𝛼 ∈ 𝑅 and every 0 ≤ 𝑙 ≤d, 𝛼 𝑙 is an encoding
• Add𝑃𝑃 𝛼 𝑙 , 𝛽
• Mul𝑃𝑃 𝛼
𝑙1 ,
• Zero𝑃𝑃 𝛼
𝑑
𝛽
→ 𝛼 + 𝛽 𝑙 , Neg 𝑃𝑃 𝛼
𝑙
𝑙2
→ 𝛼×𝛽
𝑙
→ −𝛼
𝑙
𝑙1 +𝑙2
→ 1 if 𝛼 = 0 , and 0 otherwise
• Enc𝑃𝑃 𝛼 → 𝛼
1
(candidate scheme with public encoding from [CLT13])
Input-Hiding
0/1
Zero
Gen 1𝑛 , 𝑑 → 𝑃𝑃
𝑑 = degree(𝑄)
𝑄(𝑘, 𝑥)
𝑑
Evaluate 𝑄 using
Add, Neg, Mul
𝒪 𝑓𝑘 → 𝑘1 1 , … , 𝑘𝑚
1
𝑥1 1 , … , 𝑥𝑛
1
← Enc(𝑥)
Proof Idea
Assume there exists 𝐴 such that:
𝐴 𝒪 𝑓𝑘 = 𝑘1 1 , … , 𝑘𝑚
1
→ 𝑥 s.t. 𝑄 𝑘, 𝑥 = 0
If 𝑄 𝑘, 𝑥 = 0 then 𝑘 is a root of 𝑄 ⋅ , 𝑥 .
Can use 𝐴 to invert Enc 𝑘𝑖 .
• New definitions for evasive function obfuscation
and the relations between them.
• Constructions for the zero-set of low degree
polynomial based on multilinear maps
• Virtual-gray box obfuscation for evasive functions
⇓
Virtual-gray box obfuscation for all functions
Virtual Grey-Box (VGB)
[Bitansky-Canetti 10]
For every adversary 𝐴 there exists an unbounded simulator 𝑆
making polynomial number of oracle queries
such that for every predicate 𝑃 and for a random key 𝑘:
𝑓𝑘
𝒪(𝑓𝑘 )
𝐴
𝑃(𝑘)
𝑆
Polynomial #
of queries
Computationally
unbounded
Why VGB?
Virtual black-box obfuscation
⇓
Virtual grey-box obfuscation
⇓
Indistinguishability obfuscation
Applications of VGB
[Bitansky-Canetti 10]
Composable VGB obfuscation for point functions
from a strong variant of DDH.
⇓
Digital lockers [CD08], strong KDM encryption [CKVW10], CCA
encryption [MH14], computational fuzzy extractors [CFPR14].
Virtual Grey-Box
Virtual grey-box is not always meaningful.
Example: pseudorandom functions
For what functions is
virtual grey-box meaningful?
VGB for Evasive Functions
For evasive functions ,
Average-case VBB ⇔ average-case VGB
𝑓𝑘
𝒪(𝑓𝑘 )
𝐴
𝑃(𝑘)
𝑆
Polynomial #
of queries
Computationally
unbounded
Theorem
Average-case VGB for evasive functions
+ indistinguishability obfuscation for all functions
⇓
Average-case VGB* for all functions
* 1. Simulator make (slightly) super-polynomial #queries
2. Obfuscator is inefficient
Proof Idea
Any function family 𝑓𝑘 can be decomposed to:
𝑓𝑘 = 𝑔𝑘 + ℎ𝑘
Can be learned by
the VGB simulator
Evasive
𝒪 𝑓𝑘 = 𝑔𝑘 + 𝒪(ℎ𝑘 )
Decomposition via Learning
𝑓𝑘
Decomposition via Learning
𝑓𝑘
Decomposition via Learning
𝑓𝑘
Decomposition via Learning
𝑓𝑘
Decomposition via Learning
𝑓𝑘
Decomposition via Learning
𝑔𝑘
𝑓𝑘
ℎ𝑘 = 𝑓𝑘 − 𝑔𝑘 is evasive.
Thank You!

𝑔𝑘
𝑓𝑘