Slides
advertisement
The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator Nir Bitansky Ran Canetti Henry Cohn Shafi Goldwasser Yael Tauman-Kalai Omer Paneth Alon Rosen Program Obfuscation π₯ Program y Obfuscation π₯ y Obfuscated program Private Key to Public Key π πΈπππ π (π) cipher Obfuscation π cipher Public Key Ideal Obfuscation Hides everything about the program except for its input\output behavior Point Function etc. Unobfuscatable Functions [Canetti 97, Wee 05, BitanskyCanetti 10, Canetti-Rothblum-Varia 10] [Barak-Goldreich-ImpagliazzoRudich-Sahai-Vadhan-Yang 01] All functions ? Obfuscation Constructions Before 2013: No general solution. All functions Obfuscation Constructions Before 2013: No general solution. 2013: Candidate obfuscation for all circuits [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13] All functions New Impossibility Result Under computational assumptions, a natural notion of ideal obfuscation cannot be achieved for a large family of cryptographic functionalities. (strengthen the impossibility of [Goldwasser-Kalai 05]) Virtual Black-Box (VBB) [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Algorithm πͺ is an obfuscator for a class π if: For every PPT adversary π΄ there exists a PPT simulator π such that for every πΆ ∈ π and every predicate π(πΆ): πΆ πͺ(πΆ) π΄ π(πΆ) Inefficient! π Using Obfuscation Reduction π =π⋅π π π΄ π, π VBB with a Universal Simulator Algorithm πͺ is an obfuscator for a class π if: There exists a PPT simulator π such that for every PPT adversary π΄ such that for every πΆ ∈ π and every predicate π(πΆ): πΆ πͺ(πΆ) π΄ π(πΆ) π(π΄) Universal Simulation Universal Simulators Barak’s ZK simulator Black-box Simulators New Impossibility Result Under computational assumptions, VBB obfuscation with a universal simulator cannot be achieved for a large family of cryptographic functionalities. Pseudo-Entropic functions A function family ππ has super-polynomial pseudoentropy if there exists a set of inputs πΌ such that for a random function ππ , there exists π with super-polynomial min-entropy: π· 1 2 3 ππ (1) ππ (2) ππ (3) ≈π … πΌ … ππ (πΌ)\Z Examples • Pseudo-random functions • Semantically-secure encryption (when the randomness is a PRF of the message) π ππ πΉπ π πΈπππ π cipher New Impossibility Result Under computational assumptions, VBB obfuscation with a universal simulator is impossible for any pseudo-entropic function Indistinguishability Obfuscation [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] πΆ1 ≡ πΆ2 πͺ(πΆ1 ) ≈π πͺ(πΆ2 ) Assumption: indistinguishability obfuscation for all circuits (A candidate construction given in [GGHRSW13]) This Work Assuming indistinguishability obfuscation, VBB obfuscation with a universal simulator is impossible for any pseudo-entropic function This Work Average-case VBB with a universal simulator Worst-case VBB with a universal simulator Is Impossible for pseudo-entropic functions Is Impossible for pseudo-entropic functions Assuming indistinguishability obfuscation for all functions Assuming indistinguishability obfuscation for point-filter functions or equivalently, witness encryption Average-case VBB with a universal simulator Worst-case VBB with a universal simulator [Goldwasser-Kalai 05]: Is Impossible for Filter functions Is Impossible for pseudo-entropic functions Unconditionally Assuming VBB obfuscation for point-filter functions This work: Is Impossible for pseudo-entropic functions Is Impossible for pseudo-entropic functions Assuming indistinguishability obfuscation for all functions Assuming indistinguishability obfuscation for point-filter functions Universal Simulation and Auxiliary Input For every PPT adversary π΄ there exists a PPT simulator π such that for every πΆ ∈ π, every predicate π πΆ and every auxiliary input π§: πΆ πͺ(πΆ) π΄ π§ π(πΆ) π π§ VBB with a universal simulator Universal Simulation and Auxiliary Input Average-case VBB with a universal simulator Worst-case VBB with a universal simulator Average-case VBB with independent auxiliary input Worst-case VBB with dependent auxiliary input Proof Idea What can we do with an obfuscated code that we cannot do with black-box access? [Goldwasser-Kalai 05]: Find a polynomial size circuit computing the function! Impossibility for Worst-Case VBB Let ππ be a family of PRFs. Fix the simulator π. Sample a random ππ . Construct an adversary π΄ (that depends on ππ ) that fail π. Let πΌ be the set of inputs 1,2, … , 2 ⋅ πͺ ππ πΆ π΄ π\ ⊥ πΌ ππ (πΌ) π΄π,π πΆ : If πΆ = πͺ ππ and πΆ πΌ = ππ (πΌ): output the secret π, else output ⊥. Impossibility for Worst-Case VBB ππ πͺ(ππ ) π΄ π\ ⊥ πΌ ππ (πΌ) π π π΄ π Using Indistinguishability Obfuscation π΄ π΄ π\ ⊥ πΌ ≈π πΌ ππ (πΌ) π΄ ππ (πΌ) π΄ ⊥ π΄ ⊥ ≡ π π΄ π\ ⊥ πΌ π\ ⊥ ≈π π\ ⊥ πΌ π ≈π Impossibility for Average-Case VBB π΄π΄ πΆ π\ ⊥ πΌ πΌ ππ (πΌ) ππ πΉ π πΆ(πΌ) →π π΄π πΆ : If πΆ = πͺ ππ : output π = ππ πΉπ (πΆ(πΌ)) else output ⊥. Impossibility for Average-Case VBB π΄ ππ πΉπ πΌ πΆ(πΌ) →π Obfuscation should hide ππ πΉπ ππ πΌ Use Indistinguishability Obfuscation together with puncturable pseudo-random functions Thanks!
