Post on 17-Jan-2016
On the Impossibility of Approximate Obfuscation
Nir Bitansky and Omer Paneth
Program Obfuscation
Compute
𝑥
𝑦= 𝑓 𝑠𝑘(𝑥 )
Program Obfuscation𝑥
𝑦= 𝑓 𝑠𝑘(𝑥 )
Program Obfuscation
Sign email with If starts with
“omer@bu.edu”
𝑥
𝑦=𝜎 (𝑥)/⊥
Virtual Black-Box
is an obfuscation of :
- Functionality:
𝑆𝑓 𝑠𝑘
𝐴 ≈𝒪𝑠𝑘
- Security:
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Impossibility of Obfuscation
There exist families of functions that cannot be obfuscated
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Relaxed Security
- Functionality:
𝑆𝑓 𝑠𝑘
𝐴 ≈𝒪𝑠𝑘
- Security:
[Barak et al. 01, Goldwasser-Rothblum07, Hofheinz-Malone-Lee-Stam07, Hohenberger-Rothblum-Shelat-Vaikuntanathan07,
Bitansky-Canetti10]
Relaxed Functionality?
- Functionality:
𝑆𝑓 𝑠𝑘
𝐴 ≈𝒪𝑠𝑘
- Security:
Approximate Obfuscation[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
is an approximate obfuscation of :
- Functionality:
𝑆𝑓 𝑠𝑘
𝐴 ≈𝒪𝑠𝑘
- Security:
Main Result
Assuming trapdoor permutations, there exist families of functions that cannot be approximately
obfuscated
Motivation?
Positive applications
From Impossibility to Applications
Impossibility of approximate obfuscation
Non-black-box extraction
𝐴𝑠𝑘𝑥 𝑓 𝑠𝑘(𝑥 )
𝑠𝑘
Zero-knowledge
with
resettable security
Worst-case
extractable
signatures
Plan[BGIRSVY 01]:
This work:
Impossibility of Obfuscation
Impossibility of Approximate Obfuscation
Unobfuscatable Functions
Robust Unobfuscatable
Functions
Applications
Unobfuscatable Functions
𝐴𝑓 𝑠𝑘
𝑠𝑘
𝐸𝒪 𝑠𝑘
1. Black-box unlearnability:
:
2. Extraction: Pr𝑥←𝑈
[𝒪 (𝑥 )= 𝑓 𝑠𝑘 (𝑥 ) ]=1⇒
From Barak et al.
Robust Unobfuscatable Functions
1. Black-box unlearnability:
:
2. Robust extraction: 𝐴𝑓 𝑠𝑘
𝑠𝑘
𝐸𝒪 𝑠𝑘Pr𝑥←𝑈
[𝒪 (𝑥 )= 𝑓 𝑠𝑘 (𝑥 ) ]>0 .9⇒
Robust Unobfuscatable Functions
𝑓 𝑠𝑘𝒪𝑆𝑓 𝑠𝑘
𝐴 ≈𝒪𝑠𝑘𝑠𝑘
𝐸
RUFs Construction
Unobfuscatable FunctionsConstruction of Barak et al. (using FHE for simplicity)
– two -bit strings - secret key for FHE
𝑓 𝑎 ,𝑏 , 𝑠𝑘 (𝑥 ) :
𝑓 𝑎 ,𝑏 , 𝑠𝑘(𝑥 )¿ {¿¿𝑥=𝑎𝑥=0𝑛De c𝑠𝑘(𝑥)=𝑏o . w .
En c𝑠𝑘(𝑎)𝑏
𝑏
⊥
0𝑛 𝐸𝑛𝑐 (𝑎) 𝐸𝑛𝑐 (b )
𝑎 𝑏
𝑓
𝑓
𝑓
Unobfuscatable Functions
0𝑛 𝐸𝑛𝑐 (𝑎) 𝐸𝑛𝑐 (b )
𝑎 𝑏
𝑓
𝑓
𝑓
Black-Box Unlearnability
𝐴𝑓𝑏
𝐶
0𝑛 𝐸𝑛𝑐 (𝑎) 𝐸𝑛𝑐 (b )
𝑎 𝑏
Extraction
𝐸𝐶≡ 𝑓 𝑏
𝐸𝑣𝑎𝑙 (𝐶 )𝐶𝐶
𝐶
0𝑛 𝐸𝑛𝑐 (𝑎) 𝐸𝑛𝑐 (b )
𝑎 𝑏
Robust Extraction?
𝐸
𝐶∗𝐶∗
𝐶∗ 𝑏 𝐶∗(𝑥)={ ⊥𝐸𝑛𝑐𝑠𝑘(𝑎)
𝑥=𝑎𝑥=0𝑛
𝑏⊥
𝐷𝑒𝑐𝑠 𝑘(𝑥 )=𝑏𝑜 .𝑤 .
A Taste of the Construction
𝑓 𝑎 ,𝑏(𝑥)={𝑏 𝑥=𝑎⊥ 𝑜 .𝑤 .
Q: Find such that:
with errors 𝑓 a , b
Randomly reduce to
Getting Robustness
𝑓 𝑎 ,𝑏(𝑥)={𝑏 𝑥=𝑎⊥ 𝑜 .𝑤 .
with errors 𝑓 a , b
𝑔
h𝑎𝑟
𝑎⊕𝑟 ⊕
𝑟←𝑈𝑏⊕PRF (𝑟 )
PRF (𝑟 )
𝑓
𝑔 , h 𝑓 a , b
𝐴𝑔 , h
𝑏
𝑎 𝑎 queries on and queries on
Construction of RUFs
¿ { 𝑏𝐸𝑛𝑐𝑠 𝑘(𝑎)
𝑥=𝑎𝑥=0𝑛
𝑏⊥
𝐷𝑒𝑐𝑠𝑘(𝑥)=𝑏𝑜 .𝑤 .
𝑓 𝑎 ,𝑏 , 𝑠𝑘(𝑥 )
• RUFs from trapdoor permutations.
• Weak RUFs from OWF only:
Assumptions
𝐸𝒪 𝑠𝑘
∀ 𝑥 :𝒪 (𝑥 )∈ { 𝑓 𝑠𝑘 (𝑥 ) ,⊥}
Applications
Publicly-Verifiable RUOFs
𝐴𝑓 𝑠𝑘
𝑠𝑘 𝐸𝒪 𝑠𝑘
iff
𝑣𝑘 𝑣𝑘
𝑠𝑘,𝑣𝑘←Gen () Pr𝑥←𝑈
[Ver𝑣𝑘 (𝑥 ,𝒪 (𝑥 ) )=1 ]> 1poly(𝑛)
Resettably-Sound ZK[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]
𝑥∈ℒ?𝒫Standard ZK
ResettableSoundnes
s𝒱
Resettable Soundness[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]
𝒱𝒫∗𝑥∉ℒ
Resettable Soundness[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]
𝒱𝒫∗𝑥∉ℒ𝒱
No Black-Box Simulator
𝒱𝒫∗
Resettable soundness Zero-knowledge(black-box simulator) 𝒫∗
𝒱 𝒮𝒱∗
[Barak-Goldreich-Goldwasser-Lindell 01]
Resettably-Sound ZK
𝒱𝒫∗ 𝒮𝒱∗
Resettable soundness Zero-knowledge (non-black-box simulator)𝒫∗
𝒱
[Barak-Goldreich-Goldwasser-Lindell 01, BP 12, Chung-Pass-Seth 13]
𝒫 𝒱Resettably-Sound ZK
𝑠𝑘,𝑣𝑘𝑣𝑘
𝑥←𝑈𝑓 𝑠𝑘(𝑥 )
Witness indistinguishable
proof:
or “knows”
𝒫 𝒱Resettably-Sound ZK
𝑠𝑘,𝑣𝑘𝑣𝑘
𝑥𝑓 𝑠𝑘(𝑥 )
Witness indistinguishable
proof:
or “knows”
𝒱𝒫∗𝑥𝑓 𝑠𝑘(𝑥 )
Analysis
𝒮 𝑖𝑚𝒱∗
Resettable soundness Zero-knowledge
𝒫∗𝑓 𝑠𝑘
𝑠𝑘
𝒮𝑠𝑘
𝐸
• Resettably-sound ZK from OWFs
(Different approach from Chung-Pass-Seth 13)
• Simultaneously-resettable ZK from OWFs
(using srWI by Chung-Ostrovsky-Pass-Visconti
13)
• 4-message resettably-sound ZK
• 3-message simultaneously-resettable
WI proof of knowledge
More Resettable Crypto
Sign 𝑠𝑘
Sign 𝑠𝑘
𝐴𝑚 𝑖
𝜎 (𝑚
¿¿𝑖)¿
𝑣𝑘
Digital Signatures:
Worst-Case Extractable Signatures
∀𝑠𝑘 ,𝑣𝑘
Worst-Case Extractable Signatures
For every
breaks security for ⟹
𝐴
𝐸𝑠𝑘
Thank You.#define _ -F<00||--F-OO--;int F=00,OO=00;main(){F_OO();printf("%1.3f\n",4.*-F/OO/OO);}F_OO(){
_-_-_-_ _-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_ _-_-_-_
}
IOCCC 88