Obfuscation for

Evasive FunctionsBoaz Barak, Nir Bitansky, Ran Canetti,Yael Tauman Kalai, Omer Paneth, Amit Sahai

Program Obfuscation

Obfuscated Program

Approved Document Signature

Obfuscation

Verify and sign

Virtual Black-Box (VBB)[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Algorithm is an obfuscator for a family of functions if:

For every adversary there exists a simulator such that for every key and predicate :

𝐴 𝑆𝑃 (𝑘)𝒪( 𝑓 𝑘)

𝑓 𝑘

Impossibilities for VBBThere exist families of “unobfuscatable” functions• Can be embedded in applications

(e.g. encryption, signatures)• Implemented in Pseudo-entropic functions are unobfuscatable w.r.t auxiliary input \universal simulation[Bitansky-Canetti-Cohn-Goldwasser-Kalai-P-Rosen 14]

[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Positive results

• Constructions for simple functions [Can97, CMR98, LPS04, DS05,Wee05, CD08, CV09, CRV10,BR13]

• General constructions in idealized models [CV13,BR13,BGKPS13]

Which functions are VBB obfuscatable?

Find rich classes of functions that can be VBB obfuscated

A family of boolean functions is evasive if for or every :

Alternatively:For every efficient (non-uniform) adversary :

.

Evasive Functions

Applications

Evasive Functions

Point functions

Digital Lockers

Fuzzy point

functions

Disjunctions Hyperplanes

Example

Buggy software

Bad inputCrash

Good input

OutputPatch

Error message

Bad input

Input

No impossibility for VBB obfuscation*

of evasive functions *for the right notion of VBB

VBB for Evasive Functions

Turing machine Circuit

Worst-case

Average-case

Impossible

Impossible Impossible

No known impossibility

Contributions• New definitions for evasive function

obfuscation and the relations between them.

• Constructions for the zero-set of low degree polynomial based on multilinear maps

• Virtual-gray box obfuscation for evasive functions

Virtual-gray box obfuscation for all functions

• New definitions for evasive function

obfuscation and the relations between them.

• Constructions for the zero-set of low degree polynomial based on multilinear maps

• Virtual-gray box obfuscation for evasive functions

Virtual-gray box obfuscation for all functions

Average-case VBB

For every adversary there exists a simulator such that for every predicate and for a random key :

𝐴 𝑆𝑃 (𝑘)𝒪( 𝑓 𝑘)

𝑓 𝑘

Input-Hiding ObfuscationFor every adversary

• Only achievable for evasive functions • Incomparable to average-case VBB

• New definitions for evasive function

obfuscation and the relations between them.

• Constructions for the zero-set of low degree polynomial based on multilinear maps

• Virtual-gray box obfuscation for evasive functions

Virtual-gray box obfuscation for all functions

Constructions Average-case VBB and Input-hiding obfuscation for a subclass of evasive function:

Roots of low degree multivariate polynomials

is defined by a multivariate polynomial over . For key and input :

.

Is the Root Set Evasive?

.

For every input

Two Constructions

Security notion

Function families

Assumption

Input-hiding Average-case VBB

given by an arithmetic circuit

of size and degree

given by anarithmetic circuit

of size and depth

One-way graded encoding

Perfectly-hiding graded encoding

Graded Encodings including a description of a ring For every and every d, is an encoding

• , • (candidate scheme with public encoding from [CLT13])

[Garg-Gentry-Halevi 13]

Input-Hiding

𝒪 ( 𝑓 �⃗� )→ [𝑘1 ]1 ,…, [𝑘𝑚 ]1 [𝑥1 ]1 ,…, [𝑥𝑛 ]1←Enc( �⃗�)

Evaluate using [𝑄 (�⃗� , �⃗�) ]𝑑

0 /1Zero

Proof IdeaAssume there exists such that:

If then is a root of Can use to invert

• New definitions for evasive function

obfuscation and the relations between them.

• Constructions for the zero-set of low degree polynomial based on multilinear maps

• Virtual-gray box obfuscation for evasive functions

Virtual-gray box obfuscation for all functions

Virtual Grey-Box (VGB)[Bitansky-Canetti 10]

For every adversary there exists an unbounded simulator making polynomial number of oracle queries

such that for every predicate and for a random key :

𝐴 𝑆𝑃 (𝑘)𝒪( 𝑓 𝑘)

𝑓 𝑘

Computationally unbounded

Polynomial # of

queries

Why VGB?

Virtual black-box obfuscation

Virtual grey-box obfuscation

Indistinguishability obfuscation

Applications of VGBComposable VGB obfuscation for point functions

from a strong variant of DDH.

Digital lockers [CD08], strong KDM encryption [CKVW10], CCA encryption [MH14], computational fuzzy extractors

[CFPR14].

[Bitansky-Canetti 10]

Virtual Grey-BoxVirtual grey-box is not always meaningful.Example: pseudorandom functions

For what functions is virtual grey-box meaningful?

VGB for Evasive Functions

𝐴 𝑆𝑃 (𝑘)𝒪( 𝑓 𝑘)

𝑓 𝑘

Computationally unbounded

Polynomial # of

queries

For evasive functions ,Average-case VBB average-case VGB

Theorem

Average-case VGB for evasive functions

Average-case VGB* for all functions

* 1. Simulator make (slightly) super-polynomial #queries 2. Obfuscator is inefficient

+ indistinguishability obfuscation for all functions

Proof Idea

Any function family can be decomposed to:

Can be learned by the VGB simulator

Evasive

𝒪 ( 𝑓 𝑘 )=𝑔𝑘+𝒪(h𝑘)

Decomposition via Learning

𝑓 𝑘

Decomposition via Learning

𝑓 𝑘

Decomposition via Learning

𝑓 𝑘

Decomposition via Learning

𝑓 𝑘

Decomposition via Learning

𝑓 𝑘

Decomposition via Learning

𝑓 𝑘

𝑔𝑘

is evasive.

Thank You!

𝑓 𝑘

𝑔𝑘