On Virtual Grey-Box Obfuscation for General Circuits
description
Transcript of On Virtual Grey-Box Obfuscation for General Circuits
![Page 1: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/1.jpg)
On Virtual Grey-Box Obfuscation for General Circuits
Nir Bitansky Ran CanettiYael Tauman-Kalai Omer Paneth
![Page 2: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/2.jpg)
Program Obfuscation
Obfuscated program
𝑥 y
Obfuscation
Program
𝑥 y
![Page 3: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/3.jpg)
Private Key to Public Key
Public Key
𝑚 cipher
Obfuscation
𝐸𝑛𝑐𝑠𝑘(𝑚)
𝑚 cipher
![Page 4: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/4.jpg)
Virtual Black-Box (VBB)[Hada 00, Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm is an obfuscator for a class if:
For every PPT adversary there exists a PPT simulator such that for every and every predicate :
𝐴 𝑆𝜋 (𝐶 )𝒪(𝐶 )
𝐶
Pr [ 𝐴(𝒪(𝐶))=𝜋 (𝐶 ) ]=Pr [𝑆𝐶=𝜋 (𝐶 ) ]±𝑛𝑒𝑔𝑙
![Page 5: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/5.jpg)
Impossibility Results for VBB
Impossible for some functions.[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Impossible for all pseudo-entropic functions w.r.t auxiliary input (assuming IO).[Goldwasser-Kalai 05, Bitansky-Canetti-Cohn-Goldwasser-Kalai-P-Rosen 14]
![Page 6: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/6.jpg)
𝐶1
𝒪(𝐶¿¿1)¿
𝐶2
𝒪(𝐶¿¿2)¿
≡
≈𝑐
Indistinguishability Obfuscation (IO)[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
![Page 7: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/7.jpg)
History
No general solution.
Obfuscation for simple functions:[C97,W05,CD08,CRV10,BC10,BR13]
Candidate obfuscation for all circuits [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
2000-2013:
2013:
![Page 8: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/8.jpg)
What is the security of the candidate obfuscator?
![Page 9: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/9.jpg)
Many recent applications:
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13, Sahai-Waters 13, Hohenberger-Sahai-Waters 13, Garg-Gentry-Halevi-Raykova 13, Bitansky-Canetti-P-Rosen 13, Boneh-Zhandry 13, Brzuska-Farshim-Mittelbach 14, Bitansky-P 14, Ramchen-Waters 14]
Better assumption: 1. Semantically-secure graded encodings
[Pass-Seth-Telang 13]
2. Multilinear subgroup elimination assumption[Gentry-Lewko-Sahai-Waters 14]
Assumption: the [GGHRSW13] obfuscator is IO
![Page 10: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/10.jpg)
What about other applications?
Example: point function
![Page 11: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/11.jpg)
Can we get more then IO?
Today: virtual grey-box
![Page 12: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/12.jpg)
𝑆𝐴≈𝒪(𝐶 )
𝐶
Simulation Definition for IO[Bitansky-Canetti 10]
𝐶1 𝒪(𝐶¿¿1)¿𝐶2 𝒪(𝐶¿¿2)¿≡ ≈𝑐⇒
Computationally unbounded
Weak VBB:
![Page 13: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/13.jpg)
Virtual black-box:Simulator is bounded
Indistinguishability:Simulator is unbounded
[Bitansky-Canetti 10]
Virtual grey-box (VGB):Simulator is semi-bounded
polynomial numberof oracle queries
unboundedcomputation
𝑆𝐶
𝑆
𝑆𝐶
𝐶
![Page 14: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/14.jpg)
𝑆𝐶
𝑆
𝑆
Virtual black-box:Simulator is bounded
Indistinguishability:Simulator is unbounded
[Bitansky-Canetti 10]
Virtual grey-box (VGB):Simulator is semi-bounded
Pseudo-random functions
meaningful
Point functionsNot meaningful
𝐶
𝐶
meaningful
Not meaningful
![Page 15: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/15.jpg)
Assume the [GGHRSW13] obfuscation is VGB.
Or better yet, prove it!
![Page 16: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/16.jpg)
Results
Semantically secure graded encoding
IO [Pass-Seth-Telang 13]
VGB for Semantically secure* graded encoding
Semantically secure* graded encoding VGB for
![Page 17: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/17.jpg)
Results
Semantically secure graded encoding
IO [Pass-Seth-Telang 13]
VGB for
Semantically secure* mutlilinear jigsaw puzzles VGB for all circuits
Semantically secure* mutlilinear jigsaw puzzles
![Page 18: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/18.jpg)
Results
Semantically secure graded encoding
IO [Pass-Seth-Telang 13]
VGB for
Semantically secure* mutlilinear jigsaw puzzles VGB
Semantically secure* mutlilinear jigsaw puzzles
Semantically secure mutlilinear jigsaw puzzles
VBB for new families
![Page 19: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/19.jpg)
New Feasibility Results For VBB Existing VBB results:• Point functions [Canetti 97, Wee 05]
• Constant-size set functions [Bitansky-Canetti 10]
• Constant-dimension hyperplanes [Canetti-Rothblum-Varia 10]
New results:• Fuzzy point functions (Hamming balls)• Constant-dimension linear subspaces• Conjunctions (worst-case)
Unified proof for all existing VBB results.
![Page 20: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/20.jpg)
Results
Semantically secure graded encoding
IO [Pass-Seth-Telang 13]
VGB for
Semantically secure* mutlilinear jigsaw puzzles VGB
Semantically secure*graded encoding
Semantically secure mutlilinear jigsaw puzzles
VBB for new families
![Page 21: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/21.jpg)
SIM-secure encryption IND-secure encryption
Zero-knowledge proofsWitness indistinguishable proofs
SIM-secure functional encryption
IND-secure functional encryption
Obf. w. Unbounded simulationIndistinguishability obfuscation
[Feige-Lapidot-Shamir 99]
SimulationIndistinguishability
[Goldwasser-Micali 82]
[De Caro-Iovino-Jain-O'Neill-P-Persiano 13]
[Bitansky-Canetti 10]
VGB obfuscation?
![Page 22: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/22.jpg)
This work
Strong indistinguishability obfuscation
Virtual grey-box obfuscation
![Page 23: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/23.jpg)
Indistinguishability Obfuscation
For every pair of circuits :
∀ 𝑥 :𝐶1 (𝑥 )=𝐶2(𝑥)
𝒪 (𝐶1 )≈𝑐𝒪 (𝐶2 )
![Page 24: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/24.jpg)
Strong Indistinguishability Obfuscation
For every pair of distributions on circuits:
∀ 𝑥 :Pr [~𝐶1 (𝑥 )=~𝐶2 (𝑥 ) ]≥1−negl (|𝑥|)
𝒪 (~𝐶1 )≈𝑐𝒪 (~𝐶2 )
![Page 25: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/25.jpg)
VGB from Semantic Security
Strong IO for
Virtual grey-box obfuscation for
Semantically-secure graded encoding*
![Page 26: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/26.jpg)
The Equivalence.
Strong indistinguishability obfuscation
Virtual grey-box obfuscation
![Page 27: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/27.jpg)
Strong IO VGB
Let be distributions on circuits such that:
∀ 𝑥 :Pr [~𝐶1 (𝑥 )=~𝐶2 (𝑥 ) ]≥1−negl (|𝑥|)
𝐷≈ 𝐷𝑆
~𝐶1
𝑆
~𝐶2
≈ ≈
For every distinguisher
𝒪 (~𝐶1 ) 𝒪 (~𝐶2 )
![Page 28: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/28.jpg)
The Equivalence.
Strong indistinguishability obfuscation
Virtual grey-box obfuscation
![Page 29: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/29.jpg)
Strong IO VGB: The Challenge
𝑆
𝐴𝑦𝒪(𝐶𝑥)
𝐶 𝑥
{1 if 𝑥=𝑦0 if 𝑥≠ 𝑦
❑𝑦 {1 if 𝑥=𝑦0 if 𝑥≠ 𝑦
Point Function: =
![Page 30: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/30.jpg)
𝐶
High-Level Simulation Strategy
![Page 31: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/31.jpg)
𝐶
High-Level Simulation Strategy
![Page 32: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/32.jpg)
𝐶
High-Level Simulation Strategy
![Page 33: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/33.jpg)
𝐶
High-Level Simulation Strategy
![Page 34: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/34.jpg)
𝐶
High-Level Simulation Strategy
![Page 35: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/35.jpg)
𝐶
High-Level Simulation Strategy
Extract a information about C from the adversary
![Page 36: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/36.jpg)
First Step: Concentrated Functions
A family of boolean functions is concentrated around a function if for every input :
Pr𝐶←𝐷
[𝐶 (𝑥 )= 𝑓 (𝑥 ) ]≥1−negl(|𝑥|)
![Page 37: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/37.jpg)
𝐶
Starting Point
The simulator queries on a “splitting” input
![Page 38: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/38.jpg)
𝐶
The simulator queries on a “splitting” input
![Page 39: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/39.jpg)
𝐶
The simulator queries on a “splitting” input
![Page 40: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/40.jpg)
𝐶
The simulator queries on a “splitting” input
![Page 41: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/41.jpg)
𝐶
The Concentrated Family
There is no splitting input to query
![Page 42: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/42.jpg)
Warm Up: Point Functions [Canetti 97]
Let be a strong IO for point functions. For an adversary let be the set of points such that:
Pr [𝐴 (𝒪 (𝐶𝑥 ))=1 ]− Pr [ 𝐴 (𝒪 (𝟎 ) )=1 ]≥𝜖
𝑆𝐶 𝑥
{𝐴(𝒪(𝐶𝑥 )) if 𝑥∈𝐵𝐴
𝐴(𝒪(𝟎)) if 𝑥∉𝐵𝐴
How to simulate an obfuscation of ?
If simulation is trivial.if the simulator can learn with a small number of oracle queries.
![Page 43: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/43.jpg)
Claim: .
Proof: By the definition of we have that:
.
However, if is super polynomial:
Pr [𝐴 (𝒪 (𝐶𝑥 ))=1 ]− Pr [ 𝐴 (𝟎 )=1 ]≥𝜖For an adversary let be a set of functions such that:
![Page 44: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/44.jpg)
Main Step: General Concentrated Functions
Let be a strong IO for .
For an adversary let be the set of functions s.t:
Pr [𝐴 (𝒪 (𝐶 ) )=1 ]−Pr [𝐴 (𝒪 ( 𝑓 ) )=1 ]≥𝜖
The set may be large!
![Page 45: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/45.jpg)
To simulate an obfuscation of :
1. If simulation is trivial.
2. if then simulator can learn a “separating” input s.t. in
a small number of oracle queries.
3. Set . Note: .
4. Repeat.
![Page 46: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/46.jpg)
𝐵𝐴
𝐵𝐴
𝐷
𝐵𝐴
𝐶
𝐶 (𝑧 )≠ 𝑓 (𝑧 )
𝑓𝑓 2
![Page 47: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/47.jpg)
𝑓
𝐷𝐷2
𝐶
𝑓 2𝐵𝐴2
𝐵𝐴2
𝐶 (𝑧 )≠ 𝑓 (𝑧 )
𝐷3
𝑓 3𝐶 (𝑧 2 )≠ 𝑓 2 (𝑧 2 )
![Page 48: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/48.jpg)
𝑓
𝐷𝐷2
𝐶
𝑓 2
𝐶 (𝑧 )≠ 𝑓 (𝑧 )
𝐷3
𝑓 3𝐶 (𝑧 2 )≠ 𝑓 2 (𝑧 2 )
𝐵𝐴3
![Page 49: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/49.jpg)
Claim: There exists a set of separating inputs such that: 1. . 2. For every , there exists such that
Proof:By the definition of we have that: .
Find an input that is separating for a noticeable fraction of the functions in . Such exists since otherwise:
∀ 𝑧 : Pr𝑐←𝐵𝐴
[𝐶 (𝑧 )= 𝑓 (𝑧 ) ]≥1−negl (|𝑧|)
Add to , set , and repeat.
When , how to learn a separating input s.t. in a small number of oracle queries?
![Page 50: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/50.jpg)
Two sources of inefficiency
1. Learning the function:– Finding splitting inputs to concentrate
2. Learning the adversary:– Finding the bad set – Finding the set of separating inputs
![Page 51: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/51.jpg)
Summary
• VGB is more meaningful than IO and probably more achievable than VBB.
• Strong IO VGB.
• More applications of VGB.• The quest for the “right” definition is not over.
![Page 52: On Virtual Grey-Box Obfuscation for General Circuits](https://reader036.fdocuments.us/reader036/viewer/2022062410/568151e7550346895dc0216b/html5/thumbnails/52.jpg)
Thanks!