Protecting Obfuscation Against Algebraic

Attacks

Boaz Barak Sanjam GargYael Tauman Kalai Omer Paneth Amit Sahai

Program Obfuscation

Public Key

𝑚 cipher  

Obfuscation

𝐸𝑛𝑐𝑠𝑘(𝑚)

𝑚 cipher  

Virtual Black-Box (VBB)[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Algorithm is an obfuscator for a class if:

For every PPT adversary there exists a PPT simulator such that for every :

𝐴 𝑆𝑃 (𝐶 )𝒪(𝐶 )

𝐶

≈

VBB ImpossibilityThere exists contrived “unobfuscatable”

programs.

[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Execute on

itself𝑆𝒪(𝐶 )

𝐶

𝐶 Secret

Secret

Code of a program

equivalent to

First Candidate Obfuscation[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]

What is the security of the candidate?Assumption:

The [GGHRSW13] obfuscator is an Indistingushability Obfuscator.

No known attacks except [BGIRSVY01].Indistinguishability Obfuscation ():For every pair of equivalent circuits :

This Work

A variant of the [GGHRSW13] obfuscator is VBB for all circuits

in a generic model (underlying algebra is idealized)

Multilinear Maps[Boneh-Silverberg 03, Garg-Gentry-Halevi 13]

Encoding of under a set .

1. iff

Idealy: any other operation is hard.

The Generic MM Model

𝐶 𝒪(𝐶 )

AddMultiply

ZT𝑥

𝐶 (𝑥)

𝑥

𝐶 (𝑥)

?

𝐸11

Our Result

Virtual Black-Box obfuscation in the generic MM model:

1. For .2. For assuming LWE.

Avoiding VBB Impossibility

Execute on

itself𝒪(𝐶 )

𝐶 Secret

Secret

Code of a program equivalent to

AddMulZT

In the Generic MM Model

Secure obfuscation against “algebraic

attacks”.

Warning:Non-algebraic attacks do exist [BGIRSVY01].

Interpretation

Interpretation IIThis Work:

VBB with Generic Multilinear Maps

+¿ Multi-Message Semantically-Secure

Multilinear Maps [Pass-Seth-Telang 13]

for P/Poly (assuming

LWE) [Pass-Seth-Telang 13]

Virtual gray-box obfuscation for

[Bitansky-Canetti-Kalai-P 14].

Previous Works in the Generic Colored Matrix

Model

[GGHRSW13]

in the Generic MM Model

[Brakerski-Rothblum13]

VBB in the Generic

MM Model[Brakerski-Rothblum13]

Assuming BSH

This Work

VBB from Black-Box Pseudo-Free

Groups

[Canetti-Vaikuntanathan13]

1. Construction for via branching programs

2. Bootstrap to P/Poly assuming LWE (leveled-FHE with decryption in )

The Construction

Branching Programs

𝑀 10𝑀 2

0𝑀 30𝑀 4

0 𝑀 50𝑀 6

0𝑀 70𝑀 8

0𝑀 90 𝑀 10

0 𝑀 110 𝑀 12

0

𝑀 11𝑀 2

1𝑀 31𝑀 4

1 𝑀 51𝑀 6

1𝑀 71𝑀 8

1𝑀 91 𝑀 10

1 𝑀 111 𝑀 12

1

𝑥1 𝑥2𝑥3 𝑥4Input:

Program:

BP Evaluation

𝑀 10𝑀 2

0𝑀 30𝑀 4

0 𝑀 50𝑀 6

0𝑀 70𝑀 8

0𝑀 90 𝑀 10

0 𝑀 110 𝑀 12

0

𝑀 11𝑀 2

1𝑀 31𝑀 4

1 𝑀 51𝑀 6

1𝑀 71𝑀 8

1𝑀 91 𝑀 10

1 𝑀 111 𝑀 12

1

0110Input:

Program:

⊤ ⊥Output:

or

Obfuscating BP1.Randomizing [Kilian 88]

2.Encoding

Step 1: Randomizing

~𝑀10~𝑀 2

0~𝑀 30~𝑀 4

0~𝑀50~𝑀 6

0~𝑀70~𝑀 8

0~𝑀 90~𝑀10

0 ~𝑀110 ~𝑀12

0

~𝑀11~𝑀 2

1~𝑀 31~𝑀 4

1~𝑀51~𝑀 6

1~𝑀71~𝑀 8

1~𝑀 91 ~𝑀10

1 ~𝑀111 ~𝑀12

1

Program:

⊤ ⊥Output:

or𝑥1 𝑥2𝑥3 𝑥4Input:

Step 1: Randomizing

~𝑀10~𝑀 2

0~𝑀 30~𝑀 4

0~𝑀50~𝑀 6

0~𝑀70~𝑀 8

0~𝑀 90~𝑀10

0 ~𝑀110 ~𝑀12

0

~𝑀11~𝑀 2

1~𝑀 31~𝑀 4

1~𝑀51~𝑀 6

1~𝑀71~𝑀 8

1~𝑀 91 ~𝑀10

1 ~𝑀111 ~𝑀12

1

0110Input:

Program:

⊤ ⊥Output:

or

Step 2: Encoding

~𝑀10~𝑀 2

0~𝑀 30~𝑀 4

0~𝑀50~𝑀 6

0~𝑀70~𝑀 8

0~𝑀 90~𝑀10

0 ~𝑀110 ~𝑀12

0

~𝑀11~𝑀 2

1~𝑀 31~𝑀 4

1~𝑀51~𝑀 6

1~𝑀71~𝑀 8

1~𝑀 91 ~𝑀10

1 ~𝑀111 ~𝑀12

1

Program:

{1} {2 } {3 } {4 } {5 } {6 } {7 } {8 } {9 } {10 } {11} {12}

⊤{1,… ,12 }

Obfuscation includes the encodings:

Proof of Security

⊤

+¿

~𝑀10 ~𝑀 4

0~𝑀50 ~𝑀 8

0~𝑀 90 ~𝑀12

0

~𝑀 21~𝑀 3

1 ~𝑀 61~𝑀7

1 ~𝑀101 ~𝑀11

1

~𝑀 20 ~𝑀 6

0 ~𝑀100

~𝑀11 ~𝑀 3

1~𝑀 41~𝑀5

1 ~𝑀71~𝑀 8

1~𝑀 91 ~𝑀11

1 ~𝑀121

…

¿0?

Simulation Outline

Test every monomial separately: ~𝑀1

0 ~𝑀 40~𝑀5

0 ~𝑀 80~𝑀 9

0 ~𝑀120

~𝑀 21~𝑀 3

1 ~𝑀 61~𝑀7

1 ~𝑀101 ~𝑀11

1

By querying 0110

Problems

1. Inconsistent monomials: ~𝑀1

0 ~𝑀 40

~𝑀51

~𝑀 80~𝑀 9

0 ~𝑀120

~𝑀 21~𝑀 3

1 ~𝑀 61~𝑀7

1 ~𝑀101 ~𝑀11

1

2. Too many monomials: (~𝑀1

0+~𝑀11 )⋅ (~𝑀 2

0+~𝑀 21 )⋅… ⋅ (~𝑀12

0 +~𝑀 121 )

Changing the Sets

~𝑀10~𝑀 2

0~𝑀 30~𝑀 4

0~𝑀50~𝑀 6

0~𝑀70~𝑀 8

0~𝑀 90~𝑀10

0 ~𝑀110 ~𝑀12

0

~𝑀11~𝑀 2

1~𝑀 31~𝑀 4

1~𝑀51~𝑀 6

1~𝑀71~𝑀 8

1~𝑀 91 ~𝑀10

1 ~𝑀111 ~𝑀12

1

{1} {2 } {3 } {4 } {5 } {6 } {7 } {8 } {9 } {10 } {11} {12}

{1} {2 } {3 } {4 } {5 } {6 } {7 } {8 } {9 } {10 } {11} {12}

⊤{1,… ,12 }

Changing the Sets

~𝑀10~𝑀 2

0~𝑀 30~𝑀 4

0~𝑀50~𝑀 6

0~𝑀70~𝑀 8

0~𝑀 90~𝑀10

0 ~𝑀110 ~𝑀12

0

~𝑀11~𝑀 2

1~𝑀 31~𝑀 4

1~𝑀51~𝑀 6

1~𝑀71~𝑀 8

1~𝑀 91 ~𝑀10

1 ~𝑀111 ~𝑀12

1

{ 11 ′ } { 22 ′} { 33 ′ } { 44 ′} { 55 ′} { 66 ′ } { 77 ′ } { 88 ′ } { 99 ′ } { 1010 ′} { 1111 ′ } { 1212′ }

{ 11 ′ } { 22 ′} { 33 ′ } { 44 ′} { 55 ′} { 66 ′ } { 77 ′ } { 88 ′ } { 99 ′ } { 1010 ′} { 1111 ′ } { 1212′ }

⊤{ 1 ,…,121′ ,…,12′ }

Changing the Sets

~𝑀10 ~𝑀5

0 ~𝑀 90

~𝑀11 ~𝑀5

1 ~𝑀 91

{ 11 ′ } { 55 ′} { 99 ′ }

{ 11 ′ } { 55 ′} { 99 ′ }

Straddling Set System

~𝑀10 ~𝑀5

0 ~𝑀 90

~𝑀11 ~𝑀5

1 ~𝑀 91

{ 15 ′} { 59 ′ } { 91 ′ }

{ 11 ′ } { 55 ′} { 99 ′ }

{ 1 ,5,91′ ,5 ′ ,9 ′}={ 11′ }∪ {55′ }∪{99′ }={ 15 ′}∪{ 59 ′}∪{ 91′ }

-matrices -matrices

Straddling Set System

~𝑀10 ~𝑀5

0 ~𝑀 90

~𝑀11 ~𝑀5

1 ~𝑀 91

{ 15 ′} { 59 ′ } { 91 ′ }

{ 11 ′ } { 55 ′} { 99 ′ }

Straddling Set System

{ 15 ′} { 26 ′ } { 37 ′ } { 48 ′ } { 59 ′ } { 610 ′} { 711 ′} { 812 ′ } { 91 ′ } {102′ } {113 ′ } {124 ′ }

{ 11 ′ } { 22 ′} { 33 ′ } { 44 ′} { 55 ′} { 66 ′ } { 77 ′ } { 88 ′ } { 99 ′ } { 1010 ′} { 1111 ′ } { 1212′ }

Too Many Monomials

( ¿+¿ ) ⋅…⋅ (¿+¿ )

(~𝑀10~𝑀 5

0~𝑀90+~𝑀1

1~𝑀51~𝑀 9

1 )⋅…⋅ (~𝑀 40~𝑀 8

0~𝑀120 +~𝑀 4

1~𝑀 81~𝑀 12

1 )

Pairing Level Together

~𝑀 9

0~𝑀 101

~𝑀 91~𝑀 10

0

From Two Levels to One

~𝑀100~𝑀 9

0

~𝑀101~𝑀 9

1

~𝑀 91~𝑀 10

1

~𝑀 90~𝑀 10

0

{ 812 ′ }{102 ′ }

{ 88 ′ }{ 1010 ′} { 10,810′ ,8 ′}{ 10,810′ ,12 ′}{10,82′ ,8 ′ }{ 10,82′ ,12 ′}

From Two Levels to One

Dual-Input BP

𝑥1 𝑥2𝑥3 𝑥4Input:

Too Many Monomials

(¿ ¿¿¿ ¿ ¿¿¿¿¿+

¿¿¿¿¿¿¿¿)(¿ ¿¿

¿ ¿ ¿¿¿¿¿+¿¿¿¿¿¿¿¿)

Thank You!