On the Impossibility of Approximate Obfuscation
Nir Bitansky and Omer Paneth
Program Obfuscation
Compute
๐ฅ
๐ฆ= ๐ ๐ ๐(๐ฅ )
Program Obfuscation๐ฅ
๐ฆ= ๐ ๐ ๐(๐ฅ )
Program Obfuscation
Sign email with If starts with
โ[email protected]โ
๐ฅ
๐ฆ=๐ (๐ฅ)/โฅ
Virtual Black-Box
is an obfuscation of :
- Functionality:
๐๐ ๐ ๐๐ด โ๐ช๐ ๐
- Security:
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Impossibility of Obfuscation
There exist families of functions that cannot be obfuscated
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Relaxed Security
- Functionality:
๐๐ ๐ ๐๐ด โ๐ช๐ ๐
- Security:
[Barak et al. 01, Goldwasser-Rothblum07, Hofheinz-Malone-Lee-Stam07, Hohenberger-Rothblum-Shelat-Vaikuntanathan07,
Bitansky-Canetti10]
Relaxed Functionality?
- Functionality:
๐๐ ๐ ๐๐ด โ๐ช๐ ๐
- Security:
Approximate Obfuscation[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
is an approximate obfuscation of :
- Functionality:
๐๐ ๐ ๐๐ด โ๐ช๐ ๐
- Security:
Main ResultAssuming trapdoor permutations, there exist families of functions that cannot be approximately
obfuscatedMotivation?
Positive applications
From Impossibility to
Applications
Impossibility of approximate obfuscation
Non-black-box extraction
๐ด๐ ๐๐ฅ ๐ ๐ ๐(๐ฅ )
๐ ๐
Zero-knowledge with
resettable security
Worst-case extractable signatures
Plan[BGIRSVY 01]:
This work:
Impossibility of Obfuscation
Impossibility of Approximate Obfuscation
Unobfuscatable Functions
Robust Unobfuscatable
Functions
Applications
Unobfuscatable Functions
๐ด๐ ๐ ๐
๐ ๐
๐ธ๐ช ๐ ๐
1. Black-box unlearnability:
:2. Extraction: Pr๐ฅโ๐
[๐ช (๐ฅ )= ๐ ๐ ๐ (๐ฅ ) ]=1โ
From Barak et al.
Robust Unobfuscatable Functions
1. Black-box unlearnability:
:2. Robust extraction:
๐ด๐ ๐ ๐
๐ ๐
๐ธ๐ช ๐ ๐Pr๐ฅโ๐
[๐ช (๐ฅ )= ๐ ๐ ๐ (๐ฅ ) ]>0 .9โ
Robust Unobfuscatable Functions
๐ ๐ ๐๐ช๐๐ ๐ ๐๐ด โ๐ช
๐ ๐๐ ๐
๐ธ
RUFs Construction
Unobfuscatable FunctionsConstruction of Barak et al. (using FHE for simplicity)
โ two -bit strings - secret key for FHE
๐ ๐ ,๐ , ๐ ๐ (๐ฅ ) :
๐ ๐ ,๐ , ๐ ๐(๐ฅ )ยฟ {ยฟยฟ๐ฅ=๐๐ฅ=0๐De c๐ ๐(๐ฅ)=๐o . w .
En c๐ ๐(๐)๐
๐
โฅ
0๐ ๐ธ๐๐ (๐) ๐ธ๐๐ (b )
๐ ๐
๐
๐
๐
Unobfuscatable Functions
0๐ ๐ธ๐๐ (๐) ๐ธ๐๐ (b )
๐ ๐
๐
๐
๐
Black-Box Unlearnability
๐ด๐๐
๐ถ
0๐ ๐ธ๐๐ (๐) ๐ธ๐๐ (b )
๐ ๐
Extraction
๐ธ๐ถโก ๐ ๐
๐ธ๐ฃ๐๐ (๐ถ )๐ถ๐ถ
๐ถ
0๐ ๐ธ๐๐ (๐) ๐ธ๐๐ (b )
๐ ๐
Robust Extraction?
๐ธ
๐ถโ๐ถโ
๐ถโ ๐ ๐ถโ(๐ฅ)={ โฅ๐ธ๐๐๐ ๐(๐)
๐ฅ=๐๐ฅ=0๐
๐โฅ
๐ท๐๐๐ ๐(๐ฅ )=๐๐ .๐ค .
A Taste of the Construction
๐ ๐ ,๐(๐ฅ)={๐ ๐ฅ=๐โฅ ๐ .๐ค .
Q: Find such that:
with errors ๐ a , b
Randomly reduce to
Getting Robustness
๐ ๐ ,๐(๐ฅ)={๐ ๐ฅ=๐โฅ ๐ .๐ค .
with errors ๐ a , b
๐h
๐๐
๐โ๐ โ
๐โ๐๐โPRF (๐ )
PRF (๐ )
๐
๐ , h ๐ a , b
๐ด๐ , h
๐
๐ ๐ queries on and queries on
Construction of RUFs
ยฟ { ๐๐ธ๐๐๐ ๐(๐)
๐ฅ=๐๐ฅ=0๐
๐โฅ
๐ท๐๐๐ ๐(๐ฅ)=๐๐ .๐ค .
๐ ๐ ,๐ , ๐ ๐(๐ฅ )
โข RUFs from trapdoor permutations.
โข Weak RUFs from OWF only:
Assumptions
๐ธ๐ช ๐ ๐
โ ๐ฅ :๐ช (๐ฅ )โ { ๐ ๐ ๐ (๐ฅ ) ,โฅ}
Applications
Publicly-Verifiable RUOFs
๐ด๐ ๐ ๐
๐ ๐ ๐ธ๐ช ๐ ๐
iff
๐ฃ๐ ๐ฃ๐
๐ ๐,๐ฃ๐โGen () Pr๐ฅโ๐
[Ver๐ฃ๐ (๐ฅ ,๐ช (๐ฅ ) )=1 ]> 1poly(๐)
Resettably-Sound ZK[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]
๐ฅโโ?๐ซStandard ZK
ResettableSoundnes
s๐ฑ
Resettable Soundness[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]
๐ฑ๐ซโ๐ฅโโ
Resettable Soundness[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]
๐ฑ๐ซโ๐ฅโโ๐ฑ
No Black-Box Simulator
๐ฑ๐ซโ
Resettable soundness Zero-knowledge(black-box simulator) ๐ซโ
๐ฑ ๐ฎ๐ฑโ
[Barak-Goldreich-Goldwasser-Lindell 01]
Resettably-Sound ZK
๐ฑ๐ซโ ๐ฎ๐ฑโ
Resettable soundness Zero-knowledge (non-black-box simulator)๐ซโ
๐ฑ
[Barak-Goldreich-Goldwasser-Lindell 01, BP 12, Chung-Pass-Seth 13]
๐ซ ๐ฑResettably-Sound ZK๐ ๐,๐ฃ๐๐ฃ๐
๐ฅโ๐๐ ๐ ๐(๐ฅ )
Witness indistinguishable proof:
or โknowsโ
๐ซ ๐ฑResettably-Sound ZK๐ ๐,๐ฃ๐๐ฃ๐๐ฅ๐ ๐ ๐(๐ฅ )
Witness indistinguishable proof:
or โknowsโ
๐ฑ๐ซโ๐ฅ๐ ๐ ๐(๐ฅ )
Analysis
๐ฎ ๐๐๐ฑโ
Resettable soundness Zero-knowledge
๐ซโ๐ ๐ ๐
๐ ๐
๐ฎ๐ ๐
๐ธ
โข Resettably-sound ZK from OWFs (Different approach from Chung-Pass-Seth 13)
โข Simultaneously-resettable ZK from OWFs (using srWI by Chung-Ostrovsky-Pass-Visconti 13)
โข 4-message resettably-sound ZK โข 3-message simultaneously-resettable
WI proof of knowledge
More Resettable Crypto
Sign ๐ ๐
Sign ๐ ๐
๐ด๐ ๐
๐ (๐ยฟยฟ ๐)ยฟ๐ฃ๐
Digital Signatures:
Worst-Case Extractable Signatures
โ๐ ๐ ,๐ฃ๐
Worst-Case Extractable SignaturesFor every
breaks security for โน
๐ด
๐ธ๐ ๐
Thank You.#define _ -F<00||--F-OO--;int F=00,OO=00;main(){F_OO();printf("%1.3f\n",4.*-F/OO/OO);}F_OO(){
_-_-_-_ _-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_ _-_-_-_
}
IOCCC 88