Nir Bitansky Ran Canetti Henry Cohn Shafi Goldwasser Yael Tauman-Kalai


The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator
Nir Bitansky, Ran Canetti, Henry Cohn, Shafi Goldwasser, Yael Tauman-Kalai, Omer Paneth, Alon Rosen

Program Obfuscation
[Diagram labels: $x$, $y$, Obfuscated program]

Private Key to Public Key
[Diagram labels: $m$, cipher, $\mathrm{Enc}_{sk}(m)$, Obfuscation, $m$, cipher, Public Key]

Ideal Obfuscation
Hides everything about the program except for its input/output behavior.
Point Function etc. [Canetti 97, Wee 05, Bitansky-Canetti 10, Canetti-Rothblum-Varia 10]
Unobfuscatable Functions [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
All functions?

Obfuscation Constructions
Before 2013: No general solution.
[Diagram label: All functions]

Obfuscation Constructions
Before 2013: No general solution.
2013: Candidate obfuscation for all circuits [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
[Diagram label: All functions]

New Impossibility Result
Under computational assumptions, a natural notion of ideal obfuscation cannot be achieved for a large family of cryptographic functionalities (strengthens the impossibility of [Goldwasser-Kalai 05]).

Virtual Black-Box (VBB) [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm $\mathcal{O}$ is an obfuscator for a class $\mathcal{C}$ if: for every PPT adversary $A$ there exists a PPT simulator $S$ such that for every $C \in \mathcal{C}$ and every predicate $\pi(C)$:
[Diagram labels: $C$, $A$, $S$, $\mathcal{O}(C)$, $\pi(C)$, Inefficient!]

Using Obfuscation
[Diagram labels: Reduction, $S$, $N = p \cdot q$, $p, q$, $A$]

VBB with a Universal Simulator
Algorithm $\mathcal{O}$ is an obfuscator for a class $\mathcal{C}$ if: there exists a PPT simulator $S$ such that for every PPT adversary $A$, every $C \in \mathcal{C}$ and every predicate $\pi(C)$:
[Diagram labels: $C$, $A$, $S(A)$, $\mathcal{O}(C)$, $\pi(C)$]

Universal Simulation
[Diagram labels: Universal Simulators, Black-box Simulators, Barak's ZK simulator]

New Impossibility Result
Under computational assumptions, VBB obfuscation with a universal simulator cannot be achieved for a large family of cryptographic functionalities.

Pseudo-Entropic functions
A function family $f_k$ has super-polynomial pseudo-entropy if there exists a set of inputs $I$ such that for a random function $f_k$, there exists $Z$ with super-polynomial min-entropy:
[Diagram labels: $D$, $\approx_c$; inputs $1, 2, 3, \ldots, I$; values $f_k(1)$, $f_k(2)$, $f_k(3)$, $f_k(I) \backslash Z$]

Examples
Pseudo-random functions
Semantically-secure encryption (when the randomness is a PRF of the message)
[Diagram labels: $m$, cipher, $\mathrm{Enc}_{sk}$, $r$, $\mathrm{PRF}_s$]

New Impossibility Result
Under computational assumptions, VBB obfuscation with a universal simulator is impossible for any pseudo-entropic function.

Indistinguishability Obfuscation [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
[Diagram: $C_1 \equiv C_2$, $\mathcal{O}(C_1) \approx_c \mathcal{O}(C_2)$]
Assumption: indistinguishability obfuscation for all circuits (a candidate construction is given in [GGHRSW13]).

This Work
Assuming indistinguishability obfuscation, VBB obfuscation with a universal simulator is impossible for any pseudo-entropic function.

This Work
Average-case VBB with a universal simulator: is impossible for pseudo-entropic functions, assuming indistinguishability obfuscation for all functions.
Worst-case VBB with a universal simulator: is impossible for pseudo-entropic functions, assuming indistinguishability obfuscation for point-filter functions or, equivalently, witness encryption.

[Goldwasser-Kalai 05]:
Average-case VBB with a universal simulator: is impossible for filter functions, unconditionally.
Worst-case VBB with a universal simulator: is impossible for pseudo-entropic functions, assuming VBB obfuscation for point-filter functions.
This work:
Average-case VBB with a universal simulator: is impossible for pseudo-entropic functions, assuming indistinguishability obfuscation for all functions.
Worst-case VBB with a universal simulator: is impossible for pseudo-entropic functions, assuming indistinguishability obfuscation for point-filter functions.

Universal Simulation and Auxiliary Input
For every PPT adversary $A$ there exists a PPT simulator $S$ such that for every $C \in \mathcal{C}$, every predicate $\pi(C)$ and every auxiliary input $z$:
[Diagram labels: $C$, $A$, $z$, $S$, $z$, $\mathcal{O}(C)$, $\pi(C)$; VBB with a universal simulator]

Universal Simulation and Auxiliary Input
[Diagram labels:]
Average-case VBB with a universal simulator
Worst-case VBB with a universal simulator
Average-case VBB with independent auxiliary input
Worst-case VBB with dependent auxiliary input

Proof Idea
What can we do with obfuscated code that we cannot do with black-box access?
[Goldwasser-Kalai 05]: Find a polynomial size circuit computing the function!

Impossibility for Worst-Case VBB
Let $f_k$ be a family of PRFs. Fix the simulator $S$. Sample a random $f_k$. Construct an adversary $A$ (that depends on $f_k$) that fails $S$.
Let $I$ be the set of inputs $1, 2, \ldots, 2 \cdot \mathcal{O}(f_k)$.
$A_{k,b}(C)$: If $C = \mathcal{O}(f_k)$ and $C(I) = f_k(I)$: output the secret $b$, else output $\bot$.
[Diagram labels: $A$, $b \backslash \bot$, $C$, $I$, $f_k(I)$]

Impossibility for Worst-Case VBB
[Diagram labels: $f_k$, $A$, $S$, $b \backslash \bot$, $A$, $\mathcal{O}(f_k)$, $b$, $b$, $I$, $f_k(I)$]

Using Indistinguishability Obfuscation
[Diagram labels: $A$, $b \backslash \bot$, $\bot$, $\approx_c$, $\equiv$, $I$, $f_k(I)$, $U$]

Impossibility for Average-Case VBB
$A_s(C)$: If $C = \mathcal{O}(f_k)$: output $b = \mathrm{PRF}_s(C(I))$, else output $\bot$.
[Diagram labels: $A$, $b \backslash \bot$, $I$, $C$, $f_k(I)$, $\mathrm{PRF}_s \to b$, $C(I)$]

Impossibility for Average-Case VBB
[Diagram labels: $A$, $I$, $\mathrm{PRF}_s \to b$, $C(I)$]
Obfuscation should hide $\mathrm{PRF}_s(f_k(I))$.
Use indistinguishability obfuscation together with puncturable pseudo-random functions.
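
The two adversaries from the worst-case and average-case slides above, as an added Python example that is not taken from the presentation. HMAC-SHA256 stands in for f_k and PRF_s, and a plain closure stands in for O(f_k), since no real obfuscator is used. `table_program` and `size_budget` are hypothetical names modelling a party with only black-box access that must hand the adversary a program smaller than I; the adversary's own code is not hidden here, which is the step the slides assign to indistinguishability obfuscation.

```python
import hmac, hashlib, secrets

def prf(key: bytes, x) -> bytes:
    """Toy PRF (assumption: HMAC-SHA256 stands in for f_k and PRF_s)."""
    data = x if isinstance(x, bytes) else str(x).encode()
    return hmac.new(key, data, hashlib.sha256).digest()

def make_worst_case_adversary(k: bytes, b: bytes, I):
    """A_{k,b}: release the secret b only to a program that agrees with f_k on all of I."""
    expected = [prf(k, i) for i in I]
    def A(C):
        return b if [C(i) for i in I] == expected else None  # None models ⊥
    return A

def make_average_case_adversary(s: bytes, I):
    """A_s: output PRF_s(C(I)); no function key k is hard-wired into A."""
    def A(C):
        return prf(s, b"".join(C(i) for i in I))
    return A

def table_program(oracle, points):
    """Hypothetical black-box strategy: a lookup table over the queried points only."""
    table = {x: oracle(x) for x in points}
    return lambda x: table.get(x, b"\x00" * 32)

def demo(size_budget: int = 8):
    # Constructed sample values: fresh random keys and secret on every run.
    k, s = secrets.token_bytes(32), secrets.token_bytes(32)
    b = secrets.token_bytes(16)
    I = range(1, 2 * size_budget + 1)        # |I| is twice the size budget
    obf = lambda x: prf(k, x)                # stands in for O(f_k): code, not an oracle
    # A table that fits the budget can cover only half of I.
    small = table_program(obf, list(I)[:size_budget])
    A_wc = make_worst_case_adversary(k, b, I)
    A_avg = make_average_case_adversary(s, I)
    target = prf(s, b"".join(prf(k, i) for i in I))   # PRF_s(f_k(I))
    return {
        "code_gets_b": A_wc(obf) == b,
        "table_gets_b": A_wc(small) == b,
        "avg_code_hits_target": A_avg(obf) == target,
        "avg_table_hits_target": A_avg(small) == target,
    }

if __name__ == "__main__":
    print(demo())
```

Whoever holds code for f_k drives either adversary to its secret output, while the size-bounded table built from oracle queries does not, which is the gap between code and black-box access that the proof idea relies on.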

Thanks!