Obfuscation: Hiding Secrets in Software Amit Sahai Actual talk took ~40 minutes An NSF Frontier Center Institut Henri Poincaré, October 16, 2015

The mind-reading adversary Suppose you want to keep a secret. But there is an adversary that: Captures your entire brain Reads and tampers with the activity of every neuron in brain While you are thinking about your secret. Obfuscation: CS-analog of this scenario is common: Can a computer program keep a secret, even if adversary captures the entire program? No trusted hardware, no interaction. Just an ordinary program with ordinary inputs and outputs. Running on a single ordinary computer.

“Spread out the computation” Earlier concepts Secure Multi-Party Computation [Yao, Goldreich-Micali-Wigderson, BenOr-Goldwasser-Wigderson, …] Adversary can see Adversary is blocked Solution idea: “Spread out the computation”

General-Purpose Obfuscation: No part of computation is hidden. Earlier concepts Leakage-Resilient Compilers [Ishai-Sahai-Wagner, …, Goldwasser-Rothblum] Previous concepts required some portion of computation to be completely hidden from Adversary. General-Purpose Obfuscation: No part of computation is hidden. Some fraction* < 1 of computation is leaked to Adversary

What programs allow for secrets? Consider program P(x): Constant: s If x < s, output 1, else output 0 If any program equivalent to P is revealed to Adversary, Adversay can use binary search to recover s. Thus: For secrecy to be plausible, program must (at least) be un-learnable with queries. Hope: “Virtual Black Box” O(P) = P

The road to a good definition O(P) = P Virtual Black Box formalized, but then ruled out, by [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang]. What [BGIRSVY 2001] shows: There are contrived “self-eating programs” for which black-box obfuscation suffers from explicit attacks. Idea: Create Program P(x): Constant: secret s “Check if x = program equivalent to P” If so, output secret s, else output 0 Note: known negative results only for such pathological scenarios. In practice, still reasonable to use VBB definition. But this is a Theory talk, so we won’t explore this further.

A formal definition Indistinguishability Obfuscation (iO) [BGIRSVY] Polynomial slowdown: For any program P, iO(P) is equivalent to P, and Time( iO(P) ) = poly(Time( P )) Indistinguishability: For equivalent programs (P0, P1) of same size, no polynomial-time adversary can distinguish between (P0, P1, iO( P0 )) and (P0, P1, iO( P1 )) No impossibility known, but open for long time. First mathematical construction in 2013: [Garg-Gentry-Halevi-Raykova-Sahai-Waters] Has turned out to be surprisingly useful. Definition does not explicitly protect most secrets, but can be leveraged to provably guarantee secrets. [Garg-Gentry-Halevi-Raykova-Sahai-Waters, Sahai-Waters, … ] The obfuscator iO itself is a probabilistic polynomial-time algorithm. Curious fact: If P=NP, iO for circuits exists unconditionally: iO(C) = padded-min-circuit(C) Thus, iO cannot imply hardness, but as we’ll see later, iO can be used to leverage hardness In other words: iO is a “pseudo-canonicalizer” iO(P) is indistinguishable from, and therefore reveals no more than, a canonical form of the program P. “Researchers are hailing the new work as a watershed moment for cryptography” -Quanta, the Simons Foundation Magazine

iO Example: Crippleware Powerful Software Expressive User Interface Powerful Secrets Crippled (Demo) version redesigned from scratch Crippled User Interface No Secrets ≅ Crippled We can release this and be sure that secrets are safe!

Many, many applications iO used to resolve long-standing open problems: Functional Encryption (see Craig’s talk) [GGHRSW] Deniable Encryption via Punctured Programming [Sahai-Waters] 2-round MPC [Garg-Gentry-Halevi-Raykova] iO also used to introduce new concepts: Multi-Input FE [Goldwasser-Goyal-Jain-Sahai, Gordon-Katz-Liu-Shi-Zhou] Upgrading Random Oracles to Universal Samplers [Hofheinz-Jager-Khurana-Sahai-Waters-Zhandry] Almost surely much more to come… iO as the “central hub” for cryptography?

Context: The Development of Crypto Cryptography = Hardness* What about all this space? Obfuscation FE Crippleware FHE ABE IBE Short Signatures MPC ZK PKE Signatures RSA Factoring DDH Bilinear BDDH Bilinear DLIN LWE Gentry’s ICP Mmap Candidates *Let’s ignore information-theoretic cryptography for now.

Rest of this talk: constructions and security Main solution idea: Structured Noise Add structured noise to program components If components are combined via honest program execution, then noise cancels out and output is obtained Any other combination of components leaves noise intact, hiding all useful information from adversary Let’s now jump into how this works: Obfuscation Matrix Branching Programs [Garg-Gentry-Halevi-Raykova-Sahai-Waters] (We will follow presentation of [Barak-Garg-Kalai-Paneth-Sahai] here.)

Example: k=2 G{1} , G{2} , G{1,2} are each copies of ZN Use [2]{1} to denote encoding of 2 in G{1} The “k-Mmap” algebraic framework [Boneh-Silverberg, Garg-Gentry-Halevi] Example: [2]{1} + [7]{1} = [9]{1} But [2]{1} + [7]{2} not allowed. We work in a setting where limits are placed on allowed algebraic ops on encoded values.. Formal setting: For every nonempty subset S of {1,2,…,k}, there is ring GS. Each GS is a copy of ZN for large N. Allowed algebraic operations limited to: Addition: GS x GS to GS Multiplication: GS x GT to GS⌴T, if S and T disjoint Zero-Test: G{1,2,..k} to {Yes,No} We will eventually state computational hardness assumptions over this framework. Example: [2]{1}  [3]{2} = [6]{1,2} But : [2]{1}  [3]{1} not allowed (i.e. only multi-linear operations OK) Only Zero Test query yields un-encoded information “in the clear”.

The “k-Mmap” algebraic framework [Boneh-Silverberg, Garg-Gentry-Halevi] We work in a setting where limits are placed on allowed algebraic ops on encoded values.. Formal setting: For every nonempty subset S of {1,2,…,k}, there is ring GS. Each GS is a copy of ZN for large N. Allowed algebraic operations limited to: Addition: GS x GS to GS Multiplication: GS x GT to GS⌴T, if S and T disjoint Zero-Test: G{1,2,..k} to {Yes,No} We will eventually state computational hardness assumptions over this framework. Important note: To construct obfuscation, only need “Multilinear Jigsaw Puzzles” [GGHRSW] where: No low-level encodings of zero are given out Only master-key holder needs to generate new encodings This is critical to avoids attacks for known Mmap candidates. (more on this later)

Matrix Branching Programs [Barrington, GGHRSW] Simple example: Want to implement: F(x1 x2) = XOR( x1, x2 ) Oblivious Matrix Branching Program for F: n-bit input x=x1x2…xn (e.g. n=3 here) 2k invertible matrices over ZN Evaluation on x: Where B is fixed matrix ≠I over ZN M1, 0 M1, 1 M2, 0 M2, 1 M3, 0 M3, 1 M4, 0 M4, 1 … … [Barrington]: All log-depth (NC1) circuits have poly-size Matrix Branching Programs Mk, 0 Mk, 1

Towards Obfuscation Oblivious Matrix Branching Program for F: Kilian Simulation Towards Obfuscation Oblivious Matrix Branching Program for F: n-bit input x=x1x2…xn (e.g. n=3 here) 2k invertible matrices over ZN Evaluation on x: Where B is fixed matrix ≠I over ZN Kilian Randomization: Chose R1, …, Rk-1 random over ZN Kilian shows that for each x, can statistically simulate Mx matrices knowing only product. M1, 0 ~ M1, 1 ~ M2, 0 ~ M2, 1 ~ M3, 0 ~ M3, 1 ~ M4, 0 ~ M4, 1 ~ … … Mk, 0 ~ Mk, 1 ~ ~

Towards Obfuscation Proof by example: Consider (M1R) and (R-1M2) Rename: R’ = M2-1R, so R = M2R’ Now: M1R = M1M2R’ R-1M2 = R’-1 Oblivious Matrix Branching Program for F: n-bit input x=x1x2…xn (e.g. n=3 here) 2k invertible matrices over ZN Evaluation on x: Where B is fixed matrix ≠I over ZN Kilian Randomization: Chose R1, …, Rk-1 random over ZN Kilian shows that for each x, can statistically simulate Mx matrices knowing only product. M1, 0 M1, 1 M2, 0 M2, 1 M3, 0 M3, 1 M4, 0 M4, 1 … Mk, 0 Mk, 1 ~ Only need to know M1M2 to generate these. ~

Towards Obfuscation Oblivious Matrix Branching Program for F: n-bit input x=x1x2…xn (e.g. n=3 here) 2k invertible matrices over ZN Evaluation on x: Where B is fixed matrix ≠I over ZN Kilian Randomization: Chose R1, …, Rk-1 random over ZN Kilian shows that for each x, can statistically simulate Mx matrices knowing only product. M1, 0 M1, 1 M2, 0 M2, 1 M3, 0 M3, 1 M4, 0 M4, 1 … Mk, 0 Mk, 1 ~ ~

Towards Obfuscation Could this already be secure? M1, 0 M1, 1 M2, 0 M2, 1 M3, 0 M3, 1 M4, 0 M4, 1 … Mk, 0 Mk, 1 ~ Encode each matrix entry in GS as shown here. Note: Can still multiply matrices as needed for correctness. {1} {1} {2} {2} {3} {3} {4} {4} No. Key obstacle: Input-Mixing Attack. Don’t know how to bound information learned by input-mixing attacks. {k} {k}

Changing the Mmap sets ~ M1, 0 M1, 1 M2, 0 M2, 1 M3, 0 M3, 1 M4, 0 … Mk, 0 Mk, 1 ~ {1} {1} {2} {2} {3} {3} {4} {4} {k} {k}

Changing the Mmap sets ~ M1, 0 M1, 1 M2, 0 M2, 1 M3, 0 M3, 1 M4, 0 … Mk, 0 Mk, 1 ~ {1,1’} {1,1’} {2,2’} {2,2’} {3,3’} {3,3’} {4,4’} {4,4’} {k,k’} {k,k’}

Changing the Mmap sets ~ ~ ~ ~ ~ ~ M1, 0 M1, 1 {1,1’} {1,1’} M4, 0 {4,4’} {4,4’} M7, 0 ~ M7, 1 ~ {7,7’} {7,7’}

“Straddling Sets” [BGKPS] Changing the Mmap sets M1, 0 ~ M1, 1 ~ {1,1’} {1,7’} “Straddling Sets” [BGKPS] M4, 0 ~ M4, 1 ~ {4,4’} {4,1’} M7, 0 ~ M7, 1 ~ {7,7’} {7,4’}

Obfuscation Construction [GGHRSW, BGKPS] This gives a plausible obfuscation construction. No known attacks on this iO construction (over GGH13). In fact, with a little more randomness: Can rule out all attacks that respect Mmap algebraic interface: [GGHRSW, Brakerski-Rothblum, Barak-Garg-Kalai-Paneth-Sahai], also: [Miles-Sahai-Weiss, Sahai-Zhandry] M1, 0 ~ M1, 1 M2, 0 M2, 1 M3, 0 M3, 1 M4, 0 M4, 1 … … Mk, 0 Mk, 1

Security vs. Algebraic Attacks [GGHRSW, BR, BGKPS] Note that algebraic attacks are highly nontrivial in multilinear (and beyond) setting. Entire subarea of complexity theory: arithmetic circuit complexity devoted to proving lower bounds in such settings. Many, many open problems. In fact, some obfuscation-related security conjectures would imply VP ≠ VNP. [Miles-Sahai-Weiss] Good news: Unlike poor complexity theorists, who study algebraic complexity of natural functions, we cryptographers get to devise our own functions. M1, 0 ~ M1, 1 M2, 0 M2, 1 M3, 0 M3, 1 M4, 0 M4, 1 … … Mk, 0 Mk, 1

Security of iO [GGHRSW] iO requires that iO(C) ≅ iO(C’) if C(x) = C’(x) for all x. It is equivalent to show that there exists an unbounded simulator SC that can simulate any PPT Adversary that is given iO(C) as input. Observe SC same as SC’ Other direction: Unbounded S computes T = padded-min-circuit(C), then feeds iO(T) to adversary. M1, 0 ~ M1, 1 M2, 0 M2, 1 M3, 0 M3, 1 M4, 0 M4, 1 … … Mk, 0 Mk, 1

Unbounded Simulation vs. Algebraic Attacks [GGHRSW, BR, BGKPS, MSW] Consider algebraic adversary, creates polynomial P. Is it zero? Consider any monomial M Because of we know that each monomial can only touch matrix entries corresponding to single input. For each input x, let Px be the sum of all monomials corresponding to input x. Now, apply Kilian’s simulation and Schwartz- Zippel to determine if Px is zero. Can simulate each Px separately: M1, 0 ~ M1, 1 ~ M2, 0 ~ M2, 1 M3, 1 ~ Guarantees algebraic independence of each Px. For P to be zero, by Schwartz-Zippel, each Px must be zero. M3, 0 ~ M4, 0 … ~ M4, 1 ~ … Mk, 0 ~ Mk, 1 ~

Where we are vs. Where we want to be Truly a strange situation: We can start with [GGH13] Mmaps that do have zeroizing attacks. Use [GGH13] Mmaps to build iO. Use iO to build a kind of Mmaps [AFHLP15, PS15]. The final Mmaps do not have any attacks, to the best of our knowledge. (So in fact, bizarrely, we do have Mmap candidates with no known attacks.) Where we are vs. Where we want to be We’ve seen lots of zeroizing attacks on Mmaps. Unfortunately, the attacks are not “algebraic” in the Mmap model, but instead exploiting the underlying algebraic structure in the Mmap candidates. So, our nice security proof itself does not rule out zeroizing attacks on our obfuscation construction. Still, there are no known attacks to the presented obfuscation scheme over (for example) GGH13. Recall: GGH13 seems more secure than other mmap candidates when no low-level 0s are given out. Now what? Invertible Ms Fix C1

Post-Zeroizing Obfuscation Questions Why don’t zeroizing attacks affect obfuscation (over GGH13)? Can we argue that we only need weak Mmaps (that are susceptible to zeroizing attacks) to build fully secure obfuscation? Long-term research agenda: what are the minimal notions of Mmaps that are still powerful enough to yield secure iO ? Questions posed and progress made recently [Badrinarayanan-Miles-Sahai-Zhandry] Invertible Ms Fix C1

Post-Zeroizing Obfuscation [Badrinarayanan-Miles-Sahai-Zhandry] In fact, this holds even when Mi matrices are not full rank. Proven in a completely different way from Kilian’s thm. We use: Argument is careful examination of impact of permutations σ that arise in R-1 on cancellation necessary to get to 0. Post-Zeroizing Obfuscation [Badrinarayanan-Miles-Sahai-Zhandry] Why don’t zeroizing attacks affect obfuscation (over GGH13)? Recall: for zeroizing attacks, at a basic level, we need top-level encodings of zero. How can adversary make these? Theorem [BMSZ] (Informal): Only way for adversary to create top-level zero is by evaluating the complete iterated matrix product (or linear combinations thereof with known constants) Recall from Craig’s talk: Can show as corollary that adversary cannot create such encodings (at least not directly) – ruling out at least one way zeroizing attacks could exist over GGH13. (ongoing work) Invertible Ms Fix C1

Post-Zeroizing Obfuscation [Badrinarayanan-Miles-Sahai-Zhandry] Can we argue that we only need weak Mmaps (that are susceptible to zeroizing attacks) to build fully secure obfuscation? Corollary[BMSZ] (Informal): Yes, at least for evasive functions. Evasive f is where it is hard to find input x such that f(x)=1 Proof sketch: Use Theorem to create obfuscation where only way to get top-level zeroes is to evaluate corresponding to input x such that f(x)=1 Next step: Beyond evasive, using more refined post-zeroizing model? Invertible Ms Fix C1

Post-zeroizing Obfuscation: A new target for Mmap designers Basing security on a natural concrete conjecture [Gentry-Lewko-Sahai-Waters] This gives a single assumption target for future Mmap candidates.

The “k-Mmap” algebraic framework [Boneh-Silverberg ‘03, Garg-Gentry-Halevi ‘13] We work in a setting where limits are placed on allowed algebraic manipulations. For every nonempty subset S of {1,2,…,k}, there is GS: Each GS is a copy of ZN for large N. Allowed algebraic operations limited to: Addition: GS x GS to GS Multiplication: GS x GT to GS⌴T, if S and T disjoint Zero-Test: G{1,2,..k} to {Yes,No}

The “k-Mmap” algebraic framework [Boneh-Silverberg ‘03, Garg-Gentry-Halevi ‘13] We work in a setting where limits are placed on allowed algebraic manipulations. For every “level” i in {1,2,…,k}, there is Gi: Each Gi is a copy of ZN for large N. Allowed algebraic operations limited to: Addition: Gi x Gi to Gi Multiplication: GS x GT to GS⌴T, if S and T disjoint Zero-Test: Gk to {Yes,No}

The “k-Mmap” algebraic framework [Boneh-Silverberg ‘03, Garg-Gentry-Halevi ‘13] We work in a setting where limits are placed on allowed algebraic manipulations. For every “level” i in {1,2,…,k}, there is Gi: Each Gi is a copy of ZN for large N. Allowed algebraic operations limited to: Addition: Gi x Gi to Gi Multiplication: Gi x Gj to Gi+j, if i+j ≤ k Zero-Test: Gk to {Yes,No}

Warm-up (Special-Case) Assumption This is essentially a “Subgroup Decision Assumption” without pairings k=1 Mmap over composite N, with 2 large prime factors: One “special” prime factor c One “distinguished” prime factor a1 Can represent x in ZN using CRT: (x mod c, x mod a1) Adversary gets Level-1 encodings: (random) generators of each prime subgroup, except c: [ (0, r1) ]1 h1 = [ (r2, 0) ]1 Hard for Adversary to distinguish Level-1 encoding of: T = [ (r3, r4) ]1 vs. T = [ (0, r4) ]1

Warm-up 2 (Special-Case) Assumption k=2 Mmap over composite N, with 3 large prime factors: One “special” prime factor c Two “distinguished” prime factors a1, a2 Can represent x in ZN using CRT: (x mod c, x mod a1, x mod a2) Adversary gets Level-1 encodings: (random) generators of each prime subgroup, except c: [ (0, r1, 0) ]1 and [ (0, 0, r2) ]1 h1 = [ (r3, 0, r4) ]1 and h2 = [ (r5, r6, 0) ]1 Hard for Adversary to distinguish Level-1 encoding of: T = [ (r7, r8, r9) ]1 vs. T = [ (0, r8, r9) ]1 Note: Can’t give out gc = [ (r, 0, 0) ]1 ! Otherwise, compute (T  gc) and ZeroTest to distinguish. Note: Can’t set max multi-linearity k=3 ! Otherwise, compute (T  h1 h2) and ZeroTest to distinguish.

The Assumption [GLW14]: Multilinear Subgroup Elimination k Mmap over composite N, with many large prime factors: One “special” prime factor c k “distinguished” prime factors a1, a2, …, ak poly other primes; CRT representation: (x mod c, x mod a1, …) Adversary gets Level-1 encodings: (random) generators of each prime subgroup, except c: For “distinguished primes” as well as other primes hi = [ (r, r1, r2, …, ri-1, 0, ri+1, ri+2, …, rk, 0, …, 0) ]1 for all i Hard for Adversary to distinguish Level-1 encoding of: T = [ (r’, r’1, r’2, …, r’k, 0, …, 0) ]1 vs. T = [ (0, r’1, r’2, …, r’k, 0, …, 0) ]1

How to argue security We need proof of indistinguishability: iO(C0) to iO(C1) Use several “hybrid” steps, where want to switch out some part of C0 computation with C1 computation. Idea: Use Kilian’s simulation to “switch” between C0 and C1 for a single input. Go over each input with 2n hybrids, where n=input size. This is OK by complexity leveraging: We assume 2λ hardness, where λ is security parameter, and Mmap realization has poly(λ) overhead. When obfuscating program C with inputs of length n, Choose λ such that λε >> n ε

Overall reduction strategy Reduction will isolate each input. Main idea: Have poly many “parallel” obfuscations, each responsible for a bucket of inputs Hybrid Type 1: Transfer inputs between different buckets, but programs do not change at all. Assumption used here. Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program. Information-theoretic / No Assumption needed. C0 C0 C1 Thank you.

Overall reduction strategy Reduction will isolate each input. Main idea: Have poly many “parallel” obfuscations, each responsible for a bucket of inputs Hybrid Type 1: Allocate/Transfer inputs among different buckets, but programs do not change at all. Assumption used here. Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program. Information-theoretic / No Assumption needed. C0 C0 C1 Thank you.

Overall reduction strategy Lesson: Ability to make this (minor) type of change is actually sufficient! Overall reduction strategy Hybrid Type 1 Illustration. Consider the code: if (x ≤ 37) then { return C0(x) } else if (x ≤ 39) { } else { return C1(x) } Reduction will isolate each input. Main idea: Have poly many “parallel” obfuscations, each responsible for a bucket of inputs Hybrid Type 1: Allocate/Transfer inputs among different buckets, but programs do not change at all. Assumption used here. Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program. Information-theoretic / No Assumption needed*. x 38 C0 C0 C1 C1 Thank you.

Hybrids intuition C0 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ M1, 0 M1, 1 M2, 0 M2, 1 M3, 0 … … Mk, 0 ~ Mk, 1 ~

Hybrids intuition C0 C0 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Use Assumption to make this change M1, 0 ~ M1, 1 ~ M1, 0 ~ M1, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M2, 1 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M3, 1 ~ M4, 0 ~ M4, 1 ~ M4, 0 ~ M4, 1 ~ … … … … Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~

Hybrids intuition C0 C0 C0 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ M1, 0 ~ M1, 1 ~ M1, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M2, 1 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M3, 1 ~ M4, 0 ~ M4, 1 ~ M4, 0 ~ M4, 1 ~ M4, 0 ~ M4, 1 ~ … … … … … … Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~

Hybrids intuition C0 C0 C0 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ M1, 0 ~ M1, 1 ~ M1, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ … M4, 0 ~ M4, 1 ~ M4, 0 ~ M4, 1 ~ M4, 1 ~ … … … … … Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~ Mk, 0 ~

Hybrids intuition C0 C0 C1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ All R matrices are independent for each obfuscation. Can now use Kilian ! Hybrids intuition C0 C0 C1 M1, 0 ~ M1, 1 ~ M1, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ … M4, 0 ~ M4, 1 ~ M4, 0 ~ M4, 1 ~ M4, 1 ~ … … … … … Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~ Mk, 0 ~

Hybrids intuition C1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ M1, 0 M1, 1 M2, 0 M2, 1 M3, 0 … M4, 0 ~ M4, 1 ~ … … Mk, 0 ~ Mk, 1 ~

How to transfer inputs C0 C0 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ M1, 0 ~ M1, 1 ~ M1, 0 ~ M1, 1 ~ M2, 0 ~ M2, 1 ~ M2, 0 ~ M2, 1 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M3, 1 ~ … M4, 0 ~ M4, 1 ~ M4, 0 ~ M4, 1 ~ … … … … Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~

The Assumption [GLW14]: Multilinear Subgroup Elimination k Mmap over composite N, with many large prime factors: One “special” prime factor c k “distinguished” prime factors a1, a2, …, ak poly other primes; CRT representation: (x mod c, x mod a1, …) Adversary gets Level-1 encodings: (random) generators of each prime subgroup, except c: For “distinguished primes” as well as other primes hi = [ (r, r1, r2, …, ri-1, 0, ri+1, ri+2, …, rk, 0, …, 0) ]1 for all i Hard for Adversary to distinguish Level-1 encoding of: T = [ (r’, r’1, r’2, …, r’k, 0, …, 0) ]1 vs. T = [ (0, r’1, r’2, …, r’k, 0, …, 0) ]1

How to transfer inputs (cheating) Prime a1 Prime c Use T to create these C0 C0 M1, 0 ~ M1, 1 ~ M1, 0 ~ M1, 1 ~ Use hi, i≠1 to create rest (since they are the same in c and a1 subgroups) M2, 0 ~ M2, 1 ~ M2, 0 ~ M2, 1 ~ M3, 0 ~ M3, 1 ~ M3, 0 ~ M3, 1 ~ … “Missing” ai in hi used to enforce input consistency. M4, 0 ~ M4, 1 ~ M4, 0 ~ M4, 1 ~ Key point: The programs for each prime is fixed. The reduction can directly build all matrices. Assumption plays no role in matrix choices. … … … … Mk, 0 ~ Mk, 1 ~ Mk, 0 ~ Mk, 1 ~

iO without Mmap candidates? FE to iO (sketch) [AJ, BV,AJS] Starting point: [Goldwasser-Goyal-Jain-Sahai] [Gordon-Katz-Liu-Shi-Zhou] showed that Multi-Input Functional Encryption (MiFE) implies iO In fact, only need FE for simple functions [AJS]: Priv-key FE Func-Priv MiFE1 Func-Priv MiFE2 ... [BS’15] Func-Priv MiFE𝑛-1 n-1 Invertible Ms Fix C1 Pub-key FE Pub-key FE Pub-key FE MiFE2 MiFE3 MiFE𝒏 Slide from Abhishek Jain

Conclusion Obfuscation – despite amazing progress, still in its infancy. Need to explore risky new approaches. We are still in the initial mapping-out stage, not anywhere near the cleanup stage. Efficiency remains major bottleneck. Polynomial time, but current computational overhead easily exceeds 2100. iO surprisingly useful: See Craig’s talk! Invertible Ms Fix C1