Obfuscation of Probabilistic Circuits Ran Canetti, Huijia Lin Stefano Tessaro, Vinod Vaikuntanathan

Program Obfuscation P P(x) x x Obf(P) Compile a program into unintelligible ones, preserving functionality

Program Obfuscation Compile a program into unintelligible ones, preserving functionality Different notions of obfuscation Virtual-Black-Box (VBB) [BGI+12,GK,BCC+14] Virtual-Grey-Box (VGB) [BC10] Differing-input Obfuscation (diO) [BGI+12] Indistinguishability Obfuscation (iO) [BGI+12]

However, so far, Obfuscation for deterministic programs only Probabilistic programs? Reflected in Correctness (For all x, P(x) = Obf[P](x)) E.g. Obfuscate cryptographic algorithms Why bother? Treat random coins as input

Motivating Examples Oblivious Sampler g r1, g r2, g r1*r2 Index i Obf(P) Cannot treat the random coins as plain input 1.Hiding: Keep the randomness hidden 2.Correctness: Randomness un-skewed Oblivious re-encryption Re-Randomized C’ = Enc(pk, m; r) Ciphertext C of m Obf(P)

This work: IO for probabilistic programs (pIO) There are several variants. Focus on pIO = X-pIO in this talk Theorem 1 (Construction): Sub-exp secure IO  pIO * Theorem 2 (Application to FHE): pIO + Re-Randomizable PKE  FHE ⊺ without circular security * hiding OWF or some details ⊺ more details later

pIO Intuition: Correctness PpiO[P] probabilisticdeterministic Preserving functionality: { P(x) } ≈ { piO[P](x) } LHS over the randomness of P RHS over the randomness of piO Strengthened Correctness: Oracle accesses to P or piO[P] are indistinguishable if no inputs are asked repeatedly

pIO Intuition: Security ≡ Functionally equivalent PObf(P) QObf(Q) ≈ indistinguishable “functionally indistinguishable” ≅ A notion of functional indistinguishability  a notion of pIO

Dynamically-IND A sampler (P, Q, z)  D is dynamically-IND, if (P, Q, z)  D x (P,Q, z) y = P(x) x (P,Q, z) y = Q(x) ≈ D-piO: ∀ such sampler D, {P, Q, piO(P), z} ≈ {P, Q, piO(Q), z} Collapse to diO for deterministic prog Implausible [GGHW14]

X-indistinguishability (P, Q, z)  D y = P(x)y = Q(x) ≈ X-piO: ∀ such sampler D, {P, Q, piO(P), z} ≈ {P, Q, piO(Q), z} xx (P,Q, z) (negl / X)-indist (X = # of inputs) Statically-chosen A sampler (P, Q, z)  D is X-IND, if Gap is “Tight”

Variants of pIO

Sub-exp IO  pIO * Thought experiment pIO(P) pIO(Q) ≈ P, Q have only a single input AND P(x) ≈ Q(x) pIO(P): De-randomize P to de-P k (x) = P(x; PPRF(k, x)) IO obfuscate iO(de-P k ) IO(de-P k ) IO(de-Q k ) ≈

iO(de-P k ) iO(de-Q k ) pIO for single-input prog’s iO(de-P k (x)) iO(de-Q k (x)) ≈ iO de-P k (x)= P(x; PPRF(k, x)) iO(y Q ) y P  P(x) iO(y P ) ≈ PPRF ≈ Output-Indist ≈ PPRF ≈ iO

iO(de-P k ) iO(de-Q k ) ≈ pIO for single-input prog’s

P P Q Q Use Exponential-hybrids, #hybrids = #inputs Sub-exp IO  pIO P P Q Q ≤ i-1> i-1 P P Q Q ≤ i> i Differ only at a single input i+1 Need Sub-Exp IO and X-IND

Application of pIO CPA Re-randomizable FHELHE + piO Independent step Work for any LHE with fixed dec depth assuming Super-poly iO Cor: Super-poly LWE + iO  FHE without circular security

Evk i = C’ C1C2 P i (C1, C2): 1.Decrypt M1= D(SK i, C1), M2= D(SK i, C2) 2. Compute M’ = M1 NAND M2 3. Encrypt C’ = E(Pk i+1, M’) P i (C1, C2): 1.Decrypt M1= D(SK i, C1), M2= D(SK i, C2) 2. Compute M’ = M1 NAND M2 3. Encrypt C’ = E(Pk i+1, M’) Re-Rand CPA + piO  LHE D C1 of w1 & C2 of w2 under (Pk i-1,Sk i-1 ) C’ of w’ under (Pk i,Sk i ) NAND at level i Evaluate layer by layer Layer i associated with (Pk i,Sk i ) pIO(P i )

Evk D = P D (C1, C2): 1.Decrypt M1= D(SK D-1, C1), M2= D(SK D-1, C2) 2. Compute M’ = M1 NAND M2 3. Encrypt C’ = E(Pk D, M’) P D (C1, C2): 1.Decrypt M1= D(SK D-1, C1), M2= D(SK D-1, C2) 2. Compute M’ = M1 NAND M2 3. Encrypt C’ = E(Pk D, M’) pIO(P D ) CPA-Security CPA-Adv sees PK 0, C = Enc(PK 0, b), {Evk 1 … Evk D } Q D (C1, C2): Encrypt C’ = E(Pk D, 0) Q D (C1, C2): Encrypt C’ = E(Pk D, 0) Fvk D = pIO(Q D ) ≈ ≅

… … CPA-Security CPA-Adv sees PK 0, C = Enc(PK 0, b), {Evk 1 … Evk D } Evk D = Dec( sk D-1, * ) NAND Enc( pk D, * ) Evk i = Dec( sk i, * ) NAND Enc( pk i+1, * ) Evk 1 = Dec( sk 0, * ) NAND Enc( pk 1, * ) Enc( pk D, 0) Fvk D = Enc( pk i, 0) Fvk i = Enc( pk 1, 0) Fvk 1 = Yes! No secret key left  C is hiding But, The sizes of {evk i } blow-up

P i (C1, C2): 1.Decrypt M1= D(SK i-1, C1), M2= D(SK i-1, C2) 2. Compute M’ = M1 NAND M2 3. Encrypt C’ = E(Pk i, M’) P i (C1, C2): 1.Decrypt M1= D(SK i-1, C1), M2= D(SK i-1, C2) 2. Compute M’ = M1 NAND M2 3. Encrypt C’ = E(Pk i, M’) CPA-Security CPA-Adv sees PK 0, C = Enc(PK 0, b), {Evk 1 … Evk D } Q i (C1, C2): Encrypt C’ = E(Pk i, 0) Q i (C1, C2): Encrypt C’ = E(Pk i, 0) ≅ Problem: E needs to be (negl/X)-indist with X = 2^{|C1| + |C2|}  |C’|≥ poly(|C1|+|C2|)

CPA-Security CPA-Adv sees PK 0, C = Enc(PK 0, b), {Evk 1 … Evk D } Solution: Use “Perfect” Lossy PKE 1. Normal PK: comp-hiding correct 2. Trapdoor PK: perfect-hiding no correctness Implied by re-rand PKE P i (C1, C2): 1.Decrypt M1= D(SK i-1, C1), M2= D(SK i-1, C2) 2. Compute M’ = M1 NAND M2 3. Encrypt C’ = E(Pk i, M’) P i (C1, C2): 1.Decrypt M1= D(SK i-1, C1), M2= D(SK i-1, C2) 2. Compute M’ = M1 NAND M2 3. Encrypt C’ = E(Pk i, M’) Q i (C1, C2): Encrypt C’ = E(Pk i, 0) Q i (C1, C2): Encrypt C’ = E(Pk i, 0) ≅

… … CPA-Security CPA-Adv sees PK 0, C = Enc(PK 0, b), {Evk 1 … Evk D } Evk D = Dec( sk D-1, * ) NAND Enc( pk D, * ) Evk i = Dec( sk i, * ) NAND Enc( pk i+1, * ) Evk 1 = Dec( sk 0, * ) NAND Enc( pk 1, * ) Enc( pk D, 0) Fvk D = Enc( pk i, 0) Fvk i = Enc( pk 1, 0) Fvk 1 = Before switching the Evk’s Switch pk’s to trapdoor keys {Enc(pk, *)} = {Enc(pk, 0)} QED No blow-up

Thank you

Indistinguishability Obfuscation [BGI+12] functionally equivalent PiO(P) QiO(Q) ≈ ≡ indistinguishable

Motivating Examples: CPA to FHE Given any CPA, (PK, SK) C1 = E(PK, M1), C2 = E(PK, M2), Convert to FHE, by adding evaluation keys Evk = C’ C1C2 Obf(P) P(C1, C2): 1.Decrypt M1= D(SK, C1), M2= D(SK, C2) 2. Compute M’ = M1 NAND M2 3. Re-Encrypt C’ = E(PK, M’; r) P(C1, C2): 1.Decrypt M1= D(SK, C1), M2= D(SK, C2) 2. Compute M’ = M1 NAND M2 3. Re-Encrypt C’ = E(PK, M’; r) Shown in [ABF+13], under ad-hoc obfuscation assumption

Sub-exp IO  pIO * First, IO  pIO for single-input prog’s pIO(P) pIO(Q) ≈ P, Q single input programs AND P(x) ≈ Q(x) pIO(P): De-randomize P to de-P k (x) = P(x; PPRF(k, x)) IO obfuscate iO(de-P k ) IO(de-P k ) IO(de-Q k ) ≈

iO(de-P k ) iO(de-Q k ) IO  pIO for single-input prog’s iO(de-P k (x)) iO(de-Q k (x)) ≈ iO de-P k (x)= P(x; PPRF(k, x)) iO(y Q ) y P  P(x) iO(y P ) ≈ PPRF ≈ Output-Indist ≈ PPRF ≈ iO

iO(de-P k ) iO(de-Q k ) ≈ IO  pIO for single-input prog’s Sub-exp IO  pIO

Medium Solver Set Amedium of A