Published by Clement Bradley. Modified over 9 years ago.
1
Obfuscation of Probabilistic Circuits
Ran Canetti, Huijia Lin, Stefano Tessaro, Vinod Vaikuntanathan
2
Program Obfuscation
[Diagram: x → P → P(x); x → Obf(P)]
Compile a program into an unintelligible one, preserving functionality
3
Program Obfuscation
Compile a program into an unintelligible one, preserving functionality
Different notions of obfuscation:
Virtual-Black-Box (VBB) [BGI+12,GK,BCC+14]
Virtual-Grey-Box (VGB) [BC10]
Differing-input Obfuscation (diO) [BGI+12]
Indistinguishability Obfuscation (iO) [BGI+12]
4
However, so far, obfuscation for deterministic programs only
Probabilistic programs?
Reflected in correctness (for all x, P(x) = Obf[P](x))
E.g. obfuscate cryptographic algorithms
Why bother? Treat random coins as input
5
Motivating Examples
Oblivious sampler: Index i → Obf(P) → g^{r1}, g^{r2}, g^{r1*r2}
Oblivious re-encryption: Ciphertext C of m → Obf(P) → re-randomized C’ = Enc(pk, m; r)
Cannot treat the random coins as plain input:
1. Hiding: keep the randomness hidden
2. Correctness: randomness un-skewed
6
This work: IO for probabilistic programs (pIO)
There are several variants. Focus on pIO = X-pIO in this talk
Theorem 1 (Construction): Sub-exp secure IO ⇒ pIO *
Theorem 2 (Application to FHE): pIO + Re-Randomizable PKE ⇒ FHE ⊺ without circular security
* hiding OWF or some details
⊺ more details later
7
pIO Intuition: Correctness
P (probabilistic) → piO[P] (deterministic)
Preserving functionality: { P(x) } ≈ { piO[P](x) }
LHS over the randomness of P; RHS over the randomness of piO
Strengthened correctness: oracle accesses to P or piO[P] are indistinguishable if no inputs are asked repeatedly
8
pIO Intuition: Security
P ≡ Q (functionally equivalent), relaxed to P ≅ Q (“functionally indistinguishable”)
Obf(P) ≈ Obf(Q) (indistinguishable)
A notion of functional indistinguishability ⇒ a notion of pIO
9
Dynamically-IND
A sampler (P, Q, z) ← D is dynamically-IND if
[Diagram: given (P, Q, z), choose x, receive y = P(x)] ≈ [Diagram: given (P, Q, z), choose x, receive y = Q(x)]
D-piO: ∀ such sampler D, {P, Q, piO(P), z} ≈ {P, Q, piO(Q), z}
Collapses to diO for deterministic programs
Implausible [GGHW14]
10
X-indistinguishability
A sampler (P, Q, z) ← D is X-IND if
[Diagram: statically chosen x, then (P, Q, z), y = P(x)] ≈ [Diagram: statically chosen x, then (P, Q, z), y = Q(x)]
(negl / X)-indist (X = # of inputs)
X-piO: ∀ such sampler D, {P, Q, piO(P), z} ≈ {P, Q, piO(Q), z}
Gap is “Tight”
11
Variants of pIO
12
Sub-exp IO ⇒ pIO *
Thought experiment: P, Q have only a single input AND P(x) ≈ Q(x)
pIO(P) ≈ pIO(Q)
pIO(P): de-randomize P to de-P_k(x) = P(x; PPRF(k, x)), then IO obfuscate: iO(de-P_k)
IO(de-P_k) ≈ IO(de-Q_k)
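The de-randomization step above, as an added sketch that is not from the slides: HMAC-SHA256 stands in for the puncturable PRF, the program P and all function names are constructed for illustration, and no obfuscation is applied. It shows why correctness is only claimed when no input is asked repeatedly.

```python
import hashlib
import hmac
import secrets

COIN_BYTES = 16  # length of the random tape P expects (assumption of this sketch)

def P(x: int, coins: bytes) -> int:
    """Constructed probabilistic program: masks x with 16 random bits."""
    r = int.from_bytes(coins[:2], "big")
    return (x ^ r) & 0xFFFF

def prf(k: bytes, x: int) -> bytes:
    """HMAC-SHA256 as the PRF; the slides require a puncturable PRF here."""
    return hmac.new(k, x.to_bytes(8, "big"), hashlib.sha256).digest()[:COIN_BYTES]

def derandomize(prog, k: bytes):
    """de-P_k(x) = P(x; PRF(k, x)): k is hard-wired, the coins depend only on x."""
    def de_p(x: int) -> int:
        return prog(x, prf(k, x))
    return de_p

def fresh_oracle(prog):
    """Oracle access to the original P: new coins on every call."""
    return lambda x: prog(x, secrets.token_bytes(COIN_BYTES))

def repeated_query_differs(oracle, x: int, tries: int = 32) -> bool:
    """True if asking the same input several times ever gives two different answers."""
    return len({oracle(x) for _ in range(tries)}) > 1

def low_bit_bias(oracle, n: int = 4096) -> float:
    """Fraction of 1s in the low output bit over n distinct even inputs."""
    return sum(oracle(2 * i) & 1 for i in range(n)) / n

if __name__ == "__main__":
    de_p = derandomize(P, secrets.token_bytes(32))
    print("P changes on a repeated input:   ", repeated_query_differs(fresh_oracle(P), 7))
    print("de-P changes on a repeated input:", repeated_query_differs(de_p, 7))
    print("low-bit bias over distinct inputs:", low_bit_bias(fresh_oracle(P)), low_bit_bias(de_p))
```

On distinct inputs the two oracles produce outputs with the same un-skewed distribution; only a repeated query separates them, which is the condition in the strengthened correctness statement.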
13
pIO for single-input prog’s
de-P_k(x) = P(x; PPRF(k, x))
Hybrids: iO(de-P_k) ≈ (iO) iO(de-P_k(x)) ≈ (PPRF) iO(y_P), y_P ← P(x) ≈ (Output-Indist) iO(y_Q) ≈ (PPRF) iO(de-Q_k(x)) ≈ (iO) iO(de-Q_k)
14
pIO for single-input prog’s
iO(de-P_k) ≈ iO(de-Q_k)
15
Sub-exp IO ⇒ pIO
Use exponential hybrids, #hybrids = #inputs
[Diagram: one hybrid splits the inputs between P and Q at ≤ i-1 / > i-1, the next at ≤ i / > i]
Differ only at a single input i+1
Need Sub-Exp IO and X-IND
16
Application of pIO
Re-randomizable CPA + piO ⇒ LHE ⇒ FHE
LHE ⇒ FHE is an independent step: works for any LHE with fixed dec depth, assuming super-poly iO
Cor: Super-poly LWE + iO ⇒ FHE without circular security
17
Re-Rand CPA + piO ⇒ LHE
Evaluate layer by layer (levels up to D); layer i is associated with (Pk_i, Sk_i)
NAND at level i: C1 of w1 & C2 of w2 under (Pk_{i-1}, Sk_{i-1}) → C’ of w’ under (Pk_i, Sk_i)
Evk_i = pIO(P_i)
P_i(C1, C2):
1. Decrypt M1 = D(SK_i, C1), M2 = D(SK_i, C2)
2. Compute M’ = M1 NAND M2
3. Encrypt C’ = E(Pk_{i+1}, M’)
18
CPA-Security
CPA-Adv sees PK_0, C = Enc(PK_0, b), {Evk_1 … Evk_D}
P_D ≅ Q_D; Evk_D = pIO(P_D) ≈ Fvk_D = pIO(Q_D)
P_D(C1, C2):
1. Decrypt M1 = D(SK_{D-1}, C1), M2 = D(SK_{D-1}, C2)
2. Compute M’ = M1 NAND M2
3. Encrypt C’ = E(Pk_D, M’)
Q_D(C1, C2): Encrypt C’ = E(Pk_D, 0)
19
CPA-Security
CPA-Adv sees PK_0, C = Enc(PK_0, b), {Evk_1 … Evk_D}
Evk_D = Dec(sk_{D-1}, *) NAND Enc(pk_D, *); Fvk_D = Enc(pk_D, 0)
…
Evk_i = Dec(sk_i, *) NAND Enc(pk_{i+1}, *); Fvk_i = Enc(pk_i, 0)
…
Evk_1 = Dec(sk_0, *) NAND Enc(pk_1, *); Fvk_1 = Enc(pk_1, 0)
Yes! No secret key left, C is hiding
But, the sizes of {evk_i} blow up
20
CPA-Security
CPA-Adv sees PK_0, C = Enc(PK_0, b), {Evk_1 … Evk_D}
P_i ≅ Q_i
P_i(C1, C2):
1. Decrypt M1 = D(SK_{i-1}, C1), M2 = D(SK_{i-1}, C2)
2. Compute M’ = M1 NAND M2
3. Encrypt C’ = E(Pk_i, M’)
Q_i(C1, C2): Encrypt C’ = E(Pk_i, 0)
Problem: E needs to be (negl/X)-indist with X = 2^{|C1| + |C2|}
|C’| ≥ poly(|C1| + |C2|)
21
CPA-Security
CPA-Adv sees PK_0, C = Enc(PK_0, b), {Evk_1 … Evk_D}
Solution: use “perfect” lossy PKE (implied by re-rand PKE)
1. Normal PK: comp-hiding, correct
2. Trapdoor PK: perfect-hiding, no correctness
P_i ≅ Q_i
P_i(C1, C2):
1. Decrypt M1 = D(SK_{i-1}, C1), M2 = D(SK_{i-1}, C2)
2. Compute M’ = M1 NAND M2
3. Encrypt C’ = E(Pk_i, M’)
Q_i(C1, C2): Encrypt C’ = E(Pk_i, 0)
22
CPA-Security
CPA-Adv sees PK_0, C = Enc(PK_0, b), {Evk_1 … Evk_D}
Evk_D = Dec(sk_{D-1}, *) NAND Enc(pk_D, *); Fvk_D = Enc(pk_D, 0)
…
Evk_i = Dec(sk_i, *) NAND Enc(pk_{i+1}, *); Fvk_i = Enc(pk_i, 0)
…
Evk_1 = Dec(sk_0, *) NAND Enc(pk_1, *); Fvk_1 = Enc(pk_1, 0)
Before switching the Evk’s, switch pk’s to trapdoor keys: {Enc(pk, *)} = {Enc(pk, 0)}
No blow-up
QED
23
Thank you
24
Indistinguishability Obfuscation [BGI+12]
P ≡ Q (functionally equivalent)
iO(P) ≈ iO(Q) (indistinguishable)
25
Motivating Examples: CPA to FHE
Given any CPA, (PK, SK), C1 = E(PK, M1), C2 = E(PK, M2)
Convert to FHE by adding evaluation keys: Evk = Obf(P), mapping C1, C2 → C’
P(C1, C2):
1. Decrypt M1 = D(SK, C1), M2 = D(SK, C2)
2. Compute M’ = M1 NAND M2
3. Re-Encrypt C’ = E(PK, M’; r)
Shown in [ABF+13], under ad-hoc obfuscation assumption
26
Sub-exp IO ⇒ pIO *
First, IO ⇒ pIO for single-input prog’s
P, Q single-input programs AND P(x) ≈ Q(x)
pIO(P) ≈ pIO(Q)
pIO(P): de-randomize P to de-P_k(x) = P(x; PPRF(k, x)), then IO obfuscate: iO(de-P_k)
IO(de-P_k) ≈ IO(de-Q_k)
27
IO ⇒ pIO for single-input prog’s
de-P_k(x) = P(x; PPRF(k, x))
Hybrids: iO(de-P_k) ≈ (iO) iO(de-P_k(x)) ≈ (PPRF) iO(y_P), y_P ← P(x) ≈ (Output-Indist) iO(y_Q) ≈ (PPRF) iO(de-Q_k(x)) ≈ (iO) iO(de-Q_k)
28
IO ⇒ pIO for single-input prog’s
iO(de-P_k) ≈ iO(de-Q_k)
Sub-exp IO ⇒ pIO
29
Medium Solver Set Amedium of A