Obfuscation without Multilinear Maps

Similar documents
Cryptanalysis of branching program obfuscators

Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13

Post-Zeroizing Obfuscation: The case of Evasive Circuits

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Fully Homomorphic Encryption and Bootstrapping

Protecting obfuscation against arithmetic attacks

A Comment on Gu Map-1

On the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input

Zeroizing Attacks on Indistinguishability Obfuscation over CLT13

Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding

Post-Zeroizing Obfuscation: The case of Evasive Circuits

Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13

Non-Interactive Secure Multiparty Computation

Lattice-Based Non-Interactive Arugment Systems

A Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University

Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption

Lecture 2: Program Obfuscation - II April 1, 2009

On Kilian s Randomization of Multilinear Map Encodings

Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1

Function-Hiding Inner Product Encryption

Cryptanalysis of GGH15 Multilinear Maps

Cryptanalysis of Indistinguishability Obfuscations of Circuits over GGH13

Differing-Inputs Obfuscation and Applications

Cryptanalyses of Candidate Branching Program Obfuscators

Creating transformations for matrix obfuscation

Obfuscation for Evasive Functions

Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding

Adaptively Secure Constrained Pseudorandom Functions

Low Overhead Broadcast Encryption from Multilinear Maps

Lecture 10 - MAC s continued, hash & MAC

Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall

CS Topics in Cryptography January 28, Lecture 5

More Annihilation Attacks

Offline Witness Encryption

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

A Simple Obfuscation Scheme for Pattern-Matching with Wildcards

Secure Obfuscation in a Weak Multilinear Map Model

A survey on quantum-secure cryptographic systems

Quantum-resistant cryptography

Obfuscation and Weak Multilinear Maps

Sum-of-Squares Meets Program Obfuscation, Revisited

COS598D Lecture 3 Pseudorandom generators from one-way functions

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Gentry s SWHE Scheme

16 Fully homomorphic encryption : Construction

Cryptology. Scribe: Fabrice Mouhartem M2IF

Practical Order-Revealing Encryption with Limited Leakage

Extending Oblivious Transfers Efficiently

New and Improved Key-Homomorphic Pseudorandom Functions

Linear Multi-Prover Interactive Proofs

1 Number Theory Basics

Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption

EME : extending EME to handle arbitrary-length messages with associated data

Public-Key Encryption: ElGamal, RSA, Rabin

How Fast Can We Obfuscate Using Ideal Graded Encoding Schemes

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

A Pseudo-Random Encryption Mode

Efficient Identity-Based Encryption Without Random Oracles

Practical Fully Homomorphic Encryption without Noise Reduction

From Minicrypt to Obfustopia via Private-Key Functional Encryption

Publicly Verifiable Software Watermarking

arxiv: v7 [quant-ph] 20 Mar 2017

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

8 Elliptic Curve Cryptography

Fang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University

CS259C, Final Paper: Discrete Log, CDH, and DDH

The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation

Public Key Cryptography

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Minimizing the Complexity of Goldreich s Pseudorandom Generator

Fully Homomorphic Encryption

Obfuscating Circuits via Composite-Order Graded Encoding

Gentry s Fully Homomorphic Encryption Scheme

On Minimal Assumptions for Sender-Deniable Public Key Encryption

Chosen-Ciphertext Attacks on Optimized NTRU

Provable Security against Side-Channel Attacks

Limits on the Locality of Pseudorandom Generators and Applications to Indistinguishability Obfuscation

Smooth Projective Hash Function and Its Applications

Private Puncturable PRFs from Standard Lattice Assumptions

Lecture 15 - Zero Knowledge Proofs

4-3 A Survey on Oblivious Transfer Protocols

Lecture 3: Randomness in Computation

An Unconditionally Secure Protocol for Multi-Party Set Intersection

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

A Domain Extender for the Ideal Cipher

Optimal XOR based (2,n)-Visual Cryptography Schemes

Fully Homomorphic Encryption - Part II

Block encryption of quantum messages

6.892 Computing on Encrypted Data October 28, Lecture 7

New Cryptosystem Using The CRT And The Jordan Normal Form

A REDUCTION OF SEMIGROUP DLP TO CLASSIC DLP

Constant-Round MPC with Fairness and Guarantee of Output Delivery

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Transcription:

Obfuscation without Multilinear Maps Dingfeng Ye Peng Liu DCS Center Cyber Security Lab nstitute of nformation Engineering College of nformation Sciences and Technology Chinese Academy of Sciences Pennsylvania State University Beijing, China 100093 University Park, PA 16802 ydf@is.ac.cn pliu@ist.psu.edu Abstract Known methods for obfuscating a circuit need to represent the circuit as a branching program and then use a multilinear map to encrypt the branching program. Multilinear maps are, however, too inefficient for encrypting the branching program. We found a dynamic encoding method which effectively singles out different inputs in the context of the matrix randomization technique of Kilian and Gentry et al., so that multilinear maps are no longer needed. To make the method work, we need the branching programs to be regular. For such branching programs, we also give most efficient constructions for NC1 circuits. This results in a much more efficient core obfuscator for NC1 circuits. ndex terms: Obfuscation, Matrix Branching Program, Dynamic Fencing 1 ntroduction ndistinguishable Obfuscation of general circuits is a powerful functionality of cryptography [6], which was regarded infeasible [2] until work [4] gives constructions for indistinguishable obfuscation. But this seminal work only addressed the existence problem: the solution is totally impractical for any meaningful circuit examples. Significant improvement of efficiency was obtained in later constructions (including [3, 1, 7, 8], but these constructions are still far from practical use. The inefficiency lies in the fact that all these constructions rely on multilinear maps of large degree, which lack efficient instantiations. Our work is inspired by [4, 7]. n these work, a circuit is first translated to a sequence of matrix pairs (the branching program, and circuit evaluation is represented as matrix multiplications. We observe that Kilian s randomization technique, denoted in this work as fencing, already makes the branching program computation secure for single input, as long as the branching program is regular (roughly speaking, the rank function reveals nothing to the attacker. We also observe that the essential thing to make the whole computation secure is to separate computations for different inputs into different worlds, which may not need multilinear maps at all.

A natural way to do this is dynamic fencing: different inputs use independent fences, but this needs exponential storage. We approximate dynamic fencing with group actions: each fence is multiplied by a group element which is bound to an input and the branching variable at the place. This binding is achieved via a simple authentication method when working at higher dimensions. Another contribution of this work is a new regular branching program for NC1 circuits. Our construction has similar efficiency as that of [7], but it is regular, so that Kilian s statistical simulation theorem still holds. Finally, it should be noticed that the security of our scheme is not proved. The difficulty of a security proof is lack of suitable security model to validate our approximation of dynamic fencing. This also means that our scheme does not depend on any known assumptions; we treat attacking the scheme as a new concrete problem which seems to be hard. 2 Notations Let F 2 denote a binary field. Let a+b and ab denote addition and multiplication of a,b F 2, respectively. Let M m,m (F 2 denote the set of m m matrices over F 2. Let GL d (F 2 denote the set of d d invertible matrices. Let denote the identity matrix of appropriate dimension. We often write a matrix without specifying its dimension, if it can be inferred from context; we also write a matrix of blocks without specifying dimensions of the blocks, which should make multiplication of matrices of blocks meaningful. By a matrix sequence {M i : 1 i l}, we mean i M i is meaningful and specification of the length and dimensions are often omitted. Two matrix sequences {M i } and {N j } can be catenated if ( i M i ( j N j is meaningful, and {M i } {N j } denote the matrix sequence of this catenation. For any matrix sequence {M i }, A{M i } is the sequence {AM 1 } {M i : i > 1}; similarly {M i }A means the sequence by multiplying on the right the last matrix with A. 3 Kilian s Randomization This section is generalization of Kilian s Randomization to regular matrix sequences. Let {M i : 1 i l} be a matrix sequence with dimensions d i 1 d i, and let {U i GL di (F 2 : 0 i l} be a sequence of invertible matrices, KR({M i },{U i } will denote the sequence {Ui 1 1 M iu i : 1 i l}. Here, we call {U i } the fences. f the fences are uniformly random, KR({M i },{U i } will be called the Kilian s Randomization (denoted KR of the matrix sequence {M i }. Lemma 3.1 KR of the matrix sequence {M i } and {M i } have the same distribution if there exists {V i } such that {M i } = KR({M i},{v i }. Proof KR({M i },{V i U i } = KR(KR({M i },{V i },{U i } f {M i } = KR({M i},{v i }, we will write {M i } (V0,V l {M i }, and we will simply say that the two matrix sequences are KR equivalent. The following is obvious: Lemma 3.2 {M i } (U,V {M i } {M i} (, U{M i }V 1. 2

Lemma 3.3 f {M i } (U,V {M i } and {N j} (V,V {N j }, then {M i} {N j } (U,V {M i } {N j } Lemma 3.4 f {M i } (U,V {M i } and {M i } (U,V {N i }, then {M i } (UU,VV {N i } Lemma 3.5 [5] f {M i } and {M i } are all invertible, then {M i} (V0, {M i } and {M i} (,V {M i } where V = ( M i 1 ( M i and V 0 = ( M i ( M i 1 Definition A matrix sequence {M i } is called unit if each M i is of the form either or (,0 or (,0 T (T means transpose, and i M i = (where each may have different dimension. A matrix sequence is called regular if it is KR equivalent to a unit matrix.. Lemma 3.6 f {O i } is a unit sequence, and G is invertible, then {O i } (G,G {O i }. ( G Proof Let {U i } be a fence of the form: U i = G or U i = according to dimension. Then KR({O i },{U i } = {O i }. Lemma 3.7 f {M i } is regular, and G is invertible, then both G{M i } and {M i }G are regular. Proof Obvious. Lemma 3.8 Let {M i } be regular and {O i } be the corresponding unit sequence, then {M i } (, V {O i } and {M i } (, {O i }V where V = M i. Proof Suppose {M i } (U,U {O i }, Since {O i } (U 1,U 1 {O i}, we have {M i } (,U U 1 {O i }. By comparing the product, we must have U U 1 = V = M i. Lemma 3.9 f {M i } and {N j } are regular, so is {M i } {N j }. Proof Because catenation of unit sequences is also unit, suppose {M i } (U, {O i } and {N j } (,V {O j }, then we have {M i } {N j } (U,V {O i } {O j } 4 Branching Programs of Circuits A branching program is a pair (BP,inp, where BP = {B i,b : 1 i l,b = 0,1} is a sequence of matrix pairs, and inp : [l] [n] is a map. A branching program can compute a function C : F 2 n F 2 as follows: C(x 1,x 2,,x n = f ( i B i,xinp(i where f is some function from matrices to F 2. We often omit the specification of inp when it can be comprehended. The largest dimension of matrices in BP is called the width of the branching program. BP = {B i,b : 1 i l,b = 0,1} is called regular, if all matrix sequences {B i,bi } are regular. t is well known that branching programs can only efficiently compute NC1 circuits (circuits with 2-fan in gates and depth d < O(log(λ. The efficiency of a branching program is roughly measured by its width and length. Main results on branching programs for NC1 circuits are the following: 3

The Barrington map: width = 5, length 4 d, regular; [1]: width 2 d, length 2 d, regular; [7]: width < d, length 2 d, not regular. n the following, we will give a regular branching program for NC1 circuits with similar efficiency as [7]. To begin with, the operations on matrix sequences: KR,, and A{M i },{M i }A are straightforwardly ( applied to BPs. Another operation is Aug: Aug({B i,b } = {B + i,b }, where B + 1 i,b =. B i,b ( 1 v Let C(x 1,,x n be a circuit with n input variables. We use to represent the value v at a gate (and input. The following formula can be used to evaluate the circuit: ( ( ( 1 a 1 1 1 a + 1 not gate: = ( ( ( 1 a 1 b 1 a + b gate: = ( 1 0 1 1 0 0 gate: 1 a 1 b 0 0 = ( 1 0 1 1 ab The branching program for computing C(x 1,,x n is inductively constructed as follows: ( 1 b each input variable x i is a BP of length 1:, inp(1 = i. ( 1 1 not gate: (BP ; gate: BP 1 BP 2 ; ( 0 gate: Aug(BP 1 0 0 Aug(BP 2 1 0 0 0 Theorem 4.1 The branching program constructed as above is regular. ( 1 v Proof nitially the inputs are regular, and each has product value of the type. By induction, this property is preserved at not gates and gates. t only remains to verify this at gates, which will be done by the following lemma. 4

( 1 a Lemma 4.2 Let {M i } and {N j } be regular with product values re- ( 0 spectively, then Aug({M i } ( 1 ab product value. 0 0 Aug({N j } and 1 0 0 0 ( 1 b is regular with Proof Obviously Aug preserves regularity, so the stated matrix sequence is (, reduced to ( ( 0 a {O i } 0 ( 1 0 1 b 0 0 = ( 1 ab 0 {O i } 1 ab (,0{O i }. 0 b 0 b ( 1 1 ab Let α = (0,b. ( 0 Let G =, α 1 1 ab 1 ab then (,0{O i } = (,0{O i } ( 0 ( b 0 0 (,0 1 ab {O i } ( ( 0 0 1 1 ab = (,0{O i }. 0 5 Dynamic Fencing Let ({B i,b : 1 i l},inp be a branching program, where B i,b is of dimension d i 1 d i ; {U i } be a fixed random fence. Let x = (x 1,,x n denote the input. We wish using a fence {G i,x U i } to evaluate the circuit with this input, where G i,x is independently random relative to its use in circuit evaluation for different inputs. n the following we will give a method to approximate this. Let {G i, j,b : 0 i l,1 j n,b = 0,1} be a set of private random invertible matrices of suitable dimensions, our intended G i,x will be j G i, j,x j. We need the following additonal random data: {A i,b GL di (F 2 : 1 i l,b = 0,1} {A i, j,1,b GL di (F 2 : 1 i l,inp(i < j n,b = 0,1} 5

{A i, j,2,b GL di 1 (F 2 : 1 i l,1 j n,b = 0,1} {B i M di 1,d i (F 2 : 1 i l} {U i, j GL 2di 1 +d i (F 2 : 1 i l, n j < 0} {U i, j GL di 1 +2d i (F 2 : 1 i l,0 j < n} The dynamic fencing of ({B i,b },inp will be DF({B i,b },inp = 1 i l B i, where B i = {B i, j,b : n j n,b = 0,1}: B i, n,b = Ui 1 1 (B i,, i,n,1,b i,n,2,b i 1,n,b if inp(i n; otherwise B i, n,b = Ui 1 1 (B i,, i,n,1,b A 1 i,b i,n,2,b i 1,n,b for inp(i < j < n, B i, j,b = U 1 for j = inp(i, B i, j,b = U 1 i, j 1 for 0 < j < inp(i, B i, j,b = U 1 B i,0,b = U 1 i, 1 A i,b B i,b U i, n i, j 1 i, j 1 for 0 < j < inp(i, B i, j,b = U 1 U i,0 i, j 1 for inp(i j < n, B i, j,b = U 1 B i,n,b = U 1 i,n 1 A i,n,1,b i, j 1 A i,n,2,b i, j,1,b i, j,1,b A 1 i,b i, j,2,b A i, j,2,b A i, j,1,b G i,n,b 6 U i, n i, j,2,b i, j,2,b G i, j,b A i, j,2,b B i i 1, j,b U i i 1, j,b i 1, j,b U i, j G i, j,b U i, j U i, j U i, j U i, j

Lemma 5.1 B i can be used to obtain (G i 1,x U i 1 1 B i,xinp(i G i,x U i Proof The wanted is just ( B i, j,x j B i,0,xinp(i ( B i, j,x j =U 1 1 j n 1 j n i 1 (B i,, (G i 1,x 1 B i,xinp(i G i,x B i U i t can be seen from this computation that, if the adversary deviates from the computation as the lemma, he will get a messed encoding at the middle term: i 1,x B i,b i G i,x +B i J 1 +J 2 B i, where J 1,J 2 are not all identity. This kind of messed information seems to be hard to exploit for meaningful computation. This means that the encoding of B i,b is bound to the input variable x inp(i, which means that any kind of interleaved computation will result inconsistent encodings, thus hard to derive useful information. These observations seem to support the following conjecture: Conjecture 5.2 DF({B i,b },inp is computationally equivalent to dynamic fencing {KR({B i,xinp(i },{U i,x } : x F n 2 } as long as min{d i } O(λ (i.e. All groups GL di (F 2 are complex enough. 6 The Obfuscation Scheme Let C(x 1,x 2,,x n be an NC1 circuit of n input variables. Let (BP,inp be the regular branching program of C constructed as previous. Let BP = Aug λ (BP. Let α,β be a random pair of vectors such that ( α 1 v β = v. Then the obfuscation of C is just DF(α BPβ,inp. Lemma 6.1 The scheme has perfect completeness. Proof Given DF(αBPβ,inp, let αbpβ = { B i,b }. For input x we can compute KR(αB i,xinp(i β. G i,x,u i whose product value is same as that of αb i,xinp(i β, which is C(x 1,x 2,,x n. Lemma 6.2 Assuming the conjecture, the scheme achieves VBB security. Proof Assuming the conjecture, it only needs to prove that the circuit evaluation is simulatable for single input x = (x 1,,x n. Let v = C(x, ( then KR of α{ B i,xinp(i }β can be simulated as KR of α 1 v {O i }β. 7

Even the conjecture is false, it is still possible that the scheme achieves indistinguishability security, we conjecture that this is the case. For keyed circuits, i.e. the first k input variables are key bits, we can make the branching program slightly shorter. On constructing the BP for all variables, we place the input variables left-first; then we multiply the matrices belonging to key bits to the left. This results in a branching program where each matrix contains information about key bits. When doing dynamic fencing, it should be noted that rank(b i,0 B i,1 may disclose key information. This can be avoided by choosing A i,b such that rank(b i,0 B i,1 + rank(a i,0 A i,1 is independent of key. Finally, the complexity of the scheme is obviously bounded by O(n(d +λ 2 C, where C is the circuit size, d is the algebraic degree of the circuit. 7 Conclusion We provide the construction of an efficient obfuscation scheme whose complexity is bounded by O(n(d + λ 2 C. A unique characteristic of the scheme is that it does not use multilinear maps. Nevertheless, the scheme relies on a new conjecture to achieve indistinguishability security. How to prove or disprove the conjecture is an open problem yet to be investigated. References [1] Prabhanjan Aanauth, Divya Gupta, Yuval shai, and Amit Sahai. Optimizing obfuscation: Avoiding barrington s theorem. Cryptology eprint archive, 2014. http://eprint.iacr.org/. [2] Boaz Barak, Oded Goldreich, Russell mpagliazzo, Steven Rudich, A. S. Salil, P. vadahan, and Ke Yang. On the (impossibility of obfuscating programs. n CRYPTO, 2001. [3] Dan Boneh, Sanjam Grag, Amit Sahai, and Mark Zhandry. Differing inputs obfuscation and applications. Cryptology eprint archive, 2013. http://eprint.iacr.org/, 2013/689. [4] Sanjam Gary, Craig Gentry, Shai Halevi, Marianna Raykova, Amit Sahai, and Brent Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. n FOCS, 2013. [5] Joe Kilian. Founding cryptography on oblivious transfer. n STOC, 1988. [6] Amit Sahai and Brent Waters. How to use indistinguishability obfuscation: Deniable encryption, and more. n STOC, 2014. [7] Amit Sahai and Mark Zhandry. Obfuscating low rank matrix branching programs. Cryptology eprint archive, 2014. http://eprint.iacr.org/. [8] Joe Zimmerman. How to obfuscate programs directly. n STOC, 2014. 8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback