On Virtual Grey Box Obfuscation for General Circuits

Nir Bitansky, Ran Canetti, Yael Tauman Kalai, Omer Paneth

2016
*Algorithmica*

An obfuscator O is Virtual Grey Box (VGB) for a class 𝒞 of circuits if, for any C ∈ 𝒞 and any predicate π, deducing π(C) given O(C) is tantamount to deducing π(C) given unbounded computational resources and polynomially many oracle queries to C. VGB obfuscation is often significantly more meaningful than indistinguishability obfuscation (IO). In fact, for some circuit families of interest VGB is equivalent to full-fledged Virtual Black Box obfuscation. We investigate the feasibility of VGB obfuscation for general circuits. We first formulate a natural strengthening of IO, called strong IO (SIO). Essentially, O is SIO for class 𝒞 if O(C) ≈ O(C′) whenever the pair (C, C′) is taken from a distribution over 𝒞 where, for all x, C(x) ≠ C′(x) only with negligible probability. We then show that an obfuscator is VGB for a class 𝒞 if and only if it is SIO for 𝒞. This result is unconditional and holds for any 𝒞. We also show that, for some circuit collections, SIO implies virtual black-box obfuscation. Finally, we formulate a slightly stronger variant of the semantic security property of graded encoding schemes [Pass-Seth-Telang Crypto 14], and show that existing obfuscators, such as the obfuscator of Barak et al. [Eurocrypt 14], are SIO for all circuits in NC¹, assuming that the underlying graded encoding scheme satisfies our variant of semantic security. Put together, we obtain VGB obfuscation for all NC¹ circuits under assumptions that are almost the same as those used by Pass et al. to obtain IO for NC¹ circuits. We also show that semantic security is in essence necessary for showing VGB obfuscation.

* A preliminary version of this work appears in the proceedings of CRYPTO 2014.

Program obfuscation, namely the ability to efficiently compile a given program into a functionally equivalent program that is "unintelligible", is an intriguing concept. Indeed, much effort has been devoted to understanding this concept from the definitional aspect, the algorithmic aspect, and the applications aspect. Here let us concentrate on the first two aspects. Starting with the works of Hada [Had00] and Barak et al. [BGI+01], a number of measures of security for program obfuscation have been proposed. Let us briefly review three notions of interest. The first, virtual black box (VBB) obfuscation [BGI+01], requires that having access to the obfuscated program is essentially the same as having access to the program only as a black box.
Concretely, focusing on programs represented as circuits, an obfuscator O for a family of circuits is worst-case VBB if for any poly-time adversary A, there exists a poly-time simulator S, such that for any circuit C from the family, and any predicate π(·), A cannot learn π(C) from O(C) with noticeably higher probability than S can, given only oracle access to C. The obfuscator O is average-case VBB if the above is only required to hold for circuits C that are sampled at random from the family. While this VBB obfuscation is natural and strong, Barak et al. [BGI+01] showed that this definition, and variants thereof, are unobtainable in general by demonstrating a family of unobfuscatable functions: these are functions f where any circuit computing the function inherently leaks secrets that are infeasible to compute given only black box access to f. Moreover it turns out that, under cryptographic assumptions, if the simulator S is universal (or equivalently, works for any adversarial auxiliary input) then VBB obfuscation is unobtainable for any circuit family whose functionality has super-polynomial "pseudo entropy" [GK05, BCC+14]. A weaker variant of VBB, called virtual grey-box (VGB) [BC10], allows the simulator to be semi-bounded, namely it can be computationally unbounded, while still making only a polynomial number of queries to the circuit C. While significantly weaker than VBB in general, VGB is still meaningful for circuits that are unlearnable even by semi-bounded learners. Furthermore, VGB obfuscators for circuits escape the general impossibility results that apply to VBB obfuscators. A weaker notion yet, called indistinguishability obfuscation (IO) [BGI+01], allows the (now computationally unbounded) simulator to also make an unbounded number of queries to C. Equivalently, O is an IO for a circuit collection if for any two circuits C₀ and C₁ in the collection, having the same size and functionality, O(C₀) and O(C₁) are indistinguishable.
While IO has some attractive properties, and some important cryptographic applications [GR07, SW13, GGH+13b], the security guarantees provided by IO are significantly weaker than those provided by either VBB or VGB obfuscation. On the algorithmic level, for many years we had candidate obfuscators only for very simple functions such as point functions and variants. The landscape has changed completely with the recent breakthrough work of [GGH+13b], which proposed a candidate general-purpose obfuscation algorithm for all circuits. [GGH+13b] show that their scheme resists some simple attacks; but beyond that, they do not provide any analytic evidence for security. Considerable efforts have been made to analyze the security of the [GGH+13b] obfuscator and variants. The difficulty appears to be in capturing the security properties required from the graded encoding schemes [GGH13a, CLT13], which are a central component in the construction. As a first step towards understanding the security of the [GGH+13b] obfuscator, [BR13, BGK+13] consider an ideal algebraic model, where the adversary is given "generic graded encodings" that can only be manipulated via admissible algebraic operations. They show that, in this model, variants of the [GGH+13b] scheme are VBB obfuscators for all poly-size circuits. (We remark that [CV13] construct a VBB general obfuscator with similar properties; however their abstract model is different and does not seem to correspond to any existing cryptographic primitive.)
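Still, neither of these idealized constructions nor their analyses have, in and of themselves, any bearing on …

… cator for the evasive ensemble $\{M_n \oplus \mathcal{C}_n\}_{n \in \mathbb{N}}$, as given by Lemma 5.1, we have

$$
\begin{aligned}
\Pr_{A,\,cO,\,C \leftarrow \mathcal{C}_n}\left[A(cO(C)) = \pi(C)\right]
&= \Pr_{A,\,iO,\,C \leftarrow \mathcal{C}_n}\left[A(iO([C]^{(n)})) = \pi(C)\right] \\
&= \Pr_{A,\,iO,\,r,\,C \leftarrow \mathcal{C}_n}\left[A(iO(C_r)) = \pi(C)\right] \pm n^{-\omega(1)} \\
&= \Pr_{A,\,iO,\,r,\,C \leftarrow \mathcal{C}_n}\left[A(iO(M_n \oplus eO(C \oplus M_n; r))) = \pi(C)\right] \pm n^{-\omega(1)} \\
&= \Pr_{A,\,iO,\,r,\,C,C' \leftarrow \mathcal{C}_n}\left[A(iO(M_n \oplus eO(C \oplus M_n; r))) = \pi(C')\right] \pm n^{-\omega(1)} \\
&= \Pr_{A,\,iO,\,r,\,C,C' \leftarrow \mathcal{C}_n}\left[A(iO(C_r)) = \pi(C')\right] \pm n^{-\omega(1)} \\
&= \Pr_{A,\,iO,\,C,C' \leftarrow \mathcal{C}_n}\left[A(iO([C]^{(n)})) = \pi(C')\right] \pm n^{-\omega(1)} \\
&= \Pr_{A,\,cO,\,C,C' \leftarrow \mathcal{C}_n}\left[A(cO(C)) = \pi(C')\right] \pm n^{-\omega(1)}.
\end{aligned}
$$

Thus, again by Lemma 5.1, we deduce that cO is an average-case VBB obfuscator for the concentrated ensemble $\mathcal{C}$.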

doi:10.1007/s00453-016-0218-8
fatcat:ytmngd6szjec7d4jkk5cdix36a