

SLIDE 1

New Negative Results on Differing-Inputs Obfuscation

Mihir Bellare, Igors Stepanovs, Brent Waters

May 12, 2016, EUROCRYPT 2016


SLIDE 3

Our Main Result at a Glance

Differing-inputs obfuscation (Barak et al., 2001)

[GGHW14]: Differing-inputs obfuscation for circuits is implausible ... because it cannot coexist with another form of obfuscation that seems to be weaker.

This work: Sub-exponentially secure differing-inputs obfuscation for TMs is impossible ... assuming sub-exponentially secure one-way functions.

Bellare, Stepanovs, Waters - EUROCRYPT 2016


SLIDE 6

Obfuscation

Obfuscator: Program P → Program P* (circuits or Turing machines).

  • 1. Correctness: P and P* are functionally equivalent, i.e. P(x) = P*(x) for all x.
  • 2. Security: P* is no more useful than an oracle for P.

[BGIRSVY01]: Virtual Black Box Obfuscation is impossible!

Are there weaker forms of obfuscation that are achievable and useful?

  – point-function obfuscation (PO) [C97, CMR98, LPS04, ...]
  – virtual grey box obfuscation (VGBO) [BC10, ...]
  – indistinguishability obfuscation (iO) [BGIRSVY01, GGHRSW13, SW13, ...]
  – differing-inputs obfuscation (diO) [BGIRSVY01, BCP13, ABGSZ13, ...]


SLIDE 10

Indistinguishability and Differing-Inputs Obfuscation [BGIRSVY01]

PT adversaries: G – Generator; D – Distinguisher; I – Inverter.

G outputs a pair of programs (P0, P1) and an auxiliary input aux. A bit b ∈ {left, right} selects the world:
  Left world:  P̃ ←$ Obf(P0)
  Right world: P̃ ←$ Obf(P1)
D receives (P̃, aux) and tries to guess b. The inverter I receives (P0, P1, aux) and tries to output an input x.

Security of indistinguishability obfuscation (iO):
Obf is iO-secure if: for all PT adversaries G that output (P0, P1) such that P0 ≡ P1, no PT adversary D can distinguish left from right.

Security of differing-inputs obfuscation (diO):
Obf is diO-secure if: for all PT adversaries G that output (P0, P1) such that it is computationally hard (for every PT inverter I) to find x satisfying P0(x) ≠ P1(x), no PT adversary D can distinguish left from right.

We consider two security levels:
  (1) Polynomially diO-secure: "computationally hard" means polynomially hard.
  (2) Sub-exponentially diO-secure: "computationally hard" means sub-exponentially hard.


SLIDE 13

Indistinguishability Obfuscation (iO)

Is iO achievable? [GGHRSW13, ...]: Here is a candidate construction!

Why should I care?! [SW13, ...]: "iO as a central hub of cryptography" – we can build many crypto primitives from iO!

Does iO exist? Heavy, ad-hoc assumptions. Constructions are getting broken (proposed → broken).

We make progress towards settling the existence of iO by providing negative results for diO. Candidate iO constructions are conjectured to meet diO (proven in idealized models by BR13, BGKPS13).

SLIDE 14

Implausibility of Differing-Inputs Obfuscation [GGHW14]

Theorem ([GGHW14]): Polynomially secure diO for circuits does not exist if:
  – there exists an existentially unforgeable digital signature scheme DS, and
  – there exists a collision-resistant hash function H, and
  – there exists a special-purpose obfuscator for H and DS.

The last assumption is a novel, ad-hoc assumption introduced by [GGHW14]. Is it more plausible than diO?

[GGHW14]: Differing-inputs obfuscation is implausible!


SLIDE 18

Our Results

Theorem A. Sub-exponentially secure diO for TMs does not exist if:
  – sub-exponentially secure one-way functions exist.

Theorem B. Polynomially secure diO for TMs does not exist if:
  – sub-exponentially secure one-way functions exist, and
  – sub-exponentially secure indistinguishability obfuscation for circuits exists.

The proof uses iO!

  Result                  | Type of programs  | Assumptions
  ------------------------|-------------------|------------------------------------------------------
  [GGHW14] theorem        | Circuits          | Special-purpose obfuscation, ...
  Theorem A [Theorem B]   | Turing Machines   | Sub-exponentially secure OWFs [and sub-exponentially secure iO]

Obtain a corollary for circuits from [ABGSZ13, BCP14]: FHE + diO for circuits + SNARKs ⇒ diO for TMs.

Sub-exponential assumptions?! When natural problems are hard, they appear to be sub-exponentially hard (Factoring, DLOG, LWE, SVP, ...).


SLIDE 22

[GGHW14] Attack

Let Obf be any obfuscator. It is not diO-secure if:
  (1) It is easy to distinguish Obf(C0) from Obf(C1).
  (2) It is hard to find x such that C0(x) ≠ C1(x).

Construct generator G using: digital signature scheme DS, "special-purpose obfuscator" spO, hash function H. G generates a key pair (vk, sk) for DS and outputs (C0, C1) together with aux = spO(C2), where:

  C0(m, σ):  d ← DS.Verify(vk, m, σ); Return d
  C1(m, σ):  Return 0
  C2(C̃):    m ← H(C̃); σ ← DS.Sign(sk, m); b ← C̃(m, σ); Return b

The distinguisher simply runs aux on the obfuscated program:

  D(C̃, aux):  b ← aux(C̃); Return b

By the definitions above, C2(C̃) = 1 if C̃ is Obf(C0) (the signature verifies) and C2(C̃) = 0 if C̃ is Obf(C1), so (1) holds. Finding a differing input means finding a valid (m, σ) under vk, which requires forging unless sk leaks from aux.

[GGHW14]: Assume there exists spO that hides sk "sufficiently well". spO is more plausible than diO!

SLIDE 23

Our Attack

Let Obf be any obfuscator. It is not diO-secure if:
  (1) It is easy to distinguish Obf(M0) from Obf(M1).
  (2) It is hard to find x such that M0(x) ≠ M1(x).

Construct generator G using: digital signature scheme DS, indistinguishability obfuscator iO. G outputs (M0, M1) together with aux = iO(M2), where:

  M0(m, σ):  If |m| ≠ k then return 0; d ← DS.Verify(vk, m, σ); Return d
  M1(m, σ):  Return 0
  M2(M̃):    m ← M̃ (the description of M̃ itself is the message; the hash function is gone); σ ← DS.Sign(sk, m); b ← M̃(m, σ); Return b

We change the construction of G as follows:
  1. Replace spO with iO.
  2. Replace circuits with TMs.
  3. Require |m| = k in M0.
  4. Remove the hash function.
  5. ...

We now use a hybrid argument to prove (2).

Bellare, Stepanovs, Waters - EUROCRYPT 2016
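As an added example (not code from the talk or the paper), the following Python models the two generators above side by side: the [GGHW14] variant (m = H(C̃), aux built from C2) and the authors' variant (no hash, the description of M̃ is the message, |m| = k enforced in M0). Assumptions: programs are Python objects carrying a byte-string description; `obf` is a placeholder obfuscator that only relabels the description to a fixed length k, since real obfuscation is not implemented; `aux` is a plain closure over sk, whereas the attack relies on spO or iO to hide sk inside aux; and DS is a Lamport one-time signature over SHA-256 standing in for an existentially unforgeable scheme (a real attack needs a many-time scheme, because aux signs once per program it is queried on). The names `generator`, `distinguisher`, `run_attack` and `OBF_LEN` are mine.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    """SHA-256: the hash function H of [GGHW14] and the OWF inside Lamport."""
    return hashlib.sha256(data).digest()


# ---- Lamport one-time signatures (stand-in for the DS of the slides) ------
def ds_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    vk = [(H(s0), H(s1)) for s0, s1 in sk]       # vk is genuinely public
    return vk, sk


def _msg_bits(m: bytes):
    digest = int.from_bytes(H(m), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


def ds_sign(sk, m: bytes):
    return [sk[i][b] for i, b in enumerate(_msg_bits(m))]


def ds_verify(vk, m: bytes, sigma) -> int:
    if len(sigma) != 256:
        return 0
    return int(all(H(s) == vk[i][b]
                   for i, (s, b) in enumerate(zip(sigma, _msg_bits(m)))))


# ---- programs and a placeholder obfuscator --------------------------------
class Program:
    """A program is its description (bytes) plus the function it computes."""
    def __init__(self, desc: bytes, fn):
        self.desc, self.fn = desc, fn

    def __call__(self, x):
        return self.fn(x)


OBF_LEN = 4 + 32   # assumed fixed length of every obfuscated description (the k of slide 36)


def obf(P: Program) -> Program:
    # Placeholder obfuscator: keeps the function, relabels the description.
    return Program(b"obf:" + H(P.desc), P.fn)


def generator(variant: str):
    """variant 'gghw': m = H(desc), no length check.  variant 'bsw': m = desc, |m| = k."""
    vk, sk = ds_keygen()
    k = OBF_LEN

    def M0(x):
        m, sigma = x
        if variant == "bsw" and len(m) != k:   # step 3: require |m| = k
            return 0
        return ds_verify(vk, m, sigma)

    def M1(x):
        return 0

    def M2(Mt: Program):
        m = H(Mt.desc) if variant == "gghw" else Mt.desc   # step 4: no hash
        sigma = ds_sign(sk, m)
        return Mt((m, sigma))

    aux = M2   # in the real attack aux = spO(M2) or iO(M2), which hides sk
    return Program(b"M0:verify", M0), Program(b"M1:zero", M1), aux, sk


def distinguisher(Mt: Program, aux) -> int:
    return aux(Mt)                      # D(M~, aux): b <- aux(M~); return b


def differs(M0, M1, x) -> bool:
    return M0(x) != M1(x)


def run_attack(variant: str):
    """Returns (D on Obf(M0), D on Obf(M1), differing input found with sk, with junk)."""
    M0, M1, aux, sk = generator(variant)
    left = distinguisher(obf(M0), aux)
    right = distinguisher(obf(M1), aux)
    m = b"x" * OBF_LEN if variant == "bsw" else b"constructed message"
    with_sk = differs(M0, M1, (m, ds_sign(sk, m)))          # easy with sk
    junk = differs(M0, M1, (m, [b"\0" * 32] * 256))         # a non-forgery fails
    return left, right, with_sk, junk


if __name__ == "__main__":
    for v in ("gghw", "bsw"):
        print(v, run_attack(v))   # (1, 0, True, False) for both variants
```

The two variants differ only in the two lines marked step 3 and step 4; everything else, in particular the one-query distinguisher, is shared, which is the point of the slide.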


SLIDE 28

Hybrid Argument

G outputs (M0, M1) and aux = iO(M2), with M0, M1, M2 as on slide 23; the inverter I outputs x.

Adversary I wins if it outputs x such that...

  Hybrid game 0:       x = (m, σ) is a valid message-signature pair, and |m| = k, and m ≥ "00...00".
  Hybrid game 1:       x = (m, σ) is a valid message-signature pair, and |m| = k, and m ≥ "00...01".
  ...
  Hybrid game 2^k − 1: x = (m, σ) is a valid message-signature pair, and |m| = k, and m ≥ "11...11".
  Hybrid game 2^k:     x = (m, σ) is a valid message-signature pair, and |m| = k, and m > "11...11".

(m is a string of length k, compared as a k-bit string.)

The gap between every two consecutive hybrid games is sub-exponentially small. In hybrid game 2^k the adversary cannot win.


SLIDE 30

Hybrid Argument: A Single Transition

Adversary I wins if it outputs x such that...

  Hybrid game 0: x = (m, σ) is a valid message-signature pair, and |m| = k, and m ≥ "00...00".
  Hybrid game 1: x = (m, σ) is a valid message-signature pair, and |m| = k, and m ≥ "00...01".

3 intermediate steps between every two hybrid games, via Game (0,A) and Game (0,B).

We use consistent puncturable signature schemes, in the spirit of puncturable PRFs.

SLIDE 31

Consistent Puncturable Signature Schemes

We define a signature scheme DS that is:

  • 1. Puncturable: DS.PKg(sk, m*) → sk*, a key punctured at m*; DS.PSign(sk*, m) → σ for m ≠ m*.
  • 2. Consistent: DS.Sign(sk, m) = DS.PSign(sk*, m) for every m ≠ m*. Every valid m has the same σ for both sk and sk*.

We require selective puncturable unforgeability. PT adversary A:
  1. Chooses a challenge message m*.
  2. Receives (vk, sk*), where sk* is punctured at m*.
  3. Is asked to forge a valid signature for m*.

Our construction follows Sahai-Waters signatures [SW13]. We build a consistent puncturable signature scheme from iO and PPRF.

Bellare, Stepanovs, Waters - EUROCRYPT 2016
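Added example, not the authors' construction: a GGM puncturable PRF built from SHA-256, and on top of it a signature scheme in the Sahai-Waters spirit in which σ = F(K, m), the punctured key sk* is the GGM key punctured at m*, and consistency holds by construction. Assumptions: messages are fixed-length bit strings; `vk` is a closure holding K and stands in for iO of the verification circuit (without iO it does not hide K, so the block demonstrates puncturability and consistency, not unforgeability); all function names are mine.

```python
import hashlib
import secrets


def _G(seed: bytes):
    """Length-doubling PRG from SHA-256: seed -> (left child, right child)."""
    return (hashlib.sha256(seed + b"\x00").digest(),
            hashlib.sha256(seed + b"\x01").digest())


def prf_eval(K: bytes, x: str) -> bytes:
    """GGM PRF F(K, x): walk the binary tree from root K along the bits of x."""
    node = K
    for bit in x:
        node = _G(node)[int(bit)]
    return node


def prf_puncture(K: bytes, xstar: str):
    """Punctured key K{xstar}: the sibling of every node on the path to xstar.
    Nothing on the path itself (in particular not the leaf F(K, xstar)) is kept."""
    siblings = {}
    node = K
    for i, bit in enumerate(xstar):
        left, right = _G(node)
        if bit == "0":
            siblings[xstar[:i] + "1"] = right
            node = left
        else:
            siblings[xstar[:i] + "0"] = left
            node = right
    return (xstar, siblings)


def prf_peval(Kstar, x: str):
    """Evaluate F with a punctured key; None exactly at the punctured point."""
    xstar, siblings = Kstar
    if len(x) != len(xstar) or x == xstar:
        return None
    # The first bit where x leaves the punctured path lands on a stored sibling.
    for i in range(len(x)):
        if x[: i + 1] in siblings:
            node = siblings[x[: i + 1]]
            for bit in x[i + 1:]:
                node = _G(node)[int(bit)]
            return node
    return None


# ---- consistent puncturable signatures (Sahai-Waters style, assumed) ------
def _g(y: bytes) -> bytes:
    """One-way function applied by the verifier, as in [SW13]."""
    return hashlib.sha256(b"owf" + y).digest()


def ds_keygen(K: bytes = None):
    K = K or secrets.token_bytes(32)

    def vk(m: str, sigma) -> int:   # stands in for iO(C_K); leaks K without iO
        return int(sigma is not None and _g(sigma) == _g(prf_eval(K, m)))
    return vk, K


def ds_sign(sk: bytes, m: str) -> bytes:
    return prf_eval(sk, m)


def ds_pkg(sk: bytes, mstar: str):
    return prf_puncture(sk, mstar)


def ds_psign(skstar, m: str):
    return prf_peval(skstar, m)


def all_consistent(K: bytes, mstar: str) -> bool:
    """DS.Sign(sk, m) == DS.PSign(sk*, m) for every m != m* of length |m*|,
    and PSign yields nothing at m* itself (exhaustive over all 2^|m*| messages)."""
    n = len(mstar)
    skstar = ds_pkg(K, mstar)
    for v in range(2 ** n):
        m = format(v, f"0{n}b")
        sig, psig = ds_sign(K, m), ds_psign(skstar, m)
        if m == mstar:
            if psig is not None:
                return False
        elif sig != psig:
            return False
    return True


if __name__ == "__main__":
    vk, sk = ds_keygen()
    print(all_consistent(sk, "00000000"))   # True
```

Consistency is exactly what makes the M2 → M3 switch on slide 35 an iO step: replacing sk by sk* inside the auxiliary program changes no signature except at m*, and the output at m* is hardwired as b*, so the two programs compute the same function.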


SLIDE 35

Hybrid Argument: A Single Transition

Adversary I wins if it outputs x such that...

  Hybrid game 0:  ... m ≥ "00...00".   aux = iO(M2)
  Game (0,A):     ... m ≥ "00...00".   aux = iO(M3)
  Game (0,B):     ... m ≥ "00...01".   aux = iO(M3)
  Hybrid game 1:  ... m ≥ "00...01".   aux = iO(M2)

where in every game x = (m, σ) must be a valid message-signature pair with |m| = k, and

  M2(M̃):  m ← M̃; σ ← DS.Sign(sk, m); b ← M̃(m, σ); Return b
  M3(M̃):  m ← M̃; If (m = m*) then return b*; σ ← DS.Sign(sk*, m); b ← M̃(m, σ); Return b

Game 0 → Game (0,A): Security of iO. Puncture sk at m* = "00...00"; M3 hardwires the answer b* at m* and uses the punctured key sk* elsewhere.
Game (0,A) → Game (0,B): Security of DS. The winning condition moves from m ≥ "00...00" to m ≥ "00...01", i.e. a win at m = m* would be a forgery for the punctured message.
Game (0,B) → Game 1: Security of iO. Revert back to the original aux = iO(M2).

SLIDE 36

Parameter Dependencies

[Diagram: dependency graph between diO, iO, the generator G, the programs P0, P1, P2, P3 and Pver, the hash function H and the length k.] A lot of technical details omitted in this talk. Hard to avoid circular dependencies.

Limitations of our results:

  • 1. TMs with poly-bounded inputs. Our results do not apply if the max input length of the TMs is a priori bounded by some polynomial ("I want to obfuscate TMs that take inputs of length ≤ a fixed poly"). Our attacks do not apply in this case.
  • 2. «Short» auxiliary inputs. [BST14] require |aux| < |P0| and |aux| < |P1| to avoid negative results. [GGHW14] found a workaround by assuming special-purpose obfuscation for TMs.

SLIDE 37

Thank You!