Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS - - PowerPoint PPT Presentation



SLIDE 1

Obfuscation from LWE?
proofs, attacks, candidates

Hoeteck Wee
CNRS & ENS

SLIDES 2-7

Obfuscation [BGIRSVY01, H00, GR07, GGHRSW13]

A circuit C is turned into an obfuscated circuit O(C) that anyone can run on inputs x and that computes the same function as C.

Security (indistinguishability obfuscation): if two circuits C and C′ are functionally equivalent,

    C ≡ C′,   i.e.   ∀x : C(x) = C′(x),

then their obfuscations are computationally indistinguishable,

    O(C) ≈c O(C′).

Obfuscation from LWE? This talk: candidates, proofs, and attacks.

SLIDE 8

preliminaries

SLIDES 9-15

LWE assumption [Regev 05]

    (A, sA + e) ≈c uniform

for a uniform matrix A, a secret row vector s and a small error vector e; ≈c denotes computational indistinguishability. The same holds with a secret matrix S and an error matrix E (a hybrid over the rows of S):

    (A, SA + E) ≈c uniform

Now split A into two row blocks A = (A_1 ; A_2) and apply the same secret S to both:

$$(A,\ (I_2 \otimes S)A + E) \approx_c \text{uniform},\qquad (I_2 \otimes S)A = \begin{pmatrix} S & 0 \\ 0 & S \end{pmatrix}\begin{pmatrix} A_1 \\ A_2 \end{pmatrix} = \begin{pmatrix} SA_1 \\ SA_2 \end{pmatrix}$$

This is still LWE with secret S (each block S A_j + E_j is an LWE instance and the blocks of A are independent). Replacing I_2 by a permutation matrix M only reorders the blocks S A_j, so

    (A, (M ⊗ S)A + E) ≈c uniform   for any permutation matrix M.

Notation used on the remaining slides: a wavy underline beneath an expression X (it survives in this transcript as a run of ✿ characters) stands for X + E, i.e. X with LWE error added; a wavy-underlined (M ⊗ S)A therefore means (M ⊗ S)A + E.

SLIDES 16-22

branching programs

A (matrix) branching program of length ℓ is a row vector u together with two matrices per layer,

    M_{1,0}, M_{2,0}, ..., M_{ℓ,0}
    M_{1,1}, M_{2,1}, ..., M_{ℓ,1}      all in {0,1}^{poly×poly}

  • evaluation. on input x, accept iff

        u M_x = u ∏_{i=1}^{ℓ} M_{i,x_i} = 0

    – read-many: M_x = ∏_{i=1}^{ℓ} M_{i, x_{i+1 mod n}} with |x| = n ≪ ℓ (indices taken in [n]), i.e. layer i reads input bit i+1 mod n, so every bit is read about ℓ/n times
    – captures both logspace and NC1

  • example. point function with 1 × 1 matrices: M_{i,0} = (1 − a_i), M_{i,1} = (a_i), u = (1). Then u M_x = ∏_i M_{i,x_i} equals 1 when x = a and 0 for every other x. The slide states this as "accept iff x = a"; note that under the accept-iff-zero rule above it is the inputs x ≠ a that give u M_x = 0, so for this example "accept" has to be read as the non-zero outcome (a product of 1 × 1 factors is zero as soon as one factor is, so "zero iff x = a" is not expressible this way; wider matrices are needed for that).

SLIDE 23

Obfuscation: FIRST principles

SLIDES 24-38

Obfuscation via GGH15 [Gentry Gorbunov Halevi 15, Canetti Chen 17, ...]

Encoding. Sample uniform matrices A_0, A_1, ..., A_ℓ together with lattice trapdoors, and small secret matrices S_{i,b}. The program matrix M_{i,b} is encoded between A_{i−1} and A_i as a short matrix D_{i,b} with

    A_{i−1} · D_{i,b} = (M_{i,b} ⊗ S_{i,b}) A_i + E_{i,b},   written   D_{i,b} = A_{i−1}^{-1}( (M_{i,b} ⊗ S_{i,b}) A_i + E_{i,b} ).

Sampling such a short preimage needs the trapdoor of A_{i−1}; the wavy underline on the slides marks the error E_{i,b} added to the target. For a length-2 program the obfuscation is

    A_0,   A_0^{-1}((M_{1,0} ⊗ S_{1,0})A_1 + E_{1,0}),   A_1^{-1}((M_{2,0} ⊗ S_{2,0})A_2 + E_{2,0}),
           A_0^{-1}((M_{1,1} ⊗ S_{1,1})A_1 + E_{1,1}),   A_1^{-1}((M_{2,1} ⊗ S_{2,1})A_2 + E_{2,1}).

  • evaluation. multiply the encodings along the path chosen by x, applying the mixed-product rule (A ⊗ B)(C ⊗ D) = AC ⊗ BD at every step:

        A_0 · D_{1,x_1} · D_{2,x_2} ··· D_{ℓ,x_ℓ} ≈ (M_x ⊗ S_x) A_ℓ,   S_x := ∏_i S_{i,x_i}.

    The "≈" hides the accumulated error ∑_i (M_{1,x_1}···M_{i−1,x_{i−1}} ⊗ S_{1,x_1}···S_{i−1,x_{i−1}}) E_{i,x_i} D_{i+1,x_{i+1}} ··· D_{ℓ,x_ℓ}; it stays small only because M_{i,b} and S_{i,b} are small [ACPS09] and the preimages D_{i,b} are short.

  • zero test. publish (u ⊗ I)A_0 in place of A_0. Then

        (u ⊗ I)A_0 · D_{1,x_1} ··· D_{ℓ,x_ℓ} ≈ (u M_x ⊗ S_x) A_ℓ,

    and since S_x ≠ 0 (a product of small full-rank matrices), u M_x ⊗ S_x = 0 iff u M_x = 0; so the evaluator accepts iff the product is ≈ 0 (every entry small), which happens ⇐⇒ u M_x = 0.

  • candidate obfuscation for NC1! [GGHRSW13, HHRS17, ...]

  • Q. is O(u, {M_{i,b}}) ≈c O(u′, {M′_{i,b}}) whenever (u, {M_{i,b}}) ≡ (u′, {M′_{i,b}}), i.e. whenever ∀x : u M_x = 0 ⇐⇒ u′ M′_x = 0 ?
SLIDES 39-48

the landscape [CVW18]: which programs (u, {M_{i,b}}) can GGH15 handle?

                                 all reject                some accept
                                 ∀x : u M_x ≠ 0            read-once          read-many
  diagonal M_{i,b}               ⇒ witness encryption      attacks  (2)
  permutation M_{i,b}            proofs  (1)
  M_{i,b} ∈ ( ⋆  1 ) block form                                               candidate NC1 obfuscation  (3)

Reading the table. "all reject" means ∀x : u M_x ≠ 0 under the accept-iff-zero rule. For permutation matrices and u ≠ 0, u M_x is a permutation of u and never zero, so permutation programs always reject; that is the column where the proofs live (1), and diagonal all-reject programs are exactly what witness encryption needs (3). "some accept" is where an obfuscator must hide something: for read-once programs there are attacks (2), and for read-many programs with M_{i,b} of the block form ( ⋆  1 ) drawn on the slide there is a candidate NC1 obfuscation (3). The numbers are the three parts of the talk.

SLIDE 49

1 proofs

SLIDES 50-62

secure O(permutation) [Canetti Chen 17, GKW17, WZ17]

The object studied is the encoding of a length-2 program with uniform A_0, A_1, A_2:

    A_0,   A_0^{-1}((M_{1,0} ⊗ S_{1,0})A_1 + E_{1,0}),   A_1^{-1}((M_{2,0} ⊗ S_{2,0})A_2 + E_{2,0}),
           A_0^{-1}((M_{1,1} ⊗ S_{1,1})A_1 + E_{1,1}),   A_1^{-1}((M_{2,1} ⊗ S_{2,1})A_2 + E_{2,1}).

  • lemma. (A_0, A_1, A_2 and the four encodings) ≈c random, for permutation matrices M_{i,b}.

  • proof. work backwards, from the last level to the first (←) [BVWW16]:
    – level 2: (M_{2,b} ⊗ S_{2,b})A_2 + E_{2,b} ≈c uniform by LWE, because M_{2,b} is a permutation matrix (slides 14-15); replace both level-2 targets by uniform matrices. A short preimage A_1^{-1}(uniform) of a uniform target is distributed independently of the trapdoor of A_1, so from here on A_1 is a plain uniform matrix and the level-2 encodings are just random short matrices.
    – level 1: with A_1 uniform and its trapdoor no longer used, (M_{1,b} ⊗ S_{1,b})A_1 + E_{1,b} ≈c uniform by LWE again, and A_0^{-1}(uniform) is again a random short matrix.
    – the final hybrid is (A_0, A_1, A_2, uniform, uniform, uniform, uniform), which does not depend on the program.

  • corollaries.
    – private constrained PRFs [Canetti Chen 17]
    – lockable obfuscation [Goyal Koppula Waters 17, Wichs Zirdelis 17]
    – traitor tracing [Goyal Koppula Waters 18, CVWWW 18]

SLIDE 63

2 attacks

SLIDE 64

O(read-once) [Halevi Halevi Stephens-Davidowitz Shoup 17, ...]

  • input. read-once program u, {M_{i,b}}
  • output.

        (u ⊗ I)A_0,   { A_{i−1}^{-1}( (M_{i,b} ⊗ S_{i,b})A_i + E_{i,b} ) }_{i∈[ℓ], b∈{0,1}}

  • evaluation. accept if (u M_x ⊗ S_x)A_ℓ + (error) ≈ 0, i.e. if every entry of the product is small

SLIDES 65-74

rank attack [Chen Vaikuntanathan W 18]

starting point [CHLRS15, CLLT16, CGH17]: instead of using only the accept/reject bit, collect the small values the zero test produces on many accepting inputs and do linear algebra on them.

  • 1. take L² accepting inputs of the form x_i | y_j with x_i, y_j ∈ {0,1}^{ℓ/2}, i, j ∈ [L], and set

        w_{ij} := eval(x_i | y_j) ≈ 0.

    Because the input accepts, w_{ij} is a small integer and can be read over Z rather than mod q. Because the program is read-once, the evaluation splits at the middle layer into a factor depending only on x_i and a factor depending only on y_j:

        w_{ij} = x̂_i · ŷ_j.

  • 2. rank( W = (w_{ij}) ∈ Z^{L×L} ) = rank(X), because

$$W = X\,Y,\qquad X=\begin{pmatrix}\hat x_1\\ \vdots\\ \hat x_L\end{pmatrix}=\begin{pmatrix} uM_{x_1}\otimes S_{x_1} \mid e_1\\ \vdots\\ uM_{x_L}\otimes S_{x_L} \mid e_L\end{pmatrix},\qquad Y=\begin{pmatrix}\hat y_1 & \cdots & \hat y_L\end{pmatrix},$$

    where e_i is the error accumulated over the first half and Y is low-norm and full rank, so it does not lower the rank. The slides then read rank(X) as the rank of the prefix matrix with rows u M_{x_1}, ..., u M_{x_L}. That rank is a property of the matrices (u, {M_{i,b}}), not of the function they compute, so two functionally equivalent read-once programs whose prefix matrices have different ranks yield distinguishable obfuscations: this is the "attacks" cell of the table on slides 39-48.

SLIDES 75-76

rank attack, read-many programs

  • O(size^c) attack for read-c programs [ADGM17, CLTT17]
  • intuition. unroll read-c into read-once at the cost of size O(size^c), then apply the rank attack; i.e., the attack fails (is no longer polynomial-time) when c is very large.
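What the rank attack ends up learning, as an added example in Python (not code from the talk or from [CVW18]): two constructed read-once programs that compute the same function but whose prefix matrices [u M_{x_i}]_i have ranks 1 and 2. The example does not run the lattice evaluation; it computes, exactly over Q, the rank that slide 74 says rank(W) reduces to, and shows it is a property of the matrices rather than of the function, which is why functionally equivalent programs become distinguishable. Both programs and the half/half split are assumptions of the example.

```python
"""What the rank attack of slides 65-74 recovers, on two equivalent read-once programs.

Added example, not code from the talk or [CVW18]. It does not run the lattice
evaluation; it computes the quantity the attack ends with, the rank of the prefix
matrix with rows u·M_{x_i} over the first halves x_i of accepting inputs (slide 74),
for two programs that compute the same function. The ranks differ, which is the
distinguishing signal: rank(W) = rank(X) depends on the matrices, not on the
function. Both programs are constructed here; the rank is computed exactly over Q.
"""
from fractions import Fraction
from itertools import product


def vecmat(v, M):
    """Row vector times matrix over Z."""
    return [sum(a * b for a, b in zip(v, col)) for col in zip(*M)]


def diag(entries):
    return [[e if i == j else 0 for j in range(len(entries))] for i, e in enumerate(entries)]


def rank(rows):
    """Rank over Q by Gauss-Jordan elimination (exact, no floating point)."""
    A = [[Fraction(v) for v in r] for r in rows]
    r = 0
    for c in range(len(A[0]) if A else 0):
        piv = next((i for i in range(r, len(A)) if A[i][c] != 0), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        for i in range(len(A)):
            if i != r and A[i][c] != 0:
                f = A[i][c] / A[r][c]
                A[i] = [a - f * b for a, b in zip(A[i], A[r])]
        r += 1
    return r


def prefix(u, layers, x):
    """u · M_{1,x_1} ··· M_{t,x_t} for a prefix x of length t ≤ ℓ."""
    row = list(u)
    for (M0, M1), bit in zip(layers, x):
        row = vecmat(row, M1 if bit else M0)
    return row


def accepts(u, layers, x):
    """Accept iff u·M_x is the zero vector (the slides' convention)."""
    return not any(prefix(u, layers, x))


def program_a(ell):
    """Width 1: u·M_x = 0 iff x_ℓ = 0; every prefix vector is (1)."""
    one = [[1]]
    return [1], [(one, one)] * (ell - 1) + [([[0]], one)]


def program_b(ell):
    """Width 2, same function; coordinate 2 additionally records whether x starts with 10."""
    I2 = diag([1, 1])
    layers = ([(diag([1, 0]), I2), (I2, diag([1, 0]))]   # coordinate 2 survives iff x_1 = 1, x_2 = 0
              + [(I2, I2)] * (ell - 3)
              + [(diag([0, 0]), I2)])                   # x_ℓ = 0 zeroes everything
    return [1, 1], layers


def equivalent(pa, pb, ell):
    """Brute-force functional equivalence on all 2^ℓ inputs."""
    return all(accepts(*pa, x) == accepts(*pb, x) for x in product((0, 1), repeat=ell))


def prefix_rank(u, layers, ell):
    """rank([u·M_{x_i}]_i) over the first halves x_i that extend to some accepting input.

    This is the rank the attack reads off W = (eval(x_i | y_j))_ij, which factors as
    X·Y with Y full rank; the rows of X are built from exactly these prefix vectors.
    """
    h = ell // 2
    halves = [x for x in product((0, 1), repeat=h)
              if any(accepts(u, layers, x + y) for y in product((0, 1), repeat=ell - h))]
    return rank([prefix(u, layers, x) for x in halves])


if __name__ == "__main__":
    ELL = 6
    print("same function:", equivalent(program_a(ELL), program_b(ELL), ELL))
    print("prefix rank A:", prefix_rank(*program_a(ELL), ELL),
          " prefix rank B:", prefix_rank(*program_b(ELL), ELL))
```

Both programs accept exactly the inputs with last bit 0, yet their GGH15 encodings would produce W matrices of rank 1 and rank 2 respectively, so an adversary who merely computes rank(W) tells them apart. Nothing in the argument used the secrets S_{i,b} or the errors; the leak comes from the read-once split alone, which is why the read-many candidate below adds structure that blocks this factorisation.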

SLIDE 77

3 candidate

SLIDES 78-81

witness encryption? [Chen Vaikuntanathan W 18]

  • input. SAT formula ϕ, message μ ∈ {0,1}
  • goal. enc(ϕ, μ) leaks μ iff ϕ is satisfiable
  • the formula as a branching program [GLW14]. u = (1 ··· 1) and diagonal M_{i,b} of dimension = # clauses, one diagonal slot per clause, arranged so that

        u M_x = 0  iff  x satisfies ϕ,   hence   ∃x : u M_x = 0  iff  ϕ is satisfiable.

    (Concretely, the j-th entry of u M_x is ∏_i (M_{i,x_i})_{jj}, so it suffices to put a 0 in slot j of M_{i,b} exactly when x_i = b satisfies clause j; slot j of u M_x is then zero iff clause j is satisfied by x.)
  • adding the message. û = (1 ··· 1 1) and diagonal M̂_{i,b} of dimension # clauses + 1, so that

        û M̂_x = (0 ··· 0 μ)  if x satisfies ϕ.

  • output.

        (û ⊗ I)A_0,   { A_{i−1}^{-1}( (M̂_{i,b} ⊗ S_{i,b})A_i + E_{i,b} ) }_{i∈[ℓ], b∈{0,1}}

    With a satisfying x the GGH15 evaluation gives ≈ (û M̂_x ⊗ S_x)A_ℓ, which is ≈ 0 iff μ = 0, so the zero test recovers μ. Security would need the all-reject case (ϕ unsatisfiable) to hide everything; that is the "diagonal, all reject ⇒ witness encryption" cell of slides 39-48, which the table lists as an implication rather than a proof.
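The branching-program evaluation rule of slides 16-22 and the [GLW14] encoding of a CNF from slides 79-80, as one added example in Python (not code from the talk): it evaluates u·M_x for read-once and read-many programs, checks the 1×1 point-function example, builds the diagonal per-clause matrices from a constructed CNF, verifies that u·M_x = 0 exactly on the satisfying assignments, and appends the μ coordinate. The rule for filling the diagonal and the choice to put μ in the last layer are this example's reading of the slides, which only say "diagonal, dim = # clauses".

```python
"""Branching-program evaluation and the [GLW14]-style CNF encoding of slides 79-80.

Added example, not code from the talk. It covers two passages of the deck: the
evaluation rule u·M_x = u·∏ M_{i,x_i} of slides 16-22 (read-once and read-many, plus
the 1×1 point-function example) and the witness-encryption programs of slides
79-81: all-ones u, one diagonal entry per clause, u·M_x = 0 iff x satisfies every
clause, and an extra coordinate carrying μ. The rule for filling the diagonal
(entry 0 iff the literal x_i = b satisfies the clause) and placing μ in the last
layer are this example's reading of the slides. The CNF instance is constructed.
"""
from itertools import product


def vecmat(v, M):
    """Row vector times matrix over Z."""
    return [sum(a * b for a, b in zip(v, col)) for col in zip(*M)]


def diag(entries):
    return [[e if i == j else 0 for j in range(len(entries))] for i, e in enumerate(entries)]


def bp_eval(u, layers, x, index=None):
    """u · ∏_i M_{i, x_index(i)} with layers[i] = (M_{i,0}, M_{i,1}).

    index(i) is the input bit read by layer i; it defaults to i (read-once). For a
    read-many program with n = len(x) ≪ ℓ pass e.g. index=lambda i: i % n.
    """
    row = list(u)
    for i, (M0, M1) in enumerate(layers):
        bit = x[i if index is None else index(i)]
        row = vecmat(row, M1 if bit else M0)
    return row


def accepts(u, layers, x, index=None):
    """Accept iff u·M_x is the zero vector (the slides' convention)."""
    return not any(bp_eval(u, layers, x, index))


def point_program(a):
    """Slides 21-22: M_{i,0} = (1 - a_i), M_{i,1} = (a_i); u·M_x = 1 iff x = a, else 0."""
    return [1], [([[1 - ai]], [[ai]]) for ai in a]


def cnf_program(clauses, nvars):
    """[GLW14] as read here: u = (1,..,1); (M_{i,b})_jj = 0 iff x_i = b satisfies clause j.

    A clause is a list of non-zero ints: +j stands for x_j, -j for NOT x_j (1-based).
    """
    layers = []
    for i in range(1, nvars + 1):
        M0 = diag([0 if -i in clause else 1 for clause in clauses])
        M1 = diag([0 if i in clause else 1 for clause in clauses])
        layers.append((M0, M1))
    return [1] * len(clauses), layers


def we_program(clauses, nvars, mu):
    """Slide 80: û = (1,..,1,1); M̂_{i,b} = diag(M_{i,b}, 1), except the last layer carries μ."""
    u, layers = cnf_program(clauses, nvars)
    m, ext = len(u), []
    for i, (M0, M1) in enumerate(layers):
        tail = mu if i == nvars - 1 else 1        # assumption: μ sits in the last layer
        ext.append((diag([M0[j][j] for j in range(m)] + [tail]),
                    diag([M1[j][j] for j in range(m)] + [tail])))
    return u + [1], ext


def satisfies(clauses, x):
    """Direct CNF check, used to validate the matrix encoding."""
    return all(any((x[abs(l) - 1] == 1) == (l > 0) for l in clause) for clause in clauses)


def encoding_matches(clauses, nvars):
    """True iff u·M_x = 0 exactly on satisfying assignments, also when evaluated read-many."""
    u, layers = cnf_program(clauses, nvars)
    twice = layers + layers                        # read-many: every bit is read twice
    return all(accepts(u, layers, x) == satisfies(clauses, x)
               and accepts(u, twice, x, index=lambda i: i % nvars) == satisfies(clauses, x)
               for x in product((0, 1), repeat=nvars))


# Constructed instance: (x1 ∨ ¬x2) ∧ (x2 ∨ x3) ∧ (¬x1 ∨ ¬x3)
DEMO_CLAUSES = [[1, -2], [2, 3], [-1, -3]]

if __name__ == "__main__":
    print("CNF encoding correct:", encoding_matches(DEMO_CLAUSES, 3))
    u, layers = we_program(DEMO_CLAUSES, 3, mu=1)
    print("û·M̂_x on satisfying 110:", bp_eval(u, layers, (1, 1, 0)))
    print("û·M̂_x on unsatisfying 000:", bp_eval(u, layers, (0, 0, 0)))
```

On the satisfying assignment 110 the extended program returns (0, 0, 0, μ); on 000 the second slot stays 1 because clause (x2 ∨ x3) is violated, so no μ can be read off. The same `bp_eval` with an `index` function is the read-many evaluation of slide 18, and `point_program` makes the caveat of slides 21-22 concrete: its product is non-zero precisely on x = a.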

SLIDES 82-87

simple obfuscation candidate [Chen Vaikuntanathan W 18]

  • input. read-many program u, {M_{i,b}}
  • output.

        (û ⊗ I)A_0,   { A_{i−1}^{-1}( (M̂_{i,b} ⊗ S_{i,b})A_i + E_{i,b} ) }_{i∈[ℓ], b∈{0,1}}

    with block-diagonal

$$\hat M_{i,b} = \begin{pmatrix} M_{i,b} & & & \\ & R^{(1)}_{i,b} & & \\ & & \ddots & \\ & & & R^{(\ell)}_{i,b} \end{pmatrix},\qquad R^{(j)}_{i,b} \in \{0,1\}^{2\times 2},$$

    and û the correspondingly extended u. The R^{(j)}_{i,b} blocks are for input consistency: a read-many program reads each input bit several times, and the extra blocks are meant to ensure that only evaluations which use the same value for a bit every time it is read can pass the zero test.

  • status.
    – secure in an idealized model [Bartusek Guan Ma Zhandry 18]
    – tweaks against statistical tests [Cheon Cho Hhan Kim Lee 19]

SLIDE 88

4 obfuscation: some thoughts

SLIDES 89-92

Obfuscation: small steps

  • 1. weaker primitives from LWE
    – lockable obfuscation, mixed FE, ...
  • 2. targets for cryptanalysis
    – minimal work-arounds
  • 3. candidates from "crypt-analyzable" assumptions

// merci !