1
On Statistically Secure Obfuscation with Approximate Correctness
Zvika Brakerski¹, Christina Brzuska², Nils Fleischhacker³
¹Weizmann Institute of Science, ²Technical University Hamburg, ³Saarland University
August 15, 2016
2
Statistically Secure Obfuscation
[Diagram: obfuscator O maps a circuit C, using randomness r, to C′]
◮ Perfect Correctness: For any circuit C
∀x : C′(x) = C(x)
◮ (1 − ε)-Approximate Correctness: For any circuit C,
Pr
r,x
3
Statistically Secure Obfuscation
[Diagram: obfuscator O maps a circuit C, using randomness r, to C′]
◮ Indistinguishability Obfuscator: For any pair of circuits
such that C_1 ≡ C_2 and |C_1| = |C_2|: SD(O(C_1), O(C_2)) ≤ negl(n)
◮ (1 − δ)-Correlation Obfuscator: For any pair of circuits
such that C_1 ≡ C_2 and |C_1| = |C_2|: SD(O(C_1), O(C_2)) ≤ δ(n)
4
Why Do We Even Care About Approximate Correctness?
Because approximate obfuscation is useful! [MMNPs16,SW14,Hol06]
[Plot: axes are correctness error ε and statistical distance δ; marked region: allows PKE from OWF]
5
Main Result
◮ If statistically secure, approximately correct iO (saiO) exists,
then either one-way functions do not exist, or NP ⊆ AM ∩ coAM.
◮ More Generally: If (1 − δ)-statistically secure,
(1 − ε)-approximately correct correlation obfuscation (sacO) exists with
δ(n) ≤ 1/3 − (2/3)·ε(n) − 1/poly(n), then either one-way
functions do not exist, or NP ⊆ AM ∩ coAM.
◮ For very weak parameters, a trivial construction of sacO exists
with δ(n) = 2ε(n).
6
The Landscape of Correlation Obfuscation
[Plot: axes are correctness error ε and statistical distance δ; regions: achievable with trivial construction, ruled out by negative result, allows PKE from OWF]
7
Impossibility of Perfect Correctness [GR07]
[Diagram: siO applied to Ψ_un and Ψ_sat]
GapSD ∈ AM ∩ coAM ⟹ NP ⊆ AM ∩ coAM
8
Why Does the Approach Fail in the Approximate Case?
[Diagram: saiO applied to Ψ_sat]
9
Overview of Our Approach
[Diagram: saiO applied to C_X[k, Ψ] (shown for Ψ_un and Ψ_sat) and to C_Y; other labels: x_0, a, b, C, ≡, ≈]
10
Puncturable Pseudorandom Functions [BW13,BGI14,KPTZ13]
b ← PRF(k, x)
k∗ ← Puncture(k, x_0)
◮ Functionality Preserved Under Puncturing:
For all x ≠ x_0, PRF(k∗, x) = PRF(k, x)
◮ Security: for x_0 chosen on input 1^n, k ←$ {0, 1}^n and k∗ = Puncture(k, x_0):
(k∗, PRF(k, x_0)) ≈ (k∗, b), where b ←$ {0, 1}
11
Enforcing Large Statistical Distance
C[k∗, x_0, b](x):
    if x = x_0 return b
    else return PRF(k∗, x)
Let C′ denote saiO(C[k∗, x_0, b]).
◮ b = PRF(k, x_0): C[k∗, x_0, b] ≡ PRF(k, ·), Pr[C′(x_0) = b] 1 − ε
◮ b = PRF(k, x_0) ⊕ 1: Pr[C′(x_0) = b] 1 − ε
C_PRF ← saiO(PRF(k, ·)), Pr[C_PRF(x_0) = b] ≥ 1 − ε
PRF security
Pr[C_PRF(x_0) = PRF(k, x_0)] ≥ 1 − ε ∧ Pr[C′(x_0) = PRF(k, x_0)] 1 − ε ⟹ SD(C_PRF, C) 1 − 2ε
12
Restriction to Unique-SAT
◮ We restrict our attention to Unique-SAT (USAT)
◮ USAT is NP-hard via a randomized reduction [VV85]
◮ Combining this with previous results [MX10,BL13] we show
that USAT ∈ BPP^GapSD ⟹ SAT ∈ AM ∩ coAM
13
The Formula-Indexed Circuit
C_X[k, s, Ψ](x):
    if Ψ(x ⊕ s) = 1 return PRF(k, x) ⊕ 1
    else return PRF(k, x)
◮ Ψ ∈ USAT: C_X[k, s, Ψ] ≡ C[k∗, x_0, b] for x_0 = x_ψ ⊕ s, b = PRF(k, x_0) ⊕ 1
◮ Ψ ∈ UNSAT: C_X[k, s, Ψ] ≡ PRF(k, ·)
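The puncturable PRF, the circuit C[k∗, x_0, b] and the formula-indexed circuit C_X from the slides above, as an added toy example that is not part of the original presentation. It assumes the GGM tree construction for the puncturable PRF (the slides do not fix one), HMAC-SHA256 as a stand-in PRG, and n = 8 so that equivalence can be checked exhaustively; all function names are hypothetical.

```python
import hashlib
import hmac

N = 8  # toy input length in bits (assumption; the slides use a general n)

def prg(seed, bit):
    # One half of a length-doubling PRG; HMAC-SHA256 is a stand-in (assumption).
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()

def bits(x):
    return [(x >> (N - 1 - i)) & 1 for i in range(N)]

def prf(k, x):
    # PRF(k, x): walk the GGM tree along the bits of x, output one bit.
    node = k
    for b in bits(x):
        node = prg(node, b)
    return node[0] & 1

def puncture(k, x0):
    # k* = seeds of the siblings along the path to x0, keyed by their prefix.
    k_star, node, path = {}, k, bits(x0)
    for i, b in enumerate(path):
        k_star[tuple(path[:i]) + (1 - b,)] = prg(node, 1 - b)
        node = prg(node, b)
    return k_star

def prf_punctured(k_star, x):
    # PRF(k*, x): defined for every x != x0, undefined at x0 itself.
    path = bits(x)
    for i in range(1, N + 1):
        seed = k_star.get(tuple(path[:i]))
        if seed is not None:
            for b in path[i:]:
                seed = prg(seed, b)
            return seed[0] & 1
    raise ValueError("k* cannot evaluate the punctured point")

def circuit_C(k_star, x0, b):
    # C[k*, x0, b] from the slides.
    return lambda x: b if x == x0 else prf_punctured(k_star, x)

def circuit_CX(k, s, psi):
    # C_X[k, s, Psi] from the slides; psi is a predicate on N-bit integers.
    return lambda x: prf(k, x) ^ 1 if psi(x ^ s) else prf(k, x)

def differing_inputs(c1, c2):
    # Exhaustive functional-equivalence check (feasible only for toy N).
    return [x for x in range(2 ** N) if c1(x) != c2(x)]
```

For an unsatisfiable `psi`, `differing_inputs(circuit_CX(k, s, psi), lambda x: prf(k, x))` is empty; for a `psi` with a single satisfying assignment x_ψ it is exactly `[x_ψ ^ s]`, and `circuit_CX` then agrees on every input with `circuit_C(puncture(k, x0), x0, prf(k, x0) ^ 1)`.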
14
Putting it All Together
X[Ψ](1^n):
    k ←$ {0, 1}^n
    s ←$ {0, 1}^n
    C := C_X[k, s, Ψ]
    C′ ←$ O(C)
    return (k, s, C′)
Y(1^n):
    k ←$ {0, 1}^n
    s ←$ {0, 1}^n
    C := PRF(k, ·)
    C′ ←$ O(C)
    return (k, s, C′)
Ψ ∈ UNSAT ⟺ SD(X[Ψ], Y) ≤ negl(n)
Ψ ∈ USAT ⟺ SD(X[Ψ], Y) 1 − 2ε
◮ We can therefore decide USAT in BPP^GapSD.
◮ Thus, if saiO and one-way functions both exist, then
NP ⊆ AM ∩ coAM and the polynomial hierarchy collapses.
15
The Landscape of Correlation Obfuscation
[Plot: axes are correctness error ε and statistical distance δ; regions: achievable with trivial construction, ruled out by negative result, allows PKE from OWF]
16
Nils Fleischhacker
fleischhacker@cs.uni-saarland.de
I’m looking for a postdoc position. If you’re interested in hiring me, please send me an email.
Full Version: ia.cr/2016/226