or SoS Meets Program Obfuscation Ilan Komargodski Joint work with - - PowerPoint PPT Presentation

▶

Aug 27, 2023 517 likes •683 views

Limits on Low-Degree PRGs or SoS Meets Program Obfuscation Ilan Komargodski Joint work with Boaz Barak (Harvard) Zvika Brakerski (Weizmann Institute) Pravesh K. Kothari (Princeton) Pseudorandom Generators (PRGs) : {0,1} {0,1}

SLIDE 1

Limits on Low-Degree PRGs

SoS Meets Program Obfuscation

Ilan Komargodski

Joint work with Boaz Barak (Harvard) Zvika Brakerski (Weizmann Institute) Pravesh K. Kothari (Princeton)

SLIDE 2

Pseudorandom Generators (PRGs)

𝐻: {0,1}𝑜 → {0,1}𝑛 𝑦1 𝑦2 𝑦𝑜 𝑧1 𝑧2 𝑧𝑛 𝐻 𝑉𝑜 ≈c.i 𝑉𝑛 Fundamental primitive in cryptography How simple can it be? 𝐻𝑗: {0,1}𝑜 → {0,1} 𝐻𝑗 𝑦 = 𝐻 𝑦 𝑗 Assuming OWFs, ∃ 𝐻: {0,1}𝑜 → {0,1}poly(𝑜)

SLIDE 3

Local Pseudorandom Generators

Locality 𝑒 – every output bit depends on 𝑒 input bits

Do such PRGs exist and if so, how much they can stretch?

𝐻: {0,1}𝑜 → {0,1}𝑛 𝑦1 𝑦2 𝑦𝑜 𝑧1 𝑧2 𝑧𝑛 𝐻 𝑉𝑜 ≈c.i 𝑉𝑛 𝐻𝑗: {0,1}𝑜 → {0,1} 𝐻𝑗 𝑦 = 𝐻 𝑦 𝑗 𝐻𝑗: {0,1}d → {0,1} 𝐻𝑗 𝑦|𝐽𝑗 = 𝐻 𝑦 𝑗

SLIDE 4

Local Pseudorandom Generators

Positive:

OWF ∈ NC1

⇒ ∃ 𝑯: 𝟏, 𝟐 𝒐 → 𝟏, 𝟐 𝒐+𝒐𝝑, 𝒆 = 𝑷(𝟐) [AIK06]

Candidate for 𝑯: 𝟏, 𝟐 𝒐 → 𝟏, 𝟐 𝐪𝐩𝐦𝐳(𝒐),

, 𝒆 = 𝑷(𝟐) [Gol00,…,App13,…,AR16,…] Negative:

For 𝑒 = 2, 𝑛 ≤ 𝑜

[CM01]

For 𝑒 = 3, 𝑛 = 𝑃(𝑜)

[CM01]

For 𝑒 = 4,

𝑛 = 𝑃(𝑜) [MST06]

For general 𝑒, 𝑛 = 𝑃 2𝑒 ⋅ 𝑜 𝑒/2

[MST06] Many applications:

New PKE schemes [ABW10]
Efficient MPC [IKO+11]
Reducing assumptions for indistinguishability obfuscation [AJS15,Lin16,…]

SLIDE 5

iO from Local PRGs

Theorem: [Lin16,AnanthSahai16] ∃ iO based on:

𝐻: 0,1 𝑜 → 0,1 𝑜1+𝜗 with locality 𝑒
Degree 𝑒 multilinear maps
𝑒 = 2
Bilinear maps (well studied, ∃ candidates)
No such PRG
𝑒 ∈ {3,4}
No satisfying candidate of mutlilinear maps
No such PRG
𝑒 ≥ 5
No satisfying candidate of mutlilinear maps
∃ candidates for PRG

SLIDE 6

iO from Local PRGs

Theorem: [LinTessaro17] ∃ iO based on:

𝐻: 0,1 𝑜 → 0,1 𝑜1+𝜗 with block locality 𝑒
Degree 𝑒 multilinear maps

𝐻: Σ𝑜 → {0,1}𝑛 𝑦1 𝑦2 𝑦𝑜 𝑧1 𝑧2 𝑧𝑛 𝐻 𝑉𝑜 ≈c.i 𝑉𝑛 𝐻𝑗: Σ𝑜 → {0,1} 𝐻𝑗 𝑦 = 𝐻 𝑦 𝑗 Σ = 2𝑐: 𝐻: 0,1 𝑜𝑐 → 0,1 𝑛 [LinTessaro17] need 𝐻: 0,1 𝑜𝑐 → 0,1 23𝑐𝑜1+𝜗 Attacks of [CM,MST] do not apply so might exist even for 𝒆 = 𝟑 !

SLIDE 7

Our Results in a Nutshell

SLIDE 8

Our Results

𝐻: Σ𝑜 → {0,1}𝑛 𝑦1 𝑦2 𝑦𝑜 𝑧1 𝑧2 𝑧𝑛

𝐻 𝑉𝑜 ≈c.i 𝑉𝑛

𝐻𝑗: Σ𝑜 → {0,1} 𝐻𝑗 𝑦 = 𝐻 𝑦 𝑗

Stretch Predicate Worst-case

vs. random

Graph Worst-case

vs. random

Predicate Different

vs. Same

Remark 𝑛 = ෨ 𝑃(22𝑐𝑜) Worst case Worst case Different 𝑛 = ෨ 𝑃(2𝑐𝑜) Worst case Worst case Same Also in [LV17] 𝑛 = ෨ 𝑃(2𝑐𝑜) Random Random Different

Bonus: Simple candidate 3- block-local PRG with O(1)-block size and poly stretch

SLIDE 9

Image Refutation

G(r) 𝑎 A A does image-refutation w.r.t 𝑎: Pr

𝑨←G r A 𝑨 = 1 = 1

Pr

𝑨←𝑎 A 𝑨 = 1 < 0.5

A break pseudo-randomness:

Pr

𝑨←𝑎 A 𝑨 = 1 −

Pr

𝑨←G r A 𝑨 = 1

> 𝑜𝑓𝑕 Refutation => distinguishing

𝑎=uniform

Refutation handles preprocessing on 𝑠

SLIDE 10

Proof Idea

Step 1: Reduce “block-locality” to “sparse algebraic degree“. Let ҧ 𝑞 = 𝑞1, … , 𝑞𝑛 is a tuple of degree 2 polynomials with 𝑡 monomials ҧ 𝑞: 𝐒𝑜 → 𝐒𝑛 Step 2: On input 𝑨 ∈ ±1 𝑛 (output of PRG or random), compute 𝑤𝑏𝑚 = max

𝑦∈{±1}𝑜 ෍ 𝑗=1 𝑛

𝑨𝑗 ⋅ 𝑞𝑗 𝑦

Theorem: 1) If 𝑨 is in the image of ҧ 𝑞, then 𝑤𝑏𝑚 is large 2) Otherwise 𝑤𝑏𝑚 is small

SLIDE 11

Step 2

On input 𝑨 ∈ ±1 𝑛 (output of PRG or random), compute 𝑤𝑏𝑚 = max

𝑦∈{±1}𝑜 ෍ 𝑗=1 𝑛

𝑨𝑗 ⋅ 𝑞𝑗 𝑦

1) If 𝑨 is in the image

f ҧ

𝑞, then 𝑤𝑏𝑚 ≥ 𝑛 2) Otherwise 𝑤𝑏𝑚 ≤ 𝑜𝑡𝑛

1) ∃𝑦: ෍

𝑗=1 𝑛

𝑨𝑗 ⋅ 𝑞𝑗 𝑦 = ෍

𝑗=1 𝑛

𝑨𝑗

2 = 𝑛

2) Define 𝑛 independent R.V Yi = 𝑨𝑗 ⋅ 𝑞𝑗 (⋅) where each 𝑍

𝑗 ≤ 𝑡.

By Chernoff w.h.p ෍

𝑗=1 𝑛

𝑍

𝑗 ≤ 𝑃

𝑜𝑡𝑛 .

Distinguish if 𝑛 ≥ Ω(𝑜𝑡)

SLIDE 12

Step 2

On input 𝑨 ∈ ±1 𝑛 (output of PRG or random), compute 𝑤𝑏𝑚 = max

𝑦∈{±1}𝑜 ෍ 𝑗=1 𝑛

𝑨𝑗 ⋅ 𝑞𝑗 𝑦

Theorem ]Charikar-Wirth via Grothendieck Inequality[: For every degree-2 polynomial 𝑞: 𝐒𝑜 → 𝐒 𝑤𝑏𝑚 = max

𝑦∈ ±1 𝑜 𝑞(𝑦)

can be approximated to within 𝑷(𝐦𝐩𝐡 𝒐) factor.

SLIDE 13

Step 1

Reduce “block-locality” to “sparse algebraic degree“. A-priori unrelated:

2-block-local with |block|=𝑐 could have degree 2𝑐

Idea: Preprocess 𝑦 ∈ ±1 𝑐𝑜 to 𝑦′ ∈ ±1 𝑜′ for 𝑜′ = 2𝑐𝑜

𝑐 𝑜 2𝑐 2𝑐 2𝑐 2𝑐 𝑜

𝑦 𝑦′

SLIDE 14

Step 1

The 𝑗-th block of 𝑦′ consists of all 2𝑐 monomials on the 𝑗-th block

f 𝑦.

𝐻: ±1 𝑐𝑜 → ±1 𝑛 ⇒ 𝐻′: ±1 2𝑐𝑜 → 𝐒𝑛 Properties:

If 𝐻 has block-locality ℓ, then 𝐻′ has degree ℓ
# of monomials in 𝐻′ is 22𝑐
𝐻′ is not necessarily a PRG even if 𝐻 is a PRG
Yet, the image of 𝐻′ contains the image of 𝐻
Solving image-refutation on 𝐻′ is enough

Rules out 2-block local generator with |block|=𝑐 with 𝑛 ≥ Ω 22𝑐 ⋅ 2𝑐 ⋅ 𝑜 = Ω(23𝑐 ⋅ 𝑜).

Using preprocessing

SLIDE 15

Summary & Questions

Stretch Predicate Worst- case vs. random Graph Worst- case vs. random Predicat e Different

vs. Same

Remark 𝑛 = ෨ 𝑃(22𝑐𝑜) Worst case Worst case Different 𝑛 = ෨ 𝑃(2𝑐𝑜) Worst case Worst case Same Also in [LV17] 𝑛 = ෨ 𝑃(2𝑐𝑜) Random Random Different

𝑛 = ෨

𝑃(2𝑐𝑜), worst-case, worst-case, different

Find a different way to get iO from bililnear maps