or SoS Meets Program Obfuscation Ilan Komargodski Joint work with - PowerPoint PPT Presentation

Limits on Low-Degree PRGs or SoS Meets Program Obfuscation Ilan Komargodski Joint work with Boaz Barak (Harvard) Zvika Brakerski (Weizmann Institute) Pravesh K. Kothari (Princeton)

Pseudorandom Generators (PRGs) 𝐻: {0,1} 𝑜 → {0,1} 𝑛 𝐻 𝑗 : {0,1} 𝑜 → {0,1} 𝐻 𝑗 𝑦 = 𝐻 𝑦 𝑗 𝑧 1 𝑧 𝑛 𝑧 2 𝑦 1 𝑦 2 𝑦 𝑜 𝐻 𝑉 𝑜 ≈ c.i 𝑉 𝑛 Fundamental primitive in cryptography Assuming OWFs, ∃ 𝐻: {0,1} 𝑜 → {0,1} poly(𝑜) How simple can it be? 2

Local Pseudorandom Generators 𝐻: {0,1} 𝑜 → {0,1} 𝑛 𝐻 𝑗 : {0,1} 𝑜 → {0,1} 𝐻 𝑗 : {0,1} d → {0,1} 𝐻 𝑗 𝑦|𝐽 𝑗 = 𝐻 𝑦 𝑗 𝐻 𝑗 𝑦 = 𝐻 𝑦 𝑗 𝑧 1 𝑧 𝑛 𝑧 2 Locality 𝑒 – every output bit depends on 𝑒 input bits 𝑦 1 𝑦 2 𝑦 𝑜 𝐻 𝑉 𝑜 ≈ c.i 𝑉 𝑛 Do such PRGs exist and if so, how much they can stretch? 3

Local Pseudorandom Generators Positive : ⇒ ∃ 𝑯: 𝟏, 𝟐 𝒐 → 𝟏, 𝟐 𝒐+𝒐 𝝑 , 𝒆 = 𝑷(𝟐) [AIK06] • OWF ∈ NC 1 • Candidate for 𝑯: 𝟏, 𝟐 𝒐 → 𝟏, 𝟐 𝐪𝐩𝐦𝐳(𝒐) , , 𝒆 = 𝑷(𝟐) [Gol00, … ,App13, … ,AR16, … ] Negative : • For 𝑒 = 2 , 𝑛 ≤ 𝑜 [CM01] • For 𝑒 = 3 , 𝑛 = 𝑃(𝑜) [CM01] • For 𝑒 = 4, 𝑛 = 𝑃(𝑜) [MST06] For general 𝑒, 𝑛 = 𝑃 2 𝑒 ⋅ 𝑜 𝑒/2 • [MST06] Many applications : • New PKE schemes [ABW10] • Efficient MPC [IKO+11] • Reducing assumptions for indistinguishability obfuscation [AJS15,Lin16, … ] 4

iO from Local PRGs Theorem : [Lin16,AnanthSahai16] ∃ iO based on: • 𝐻: 0,1 𝑜 → 0,1 𝑜 1+𝜗 with locality 𝑒 • Degree 𝑒 multilinear maps • 𝑒 = 2 • Bilinear maps (well studied, ∃ candidates) • No such PRG • 𝑒 ∈ {3,4} • No satisfying candidate of mutlilinear maps • No such PRG • 𝑒 ≥ 5 • No satisfying candidate of mutlilinear maps • ∃ candidates for PRG 5

iO from Local PRGs Theorem : [LinTessaro17] ∃ iO based on: • 𝐻: 0,1 𝑜 → 0,1 𝑜 1+𝜗 with block locality 𝑒 • Degree 𝑒 multilinear maps 𝐻: Σ 𝑜 → {0,1} 𝑛 𝐻 𝑗 : Σ 𝑜 → {0,1} Σ = 2 𝑐 : 𝐻 𝑗 𝑦 = 𝐻 𝑦 𝑗 𝐻: 0,1 𝑜𝑐 → 0,1 𝑛 𝑧 1 𝑧 2 𝑧 𝑛 [LinTessaro17] need 𝐻: 0,1 𝑜𝑐 → 0,1 2 3𝑐 𝑜 1+𝜗 Attacks of [CM,MST] do 𝑦 1 𝑦 2 𝑦 𝑜 not apply so might exist even for 𝒆 = 𝟑 ! 𝐻 𝑉 𝑜 ≈ c.i 𝑉 𝑛 6

Our Results in a Nutshell 7

Our Results Stretch Predicate Graph Predicate Remark Worst-case Worst-case Different vs. random vs. random vs. Same 𝑛 = ෨ 𝑃(2 2𝑐 𝑜) Worst case Worst case Different 𝑛 = ෨ 𝑃(2 𝑐 𝑜) Worst case Worst case Same Also in [LV17] 𝑛 = ෨ 𝑃(2 𝑐 𝑜) Random Random Different 𝐻 𝑗 : Σ 𝑜 → {0,1} 𝐻: Σ 𝑜 → {0,1} 𝑛 𝐻 𝑗 𝑦 = 𝐻 𝑦 𝑗 𝑧 1 𝑧 2 𝑧 𝑛 Bonus: Simple candidate 3- block-local PRG with O(1)-block size and 𝑦 1 𝑦 2 𝑦 𝑜 poly stretch 𝐻 𝑉 𝑜 ≈ c.i 𝑉 𝑛 8

Image Refutation G(r) 𝑎 A break pseudo-randomness: A 𝑨←𝑎 A 𝑨 = 1 − Pr 𝑨←G r A 𝑨 = 1 Pr > 𝑜𝑓𝑕 A does image-refutation Refutation => distinguishing • 𝑎 =uniform w.r.t 𝑎 : 𝑨←G r A 𝑨 = 1 = 1 Pr Refutation handles 𝑨←𝑎 A 𝑨 = 1 < 0.5 Pr preprocessing on 𝑠 9

ҧ Proof Idea Step 1: Reduce “block - locality” to “sparse algebraic degree“. Let ҧ 𝑞 = 𝑞 1 , … , 𝑞 𝑛 is a tuple of degree 2 polynomials with 𝑡 monomials 𝑞: 𝐒 𝑜 → 𝐒 𝑛 Step 2: On input 𝑨 ∈ ±1 𝑛 (output of PRG or random), compute 𝑛 𝑤𝑏𝑚 = 𝑦∈{±1} 𝑜 ෍ max 𝑨 𝑗 ⋅ 𝑞 𝑗 𝑦 𝑗=1 Theorem : 1) If 𝑨 is in the image of ҧ 𝑞 , then 𝑤𝑏𝑚 is large 2) Otherwise 𝑤𝑏𝑚 is small 10

Step 2 On input 𝑨 ∈ ±1 𝑛 (output of PRG or random), compute 𝑛 𝑤𝑏𝑚 = 𝑦∈{±1} 𝑜 ෍ max 𝑨 𝑗 ⋅ 𝑞 𝑗 𝑦 𝑗=1 Distinguish if 1) 𝑛 𝑛 𝑛 ≥ Ω(𝑜𝑡) 2 = 𝑛 ∃𝑦: ෍ 𝑨 𝑗 ⋅ 𝑞 𝑗 𝑦 = ෍ 𝑨 𝑗 𝑗=1 𝑗=1 2) 1) If 𝑨 is in the image Define 𝑛 independent R.V 𝑞 , then 𝑤𝑏𝑚 ≥ 𝑛 of ҧ Y i = 𝑨 𝑗 ⋅ 𝑞 𝑗 (⋅) where each 𝑍 𝑗 ≤ 𝑡. 2) Otherwise By Chernoff w.h.p 𝑛 𝑤𝑏𝑚 ≤ 𝑜𝑡𝑛 ෍ 𝑍 𝑗 ≤ 𝑃 𝑜𝑡𝑛 . 𝑗=1 11

Step 2 On input 𝑨 ∈ ±1 𝑛 (output of PRG or random), compute 𝑛 𝑤𝑏𝑚 = 𝑦∈{±1} 𝑜 ෍ max 𝑨 𝑗 ⋅ 𝑞 𝑗 𝑦 𝑗=1 Theorem ] Charikar-Wirth via Grothendieck Inequality [ : For every degree - 2 polynomial 𝑞: 𝐒 𝑜 → 𝐒 𝑤𝑏𝑚 = 𝑦∈ ±1 𝑜 𝑞(𝑦) max can be approximated to within 𝑷(𝐦𝐩𝐡 𝒐) factor. 12

Step 1 Reduce “ block-locality ” to “ sparse algebraic degree “ . A-priori unrelated: • 2-block-local with |block|= 𝑐 could have degree 2𝑐 Idea: Preprocess 𝑦 ∈ ±1 𝑐𝑜 to 𝑦 ′ ∈ ±1 𝑜 ′ for 𝑜 ′ = 2 𝑐 𝑜 𝑦 𝑐 𝑜 𝑜 𝑦′ 2 𝑐 2 𝑐 2 𝑐 2 𝑐 13

Step 1 The 𝑗 -th block of 𝑦′ consists of all 2 𝑐 monomials on the 𝑗 -th block of 𝑦 . 𝐻: ±1 𝑐𝑜 → ±1 𝑛 𝐻′: ±1 2 𝑐 𝑜 → 𝐒 𝑛 ⇒ Properties: • If 𝐻 has block-locality ℓ , then 𝐻′ has degree ℓ • # of monomials in 𝐻′ is 2 2𝑐 • 𝐻′ is not necessarily a PRG even if 𝐻 is a PRG • Yet, the image of 𝐻′ contains the image of 𝐻 Using • Solving image-refutation on 𝐻′ is enough preprocessing Rules out 2-block local generator with |block|= 𝑐 with 𝑛 ≥ Ω 2 2𝑐 ⋅ 2 𝑐 ⋅ 𝑜 = Ω(2 3𝑐 ⋅ 𝑜) . 14

Summary & Questions Stretch Predicate Graph Predicat Remark Worst- Worst- e case vs. case vs. Different random random vs. Same 𝑛 = ෨ 𝑃(2 2𝑐 𝑜) Worst Worst Different case case 𝑛 = ෨ 𝑃(2 𝑐 𝑜) Worst Worst Same Also in case case [LV17] 𝑛 = ෨ 𝑃(2 𝑐 𝑜) Random Random Different • 𝑛 = ෨ 𝑃(2 𝑐 𝑜) , worst-case, worst-case, different • Find a different way to get iO from bililnear maps 15