The Usefulness of Sparsifiable Inputs: How to Avoid Subexponential iO Thomas Agrikola 1 Geoffroy Couteau 2 Dennis Hofheinz 3 1 Karlsruhe Institute of Technology (KIT), Germany 2 IRIF, Paris-Diderot University, CNRS, France 3 ETH Zurich, Switzerland May 12, 2020
Introduction Indistinguishability obfuscation (IO) is a method to transform a program into an unintelligible one maintaining the original functionality. P 1 ≡ P 2 iO iO iO ( P 1 ) iO ( P 2 ) ≈ Introduction Recap Doubly probabilistic IO Applications Conclusion 1 / 15
Applications of iO encryption Functional adaptive MPC Succinct ◮ We can build almost anything from iO . [GGHRS+13] [CsW19; ACIJS20] IO for Turing Deniable encryption machines [SW14] [KLW15] iO [CLTV15] [FHHL18] Graded encoding Fully homomorphic [DHRW16] [BGI16] schemes encryption [DN18] Homomorphic secret sharing Spooky encryption Universal proxy re-encryption poly reduction to iO subexp reduction to iO Introduction Recap Doubly probabilistic IO Applications Conclusion 2 / 15
Applications of iO encryption Functional adaptive MPC Succinct ◮ We can build almost anything from iO . [GGHRS+13] [CsW19; ACIJS20] IO for Turing Deniable encryption machines [SW14] [KLW15] ◮ But what can we do iO [CLTV15] [FHHL18] from polynomial iO ? Graded encoding Fully homomorphic [DHRW16] [BGI16] schemes encryption [DN18] Homomorphic secret sharing Spooky encryption Universal proxy re-encryption poly reduction to iO subexp reduction to iO Introduction Recap Doubly probabilistic IO Applications Conclusion 2 / 15
Related work on removing subexp. IO ◮ Previous approaches to avoid subexponential reductions to iO: replace iO with functional encryption, [GS16; GPSZ17; LZ17; KLMR18] ◮ short signatures ◮ universal samplers ◮ non-interactive multiparty key exchange ◮ trapdoor one-way permutations ◮ multi-key functional encryption ◮ . . . Introduction Recap Doubly probabilistic IO Applications Conclusion 3 / 15
Related work on removing subexp. IO ◮ Previous approaches to avoid subexponential reductions to iO: replace iO with functional encryption, [GS16; GPSZ17; LZ17; KLMR18] ◮ short signatures ◮ universal samplers ◮ non-interactive multiparty key exchange ◮ trapdoor one-way permutations ◮ multi-key functional encryption ◮ . . . ◮ But the supported operations are relatively restricted Introduction Recap Doubly probabilistic IO Applications Conclusion 3 / 15
Applications of iO encryption Functional adaptive MPC Succinct ◮ We can build almost anything from iO . [GGHRS+13] [CsW19; ACIJS20] IO for Turing Deniable encryption machines [SW14] [KLW15] ◮ But what can we do iO [CLTV15] [FHHL18] from polynomial iO ? Graded encoding Fully homomorphic [DHRW16] [BGI16] schemes encryption [DN18] Homomorphic secret sharing Spooky encryption Universal proxy re-encryption poly reduction to iO subexp reduction to iO piO abstraction Introduction Recap Doubly probabilistic IO Applications Conclusion 4 / 15
Applications of iO encryption Functional adaptive MPC Succinct ◮ We can build almost anything from iO . [GGHRS+13] [CsW19; ACIJS20] IO for Turing Deniable encryption machines [SW14] [KLW15] ◮ But what can we do iO [CLTV15] [FHHL18] from polynomial iO ? Graded encoding Fully homomorphic [DHRW16] [BGI16] schemes encryption [DN18] Homomorphic secret sharing Spooky encryption Universal proxy re-encryption poly reduction to iO subexp reduction to iO piO abstraction Introduction Recap Doubly probabilistic IO Applications Conclusion 4 / 15
Probabilistic IO iO compiles programs into unintelligible ones, while preserving their functionality . x x x x deterministic piO iO iO ( P ) piO ( P ) P P P ( x ) P ( x ) P ( x ; r ) P ( x ; r ′ ) functionally “functionally equivalent indistinguishable” P 1 ≡ P 2 P 1 ≈ P 2 piO piO iO iO iO ( P 1 ) iO ( P 2 ) piO ( P 1 ) piO ( P 2 ) ≈ ≈ Introduction Recap Doubly probabilistic IO Applications Conclusion 5 / 15
Probabilistic IO iO compiles programs into unintelligible ones, while preserving their functionality . x x x x deterministic piO iO iO ( P ) piO ( P ) P P P ( x ) P ( x ) P ( x ; r ) P ( x ; r ′ ) functionally “functionally equivalent indistinguishable” P 1 ≡ P 2 P 1 ≈ P 2 piO piO iO iO iO ( P 1 ) iO ( P 2 ) piO ( P 1 ) piO ( P 2 ) ≈ ≈ Introduction Recap Doubly probabilistic IO Applications Conclusion 5 / 15
Probabilistic IO iO compiles programs into piO compiles randomized unintelligible ones, while programs into deterministic preserving their functionality . unintelligible ones, while preserving their functionality . x x x x deterministic piO iO iO ( P ) piO ( P ) P P P ( x ) P ( x ) P ( x ; r ) P ( x ; r ′ ) functionally “functionally equivalent indistinguishable” P 1 ≡ P 2 P 1 ≈ P 2 piO piO iO iO iO ( P 1 ) iO ( P 2 ) piO ( P 1 ) piO ( P 2 ) ≈ ≈ Introduction Recap Doubly probabilistic IO Applications Conclusion 5 / 15
Probabilistic IO iO compiles programs into piO compiles randomized unintelligible ones, while programs into deterministic preserving their functionality . unintelligible ones, while preserving their functionality . x x x x deterministic piO iO iO ( P ) piO ( P ) P P P ( x ) P ( x ) P ( x ; r ) P ( x ; r ′ ) functionally “functionally equivalent indistinguishable” P 1 ≡ P 2 P 1 ≈ P 2 piO piO iO iO iO ( P 1 ) iO ( P 2 ) piO ( P 1 ) piO ( P 2 ) ≈ ≈ Introduction Recap Doubly probabilistic IO Applications Conclusion 5 / 15
Why does piO require subexponential iO ? ◮ Programs are only required to be “functionally indistinguishable” Introduction Recap Doubly probabilistic IO Applications Conclusion 6 / 15
Why does piO require subexponential iO ? ◮ Programs are only required to be “functionally indistinguishable” ◮ Captures a vast class of programs, e.g. P 1 ( x ; r ) P 2 ( x ; r ) ≈ return Enc ( pk , x ; r ) return Enc ( pk , 0; r ) Introduction Recap Doubly probabilistic IO Applications Conclusion 6 / 15
Why does piO require subexponential iO ? ◮ Programs are only required to be “functionally indistinguishable” ◮ Captures a vast class of programs, e.g. P 1 ( x ; r ) P 2 ( x ; r ) ≈ return Enc ( pk , x ; r ) return Enc ( pk , 0; r ) ◮ Strategy due to Canetti et al., [CLTV15]: ◮ derive random coins from input x via PRF( K , x ) r := PRF( x ) piO ( P ) iO return P ( x ; r ) Introduction Recap Doubly probabilistic IO Applications Conclusion 6 / 15
Why does piO require subexponential iO ? ◮ Programs are only required to be “functionally indistinguishable” ◮ Captures a vast class of programs, e.g. P 1 ( x ; r ) P 2 ( x ; r ) ≈ return Enc ( pk , x ; r ) return Enc ( pk , 0; r ) ◮ Strategy due to Canetti et al., [CLTV15]: ◮ derive random coins from input x via PRF( K , x ) r := PRF( x ) piO ( P ) iO return P ( x ; r ) ◮ use iO to obfuscate this deterministic program Introduction Recap Doubly probabilistic IO Applications Conclusion 6 / 15
Construction of piO due to Canetti et al., [CLTV15] piO construction: Example: P 1 ( x ; r ) P 2 ( x ; r ) ≈ r := PRF( x ) return Enc ( pk , x ; r ) return Enc ( pk , 0; r ) return P ( x ; r ) ◮ But iO security can only be applied if circuits behave fully identically ◮ in our example, P 1 and P 2 behave very differently Introduction Recap Doubly probabilistic IO Applications Conclusion 7 / 15
Construction of piO due to Canetti et al., [CLTV15] piO construction: Example: P 1 ( x ; r ) P 2 ( x ; r ) ≈ r := PRF( x ) return Enc ( pk , x ; r ) return Enc ( pk , 0; r ) return P ( x ; r ) ◮ But iO security can only be applied if circuits behave fully identically ◮ in our example, P 1 and P 2 behave very differently � direct (polynomial) reduction to iO won’t work Introduction Recap Doubly probabilistic IO Applications Conclusion 7 / 15
Construction of piO due to Canetti et al., [CLTV15] piO construction: Example: P 1 ( x ; r ) P 2 ( x ; r ) ≈ r := PRF( x ) return Enc ( pk , x ; r ) return Enc ( pk , 0; r ) return P ( x ; r ) ◮ But iO security can only be applied if circuits behave fully identically ◮ in our example, P 1 and P 2 behave very differently � direct (polynomial) reduction to iO won’t work ◮ Use a “one-input-at-a-time” hybrid argument for all possible inputs ◮ this includes the randomness Introduction Recap Doubly probabilistic IO Applications Conclusion 7 / 15
Construction of piO due to Canetti et al., [CLTV15] piO construction: Example: P 1 ( x ; r ) P 2 ( x ; r ) ≈ r := PRF( x ) return Enc ( pk , x ; r ) return Enc ( pk , 0; r ) return P ( x ; r ) ◮ But iO security can only be applied if circuits behave fully identically ◮ in our example, P 1 and P 2 behave very differently � direct (polynomial) reduction to iO won’t work ◮ Use a “one-input-at-a-time” hybrid argument for all possible inputs ◮ this includes the randomness � Our goal: reduce number of hybrids to a polynomial amount Introduction Recap Doubly probabilistic IO Applications Conclusion 7 / 15
Main tool – Extremely lossy functions ◮ Extremely lossy functions (ELFs) due to Zhandry, [Zha16] offer two indistinguishable modes: injective mode extremely lossy mode image size exponential image size polynomial Introduction Recap Doubly probabilistic IO Applications Conclusion 8 / 15
Recommend
More recommend