SoraSuegami
October 13, 2024

Introduction to Indistinguishability/Ideal Obfuscation (iO)

An introduction to indistinguishability/ideal Obfuscation (iO) at Progcrypto camp.


Transcript

  1. Issues of Multi Party Computation (MPC)

    While MPC, including fully homomorphic encryption (FHE), is a practical method for private computation, it relies on the following two assumptions:
    • Online Assumption: Some parties holding some secrets or private inputs must remain online until MPC terminates.
    • Threshold Assumption: When one group of parties, called a committee, holds secrets used during MPC for all users, more than a threshold number of the committee parties must be honest and online.
  2. Online & Threshold Assumptions are not ideal

    The threshold t indicates a trade-off between safety and liveness, but the online assumption requires both.
    • Safety: No private data is maliciously revealed during MPC.
    • Liveness: MPC eventually succeeds.
    [Diagram: trade-off between safety and liveness along the threshold axis, with endpoints t = 1 and t = n.]
  3. Obfuscation fixes this.

    [Diagram: User’s Machine]
    Any user can evaluate a private (unknown) program hardcoding some secrets s on arbitrary input x non-interactively, without learning more information than P(x, s)!
  4. Obfuscation fixes this.

    [Diagram: User’s Machine; Obfuscated program for P with secrets s]
    Any user can evaluate a private (unknown) program hardcoding some secrets s on arbitrary input x non-interactively, without learning more information than P(x, s)!
  5. Obfuscation fixes this.

    [Diagram: User’s Machine; Obfuscated program for P with secrets s; Input x]
    Any user can evaluate a private (unknown) program hardcoding some secrets s on arbitrary input x non-interactively, without learning more information than P(x, s)!
  6. Obfuscation fixes this.

    [Diagram: User’s Machine; Obfuscated program for P with secrets s; Input x; Output P(x, s)]
    Any user can evaluate a private (unknown) program hardcoding some secrets s on arbitrary input x non-interactively, without learning more information than P(x, s)!
  7. What is Obfuscation based on Cryptographic Assumptions?

    [Diagram: an Obfuscation Compiler takes Circuit C and produces Obfuscated Circuit Obf(C). On the same Input x, Output C(x) = Output Obf(C)(x).]
  8. What is Obfuscation based on Cryptographic Assumptions?

    [Diagram: Obfuscated Circuit Obf(C); Analyzing…; Hardcoded private data; Secret algorithm]
    Informal: suppose an adversary can extract non-trivial information in the circuit from the obfuscated circuit. Then we can construct an adversary that breaks hard problems in cryptography.
  10. Indistinguishability Obfuscation (iO)

    Even if $C_0$ contains some hardcoded private data, if we can make a circuit $C_1$ without the private data that has the same output as that of $C_0$ for all inputs that an adversary can provide, the obfuscation of $C_0$ does not reveal information about the hardcoded private data because it is indistinguishable from the obfuscation of $C_1$.
  12. Ideal Obfuscation under Pseudorandom Oracle Model [JLL+23]

    Unfortunately, any scheme, including iO, cannot ensure that an adversary cannot learn more information than the circuit output in the plain model [BGI+01].
    The security of iO is the best possible obfuscation [GR07].
    However, by modeling a hash function as a pseudorandom oracle (PrO) (similar to a random oracle but different from it), we can construct an ideal obfuscation that reveals no information except for the output [JLL+23].
  13. Bootstrapping iO using verifiable FHE [GGH+13]

    We actually need iO only for ZKP verification + FHE decryption, which is represented by a shallow ($NC^1$) circuit!
    Obfuscation:
    • FHE.Enc(C(⋅, s))
    • $iO_{sk}$
  14. Bootstrapping iO using verifiable FHE [GGH+13]

    We actually need iO only for ZKP verification + FHE decryption, which is represented by a shallow ($NC^1$) circuit!
    Obfuscation:
    • FHE.Enc(C(⋅, s))
    • $iO_{sk}$
    $iO_{sk}$(π, FHE.Enc(y)):
    1. Verify the proof π to assert that the given FHE.Enc(y) is a correct output of FHE.Eval(C(x, s)) for some x.
    2. Output FHE.Dec(sk, FHE.Enc(y)).
  15. Bootstrapping iO using verifiable FHE [GGH+13]

    We actually need iO only for ZKP verification + FHE decryption, which is represented by a shallow ($NC^1$) circuit!
    • Obfuscate(C, s) executed by an obfuscator:
      1. Sample FHE secret and public keys (sk, pk).
      2. Encrypt C(⋅, s) under pk.
      3. Generate $iO_{sk}$, which hardcodes sk.
      4. Output iO = (FHE.Enc(C(⋅, s)), $iO_{sk}$).
  16. Bootstrapping iO using verifiable FHE [GGH+13]

    We actually need iO only for ZKP verification + FHE decryption, which is represented by a shallow ($NC^1$) circuit!
    • Obfuscate(C, s) executed by an obfuscator:
      1. Sample FHE secret and public keys (sk, pk).
      2. Encrypt C(⋅, s) under pk.
      3. Generate $iO_{sk}$, which hardcodes sk.
      4. Output iO = (FHE.Enc(C(⋅, s)), $iO_{sk}$).
    • Eval(iO, x) executed by an evaluator:
      1. Compute FHE.Enc(y) := FHE.Eval(C(x, s)).
      2. Generate a ZKP proof π for FHE.Enc(y).
      3. Evaluate $iO_{sk}$(π, FHE.Enc(y)), outputting y = C(x, s).
  17. How to construct iO

    Well-studied Cryptographic Assumptions:
    • Learning Parity with Noise assumption
    • Pseudo Random Generator in $NC^0$ (constant depth circuit)
    • Decision Linear assumption on bilinear groups
    → [JLS22] → Public Key Functional Encryption whose encryption time is sublinear in the circuit output size
  18. How to construct iO

    Well-studied Cryptographic Assumptions:
    • Learning Parity with Noise assumption
    • Pseudo Random Generator in $NC^0$ (constant depth circuit)
    • Decision Linear assumption on bilinear groups
    → [JLS22] → Public Key Functional Encryption whose encryption time is sublinear in the circuit output size
    → [BV18] → Indistinguishability Obfuscation
    → + PrO model [JLL+23] → Ideal Obfuscation
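  20. Public-Key Functional Encryption

    • Setup: outputs the Master secret key msk and the Encryption key ek.
    • Enc: takes ek and Message m, outputs Ciphertext ct.
    • KeyGen: takes msk and Circuit C, outputs the Functional secret key $fsk_C$.
    • Dec: takes ct and $fsk_C$, outputs Output C(m).
    [Diagram legend: Private Operation; Public Operation]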
  21. Public-Key Functional Encryption

    PKFE vs FHE

    | | PKFE | FHE |
    |---|---|---|
    | Output | Plaintext | Ciphertext |
    | Circuit that can be evaluated | Limited by a trusted party | Free |
    | Circuit is Private/Public | Public | Can be Private |
  22. iO from Public-Key Functional Encryption

    PKFE is almost iO since it allows non-interactive evaluation of the specific circuit on private inputs.
    However, PKFE is not iO because a functional secret key does not hide information inside the circuit.
    During the evaluation of C(x, s):
    • PKFE: C, s are public, x is private.
    • iO: C, s are private, x is public.
  23. Constructing iO by Recursive use of PKFE [BV18]

    Key Idea: adding each bit of the evaluator's input x to the PKFE encryption of (C, s) provided by the obfuscator.
    The evaluator can finally obtain an encryption of (C, s, x), allowing PKFE decryption to output C(x, s).
  24. Constructing iO by Recursive use of PKFE [BV18]

    Key Idea: adding each bit of the evaluator's input x to the PKFE encryption of (C, s) provided by the obfuscator.
    The evaluator can finally obtain an encryption of (C, s, x), allowing PKFE decryption to output C(x, s).
    Recursive Encryption Circuit:
    $D_i(C, s, x_1 x_2 \dots x_{i-1}) := \mathrm{FE.Enc}(pk, (C, s, x_1 x_2 \dots x_{i-1} 0)) \,\|\, \mathrm{FE.Enc}(pk, (C, s, x_1 x_2 \dots x_{i-1} 1))$
  25. Constructing iO by Recursive use of PKFE [BV18]

    Key Idea: adding each bit of the evaluator's input x to the PKFE encryption of (C, s) provided by the obfuscator.
    The evaluator can finally obtain an encryption of (C, s, x), allowing PKFE decryption to output C(x, s).
    Recursive Encryption Circuit:
    $D_i(C, s, x_1 x_2 \dots x_{i-1}) := \mathrm{FE.Enc}(pk, (C, s, x_1 x_2 \dots x_{i-1} 0)) \,\|\, \mathrm{FE.Enc}(pk, (C, s, x_1 x_2 \dots x_{i-1} 1))$
    The i-th decryption of PKFE outputs the PKFE encryptions for $(C, s, x_1 x_2 \dots x_{i-1} 0)$ and $(C, s, x_1 x_2 \dots x_{i-1} 1)$.
  26. Requirements to PKFE for iO construction [BV18]

    For the output size $m$, the computational complexity of the encryption algorithm increases in order $\mathcal{O}(m^{\alpha})$.
    In order for the computational complexity to converge after $n$ recursions, $\alpha$ must be less than 1 (sublinear efficiency).
  27. PKFE in Three Steps [JLS22]

    1. Represent a process to generate a garbled circuit for a circuit C and its garbled inputs for inputs x in a constant degree multivariate polynomial.
    2. Convert the polynomial into a degree-2.5 polynomial such that the degrees for private and public inputs are two and constant, respectively, and the running time to encode the original variables to private and public inputs is sublinear with respect to the output size m.
    3. Use PKFE for degree-2.5 polynomials, called partially hiding functional encryption (PHFE).
  29. PKFE in Three Steps [JLS22]

    Use PKFE for degree-2.5 polynomials (garbled circuit generation)
    Encryption Process:
    1. Encode input x and random seeds r into private and public inputs (SI, PI).
    2. Encrypt (SI, PI) under the public key for PHFE, denoted by $ct_{PHFE}$.
    3. Output $ct_{PHFE}$.
  30. PKFE in Three Steps [JLS22]

    Use PKFE for degree-2.5 polynomials (garbled circuit generation)
    Encryption Process:
    1. Encode input x and random seeds r into private and public inputs (SI, PI).
    2. Encrypt (SI, PI) under the public key for PHFE, denoted by $ct_{PHFE}$.
    3. Output $ct_{PHFE}$.
    Decryption Process:
    1. Decrypt the given $ct_{PHFE}$, outputting a garbled circuit and its garbled inputs.
    2. Evaluate the garbled circuit on the garbled inputs, outputting C(x).
  32. Deg 2.5 Polynomials with LPN [JLS22]

    Observation: since the error $e$ is sparse, the following $Corr$ is also sparse:
    $Corr = \{h_j(x') - h_j(x' + e)\}_{j \in [m]}$
  33. Deg 2.5 Polynomials with LPN [JLS22]

    Observation: since the error $e$ is sparse, the following $Corr$ is also sparse:
    $Corr = \{h_j(x') - h_j(x' + e)\}_{j \in [m]}$
    The matrix of $Corr$ has at most $m^{1-\epsilon}$ non-zeros for $\epsilon > 0$ with overwhelming probability, i.e., the rank is at most $m^{1-\epsilon}$.
  34. Deg 2.5 Polynomials with LPN [JLS22]

    Observation: since the error $e$ is sparse, the following $Corr$ is also sparse:
    $Corr = \{h_j(x') - h_j(x' + e)\}_{j \in [m]}$
    The matrix of $Corr$ has at most $m^{1-\epsilon}$ non-zeros for $\epsilon > 0$ with overwhelming probability, i.e., the rank is at most $m^{1-\epsilon}$.
    $Corr = UV$, where the size $|U, V|$ is sublinear, i.e., $\mathcal{O}(m^{1-\epsilon})$.
  35. Deg 2.5 Polynomials with LPN [JLS22]

    Sublinear-sized Public and Private Inputs using LPN
    $SI = (s^{\otimes \frac{d}{2}}, U, V)$
    $PI = (A, b = sA + e + x')$
    1. The degree is 2.5.
    2. The size $|U, V|$ is sublinear, i.e., $\mathcal{O}(m^{1-\epsilon})$.
  36. References

    • [SW14] Sahai, A., & Waters, B. (2014, May). How to use indistinguishability obfuscation: deniable encryption, and more. In Proceedings of the forty-sixth annual ACM symposium on Theory of computing (pp. 475-484).
    • [JLL+23] Jain, A., Lin, H., Luo, J., & Wichs, D. (2023, August). The pseudorandom oracle model and ideal obfuscation. In Annual International Cryptology Conference (pp. 233-262). Cham: Springer Nature Switzerland.
    • [BGI+01] Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., & Yang, K. (2001, August). On the (im)possibility of obfuscating programs. In Annual international cryptology conference (pp. 1-18). Berlin, Heidelberg: Springer Berlin Heidelberg.
    • [GR07] Goldwasser, S., & Rothblum, G. N. (2007). On best-possible obfuscation. In Theory of Cryptography: 4th Theory of Cryptography Conference, TCC 2007, Amsterdam, The Netherlands, February 21-24, 2007. Proceedings 4 (pp. 194-213). Springer Berlin Heidelberg.
    • [JLS22] Jain, A., Lin, H., & Sahai, A. (2022, May). Indistinguishability obfuscation from LPN over F_p, DLIN, and PRGs in NC^0. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp. 670-699). Cham: Springer International Publishing.
    • [GGH+13] Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., & Waters, B. (2016). Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM Journal on Computing, 45(3), 882-929.
    • [BV18] Bitansky, N., & Vaikuntanathan, V. (2018). Indistinguishability obfuscation from functional encryption. Journal of the ACM (JACM), 65(6), 1-37.
    • [JLS21] Jain, A., Lin, H., & Sahai, A. (2021, June). Indistinguishability obfuscation from well-founded assumptions. In Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing (pp. 60-73).
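
Slides 32 to 35 argue that a sparse LPN error e makes Corr sparse, so it can be written as a product UV with a small inner dimension. The Python code below is an added example, not taken from the deck or from [JLS22]: it assumes each h_j is a degree-3 monomial over three random coordinates (a constructed stand-in for one output of a constant-locality PRG), works over a constructed field F_101 with constructed sizes, and arranges Corr as a 64 x 64 matrix.

```python
import random

P = 101  # small prime standing in for the LPN field F_p (constructed value)

def sample_instance(n=2048, m=4096, d=3, k=4, seed=7):
    """Constructed instance: m monomials h_j of degree d, input x', sparse e."""
    rng = random.Random(seed)
    supports = [rng.sample(range(n), d) for _ in range(m)]  # locality-d h_j
    x = [rng.randrange(P) for _ in range(n)]
    e = [0] * n
    for i in rng.sample(range(n), k):       # only k of n coordinates are noisy
        e[i] = rng.randrange(1, P)
    return supports, x, e

def h(support, v):
    """h_j(v): product of the coordinates of v indexed by support, mod p."""
    out = 1
    for i in support:
        out = out * v[i] % P
    return out

def corr_vector(supports, x, e):
    """Corr_j = h_j(x') - h_j(x' + e) mod p for every j in [m]."""
    noisy = [(a + b) % P for a, b in zip(x, e)]
    return [(h(s, x) - h(s, noisy)) % P for s in supports]

def factor_sparse(corr, side):
    """Reshape Corr to side x side and return U (side x t), V (t x side) with
    U @ V = Corr, where t is the number of non-zero entries (so rank <= t)."""
    nz = [(j // side, j % side, c) for j, c in enumerate(corr) if c]
    U = [[c if r == row else 0 for row, _, c in nz] for r in range(side)]
    V = [[1 if q == col else 0 for q in range(side)] for _, col, _ in nz]
    return U, V

def matmul(U, V, side):
    return [[sum(U[r][t] * V[t][q] for t in range(len(V))) % P
             for q in range(side)] for r in range(side)]

def demo(side=64):                          # side * side = m = 4096
    supports, x, e = sample_instance(m=side * side)
    corr = corr_vector(supports, x, e)
    U, V = factor_sparse(corr, side)
    matrix = [corr[r * side:(r + 1) * side] for r in range(side)]
    touched = sum(any(e[i] for i in s) for s in supports)  # h_j that read noise
    return {"m": len(corr), "nonzeros": len(V), "touched": touched,
            "uv_equals_corr": matmul(U, V, side) == matrix}

if __name__ == "__main__":
    print(demo())
```

Only the h_j whose three coordinates hit a noisy position can contribute a non-zero entry, which is why the count of non-zeros is bounded by `touched` and stays far below m.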