Nir Bitansky and Omer Paneth

Program Obfuscation

𝑥 Compute 𝑓 𝑠𝑘 (𝑥) 𝑦 = 𝑓 𝑠𝑘 (𝑥)

Program Obfuscation

𝑥 𝑦 = 𝑓 𝑠𝑘 (𝑥)

Program Obfuscation

𝑥 If 𝑥 Sign email 𝑥 with 𝑠𝑘 starts with “omer@bu.edu” 𝑦 = 𝜎(𝑥) /⊥

Virtual Black-Box

[ Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] 𝒪 𝑠𝑘 is an obfuscation of 𝑓 𝑠𝑘 : - Functionality: ∀𝑥, 𝒪 𝑠𝑘 𝑥 = 𝑓 𝑠𝑘 𝑥 - Security: 𝑓 𝑠𝑘 𝒪 𝑠𝑘 𝐴 ≈ 𝑆

Impossibility of Obfuscation There exist families of functions that cannot be obfuscated [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Relaxed Security

[Barak et al. 01, Goldwasser-Rothblum07, Hofheinz-Malone-Lee-Stam07, Hohenberger-Rothblum-Shelat-Vaikuntanathan07, Bitansky-Canetti10] - Functionality: ∀𝑥, 𝒪 𝑠𝑘 𝑥 = 𝑓 𝑠𝑘 𝑥 - Security: 𝑓 𝑠𝑘 𝒪 𝑠𝑘 𝐴 ≈ 𝑆

Relaxed Functionality?

- Functionality: ∀𝑥, 𝒪 𝑠𝑘 𝑥 = 𝑓 𝑠𝑘 𝑥 - Security: 𝑓 𝑠𝑘 𝒪 𝑠𝑘 𝐴 ≈ 𝑆

Approximate Obfuscation [ Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] 𝒪 𝑠𝑘 is an approximate obfuscation of 𝑓 𝑠𝑘 : - Functionality: Pr 𝑥←𝑈 - Security: 𝒪 𝑠𝑘 𝑥 = 𝑓 𝑠𝑘 𝑥 𝑓 𝑠𝑘 𝒪 𝑠𝑘 𝐴 ≈ 𝑆 > 0.9

Main Result Assuming trapdoor permutations, there exist families of functions that cannot be approximately obfuscated Motivation?

Positive applications

From Impossibility to Applications Impossibility of approximate obfuscation Non-black-box extraction 𝑠𝑘 Zero-knowledge with 𝑥 𝐴 𝑠𝑘 resettable security Worst-case 𝑓 𝑠𝑘 (𝑥) extractable signatures

Plan

[BGIRSVY 01]: Impossibility of Obfuscation This work: Impossibility of Approximate Obfuscation Unobfuscatable Functions Robust Unobfuscatable Functions Applications

Unobfuscatable Functions From Barak et al.

𝑓 𝑠𝑘 1. Black-box unlearnability: ∀ efficient 𝐴, 𝑠𝑘 ← 𝑈 : 𝐴 2. Extraction: ∃ efficient 𝐸, ∀𝒪, 𝑠𝑘: 𝑠𝑘 Pr 𝑥←𝑈 𝒪 𝑥 = 𝑓 𝑠𝑘 𝑥 = 1 ⇒ 𝒪 𝐸 𝑠𝑘

Robust Unobfuscatable Functions 𝑓 𝑠𝑘 1. Black-box unlearnability: ∀ efficient 𝐴, 𝑠𝑘 ← 𝑈 : 𝐴 𝑠𝑘 2. Robust extraction: ∃ efficient 𝐸, ∀𝒪, 𝑠𝑘: Pr 𝑥←𝑈 𝒪 𝑥 = 𝑓 𝑠𝑘 𝑥 > 0.9

⇒ 𝒪 𝐸 𝑠𝑘

Robust Unobfuscatable Functions 𝒪 90% ≈ 𝑓 𝑠𝑘 𝒪 𝐸 𝐴 𝑠𝑘 ≈ 𝑆 𝑓 𝑠𝑘 𝑠𝑘

RUFs Construction

Unobfuscatable Functions Construction of Barak et al. (using FHE for simplicity) 𝑓 𝑎,𝑏,𝑠𝑘 𝑥 : 𝑎, 𝑏 𝑠𝑘 – two 𝑛 -bit strings - secret key for FHE

Unobfuscatable Functions 0 𝑛 𝑓 𝐸𝑛𝑐 𝑎 𝑎 𝐸𝑛𝑐 b 𝑓 𝑏 𝑓 𝑓 𝑎,𝑏,𝑠𝑘 (𝑥) = 𝑏 Enc 𝑠𝑘 (𝑎) 𝑏 ⊥ 𝑥 = 𝑎 𝑥 = 0 𝑛 Dec 𝑠𝑘 (𝑥) = 𝑏 o.w.

Black-Box Unlearnability 0 𝑛 𝑓 𝐸𝑛𝑐 𝑎 𝑎 𝐸𝑛𝑐 b 𝑓 𝑏 𝑓 𝑓 𝐴 𝑏

Extraction 0 𝑛 𝐶 𝐸𝑛𝑐 𝑎 𝑎 𝐸𝑣𝑎𝑙(𝐶) 𝐸𝑛𝑐 b 𝐶 𝑏 𝐶 ≡ 𝑓 𝐸 𝑏

Robust Extraction?

0 𝑛 𝐸𝑛𝑐 𝑎 𝐶 ∗ 𝐸𝑛𝑐 b 𝐶 ∗ 𝑎 𝑏 𝐶 ∗ 𝐸 𝑏 𝐶 ∗ (𝑥) = ⊥ 𝐸𝑛𝑐 𝑠𝑘 (𝑎) 𝑏 ⊥ 𝑥 = 𝑎 𝑥 = 0 𝑛 𝐷𝑒𝑐 𝑠𝑘 (𝑥) = 𝑏 𝑜. 𝑤.

A Taste of the Construction 𝑓 𝑎,𝑏 (𝑥) = 𝑏 ⊥ 𝑥 = 𝑎 𝑜. 𝑤.

Q: Find 𝑔 such that: 𝑔 with 10% errors Randomly reduce 𝑓 to 𝑔 𝑓 a,b

Getting Robustness

𝑓 𝑎,𝑏 (𝑥) = 𝑏 ⊥ 𝑥 = 𝑎 𝑜. 𝑤.

𝑔 𝑎,𝑏,𝑘 𝑥 = 𝑏 ⊕ PRF 𝑘 𝑥 ℎ 𝑎,𝑏,𝑘 𝑥 = PRF 𝑘 𝑎 ⊕ 𝑥

𝑎 𝑟 ← 𝑈 𝑟 𝑎 ⊕ 𝑟 𝑔 ℎ 𝑏 ⊕ PRF(𝑟) PRF(𝑟) ⊕ 𝑓 𝑏 (𝑤. 𝑝. 0.8) 𝑔, ℎ with 10% errors 𝑓 a,b 𝑔 𝑎,𝑏,𝑘 𝑥 = 𝑏 ⊕ PRF 𝑘 𝑥 ℎ 𝑎,𝑏,𝑘 𝑥 = PRF 𝑘 𝑎 ⊕ 𝑥

𝐴 𝑔, ℎ 𝑏 queries 𝑔 queries ℎ on 𝑥 and on 𝑎 ⊕ 𝑥 𝑎 𝑔, ℎ 𝑓 a,b 𝑔 𝑎,𝑏,𝑘 𝑥 = 𝑏 ⊕ PRF 𝑘 𝑥 ℎ 𝑎,𝑏,𝑘 𝑥 = PRF 𝑘 𝑎 ⊕ 𝑥

Construction of RUFs

𝑓 𝑎,𝑏,𝑠𝑘 (𝑥) = 𝑏 𝐸𝑛𝑐 𝑠𝑘 (𝑎) 𝑏 ⊥ 𝑥 = 𝑎 𝑥 = 0 𝑛 𝐷𝑒𝑐 𝑠𝑘 (𝑥) = 𝑏 𝑜. 𝑤.

Assumptions

• RUFs from trapdoor permutations. • Weak RUFs from OWF only: ∀𝑥: 𝒪 𝑥 ∈ 𝑓 𝑠𝑘 𝑥 , ⊥ 𝒪 𝐸 𝑠𝑘

Applications

Publicly-Verifiable RUOFs 𝑠𝑘, 𝑣𝑘 ← Gen() Ver 𝑣𝑘 𝑥, 𝑦 = 1 iff 𝑦 = 𝑓 𝑠𝑘 (𝑥) 𝑣𝑘 𝑓 𝑠𝑘 𝐴 𝑠𝑘, 𝑣𝑘 ← Gen() 𝑠𝑘 𝑣𝑘 𝒪 𝐸 𝑠𝑘 Pr 𝑥←𝑈 Ver 𝑣𝑘 𝑥, 𝒪 𝑥 = 1 > 1 poly(𝑛)

Resettably-Sound ZK

[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01] 𝑥 ∈ ℒ?

Standard ZK 𝒫 𝒱 Resettable Soundness

Resettable Soundness

[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01] 𝑥 ∉ ℒ 𝒫 ∗ 𝒱

Resettable Soundness

[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01] 𝒫 ∗ 𝒱 𝑥 ∉ ℒ 𝒱

No Black-Box Simulator

[Barak-Goldreich-Goldwasser-Lindell 01] Resettable soundness Zero-knowledge (black-box simulator) 𝒱 ∗ 𝒫 ∗ 𝒱 𝒱 𝒮

Resettably-Sound ZK

[Barak-Goldreich-Goldwasser-Lindell 01, BP 12, Chung-Pass-Seth 13] Resettable soundness Zero-knowledge (non-black-box simulator) 𝒫 ∗ 𝒱 𝒱 𝒱 ∗ 𝒮

Resettably-Sound ZK

𝑣𝑘 𝑥 ← 𝑈 𝑓 𝑠𝑘 (𝑥) 𝒫 𝑠𝑘, 𝑣𝑘 𝒱 Witness indistinguishable proof: 𝑥 ∈ ℒ

or

𝒫 “knows” 𝑠𝑘

Resettably-Sound ZK

𝑣𝑘 𝑥 𝑓 𝑠𝑘 (𝑥) 𝒫 𝑠𝑘, 𝑣𝑘 𝒱 Witness indistinguishable proof: 𝑥 ∈ ℒ

or

𝒫 “knows” 𝑠𝑘

Analysis

Resettable soundness 𝒫 ∗ 𝑓 𝑠𝑘 𝑥 𝑓 𝑠𝑘 (𝑥) 𝒱 𝑠𝑘 Zero-knowledge 𝒱 ∗ ≈ 𝑓 𝑠𝑘 𝒱 ∗ 1 p 𝑛 𝐸 𝑠𝑘

More Resettable Crypto

• Resettably-sound ZK from OWFs (Different approach from Chung-Pass-Seth 13) • Simultaneously-resettable ZK from OWFs (using srWI by Chung-Ostrovsky-Pass-Visconti 13) • 4-message resettably-sound ZK • 3-message simultaneously-resettable WI proof of knowledge

Worst-Case Extractable Signatures Digital Signatures: ∀𝑠𝑘, 𝑣𝑘 Sign 𝑠𝑘 𝑣𝑘 Sign 𝑠𝑘 𝐴 𝑚, 𝜎 𝑚 , 𝑚 ∉ 𝑚 𝑖

Worst-Case Extractable Signatures For every 𝑠𝑘, 𝑣𝑘: 𝐴 𝐴 breaks security for 𝑠𝑘, 𝑣𝑘 ⟹ 𝐸 𝑠𝑘

}

Thank You.

 #define _ -F<00||--F-OO--; int F=00,OO=00;main(){F_OO();printf("%1.3f\n",4.*-F/OO/OO);}F_OO(){

_-_-_-_ _-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_ _-_-_-_

IOCCC 88