Obfuscation of Probabilistic Circuits
Ran Canetti, Huijia Lin, Stefano Tessaro, Vinod Vaikuntanathan
Program Obfuscation
Compile a program into unintelligible ones, preserving functionality
[Diagram: P takes x and outputs P(x); Obf(P) takes x and outputs P(x)]
Different notions of obfuscation
Virtual-Black-Box (VBB) [BGI+12,GK,BCC+14]
Virtual-Grey-Box (VGB) [BC10]
Differing-input Obfuscation (diO) [BGI+12]
Indistinguishability Obfuscation (iO) [BGI+12]
However, so far,
Obfuscation for deterministic programs only
Probabilistic programs?
Reflected in Correctness (For all x, P(x) = Obf[P](x))
E.g. Obfuscate cryptographic algorithms
Why bother? Treat random coins as input
Motivating Examples
Oblivious Sampler
[Diagram: Index i into Obf(P); output g^r1, g^r2, g^(r1*r2)]
Cannot treat the random coins as plain input
1. Hiding: Keep the randomness hidden
2. Correctness: Randomness un-skewed
Oblivious re-encryption
Re-Randomized C’ = Enc(pk, m; r)
Ciphertext C of m
Obf(P)
This work:
IO for probabilistic programs (pIO)
There are several variants. Focus on pIO = X-pIO in this talk
Theorem 1 (Construction): Sub-exp secure IO pIO *
Theorem 2 (Application to FHE): pIO + Re-Randomizable PKE FHE ⊺ without circular security
* hiding OWF or some details
⊺ more details later
pIO Intuition: Correctness
P: probabilistic; piO[P]: deterministic
Preserving functionality:
{ P(x) } ≈ { piO[P](x) }
• LHS over the randomness of P
• RHS over the randomness of piO
Strengthened Correctness: Oracle accesses to P or piO[P] are indistinguishable if no inputs are asked repeatedly
pIO Intuition: Security
[Diagram: P ≡ Q (functionally equivalent); Obf(P) ≈ Obf(Q) (indistinguishable)]
≅ “functionally indistinguishable”
A notion of functional indistinguishability a notion of pIO
Dynamically-IND
A sampler (P, Q, z) D is dynamically-IND, if
[Diagram: two experiments, each with (P, Q, z) D; on (P, Q, z), a query x is answered with y = P(x) in the first and y = Q(x) in the second; the two are ≈]
D-piO: ∀ such sampler D, {P, Q, piO(P), z} ≈ {P, Q, piO(Q), z}
Collapse to diO for deterministic prog
Implausible [GGHW14]
X-indistinguishability
A sampler (P, Q, z) D is X-IND, if
[Diagram: two experiments, each with (P, Q, z) D; statically-chosen x, then (P, Q, z), with y = P(x) in the first and y = Q(x) in the second; the two are (negl / X)-indist (X = # of inputs)]
X-piO: ∀ such sampler D, {P, Q, piO(P), z} ≈ {P, Q, piO(Q), z}
Gap is “Tight”
Variants of pIO
Sub-exp IO pIO *
Thought experiment
pIO(P) ≈ pIO(Q)
P, Q have only a single input AND P(x) ≈ Q(x)
pIO(P): De-randomize P to de-Pk(x) = P(x; PPRF(k, x))
IO obfuscate iO(de-Pk)
iO(de-Pk) ≈ iO(de-Qk)
pIO for single-input prog’s
de-Pk(x) = P(x; PPRF(k, x))
[Diagram: hybrids from iO(de-Pk(x)) to iO(de-Qk(x)), through iO(yP) and iO(yQ) (labels: yP, P(x)); steps in order: ≈ iO, ≈ PPRF, ≈ Output-Indist, ≈ PPRF, ≈ iO]
iO(de-Pk) ≈ iO(de-Qk)
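Added example (not from the talk): the de-randomization step de-Pk(x) = P(x; PPRF(k, x)) in Python, showing why correctness only holds when no input is asked repeatedly. Assumptions: HMAC-SHA256 stands in for the PPRF (it cannot be punctured), the iO step is omitted, and P is a constructed noisy-bit program.

```python
import hashlib
import hmac
import os

def prf(k: bytes, x: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the slide's PPRF. It is a PRF,
    # but it has no puncturing, which the security proof needs.
    return hmac.new(k, x, hashlib.sha256).digest()

def P(x: int, coins: bytes) -> int:
    # Constructed probabilistic program: output bit x & 1, flipped w.p. 1/4.
    return (x & 1) ^ int(coins[0] < 64)  # 64/256 = 1/4

def derandomize(prog, k: bytes):
    # de-P_k(x) = P(x; PRF(k, x)): coins are derived from the input under k.
    # pIO would publish iO(de-P_k) so k stays hidden; no iO is applied here.
    def de_P(x: int) -> int:
        return prog(x, prf(k, x.to_bytes(8, "big")))
    return de_P

def flip_rate(f, inputs) -> float:
    # Fraction of inputs where f's output differs from the noiseless bit.
    xs = list(inputs)
    return sum(f(x) != (x & 1) for x in xs) / len(xs)

def demo():
    k = bytes(range(32))  # constructed fixed key, for reproducibility only
    de_P = derandomize(P, k)
    repeated = {de_P(7) for _ in range(100)}              # same input again
    fresh = {P(7, os.urandom(32)) for _ in range(200)}    # P with new coins
    rate = flip_rate(de_P, range(4000))                   # distinct inputs
    return repeated, fresh, rate

if __name__ == "__main__":
    repeated, fresh, rate = demo()
    print("de-P_k(7) over 100 calls:", repeated)    # a single value
    print("P(7; fresh coins):", fresh)              # both bits occur
    print("flip rate over distinct inputs:", rate)  # close to 1/4
```

On distinct inputs de-Pk follows P's output distribution, while a repeated query always returns the same value, which P with fresh coins does not.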
pIO for single-input prog’s
Use Exponential-hybrids, #hybrids = #inputs
Sub-exp IO pIO
[Diagram: hybrid with P on ≤ i-1 and Q on > i-1; hybrid with P on ≤ i and Q on > i]
Differ only at a single input i+1
Need Sub-Exp IO and X-IND
Application of pIO
[Diagram: Re-randomizable CPA, + piO, LHE, FHE]
Independent step
Work for any LHE with fixed dec depth assuming Super-poly iO
Cor: Super-poly LWE + iO FHE without circular security
Re-Rand CPA + piO LHE
Evaluate layer by layer
Layer i associated with (Pki,Ski)
NAND at level i: C1 of w1 & C2 of w2 under (Pki-1,Ski-1); C’ of w’ under (Pki,Ski)
Evki = pIO(Pi)
Pi(C1, C2):
1. Decrypt M1= D(SKi, C1), M2= D(SKi, C2)
2. Compute M’ = M1 NAND M2
3. Encrypt C’ = E(Pki+1, M’)
EvkD = pIO(PD)
PD(C1, C2):
1. Decrypt M1= D(SKD-1, C1), M2= D(SKD-1, C2)
2. Compute M’ = M1 NAND M2
3. Encrypt C’ = E(PkD, M’)
CPA-Security
CPA-Adv sees PK0, C = Enc(PK0, b), {Evk1 … EvkD}
QD(C1, C2):
Encrypt C’ = E(PkD, 0)
FvkD = pIO(QD)
≈ ≅
CPA-Security
CPA-Adv sees PK0, C = Enc(PK0, b), {Evk1 … EvkD}
EvkD = Dec(skD-1, * ) NAND Enc(pkD, * ); FvkD = Enc(pkD, 0)
…
Evki = Dec(ski, * ) NAND Enc(pki+1, * ); Fvki = Enc(pki, 0)
…
Evk1 = Dec(sk0, * ) NAND Enc(pk1, * ); Fvk1 = Enc(pk1, 0)
Yes! No secret key left
C is hiding
But, The sizes of {evki} blow-up
Pi(C1, C2):
1. Decrypt M1= D(SKi-1, C1), M2= D(SKi-1, C2)
2. Compute M’ = M1 NAND M2
3. Encrypt C’ = E(Pki, M’)
CPA-Security
CPA-Adv sees PK0, C = Enc(PK0, b), {Evk1 … EvkD}
Qi(C1, C2):
Encrypt C’ = E(Pki, 0)
≅
Problem: E needs to be (negl/X)-indist with X = 2^{|C1| + |C2|}
|C’| ≥ poly(|C1|+|C2|)
CPA-Security
CPA-Adv sees PK0, C = Enc(PK0, b), {Evk1 … EvkD}
Solution: Use “Perfect” Lossy PKE
1. Normal PK: comp-hiding, correct
2. Trapdoor PK: perfect-hiding, no correctness
Implied by re-rand PKE
Pi(C1, C2):
1. Decrypt M1= D(SKi-1, C1), M2= D(SKi-1, C2)
2. Compute M’ = M1 NAND M2
3. Encrypt C’ = E(Pki, M’)
Qi(C1, C2):
Encrypt C’ = E(Pki, 0)
≅
CPA-Security
CPA-Adv sees PK0, C = Enc(PK0, b), {Evk1 … EvkD}
EvkD = Dec(skD-1, * ) NAND Enc(pkD, * ); FvkD = Enc(pkD, 0)
…
Evki = Dec(ski, * ) NAND Enc(pki+1, * ); Fvki = Enc(pki, 0)
…
Evk1 = Dec(sk0, * ) NAND Enc(pk1, * ); Fvk1 = Enc(pk1, 0)
Before switching the Evk’s
Switch pk’s to trapdoor keys
{Enc(pk, *)} = {Enc(pk, 0)}
QED
No blow-up
Thank you
Indistinguishability Obfuscation [BGI+12]
[Diagram: P ≡ Q (functionally equivalent); iO(P) ≈ iO(Q) (indistinguishable)]
Motivating Examples: CPA to FHE
Given any CPA,
(PK, SK), C1 = E(PK, M1), C2 = E(PK, M2),
Convert to FHE, by adding evaluation keys
Evk = Obf(P)
[Diagram: C1, C2 into Obf(P); output C’]
P(C1, C2):
1. Decrypt M1= D(SK, C1), M2= D(SK, C2)
2. Compute M’ = M1 NAND M2
3. Re-Encrypt C’ = E(PK, M’; r)
Shown in [ABF+13], under ad-hoc obfuscation assumption
Sub-exp IO pIO *
First, IO pIO for single-input prog’s
pIO(P) ≈ pIO(Q)
P, Q single input programs AND P(x) ≈ Q(x)
pIO(P): De-randomize P to de-Pk(x) = P(x; PPRF(k, x))
IO obfuscate iO(de-Pk)
iO(de-Pk) ≈ iO(de-Qk)
IO pIO for single-input prog’s
de-Pk(x) = P(x; PPRF(k, x))
[Diagram: hybrids from iO(de-Pk(x)) to iO(de-Qk(x)), through iO(yP) and iO(yQ) (labels: yP, P(x)); steps in order: ≈ iO, ≈ PPRF, ≈ Output-Indist, ≈ PPRF, ≈ iO]
iO(de-Pk) ≈ iO(de-Qk)
IO pIO for single-input prog’s
Sub-exp IO pIO