Obfuscation of Probabilistic Circuits

Ran Canetti, Huijia Lin Stefano Tessaro, Vinod Vaikuntanathan

Program Obfuscation

P

P(x)

x

P(x)

x

Obf(P)

Compile a program into unintelligible ones, preserving functionality

Program ObfuscationCompile a program into unintelligible ones,

preserving functionality

Different notions of obfuscation

Virtual-Black-Box (VBB) [BGI+12,GK,BCC+14]

Virtual-Grey-Box (VGB) [BC10]

Differing-input Obfuscation (diO) [BGI+12]

Indistinguishability Obfuscation (iO) [BGI+12]

However, so far,

Obfuscation fordeterministic programs only

Probabilistic programs?

Reflected in Correctness (For all x, P(x) = Obf[P](x))

E.g. Obfuscate cryptographic algorithms

Why bother? Treat random coins as input

Motivating ExamplesOblivious Sampler

gr1, gr2, gr1*r2

Index i

Obf(P)

Cannot treat the random coins as plain input 1. Hiding: Keep the randomness hidden2. Correctness: Randomness un-skewed

Oblivious re-encryption

Re-Randomized C’ = Enc(pk, m; r)

Ciphertext C of m

Obf(P)

This work:

IO for probabilistic programs (pIO)There are several variants. Focus on pIO = X-pIO in this talk

Theorem 1 (Construction):Sub-exp secure IO pIO *

Theorem 2 (Application to FHE):pIO + Re-Randomizable PKE FHE ⊺without circular security

* hiding OWF or some details ⊺ more details later

pIO Intuition: Correctness

P piO[P]

probabilistic deterministic

Preserving functionality:

{ P(x) } ≈ { piO[P](x) }• LHS over the randomness of P• RHS over the randomness of piO

Strengthened Correctness: Oracle accesses to P or piO[P] are indistinguishable if no inputs are asked repeatedly

pIO Intuition: Security

≡ Functionally equivalent

P Obf(P)

Q Obf(Q)

≈ indistinguishable

“functionally indistinguishable”≅A notion of functional indistinguishability a notion of pIO

Dynamically-IND

A sampler (P, Q, z)D is dynamically-IND, if

(P, Q, z) D (P, Q, z) D

x

(P,Q, z)

y = P(x)x

(P,Q, z)

y = Q(x)

≈

D-piO: such sampler D, ∀ {P, Q, piO(P), z} ≈ {P, Q, piO(Q), z} Collapse to diO for deterministic prog

Implausible[GGHW14]

X-indistinguishability

(P, Q, z) D (P, Q, z) D

y = P(x) y = Q(x)

≈

X-piO: such sampler D, ∀ {P, Q, piO(P), z} ≈ {P, Q, piO(Q), z}

x x

(P,Q, z) (P,Q, z)

(negl / X)-indist (X = # of inputs)

Statically-chosenA sampler (P, Q, z)D is X-IND, if

Gap is “Tight”

Variants of pIO

Sub-exp IO pIO *

Thought experiment

pIO(P) pIO(Q)≈

P, Q have only a single input AND P(x) ≈ Q(x)

pIO(P): De-randomize P to de-Pk(x) = P(x; PPRF(k, x))IO obfuscate iO(de-Pk)

IO(de-Pk) IO(de-Qk)≈

iO(de-Pk) iO(de-Qk)

pIO for single-input prog’s

iO(de-Pk(x)) iO(de-Qk(x))

≈ iO

de-Pk(x)= P(x; PPRF(k, x))

iO(yQ)yP P(x)

iO(yP)

≈ PPRF

≈ Output-Indist

≈ PPRF

≈ iO

iO(de-Pk) iO(de-Qk)≈

pIO for single-input prog’s

P

Q

Use Exponential-hybrids, #hybrids = #inputs

Sub-exp IO pIO

P Q≤ i-1 > i-1

P Q≤ i > i

Differ only at a single input i+1Need Sub-Exp IO

and X-IND

Application of pIO

CPARe-randomizable

FHELHE+ piO

Independent step Work for any LHE with fixed dec depthassuming Super-poly iOCor: Super-poly LWE + iO FHEwithout circular security

Evki =

C’

C1 C2 Pi(C1, C2): 1. Decrypt M1= D(SKi, C1), M2= D(SKi, C2)2. Compute M’ = M1 NAND M23. Encrypt C’ = E(Pki+1, M’)

Re-Rand CPA + piO LHE

DC1 of w1 & C2 of w2 under (Pki-1,Ski-1)

C’ of w’ under (Pki,Ski)

NAND at level i

Evaluate layer by layer Layer i associated with (Pki,Ski)

pIO(Pi)

EvkD =

PD(C1, C2): 1. Decrypt M1= D(SKD-1, C1), M2= D(SKD-1, C2)2. Compute M’ = M1 NAND M23. Encrypt C’ = E(PkD, M’)

pIO(PD)

CPA-SecurityCPA-Adv sees PK0, C = Enc(PK0, b), {Evk1… EvkD}

QD(C1, C2):

Encrypt C’ = E(PkD, 0)FvkD = pIO(QD)

≈ ≅

…

…

CPA-SecurityCPA-Adv sees PK0, C = Enc(PK0, b), {Evk1… EvkD}

EvkD =Dec(skD-1, * )

NANDEnc(pkD, * )

Evki =Dec(ski, * )

NANDEnc(pki+1, * )

Evk1 =Dec(sk0, * )

NANDEnc(pk1, * )

Enc(pkD, 0)FvkD =

Enc(pki, 0)Fvki =

Enc(pk1, 0)Fvk1 = Yes!No secret key left C is hiding But, The sizes of {evki} blow-up

Pi(C1, C2): 1. Decrypt M1= D(SKi-1, C1), M2= D(SKi-1, C2)2. Compute M’ = M1 NAND M23. Encrypt C’ = E(Pki, M’)

CPA-SecurityCPA-Adv sees PK0, C = Enc(PK0, b), {Evk1… EvkD}

Qi(C1, C2):

Encrypt C’ = E(Pki, 0)

≅ Problem:E needs to be (negl/X)-indistwith X = 2^{|C1| + |C2|} |C’|≥ poly(|C1|+|C2|)

CPA-SecurityCPA-Adv sees PK0, C = Enc(PK0, b), {Evk1… EvkD}

Solution: Use “Perfect” Lossy PKE

1. Normal PK: comp-hiding correct2. Trapdoor PK: perfect-hiding no correctness

Implied by re-rand PKE

Pi(C1, C2): 1. Decrypt M1= D(SKi-1, C1), M2= D(SKi-1, C2)2. Compute M’ = M1 NAND M23. Encrypt C’ = E(Pki, M’)

Qi(C1, C2):

Encrypt C’ = E(Pki, 0)

≅

…

…

CPA-SecurityCPA-Adv sees PK0, C = Enc(PK0, b), {Evk1… EvkD}

EvkD =Dec(skD-1, * )

NANDEnc(pkD, * )

Evki =Dec(ski, * )

NANDEnc(pki+1, * )

Evk1 =Dec(sk0, * )

NANDEnc(pk1, * )

Enc(pkD, 0)FvkD =

Enc(pki, 0)Fvki =

Enc(pk1, 0)Fvk1 = Before switching the Evk’sSwitch pk’s to trapdoor keys

{Enc(pk, *)} = {Enc(pk, 0)}

QED

No blow-up

Thank you

Indistinguishability Obfuscation [BGI+12]

functionally equivalent

P iO(P)

Q iO(Q)

≈≡ indistinguishable

Motivating Examples: CPA to FHE

Given any CPA,

(PK, SK) C1 = E(PK, M1), C2 = E(PK, M2),

Convert to FHE, by adding evaluation keys

Evk =

C’

C1 C2

Obf(P)

P(C1, C2): 1. Decrypt M1= D(SK, C1), M2= D(SK, C2)2. Compute M’ = M1 NAND M23. Re-Encrypt C’ = E(PK, M’; r)

Shown in [ABF+13], under ad-hoc obfuscation assumption

Sub-exp IO pIO *First, IO pIO for single-input prog’s

pIO(P) pIO(Q)≈

P, Q single input programs AND P(x) ≈ Q(x)

pIO(P): De-randomize P to de-Pk(x) = P(x; PPRF(k, x))IO obfuscate iO(de-Pk)

IO(de-Pk) IO(de-Qk)≈

iO(de-Pk) iO(de-Qk)

IO pIO for single-input prog’s

iO(de-Pk(x)) iO(de-Qk(x))

≈ iO

de-Pk(x)= P(x; PPRF(k, x))

iO(yQ)yP P(x)

iO(yP)

≈ PPRF

≈ Output-Indist

≈ PPRF

≈ iO

iO(de-Pk) iO(de-Qk)≈

IO pIO for single-input prog’sSub-exp IO pIO

Medium SolverSet A medium of A