The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator

The Impossibility of Obfuscation withAuxiliary Input or a Universal Simulator NirBitansky Ran Canetti Henry Cohn ShafiGoldwasser Yael Tauman-Kalai Omer Paneth Alon Rosen

Program Obfuscation Program Obfuscation Obfuscated program

Private Key to Public Key Obfuscation Public Key

Ideal Obfuscation Hides everything about the program except for its input\output behavior Point Function etc. [Canetti 97, Wee 05, Bitansky-Canetti 10, Canetti-Rothblum-Varia 10] Unobfuscatable Functions [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] All functions ?

Obfuscation Constructions Before 2013: No general solution. All functions All functions

Obfuscation Constructions Before 2013: No general solution. 2013: Candidate obfuscation for all circuits [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13] All functions All functions

New Impossibility Result Under computational assumptions, a natural notion of ideal obfuscation cannot be achieved for a large family of cryptographic functionalities. (strengthen the impossibility of [Goldwasser-Kalai 05])

Virtual Black-Box (VBB) [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Algorithm is an obfuscator for a class if: For every PPT adversary there exists a PPT simulator such that for every and every predicate : Inefficient!

Using Obfuscation Reduction

VBB with a Universal Simulator Algorithm is an obfuscator for a class if: There exists a PPT simulator such that for every PPT adversary such that for every and every predicate :

Universal Simulation Universal Simulators Black-box Simulators Barak’s ZK simulator

New Impossibility Result Under computational assumptions, VBB obfuscation with a universal simulator cannot be achieved for a large family of cryptographic functionalities.

Pseudo-Entropic functions A function family has super-polynomial pseudo-entropy if there exists a set of inputs such that for a random function , there exists with super-polynomial min-entropy:

Examples • Pseudo-random functions • Semantically-secure encryption(when the randomness is a PRF of the message)

New Impossibility Result Under computational assumptions, VBB obfuscation with a universal simulator is impossible for any pseudo-entropic function

Indistinguishability Obfuscation [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Assumption: indistinguishability obfuscation for all circuits (A candidate construction given in [GGHRSW13])

This Work Assuming indistinguishability obfuscation, VBB obfuscation with a universal simulator is impossible for any pseudo-entropic function

This Work Worst-case VBB with a universal simulator Average-case VBB with a universal simulator Is Impossible for pseudo-entropic functions Is Impossible for pseudo-entropic functions Assuming indistinguishability obfuscation for all functions Assuming indistinguishability obfuscation for point-filter functions or equivalently, witness encryption

Worst-case VBB with a universal simulator Average-case VBB with a universal simulator [Goldwasser-Kalai 05]: Is Impossible for Filter functions Is Impossible for pseudo-entropic functions Unconditionally Assuming VBB obfuscation for point-filter functions This work: Is Impossible for pseudo-entropic functions Is Impossible for pseudo-entropic functions Assuming indistinguishability obfuscation for all functions Assuming indistinguishabilityobfuscation for point-filter functions

Universal Simulation and Auxiliary Input For every PPT adversary there exists a PPT simulator such that for every , every predicate and every auxiliary input : VBB with a universal simulator

Universal Simulation and Auxiliary Input Worst-case VBB with a universal simulator Average-case VBB with a universal simulator Average-case VBB with independentauxiliary input Worst-case VBB with dependentauxiliary input

Proof Idea What can we do with an obfuscated code that we cannot do with black-box access? [Goldwasser-Kalai 05]: Find a polynomial size circuit computing the function!

Impossibility for Worst-Case VBB Let be a family of PRFs. Fix the simulator . Sample a random . Construct an adversary (that depends on ) that fail . Let be the set of inputs : If and : output the secret , else output .

Impossibility for Worst-Case VBB

Using Indistinguishability Obfuscation

Impossibility for Average-Case VBB : If : output else output .

Impossibility for Average-Case VBB Obfuscation should hide Use Indistinguishability Obfuscation together with puncturable pseudo-random functions

Thanks!

The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator

The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator

Presentation Transcript

The Tree-Width of automata with auxiliary storage

On the Impossibility of Approximate Obfuscation

The Impossibility of Translation Donald Wellman

JavaScript Obfuscation

Impossibility of Consensus

From the Impossibility of Obfuscation to a New Non-Black-Box Simulation Technique

Impossibility of Distributed Consensus with One Faulty Process

The Church, Universal or Local?

Code Obfuscation

Which Auxiliary? Être or Avoir

Combined Input Output Queuing Switch Simulator

URL Obfuscation With @

Interfacing with the Simulator

Universal Device Pairing using an Auxiliary Device

Decidability or Impossibility? 02b = a bit of boring theory

The set of input values of a relation or function

MIMIC Simulator Network Simulator With Thousands of Networking Devices

Explain with example the doctrine of supervening impossibility

Explain with example the doctrine of supervening impossibility

UPGRADE YOUR HOME OR BUSINESS WITH A GOLF SIMULATOR

Impossibility Mining