Obfuscation for Evasive Functions
Boaz Barak∗ Nir Bitansky† Ran Canetti‡
Yael Tauman Kalai∗ Omer Paneth§ Amit Sahai¶
October 18, 2013
Abstract
Anevasive circuit familyis a collection of circuitsCsuch that for every inputx, a random circuit fromCoutputs 0 onxwith overwhelming probability. We provide a combination of definitional, constructive, and impossibility results regarding obfuscation for evasive functions:
1. The (average case variants of the) notions of virtual black box obfuscation (Barak et al, CRYPTO ’01) andvirtual gray box obfuscation (Bitansky and Canetti, CRYPTO ’10) co-incide for evasive function families. We also define the notion ofinput-hidingobfuscation for evasive function families, stipulating that for a randomC ∈ C it is hard to find, given
O(C), a value outside the preimage of 0. Interestingly, this natural definition, also motivated by applications, is likely not implied by the seemingly stronger notion of average-case virtual black-box obfuscation.
2. If there exist average-case virtual gray box obfuscators for all evasive function families, then there exist (quantitatively weaker) average-case virtual gray obfuscators forallfunction fami-lies.
3. There does not exist aworst-casevirtual black box obfuscator even for evasive circuits, nor is there an average-case virtual gray box obfuscator for evasiveTuring machinefamilies. 4. LetCbe an evasive circuit family consisting of functions that test if a low-degree polynomial
(represented by an efficient arithmetic circuit) evaluates to zero modulo some large prime p. Then under a natural analog of the discrete logarithm assumption in a group supporting multilinear maps, there exists an input-hiding obfuscator forC. Under a newperfectly-hiding multilinear encodingassumption, there is an average-case virtual black box obfuscator for the familyC.
∗
Microsoft Research. †
Tel Aviv University. Email:[email protected]. Supported by an IBM Ph.D. Fellowship, the Check Point Institute for Information Security, and an ISF grant 20006317.
‡
Boston University and Tel Aviv University. Email: [email protected]. Supported by the Check Point Institute for Information Security, an ISF grant 20006317, an NSF EAGER grant, and an NSF Algorithmic foundations grant 1218461.
§
Boston University. Work done while the author was an intern at Microsoft Research New England. Supported by the Simons award for graduate students in theoretical computer science and an NSF Algorithmic foundations grant 1218461.
¶
1
Introduction
The study ofSecure Software Obfuscation— or, methods to transform a program (say described as a Boolean circuit) into a form that is executable but otherwise completely unintelligible — is a central research direction in cryptography. In this work, we study obfuscation of evasive functions— anevasive function familyis a collectionCn of Boolean circuits mapping some domainDto{0,1}such that for everyx ∈ Dthe probability overC ← CnthatC(x) = 1is negligible. Focusing on evasive functions
leads us to new notions of obfuscation, as well as new insights into general-purpose obfuscation.
Why Study Obfuscation of Evasive Functions? To motivate the study of the obfuscation of evasive functions, let us consider the following scenario taken from [GCR12]: Suppose that a large software publisher discovers a new vulnerability in their software that causes the software to behave in undesirable ways on certain (rare) inputs. The publisher then designs a software patchP that tests the input xto see if it falls into theSof bad inputs, and if so outputs 1 to indicate that the inputxshould be ignored. Ifx /∈ S, the patch outputs0to indicate that the software can behave normally. Were the publisher to release the patchP, an adversary could potentially study the code ofP and learn bad inputsx∈Sthat give rise to the original vulnerability. Since it can take months before a majority of computers install a new patch, this would give the attacker plenty of time to exploit this vulnerability on unpatched systems
even when the setS of bad inputs was evasive to begin with. If instead, the publisher could obfuscate the patchP before releasing it, then intuitively an attacker would gain no advantage in finding an input
x ∈ S from studying the obfuscated patch. Indeed, assuming that without seeingP the attacker has negligible chance of finding an inputx∈S, it makes sense to modelP as an evasive function.
Aside from the motivating scenario above, evasive functions are natural to study in the context of software obfuscation because they are a natural generalization of the special cases for which obfuscation was shown to exist in the literature such as point functions [Can97], hyperplanes [CRV10], and conjunc-tions [BR13a].1 Indeed, as we shall see, the study of obfuscation of evasive functions turns out to be quite interesting from a theoretical perspective, and sheds light on general obfuscation as well.
What notions of obfuscation makes sense for evasive functions? As the software patch problem illustrates, a very natural property that we would like is input hiding: Given an obfuscation of a ran-dom circuitC ← Cn, it should be hard for an adversary to find an input x such that C(x) = 1. It also makes sense to consider (average case versions of) strong notions of obfuscation, such as “virtual black box” (VBB) obfuscation introduced by Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and Yang [BGI+01], which, roughly speaking, states that any predicate of the original circuitC com-puted from its obfuscation could be comcom-puted with almost the same probability by an efficient simulator having only oracle (i.e., black box) access to the function (see Section 2 for a formal definition). One can also consider the notion of “virtual gray box” (VGB) introduced by Bitansky and Canetti [BC10], who relaxed the VBB definition to allow the simulator to run in unbounded time (though still with only a polynomial number of queries to its oracle). Another definition proposed in [BGI+01], with a recent construction given by [GGH+13b], is of “indistinguishability obfuscation” (IO). The actual meaning of IO is rather subtle, and we discuss it in Section 1.2.
1.1 Our results
We provide a combination of definitional, constructive, and impossibility results regarding obfuscation for evasive functions. First, we formalize the notion of input-hiding obfuscation for evasive functions (as sketched above). We give evidence that this notion of input-hiding obfuscation is actuallyincomparable
to the standard definition of VBB obfuscation. While it is not surprising that input-hiding obfuscation does not imply VBB obfuscation, it is perhaps more surprising that VBB obfuscation does not imply
1Conjunctions are not necessarily evasive, however the interesting case for obfuscation is large conjunctions which are
input-hiding obfuscation (under certain computational assumptions). Intuitively, this is because VBB obfuscation requires only thatpredicatesof the circuit being obfuscated are simulatable, whereas input hiding requires that no complete input stringxthat causesC(x) = 1can be found.
Second, we formalize a notion ofperfect circuit-hidingobfuscation, which asks that forevery predi-cate of the circuitC← Cn, the probability that the adversary can guess the predicate (or its complement) given an obfuscation ofCis negligibly close to the expected value of the predicate overC ← Cn. We
then show that for any evasive circuit familyC, this simple notion of obfuscation is equivalent to both average-case VBB obfuscation and average-case VGB obfuscation. Thus, in particular, we have:
Theorem 1(Informal). For every evasive function collectionCand obfuscatorO, it holds thatOis an average-case VBB obfuscator forCif and only if it is an average-case VGB obfuscator forC.
We also show that evasive functions are at the heart of the VGB definition in the sense that if it is possible to achieve VGB obfuscators for all evasive circuit families then it is possible to achieve a slightly weaker variant of VGB obfuscation forallcircuits:
Theorem 2(Informal). If there exists average-case VGB obfuscator for every evasive circuit family then there exists a weak average-case VGB obfuscator for every (not necessarily evasive) circuit family.
The notion of “weak” VGB obfuscation allows the simulator to make a slightly super-polynomial number of queries to its oracle. It also allows the obfuscating algorithm to be inefficient. The latter relaxation is not needed if we assume the existence of indistinguishability obfuscators for all circuits, as conjectured in [GGH+13b].
We then proceed to give new constructions of obfuscators for specific natural families of evasive functions. We focus on functions that test if a bounded (polynomial) degree multivariate polynomial, given by an arithmetic circuit, evaluates to zero modulo some large prime p. We provide two con-structions that build upon the approximate multilinear map framework developed by Garg, Gentry, and Halevi [GGH13a] and continued by Coron, Lepoint, and Tibouchi [CLT13]. We first construct an input-hiding obfuscator whose security is based on a variant of a discrete logarithm assumption in the mul-tilinear setting. We then construct a perfect circuit-hiding obfuscator for arithmetic formulas based on a new assumption, calledperfectly-hiding multilinear encoding. Very roughly, we assume that given encodings of kandr ·k, for a randomr andk, the value of any predicate ofkcannot be efficiently learned.
Theorem 3(Informal). LetCbe the evasive function family that tests if a bounded (polynomial) degree multivariate polynomial, given by an arithmetic circuit, evaluates to zero modulo some large prime
p. Then: (i) Assuming the existence of a group supporting a multilinear map in which the discrete logarithm problem is hard there exists an input-hiding obfuscator forC and(ii)Under the perfectly-hiding multilinear encoding assumption, there exists an average-case VBB obfuscator for all log-depth circuits inC.
These constructions can be combined to obtain a single obfuscator for testing if an input is in the zero-set of a bounded-degree polynomial, that simultaneously achieves input-hiding and average-case VBB obfuscation. We give an informal overview of our construction in Section 3.
Finally, we complement our constructive results by giving two impossibility results regarding the obfuscation of evasive functions. First, we show impossibility with respect to evasive Turing Machines:
Theorem 4(Informal). There exists a class of evasive Turing MachinesMsuch that no input-hiding obfuscator can exist with respect to M and no average-case VGB obfuscator can exist with respect toM.
Theorem 5(Informal). There exists a class of evasive circuitsCsuch that no worst-case VBB obfuscator can exist with respect toC.
1.2 Alternative approaches to obfuscation
We briefly mention two other approaches to general program obfuscation. One is to use the notion of
indistinguishability obfuscation(IO) [BGI+01]. Indeed, in a recent breakthrough result Garg, Gentry, Halevi, Raykova, Sahai and Waters [GGH+13b] propose a candidate general obfuscation mechanism and conjecture that it is IO for all circuits. Improved variants of this construction have been proposed in [BR13b, BGK+13]. Roughly speaking, IO implies that an obfuscation of a circuitC hides “as much as possible” about the circuitC in the sense that ifOis an IO obfuscator, and there exists some other obfuscatorO0 (with not too long output) that (for instance) achieves input hiding or VBB obfuscation forC, thenO(C)will achieve the same security as well [GR07]. However, while IO obfuscators have found uses for many cryptographic applications [GGH+13b, SW13, HSW13], its hard to quantify what security is obtained by directly obfuscating a function with an IO obfuscator since for most classes of functions we do not know what “as much as possible” is. In particular, IO obfuscators are not known to imply properties such as input hiding or VBB/VGB for general circuits. For insance, the “totally unobfuscatable functions” of [BGI+01] (which are functions that are hard to learn but whose canonical representation can be recovered from any circuit) can be trivially IO-obfuscated, but this clearly does not give any meaningful security guarantees. Furthermore, we do not know whether IO obfuscators give guarantees such as input hiding or VBB on any families of evasive functions beyond those families that we already know how to VBB-obfuscate. Thus our work here can be seen as complementary to the question of constructing indistinguishability obfuscators. Furthermore, the hardness assumptions made in this work are much simpler than those implied by the IO security of any of the above candidates.
Another approach is to consider obfuscation mechanisms in idealized models where basic group operations are modeled as calls to abstract oracles. Works along this line, using different levels of abstraction, include [GGH+13b, CV13, BR13b, BGK+13]. It should be stressed however that, as far as we know, proofs of security in any of these idealized models bear no immediate relevance to the security of obfuscation schemes in the plain model.
1.3 Organization of the paper
In Section 2 we formally define evasive function families and the various notions of obfuscation that apply to them, and show equivalence between several of these notions. Section 3 contains our con-structions for obfuscating zero-testing functions for low degree polynomials. In Section 4 we show that obtaining virtual gray box obfuscation for evasive functions implies a weaker variant of VGB for
all functions. Section 5 contains our impossibility results for worst-case VBB obfuscation of evasive circuits and average-case VGB obfuscation of evasive Turing machines.
2
Evasive Circuit Obfuscation
LetC={Cn}n∈Nbe a collection of circuits such that everyC∈ Cnmapsninput bits to a single output
bit, and has sizepoly(n). We say thatCisevasiveif on every input, a random circuit in the collection outputs0with overwhelming probability:2
2To avoid confusion, we note that the notion here is unrelated (and quite different) from the notion of evasive relations in
Definition 2.1(Evasive Circuit Collection). A collection of circuitsCis evasive if there exist a negligible functionµsuch that for everyn∈Nand everyx∈ {0,1}n:
Pr
C←Cn
[C(x) = 1]≤µ(n) .
An equivalent definition that will be more useful to us states that given oracle access to a random circuit in the collection it is hard to find an input that maps to1.
Definition 2.2(Evasive Circuit Collection - Alternative Definition). A collection of circuitsCis evasive if for every adversaryAand for every polynomialqthere exist a negligible functionµsuch that and for everyn∈N:
Pr
C←Cn
[C(AC[q(n)](1n)) = 1]≤µ(n) .
WhereC[q(n)]denotes an oracle to the circuitCwhich allows at mostq(n)queries.
Note that the definition remains unchanged regardless of whetherAis restricted to polynomial time or is computationally unbounded.
2.1 Definitions of Evasive Circuit Obfuscation
We start by recalling the syntax and functionality requirement for circuit obfuscation as defined in [BGI+01].
Definition 2.3(Functionality of Circuit Obfuscation). An obfuscator O for a circuit collectionC is a PPT algorithm such that for allC∈ C,O(C)outputs a description of a circuit that computes the same function asC.
We suggest two new security notions for obfuscation of evasive collections: perfect circuit-hiding and input-hiding. Both notions are average-case notions, that is, they only guarantee security when the obfuscated circuit is chosen at random from the collection.
The notion of input hiding asserts that given an obfuscation of a random circuit in the collection, it remains hard to find input that evaluates to 1.
Definition 2.4(Input-Hiding Obfuscation). An obfuscatorOfor a collection of circuitsCis input-hiding if for every PPT adversaryAthere exist a negligible functionµsuch that for everyn∈Nand for every auxiliary inputz∈ {0,1}poly(n)toA:
Pr
C←Cn
[C(A(z,O(C))) = 1]≤µ(n) ,
where the probability is also over the randomness ofO.
Our second security notion of perfect circuit-hiding asserts that an obfuscation of a random circuit in the collection does not reveal any partial information about original circuit. We show that for evasive collections, this notion is equivalent to existing definitions of case obfuscation such as average-case virtual black-box (VBB) [BGI+01], case virtual gray-box (VGB) [BC10], and average-case oracle indistinguishability [Can97].
Definition 2.5(Perfect Circuit-Hiding Obfuscation). Let C be a collection of circuits. An obfuscator
O for a circuit collection C is perfect circuit-hiding if for every PPT adversaryA there exist a neg-ligible function µ such that for every balanced predicate P, every n ∈ N and every auxiliary input
z∈ {0,1}poly(n)toA:
Pr
C←Cn
[A(z,O(C)) =P(C)]≤ 1
2 +µ(n) ,
Remark2.1 (On Definition 2.5). The restriction to the case of balanced predicates is made for simplicity of exposition only. We note that the proof of Theorem 2.1 implies that Definition 2.5 is equivalent to a more general definition that considers all predicates.
Remark 2.2 (On extending the definitions for non-evasive functions). The definitions of input-hiding and perfect circuit-hiding obfuscation are tailored for evasive collections and clearly cannot be achieved for all collections of circuits. For the case of input-hiding, this follows directly from Definition 2.2 of evasive collections. For the case of perfect circuit-hiding, consider the non-evasive collectionC such that for everyC ∈ C,C(0n)outputs the first bit ofC. Clearly, no obfuscator can preserve functionality while hiding the first bit of the circuit.
2.2 On the Relations Between the Definitions
An input-hiding obfuscation is not necessarily perfect circuit-hiding since an input-hiding obfuscation might always include, for example, the first bit of the circuit in the output. In the other direction we do not know if every perfect circuit-hiding obfuscation is also input hiding. The reason is that the perfect circuit-hiding obfuscation only prevents the adversary from learning a predicate of the circuit. Note that there may be many inputs on which the circuit evaluates to 1. Therefore, even if the obfuscation allows the adversary to learn some input that evaluates to 1, it is not clear how to use such an input to learn a predicate of the circuit. In Section 2.2.1 we give an example of an obfuscation for some evasive collection that is perfect circuit-hiding but not input-hiding. The example is based on a worst case obfuscation assumption for hyperplanes [CRV10]. Nonetheless, in Section 2.2.2 we prove that for evasive collections where every circuit only evaluates to 1 on apolynomialnumber of inputs, then every perfect circuit-hiding obfuscation is also input-hiding.
2.2.1 Counterexample for General Evasive Collection
Let Fbe some finite field with 2Θ(n) elements and letd ∈ Nbe some small constant. We consider the collections of hyperplanes inFdndefined as follows: Cn = {Cv}v∈Fd such that for every~x ∈ F
d,
Cv(~x) = 1iff~x6= 0dandhv, ~xi= 0. Since the field is exponentially large the collection is evasive.
We will construct an obfuscatorO forC that is perfect circuit-hiding but not input hiding. In the construction ofOwe will assume the existence of an obfuscatorO0 forCthat isworst-case VBB secure with auxiliary input. That is,O˜ satisfies the following definition of [GK05]. We note that a candidate construction for such obfuscation can be found in [CRV10].
Definition 2.6(Worst-Case VBB with Auxiliary Input). An obfuscatorO˜for a collection of circuitsC
is perfect circuit-hiding in the worst-case if for every PPT adversaryA there exists a PPT simulator
Simand a negligible functionµsuch that for every predicateP, everyn∈N, everyC ∈ Cnand every auxiliary inputz∈ {0,1}poly(n)toA:
Pr[A(z,
˜
O(C)) =P(C)]−Pr[SimC(z,1n) =P(C)]
≤µ(n) .
We define O(Cv) to outputO(˜ Cv)together with a random point~x such thathv, ~xi = 0. Clearly
O is not input hiding. We show thatO is perfect circuit-hiding. we need to show that for every PPT adversaryAthere exists a PPT simulatorSimsuch that for every predicateP:
Pr
v←Fd[A(O(Cv)) =P(v)]−v←Pr
Fd
[SimCv(1n) =P(v)]
≤negl(n) .
SinceO(Cv) = ( ˜O(Cv), ~x), we need to show that:
Pr
v←Fd
[A( ˜O(Cv), ~x) =P(v)]− Pr v←Fd
[SimCv(1n) =P(v)]
We can interpret~xas auxiliary input toA. Now, sinceO˜is worst-case VBB secure with auxiliary input there exist a simulatorSim˜ such that:
Pr
v←Fd
[A( ˜O(Cv), ~x) =P(v)]− Pr v←Fd
[ ˜SimCv(~x,1n) =P(v)]
≤negl(n) .
SinceCis evasive we can write the above as
Pr
v←Fd[A( ˜O(Cv), ~x) =P(v)]−v←Pr
Fd
[ ˜SimZ(~x,1n) =P(v)]
≤negl(n) ,
where Z is an oracle computing the constant zero function. We define the simulator Sim to simply sample a random vector~x0 ∈Fdand executeSim˜ Z(~x,1n). It is left to show that
Pr
v←Fd[ ˜Sim
Z
(~x,1n) =P(v)]− Pr
v,~x0←
Fd
[ ˜SimZ(~x0,1n) =P(v)]
≤negl(n) .
Plugging in the definition of~xwe need to show that:
Pr
v,~x←Fd[ ˜Sim
Z
(~x,1n) =P(v)|hv, ~xi= 0]− Pr
v,~x0←
Fd
[ ˜SimZ(~x0,1n) =P(v)]
≤negl(n) .
The above follows from the fact that inner product is a two-source extractor [CG88]. Concretely, for a sufficiently large constantdit follows as a corollary from [DF11, Lemma 23], [GR12, Lemma 3.11].
2.2.2 Proof for the Case of Polynomially-Sparse Evasive Collection
Let C be an evasive collection such that every C ∈ Cn outputs 1 on at most p(n) inputs for some
polynomialp. LetO be a perfect circuit-hiding obfuscator forC. Assume towards contradiction that
Ois not input-hiding, that is, there exist and adversaryA, a polynomialpand a sequence{zn}n∈Nof
poly-size auxiliary inputs toAsuch that for infinitely many values ofn∈N:
Pr
C←Cn
[C(A(zn,O(C))) = 1]> p(n) .
Next we show thatOcannot be average-case VBB, and by Theorem 2.1 this contradicts the fact that
Ois perfect circuit-hiding. Letm=m(n)be a bound on the input length of all circuits inCn. For every
i ∈ [p(n)],r ∈ {0,1}m, Consider theinefficientpredicateP
i,r(C)that is defined as follows: Pi,r(C)
first generates the lexicographically sorted list(x1, . . . , xp(n))of all the inputs on whichCevaluates to
1. Then,Pi,r(C)outputshr, xii. LetA0be an adversary that given an obfuscationO(C)and auxiliary
input(z, r), first executesA(z,O(C))and obtains an input x and then outputshr, xi. In the case A
outputs the inputxi we have that:
Pr
C←Cn,r∈{0,1}m
[A0((zn, r),O(C)) =Pi,r(C)|x=xi] = 1 .
Otherwise we have that:
Pr
C←Cn,r∈{0,1}m
[A0((zn, r),O(C)) =Pi,r(C)|x6=xi] =
1 2 .
Fixi∈[p(n)]such that:
Pr
C←Cn,r∈{0,1}m
[x=xi]≥
1
It follows that:
Pr
C←Cn,r∈{0,1}m
[A0((zn, r),O(C)) =Pi,r(C)] =
1
2 +
1
2p(n) . (1)
Conversely, since the function is evasive we have that for every PPT simulator algorithmSimand everyi∈[p(n)]:
Pr
C←Cn
[SimC(zn,1n) =xi]≤negl(n) .
And by Goldreich-Levin [GL89] we also have that for every PPT simulator algorithm Simand every
i∈[p(n)]:
Pr
C←Cn,r∈{0,1}m
[SimC((zn, r),1n) =Pi,r(C)]≤
1
2 + negl(n) . (2)
Combining Equations 1,2 we conclude:
E r∈{0,1}m
PrC←Cn[A
0((z
n, r),O(C)) =Pi,r(C)]−
PrC←Cn[Sim
C((z
n, r),1n) =Pi,r(C)]
≥ 1
4p(n) .
And therefore, there existr ∈ {0,1}msuch that:
Pr
C←Cn
[A0((zn, r),O(C)) =Pi,r(C)]− Pr C←Cn
[SimC((zn, r),1n) =Pi,r(C)]≥
1 4p(n) .
Proving thatOis not average-case VBB.
2.3 Perfect Circuit-Hiding Obfuscation is Equivalent to Existing Notions
We start by recalling the average-case versions of existing security definitions of obfuscation.
Definition 2.7(Average-Case Virtual Black-Box (VBB) from [BGI+01]). An obfuscatorOfor a col-lection of circuitsC is average-case VBB if for every PPT adversary A there exists a PPT simulator
Simand a negligible functionµsuch that for every predicateP, everyn∈Nand every auxiliary input
z∈ {0,1}poly(n)toA:
Pr
C←Cn
[A(z,O(C)) =P(C)]− Pr
C←Cn
[SimC(z,1n) =P(C)]
≤µ(n) ,
where the probability is also over the randomness ofOandSim.
The notion of VGB relaxes VBB by considering a computationally unbounded simulator, however, the number of queries the simulator makes to its oracle is bounded.
Definition 2.8 (Average-Case VGB Obfuscation from [BC10]). An obfuscator O for a collection of circuits C is average-case VGB if for every PPT adversary A there exists a negligible function µ, a polynomialq and a (possibly inefficient) simulatorSimsuch that for every predicateP, everyn ∈ N
and every auxiliary inputz∈ {0,1}poly(n)toA:
Pr
C←Cn
[A(z,O(C)) =P(C)]− Pr
C←Cn
[SimC[q(n)](z,1n) =P(C)]
≤µ(n) ,
The notion of oracle indistinguishability was originally formulated in the context of point functions, and here we give a variation of it for general collections. Similarly to our new notions, this definition is meaningful for evasive collections, but not for arbitrary collections.
Definition 2.9(Average-Case Oracle-Indistinguishability Obfuscation from [Can97]). An obfuscatorO
for a collection of circuitsCis average-case oracle indistinguishable if for every PPT adversaryAthat outputs one bit:
{(C,A(z,O(C)))|C← Cn} n∈N, z∈{0,1}poly(n)
≈c
(C,A(z,O(C0)))C, C0 ← Cn n∈N, z∈{0,1}poly(n)
.
We prove the following theorem showing that, for evasive collections, the above notions are all equivalent to perfect circuit-hiding. We note that, for general circuits, case VBB and average-case VGB are not equivalent (follows from [BC10, Proposition 4.1]). The equivalence of average-average-case VBB and average-case oracle-indistinguishability was proven for point functions by Canetti [Can97]. We generalize the claim for all evasive functions.
Theorem 2.1. LetObe an obfuscator for an evasive collectionC. The following statements are equiv-alent:
1. Ois perfect circuit-hiding (Definition 2.5).
2. Ois average-case VBB (Definition 2.7).
3. Ois average-case VGB (Definition 2.8).
4. Ois average-case oracle-indistinguishability (Definition 2.9).
Remark2.3 (On evasive obfuscation with a universal simulator). It follows from Claim 2.1 in the proof of Theorem 2.1 that every obfuscatorOfor an evasive collectionCthat is average-case VBB-secure (or average-case VGB-secure) can be simulated as follows: given an adversaryA, the simulatorSimsimply executesA on a random obfuscationO(C0)of a circuit C0 sampled uniformly from the collectionC. The simplicity of the above simulator can be demonstrated as follows:
• The simulator isuniversal, that is, the same algorithmSimcan simulate every obfuscatorOand familyCgiven only black box access toOand the ability to sample uniformly fromC.
• The simulator only makesblack-box use of the adversaryA. This is in contrast to the case of worst-case VBB-security where non-black simulators are required ([Can97, Wee05]).
• The simulator does not make any calls to its oracle. This is in contrast to the case of non-evasive function where, for example, the possibility of obfuscating learnable functions can only be demon-strated by a simulator that queries it oracle.
Proof of Theorem 2.1. We prove that (1)⇒(4)⇒(2)⇒(3)⇒(1).
Perfect circuit-hiding implies average-case oracle-indistinguishability ((1) ⇒ (4)). Let O be a perfect circuit-hiding obfuscator, and assume toward contradiction that O is not average-case oracle-indistinguishable. Namely, suppose there exists a PPT adversaryAthat outputs a single bit, a sequence
{zn}n∈Nof poly-size auxiliary inputs toA, a poly-size distinguisherD, and a polynomialp, such that
for infinitely many values ofn∈N,
Pr
C←Cn
[D(C,A(zn,O(C))) = 1]− Pr C,C0←C
n
[D(C,A(zn,O(C0))) = 1]
≥ 1
Fix suchnand setz=zn. We can write the above as:
C←CEn
Pr[D(C,A(z,O(C))) = 1]− Pr
C0←C n
[D(C,A(z,O(C0))) = 1]
≥ 1
p(n) .
By the triangle inequality we have:
E C←Cn
Pr[D(C,A(z,O(C))) = 1]− Pr
C0←C n
[D(C,A(z,O(C0))) = 1]
≥ 1
p(n) .
SinceAonly outputs one bit, we conclude that:
E C←Cn
Pr[A(z,O(C)) = 1]− Pr
C0←C n
[A(z,O(C0)) = 1]
≥ 1
p(n) .
For everyC, denote bypC the probabilityPr[A(z,O(C)) = 1]. Denote byp¯the average value ofpC
and byp˜the median value ofpC. Assume WLOG that p¯ ≤ p˜(otherwise flipA’s answer). We can
rewrite the above as:
E C←Cn
[|pC−p¯|]≥
1
p(n) .
And therefore also:
E C←Cn
[¯p−pC|pC ≤p¯]· Pr C←Cn
[pC ≤p¯]−
E C←Cn
[¯p−pC|pC >p¯]· Pr C←Cn
[pC >p¯]≥
1
p(n) .
However, since:
E C←Cn
[¯p−pC|pC ≤p¯]· Pr C←Cn
[pC ≤p¯]+
E C←Cn
[¯p−pC|pC >p¯]· Pr C←Cn
[pC >p¯] = E C←Cn
[¯p−pC] = 0 .
We have that:
E C←Cn
[pC−p¯|pC >p¯]· Pr C←Cn
[pC >p¯]≥
1 2p(n) .
Now, sincep¯≤p˜
1
2p(n) ≤C←CEn
[pC −p¯|pC >p¯]· Pr C←Cn
[pC >p¯]≤
E C←Cn
[pC −p¯|pC >p˜]· Pr C←Cn
[pC >p¯]≤
E C←Cn
[pC −p¯|pC >p˜] .
That is:
E C←Cn
[pC|pC >p˜]≥p¯+
1
2p(n) . (3)
We next define a balanced predicatePsuch that:
Pr
C←Cn
[A(z,O(C)) =P(C)]≥ 1
2+
Contradicting the perfect circuit-hiding property ofO. To this end, defineP such thatP(C) = 1if and only ifpC > p˜. P is balanced by the definition ofp˜and from Equation 3 and the definition ofpC we
have:
Pr
C←Cn
[A(z,O(C)) = 1| P(C) = 1]≥p¯+ 1
2p(n) . (4)
Combining Equation 4 with the definition ofp¯we get:
¯
p= Pr
C←Cn
[A(z,O(C)) = 1]
= 1
2CPr←Cn
[A(z,O(C)) = 1| P(C) = 1] +1 2CPr←Cn
[A(z,O(C)) = 1| P(C) = 0]
≥ p¯
2 +
1 4p(n) +
1 2CPr←Cn
[A(z,O(C)) = 1| P(C) = 0] .
And therefore:
Pr
C←Cn
[A(z,O(C)) = 1| P(C) = 0]<p¯− 1
p(n) .
Combining this with Equation 4 we get:
Pr
C←Cn
[A(z,O(C)) =P(C)] =
1 2CPr←Cn
[A(z,O(C)) = 1| P(C) = 1] + 1 2CPr←Cn
[A(z,O(C)) = 0| P(C) = 0] =
1 2
¯
p+ 1
2p(n)+ 1−
¯
p− 1 2p(n)
= 1
2+
1 2p(n)
Contradicting the factOis perfect circuit-hiding.
Average-case oracle-indistinguishability implies average-case VBB ((4) ⇒ (2)). LetO be oracle-indistinguishable. Fix an adversaryAand a sequence {zn}n∈Nof poly-size auxiliary inputs toA. We
consider an efficient simulatorSimthat given auxiliary inputz samples a random circuit from the col-lectionC0 ← Cnand outputsA(z,O(C0)). To show thatOaverage-case VBB we prove the following claim.
Claim 2.1. IfOis oracle indistinguishable then:
Pr
C←Cn
[A(zn,O(C)) =P(C)]− Pr C,C0←C
n
[A(zn,O(C0)) =P(C)]
≤negl(n) .
Proof. Assume towards contradiction that there exists a predicateP and a polynomialpsuch that for infinitely many values ofn:
Pr
C←Cn
[A(zn,O(C)) =P(C)]− Pr C,C0←C
n
[A(zn,O(C0)) =P(C)]
≥ 1
p(n) .
Fix suchnand setz=zn. We can write the above as:
C←CE n
Pr[A(z,O(C)) =P(C)]− Pr
C0←C n
[A(z,O(C0)) =P(C)]
≥ 1
p(n) .
And by the triangle inequality we have:
E C←Cn
Pr[A(z,O(C)) =P(C)]− Pr
C0←C n
[A(z,O(C0)) =P(C)]
≥ 1
SinceCdetermines the value ofP(C), we can rewrite the above as:
E C←Cn
Pr[A(z,O(C)) = 1]− Pr
C0←C n
[A(z,O(C0)) = 1]
≥ 1
p(n) .
For everyC, denote bypC the probabilityPr[A(z,O(C)) = 1]. Denote byp¯the average value ofpC.
Using these notation we write the above as:
E C←Cn
[|pC−p¯|]≥
1
p(n) .
LetBADbe the set of allC ∈ Cnsuch that:
|pC−p¯| ≥
1 2p(n) .
We have that:
Pr
C←Cn
[C∈BAD]≥ 1
2p(n) .
LetBAD0be the set of allC∈BADsuch that:
pC−p¯≥
1 2p(n) .
Assume WLOG thatBAD0contains at least half of the circuits inBAD(otherwise, the rest of the proof will use the setBAD\BAD0instead of the setBAD0). That is:
Pr
C←Cn
C ∈BAD0≥ 1
4p(n) . (5)
Next we define an distinguisherDsuch that
Pr
C←Cn
[D(C,A(z,O(C))) = 1]− Pr
C,C0←C n
[D(C,A(z,O(C0))) = 1]
≥ 1
poly(n) .
Contradicting the oracle-indistinguishability property ofO. WLOG , we defineDto be a randomized non-uniform algorithm.Dgets as input a pair(C, b)taken from one of the distributions:
{(C,A(z,O(C)))|C ← Cn} or
(C,A(z,O(C0)))|C, C0 ← Cn .
Additionally,Dgets the value4n·p(n)·p¯, rounded to the nearest integer as advice.Dwill distinguish as follows:
• DexecutesA(z,O(C))for4n·p2(n)times with independent randomness. Letcbe the number of timesA(z,O(C))outputs 1.
• Ifc≥4n·p2(n)·p¯+n·p(n),Doutputsb. Otherwise,Doutputs a random bitb0 ∈ {0,1}. Denote the distinguishing probability ofDfor a circuitCbyAdvC. That is:
AdvC = Pr[D(C,A(z,O(C))) = 1]− Pr C0←C
n
[D(C,A(z,O(C0))) = 1] .
By the definition ofDwe have
AdvC = (pC−p¯)·Pr[c≥4n·p2(n)·p¯+n·p(n)] (6)
+ Pr[b0 = 1]−Pr[b0= 1]·Pr[c <4n·p2(n)·p¯+n·p(n)] = (pC−p¯)·Pr[c≥4n·p2(n)·p¯+n·p(n)] .
• ForC ∈BAD0we have thatpC ≥p¯+2p1(n). SinceE[c] = 4n·p2(n)·pCwe have by Chernoff:
Pr[c <4n·p2(n)·p¯+n·p(n)]≤
Pr[c <4n·p2(n)·(pC −
1
2p(n)) +n·p(n)] = Pr[c <4n·p2(n)·pC −n·p(n)]≤
Pr[c <(1− 1 4p(n)·pC
)4n·p2(n·pC)]≤
e−Θ
n·p2(n)·pC
(p(n)·pC)2
≤e−Θ(n)= negl(n) .
Plugging this into Equation 6 we get:
AdvC = (pC−p¯)·Pr[c≥4n·p2(n)·p¯+n·p(n)]≥
1
2p(n)·(1−negl(n))≥ 1 4p(n) .
• ForC /∈BAD0we separate the case wherepC <p¯and the case wherepC ≥p¯. IfpC ≥p¯: AdvC = (pC −p¯)·Pr[c≥4n·p2(n)·p¯+n·p(n)]≥0 .
WhenpC <p¯, we haveE[c] =n·p2(n)·pC. By Chernoff:
Pr[c >4n·p2(n)·p¯+n·p(n)]≤Pr[c >4n·p2(n)·pC+n·p(n)]
= Pr
c >(1 + 1 4p(n)·pC
)4n·p2(n)·pC
≤e−Θ
n·p2(n)·pC
(p(n)·pC)2
≤e−Θ(n)= negl(n) .
Plugging this into Equation 6 we get:
AdvC = (pC−p¯)·Pr[c≥4n·p2(n)·p¯+n·p(n)]≥ −negl(n) .
In any case, forC /∈BAD0we haveAdvC ≥ −negl(n).
Combining the bounds onAdvC forC∈BAD0andC /∈BAD0with Equation 5 we get: E
C←Cn
[AdvC] = E
C←Cn\BAD0
[−negl(n)]· Pr
C←Cn
[C /∈BAD0]
+ E
C←BAD0
1 4p(n)
· Pr
C←Cn
[C ∈BAD0] ≥ −negl(n) + 1
(4p(n))2 = poly(n) .
Average-case VBB implies average-case VGB ((2)⇒(3)).This implication follows directly from the definitions since average-casepoly-VGB is a relaxation of average-case VBB allowing for the simulator to be computationally unbounded.
Average-case VGB implies perfect circuit-hiding ((3)⇒(1)).LetObe an average-case VGB secure. Fix an adversaryAand a sequence{zn}n∈Nof poly-size auxiliary inputs toA. We will prove a stronger
statement considering also non-balanced predicates. LetP be a (not necessarily balanced) predicate. We denote:
pb(P) = Pr
Claim 2.2. IfOis average-case VGB, then there exist a negligible functionµsuch that for every predi-cateP and for everyn∈N:
Pr
C←Cn
[A(zn,O(C)) =P(C)]≤p(P) +µ(n) .
Proof. Sixnand setz=znSinceOis average-case VGB secure, there exists a negligible functionµ0,
polynomialqand a (possibly inefficient) simulatorSimsuch that:
Pr
C←Cn
[A(z,O(C)) =P(C)]− Pr
C←Cn
[SimC[q(n)](z,1n) =P(C)]
≤µ0(n) . (7) SinceCis evasive, if follows from Definition 2.2 that there exists a negligible functionµ00such that:
Pr
C←Cn
[SimC[q(n)](z,1n) =P(C)]− Pr
C←Cn
[SimZ(z,1n) =P(C)]
≤µ00(n) , (8) whereZis the constant zero function. Note that the circuitCis information theoretically hidden from
SimZand therefore:
Pr
C←Cn
[SimZ(z,1n) =P(C)]≤p(P) . (9)
Combining Equations 7,8 and 9 we get the required:
Pr
C←Cn
[A(O(C)) =P(C)]≤p(P) +µ0(n) +µ00(n) .
3
Obfuscating Root Sets of Low Degree Polynomials
In this section, we present constructions of input-hiding obfuscation and of perfect circuit-hiding ob-fuscation for a subclass of evasive collections. We will be able to obfuscate collections that can be expressed as the zero-set of some low-degree polynomial. More concretely, we say that a collectionCis oflow arithmetic degreeif for everyn, there is primep,|p|=θ(n), and a polynomial size low degree arithmetic circuitU(k, x),k∈Z`
p, x∈Zmp such thatCn={Ck}k∈Z`p andCk(x) = 1iffU(k, x) = 0. Note that the Schwartz-Zippel Lemma, together with the fact thatU(k, x)is of low degree implies that for everyx∈Zm
p either
Pr
k←Z` p
[Ck(x) = 0] = negl(n) or, Pr k←Z`
p
[Ck(x) = 0] = 1 .
Thus, there exists a single functionhsuch that the collection{Ck−h}k∈Z`
p is evasive, whereh(x) = 1 iff:
Pr
k←Z` p
[Ck(x) = 0] = 1 .
In other words, a collection of low arithmetic degree is either evasive or it is a “translation” of an evasive collection by a fixed, efficiently computable (in RP) function that is independent of the key. Therefore, we can restrict ourselves WLOG toevasivecollection of low arithmetic degree.
Both constructions will be based on graded encodingas introduced by Garg, Gentry, and Halevi [GGH13a]. The high-level idea behind both constructions is as follows. The obfuscation of a circuitCk
evaluate the low-degree polynomialU(k, x). Then, the evaluator tests whether the output is an encoding of 0 and learns the value ofCk(x).
The two constructions will encode the keykin two different ways, and their security will be based on two different hardness assumptions. The security of the input-hiding construction will be based on a discrete-logarithm-style assumption on the encoding. The obfuscation will support evasive collections of low arithmetic degree defined by a polynomial size circuit U(k, x) of total degree poly(n). This class of circuits is equivalent to polynomial size arithmetic circuits of depthO(log2(n))and total degree
poly(n) [VSBR83]. The security of the perfect circuit-hiding construction will be based on a new assumption calledthe perfectly-hiding multilinear encoding assumption. The obfuscation will support evasive collections defined by a polynomial size circuitU(k, x)of depth O(log(n)). We also discuss a stronger variant of this assumption, which like in the input-hiding construction, supports arbitrary arithmetic circuits with total polynomial degree.
3.1 Graded Encoding
We start by defining a variant of the symmetric graded encoding scheme from ([GGH13a]), used in our construction, and by specifying hardness assumptions used.
Definition 3.1. A d-graded encoding system consists of a ring R and a collection of disjoint sets of encodings
n
Si(α)|α∈R,0≤i≤d o
. The scheme supports the following efficient procedures:
• Instance Generation: given security parameternand the parameterd,Gen(1n,1d)outputs public
parameterspp.
• Encoding: given the public parametersppandα∈R,Enc(pp, α)outputsu∈S1(α).
• Addition and Nagation: given the public parameterspp and two encodings u1 ∈ Si(α1), u2 ∈
Si(α2),Add(pp, u1, u2)outputs an encoding inSi(α1+α2), andNeg(pp, u1)outputs an encoding in
Si(−α1).
• Multiplication: given the public parametersppand two encodingsu1 ∈ Si(1α1), u2 ∈S (α2)
i2 such
thati1+i2≤d,Mul(pp, u1, u2)outputs an encoding inSi(1α+1·iα22).
• Zero Test: given the public parametersppand an encodingsu,Zero(pp, u)outputs 1 ifu∈Sd(0)
and 0 otherwise.
The main difference between this formulation and the formulation in [GGH13a] is that we assume that there is an efficient procedure for generating level 1 encoding of every ring element. In [GGH13a], it is only possible to obliviously generate an encoding of a random element in R, without knowing the underlying encoded element. While we currently do not know how how to use the construction of [GGH13a] to instantiate our scheme, we can get a candidate construction with public encoding based on the construction of [CLT13], by publishing encodings of all powers of 2 as part of the public parameters. The known candidate constructions involve noisy encodings. Since in our construction we use at most
O(d)operations, we may set the noise parameter to be small enough so that it can be ignored. Therefore, from hereon, we omit the management of noise from the interfaces of the graded encoding.
Our first hardness assumption (used in the construction of input-hiding obfuscation) is that the en-coding function is one-way. That is, given the output ofEnc(pp, α) for randomly generated parame-tersppand a random ring elementα∈RR, it is hard to findα.
encodings ofrandr·kfor randomr, k∈R, the value of any one bit predicate ofkcannot be efficiently learned. The perfectly-hiding multilinear encoding assumption can be shown to hold in an ideal model where the encoding is generic (such as the generic ideal models described in [BR13b, BGK+13]).
Assumption 3.1(perfectly-hiding multilinear encoding). For every PPT adversaryAthat outputs one bit, the following ensembles are computationally indistinguishable:
•
pp, k,A(Enc(pp, r),Enc(pp, r·k)) :k, r←R,pp←Gen(1n,1d) ,
•
pp, k,A(Enc(pp, r),Enc(pp, r·k0)) :k, k0, r←R,pp←Gen(1n,1d) .
We note that both of the above assumptionsdo not hold for the candidate construction of [GGH13a] (assuming there is an efficient encoding procedure for every ring element). However, they are possibly satisfied by other constructions. In particular, to our knowledge there are no known attacks violating this assumption for the candidate construction of [CLT13].
3.2 Input-hiding Obfuscation
LetCnbe an evasive collection defined by the arithmetic circuitU(k, x),k∈Z`p, x∈Zmp of degreed=
poly(n). The obfuscator will make use of ad-symmetric graded encoding scheme over the ringZp. For
everyk∈Z`
pthe obfuscationO(Ck)generates parameterspp←Gen(1n,1d)for the graded encoding,
and outputs a circuit that has the public parameters pp and the encodings {Enc(pp, ki)} for i ∈ [`]
hardwired into it. The circuitO(Ck), on inputx ∈ Zpm, first generates encodings{Enc(pp, xi)} for
i ∈ [m], and uses the evaluation functions of the graded encoding system to compute an encoding
u∈Sd(U(k,x)).O(Ck)then uses the zero test to check whetheru∈Sd(0). If so it outputs 1 and otherwise
it outputs 0.
Theorem 3.1. Ois an input-hiding obfuscator forC, assumingEncis one-way.
Proof. We need to prove thatOsatisfies both the functionality requirement and the security requirement. The functionality requirement follows immediately from the guarantees of the graded encoding scheme. Thus, we focus on proving the security requirement. To this end, fix any PPT adversaryA, and suppose for the sake of contradiction that for infinitely many values ofn,
Pr
k←Z` p
[Ck(A(O(Ck))) = 1]≥
1
poly(n). (10)
.
Next we prove that there exists a PPT adversary A0 that brakes the one-wayness of the encoding. The adversaryA0will make use of the the helper procedureSimplifydescribed in the following claim: Claim 3.1. There exists an efficient procedureSimplifythat, given a multivariate non-trivial polynomial
p : Z`p → Zp of total degree d, represented as an arithmetic circuit, outputs a set of multivariate
polynomials{pj}j∈[`](represented as arithmetic circuits) such that:
1. pj is a multivariate non-trivial polynomial of total degreed.
2. For every r ∈ Z`p such thatp(~r) = 0there existj ∈ [`]such thatpj(r) = 0but the univariate
polynomialq(x) =p(r1, . . . , rj−1, x, rj+1. . . , r`)is non-trivial.
We note that a very similar claim was proven by Bitanskyet al. [BCI+13, Proposition 5.15]. For the sake of completeness, we reprove this claim in Appendix A.
1. A0samples a random indexi∈[`]and a random elementk
j ←Zpfor everyj∈[`]\ {i}.
2. A0 generates a random obfuscationO(Ck) from the encodings{Enc(kj)}j∈[`]\{i} and using his
inputuas the encoding ofki.
3. A0executesA(O(Ck))and obtains an inputx. IfO(Ck)(x)6= 1,A0 aborts.
4. Otherwise,A0 executes the helper procedureSimplifyon the polynomialU(·, x)with the values ofxfixed and obtains a polynomialpi.
5. A0 constructs the univariate polynomialq(x) =pi(k1, . . . , ki−1, x, ki+1, . . . , k`) (the rest of the
elements ofkare known toA0).
6. Ifq≡0,A0aborts, otherwise it outputs a random root ofq.
We show thatA0outputs the correct value ofrwith noticeable probability. By our assumption onA,
O(Ck)(x) 6= 1with some noticeable probability . In this case, it follows from the correctness ofO
thatU(k, x) = 0. Letjbe the index guaranteed by Claim 3.1. Since the distribution ofk1, . . . , k` is
independent from the choice of i, it follows that conditioned on the event U(k, x) = 0, i = j with probability1/`. In this case by Claim 3.1 it holds thatpi(k) = 0but the univariate polynomialpdefined
above is not identically zero, which means thatris one of the at mostdroots ofp. Therefore,A0will
output the correct root with probability at least/(`d).
3.3 Perfect Circuit-Hiding Obfuscation
LetCnbe an evasive collection defined by the arithmetic circuitU(k, x),k∈Z`p, x∈Zmp of depth degree
h = O(log(n)). The obfuscator will make use of ad-symmetric graded encoding scheme ford = 2h
over the ring Zp. For everyk ∈ Z`p, the obfuscationO(Ck) generates parameterspp ← Gen(1n,1d)
for the graded encoding, samples random elementsr1, . . . r` ∈ Zp, and outputs a circuit that has the
public parameters pp hardwired into it, and for every for i ∈ [`], has the encodings Enc(pp, ri) and Enc(pp, ri·ki)hardwired into it.
The circuit O(Ck), on inputx ∈ Zmp , does the following: Fori ∈ [m], it generates the encodings Enc(pp, ri0)andEnc(pp, r0i·xi)wherer0i = 1(Note that when encoding the input we do not needr0ito
be random for security. We only user0ithe make the encoding of the inputxand the keykhave the same format). Using the evaluation functions of the graded encoding system,O(Ck)then computes a pair of
encodingsu0∈Sd(˜r)andu1 ∈S(˜r
·U(k,x))
d for some˜r6= 0that is a function ofr1, . . . , r`. Finally, it uses
the zero test to check whetheru1 ∈S(0)d . If so it outputs 1 and otherwise it outputs 0.
We next elaborate on how this encoded output is computed. The circuitO(Ck)evaluates the
arith-metic circuitU(k, x)gate by gate, as follows: Fix any gate in the formula connecting the wiresw1and
w2tow3. Suppose that for wiresw1andw2we have the pairs of encodings
(uw1
0 , u
w1
1 )∈S
(˜r1)
d1 ×S (˜r1·α1)
d1 , (u
w2
0 , u
w2
1 )∈S
(˜r2)
d2 ×S (˜r2·α2)
d2 ,
wherer˜1,r˜2 6= 0(supposedly the value on the wirew1 isα1 and the value on wirew2 isα2). If the
gate is a multiplication gate, one can compute an encoding for wirew3, by simply computing the pair of
encodings:
(uw3
0 , u
w3
1 )∈S
(˜r1·r˜2)
d1+d2 ×S
(˜r1·r˜2·α1·α2)
d1+d2 .
If the gate is an addition gate we computeuw3
0 in the same way. We also compute the encodings:
uw3,1
1 , u
w3,2
1 ∈S
(˜r1·˜r2·α1)
d1+d2 ×S
(˜r1·˜r2·α2)
which can then be added to get:
uw3
1 ∈S
(˜r1·˜r2·(α1+α2))
d1+d2 .
Note that in any caser˜1 ·r˜2 6= 0. Also note that in the evaluation of every level of the circuitU the
maximal degree of the encodings at most doubles and therefore it never exceedsd= 2h.
Theorem 3.2. Ois a perfect circuit-hiding obfuscator forC, assuming the encoding satisfies the perfectly-hiding multilinear encoding assumption.
Proof. By Theorem 2.1, it suffices to prove thatOis an average-case oracle indistinguishability obfus-cator forC. Namely, it suffices to prove that for every PPT adversaryAthat outputs a single bit,
n
(Ck,A(O(Ck)))
k←Z
` p
o
≈c n
(Ck,A(O(Ck0)))
k, k
0 ←
Z`p o
.
Suppose for the sake of contradiction there exists a PPT adversaryA(that outputs a single bit), a distin-guisherD, and a non-negligible function, such that
Pr
k←Z` p
[D(k,A(O(Ck))) = 1]− Pr k,k0←
Z`p
[D(k,A(O(Ck0))) = 1]
≥(n) ,
Recall that the obfuscated circuitO(Ck)consists of the public parametersppand from the
encod-ings:
{Enc(pp, ri),Enc(pp, ri·ki)}i∈[`],
where r1, . . . , r` ← Z∗p. Since sampling encoding corresponding to random input wires is efficient,
the equation above, together with a standard hybrid argument, implies that there existsi ∈ [`], a PPT adversaryA0(that outputs a single bit), a distinguisherD0, and a non-negligible function0, such that
Prki←Zp[D
0(pp, k
i,A0(Enc(pp, ri),Enc(pp, ri·ki))) = 1]−
Prki,ki0←Zp[D
0(pp, k
i,A0(Enc(pp, ri),Enc(pp, ri·k0i))) = 1]
≥0(n) , .
contradicting the perfectly-hiding multilinear encoding assumption.
Remark3.1 (On unifying the constructions). Under a stronger variant of the perfectly-hiding multilinear encoding assumption we can directly prove that the input hiding obfuscation construction presented in Section 3.2 is also perfect circuit-hiding. Intuitively, the stronger variant assumes that the the function
Encgiven a random inputkalready hides every predicate ofk(without adding any additional random-ization).
Assumption3.2 (strong perfectly-hiding multilinear encoding). For every PPT adversaryAthat outputs one bit, the following ensembles are computationally indistinguishable:
•
pp, k,A(Enc(pp, k)) :k,←R,pp←Gen(1n,1d) ,
•
pp, k,A(Enc(pp, k0)) :k, k0,←R,pp←Gen(1n,1d) .
4
Evasive Function and Virtual Grey Box Obfuscation
We show that average-case VGB obfuscation for all evasive functions implies a slightly weaker form of average-case VGB obfuscation forallfunction.
We start by giving a slightly more general definition for VGB obfuscation that considers also com-putationally unbounded obfuscators and allows for the query complexity of the simulator to be super-polynomial. Note that when the obfuscator is unbounded, we need to explicitly require that it has a polynomial slowdown, that is, the that the obfuscated circuit is not too large.
Definition 4.1(Weak Average-Case VGB Obfuscation). LetC = {Cn}n∈N be a collection of circuits
such that everyC ∈ Cnis a circuit of size poly(n) that takesnbits as input. A (possibly inefficient) algorithmOis a weak average-case VGB obfuscator forCif it satisfies the following requirements:
• Functionality: for all C ∈ C, O(C) outputs a description of a circuit that computes the same function asC.
• Polynomial Slowdown: There exist a polynomialpsuch that for everyC∈ C,|O(C)|< p(|C|).
• Security: For every super-polynomial functionq=q(n)and for every PPT adversaryAthere exist a (possibly inefficient) simulatorSimand a negligible functionµsuch that for every predicateP, everyn∈Nand every auxiliary inputz∈ {0,1}poly(n)toA:
Pr
C←Cn
[A(z,O(C)) =P(C)]− Pr
C←Cn
[SimC[q(n)](z,1n) =P(C)]
≤µ(n) .
WhereC[q(n)]denotes an oracle to the circuitCwhich allows at mostq(n)queries.
Remark4.1 (On obfuscation with inefficient obfuscator). The notion of obfuscation with computation-ally unbounded obfuscators was first considered in[BGI+01]. To demonstrate the meaningfulness of this notion we note that assuming the existence ofindistinguishability obfuscationfor a collectionCwith an
effficentobfuscator, the existence of a (weak) average-case VGB Obfuscation forCwith a computation-ally unbounded obfuscator already implies the existence of a (weak) average-case VGB Obfuscation for
Cwith aneffficentobfuscator.
Theorem 4.1. If there exists an average-case VGB obfuscator for every collection of evasive circuits, then there exists a weak average-case VGB obfuscator for every collection of circuits.
Proof overview of Theorem 4.1. LetC be a (non-evasive) collection of circuit that we want to VGB obfuscate. We start by showing a computationally unbounded leaning algorithm L that given oracle access to a circuit C ∈ C tries to learn the circuitC. Clearly, IfL can make unbounded number of queries it can learn C exactly. However, if the number of queriesLmakes toC is bounded by some super-polynomial functionq(n), we show thatL can still learn a circuitC0 ∈ C that is “close” to C. That is,CandC0only disagree on some negligible fraction of the inputs.
The learning algorithmLwill repeatedly queryCon the input that gives maximal information about the circuitC, taking into account the information gathered from all the previous oracle answers.Lstops when it learnsCor when there is no query that will give “enough” information aboutC. In this case, we denote byK(C)the set of all circuits inCnthat are consistent with all the previous oracle answers. We
show that all the circuits inK(C)are close toC, andLwill just output a random circuitC0 ∈K(C). The high-level idea behind the construction of the weak average-case VGB obfuscator O for C
In particular,O(C)may contain a random circuitC0 ←K(C)in the clear. To satisfy the functionality requirement, the obfuscation cannot contain onlyC0. Additionally,O(C)will contain the circuitCdiff,
where Cdiff = C ⊕C0 is a circuit that outputs 1 on every input on whichC and C0 differ. Now, to
evaluateC on an inputx an evaluator can computeC(x) = C0(x)⊕Cdiff(x). Clearly, O(C)cannot
containCdiff in the clear, sinceCdiff depends onC. instead, O(C)will obfuscateCdiff using the VGB
obfuscator for evasive collections. SinceC0 is a random function inK(C) it only differs fromC on a negligible fraction of the inputs, and thereforeCdiffoutputs 1 only on a negligible fraction of the inputs.
Unfortunately, this high-level idea does not quite work. The problem is that sinceO(C)contains the circuitC0 in the clear, we cannot argue thatCdiff is taken at random from an evasive collection. In
particular, givenCit may be easy to find an input whereCdiffoutputs1. For example, ifCoutputs1only
on a single inputx, andC0outputs1only on a single inputx0, thenCdiff will output 1 on both inputsx
andx0. Now, given the circuitC0it is easy find the inputx0such thatCdiff(x0) = 1and therefore we do not know how to securely obfuscateCdiff.
To fix this problem we do not chooseC0to be a random circuit in the setK(C), but insteadC0will be a circuit computing the majority function on many random circuits taken from the setK(C). Now we can show that even given the circuitC0it is hard to find an input whereCandC0differ, and therefore the obfuscation ofCdiff is secure.
Theorem 4.1. LetObe an average-case VGB secure obfuscator for every collection of evasive circuits. Let C = {Cn}n∈
N be a (not necessarily evasive) collection of circuits such that everyC ∈ Cn is a
circuit of sizep(n), for some polynomialp, that takesnbits as input. Letq(n)be any super-polynomial function. We construct a weak average-case VGB obfuscator O0 for C where the simulator makes at mostq(n)queries to its oracle.O0will make use of the following learning algorithmLas a subroutine.
The algorithmLis an inefficient algorithm that has oracle access toC, it queries its oracle at mostq0(n)
times forq0(n), (qn(+1)n) , and outputs a circuit that is “close” toC.
Loosely speaking, algorithmL starts by settingK to be the set of all circuits inCn. Then, in each
iterationLreduces the size ofK so that at the end it contains only circuits that are “close” toC. The number of iterations is at mostq0(n) and in each iterationLmakes a single oracle call. However, the computation thatLdoes in each iteration is inefficient.
Formally, algorithmLis defined as follows:
1. SetK ← Cn.
2. For everyb∈ {0,1}and everyx∈ {0,1}ncompute:
pbx= Pr
C0←K[C
0
(x) =b], px = min(p0x, p1x) .
3. Setx∗ = arg maxxpx.
4. Ifpx∗ < p(n)
q0(n), then returnC0 ←K. 5. Else, query the oracle onx∗and set:
K ←K∩
C0|C(x∗) =C0(x∗) .
6. IfKcontains a single elementC, returnC.
We later argue that the output ofLCis a circuit that is close toC, that is, the circuits only disagree on a
negligible fraction of the inputs. Next, we describe a weak average-case VGB obfuscatorO0forC. In the
description ofO0we use the following notation: we denote byC1⊕C2the circuit that is composed from
the circuitsC1andC2where the output wires of these circuits are connected by a XOR gate. Similarly,
we we denote byMajorityi∈[n]Ci the circuit that is composed from the circuitsC1, . . . , Cnwhere the
output wires of these circuits are connected by aMajoritygate.
Note about notation. For any two circuitsC, C0, we use the notationC ≡C0 to mean thatCandC0
are functionally equivalent. That is, the circuits compute the same function, but may be very different as “formal” circuits. We use the (non-standard) notationC = C0 to mean thatC andC0 are not only functionally equivalent, but are also equal as “formal” circuits.
The obfuscatorO0on inputC∈ C operates as follows:
1. Fori∈[n]setCi ← LC where all executions ofLuse independent randomness.
2. Construct the circuitCmaj= Majorityi∈[n]Ci.
3. Construct the circuitCdiff =Cmaj⊕C.
4. Construct and output the circuitCout =Cmaj⊕ O(Cdiff).
The correctness and polynomial slowdown properties ofO0 follow from those of O, and from the fact that all the circuits inCnare of (approximately) the same size.
To show thatO0 is a weak average-case VGB secure, we demonstrate an inefficient simulatorSim.
For every PPT adversary Aand for every auxiliary input z ∈ {0,1}poly(n) toA,Sim is givenz and
oracle access toC[q(n)].Simis defined as follows:
1. Fori∈[n]setCi ← LC[q
0(n)]
where all executions ofLuse independent randomness.
2. Construct the circuitCmaj0 = Majorityi∈[n]Ci.
3. SampleC0 ← LC[q0(n)]and construct the circuitC0
diff =C
0
maj⊕C
0.
4. Construct the circuitCsim =Cmaj0 ⊕ O(Cdiff0 ).
5. ExecuteA(z, Csim)and output the result.
Sim makes n+ 1calls to the learning algorithm L, and each call may performs q0(n) = (qn(+1)n)
queries to the oracle. Thus, in totalSimmakes at mostq(n)oracle calls. Simis a valid simulator if for every predicateP:
Pr
C←Cn
[A(z, Cout) =P(C)]− Pr
C←Cn
[SimC[q(n)](z,1n) =P(C)]
≤negl(n) .
That is:
Pr
C←Cn
[A(z,(Cmaj,O(Cdiff))) =P(C)]− Pr
C←Cn
[A(z,(Cmaj0 ,O(Cdiff0 ))) =P(C)]
≤negl(n) , (11)
whereCdiff =Cmaj⊕CandCdiff0 =C
0
maj⊕C
0as defined byO0and bySim.
Before proving Equation (11) we introduce the following notation. For every circuit C ∈ Cn let
K(C)be the value of the setKwhenLC terminates. Note thatK(C)does not depend on the
random-ness ofLsince randomness is only used in Step 4. DefineGOOD(C, Cmaj)to be the event that:
Cmaj≡Majority
C0∈K(C)
C0
Lemma 4.1. For every circuitC ∈ K, the circuitsCmaj computed by O0(C)andCmaj0 computed by
SimC[q(n)]are identically distributed
Lemma 4.2.
Pr
C←Cn
[GOOD(C, Cmaj)]≥1−negl(n) .
Lemma 4.3. For everyCmaj∗ such that:
Pr
C←Cn
[Cmaj=Cmaj∗ ]>0 ,
We have:
PrC←Cn[A(z,(Cmaj,O(Cdiff))) =P(C)|Cmaj=C
∗
maj∧GOOD(C, C
∗
maj)]−
PrC←Cn[A(z,(C
0
maj,O(Cdiff0 ))) =P(C)|Cmaj0 =Cmaj∗ ∧GOOD(C, Cmaj∗ )]
≤negl(n) ,
whereCdiff =Cmaj⊕CandCdiff0 =Cmaj⊕C0 as defined byOand bySim.
Proof of Lemma 4.1. We start by showing that L makes at most q0(n) queries to its oracle. By the choice of x∗, in every execution of Step 5 in L the size of the setK reduces by a factor of at least
(1−p∗x)≥1−qp0((nn)). Since|Cn| ≤2p(n), afterq0(n)queriesKmust contain a single element. It follows
that the output of LC, executed by O0, and the output of LC[q(n)], executed by Sim, are identically
distributed and therefore the circuitsCmajcomputed byO0 andCmaj0 computed bySimare identically
distributed.
Proof of Lemma 4.2. FixCand denote byC˜majthe circuit:
˜
Cmaj≡Majority
C0∈K(C)
C0
IfK(C)contains a single element (corresponding to Step 6 ofL) thenGOODmust occur. Else, the stopping condition in Step 4 ofLgrantees that for everyx∈ {0,1}n,
px=pbx= Pr
C←K(C)[C(x) =b]<
p(n)
q0(n) ,
forpbx = min(p0x, p1x), or alternatively forb= 1−C˜maj(x). Thus, for everyx∈ {0,1}n,
Pr
C←K(C)[C(x)6= ˜Cmaj(x)]<
p(n)
q0(n) .
The eventGOOD does not occur if and only if there exist x ∈ {0,1}n such that at least n/2 of the
circuitsC1, . . . , Cndisagree withC˜majonx. Since everyCiis sampled independently fromK(C)and
sinceq0is super-polynomial we have that:
Pr
C←Cn
[¬GOOD]≤2n·
n
n
2
·
p(n)
q0(n)
n
2
<
16p(n)
q0(n)
n
2
Proof of Lemma 4.3. FixCmaj∗ such that:
Pr
C←Cn
[Cmaj=Cmaj∗ ]>0 ,
where recall that byCmaj=Cmaj∗ , we mean that the circuits are not only functionally equivalent, but also
have the exact same structure. This structural equivalence implies that there exist circuitsC1∗, . . . Cn∗ ∈ Cnsuch thatCmaj∗ is of the formCmaj∗ = Majorityi∈[n]Ci∗. The next claim will be useful in the proof of
Lemma 4.3.
Claim 4.1.
1. For everyC∗∈ Cnand everyC, C0 ∈K(C∗), the random variableCmajin the execution ofO(C)
and the random variableCmajin the execution ofO(C0)are identically distributed.
2. For everyC1∗, . . . Cn∗ ∈ Cn, forCmaj∗ = Majorityi∈[n]Ci∗, and for every C /∈ K(C ∗
1),Cmaj 6=
Cmaj∗ (C)whereCmajis defined by the in the execution ofO0.
In the proof of Claim 4.1 we will use the following claim:
Claim 4.2. For everyC∗ ∈ Cnand everyC∈K(C∗)it holds thatK(C) =K(C∗).
Proof. Fix anyC∗ ∈ Cnand anyC ∈ K(C∗). Consider the set of oracle queries made byLC and by
LC∗ and their answers. If the sets are equal thenK(C) = K(C∗). Else, bothLC andLC∗ make one
queryx∗such thatC(x∗)6=C∗(x∗). However, this contradicts the fact thatC∈K(C∗).
Proof of Claim 4.1. For Part 1, fix any C∗ ∈ Cn and any C, C0 ∈ K(C∗). Claim 4.2 implies that
K(C) =K(C0) =K(C∗). Since the output ofLC is just a random element inK(C)if follows that the
output ofLC and the output ofLC0 are identically distributed, and therefore the random variableC
maj
in the execution ofO0(C)and the random variableCmajin the execution ofO0(C0)are also identically
distributed.
For Part 2, fix any C1∗, . . . Cn∗ ∈ Cn, and any C /∈ K(C1∗) and letCmaj∗ = Majorityi∈[n]Ci∗. If
Cmaj=Cmaj∗ (that is, circuit are formally identical) then it must be thatC1∗∈K(C). This, together with
Claim 4.2 implies thatK(C) = K(C1∗). Since it is always true thatC ∈K(C), this also implies that
C∈K(C1∗), contradicting our assumption.
We are now ready to prove Lemma 4.3. Recall thatCmaj∗ = Majorityi∈[n]Ci∗. Denote the setK(C1∗)
byK∗. By Claim 4.1 (Part2), the lemma statement is equivalent to the following, where we sampleC
fromK∗instead of fromCn:
PrC←K∗[A(z,(Cmaj,O(Cdiff))) =P(C)|Cmaj=C∗
maj∧GOOD(C, C
∗
maj)]−
PrC←K∗[A(z,(C0
maj,O(Cdiff0 ))) =P(C)|Cmaj0 =Cmaj∗ ∧GOOD(C, Cmaj∗ )]
≤negl(n) , (12)
whereCdiff =Cmaj⊕CandCdiff0 =C
0
maj⊕C
0as defined byO0and bySim.
Let the adversaryA0beAwithCmaj∗ hard-coded to it. That is,A0(z,O(Cdiff))outputsA(z,(Cmaj∗ ,O(Cdiff))).
Now we can rewrite Equation (12) as:
PrC←K∗[A0(z,O(Cdiff)) =P(C)|Cmaj=C∗
maj∧GOOD(C, C
∗
maj)]−
PrC←K∗[A0(z,O(C0
diff)) =P(C)|Cmaj0 =Cmaj∗ ∧GOOD(C, Cmaj∗ )]
Let P0 be a predicate that hasC∗
maj hardwired into it, and is defined as follows: On inputs of the
formCdiff = Cmaj∗ ⊕C whereGOOD(C, Cmaj∗ )holds, the predicate P0(Cdiff) outputs P(C). On all
other inputs the output ofP0 is arbitrarily defined to be 0. Now we can rewrite Equation (13) as:
PrC←K∗[A0(z,O(Cdiff)) =P0(Cdiff)|Cmaj=C∗
maj∧GOOD(C, C
∗
maj)]−
PrC←K∗[A0(z,O(C0
diff)) =P0(Cdiff)|Cmaj0 =Cmaj∗ ∧GOOD(C, Cmaj∗ )]
≤negl(n) . (14)
Recall thatO0 setsC
diff =Cmaj⊕C. LetCdiff be the collection:
Cdiff =
Cdiff =Cmaj⊕C
C←K∗ Cmaj=Cmaj∗
GOOD(C, Cmaj∗ )
n∈N,Cmaj∗ .
Additionally, recall thatSimsetsCdiff0 =Cmaj0 ⊕C0whereC0 ← LC. LetC0
diffbe the collection:
Cdiff0 =
Cdiff0 =Cmaj0 ⊕C0
C←K∗ C0 ← LC
Cmaj0 =Cmaj∗
GOOD(C, Cmaj∗ )
n∈N,Cmaj∗ .
Now we can rewrite Equation (14) as:
PrCdiff←Cdiff[A
0(z,O(C
diff)) =P0(Cdiff)]− PrC0
diff←Cdiff,Cdiff←C
0
diff[A
0(z,O(C0
diff)) =P
0(C
diff)]
≤negl(n) , (15)
By the proof of Claim 4.1, K(C) = K∗ and C0 is just a random circuit inK∗. Therefore, the collectionsCdiffandCdiff0 are identical, and we can rewrite Equation (15) as:
PrCdiff←Cdiff[A
0(z,O(C
diff)) =P0(Cdiff)]− PrC0
diff,Cdiff←Cdiff[A
0(z,O(C0
diff)) =P0(Cdiff)]
≤negl(n) , (16)
Claim 4.3. The collectionCdiffis evasive.
Proof. IfK∗contains a single element (corresponding to Step 6 ofL) thenCmaj≡Cand the collection Cdiff contains only the all-zero function and is therefore evasive. Assuming |K∗| > 1, the stopping condition in Step 4 ofLgrantees that for everyx∈ {0,1}n:
px=pbx= Pr
C←K(C)[C(x) =b]<
p(n)
q0(n) ,
forpbx = min(p0x, p1x), or alternatively for:
b= 1−Majority
C0∈K(C)
C0(x) .
By the proof of Claim 4.1,K(C) =K∗for everyC∈K∗. Therefore, for everyx∈ {0,1}n,
Pr
C←K∗[C(x)6= Majority
C0∈K∗
C0(x)]< p(n) q0(n)
Now, plugging in the definitions ofCdiff and ofGOOD(C, Cmaj∗ )and sinceq
0 is super-polynomial, we
get that for everyx∈ {0,1}n,
Pr
C←K∗[Cdiff(x) = 1] =C←PrK∗[C(x)6=C
∗
maj(x)]<
p(n)
q0(n) = negl(n),
