Indistinguishability Obfuscation of Iterated Circuits and RAM Programs

A key source of inefficiency in existing obfuscation schemes is that they operate on programs represented as Boolean circuits or (with stronger assumptions and costlier constructs) as Turing machines. We bring the complexity of obfuscation down to the level of RAM programs. That is, assuming injective one-way functions and indistinguishability obfuscators for all circuits, we construct indistinguishability obfuscators for RAM programs with the following parameters, up to polylogarithmic factors and a multiplicative factor in the security parameter:

(a) The space used by the obfuscated program, as well as the initial size of the program itself, is proportional to the maximum space s used by the plaintext program on any input of the given size.

(b) On each input, the runtime of the obfuscated program is proportional to s plus the runtime of the plaintext program on that input.

The security loss is proportional to the number of potential inputs for the RAM program.

Our construction can be plugged into practically any existing use of indistinguishability obfuscation, such as delegation of computation, functional encryption, non-interactive zero-knowledge, and multiparty computation protocols, resulting in significant efficiency gains. It also gives the first succinct and efficient one-time garbled RAM scheme: the size of the garbled RAM is proportional to the maximum space s used by the RAM machine, and its evaluation time is proportional to the running time of the RAM machine on plaintext inputs.

At the heart of our construction is a mechanism for succinctly obfuscating "iterated circuits", namely circuits that run in iterations, where the output of one iteration is used as input to the next.
As contributions of independent interest, we also introduce (a) a new cryptographic tool called Asymmetrically Constrained Encapsulation (ACE), which allows us to succinctly and asymmetrically puncture both the encapsulation and decapsulation keys; and (b) a new program analysis tool called Inductive Properties (IP), which allows us to argue about computations that are locally different but globally the same.

∗ Tel Aviv University and Boston University. Email: canetti@tau.ac.il. Supported by the Check Point Institute for Information Security, ISF grant 1523/14, the NSF MACS project, and NSF Algorithmic Foundations grant 1218461.
† MIT. Email: holmgren@mit.edu.
‡ Johns Hopkins University. Email: abhishekjain.itbhu@gmail.com.
§ MIT. Email: vinodv@mit.edu. Research supported in part by DARPA grant number FA875011-2-0225, an Alfred P. Sloan Research Fellowship, the Northrop Grumman Cybersecurity Research Consortium (CRC), a Microsoft Faculty Fellowship, and a Steven and Renee Finn Career Development Chair from MIT.
