Virtual Grey-Boxes Beyond Obfuscation: A Statistical Security Notion for Cryptographic Agents

Shashank Agrawal, Manoj Prabhakaran, Ching-Hua Yu


Security Guarantee in Cryptography

• A cryptographic scheme can provide certain security properties
• Modern cryptography has involved properties
  • E.g., indistinguishability-based security
    • Sometimes the required form of the test family is unclear, or hard to connect to a hardness assumption.
  • E.g., simulation-based security
    • Sometimes too strong to guarantee
• Different primitives use very different definitions based on their functionality (e.g., Obfuscation vs. FE)


Indistinguishability-Preserving Security [AAP15]

• In the ideal world:
  • The cryptographic objects, e.g., ciphertexts and keys, are virtualized as “agents”
  • Agents are uploaded to a black-box, where the user can only access them through “handles”
• IND-PRE security says: if Box0 ≈ Box1 (ideal world experiment), then Cipher0 ≈ Cipher1 (real world experiment)

[AAP15] Agrawal, Agrawal, Prabhakaran. Towards a Unified Theory of Cryptographic Agents. Eurocrypt’15.


Cryptographic Agents (simplified)

• A schema Σ specifies the ideal operations provided by a primitive
• A scheme Π = (O, E) for Σ is an implementation of Σ in the real world
[Figure: Test, holding bit b, uploads agents to the box B[Σ] and passes aux info to the User, who accesses the agents through handles and outputs a guess for b.]
• More generally, Test can be interactive
• Agents can model obfuscation, functional encryption, fully homomorphic encryption, …


Main Results

• Generalization of Virtual Grey Box security to all cryptographic agent schemas
  • New interesting examples: for graded encoding schemes (= “semantic security” [PST’14]), for “homomorphic functional encryption” (see paper).
• A strong simulation-based definition: s-SIM security, using a computationally unbounded simulator
• A basic indistinguishability definition: IND-CON
  • Concentrated distribution: the outcome of every operation is (w.h.p.) the same as that given by a fixed agent
  • Can’t distinguish between agents drawn from two distributions concentrated around the same agent
• The two are equivalent for all agent families!
  • Generalizes to all agents a result of [BCKP’14]: VGB obfuscation ⇔ Strong IO


Main Results (continued)

• Generalization of Virtual Grey Box security to all cryptographic agent schemas
• Also equivalent to an “intermediate” indistinguishability-preserving security
  • s-IND-PRE security, w.r.t. a computationally unbounded, non-interactive test family
  • s-SIM ⇔ s-IND-PRE ⇔ IND-CON
  • The equivalence is not about a primitive (e.g., obfuscation), but about the security definition
  • A more modular and more general proof than [BCKP’14]
• A Composition Theorem for s-IND-PRE
  • Tricky due to the unbounded adversary
  • Possible when there is a “statistical reduction”
  • s-Reduction_12 + s-Reduction_23 ⇒ s-Reduction_13 (Strong-sampler)
• Semantic security for Graded Encoding Schemes is the same as s-IND-PRE security!
  • Application: VGB obfuscation for NC1 circuits [BCKP’14] is immediate
  • Graded encoding scheme [PST’14] + s-Reduction [BGKPS’14] ⇒ s-IND-PRE Obfuscation


s-IND-PRE

• A scheme Π is an s-IND-PRE implementation of a schema Σ if every Test ∈ Γ* which is statistically hiding w.r.t. Σ is hiding w.r.t. Π
• (Statistical) Ideal World Hiding
  • Any unbounded User who sends a poly. number of queries to B[Σ] can’t guess b
• More precisely, p-Γ*-s-IND-PRE-secure:
  • If a Test is statistically hiding with advantage at most 1/p(η) against all ideal world users making at most p(η) queries
  • then it must be hiding with advantage at most 1/η against all η-time real world users


IND-CON

• Generalizes Strong IO (SIO) of [BCKP’14]
• Recall: Test uploads a set of agents drawn from some distribution
• Concentrated distribution: the outcome of any sequence of operations in the ideal world is (w.h.p.) the same as that given by a fixed set of agents
• IND-CON: in the real world, can’t distinguish between agents drawn from two distributions concentrated around the same set of agents
• A very basic security requirement!
• A priori not clear if this is sufficiently strong to be useful


Query Strategy

• Models a sequence of operations (possibly modifying the state of the agents)
  • cf. for obfuscation, order was not important, and hence it was enough to model a single query
• A d-Query Strategy Q is a tree of depth at most d
  • Each internal node u is labeled with a query q_u
  • Each outgoing edge from u is labeled with a possible outcome of q_u
  • Each node can be labeled by the agent-sets that are consistent with the queries/answers on the path to that node
[Figure: a query-strategy tree with root q0, whose edges ans0,0 and ans0,1 lead to q1 and q2; q1 has edges ans1,0 and ans1,1, q2 has edges ans2,0 and ans2,1, and q3 is a deeper node.]


s-IND-PRE ⇒ IND-CON

• If D0, D1 are p(η)-concentrated
  ⇒ D0, D1 are (statistically) hard to distinguish by a depth-p(η) query strategy
  ⇒ it’s p(η)-ideal hiding
  ⇒ by p-Γ*-s-IND-PRE, it’s η-real hiding
[Figure: the Test picks b and uploads agents drawn from D_b, for the pair D0, D1.]


IND-CON ⇒ Γ*-s-IND-PRE

• Idea: can decompose an arbitrary distribution into a collection of concentrated distributions
• Lemma: Any distribution over agents has an efficient query strategy such that after the queries, w.h.p., we will be left with a concentrated distribution
  • i.e., most mass will be on leaves which yield concentrated distributions
• For two ideal-hiding distributions, this yields almost equal distributions over pairs of identically concentrated distributions
• Then IND-CON implies real-hiding
[Figure: the query-strategy tree from the previous slide (q0, q1, q2, q3 with edges ans0,0 … ans2,1).]


s-SIM ⇔ s-IND-PRE

• s-SIM: natural simulation-based security, but allows an unbounded simulator who can make only a polynomial number of queries
  • Allows vanishing (1/poly) simulation error
• Easier direction: s-SIM ⇒ s-IND-PRE
• s-IND-PRE ⇒ s-SIM: requires us to build a simulator
  • Idea: approximately learn what the uploaded agents are using polynomially many queries, and encode those agents
    • Such that the confusion remaining after learning is masked by the encoding
  • Define a query strategy for the simulator
    • Following the approach of [BCKP’14]
    • Simpler argument, because we only need to ensure that the confusion left corresponds to a hiding test, rather than to a pair of concentrated distributions


Simulator’s Query Strategy

• Uses unbounded computational power to compute D
• For simplicity, assume Test uploads a single agent
• Let S be the set of agents consistent with the queries so far
• Let D ⊆ S be the set of distinguishable agents P: O(P) is sufficiently distinguishable (by the given adversary) from O(R) for random R in S
• If D is not empty, IND-PRE implies an ideal distinguishing query strategy. Execute it to shrink S.
• Repeat until D is empty, and then encode a random element of S
• Poly-depth query strategy!
  • cf. In [BCKP’14], this can’t be done unless D is concentrated. A second set of queries is needed to enforce concentration (similar to the one in the proof of s-IND-PRE ⇒ IND-CON)


Thank you
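The query-strategy tree, the concentration test and the decomposition lemma used in the IND-CON ⇒ Γ*-s-IND-PRE direction (the “Query Strategy” and “IND-CON ⇒ Γ*-s-IND-PRE” slides above) can be made concrete on a toy agent family. The Python below is an example added here, not code from the paper or the talk. Everything in it is a constructed assumption: agents are truth tables over a 4-point domain (a query q returns the agent's bit at q), the strategy is built greedily by always querying the point of largest disagreement, the concentration threshold eps and depth budget are arbitrary, and the pair D0/D1 (uniform point functions versus the same plus a 1/100 chance of the all-ones agent, statistical distance 1/100) stands in for two ideal-hiding distributions.

```python
"""Toy model of query strategies over agent distributions (constructed example)."""
from fractions import Fraction

DOMAIN = range(4)  # agents are 4-bit truth tables; query(a, q) = a[q]


def query(agent, q):
    return agent[q]


def concentration(dist):
    """Fixed agent around which `dist` is best concentrated.
    Returns (center, worst_query, eps): center takes each query's majority outcome,
    eps is the largest minority mass over all queries, worst_query attains it.
    `dist` maps agent -> probability (Fraction)."""
    center, worst_q, eps = [], None, Fraction(0)
    for q in DOMAIN:
        p1 = sum(p for a, p in dist.items() if query(a, q) == 1)
        maj, minority = (1, 1 - p1) if p1 >= Fraction(1, 2) else (0, p1)
        center.append(maj)
        if minority > eps:
            worst_q, eps = q, minority
    return tuple(center), worst_q, eps


def condition(dist, q, outcome):
    """Mass of the outcome and the distribution conditioned on query q giving it."""
    mass = sum(p for a, p in dist.items() if query(a, q) == outcome)
    if mass == 0:
        return Fraction(0), {}
    return mass, {a: p / mass for a, p in dist.items() if query(a, q) == outcome}


def build_strategy(dist, eps, depth):
    """Greedy d-query strategy: a node becomes a leaf once the conditional distribution
    is eps-concentrated or the depth budget is spent; otherwise it queries the point of
    largest disagreement and branches on the outcome (edges labelled 0 / 1)."""
    _, worst_q, worst = concentration(dist)
    if worst <= eps or depth == 0:
        return {"leaf": True}
    children = {}
    for outcome in (0, 1):
        mass, cond = condition(dist, worst_q, outcome)
        if mass:
            children[outcome] = build_strategy(cond, eps, depth - 1)
    return {"leaf": False, "query": worst_q, "children": children}


def run_strategy(tree, dist, eps, path=()):
    """Push a distribution through a strategy.
    Returns {path: (mass reaching the leaf, center there, leaf is eps-concentrated)}."""
    if tree["leaf"]:
        center, _, worst = concentration(dist)
        return {path: (Fraction(1), center, worst <= eps)}
    leaves = {}
    for outcome, child in tree["children"].items():
        mass, cond = condition(dist, tree["query"], outcome)
        if mass == 0:
            continue
        sub = run_strategy(child, cond, eps, path + ((tree["query"], outcome),))
        for p, (m, c, ok) in sub.items():
            leaves[p] = (mass * m, c, ok)
    return leaves


def statistical_distance(p, q):
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in set(p) | set(q)) / 2


def point_function(i):
    return tuple(1 if j == i else 0 for j in DOMAIN)


ALL_ONES = (1, 1, 1, 1)
# Constructed pair: D0 is uniform over point functions; D1 adds a 1/100 chance of the
# all-ones agent. Their statistical distance is 1/100, so no ideal-world user, with any
# number of queries, distinguishes them with advantage above 1/100 (they are ideal hiding).
D0 = {point_function(i): Fraction(1, 4) for i in DOMAIN}
D1 = {point_function(i): Fraction(99, 400) for i in DOMAIN}
D1[ALL_ONES] = Fraction(1, 100)


def decompose_pair(d0, d1, eps=Fraction(1, 20), depth=4):
    """The lemma in action: build one strategy from the mixture, push both distributions
    through it, and report (distance between the two leaf-mass distributions,
    whether every shared leaf is concentrated around the same agent under both,
    statistical distance of the inputs). The first is never larger than the third."""
    mixture = {a: (d0.get(a, 0) + d1.get(a, 0)) / 2 for a in set(d0) | set(d1)}
    tree = build_strategy(mixture, eps, depth)
    l0, l1 = run_strategy(tree, d0, eps), run_strategy(tree, d1, eps)
    mass0 = {p: m for p, (m, _, _) in l0.items()}
    mass1 = {p: m for p, (m, _, _) in l1.items()}
    same_center = all(l0[p][1] == l1[p][1] and l0[p][2] and l1[p][2]
                      for p in set(l0) & set(l1))
    return statistical_distance(mass0, mass1), same_center, statistical_distance(d0, d1)


if __name__ == "__main__":
    print(decompose_pair(D0, D1))  # (3/400, True, 1/100)
```

The run shows the two halves of the argument on the slides: the leaf reached by answering q0 = 1 holds, under D1, the point function e_0 with probability 99/103 and the all-ones agent with 4/103, which is still 1/20-concentrated around e_0, and the per-leaf masses of D0 and D1 differ by 3/400, within the 1/100 ideal-hiding gap. IND-CON applied leaf by leaf is then what carries the hiding into the real world.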