Protecting Obfuscation against Algebraic Attacks

The goal of general-purpose program obfuscation is to make an arbitrary computer program “unintelligible” while preserving its functionality. At least as far back as the work of Diffie and Hellman in 1976, researchers have contemplated applications of general-purpose obfuscation. However, until 2013, even heuristic constructions for general-purpose obfuscation were not known. This changed with the work of Garg, Gentry, Halevi, Raykova, Sahai, and Waters (FOCS 2013), which gave the first candidate construction of general-purpose obfuscation. The heart of their construction is an obfuscator for log-depth (NC) circuits, building upon a simplified subset of the Approximate Multilinear Maps framework of Garg, Gentry, and Halevi (Eurocrypt 2013) that they call Multilinear Jigsaw Puzzles. Given the importance of general-purpose obfuscation, it is imperative that we gain as much confidence as possible in candidates for general-purpose obfuscation. In this work, we focus on the following question: Do there exist algebraic attacks (a.k.a. generic multilinear attacks) against candidate constructions of general-purpose obfuscation? Indeed, Garg et al. posed the problem of proving that there exist no generic multilinear attacks against their core NC scheme as a major open problem in their work. Solving this problem will give us essential evidence that mathematical approaches to general purpose obfuscation introduced by Garg et al. are sound. This problem was first addressed in the recent work of Brakerski and Rothblum (eprint 2013), who constructed a variant of the Garg et al. candidate obfuscator, and proved that it achieves the strongest definition of security for general-purpose obfuscation — Virtual Black Box (VBB) security — against all generic multilinear attacks, albeit under an unproven assumption they introduce as the Bounded Speedup Hypothesis, which strengthens the Exponential Time Hypothesis. In this work, we resolve the open problem of Garg et al. completely, by removing the need for this additional assumption. More specifically, we describe a different (and arguably simpler) variant of the construction of Garg et al., for which we can prove that it achieves Virtual Black Box security against all generic multilinear attacks, with no further assumptions. ∗Department of Computer Science, UCLA. Work done in part while visiting Microsoft Research, New England. Research supported in part from a DARPA/ONR PROCEED award, NSF grants 1228984, 1136174, 1118096, and 1065276, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. This material is based upon work supported by the Defense Advanced Research Projects Agency through the U.S. Office of Naval Research under Contract N00014-11-1-0389. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government.