Post on 16-Aug-2020
New Techniques for Obfuscating Conjunctions
0
James Bartusek (Princeton)TancrÚde Lepoint (SRI & )Fermi Ma (Princeton)Mark Zhandry (Princeton)
1
Motivating Scenario: Password Check Program
P ð¥ :if ð¥ = âcorrecthorsebatterystapleâ:
output 1 (accept)else:
output 0 (reject)
Light Blue
HEX 09B6C9
2
Slightly Better Solution
Pâ² ð¥ :if SHA256 ð¥ == âcbe6beb26479b568e5f15b
50217c6c83c0ee051dc4e522b9840d8e291d6aaf46â:
output 1 (accept)else:
output 0 (reject)
Compute SHA256(âcorrecthorsebatterystapleâ)= cbe6beb26479b568e5f15
b50217c6c83c0ee051dc4e522b9840d8e291d6aaf46
Light Blue
HEX 09B6C9
3
Obf(P) ð¥ :if SHA256 ð¥ == âcbe6beb26479b568e5f15b50217c6c83c0ee051dc4e522b9840d8e291d6aaf46â:
output 1 (accept)else:
output 0 (reject)
This is a simple example of program obfuscation [BGIRSVY]for point functions [Can97,CMR98,LPS04,Wee05,BP12,âŠ]
Informally, want Obf to satisfy:⢠(correctness) Obf(P)(ð¥) = P(ð¥) for
all ð¥â¢ (virtual black box) Obf(P) reveals
nothing beyond what can be learned from black box access to P
P ð¥ :if x = âcorrecthorsebatterystapleâ
output 1 (accept)else:
output 0 (reject)
Apply Obf
4
Obfuscation for General ProgramsMany candidates: [GGHRSW13,AGIS14,AB15,Zim15,LV16,Lin16,GMMSSZ16,AS16,LT17,FRS17,BGMZ18,CVW18,AJS18,LM18,Agr18,GJK18,âŠ]
Obfuscation for Specific Functionalities⢠Point Functions
[Can97,CMR98,LPS04,Wee05,CD08,DKL09,GKPV10,BP12,âŠ]
⢠Compute-and-Compare Programs [GKW17,WZ17]
⢠Hamming Balls [DS05]
⢠Hyperplane Membership [CRV09]
⢠Conjunctions [BVWW16,GKW17,WZ17,âŠ]
We study conjunctions, but techniques apply to hamming balls, affine spaces, etc.
Focus of this work: simple techniques to obfuscate specific functionalities.
5
ððð¡ = 1*10*(match) 11100
(mismatch) 10001(match) 10101
(mismatch) 01111
ð9:; ð¥ :if ð¥ matches ððð¡ output 1else output 0
bitstring ð¥ matches ððð¡ if it equals ððð¡ except on *
Obfuscation for Conjunctions(âpattern-matching with wildcardsâ)
6
ððð¡ = 1*10*(match) 11100
(mismatch) 10001(match) 10101
(mismatch) 01111
ð9:; ð¥ :if ð¥ matches ððð¡ output 1else output 0
bitstring ð¥ matches ððð¡ if it equals ððð¡ except on *
Obfuscation for Conjunctions(âpattern-matching with wildcardsâ)
Our work: Allow evaluation of ðððð¡
without leaking anything about ððð¡
7
ððð¡ = 1*10*(match) 11100
(mismatch) 10001(match) 10101
(mismatch) 01111
ð9:; ð¥ :if ð¥ matches ððð¡ output 1else output 0
bitstring ð¥ matches ððð¡ if it equals ððð¡ except on *
Our work: Allow evaluation of ðððð¡
without leaking anything about ððð¡
When is this goal feasible? A: ððð¡ must be drawn from a
distribution where accepting inputs to ð9:; are hard to find [BBCKPS13]
Obfuscation for Conjunctions(âpattern-matching with wildcardsâ)
8
Assumption or Model
[BR13] Multilinear Maps
[BVWW16] Entropic Ring LWE
[GKW17],[WZ17] LWE
[BKMPRS18] Generic Group Model
Prior Conjunction Obfuscators
Our starting point: the [BKMPRS18] construction
9
Assumption or Model
Security holds whenpattern is sampled from:
[BKMPRS18] Generic Group Model ð=[ðð], where ð < 0.774
Construction 1 Generic Group Model* ð=[ð â ð log ð ]
Construction 2 Learning Parity with Noise ð=[ðð] where ð < 1
Construction 3(see paper)
Information theoretic* ð=[ðK] where 0 †ð < 1
Our Results: Three Constructions
ð=[ð€] denotes uniform dist over length ð patterns with ð€ wildcards
*can be extended beyond uniform distributions (see also [BeuWee19])
10
1. Encoding Conjunctions as Inner Products2. A Group-Based Construction3. Security from LPN/RLC
Talk Outline
11
What Does âSimpleâ Mean?
Obfuscation: On input ððð¡ â {0,1,â} =Output vector ð9:; over ðœ9
12
What Does âSimpleâ Mean?
Obfuscation: On input ððð¡ â {0,1,â} =Output vector ð9:; over ðœ9
Evaluation: On input ð¥ â {0,1} =Write down vector ðWAccept if ðW
X ð9:; = 0
Encoding Conjunctions as Inner Products
âObfuscationâ:ð = 3
ððð¡ = *01
Structure of ðtaken from [BKMPRS18]
Accept!
ð =
00ð\00ð]
*
0
1
ððð¡
13
ð is a uniformly random value in ðœ9
Encoding Conjunctions as Inner Products
âObfuscationâ:ð = 3
ððð¡ = *01
Structure of ðtaken from [BKMPRS18]
ðð» â ð = 0 $ 0 $ $ 0
00ð\00ð]
= 0
ð¥ = 0 0 1
Evaluation: ð¥ = 001
Accept!
(Accepting input)
ð =
00ð\00ð]
*
0
1
ððð¡
14
ð is a uniformly random value in ðœ9
$ denotes arbitrary non-zero value in ðœ9
Encoding Conjunctions as Inner Products
âObfuscationâ:ð = 3
ððð¡ = *01
Structure of ðtaken from [BKMPRS18]
ðð» â ð = 0 $ 0 $ $ 0
00ð\00ð]
= 0
ð¥ = 0 0 1*
0
1
ððð¡Evaluation: ð¥ = 001
Accept!
(Accepting input)
ð =
00ð\00ð]
*
0
1
ððð¡
15
$ denotes arbitrary non-zero value in ðœ9
ð is a uniformly random value in ðœ9
Encoding Conjunctions as Inner Products
ð =
00ð\00ð]
*
0
1
ððð¡
âObfuscationâ:ð = 3
ððð¡ = *01
Structure of ðtaken from [BKMPRS18]
ðð» â ð = 0 $ $ 0 $ 0
00ð\00ð]
= $ð\
ð¥ = 0 1 1*
0
1
ððð¡Evaluation: ð¥ = 011
Reject!
(Rejecting input)
16
$ denotes arbitrary non-zero value in ðœ9
ð is a uniformly random value in ðœ9
17
1. Encoding Conjunctions as Inner Products2. A Group-Based Construction3. Security from LPN/RLC
Talk Outline
18
How can we make this construction secure?
Idea: Avoid giving out ð in the clear, but still allow user to
compute ðð» â ð for any ð that encodes an input ð¥ ðð» â ð = 0 $ 0 $ $ 0
00ð\00ð]
= 0
ð =
00ð\00ð]
*
0
1
ððð¡
âObfuscationâ:ð = 3
ððð¡ = *01
ð¥ = 0 0 1*
0
1
ððð¡Evaluation: ð¥ = 001
2ð
ðð»ð© = 0 $ 0 $ $ 0
19
Slightly Better Construction
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00ð\00ð]
ð©
2ð*
0
1
ððð¡
ð
Obfuscation:1) Encode ððð¡ in ð2) Give out ð© i ð â ðœ9=j\ where
ð© is a public ð + 1 Ã(2ð)matrix satisfying Property 1.
Property 1: Any ð + 1 à ð + 1submatrix of ð© is full rank over ðœ9
(ex: Vandermonde)
ð + 1
Evaluation:On input ð¥ = 001 pick ð â ðœ9=j\ so that
encodes ð¥
(i.e. solve for ð to make these ð entries of ðð»ð© equal 0)
Accept if ðð»ð©ð = ð
ð¥ = 0 0 1
Why does ð© help security?
20
Property 1: Any ð + 1 à ð + 1submatrix of ð© is full rank over ðœ9
(ex: Vandermonde)
Why does ð© help security?
Informal Lemma 1 (No Linear Attacks): If ððð¡ is drawn with enough entropy, then for any ð â ðœ9=j\, ðð»ð©ð is a uniformly random scalar.
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00ð\00ð]
ð©
2ð*
0
1
ððð¡
ððð»
(ð\ ð] ðg ðh)ð + 1
21
Informal Lemma 1 (No Linear Attacks): If ððð¡ is drawn with enough entropy, then for any ð â ðœ9=j\, ðð»ð©ð is a uniformly random scalar.
ðð»ð©ð ðð»ð©ð ðð»ð©ð ðð»ð©ð ðð»ð©ð ðð»ð©ð
00ð\00ð]
2ð
ððð»ð©
(ð©ð denotes ðth column of ð©)*
0
1
ððð¡
1) At most ð out of 2ð entries of ðð»ð©can be 0 (Property 1).
2) If ððð¡ has enough entropy, then with overwhelming probability one of the ð non-zero entries of ðð»ð© will coincide with a non-zero entries in ð.
3) If so, (ðð»ð©)ð will be a random scalar.
Property 1: Any ð + 1 à ð + 1submatrix of ð© is full rank over ðœ9
(ex: Vandermonde)
Why does ð© help security?
22
Group-Based* ConstructionObfuscation: Encode ððð¡ as ð, compute
ð©ð and output:
ðð©ð = ð ð©ð x, ð ð©ð y, ⊠. , ð ð©ð {|x
(same evaluation procedure works in exponent)
*Idea due to [BKMPRS18]: this construction can be viewed as âdualâ to their construction.**Can be extended to more general distributions (see our paper and [BeuWee19])
Theorem: Generic Group adversary [Nac94,Sho97] cannot distinguish ðð©ð from ð + 1random group elements if ððð¡ is uniformly random** with ð â ð(log ð) wildcards.
Proof: generic adversaries limited to linear attacks
Informal Lemma 1 (No Linear Attacks): If ððð¡ is drawn with enough entropy, then for any ð â ðœ9=j\, ðð»ð©ð is a uniformly random scalar.
23
1. Encoding Conjunctions as Inner Products2. A Group-Based Construction3. Security from LPN/RLC
Talk Outline
Step 1: Sample a length 2ð vector ð:
If ððð¡^ = â, ð]^~\ð]^ = 0
0
If ððð¡^ = 0, ð]^~\ð]^ = ð
0 for ð â ðœ9
If ððð¡^ = 1, ð]^~\ð]^ = 0
ð for ð â ðœ9
24
Step 2: Define ð© â ðœ9=j\ Ã]= whose
ð, ð th entry is:ð©^,ï¿œ = ð^
Compute the vector ð©ð â ðœ9=j\
Obfuscation: ðð©ð
ð£\ð£]ð£gð£h
=
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00ð\00ð]
ð©ð
ð*
0
1
Group-Based Construction
(ð© is a fixed public matrix)
Step 1: Sample a length 2ð vector ð:
If ððð¡^ = â, ð]^~\ð]^ = 0
0
If ððð¡^ = 0, ð]^~\ð]^ = ð
0 for ð â ðœ9
If ððð¡^ = 1, ð]^~\ð]^ = 0
ð for ð â ðœ9
25
Step 2: Define ð© â ðœ9=j\ Ã]= whose
ð, ð th entry is:ð©^,ï¿œ = ð^
Compute the vector ð©ð â ðœ9=j\
Obfuscation: ð©ð?
ð£\ð£]ð£gð£h
=
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00ð\00ð]
ð©ð
ð*
0
1
Group-Based Construction
(ð© is a fixed public matrix)
Step 1: Sample a length 2ð vector ð:
If ððð¡^ = â, ð]^~\ð]^ = 0
0
If ððð¡^ = 0, ð]^~\ð]^ = ð
0 for ð â ðœ9
If ððð¡^ = 1, ð]^~\ð]^ = 0
ð for ð â ðœ9
26
Obfuscation: ð©,ð©ð
ð£\ð£]ð£gð£h
=
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00ð\00ð]
ð©ð
ð*
0
1
New Construction
Step 2: Sample a uniformly random matrix ð© â ðœ9
=j\ Ã]=.
Compute the vector ð©ð â ðœ9=j\
random ð©
Idea: Randomize ð©!
Why would this be secure?
27
Learning Parity with Noise Assumption over ðœ9(Random Linear Codes Assumption)
ðâ² âï¿œðŽ +,
Standard LPNset each entry⢠0 w/ prob 1 â ðŒâ¢ ð^ï¿œ â ðœ9 w/ prob ðŒ
uniform
ð ðŽð
ðK
uniform
ð¢,ðŽuniform
uniformuniform
28
âï¿œðŽ +,uniform
ð ðŽð
ðK
uniform
ð¢,ðŽuniform
uniformuniform
Exact LPN [JKPT12]set exactly ðŒð entries non-zero(polynomially equivalent)
ðâ²
Learning Parity with Noise Assumption over ðœ9(Random Linear Codes Assumption)
Standard LPNset each entry⢠0 w/ prob 1 â ðŒâ¢ ð^ï¿œ â ðœ9 w/ prob ðŒ
29
âï¿œðŽ +,uniform
ð ðŽð
ðK
uniform
ð¢,ðŽuniform
uniformuniform
Exact LPN [JKPT12]set exactly ðŒð entries non-zero(polynomially equivalent)
Last modification: switch to âdualâ
ðâ²
Learning Parity with Noise Assumption over ðœ9(Random Linear Codes Assumption)
Standard LPNset each entry⢠0 w/ prob 1 â ðŒâ¢ ð^ï¿œ â ðœ9 w/ prob ðŒ
30
ðŽ
ðK
ð»ð
Compute ð¯ with full row-rank such that:
ð â ðK = ð
Last modification: switch to âdualâ
31
ðŽ +uniform
ð
ðK
ð»ð
ð â ðK
ðŽ
ðK
ð»ð
Compute ð¯ with full row-rank such that:
ð â ðK = ðObserve
= ð»
Last modification: switch to âdualâ
ðâ² ðâ²
32
(Dual) Exact LPN Assumption(polynomially equivalent to LPN)
âï¿œð»,uniform
ð»ðâ ðKð
uniformð¢,ð»
uniform
uniformexactly ðŒð non-zero values
Notice ð¯,ð¯ðâ² looks like the obfuscation ð©,ð©ð
ðâ²
33
ð£\ð£]ð£gð£h
=
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00ð\00ð]
ð©ð
ð*
0
1
random ð©ð£\ð£]âŠ
ð£=~=ï¿œ=
1 2 3 41] 2] 3] 4]1g 2g 3g 4g1h 2h 3h 4h
ð\0ð]ðg0
ðâ²ð
randomð¯
ð¯
Dual Exact LPN Assumption: (ð¯,ð¯ðâ²) looks random
Obfuscation
ð© is ð + 1 à 2ð⢠Sample random ð© over ðœ9⢠Sample ð as uniformly random 2ð
dimensional vector with exactly ðŒðnon-zero entries, conditioned on each pair of positions 2i â 1, 2i having at least one 0 entry.
ð¯ is (ð â ðK) à ð⢠Sample randomð¯ over ðœ9⢠Sample ðâ² as uniformly random ð
dimensional vector with exactly ðŒðnon-zero entries.
random length ð pattern, 1 â ðŒ ð wildcards
LPN for poly samples, field ðœ9constant noise ðŒ, [JKPT12] âexactâ error
(Dual) Exact LPN
34
uniformly random 2ð-dimensional vector with exactly ðŒð non-zero entries conditioned on each pair of positions 2i â 1, 2i having at least one 0 entry.
uniformly random ð-dimensional vector with exactly ðŒð non-zero entries.
âunstructured errorââstructured errorâ
00
0
0
ð\
0
ð]ðg0
0
ð\ï¿œ0ð]ï¿œðgï¿œ0ðâ²
ð
(Dual) Exact LPN Obfuscation
This distribution arises if ððð¡ is uniformly random with 1 â ðŒ ð wildcards.
Theorem: Assuming LPN over ðœ9 (noise rate ðŒ), obfuscation ð©,ð©ð looks uniformly random if ððð¡ is uniformly at random with 1 â ðŒ ð wildcards, for 0 < ðŒ < 1.
36
ð¢ âï¿œð»ð
ð â ðK ð» ð»ðâ²,,
ðµWant to show:
2ð
ðµ ð¢ð + 1 ðµðâï¿œ
(Dual) Exact LPN:
, ,
ðâ² unstructured error
ð structured error
uniform
uniform
uniform
uniform uniform
uniform
Theorem: Assuming LPN over ðœ9 (noise rate ðŒ), obfuscation ð©,ð©ð looks uniformly random if ððð¡ is uniformly at random with 1 â ðŒ ð wildcards, for 0 < ðŒ < 1.
37
ð»\ ð»] ð»g ð»h ð»ï¿œ
ð
ð â ðK
Easy Step: Sample ð random columns ð\,âŠð=. Replace ð¯ with ð² where each pair of indices (2ð â 1,2ð) is either ð»^, ð^ or ð^, ð»^ (pick randomly).
ð»\ ð\ ð] ð»] ðg ð»g ð»h ðh ðï¿œ ð»ï¿œ
2ð
ð â ðK
ðŸð»
Claim: ð¯ðâ² = ð²ð where ðâ² is unstructured error and ð is structured error.
ð¢orð»ðâ², ð¢
orð»ðâ², ð¢
orðŸð
=
38
ð»\ ð»] ð»g ð»h ð»ï¿œ ð»\ ð\ ð] ð»] ðg ð»g ð»h ðh ðï¿œ ð»ï¿œ
00
0
0
ð\ï¿œ
0
ð]ï¿œ
ðgï¿œ
0
0
ð unstructured errornon-zero entries in ðŒð randomly chosen positions
ð structured errornon-zero entries in ðŒð randomly chosen positions, each pairhas at least one 0
ð
ð â ðK
2ðð\ï¿œ0ð]ï¿œðgï¿œ0
=ðŸð»
2ðð
Claim: ð¯ðâ² = ð²ð where ðâ² is unstructured error and ð is structured error.
ðâ²ð
ð»\ ð\ ð] ð»] ðg ð»g ð»h ðh ðï¿œ ð»ï¿œ
39
ð¢ âï¿œð»ð
ð â ðK ð» ð»ðâ²,,(Dual) Exact LPN: ðâ² unstructured erroruniform
uniform uniformLPN gives us ð â ðKrows âfor freeâ
ð¢ âï¿œ ðŸð,,ð structured erroruniform
ð»\ ð\ ð] ð»] ðg ð»g ð»h ðh ðï¿œ ð»ï¿œð â ðK
2ð
ðŸðŸ
40
ð¢ âï¿œð»ð
ð â ðK ð» ,,uniform
uniform uniform
ð¢ âï¿œ ,,uniform
ð â ðK
We need ð + 1 rows for the obfuscation construction.
Need ðK + 1 additional rows Need ðK + 1 additional rowsðK + 1
ð»ðâ²
ðâ² unstructured error
ðŸð
ð structured error2ð
uniform uniformðŸ ðŸ
(Dual) Exact LPN:
LPN gives us ð â ðKrows âfor freeâ
41
ð¢ âï¿œ ðŸð,,uniform
ð â ðK
2ð
ðK + 1
uniform uniformðŸ ðŸð ðð¢â ?
Issue: If we sample additional rows ð uniformly at random, we canât fill in ðð without ð.
ð structured error
42
Observation: We know ðŸ^ð for any row ðŸ^ of ðŸ.
So we can use random linear combinations of rows of ðŸ.
ð¢ âï¿œ ðŸð,,ð structured erroruniform
ð â ðK
2ð
uniform uniformðŸ ðŸ
43
ð¢ âï¿œ ,,uniform
ð â ðK
2ð
ðK + 1
uniform uniform
ð ðK + 1ð â ðK
Sample randommatrix ð :
ð ðŸ ð ðŸð ð¢
So are we done?
Observation: We know ðŸ^ð for any row ðŸ^ of ðŸ.
So we can use random linear combinations of rows of ðŸ.
ðŸð
ð structured error
ðŸ ðŸð ðŸð
44
ð¢ âï¿œ ,,uniform
ð â ðK
2ð
ðK + 1
uniform uniformðŸ ðŸ
ð ðK + 1ð â ðK
Sample randommatrix ð :
ð ðŸ ð ðŸð ð¢ ð ðŸð
Observation: We know ðŸ^ð for any row ðŸ^ of ðŸ.
So we can use random linear combinations of rows of ðŸ.
ðŸð
ð structured error
The matrix isnât random!(rank is at most ð â ðK)
45
One last idea: we know half the
entries of ð since we implicitly
âinsertedâ ð zeros.
ð¢ âï¿œ ,,uniform
ð â ðK
2ð
ðK + 1
uniform uniform
ð ðŸ ð ðŸð ð¢
ðŸð
ð structured error
ðŸ ðŸð ðŸð
46
One last idea: we know half the
entries of ð since we implicitly
âinsertedâ ð zeros.
ð¢ âï¿œ ,,uniform
ð â ðK
2ð
ðK + 1
uniform uniformð ð¢
ðŸð
ð structured error
Sample matrix ð with ð uniformly random non-zero columns coinciding with ð known zero entries of ð. (i.e. ðð = 0)
2ððK + 1 = ð
all 0âs column uniformly random columns
ð ðŸ + ð ð ðŸ + ððŸ ðŸ
ð ðŸð
47
ð â ðK
2ð
ðK + 1
uniform ðŸð ðŸ + ð
ðµâï¿œ
ð+ 1
2ð
uniform
???
Does(ðŸ, ð ðŸ + ð)
look uniformly random?
48
ð â ðK
2ð
ðK + 1
uniform ðŸð ðŸ + ð
ðµâï¿œ
ð+ 1
2ð
uniform
???
Heuristic Argument: Entropy Countingð¯ï¿œ ðŸ +ð¯ï¿œ ð +ð¯ï¿œ(ð)= ðï¿œ # entries in ðŸ + ðï¿œ # entries in ð
+ ðï¿œ # nonzero entries in ð + ð= ð¯ï¿œ ðµ â ð]Kjï¿œ + ðIf 2ð + ð¿ < 1, LHL yields (ðŸ, ð ðŸ + ð)statistically close to uniform.
ð ðK + 1
ð â ðK
2ð
ðK + 1 ð
Does(ðŸ, ð ðŸ + ð)
look uniformly random?
ð â ðK
2ð
ðŸ
all 0âs
uniform
uniform
uniform
matrices over ðœï¿œ, log ð = ðï¿œ
49
ðµðµ ð¢ ðµðâï¿œ, ,
uniform
uniform uniform
âï¿œ
ð+ 1
2ð
ð¢ âï¿œ ,,uniform
ð â ðK
2ð
ðK + 1
uniform uniformð ð¢
ðŸð
ð structured error
ð structured error
ð ðŸ + ð ð ðŸ + ððŸ ðŸ
ð ðŸð
Another Perspective: Structured Error LPN
For what â is (ðµ, ðµð) pseudorandom?
⢠Pseudorandom if â = ð â ðK, ð < 1 (perfectly equivalent to Exact LPN)
⢠[This work] Pseudorandom if â = ð + ð¡, ðŸ < 1/2 (statistically equivalent to Exact LPN)
⢠[AroraGe12] Can solve for ð if â = 2ð â ðï¿œ, ð¿ < 1/250
ðµ ðµð,uniform
2ð ð structured error
â
Another Perspective: Structured Error LPN
For what â is (ðµ, ðµð) pseudorandom?
⢠Pseudorandom if â = ð â ðK, ð < 1 (perfectly equivalent to Exact LPN)
⢠[This work] Pseudorandom if â = ð + ð¡, ðŸ < 1/2 (statistically equivalent to Exact LPN)
⢠[AroraGe12] Can solve for ð if â = 2ð â ðï¿œ, ð¿ < 1/251
ðµ ðµð,uniform
2ð ð structured error
â
52
Conclusion⢠In the GGM: obfuscate conjunctions by encoding in a vector
and multiplying by a structured matrix.⢠If we multiply by a random matrix, we can avoid groups and
rely on LPN.
In the paper:
⢠An information theoretic conjunction obfuscator consisting of a sequence of matrices; evaluation is done by taking asubset-sum of matrices and computing the determinant.
Thank You!ePrint: ia.cr/2018/936slides: cs.princeton.edu/~fermim/talks/crypto-day.pdf