Ocupación de las madres y resultados de los hijos

We define a number of special classes of samplers by imposing structural restrictions on their internal operation.

Stateless. The sampler does not keep any internal state and uses independent set of coins on each invocation. All samplers will be stateless in this work unless stated otherwise.

(t, s)-bounded. For polynomials t and s, with overwhelming probability _|C0| = |C1| ≤

Circuits-only. The sampler outputs no messages with overwhelming probability, i.e. it is (_{·, 0)-bounded.}

One-sided. C0 = C1 and m0 = m1 with overwhelming probability. In this case we will

simply write (C, m, z) _←$ S(1λ, st) for the sampling operation. Note that every

one-sided sampler is trivially unpredictable.

Input-independent. For any 1λ _{and st, S(1}λ_{, st) =S(1}λ_{, ε) with overwhelming proba-}

bility.

Aux-free. With overwhelming probability z = ε.

Simple. If the sampler is both aux-free and input-independent.

Random-aux. For a polynomial poly and a ppt algorithm_S0 the sampler takes the form S(1λ_{, st) : z ←}

$ {0, 1}poly(λ);

(C0, C1, m0, m1)←$ S0(1λ, z, st);

return (C0, C1, m0, m1, z) .

Differing-inputs. With overwhelming probability z contains the sampler’s output cir- cuits (C0, C1). Note that statistical unpredictability would imply that the sampled

circuits are functionally equivalent, whereas computational unpredictability would lead to a notion of differing-inputs samplers used to formulate differing-inputs ob- fuscation [ABG+_{13, BST14].}

Block-source. A t-block-source is a random variable X = (X1, . . . , Xt) where for every

j _{∈ [t] and x}1, . . . , xj−1 it holds that Xj|X1=x1,...,Xj−1=xj−1 has high min-entropy.

There is therefore sufficient decorrelation between different components in such a distribution. We can model block sources in our framework by restricting attention to ppt samplers that take the form

S(1λ_{, st) : (C}

0, C1) ←$ S0(1λ, st);

j _←$ [t];

return ((C0[j], C1[j]), (C0[1..(j− 1)], C1[1..(j− 1)]))

where_S0 is a (t, 0)-bounded sampler. The rationale here is that any indistinguisha- bility-based security definition that imposes an adversary to output two block

sources, and later on distinguish some computation performed on the sampled val- ues, e.g. [BRS13a], would remain the same if a sampler such as the one above was used instead (note that in this case, the adversary can only have an advan- tage when outputting distributions that component-wise differ with non-negligible probability).

Functionally-differing. _{S is a (t, ·)-bounded sampler and, with overwhelming proba-} bility over its random coins, _{∀j ∈ [t], ∃x s.t. C}0[j](x)6= C1[j](x).

Chapter 4

Obfuscators

The results described in this section have been published in [ABF16].

An obfuscator is an efficient compiler that takes as input a circuit description and out- puts the description of another circuit with the same functionality that is of similar size, but yet is unintelligible. In recent years, program obfuscation as found tremendous applications in cryptography, ranging from functional encryption [GGH+_{13] to deniable}

encryption [SW14] to multi-party computation [GGHR14]. Several of the constructions we propose later in this thesis rely on obfuscation, so we take the time go over def- initions and revisit concrete obfuscators for the classes of functions comprising point functions and hyperplane membership testing functions. We generalize distributionally- indistinguishable (DI) obfuscators [BC14] from point functions to general circuits, show that DI is a weakening of composable virtual grey-box (CVGB) [BC14, BCKP14], and construct a DI obfuscator for hyperplane membership testing functions.

Syntax. An obfuscator for a circuit family CSp is a uniform ppt algorithm Obf that on input the security parameter 1λ _{and the description of a circuit C ∈ CSp}

λ outputs the

description of another circuit C. We require any obfuscator to satisfy the following two requirements.

Functionality preservation : For any λ ∈ N, any C ∈ CSpλ and any m ∈ MSpλ,

with overwhelming probability over the choice of C _←$ Obf(1λ, C) we have that

Polynomial slowdown : There is a polynomial poly such that for any λ ∈ N, any C_{∈ CSpλ} and any C_←$ Obf(1λ, C) we have that |C| ≤ poly(|C|).

Security definitions for obfuscators can be divided into indistinguishability-based and simulation-based notions. Perhaps the most natural notion is the virtual black-box (VBB) property [BGI+_{01], which requires that whatever can be computed from an obfuscated}

circuit can be also simulated using oracle access to the circuit. Here, we consider a weakening of this notion, known as virtual grey-box (VGB) security [BC14, BCKP14] that follows the VBB approach, but allows simulators to run in unbounded time, as long as they make polynomially many queries to their oracles; we call such simulators semi- bounded. Below we present a self-composable strengthening of this notion where the VGB property is required to hold in the presence of multiple obfuscated circuits.

In the context of security definitions for obfuscators, we consider samplers that do not output any messages. Furthermore, we call a sampler one-sided if its sampled circuits are identical on left and right with probability 1.

4.1

Indistinguishability obfuscation

This property requires that given any two functionally equivalent circuits C0 and C1 of

equal size, the obfuscations of C0 and C1 should be computationally indistinguishable.

More precisely, for any ppt adversary _{A and for any sampler S that outputs two circuits} C0, C1 ∈ CSpλ such that C0(m) = C1(m) for all inputs m and |C0| = |C1|, we have that

Advio_Obf,S,A(λ) := 2_{· Pr[iO}S,A_Obf(1λ)]_{− 1 ∈ Negl,} where game iOS,A_Obf(λ) is defined in Figure 4.1.

iOS,AObf(1 λ_): (C0, C1, z)←$S(1λ) b_←$ {0, 1} C_←$Obf(1λ, C_b) b0 _←$A1(1λ, C0, C1, z, C) return (b = b0₎

Figure 4.1: Game defining iO security of an obfuscator Obf.