1. Implementing BP-Obfuscation Using Graph-Induced Encoding 2017 CCS Implementation Lattices Obfuscation
    Shai Halevi, Tzipora Halevi, Victor Shoup and Noah Stephens-Davidowitz
    [View PDF on acmccs.github.io]
    [Show BibTex Citation]

    @inproceedings{10.1145/3133956.3133976,
    author = {Halevi, Shai and Halevi, Tzipora and Shoup, Victor and Stephens-Davidowitz, Noah},
    title = {Implementing BP-Obfuscation Using Graph-Induced Encoding},
    year = {2017},
    isbn = {9781450349468},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    url = {https://doi.org/10.1145/3133956.3133976},
    doi = {10.1145/3133956.3133976},
    booktitle = {Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security},
    pages = {783–798},
    numpages = {16},
    keywords = {trapdoor lattice sampling, implementation, obfuscation, multilinear maps},
    location = {Dallas, Texas, USA},
    series = {CCS ’17}
    }

We implemented (a simplified version of) the branching-program obfuscator due to Gentry et al. (GGH15), which is itself a variation of the first obfuscation candidate by Garg et al. (GGHRSW13). To keep within the realm of feasibility, we had to give up on some aspects of the construction, specifically the “multiplicative bundling” factors that protect against mixed-input attacks. Hence our implementation can only support read-once branching programs.

To be able to handle anything more than just toy problems, we developed a host of algorithmic and code-level optimizations. These include new variants of discrete Gaussian sampler and lattice trapdoor sampler, efficient matrix-manipulation routines, and many tradeoffs. We expect that these optimizations will find other uses in lattice-based cryptography beyond just obfuscation.

Our implementation is the first obfuscation attempt using the GGH15 graded encoding scheme, offering performance advantages over other graded encoding methods when obfuscating finite-state machines with many states. In out most demanding setting, we were able to obfuscate programs with input length of 20 nibbles (80 bits) and over 100 states, which seems out of reach for prior implementations. Although further optimizations are surely possible, we do not expect any implementation of current schemes to be able to handle much larger parameters.

  1.