garg.pptx

Indistinguishability

Obfuscation

and Applications

Sanjam Garg

IBM T. J. Watson

Outline

2

•

Part I : What is Obfuscation? What

is it useful for?

•

Part II: How do we construct

Software Obfuscation

O

(P)

P

• _{Obfuscation aims to make computer programs}

“unintelligible” while preserving their functionality.

Protecting intellectual

property via Obfuscation

O

Patching Software Securely

via Obfuscation

Contemporary Obfuscation:

Security-via-Obscurity

#include <stdio.h>

int l;int main(int o,char **O, int I){char c,*D=O[1];if(o>0){ for(l=0;D[l ];D[l ++]-=10){D [l++]-=120;D[l]-= 110;while (!main(0,O,l))D[l] += 20; putchar((D[l]+1032) /20 ) ;}putchar(10);}else{ c=o+ (D[I]+82)%10-(I>l/2)* (D[I-l+I]+72)/10-9;D[I]+=I<0?0 :!(o=main(c/10,O,I-1))*((c+999 )%10-(D[I]+92)%10);}return o;}

• _{Relies on Human ingenuity}

Crypto Obfuscator

Make the task of reverse engineering time-consuming,

• Under complex and new but still very

reasonable computational assumption

• Huge leap: Known obfuscation solutions work for simple families of functions such as point function [C97….]

• _{Even no heuristic!}

Our results

Multilinear Maps

[GGH13]

Obfuscation for all circuits [GGHRSW13]

Functional Encryption

[Sha84,SW06, …,O’Neil10,BSW11,…]

PK MSK

𝑓 _{1 𝑓 2}

𝐸𝑛𝑐(𝑥)

SK’ SK

Key Authority

Prior Work: Limited function such as inner product [KSW08,..] were known to be realizable or were limited to single-key[SS10, AGVW12...]

𝑓 ₁(𝑥) 𝑓 ₂( 𝑥)

We [GGHRSW13] can do it for all circuits.

Witness Encryption

[TW87, Rudich89, … , CS02, CCKV08, GOVW12, … GGSW13]

Application 2

Encrypter

Soundness:

Statement is false Semantic Security

Multiparty Secure Computation [GMW87]

with Minimal-Communication

$

7

$

5

$

3

$

4

$

1

h

𝐻𝑖𝑔 𝑒𝑠𝑡 𝐵𝑖𝑑𝑑𝑒𝑟 ?

Obfuscation [GGHR14] based protocol has

optimal

• _{round complexity}

Many other applications of

Obfuscation

• _{Multi-input Functional Encryption [GGJS13]}

• Functional Encryption for Randomized Functions [GJKS13] • _{Multiparty Key Exchange [BZ13]}

• _{Removing random oracles [HSW13]}

• _{Separation results for circular security [KRW13,MO13]} • _{Functional Witness Encryption [BCP13]}

• _{Impossibility Results [BCPR13a,BP13,GK13,BCPR13b]} • _{Deniable Encryption [SW13]}

• Broadcast Encryption and Traitor Tracing [BZ13,ABGSZ13] • _{Extension to Turing Machines [BCP13, ABGSZ13]}

Part II:

Obfuscation – Formal Notions

[BGIRSVY01]

• _{Produce as output another program} • _{computes the same function as}

• _{at most polynomially larger than} • _{is “unintelligible”}

• Multiple notions

• ``virtual black-box’’ notion:

• cannot do much more with than running it on various inputs

• _{functions for which VBB obfuscation is impossible}

𝐶

𝑂

𝑂

(

𝐶

)

𝐴

(

𝑂

(

𝐶

)

)

∼

𝑆

(

1

)

Indistinguishability Obfuscation

[B+01]

• Def: If compute the same function (and ) then

• Indistinguishable even if you know

• Note: Inefficient iO is always possible

• = lexicographically 1st _{circuit computing}

the same function as

(canonical form)

Witness Encryption from

Indistinguishability

Witness Encryption: Recall

[TW87, Rudich89, … , CS02, CCKV08, GOVW12, … GGSW13]

Application 2

Encrypter

Soundness:

Statement is false Semantic Security

Witness Encryption from

Indistinguishability

Obfuscation?

Encrypter

𝑐

=

𝑖𝑂

(

𝐶

)

Statement :

𝑚

Roadmap for the

Construction

1. iO for “shallow circuits” (NC1₎

• _{Using multilinear maps}

• _{Security under a new complex assumption}

2. Bootstrap to get iO for all circuits

• _{Using homomorphic encryption with NC}1

decryption

• _{Very simple and provable transformation}

F Homomorphic

Encryption F

x

+ F(x)

Encrypted-result + eval transcript

NC1 _Circuit If describes homomorphic

evaluation that takes x,F to , then use sk to decrypt

F(x)

CondDec

NC

Obfuscation



P

x

+ F(x)

Encrypted-result + eval transcript

@P=split//,".URRUU\

c8R";@d=split//,"\nrekcah xinU / lreP rehtona

tsuJ";sub p{ @p{"r$p“…

F(x)

Obfuscate only this part

NC1 _Circuit

Output of P obfuscator

F Homomorphic

Encryption F

CondDec

• _{We have iO, not “perfect” obfuscation}

NC

Obfuscation



P

Obfuscation

x

+ F(x)

Encrypted-result + eval transcript

@P=split//,".URRUU\

c8R";@d=split//,"\nrekcah xinU / lreP rehtona

tsuJ";sub p{ @p{"r$p“…

F(x)

Obfuscate only this part

NC1 _Circuit

Output of P obfuscator

F Homomorphic

Encryption F

CondDec

F _F(x)

CondDec_{F, F, SK}(· ,· ) Indist. Obfuscation

Indist. Obfuscation

≈

NC

Obfuscation



P

How to realize iO for

1.

View circuit as a

matrix branching program

◦ Barrington’s Theorem [B86]

2.

Randomize

it via Kilian’s approach [K88]

3.

Use

multilinear maps

to make computation

hidden

4.

Attacks and fixes

• _{Barrington’s theorem:}

• _{An circuit}  polynomial length MBP • _{With constant-dimension matrices}

• _{Example: length-9 MBP with 4-bit input}

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

0

• _{This length-9 BP has 4-bit inputs}

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

0 1

Matrix Branching Program

• This length-9 BP has 4-bit inputs

• Multiply the chosen 9 matrices together

• If product is output 1. Otherwise output 0.

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

0 1 1 0

Kilian’s Randomization

• _{Randomization can hide everything else} • _{Sample to . Set}

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

A

0 1 1 0

B

B

B

B

B

What if we give both?

• _{Perfect privacy is lost once we give both ’s}

B

B

B

B

B

B

B

B

B

B

First line of defense:

Multilinear Maps

[BS03,

G

GH13]

• _{Multilinear Maps}

• _{``encrypt’’ these matrices}

• _{identity matrices can be tested}

• _{Recall cryptographic -multilinear map:}

• _{Groups of order , generators and target group}

with generator .

• _{Computable map}

• _{Multi-linearity: for all ’s.}

• _{[GGH13] maps are noisy but lets ignore that}

First line of defense:

Multilinear Maps

[BS03,

G

GH13]

• _{Encode the ’s in the exponent,}

• _{Can use the map to multiply them} • _{Then we can check if}

B

B

B

B

B

B

B

B

B

B

Attack 1: Are the ’s hidden?

• _{Mixed input attacks: Inconsistent matrix selection:}

• _{Product includes and , but these two steps depend on} the same input bit (i.e., )

• _{Roughly, you learn what happens when fixing some}

internal wire in the circuit of

B

B

B

B

B

B

B

B

B

B

B

B

B

B

B

B

B

B

Attack 2: Are the ’s hidden?

• _{Partial evaluation attacks: Evaluate the program on} two inputs , but only use matrices between steps ,

• _{Check if}

• _{Roughly, you learn if in the computations of the}

circuits for , you have the same value on some internal wire

B

B

B

B

B

B

B

B

B

B

Fixing attack 1:

Multiplicative bundling

34

B

B

B

B

B

B

B

B

B

B

Fixing attack 1:

Multiplicative bundling

B

B

B

B

B

B

B

B

B

B

Attack 2: Does it still exist?

36

B

B

B

B

B

B

B

B

B

B

Fixing attack 2:

Extended Multiplicative

bundling

B

B

B

B

B

B

B

B

B

B

B

B

B

B

B

B

B

B

𝛾

𝛾

𝛾

𝛾

𝛾

𝛾

𝛾

𝛾

𝛾

Fixing attack 2:

Extended Multiplicative

bundling

38

Security Proof?

• _{Not on a standard assumption, but} • _{a complex new assumption.}

• _{Some evidence: We give proof of security in a}

certain generic mulitlinear matrix model.

• _{Evidence strengthened by [BR13, BGKPS13] who}

Open Problems

•

Better assumptions

•

Stronger notions

•

Faster constructions

• _{Complexity of our construction is horrendous}

•

More applications

• _{The sky is the limit…}

Thank You