Provable Security for Program Obfuscation

Similar documents
Lecture 2: Program Obfuscation - II April 1, 2009

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

On the (Im)possibility of Obfuscating Programs

Lecture 7: CPA Security, MACs, OWFs

Journal of the Association for Computing Machinery. On the (Im)possibility of Obfuscating Programs. For Peer Review

On the (Im)possibility of Obfuscating Programs

1 Cryptographic hash functions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Lecture 5, CPA Secure Encryption from PRFs

Homework 7 Solutions

2 Message authentication codes (MACs)

Block Ciphers/Pseudorandom Permutations

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lecture 11: Key Agreement

Lecture 17: Constructions of Public-Key Encryption

Introduction to Cryptography

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

CPA-Security. Definition: A private-key encryption scheme

1 Cryptographic hash functions

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Positive Results and Techniques for Obfuscation

Modern Cryptography Lecture 4

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

CTR mode of operation

Symmetric Encryption

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions

Pseudorandom Generators

On the (Im)possibility of Obfuscating Programs

Computer Science A Cryptography and Data Security. Claude Crépeau

CS154, Lecture 17: conp, Oracles again, Space Complexity

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

CPSC 467b: Cryptography and Computer Security

Authentication. Chapter Message Authentication

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

III. Pseudorandom functions & encryption

Computational security & Private key encryption

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Lecture 20: conp and Friends, Oracles in Complexity Theory

Notes for Lecture 17

On the CCA1-Security of Elgamal and Damgård s Elgamal

Question 1. The Chinese University of Hong Kong, Spring 2018

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Obfuscating Point Functions with Multibit Output

Lecture 24: Randomized Complexity, Course Summary

Lecture 13: Private Key Encryption

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

How to Encrypt with the LPN Problem

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

1 Indistinguishability for multiple encryptions

The Laws of Cryptography Zero-Knowledge Protocols

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

6.045: Automata, Computability, and Complexity (GITCS) Class 17 Nancy Lynch

Topics in Complexity

Equivalences of Basic Cryptographic Functions

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

CMSC 858K Advanced Topics in Cryptography March 4, 2004

Statistical WI (and more) in Two Messages

Lecture 2: Perfect Secrecy and its Limitations

Lectures 2+3: Provable Security

1 Secure two-party computation

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

10 Concrete candidates for public key crypto

Pseudorandom Generators

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

: Cryptography and Game Theory Ran Canetti and Alon Rosen. Lecture 8

Lecture 14: Cryptographic Hash Functions

Lecture Notes 20: Zero-Knowledge Proofs

Random Oracles and Auxiliary Input

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Goldreich-Levin Hardcore Predicate. Lecture 28: List Decoding Hadamard Code and Goldreich-L

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Lecture 15 - Zero Knowledge Proofs

Public Key Cryptography

On the (Im)possibility of Obfuscating Programs

Scribe for Lecture #5

Cryptography 2017 Lecture 2

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

CPSC 467: Cryptography and Computer Security

The Indistinguishability of the XOR of k permutations

Introduction to Cryptography Lecture 13

Lecture Note 3 Date:

Advanced Cryptography 1st Semester Public Encryption

Friday Four Square! Today at 4:15PM, Outside Gates

Lecture 18: Zero-Knowledge Proofs

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Privacy and Fault-Tolerance in Distributed Optimization. Nitin Vaidya University of Illinois at Urbana-Champaign

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

6.080/6.089 GITCS Apr 15, Lecture 17

Multiparty Computation

Complexity Theory Part II

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Positive Results and Techniques for Obfuscation

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lattice-Based Non-Interactive Arugment Systems

Transcription:

for Program Obfuscation Black-box Mathematics & Mechanics Faculty Saint Petersburg State University Spring 2005 SETLab

Outline 1 Black-box

Outline 1 2 Black-box

Outline Black-box 1 2 3 Black-box

Perfect What do we want to get? Black-box

Perfect Black-box What do we want to get? We want to be sure that our system is safe to use. In lecture 4 Applications of Obfuscation we ll discuss what kind of safety we want to get by. Today: what does it mean to be sure about safety? Usual approach: to build some proof of safety.

Ways to How are we going to prove security? Black-box

Ways to Black-box How are we going to prove security? Theoretic security: obfuscated program doesn t provide enough information to successful attack Example: exact reverse engineering. Solution: delete comments Computational (cryptographic) security: attack required too much Necessary hardness of attack: average superpolynomial complexity. Now: no problems with such proved complexity

Ways to II So what can we accept as enough hard problem? Black-box

Ways to II Black-box So what can we accept as enough hard problem? NP-hard problems. Disadvantage: worst case complexity NP-hard problems with average complexity results. Example: SUBSET SUM Problems with wide-believed hardness: Examples: FACTORING, DISCRETE LOG

Current What are the best results to the moment? Black-box

Current Black-box What are the best results to the moment? Specific attacks on specific programs are ally hard For some classes of programs we can hide most of internal information Some program analysis is proved to be hard

Current Black-box What are the best results to the moment? Specific attacks on specific programs are ally hard For some classes of programs we can hide most of internal information Some program analysis is proved to be hard And in general is impossible!

Ana and BAna Slide from Lecture 1 your turn to explain. Black-box

Ana and BAna Black-box Slide from Lecture 1 your turn to explain. We are interested in 2 types of polynomial-time analyzers: Ana is a source-code analyzer that can read the program. Ana(P) BAna is a black-box analyzer that only queries the program as an oracle. BAna P (time(p))

Ana and BAna Black-box Slide from Lecture 1 your turn to explain. We are interested in 2 types of polynomial-time analyzers: Ana is a source-code analyzer that can read the program. Ana(P) BAna is a black-box analyzer that only queries the program as an oracle. BAna P (time(p)) Black-Box security Ana can t get more information than BAna could

Black-Box : Formal Definition A nondeterministic algorithm O is a TM obfuscator if three following conditions hold: (functionality) For every TM M, the string O(M) describes the same function as M. Black-box

Black-Box : Formal Definition A nondeterministic algorithm O is a TM obfuscator if three following conditions hold: (functionality) For every TM M, the string O(M) describes the same function as M. (polynomial slowdown) The description length and running time of O(M) are at most polynomially larger than that of M. Black-box

Black-Box : Formal Definition Black-box A nondeterministic algorithm O is a TM obfuscator if three following conditions hold: (functionality) For every TM M, the string O(M) describes the same function as M. (polynomial slowdown) The description length and running time of O(M) are at most polynomially larger than that of M. ( virtual black box property) For any PPT A, there is a PPT S and a negligible function α such that for all TMs M Pr[A(O(M)) = 1] Pr[S M (1 M ) = 1] α( M ).

Black-Box : Two Programs Black-box A 2-TM obfuscator is defined in the same way as a TM-obfuscator, except the virtual black box property is changed as follows ( virtual black box property) For any PPT A, there is a PPT S and a negligible function α such that for all TMs M and N Pr[A(O(M), O(N)) = 1] Pr[S M,N (1 M + N ) = 1] α(min( M, N )).

Black-Box : Two Programs Black-box A 2-TM obfuscator is defined in the same way as a TM-obfuscator, except the virtual black box property is changed as follows ( virtual black box property) For any PPT A, there is a PPT S and a negligible function α such that for all TMs M and N Pr[A(O(M), O(N)) = 1] Pr[S M,N (1 M + N ) = 1] α(min( M, N )). What obfuscator is more powerful?

Two Programs Lemma Two Programs Lemma 2-TM obfuscators do not exist. Black-box

Two Programs Lemma Black-box Two Programs Lemma 2-TM obfuscators do not exist. { β, x = α C α,β (x) = 0, otherwise { 1, C(α) = β D α,β (C) = 0, otherwise Z k (x) = 0 k Intuition: it is difficult to distinguish pairs C α,β, D α,β from pair Z k, D α,β given only black box access to these programs.

Lemma Proof: Rough Sketch Suppose O is 2-TM obfuscator. Let s check its black box property on pairs C α,β, D α,β and Z k, D α,β for every α, β where A = N(M). Black-box

Lemma Proof: Rough Sketch Suppose O is 2-TM obfuscator. Let s check its black box property on pairs C α,β, D α,β and Z k, D α,β for every α, β where A = N(M). Pr[A(O(C α,β ), O(D α,β )) = 1] = 1 Black-box

Lemma Proof: Rough Sketch Suppose O is 2-TM obfuscator. Let s check its black box property on pairs C α,β, D α,β and Z k, D α,β for every α, β where A = N(M). Pr[A(O(C α,β ), O(D α,β )) = 1] = 1 Pr[A(O(Z k ), O(D α,β )) = 1] = 2 k Black-box

Lemma Proof: Rough Sketch Black-box Suppose O is 2-TM obfuscator. Let s check its black box property on pairs C α,β, D α,β and Z k, D α,β for every α, β where A = N(M). Pr[A(O(C α,β ), O(D α,β )) = 1] = 1 Pr[A(O(Z k ), O(D α,β )) = 1] = 2 k Pr[S C α,β,d α,β = 1] Pr[S Z k,d α,β = 1] 2 Ω(k)

Lemma Proof: Rough Sketch Black-box Suppose O is 2-TM obfuscator. Let s check its black box property on pairs C α,β, D α,β and Z k, D α,β for every α, β where A = N(M). Pr[A(O(C α,β ), O(D α,β )) = 1] = 1 Pr[A(O(Z k ), O(D α,β )) = 1] = 2 k Pr[S C α,β,d α,β = 1] Pr[S Z k,d α,β = 1] 2 Ω(k)

Lemma Proof: Rough Sketch Black-box Suppose O is 2-TM obfuscator. Let s check its black box property on pairs C α,β, D α,β and Z k, D α,β for every α, β where A = N(M). Pr[A(O(C α,β ), O(D α,β )) = 1] = 1 Pr[A(O(Z k ), O(D α,β )) = 1] = 2 k Pr[S C α,β,d α,β = 1] Pr[S Z k,d α,β = 1] 2 Ω(k) So we get a contradiction! But...

Lemma Proof: Rough Sketch Black-box Suppose O is 2-TM obfuscator. Let s check its black box property on pairs C α,β, D α,β and Z k, D α,β for every α, β where A = N(M). Pr[A(O(C α,β ), O(D α,β )) = 1] = 1 Pr[A(O(Z k ), O(D α,β )) = 1] = 2 k Pr[S C α,β,d α,β = 1] Pr[S Z k,d α,β = 1] 2 Ω(k) So we get a contradiction! But... There is a flaw in the proof. Do you see?

Impossibility Theorem Impossibility Theorem TM obfuscators do not exist. Black-box

Impossibility Theorem Impossibility Theorem TM obfuscators do not exist. Black-box F α,β (b, x) = C α,β #D α,β G α,β (b, x) = Z k #D α,β Algorithm A is the following: to decompose M into two parts and evaluate the second part on the code (encoding) of the first. Argument is similar to the Lemma s proof.

Slide from Lecture 1 your turn to explain. Black-box

Slide from Lecture 1 your turn to explain. Black-box Instance: two families of programs Π 1 and Π 2 Adversary task: given a program P Π 1 Π 2 to decide whether P Π 1 or P Π 2.

Slide from Lecture 1 your turn to explain. Black-box Instance: two families of programs Π 1 and Π 2 Adversary task: given a program P Π 1 Π 2 to decide whether P Π 1 or P Π 2. Desirable protection: make adversary task as difficult as well-known ally hard problem is.

Password Checking Hiding Black-box prog π w 1 ; var x:string, y:bit; input(x); if x = w then y:=1 else y:=0; output(y); end of prog;

Password Checking Hiding Black-box prog π w 1 ; var x:string, y:bit; input(x); if x = w then y:=1 else y:=0; output(y); end of prog; prog π 0 ; var x:string, y:bit; input(x); y:=0; output(y); end of prog; Task: Make this families indistinguishable.

Some Theoretical Background One-Way Permutation is bijection from the set of all binary strings of length k to itself which is easy to compute and difficult to inverse. F : B k B k Black-box Hardcore Predicate for one way permutation F is a predicate (i.e. boolean function) h such that given F(x) its difficult to predict h(x) better than just guess it. Usual construction of hard-core predicate: choose r by random and take any one way permutation F than given a pair (F(x), r) its difficult to uncover x r.

Program with hidden password checking Black-box prog Π var x: string, y:bit; const u, v:string, σ:bit; input(x); if ONE_WAY(x)=v then if x u = σ then y:=1 else y:=0; else y:=0; output(y); end of prog;

Model of Computation Slide from Lecture 1 your turn to explain. Black-box

Model of Computation Slide from Lecture 1 your turn to explain. Black-box task: keep F unknown to Bob.

Homomorphic Encryption Black-box General idea: to design an encoding such that it is possible to evaluate various operations over encrypted messages (and getting encrypted results) without decrypting them. In particular encoding is called Additively homomorphic if it is possible to compute E(x + y) from E(x) and E(y) Multiplicatively homomorphic if it is possible to compute E(xy) from E(x) and E(y) Mixed multiplicatively homomorphic if it is possible to compute E(xy) from E(x) and y.

Homomorphic Encryption II Fact: there exists additively homomorphic encryption schemes over the rings Z/NZ. Corollary: there exists additively & mixed multiplicatively homomorphic encryption schemes over the rings Z/NZ. Black-box

Homomorphic Encryption II Black-box Fact: there exists additively homomorphic encryption schemes over the rings Z/NZ. Corollary: there exists additively & mixed multiplicatively homomorphic encryption schemes over the rings Z/NZ. Proof: Mixed multiplication could be done by polynomial number of additions.

Encrypting Polynomials Black-box Let P be polynomial over Z/NZ ring. P = a i1...i s X i 1 1... Xs is Then we can encrypt P by just sending encrypted coefficients (using MM-A homomorphic encryption). Bob is able to compute E(P(X)) and return it back to Alice. What we reveal to Bob? Only set of nonzero coefficients of P.

results What are further results for encrypted? Black-box

results What are further results for encrypted? Black-box Other presentations of function. [Loreiro, Molva] function as a matrix. [Sander, Tschudin] another basic hard problem: decomposition of rational functions.

More Black-Box What are other functions obfuscated with black-box security? Black-box

More Black-Box What are other functions obfuscated with black-box security? [LPS 2004] interactive access control system. Black-box

More Black-Box Black-box What are other functions obfuscated with black-box security? [LPS 2004] interactive access control system. Next results I expect from you!

Quality of obfuscating transformations What is hard to get from programs after obfuscating transformations? Black-box

Quality of obfuscating transformations Black-box What is hard to get from programs after obfuscating transformations? Alias analysis is NP-hard! Average hardness is proved only for several fixed analysis algorithms

We can prove property extracting to be hard in some cases. Black-box

We can prove property extracting to be hard in some cases. We can use cryptographic constructions to hide some internal constants. Black-box

We can prove property extracting to be hard in some cases. We can use cryptographic constructions to hide some internal constants. Obfuscation in general is impossible. Black-box

We can prove property extracting to be hard in some cases. We can use cryptographic constructions to hide some internal constants. Obfuscation in general is impossible. Black-box Question Time!

Not covered by the talk Back Up Slides Not covered by the talk Black box security with relations to zero-knowledge

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback