Published by Ross Simmons. Modified over 9 years ago.
1
Private Programs: Obfuscation, a survey
Guy Rothblum
Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and Yang
Lynn, Prabhakaran and Sahai
Goldwasser and R
Using slides by Boaz Barak, Yael Kalai
2
Program Obfuscation 101
Obfuscate [verb]: “to make obscure or unclear”
Obfuscator: A compiler that takes programs and makes them difficult to understand.
3
Code Obfuscation: what is it?
To intentionally make a program unintelligible, while preserving its functionality.
Goal: Change program so still has same I/O behavior but is impossible to understand
[Figure: P → Obf → Obf(P)]
4
    for (i=0; i < M.length; i++) {
      // Adjust position of clock hands
      var ML=(ns)?document.layers['nsMinutes'+i]:ieMinutes[i].style;
      ML.top=y[i]+HandY+(i*HandHeight)*Math.sin(min)+scrll;
      ML.left=x[i]+HandX+(i*HandWidth)*Math.cos(min);
    }

↓ obfuscator

    for(O79=0;O79<l6x.length;O79++){var O63=(l70)?document.layers
    ["nsM\151\156u\164\145s"+O79]:ieMinutes[O79].style;
    O63.top=l61[O79]+O76+(O79*O75)*Math.sin(O51)+l73;
    O63.left=l75[O79]+l77+(O79*l76)*Math.cos(O51);}
5
Why Obfuscate?
For Software Protection
– Software vendors want to prevent users from reverse-engineering executable code. No good solution known.
For Cryptography
– Many applications: fully homomorphic encryption, private to public key crypto, etc.
6
Obfuscation in Real World
Copy protection/Licensing
Spam
– conceal code that spawns pop-ups
Software watermarking
Prevent reverse engineering
– By competitors
– By hackers (e.g., for games)
[Figure: SafeDisc Advanced]
if (test fails) then exit else …
7
Off the Shelf Obfuscators
8
Why Obfuscate?
For Software Protection
– Software vendors want to prevent users from reverse-engineering executable code. No good solution known.
For Cryptography
– Many applications: fully homomorphic encryption, private to public key crypto, etc.
9
Obfuscation: Cryptographer’s Dream
– Cryptographic delegation: signature delegation
[Figure labels: (SK, PK), Alice’s secret key and public key; m → $SIG_{SK}$ → m; can be verified given PK]
10
Obfuscation: Cryptographer’s Dream
– Cryptographic delegation: signature delegation
– Transform any secret key cryptographic primitive into a public key one
– Compute on encrypted data
– Solve access control problems
Many cryptographic tasks could be achieved securely by writing a simple program and then obfuscating it (if possible!).
[Figure labels: (SK, PK); “Want to allow Bob to sign msgs on Oct05”; SK; Oct07; $SIG_{SK}$; Obf( )]
11
Black-Box Obfuscation: Informal Definition [BGI+01]
Obf(P) is essentially equivalent to a black box.
[Figure: P → Obf → Obf(P); black box P]
12
Defining Obfuscation [BGIRSVY]
Obfuscated program should be “as secure as” black-box access.
Obfuscator O runs on programs*, must satisfy:
1. Preserves functionality
2. Polynomial slow-down
3. Virtual black-box
*Turing Machines, Circuits
13
Defining Obfuscation
An algorithm O is an obfuscator if for any program P:
(functionality) O(P) ~ P (i.e., O(P) computes the same function as P)
(polynomial slowdown) running time of O(P) ≤ p(running time of P) for some polynomial p(·).
We say that O is efficient if it runs in polynomial time.
14
Predicate Virtual Black-Box [BGIRSVY]:
For any poly learner L, exists poly simulator S, s.t. for every (poly time) program P:
$\Pr[L(O(P)) = 1] \approx \Pr[S^{P}(1^{|P|}) = 1]$
[Figure: Learner, given O(P), outputs 0/1 ≈ Simulator, with oracle access to P (query x, answer P(x)), outputs 0/1]
15
Previous Work
[Hada] implications of strong obfuscators
Strong Negative Results
– [BGIRSVY] exist Turing Machines, circuits that cannot be obfuscated
– [GK] under stronger definition, many natural circuits cannot be obfuscated
Limited Positive Results
– Obfuscating “point functions” [C,LPS,W,CMR,DS]
– Obfuscating using random oracle [LPS]
16
Unfortunately… General-purpose obfuscation is IMPOSSIBLE
Proof for Turing Machines:
$C_{\alpha,\beta}(x) = \beta$ if $x = \alpha$, 0 otherwise
$D_{\alpha,\beta}(C) = 1$ if $C(\alpha) = \beta$, 0 otherwise
Intuition:
Given $C_{\alpha,\beta}$, $D_{\alpha',\beta'}$: “know” output $D_{\alpha',\beta'}(C_{\alpha,\beta})$
Given black-box access to $C_{\alpha,\beta}$, $D_{\alpha',\beta'}$: “don’t know” what $D_{\alpha',\beta'}(C_{\alpha,\beta})$ outputs!
17
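“Proof”
$C_{\alpha,\beta}(x) = \beta$ if $x = \alpha$, 0 otherwise
$D_{\alpha,\beta}(C) = 1$ if $C(\alpha) = \beta$, 0 otherwise
$F_{\alpha,\beta}(b,y) = C_{\alpha,\beta}(y)$ if $b = 0$, $D_{\alpha,\beta}(y)$ if $b = 1$
$Z_{\alpha,\beta}(b,y) = 0$ if $b = 0$, $D_{\alpha,\beta}(y)$ if $b = 1$
From black-box access, $F_{\alpha,\beta}$, $Z_{\alpha,\beta}$ look the same
From non black-box access:
$O(F_{\alpha,\beta})(1, O(F_{\alpha,\beta}(0,\cdot))) = 1$
$O(Z_{\alpha,\beta})(1, O(Z_{\alpha,\beta}(0,\cdot))) = 0$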
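The F/Z argument above can be run directly. The following is an added example, not code from the slides: `toy_obfuscate` is a hypothetical stand-in for any O that preserves functionality, and the 16-byte strings and helper names are assumptions.

```python
import secrets

N = 16  # byte length of alpha, beta and of the all-zero "0" output (constructed)
ZERO = bytes(N)

def make_D(alpha, beta):
    # D_{alpha,beta}(C) = 1 if C(alpha) = beta, 0 otherwise; C is a program.
    return lambda prog: 1 if prog(alpha) == beta else 0

def make_F(alpha, beta):
    D = make_D(alpha, beta)
    # F(0, y) = C_{alpha,beta}(y); F(1, y) = D_{alpha,beta}(y)
    return lambda b, y: (beta if y == alpha else ZERO) if b == 0 else D(y)

def make_Z(alpha, beta):
    D = make_D(alpha, beta)
    # Z(0, y) = 0; Z(1, y) = D_{alpha,beta}(y)
    return lambda b, y: ZERO if b == 0 else D(y)

def toy_obfuscate(prog):
    # Hypothetical stand-in for O: only assumed to preserve functionality.
    return lambda b, y: prog(b, y)

def code_learner(obf):
    # Holds the program itself, so it can hand the b=0 half to the b=1 half.
    return obf(1, lambda y: obf(0, y))

def oracle_view(prog, queries=500):
    # Everything an oracle-only simulator sees from random queries to both halves.
    seen = set()
    for _ in range(queries):
        y = secrets.token_bytes(N)
        seen.add(prog(0, y))                 # misses alpha except w.p. 2^-128
        seen.add(prog(1, lambda x, y=y: y))  # constant program, misses beta
    return seen

def demo():
    alpha, beta = secrets.token_bytes(N), secrets.token_bytes(N)
    F, Z = make_F(alpha, beta), make_Z(alpha, beta)
    return (code_learner(toy_obfuscate(F)), code_learner(toy_obfuscate(Z)),
            oracle_view(F) == oracle_view(Z))

if __name__ == "__main__":
    print(demo())
```

The learner never inspects the obfuscated code; it only needs to be able to pass the program to itself as an input, which is exactly what oracle access does not allow.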
18
What to Do?
Look at more specific programs
– Point Functions
Relax the Definition
– No more black box!
19
Obfuscating Point Functions
Point or “password” function family:
$I_p(x) = 1$ if $x = p$, 0 otherwise
Useful e.g. for access control, storing passwords
Restricted family of functions/programs
20
Tool: Random Oracle
Say we have access to a truly random function
Random Oracle $R: \{0,1\}^n \to \{0,1\}^n$
Only way to learn output is querying oracle on input
In general, model is useful (e.g. [FS]) but problematic [CGH,DNRS,GK]
21
Obfuscating Point Functions
Obfuscated Program($I_p$): [LPS]
– Store R(p) (in the clear)
– On input x, if R(x) = R(p) output 1, otherwise output 0
Obfuscated because of random oracle
Get similar results from (strong) assumptions [C,W]
Note obfuscator works only for very simple point function programs [M]
22
What to Do?
Look at more specific programs
– Point Functions
Relax the Definition
– No more black box!
23
Relaxed Definition Compare obfuscated program with black box? “Apples and oranges”. Program is not black box. Relax requirement: Compare obfuscated program with other programs, we want obfuscation that is “more secure” than any other program! Best possible obfuscation.
24
Best Possible Obfuscation [GR]:
For every poly learner L, exists poly simulator S s.t. for every circuit $C_1$, for every equivalent $C_2$ ($|C_1| = |C_2|$), distributions $L(O(C_1))$ and $S(C_2)$ indistinguishable.
[Figure: Learner, given $O(C_1)$, outputs 0/1 ≈ Simulator, given $C_2$, outputs 0/1; circuit C maps x to C(x); labels: Computational, Statistical, Perfect]
25
Meaningful Guarantee? Guarantee from definition: Anything that can be learned from O(C) can be learned from any equivalent circuit of same size as C. O(C) is “more secure” than all these circuits. Obfuscator has to output some circuit equivalent to C, definition guarantees the output is best possible.
26
Indistinguishability Obfuscators [BGIRSVY] Indistinguishability Obfuscator Obfuscations of equivalent circuits of the same size should be computationally indistinguishable. Definitions equivalent for efficient obfuscation (but not for inefficient obfuscation).
27
Best-Possible Obfuscation Results
Best possible vs. black box obfuscation
– Black-box implies best-possible.
– A “natural” obfuscation task can be achieved under best-possible but not under black-box definition.
Unconditionally (statistically) best-possible
– If P=NP can best-possible obfuscate all circuits.
– Unconditionally best possible obfuscation for $AC^0$ implies PH collapses to second level.
Obfuscation and Random Oracles
– Can use random-oracle to build (simple, natural) circuits that cannot be best-possible obfuscated.
28
Best Possible vs. Black-Box Obfuscation
29
Best-Possible vs. Black-Box
Claim: black-box obfuscator → best-possible obfuscator
Proof Intuition: Suppose obfuscator not best-possible:
Obfuscations of equivalent $C_1$ and $C_2$ are distinguishable from non-black-box access, but circuits indistinguishable from black-box access!
Predicate Adversary “guesses” whether obfuscation is of $C_1$ or $C_2$.
Obfuscator is not black-box!
30
Best-Possible vs. Black-Box (2)
OBDDs: log-space programs with read-once left-to-right access to their input tape.
Claim: Can efficiently best-possible* obfuscate OBDDs as OBDDs.
Proof: OBDDs have efficiently computable canonical representation [Bryant].
Claim: OBDDs cannot be black-box obfuscated as OBDDs.
Proof: Extract non black-box information from canonical representation.
*Restriction: Require that obfuscator maintains complexity measures of obfuscated program. Interesting both for positive and negative results.
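Why a canonical representation yields a best-possible obfuscator, as an added example that is not from the slides: `canonical_obdd` (a hypothetical name) builds the reduced OBDD for a fixed variable order, so every equivalent description of a function produces the identical output. For brevity it expands a Python predicate over all $2^n$ inputs, which is exponential; Bryant's reduction works on the OBDD itself in polynomial time.

```python
def canonical_obdd(f, n):
    """Reduced OBDD of f: {0,1}^n -> {0,1} under the order x_0 < ... < x_{n-1}.

    Returns (root, nodes): ids 0 and 1 are the terminals, and nodes is a tuple
    of (id, (var, low_child, high_child)) for the internal nodes.
    """
    unique = {}                       # (var, lo, hi) -> id, shares equal subgraphs

    def build(i, prefix):
        if i == n:
            return int(bool(f(prefix)))
        lo = build(i + 1, prefix + (0,))
        hi = build(i + 1, prefix + (1,))
        if lo == hi:                  # x_i does not matter here: skip the test
            return lo
        key = (i, lo, hi)
        if key not in unique:
            unique[key] = len(unique) + 2
        return unique[key]

    root = build(0, ())
    nodes = tuple(sorted((nid, key) for key, nid in unique.items()))
    return root, nodes

# Constructed sample inputs: two different descriptions of the same function,
# and one function that differs from them.
def c1(x): return (x[0] and x[1]) or (x[0] and x[2])
def c2(x): return x[0] and (x[1] or x[2])
def c3(x): return x[0] and x[1]

def same_obfuscation(f, g, n):
    # Equivalent inputs give byte-for-byte the same output, so the output
    # carries nothing about which description was supplied.
    return canonical_obdd(f, n) == canonical_obdd(g, n)
```

The output depends only on the function computed, which is the positive claim; the same determinism is what exposes structure of the function (for example, which variables are ever tested) that black-box queries do not hand over directly.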
31
Statistically Best-Possible Obfuscation
32
If P=NP … Can perfectly best-possible obfuscate any circuit! Obfuscator: output the lexicographically first smallest equivalent circuit (efficient if P=NP ). Simulator: also output the lexicographically first smallest equivalent circuit (efficient if P=NP ). PERFECTLY best-possible obfuscation.
33
Statistically Best-Possible? Goal: unconditionally best-possible obfuscation? Approaches: Techniques from secure multi-party computation, “Randomizing” circuits, Focusing on low complexity classes.
34
Statistically Best-Possible → PH Collapse Theorem: If CNF circuits can be statistically best-possible obfuscated (even inefficiently), then polynomial hierarchy collapses.
35
Stat. Best-Possible → PH Collapse (2)
Suppose O is statistically best possible obfuscator.
Idea: Use O to get AM protocol for Co-NP complete language. Collapses poly hierarchy [F,AH,BHZ].
Co-NP complete language L: circuit-equivalence, $(C_1, C_2) \in L$ iff $C_1 \equiv C_2$
36
Stat. Best-Possible → PH Collapse (3)
On input $(C_1, C_2)$ use distributions $S(C_1)$, $S(C_2)$
If $(C_1, C_2)$ not equivalent:
– $O(C_1)$, $O(C_2)$ disjoint by preserving functionality
– so $S(C_1)$, $S(C_2)$ stat.-far by best-possible property
If $(C_1, C_2)$ equivalent:
– $O(C_1)$, $S(C_1)$ stat.-close by best-possible property
– $O(C_1)$, $S(C_2)$ stat.-close by best-possible property
– conclude $S(C_1)$, $S(C_2)$ also stat. close
Reduced circuit equivalence to statistical distance, a problem in AM [SV].
37
Random Oracles and Obfuscation
38
[LPS] use random oracles to help obfuscation. If one could realize random oracles, would this necessarily help obfuscation? Not necessarily: can also use random oracles to build un-obfuscatable circuits!
39
Random Oracles and Obfuscation
Theorem: There exists a simple family of circuits implementing point function functionalities that cannot be best-possible obfuscated.
Circuits in the family make oracle calls.
Does not rule out that every (non-oracle) circuit can be best-possible obfuscated.
40
Unobfuscatable Circuit $C_{p,M}$ for $I_p$
For a point $p \in \{0,1\}^n$, choose subset $M \subseteq [n]$
[Figure: circuit on inputs $x_1, x_2, x_3, x_4, x_5, \dots, x_n$ with labels $p|_{[n] \setminus M}$, oracle R, $R(p|_M)$ and ∧]
Any circuit computed from $C_{p,M}$ and preserving functionality must call oracle on $x|_M$.
Exposes non black-box info on M!
41
Conclusions and Open Problems
Black-Box Obfuscation
– More natural impossibility results [GK]
– More Positive Results [HRsV]
– Constant-depth circuits?
New Best-Possible Obfuscators
– Current positive results have flavor of “finding canonical representations”.
– Goal: more examples of best-possible obfuscation. Think outside the (black) box
Hardness Results?
– Best-possible obfuscation hardness results likely to be different from black-box results.
42
THE END Thank You