Presentation is loading. Please wait.

Presentation is loading. Please wait.

Amit Sahai May 9, 2014 Aarhus Institute of Advanced Studies Advances in Obfuscation.

Published byAnissa Benson Modified over 9 years ago

Similar presentations

Presentation on theme: "Amit Sahai May 9, 2014 Aarhus Institute of Advanced Studies Advances in Obfuscation."— Presentation transcript:

1 Amit Sahai May 9, 2014 Aarhus Institute of Advanced Studies Advances in Obfuscation

2 General-Purpose Obfuscation For decades: only ad-hoc methods, all broken This changed with [Garg-Gentry-Halevi-Raykova-Sahai-Waters, FOCS 2013] : First rigorous general approach Has led to many follow-up works already [everyone et al, 2013 & 2014]

3 Wait... What about [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Ye 2001]? Isn’t general-purpose obfuscation supposed to be impossible? What [BGIRSVY 2001] shows: – There are contrived “self-eating programs” for which black-box obfuscation suffers from explicit attacks. What [BGIRSVY 2001] + follow-ups do not show: – “All programs cannot be obfuscated” – “There is a natural setting where black-box obfuscation fails” The [BGIRSVY 2001] lesson: – Which secrets are hidden by obfuscation is not always clear. O(P) =P

4 How to Proceed Theoretically safest way forward: – Indistinguishability Obfuscation (iO) – Given two equivalent circuits (C 0, C 1 ), bounded adversary cannot distinguish (C 0, C 1, iO( C 0 )) from (C 0, C 1, iO( C 1 )) – No impossibilities known: Definition does not tell us what secrets are (directly) hidden – Still remarkably useful [ GGHRSW, Sahai-Waters ‘13, Garg-Gentry-Halevi-Raykova ‘13, … (see Eurocrypt+ePrint) ] Also… proceed “anyway” with black-box obfuscation – Black-box obfuscation like random-oracle model – ROM also has contrived negative results, but still very useful (e.g. IBE [Boneh-Franklin] Gödel Prize) – Can we get more confidence in using black-box obfuscation, for instance with respect to idealized adversary model?

5 This talk: security of obfuscation How confident are we about obfuscation? Where does security really come from? This talk: – “Generic algebraic model” security: [Barak-Garg-Kalai-Paneth-Sahai ‘13, Eurocrypt 2014] : black-box In this talk: quick overview, to set up for next result: – Goldwasser-Micali style reduction security: [Gentry-Lewko-Sahai-Waters ‘14] : iO from Multilinear Subgroup Elimination Assumption. First assumption where challenge does not contain iO constructions. Recall: Assuming LWE, only need obfuscation for branching programs (in fact NC 1 ) [GGHRSW ‘13].

6 Part I Generic Security For Obfuscation Previous work: [GGHRSW ‘13, Brakerski-Rothblum ‘13]: more restricted adversary, or strong complexity assumption

7 k – Mmaps [Boneh-Silverberg ‘03, Garg-Gentry-Halevi ‘13] k “levels” of encodings: G 1, …, G k : Each G i is a copy of Z N. Maps: – Addition: G i x G i to G i – Multiplication: G i x G j to G (i+j), if i+j ≤ k – Zero-Test: G k to {Yes,No} Generic k-mmap model: Algebraic framework implemented by oracles. Adversary never sees actual representations in G i

8 Matrix Branching Programs [Barrington ‘86, Kilian ‘88, GGHRSW] Oblivious Matrix Branching Program for F: – n bit input x (e.g. n=3 here) – 2k matrices over Z N – Evaluation on x: – Where B is fixed matrix ≠ I over Z N Kilian Randomization: – Chose R 1, …, R k-1 random over Z N – Kilian shows that for each x, can statistically simulate M x matrices knowing only product. M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

9 Obfuscation Construction Ideas [GGHRSW ’13, BGKPS ‘13] Encode each matrix at level 1 using mmap: matrix multiplication is multilinear Problems remain. Key Problem: Input-Mixing Attack Adversary may learn secrets in this case. We must prevent this. We do so by introducing “straddling sets” – algebraic tool for preventing Input-Mixing (& more). M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

10 Generic Black-Box Proof (a glimpse) Straddling sets allow decomposition of Adv queries into queries that only depend on matrices corresponding to single input. Heart of Proof: Query for single input can be statistically simulated [Kilian]. (many steps omitted) This gives us unconditional proof of black-box security in generic model. M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

11 Part II Using reductions to argue security for iO. Goldwasser-Micali viewpoint (slightly different from yesterday’s talk): Goal: Base security on assumption that does not directly provide obfuscated programs to Adversary.

12 Our Assumption [GLW14] : Multilinear Subgroup Elimination k-Mmap over composite N, with many large prime factors: – One “special” prime factor c – k “distinguished” prime factors a 1, a 2, …, a k – poly other primes Adversary gets Level-1 encodings: – (random) generators of each prime subgroup, except c – h i : random element of order c(a 1 a 2 …a i-1 a i+1 …a k ) Adversary to distinguish between Level-1 encoding of: – Random element T of order (a 1 a 2 …a k ) – Random element T of order c(a 1 a 2 …a k ) Note: Assumption does not incorporate branching program matrices, straddling sets, circuits… In fact, assumption made by [GLW14] in context without these.

13 Previous iO Assumptions Ad-hoc assumption, directly incorporating obfuscated programs: – [GGHRSW ‘13, Pass-Seth-Telang (April 30, 2014 revision)] Mmap Meta-Assumptions [BGKPS’13] – A Meta assumption is “Assumption on Assumptions”: – E.g. “All assumptions that satisfy X, Y, Z are true” – [PST ‘13]: iO from Meta-assumption based on generic security – However, actual invocation of Meta-Assumption must directly incorporate obfuscated programs (into z,m 0,m 1 ) into Adversary’s challenge given by assumption. Unsatisfying state of affairs from Goldwasser-Micali standpoint. Can we do better?

14 Is 2 n security loss inherent? A good reason why we were stuck [Garg-Gentry-Sahai-Waters ’13] for getting better assumptions. Informal Claim: all natural reductions have to confirm if C 0 and C 1 really are equivalent programs. (This takes 2 n time, where n=input length.) Informal Proof Sketch: Suppose not, i.e., the reduction is only poly-time, and can’t figure out if C 0 and C 1 are equivalent.

15 Is 2 n security loss inherent? Consider C b (x): – Constant: y* – If PRG(x)=y*, then output b; else output 0 Note: if y*chosen at random, then C 0 and C 1 are equivalent w.h.p., otherwise if y* = PRG(x*), they are not. Create attacker Atk for assumption A: – Atk gets challenge ch from A. – Choose y*=PRG(x*), create C 0 and C 1. – Now Atk runs reduction on inputs ch, C 0 and C 1. Reduction makes oracle queries to a distinguisher between iO(C 0 ) and iO(C 1 ) But Atk can trivially distinguish P=iO(C 0 ) vs P=iO(C 1 ) by just running P(x*) – Eventually, reduction breaks assumption A. Thus, if reduction cannot check equivalent of C 0 and C 1, then assumption A can be broken in poly-time. Complexity leveraging seems essential.

16 How to argue security Consider any hybrid argument from iO(C 0 ) to iO(C 1 ) There must be some critical hybrid step, where some actual computation switches from C 0 -like to C 1 -like. All previous work dealt with such a hybrid by directly invoking assumption – very unsatisfying. How can we avoid this? Idea: Again use Kilian’s simulation to “switch” between C 0 and C 1 for a single input. – Can we use this idea within a reduction?

17 Overall reduction strategy We know reduction should take 2 n time. Let’s use this time to isolate each input, and somehow apply Kilian. Main idea: – Have poly many “parallel” obfuscations, each responsible for a bucket of inputs – Hybrid Type 1: Transfer inputs between different buckets, but programs do not change at all. Assumption used here. – Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program. Information-theoretic / No Assumption needed.

18 Hybrids intuition M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ C0C0

19 Hybrids intuition M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ C0C0 C0C0

20 Hybrids intuition M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ M 1, 0 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ C0C0 C0C0 … M 1, 1 M 2, 0 M 3, 0 M 4, 1 … M k, 0 ~ ~ ~ ~ ~ C0C0

21 Hybrids intuition M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ M 1, 0 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ C0C0 C0C0 … M 1, 1 M 2, 0 M 3, 0 M 4, 1 … M k, 0 ~ ~ ~ ~ ~ C1C1 All R matrices are independent per column. Can now use Kilian !

22 Hybrids intuition M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ C1C1 …

23 How to transfer inputs M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ C0C0 C0C0 …

24 Our Assumption: Multilinear Subgroup Elimination k-Mmap over composite N, with many prime factors: – One “special” prime factor c – k “distinguished” prime factors a 1, a 2, …, a k – poly other primes Adversary gets Level-1 encodings: – (random) generators of each prime subgroup, except c – h i : random element of order c(a 1 a 2 …a i-1 a i+1 …a k ) Adversary to distinguish between Level-1 encoding of: – Random element T of order (a 1 a 2 …a k ) – Random element T of order c(a 1 a 2 …a k ) Note: Assumption does not incorporate matrices, branching programs, straddling sets, circuits…

25 How to transfer inputs (cheating) M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 …… M k, 0 M k, 1 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ C0C0 C0C0 … Prime c Prime a 1 Use T to create these Use T to create these Use h i, i≠1 to create rest (since they are the same in c and a 1 subgroups) Use h i, i≠1 to create rest (since they are the same in c and a 1 subgroups) “Missing” a i in h i used to enforce input consistency. Key point: The programs for each prime is fixed. The reduction can directly build all matrices. Assumption plays no role in matrix choices.

26 Conclusions Obfuscation: beautiful area for study These results: deeper understanding of where security can come from – My take: Much less likely now that there might be a [BGIRSVY] -style negative result hiding in the iO woodwork Still an enormous amount of work to be done – Security from LWE ? (Need mmap functionalities) – Completely different obfuscation methods? – Avoid mmap-like functionality altogether? – Greater efficiency? Initial work: [Ananth-Gupta-Ishai-Sahai ‘14] Thank you

Download ppt "Amit Sahai May 9, 2014 Aarhus Institute of Advanced Studies Advances in Obfuscation."

Similar presentations

Quantum Versus Classical Proofs and Advice Scott Aaronson Waterloo MIT Greg Kuperberg UC Davis | x {0,1} n ?

Quantum Versus Classical Proofs and Advice Scott Aaronson Waterloo MIT Greg Kuperberg UC Davis | x {0,1} n ?
Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.

Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Merkle Damgard Revisited: how to Construct a hash Function

Merkle Damgard Revisited: how to Construct a hash Function
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
Lecture 19. Reduction: More Undecidable problems

Lecture 19. Reduction: More Undecidable problems
Optimizing Compilers for Modern Architectures Allen and Kennedy, Chapter 13 Compiling Array Assignments.

Optimizing Compilers for Modern Architectures Allen and Kennedy, Chapter 13 Compiling Array Assignments.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
15-251 Great Theoretical Ideas in Computer Science for Some.

Great Theoretical Ideas in Computer Science for Some.
Outline. Theorem For the two processor network, Bit C(Leader) = Bit C(MaxF) = 2[log 2 ((M + 2)/3.5)] and Bit C t (Leader) = Bit C t (MaxF) = 2[log 2 ((M.

Outline. Theorem For the two processor network, Bit C(Leader) = Bit C(MaxF) = 2[log 2 ((M + 2)/3.5)] and Bit C t (Leader) = Bit C t (MaxF) = 2[log 2 ((M.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
On Virtual Grey-Box Obfuscation for General Circuits Nir Bitansky Ran Canetti Yael Tauman-Kalai Omer Paneth.

On Virtual Grey-Box Obfuscation for General Circuits Nir Bitansky Ran Canetti Yael Tauman-Kalai Omer Paneth.

Similar presentations

Ads by Google