Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz.

Published byLoren Norton Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz."— Presentation transcript:

1 1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz Barak

2 2 Recall our high-level goal Ensure properties of a distributed computation when parties are mutually untrusting, faulty, leaky & malicious.

3 3 PrimitiveAttacksGuaranteesFunction ality Communi cation Assumpti ons Leakag e TamperingCorrectne ss SecrecyFunction class Output form FHEANYnoneYES CircuitsEncryptedMinimalComputati onal ANYno Arguments (CS proofs / PCD / SNARG) ANY YESnoRAM, distributed PlaintextMinimalExotic computati onal / oracle MPCANY YES ANYPlaintextHeavy interaction Mild computati onal Garbled circuits ANYnoneYES CircuitsPlaintextPreproces sing + minimal Mild computati onal ANYno Leakage resilience VariesnoneYES VariesPlaintextMinimalVaries anyno Tamper resilience VariesVARIESVaries PlaintextMinimalVaries ObfuscationANY YES PlaintextMinimal0=1 TPMSecure hardware

4 4 Garbled circuits: variants of functionality (summary of whiteboard discussion) “Honest-but-curious” model Offline-online evaluation for public circuits Circuit U is public, Alice chooses x, Bob learns U(x) and nothing else. Offline-online evaluation for secret circuits Alice chooses C and x, Bob learns C(x) and nothing else. Obtained from previous by making U a universal circuit and plugging in the description of C.

5 5 Garbled circuits: construction (summary of whiteboard discussion) The garbled circuits Choose random keys for each value for each wire. Output: Gate tables (double-encryption of output keys under input keys, permuted) Keys of output wires The garbled inputs Keys for chosen values in input wires Evaluation Gate-by-gate, using double decryption.

6 6 An obfuscator: an algorithm O such that for any program P, O(P) is a program such that: O(P) has the same functionality as P O(P) is infeasible to analyze / “reverse-engineer”. Intuition: an obfuscator should provide a “virtual black- box” in the sense that giving someone O(P) should be equivalent to giving her a black-box that computes P. What Is an Obfuscator?

7 7 Practical Reasons: Understanding code is very difficult Obfuscation used (successfully?) in practice for security purposes Theoretical Reasons: All canonical hard problems are problems of reverse engineering: SAT, HALTING Rice’s Theorem: You can’t look at the code (Turing Machine description) of a function and find out a non-trivial property of it. Why might obfuscators exist?

8 8 “Digital right management” Converting symmetric-key encryption to asymmetric- key encryption Removing Random Oracles for specific natural protocols. Give someone ability to sign/decrypt a restricted subset of the message space. Applications for obfuscators

9 9 Definition 1 An algorithm O is an obfuscator if for any circuit C: 1.(functionality) O(C) ~ C (i.e., O(C) computes the same function as C) 2.(polynomial slowdown) |O(C)|  p(|C|) for some polynomial p( ). We say that O is efficient if it runs in polynomial time. Defining obfuscators

10 10 A Natural Formal Interpretation: For any adversary A there’s a simulator S such that for any circuit C A(O(C))  C.I. S C (1 |C| ) “Anything that can be learned from the obfuscated form, could have been learned by merely observing the circuit’s input-output behavior (i.e., by treating the circuit as a black-box)’’ This definition is impossible to meet! Defining security

11 11 Relaxation: simulator should only compute a specific function (even predicate) rather than generate an indistinguishable output. Weak Obfuscators:  p.p.t. adversary A  (poly time) predicate p:{0,1} *  {0,1}  S such that for all circuits C Pr [ A(O(C)) = p(C) ]  Pr [ S C (1 |C| ) = p(C) ] + negl(|C|) Note: may be too weak for desired applications, but still we’ll prove that it is impossible to meet. Defining security (2)

12 12 Definition 2 A (efficiently computable) function ensemble { F t } ( F t :{0,1} |t|  {0,1} |t| ) is an unobfuscatable function ensemble (UF) if it satisfies: There’s a poly time predicate p:{0,1} *  {0,1} such that: (a) (p easy to compute with a circuit) There’s a p.p.t A such that for any circuit C such that C ~ F t :A(C) = p(F t ) (b) (p hard to compute with black-box access) For any p.p.t S, for random t  {0,1} n : Pr [ S F t (1 n ) = p(t) ]  ½ + negl(n) Theorem 1:  unobfuscatable functions   “very weak” obfuscators. Inherently Unobfuscatable Functions

13 13 There exist unobfuscatable functions (if there exist OWFs).  Efficient (even weak) obfuscators do not exist. Moreover: There exist unobfuscatable encryption schemes (if any exist). There exist unobfuscatable signature schemes (if any exist). Natural relaxations of obfuscation (e.g., approximate correctness) are still impossible. State of the art Constructions for very simple classes (e.g., point functions) In practice, heuristics to slow down reverse engineering. Results (summary of whiteboard discussion)

Download ppt "1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz."

Similar presentations

Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Security Seminar, Fall 2003 On the (Im)possibility of Obfuscating Programs Boaz Barak, Oded Goldreich, Russel Impagliazzo, Steven Rudich, Amit Sahai, Salil.

Security Seminar, Fall 2003 On the (Im)possibility of Obfuscating Programs Boaz Barak, Oded Goldreich, Russel Impagliazzo, Steven Rudich, Amit Sahai, Salil.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 2: Crypto review, fault attacks Eran Tromer (This lecture was given mostly.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 2: Crypto review, fault attacks Eran Tromer (This lecture was given mostly.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)

On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
Private Programs: Obfuscation, a survey Guy Rothblum Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and Yang Lynn, Prabhakaran and Sahai Goldwasser.

Private Programs: Obfuscation, a survey Guy Rothblum Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and Yang Lynn, Prabhakaran and Sahai Goldwasser.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Similar presentations

Ads by Google