New Techniques for Obfuscating Conjunctions

0

James Bartusek (Princeton)Tancrède Lepoint (SRI & )Fermi Ma (Princeton)Mark Zhandry (Princeton)

1

Motivating Scenario: Password Check Program

P " :if " = “correcthorsebatterystaple”:

output 1 (accept)else:

output 0 (reject)

2

Motivating Scenario: Password Check Program

P " :if " = “correcthorsebatterystaple”:

output 1 (accept)else:

output 0 (reject)

Problem: No security if attacker sees program implementation!

Light Blue

HEX 09B6C9

3

Slightly Better Solution

P′ # :if SHA256 # == “cbe6beb26479b568e5f15b

50217c6c83c0ee051dc4e522b9840d8e291d6aaf46”:

output 1 (accept)else:

output 0 (reject)

Compute SHA256(“correcthorsebatterystaple”)

= cbe6beb26479b568e5f15b50217c6c83c0ee051dc4e522b9840d8e291d6aaf46

Light Blue

HEX 09B6C9

4

Obf(P) ! :if SHA256 ! == “cbe6beb26479b568e5f15b50217c6c83c0ee051dc4e522b9840d

8e291d6aaf46”:

output 1 (accept)else:

output 0 (reject)

This is a simple example of program obfuscation [BGIRSVY]for point functions [Can97,CMR98,LPS04,Wee05,BP12,…]

Informally, want Obf to satisfy:

• (correctness) Obf(P)(!) = P(!)for all !

• (virtual black box) Obf(P) reveals nothing beyond input/output behavior of P

P ! :if x = “correcthorsebatterystaple”

output 1 (accept)

else:output 0 (reject)

Apply Obf

5

Today: Obfuscation for Conjunctions(or “pattern-matching with wildcards”)

!"# = 1*10*(match) 11100

(mismatch) 10001(match) 10101

(mismatch) 01111

$%&' ( :if ( matches !"# output 1else output 0

bitstring ( matches !"# if it equals !"# except on *

6

Today: Obfuscation for Conjunctions(or “pattern-matching with wildcards”)

!"# = 1*10*(match) 11100

(mismatch) 10001(match) 10101

(mismatch) 01111

$%&' ( :if ( matches !"# output 1else output 0

bitstring ( matches !"# if it equals !"# except on *

Goal: Allow public evaluation of $%&' (on any input)without leaking any information about !"#

7

Today: Obfuscation for Conjunctions(or “pattern-matching with wildcards”)

Restriction: !"# drawn from distribution where accepting inputs to $%&' ( are hard to find [BBCKPS13]

Intuition: If I can’t find accepting inputs to $%&' ( , black box

access reveals nothing about pat

Goal: Allow public evaluation of $%&' (on any input)without leaking any information about !"#

8

Assumption or Model

[BR13] Multilinear Maps

[BVWW16] Entropic Ring LWE

[GKW17],[WZ17] LWE

[BKMPRS18] Generic Group Model

Prior Conjunction Obfuscators

Our Work:An investigation of simple conjunction

obfuscators, inspired by [BKMPRS18].

9

Assumption or Model Obfuscation is secure whenpattern is sampled from:

[BKMPRS18] Generic Group Model !"[$%], where $ < 0.774

This work(see paper)

Generic Group Model* !"[% − - log % ]

This work Learning Parity with Noise !"[$%] where $ < 1

This work(see paper)

Information theoretic* !"[%2] where 0 ≤ 4 < 1

Our Results: Extending the [BKMPRS18] Approach

!"[5] denotes uniform distribution over length % patterns with 5 wildcards

*can be extended beyonduniform distributions(see also [BeuWee19])

10

1. A Trivial Construction with No Security2. Modifying the Trivial Construction3. Security from LPN

Talk Outline

11

What Does “Simple” Mean?

Obfuscation: On input !"# ∈ {0,1,∗} +Output vector ,-./ over 0-

12

What Does “Simple” Mean?

Obfuscation: On input !"# ∈ {0,1,∗} +Output vector ,-./ over 0-

Evaluation: On input 1 ∈ {0,1} +Write down vector 23Accept if 234 ,-./ = 0

Intuition: A Trivially Insecure Construction

Obfuscation:! = 3

$%& = *01

Structure of 'taken from [BKMPRS18]

Accept!

' =

00)*00)+

*

0

1

$%&

13

Intuition: A Trivially Insecure Construction

Obfuscation:! = 3

$%& = *01

Structure of 'taken from [BKMPRS18]

() ⋅ ' = 0 1 0 1 1 0

00-.00-/

= 0

0 = 0 0 1Evaluation: 0 = 001

Accept!

(Accepting input)

' =

00-.00-/

*

0

1

$%&

14

Intuition: A Trivially Insecure Construction

Obfuscation:! = 3

$%& = *01

Structure of 'taken from [BKMPRS18]

() ⋅ ' = 0 1 0 1 1 0

00-.00-/

= 0

0 = 0 0 1*

0

1

$%&Evaluation: 0 = 001

Accept!

(Accepting input)

' =

00-.00-/

*

0

1

$%&

15

Intuition: A Trivially Insecure Construction

! =

00$%00$&

*

0

1

'()

Obfuscation:* = 3

'() = *01

Structure of !taken from [BKMPRS18]

,- ⋅ ! = 0 1 1 0 1 0

00$%00$&

= $%

0 = 0 1 1*

0

1

'()Evaluation: 0 = 011

Reject!

(Rejecting input)

16

17

1. A Trivial Construction with No Security2. Modifying the Trivial Construction3. Security from LPN

Talk Outline

18

Why is this construction broken?

Adversary can simply read !

"# ⋅ ! = 0 1 0 1 1 0

00()00(*

= 0

! =

00()00(*

*

0

1

+,-

Obfuscation:. = 3

+,- = *01

0 = 0 0 1*

0

1

+,-Evaluation: 0 = 000

2.

19

Why is this construction broken?

Adversary can simply read !

Equivalently:Current scheme does not prevent adversary from learning "# ⋅ ! for "# = 1 0 0…0 , 0 1 0…0 , etc. "

# ⋅ ! = 0 1 0 1 1 0

00*+00*,

= 0

! =

00*+00*,

*

0

1

-./

Obfuscation:0 = 3

-./ = *01

2 = 0 0 1*

0

1

-./Evaluation: 2 = 000

20

00"#00"$

20

Fixing the Construction (Approach 1)

1 2 3 4 5 61$ 2$ 3$ 4$ 5$ 6$1+ 2+ 3+ 4+ 5+ 6+1, 2, 3, 4, 5, 6,

00"#00"$-

2.

. + 1

1 2 3 4 5 61$ 2$ 3$ 4$ 5$ 6$1+ 2+ 3+ 4+ 5+ 6+1, 2, 3, 4, 5, 6,

-

2.

. + 1

*

0

1

012

*

0

1

012

3 3

2.

Instead of 3, use 4 = - 6 3

Claim 1: Any . + 1 × . + 1

submatrix of - is full rank over 89

21

1 2 3 4 5 61' 2' 3' 4' 5' 6'1( 2( 3( 4( 5( 6(1) 2) 3) 4) 5) 6)

00+,00+'-

2.

1 2 3 4 5 61' 2' 3' 4' 5' 6'1( 2( 3( 4( 5( 6(1) 2) 3) 4) 5) 6)

-

2.

. + 1

*

0

1

012

345

(7, 7' 7( 7)). + 1

Instead of 3, use 9 = - ; 3

459

7, 7' 7( 7)

22

1 2 3 4 5 61' 2' 3' 4' 5' 6'1( 2( 3( 4( 5( 6(1) 2) 3) 4) 5) 6)

*

2+

+ + 1

Instead of -, use . = * 0 -

12.

34 3' 3( 3)

545'5(5)

=+ + 1

=

12*6 12*7 12*8 12*9 12*: 12*;

00=400='

2+*

0

1

>?@

-12*At most + out of 2+ entries of 12* can be 0.

(*A denotes Bth column of *)

Fixing the Construction (Approach 1)

Claim 1: Any + + 1 × + + 1

submatrix of * is full rank over DE

23

!"!#!$!%

=1 2 3 4 5 61# 2# 3# 4# 5# 6#1$ 2$ 3$ 4$ 5$ 6$1% 2% 3% 4% 5% 6%

00."00.#/

20*

0

1

123

4

0 + 1

6

If 1237 = ∗::#7;":#7 =

00

If 1237 = 0::#7;":#7 =

.0 for . ← =>

If 1237 = 1::#7;":#7 =

0. for . ← =>

Evaluation: represent ? = 001 as vector @A/ with 0 entries at indices encoding ?.

@A/ = 0 $ 0 $ $ 0? = 0 0 1

20

24

!"!#!$!%

=1 2 3 4 5 61# 2# 3# 4# 5# 6#1$ 2$ 3$ 4$ 5$ 6$1% 2% 3% 4% 5% 6%

00."00.#/

20*

0

1

123

4

0 + 1

6

If 1237 = ∗::#7;":#7 =

00

If 1237 = 0::#7;":#7 =

.0 for . ← =>

If 1237 = 1::#7;":#7 =

0. for . ← =>

Evaluation: represent ? = 001 as vector @A/ with 0 entries at indices encoding ?.

@A/ = 0 $ 0 $ $ 0? = 0 0 1

Find any @ that makes entries of @A/ equal 0 in these 0 positions (@ is length 0 + 1, only 0 constraints)

Accept if @A6 = C

20

25

!"!#!$!%

=1 2 3 4 5 61# 2# 3# 4# 5# 6#1$ 2$ 3$ 4$ 5$ 6$1% 2% 3% 4% 5% 6%

00."00.#/

20*

0

1

123

4

0 + 1

6Lemma 1 (No Linear Attacks): For any fixed 7 ∈ 9:;

26

!"!#!$!%

=1 2 3 4 5 61# 2# 3# 4# 5# 6#1$ 2$ 3$ 4$ 5$ 6$1% 2% 3% 4% 5% 6%

00."00.#

/

20*

0

1

123

4

0 + 1

6

1) Due to Claim 1, 78/ ∈ :;#< is non-zero in at least 0 positions =", =#, … , =

27

!"!#!$!%

=1 2 3 4 5 61# 2# 3# 4# 5# 6#1$ 2$ 3$ 4$ 5$ 6$1% 2% 3% 4% 5% 6%

00."00.#/

20*

0

1

123

4

0 + 1

6

Claim 1: Any 0 + 1 × 0 + 1

submatrix of / is full rank over 89

Construction: obfuscation is encoding of 6 = /4 in group exponent*::6 = :;, … . , :;AB<

*Idea due to [BKMPRS18]: this construction can be viewed as “dual” to their construction.

Lemma 1 (No Linear Attacks): For any fixed C ∈ 89EF", if 4 is an encoding of 123 (from “nice” distribution), CG6 = CG/4 is a random scalar (with overwhelming probability).

28

Obfuscation: encoding of ! = #$ in group exponent*:%! = %&', %&), … . , %&,-'

Security in Generic Group Model (GGM) [Nac94,Sho97]

Lemma 1 (No Linear Attacks): For any fixed . ∈ 01234, if $ is an encoding of 567 (from “nice” distribution), .8! = .8#$ is a random scalar (with overwhelming probability).

*Idea due to [BKMPRS18]: this construction can be viewed as “dual” to their construction.

29

Obfuscation: encoding of ! = #$ in group exponent*:%! = %&', %&), … . , %&,-'

Security in Generic Group Model (GGM) [Nac94,Sho97]

Lemma 1 (No Linear Attacks): For any fixed . ∈ 01234, if $ is an encoding of 567 (from “nice” distribution), .8! = .8#$ is a random scalar (with overwhelming probability).

[BKMPRS18]: Security in GGM if 567 is uniformly random with 9: wildcards, if 9 ≤ .774.

[This work]: Lemma 1 implies security in GGM if 567 is uniformly

random with : − ?(log :) wildcards (optimal).

(see paper and [BeuWee19] for entropic setting)

*Idea due to [BKMPRS18]: this construction can be viewed as “dual” to their construction.

30

1. A Trivial Construction with No Security2. Modifying the Trivial Construction3. Security from LPN

Talk Outline

Step 1: Sample a length 2" vector #:If $%&' = ∗,

*+',-*+' =

00

If $%&' = 0, *+',-*+' =

/0 for / ← 12

If $%&' = 1, *+',-*+' =

0/ for / ← 12

31

Step 2: Define 4 ∈ 1267- ×+6 whose 9, ; th entry is:

4',< = ;'Compute the vector = = 4 > # ∈ 1267-

Obfuscation: ?=

@-@+@A@B

=1 2 3 4 5 61+ 2+ 3+ 4+ 5+ 6+1A 2A 3A 4A 5A 6A1B 2B 3B 4B 5B 6B

00/-00/+

4 #=*0

1

Group-Based Construction

Step 1: Sample a length 2" vector #:

If $%&' = ∗, *+',-*+'

= 00

If $%&' = 0, *+',-*+'

=/0 for / ← 12

If $%&' = 1, *+',-*+'

= 0/

for / ← 12

32

Obfuscation: 4, 6

7-7+7879

=

1 2 3 4 5 61+ 2+ 3+ 4+ 5+ 6+

18 28 38 48 58 68

19 29 39 49 59 69

00/-00/+

4#

6*0

1

New Construction

Step 2: Sample a uniformly random matrix 4 ← 12

>?- ×+>.

Compute the vector 6 = 4 A # ∈ 12>?-

random 4

Idea: Randomize 4!

Why would this be secure?

33

Learning Parity with Noise Assumption (over !")

# ≈%& +,

Standard LPNset each entry• 0 w/ prob 1 − +• #, ← !" w/ prob +

uniform

.&//0

uniform

1,&uniform

uniformuniform

34

Learning Parity with Noise Assumption (over !")

# ≈%& +,

Standard LPNset each entry• 0 w/ prob 1 − +• #, ← !" w/ prob +

uniform

.&//0

uniform

1,&uniform

uniformuniform

Exact LPN [JKPT12]set exactly +/ entries non-zero(polynomially equivalent)

35

Learning Parity with Noise Assumption (over !")

# ≈%& +,uniform

)&**+

uniform

,,&uniform

uniformuniform

Exact LPN [JKPT12]set exactly -* entries non-zero(polynomially equivalent)

Last modification: switch to “dual”

Standard LPNset each entry• 0 w/ prob 1 − -• #0 ← !" w/ prob -

36

!"#

$"

Compute $ with full row-rank such that:

" − "# = '

Last modification: switch to “dual”

37

!" +uniform

$%&

'%% − %&

"%&

'%

Compute ' with full row-rank such that:

% − %& = *Observe

= !'

Last modification: switch to “dual”

38

Dual Exact LPN Assumption(polynomially equivalent to LPN)

! ≈#$, uniform$&− &(

&

uniform),$

uniform

uniformexactly *& non-zero values

Observation: $,$+ looks similar to the obfuscation!

39

!"!#!$!%

=

1 2 3 4 5 61# 2# 3# 4# 5# 6#

1$ 2$ 3$ 4$ 5$ 6$

1% 2% 3% 4% 5% 6%

00."00.#

/0

1*

0

1

random /!"!#…

!9:9;

=

1 2 3 41# 2# 3# 4#

1$ 2$ 3$ 4$

1% 2% 3% 4%

."0.#.$0

01

random<

<

Dual Exact LPN Assumption:

(

40

! is " + 1 × 2"• Sample random ! over '(• Sample ) as uniformly random 2"

dimensional vector with exactly *"non-zero entries, conditioned on each pair of indices (2i − 1,2i) having at least one 0 entry.

0 is (" − "1) × "• Sample random 0 over '(• Sample ) as uniformly random "

dimensional vector with exactly *"non-zero entries.

“unstructured error vector” “structured error vector”

Terminology

41

Security Theorem: This construction is secure under the Learning Parity with Noise Assumption (constant noise rate !, over a large field "#) if $%& is uniformly random with 1 − ! )

wildcards for any 0 < ! < 1.

42

! ≈#$%

% − %' $ $(,,

*Want to show:

2%

* !% + 1 *(′≈#

LPN Assumption:

, ,

( unstructured error

(′ structured error

uniform

uniform

uniform

uniform uniform

uniform

This would imply the obfuscation (right-hand side) looks totally random.

43

!" !# !$ !% !&

'

' − ')

Step 1 (generating structured error): Sample ' random columns *",…*-. Replace ! with !′ where each pair of indices (21 − 1,21) is either !4, *4or *4, !4 (pick randomly).

!" *" *# !# *$ !$ !% *% *& !&

2'

' − ')

!′!

Claim: !5 = !75′ where 5 is unstructured error and 57is structured error

44

!" !# !$ !% !& !" '" '# !# '$ !$ !% '% '& !&

00

0

0

)"

0

)#)$0

0

) unstructured errornon-zero entries in *+ randomly chosen positions

)′ structured errornon-zero entries in *+ randomly chosen positions, each pairhas at least one 0

+

+ − +.

2+

2+)"0)#)$0

=

Claim: !) = !1)′ where ) is unstructured error and )1is structured error

!′!

!" #" #$ !$ #% !% !& #& #' !'

45

( ≈*!+

+ − +- ! !.,,LPN Assumption: . unstructured erroruniform

uniform uniform

Result of Step 1:

( ≈* !′.′,,.’ structured erroruniform

!" #" #$ !$ #% !% !& #& #' !'+ − +-

2+

!" #" #$ !$ #% !% !& #& #' !'

46

( ≈*!+

+ − +- ! !.,,LPN Assumption: . unstructured erroruniform

uniform uniform

( ≈* !′.′,,.’ structured erroruniform

!" #" #$ !$ #% !% !& #& #' !'+ − +-

2+

Still need + + 1 rows for the scheme to work. Need +- + 1 additional rows Need +- + 1 additional rows+- + 1

uniform uniform

47

! ≈# $′&′,,&’ structured erroruniform

( − (*

2(

(* + 1uniform uniform$′ $′

.′ .′!’ ?

Naïve Idea: sample additional rows .′ uniformly at random.

But how do we fill in .′&′ without &′?

48

Observation: We know !"#$′ for any row !"# of !′.

Idea: use random linear combinations of rows of H’

& ≈( !′$′,,$’ structured erroruniform

* − *,

2*

uniform uniform!′ !′

49

Observation: We know !"#$′ for any row !"# of !′.

Idea: use random linear combinations of rows of H’

& ≈( !′$′,,$’ structured erroruniform

* − *,

2*

*, + 1uniform uniform!′ !′

0*, + 1* − *,

Sample randommatrix 0:

0!′ 0!′0&0!#$′

So are we done?

50

Observation: We know !"#$′ for any row !"# of !′.

Idea: use random linear combinations of rows of H’

& ≈( !′$′,,$’ structured erroruniform

* − *,

2*

*, + 1uniform uniform!′ !′

0!′ 0!′0!#$′The matrix isn’t random!

(rank is at most * − *,)

0*, + 1* − *,

Sample randommatrix 0:

0&

51

! ≈# $′&′,,&’ structured erroruniform

( − (*

2(

(* + 1uniform uniform$′ $′

.$′ .$′.$/&′

One last idea: we know half the

entries of &′ since we “inserted” (

zeros.

.!

52

One last idea: we know half the

entries of !′ since we “inserted” #

zeros.

$ ≈& '′!′,,!’ structured erroruniform

# − #*

2#

#* + 1uniform uniform'′ '′

.$

(.'0 + 1)!′

Sample matrix 1 with # uniformly random non-zero columns coinciding with # known zero entries of !′. (i.e. 1!0 = 0)

.'0 + 1.'0 + 1

2##* + 1 = 1

all 0’s column uniformly random column

Does this look uniformly random?

! − !#

2!

!# + 1uniform '′

)'* + +

! + 1

2!

,uniform≈? ? ?

53

Does this look uniformly random?

! − !#

2!

!# + 1uniform '′

)'* + +

2!

,-!# + 1

! − !#

!

,Heuristic Argument:

, has many ,- with last !# + 1 rows spanned by first ! − !#:• If ./ with 0 = 223 , any ,- satisfies this property with probability

4/56

26= 4

758693

• 22 choices of ,-; so we expect :(poly ! ) such ,- if 2A + B < 154

! + 1

≈E

55

! ≈# $′&′,,&’ structured erroruniform

( − (*

2(

(* + 1uniform uniform$′ $′

!’

(0$1 + 2)&′0$1 + 20$1 + 2

44 ! 4&′≈#, ,uniform

uniform uniform

≈5

(− 1

2( &’ structured error

Step 1: Double the width of ! and make the error structured.

Step 2: Increase the height of ! with random linear combinations.

Step 3: Break linear correlations with random entries in columns corresponding to 0 entries of "#.

Step 4: Replace with uniform by statistical argument

Reduction Recap

56

57

Conclusion• In the GGM: obfuscate conjunctions by encoding in

a vector and multiplying by a structured matrix• If we multiply by a random matrix, we can avoid

groups and rely on LPNIn the paper:• Obfuscate information theoretically with a hidden

subspace

Thank You!ePrint: ia.cr/2018/936