Protecting Obfuscation Against Algebraic Attacks
description
Transcript of Protecting Obfuscation Against Algebraic Attacks
Protecting Obfuscation Against Algebraic
Attacks
Boaz Barak Sanjam GargYael Tauman Kalai Omer Paneth Amit Sahai
Program Obfuscation
Public Key
𝑚 cipher
Obfuscation
𝐸𝑛𝑐𝑠𝑘(𝑚)
𝑚 cipher
Virtual Black-Box (VBB)[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm is an obfuscator for a class if:
For every PPT adversary there exists a PPT simulator such that for every :
𝐴 𝑆𝑃 (𝐶 )𝒪(𝐶 )
𝐶
≈
VBB ImpossibilityThere exists contrived “unobfuscatable”
programs.
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Execute on
itself𝑆𝒪(𝐶 )
𝐶
𝐶 Secret
Secret
Code of a program
equivalent to
First Candidate Obfuscation[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
What is the security of the candidate?Assumption:
The [GGHRSW13] obfuscator is an Indistingushability Obfuscator.
No known attacks except [BGIRSVY01].Indistinguishability Obfuscation ():For every pair of equivalent circuits :
This Work
A variant of the [GGHRSW13] obfuscator is VBB for all circuits
in a generic model (underlying algebra is idealized)
Multilinear Maps[Boneh-Silverberg 03, Garg-Gentry-Halevi 13]
Encoding of under a set .
1. iff
Idealy: any other operation is hard.
The Generic MM Model
𝐶 𝒪(𝐶 )
AddMultiply
ZT𝑥
𝐶 (𝑥)
𝑥
𝐶 (𝑥)
?
𝐸11
Our Result
Virtual Black-Box obfuscation in the generic MM model:
1. For .2. For assuming LWE.
Avoiding VBB Impossibility
Execute on
itself𝒪(𝐶 )
𝐶 Secret
Secret
Code of a program equivalent to
AddMulZT
In the Generic MM Model
Secure obfuscation against “algebraic
attacks”.
Warning:Non-algebraic attacks do exist [BGIRSVY01].
Interpretation
Interpretation IIThis Work:
VBB with Generic Multilinear Maps
+¿ Multi-Message Semantically-Secure
Multilinear Maps [Pass-Seth-Telang 13]
for P/Poly (assuming
LWE) [Pass-Seth-Telang 13]
Virtual gray-box obfuscation for
[Bitansky-Canetti-Kalai-P 14].
Previous Works in the Generic Colored Matrix
Model
[GGHRSW13]
in the Generic MM Model
[Brakerski-Rothblum13]
VBB in the Generic
MM Model[Brakerski-Rothblum13]
Assuming BSH
This Work
VBB from Black-Box Pseudo-Free
Groups
[Canetti-Vaikuntanathan13]
1. Construction for via branching programs
2. Bootstrap to P/Poly assuming LWE (leveled-FHE with decryption in )
The Construction
Branching Programs
𝑀 10𝑀 2
0𝑀 30𝑀 4
0 𝑀 50𝑀 6
0𝑀 70𝑀 8
0𝑀 90 𝑀 10
0 𝑀 110 𝑀 12
0
𝑀 11𝑀 2
1𝑀 31𝑀 4
1 𝑀 51𝑀 6
1𝑀 71𝑀 8
1𝑀 91 𝑀 10
1 𝑀 111 𝑀 12
1
𝑥1 𝑥2𝑥3 𝑥4Input:
Program:
BP Evaluation
𝑀 10𝑀 2
0𝑀 30𝑀 4
0 𝑀 50𝑀 6
0𝑀 70𝑀 8
0𝑀 90 𝑀 10
0 𝑀 110 𝑀 12
0
𝑀 11𝑀 2
1𝑀 31𝑀 4
1 𝑀 51𝑀 6
1𝑀 71𝑀 8
1𝑀 91 𝑀 10
1 𝑀 111 𝑀 12
1
0110Input:
Program:
⊤ ⊥Output:
or
Obfuscating BP1.Randomizing [Kilian 88]
2.Encoding
Step 1: Randomizing
~𝑀10~𝑀 2
0~𝑀 30~𝑀 4
0~𝑀50~𝑀 6
0~𝑀70~𝑀 8
0~𝑀 90~𝑀10
0 ~𝑀110 ~𝑀12
0
~𝑀11~𝑀 2
1~𝑀 31~𝑀 4
1~𝑀51~𝑀 6
1~𝑀71~𝑀 8
1~𝑀 91 ~𝑀10
1 ~𝑀111 ~𝑀12
1
Program:
⊤ ⊥Output:
or𝑥1 𝑥2𝑥3 𝑥4Input:
Step 1: Randomizing
~𝑀10~𝑀 2
0~𝑀 30~𝑀 4
0~𝑀50~𝑀 6
0~𝑀70~𝑀 8
0~𝑀 90~𝑀10
0 ~𝑀110 ~𝑀12
0
~𝑀11~𝑀 2
1~𝑀 31~𝑀 4
1~𝑀51~𝑀 6
1~𝑀71~𝑀 8
1~𝑀 91 ~𝑀10
1 ~𝑀111 ~𝑀12
1
0110Input:
Program:
⊤ ⊥Output:
or
Step 2: Encoding
~𝑀10~𝑀 2
0~𝑀 30~𝑀 4
0~𝑀50~𝑀 6
0~𝑀70~𝑀 8
0~𝑀 90~𝑀10
0 ~𝑀110 ~𝑀12
0
~𝑀11~𝑀 2
1~𝑀 31~𝑀 4
1~𝑀51~𝑀 6
1~𝑀71~𝑀 8
1~𝑀 91 ~𝑀10
1 ~𝑀111 ~𝑀12
1
Program:
{1} {2 } {3 } {4 } {5 } {6 } {7 } {8 } {9 } {10 } {11} {12}
⊤{1,… ,12 }
Obfuscation includes the encodings:
Proof of Security
⊤
+¿
~𝑀10 ~𝑀 4
0~𝑀50 ~𝑀 8
0~𝑀 90 ~𝑀12
0
~𝑀 21~𝑀 3
1 ~𝑀 61~𝑀7
1 ~𝑀101 ~𝑀11
1
~𝑀 20 ~𝑀 6
0 ~𝑀100
~𝑀11 ~𝑀 3
1~𝑀 41~𝑀5
1 ~𝑀71~𝑀 8
1~𝑀 91 ~𝑀11
1 ~𝑀121
…
¿0?
Simulation Outline
Test every monomial separately: ~𝑀1
0 ~𝑀 40~𝑀5
0 ~𝑀 80~𝑀 9
0 ~𝑀120
~𝑀 21~𝑀 3
1 ~𝑀 61~𝑀7
1 ~𝑀101 ~𝑀11
1
By querying 0110
Problems
1. Inconsistent monomials: ~𝑀1
0 ~𝑀 40
~𝑀51
~𝑀 80~𝑀 9
0 ~𝑀120
~𝑀 21~𝑀 3
1 ~𝑀 61~𝑀7
1 ~𝑀101 ~𝑀11
1
2. Too many monomials: (~𝑀1
0+~𝑀11 )⋅ (~𝑀 2
0+~𝑀 21 )⋅… ⋅ (~𝑀12
0 +~𝑀 121 )
Changing the Sets
~𝑀10~𝑀 2
0~𝑀 30~𝑀 4
0~𝑀50~𝑀 6
0~𝑀70~𝑀 8
0~𝑀 90~𝑀10
0 ~𝑀110 ~𝑀12
0
~𝑀11~𝑀 2
1~𝑀 31~𝑀 4
1~𝑀51~𝑀 6
1~𝑀71~𝑀 8
1~𝑀 91 ~𝑀10
1 ~𝑀111 ~𝑀12
1
{1} {2 } {3 } {4 } {5 } {6 } {7 } {8 } {9 } {10 } {11} {12}
{1} {2 } {3 } {4 } {5 } {6 } {7 } {8 } {9 } {10 } {11} {12}
⊤{1,… ,12 }
Changing the Sets
~𝑀10~𝑀 2
0~𝑀 30~𝑀 4
0~𝑀50~𝑀 6
0~𝑀70~𝑀 8
0~𝑀 90~𝑀10
0 ~𝑀110 ~𝑀12
0
~𝑀11~𝑀 2
1~𝑀 31~𝑀 4
1~𝑀51~𝑀 6
1~𝑀71~𝑀 8
1~𝑀 91 ~𝑀10
1 ~𝑀111 ~𝑀12
1
{ 11 ′ } { 22 ′} { 33 ′ } { 44 ′} { 55 ′} { 66 ′ } { 77 ′ } { 88 ′ } { 99 ′ } { 1010 ′} { 1111 ′ } { 1212′ }
{ 11 ′ } { 22 ′} { 33 ′ } { 44 ′} { 55 ′} { 66 ′ } { 77 ′ } { 88 ′ } { 99 ′ } { 1010 ′} { 1111 ′ } { 1212′ }
⊤{ 1 ,…,121′ ,…,12′ }
Changing the Sets
~𝑀10 ~𝑀5
0 ~𝑀 90
~𝑀11 ~𝑀5
1 ~𝑀 91
{ 11 ′ } { 55 ′} { 99 ′ }
{ 11 ′ } { 55 ′} { 99 ′ }
Straddling Set System
~𝑀10 ~𝑀5
0 ~𝑀 90
~𝑀11 ~𝑀5
1 ~𝑀 91
{ 15 ′} { 59 ′ } { 91 ′ }
{ 11 ′ } { 55 ′} { 99 ′ }
{ 1 ,5,91′ ,5 ′ ,9 ′}={ 11′ }∪ {55′ }∪{99′ }={ 15 ′}∪{ 59 ′}∪{ 91′ }
-matrices -matrices
Straddling Set System
~𝑀10 ~𝑀5
0 ~𝑀 90
~𝑀11 ~𝑀5
1 ~𝑀 91
{ 15 ′} { 59 ′ } { 91 ′ }
{ 11 ′ } { 55 ′} { 99 ′ }
Straddling Set System
{ 15 ′} { 26 ′ } { 37 ′ } { 48 ′ } { 59 ′ } { 610 ′} { 711 ′} { 812 ′ } { 91 ′ } {102′ } {113 ′ } {124 ′ }
{ 11 ′ } { 22 ′} { 33 ′ } { 44 ′} { 55 ′} { 66 ′ } { 77 ′ } { 88 ′ } { 99 ′ } { 1010 ′} { 1111 ′ } { 1212′ }
Too Many Monomials
( ¿+¿ ) ⋅…⋅ (¿+¿ )
(~𝑀10~𝑀 5
0~𝑀90+~𝑀1
1~𝑀51~𝑀 9
1 )⋅…⋅ (~𝑀 40~𝑀 8
0~𝑀120 +~𝑀 4
1~𝑀 81~𝑀 12
1 )
Pairing Level Together
~𝑀 9
0~𝑀 101
~𝑀 91~𝑀 10
0
From Two Levels to One
~𝑀100~𝑀 9
0
~𝑀101~𝑀 9
1
~𝑀 91~𝑀 10
1
~𝑀 90~𝑀 10
0
{ 812 ′ }{102 ′ }
{ 88 ′ }{ 1010 ′} { 10,810′ ,8 ′}{ 10,810′ ,12 ′}{10,82′ ,8 ′ }{ 10,82′ ,12 ′}
From Two Levels to One
Dual-Input BP
𝑥1 𝑥2𝑥3 𝑥4Input:
Too Many Monomials
(¿ ¿¿¿ ¿ ¿¿¿¿¿+
¿¿¿¿¿¿¿¿)(¿ ¿¿
¿ ¿ ¿¿¿¿¿+¿¿¿¿¿¿¿¿)
Thank You!