Protecting Obfuscation Against Algebraic Attacks

Boaz Barak, Sanjam Garg, Yael Tauman Kalai, Omer Paneth, Amit Sahai


Page 1: Protecting Obfuscation Against Algebraic Attacks

Protecting Obfuscation Against Algebraic Attacks

Boaz Barak, Sanjam Garg, Yael Tauman Kalai, Omer Paneth, Amit Sahai

Page 2: Protecting Obfuscation Against Algebraic Attacks

Program Obfuscation

[Diagram labels: Public Key; $m$, cipher; Obfuscation; $\mathsf{Enc}_{sk}(m)$]

Page 3: Protecting Obfuscation Against Algebraic Attacks

Virtual Black-Box (VBB) [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Algorithm is an obfuscator for a class if:

For every PPT adversary there exists a PPT simulator such that for every :

[Diagram labels: $A$, $S$, $P(C)$, $\mathcal{O}(C)$, $C$]

Page 4: Protecting Obfuscation Against Algebraic Attacks

VBB Impossibility

There exist contrived “unobfuscatable” programs. [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

[Diagram labels: Execute on itself; $S$; $\mathcal{O}(C)$; $C$; Secret; Code of a program equivalent to]

Page 5: Protecting Obfuscation Against Algebraic Attacks

First Candidate Obfuscation [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]

What is the security of the candidate?

Assumption: The [GGHRSW13] obfuscator is an Indistinguishability Obfuscator.

No known attacks except [BGIRSVY01].

Indistinguishability Obfuscation (): For every pair of equivalent circuits :

Page 6: Protecting Obfuscation Against Algebraic Attacks

This Work

A variant of the [GGHRSW13] obfuscator is VBB for all circuits in a generic model (underlying algebra is idealized)

Page 7: Protecting Obfuscation Against Algebraic Attacks

Multilinear Maps [Boneh-Silverberg 03, Garg-Gentry-Halevi 13]

Encoding of under a set .

1. iff

Ideally: any other operation is hard.

Page 8: Protecting Obfuscation Against Algebraic Attacks

The Generic MM Model

[Diagram labels: $C$, $\mathcal{O}(C)$; operations Add, Multiply, ZT; input $x$, output $C(x)$]

Page 9: Protecting Obfuscation Against Algebraic Attacks

Our Result

Virtual Black-Box obfuscation in the generic MM model:

1. For .

2. For assuming LWE.

Page 10: Protecting Obfuscation Against Algebraic Attacks

Avoiding VBB Impossibility

In the Generic MM Model

[Diagram labels: Execute on itself; $\mathcal{O}(C)$; $C$; Secret; Code of a program equivalent to; Add, Mul, ZT]

Page 11: Protecting Obfuscation Against Algebraic Attacks

Interpretation

Secure obfuscation against “algebraic attacks”.

Warning: Non-algebraic attacks do exist [BGIRSVY01].

Page 12: Protecting Obfuscation Against Algebraic Attacks

Interpretation II

This Work: VBB with Generic Multilinear Maps

+ Multi-Message Semantically-Secure Multilinear Maps [Pass-Seth-Telang 13]

for P/Poly (assuming LWE) [Pass-Seth-Telang 13]

Virtual gray-box obfuscation for [Bitansky-Canetti-Kalai-P 14].

Page 13: Protecting Obfuscation Against Algebraic Attacks

Previous Works

in the Generic Colored Matrix Model [GGHRSW13]

in the Generic MM Model [Brakerski-Rothblum13]

VBB in the Generic MM Model [Brakerski-Rothblum13], Assuming BSH

This Work

VBB from Black-Box Pseudo-Free Groups [Canetti-Vaikuntanathan13]

Page 14: Protecting Obfuscation Against Algebraic Attacks

The Construction

1. Construction for via branching programs

2. Bootstrap to P/Poly assuming LWE (leveled-FHE with decryption in )

Page 15: Protecting Obfuscation Against Algebraic Attacks

Branching Programs

Input: $x_1\ x_2\ x_3\ x_4$

Program:

$M_1^0\ M_2^0\ M_3^0\ M_4^0\ M_5^0\ M_6^0\ M_7^0\ M_8^0\ M_9^0\ M_{10}^0\ M_{11}^0\ M_{12}^0$

$M_1^1\ M_2^1\ M_3^1\ M_4^1\ M_5^1\ M_6^1\ M_7^1\ M_8^1\ M_9^1\ M_{10}^1\ M_{11}^1\ M_{12}^1$

Page 16: Protecting Obfuscation Against Algebraic Attacks

BP Evaluation

Input: 0110

Program:

$M_1^0\ M_2^0\ M_3^0\ M_4^0\ M_5^0\ M_6^0\ M_7^0\ M_8^0\ M_9^0\ M_{10}^0\ M_{11}^0\ M_{12}^0$

$M_1^1\ M_2^1\ M_3^1\ M_4^1\ M_5^1\ M_6^1\ M_7^1\ M_8^1\ M_9^1\ M_{10}^1\ M_{11}^1\ M_{12}^1$

Output: $\top$ or $\bot$

Page 17: Protecting Obfuscation Against Algebraic Attacks

Obfuscating BP

1. Randomizing [Kilian 88]

2. Encoding

Page 18: Protecting Obfuscation Against Algebraic Attacks

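Step 1: Randomizing

Input: $x_1\ x_2\ x_3\ x_4$

Program:

$\tilde{M}_1^0\ \tilde{M}_2^0\ \tilde{M}_3^0\ \tilde{M}_4^0\ \tilde{M}_5^0\ \tilde{M}_6^0\ \tilde{M}_7^0\ \tilde{M}_8^0\ \tilde{M}_9^0\ \tilde{M}_{10}^0\ \tilde{M}_{11}^0\ \tilde{M}_{12}^0$

$\tilde{M}_1^1\ \tilde{M}_2^1\ \tilde{M}_3^1\ \tilde{M}_4^1\ \tilde{M}_5^1\ \tilde{M}_6^1\ \tilde{M}_7^1\ \tilde{M}_8^1\ \tilde{M}_9^1\ \tilde{M}_{10}^1\ \tilde{M}_{11}^1\ \tilde{M}_{12}^1$

Output: $\top$ or $\bot$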

Page 19: Protecting Obfuscation Against Algebraic Attacks

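Step 1: Randomizing

Input: 0110

Program:

$\tilde{M}_1^0\ \tilde{M}_2^0\ \tilde{M}_3^0\ \tilde{M}_4^0\ \tilde{M}_5^0\ \tilde{M}_6^0\ \tilde{M}_7^0\ \tilde{M}_8^0\ \tilde{M}_9^0\ \tilde{M}_{10}^0\ \tilde{M}_{11}^0\ \tilde{M}_{12}^0$

$\tilde{M}_1^1\ \tilde{M}_2^1\ \tilde{M}_3^1\ \tilde{M}_4^1\ \tilde{M}_5^1\ \tilde{M}_6^1\ \tilde{M}_7^1\ \tilde{M}_8^1\ \tilde{M}_9^1\ \tilde{M}_{10}^1\ \tilde{M}_{11}^1\ \tilde{M}_{12}^1$

Output: $\top$ or $\bot$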

Page 20: Protecting Obfuscation Against Algebraic Attacks

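Step 2: Encoding

Program:

$\tilde{M}_1^0\ \tilde{M}_2^0\ \tilde{M}_3^0\ \tilde{M}_4^0\ \tilde{M}_5^0\ \tilde{M}_6^0\ \tilde{M}_7^0\ \tilde{M}_8^0\ \tilde{M}_9^0\ \tilde{M}_{10}^0\ \tilde{M}_{11}^0\ \tilde{M}_{12}^0$

$\tilde{M}_1^1\ \tilde{M}_2^1\ \tilde{M}_3^1\ \tilde{M}_4^1\ \tilde{M}_5^1\ \tilde{M}_6^1\ \tilde{M}_7^1\ \tilde{M}_8^1\ \tilde{M}_9^1\ \tilde{M}_{10}^1\ \tilde{M}_{11}^1\ \tilde{M}_{12}^1$

$\{1\}\ \{2\}\ \{3\}\ \{4\}\ \{5\}\ \{6\}\ \{7\}\ \{8\}\ \{9\}\ \{10\}\ \{11\}\ \{12\}$

$\top\ \{1,\dots,12\}$

Obfuscation includes the encodings: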

Page 21: Protecting Obfuscation Against Algebraic Attacks

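Proof of Security

$\tilde{M}_1^0 \tilde{M}_2^1 \tilde{M}_3^1 \tilde{M}_4^0 \tilde{M}_5^0 \tilde{M}_6^1 \tilde{M}_7^1 \tilde{M}_8^0 \tilde{M}_9^0 \tilde{M}_{10}^1 \tilde{M}_{11}^1 \tilde{M}_{12}^0 \;+\; \tilde{M}_1^1 \tilde{M}_2^0 \tilde{M}_3^1 \tilde{M}_4^1 \tilde{M}_5^1 \tilde{M}_6^0 \tilde{M}_7^1 \tilde{M}_8^1 \tilde{M}_9^1 \tilde{M}_{10}^0 \tilde{M}_{11}^1 \tilde{M}_{12}^1 \;\stackrel{?}{=}\; 0$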

Page 22: Protecting Obfuscation Against Algebraic Attacks

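Simulation Outline

Test every monomial separately:

$\tilde{M}_1^0 \tilde{M}_2^1 \tilde{M}_3^1 \tilde{M}_4^0 \tilde{M}_5^0 \tilde{M}_6^1 \tilde{M}_7^1 \tilde{M}_8^0 \tilde{M}_9^0 \tilde{M}_{10}^1 \tilde{M}_{11}^1 \tilde{M}_{12}^0$

By querying 0110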

Page 23: Protecting Obfuscation Against Algebraic Attacks

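Problems

1. Inconsistent monomials: $\tilde{M}_1^0 \tilde{M}_2^1 \tilde{M}_3^1 \tilde{M}_4^0 \tilde{M}_5^1 \tilde{M}_6^1 \tilde{M}_7^1 \tilde{M}_8^0 \tilde{M}_9^0 \tilde{M}_{10}^1 \tilde{M}_{11}^1 \tilde{M}_{12}^0$

2. Too many monomials: $(\tilde{M}_1^0 + \tilde{M}_1^1) \cdot (\tilde{M}_2^0 + \tilde{M}_2^1) \cdot \ldots \cdot (\tilde{M}_{12}^0 + \tilde{M}_{12}^1)$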

Page 24: Protecting Obfuscation Against Algebraic Attacks

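Changing the Sets

$\tilde{M}_1^0\ \tilde{M}_2^0\ \tilde{M}_3^0\ \tilde{M}_4^0\ \tilde{M}_5^0\ \tilde{M}_6^0\ \tilde{M}_7^0\ \tilde{M}_8^0\ \tilde{M}_9^0\ \tilde{M}_{10}^0\ \tilde{M}_{11}^0\ \tilde{M}_{12}^0$

$\tilde{M}_1^1\ \tilde{M}_2^1\ \tilde{M}_3^1\ \tilde{M}_4^1\ \tilde{M}_5^1\ \tilde{M}_6^1\ \tilde{M}_7^1\ \tilde{M}_8^1\ \tilde{M}_9^1\ \tilde{M}_{10}^1\ \tilde{M}_{11}^1\ \tilde{M}_{12}^1$

$\{1\}\ \{2\}\ \{3\}\ \{4\}\ \{5\}\ \{6\}\ \{7\}\ \{8\}\ \{9\}\ \{10\}\ \{11\}\ \{12\}$

$\{1\}\ \{2\}\ \{3\}\ \{4\}\ \{5\}\ \{6\}\ \{7\}\ \{8\}\ \{9\}\ \{10\}\ \{11\}\ \{12\}$

$\top\ \{1,\dots,12\}$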

Page 25: Protecting Obfuscation Against Algebraic Attacks

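Changing the Sets

$\tilde{M}_1^0\ \tilde{M}_2^0\ \tilde{M}_3^0\ \tilde{M}_4^0\ \tilde{M}_5^0\ \tilde{M}_6^0\ \tilde{M}_7^0\ \tilde{M}_8^0\ \tilde{M}_9^0\ \tilde{M}_{10}^0\ \tilde{M}_{11}^0\ \tilde{M}_{12}^0$

$\tilde{M}_1^1\ \tilde{M}_2^1\ \tilde{M}_3^1\ \tilde{M}_4^1\ \tilde{M}_5^1\ \tilde{M}_6^1\ \tilde{M}_7^1\ \tilde{M}_8^1\ \tilde{M}_9^1\ \tilde{M}_{10}^1\ \tilde{M}_{11}^1\ \tilde{M}_{12}^1$

$\{1,1'\}\ \{2,2'\}\ \{3,3'\}\ \{4,4'\}\ \{5,5'\}\ \{6,6'\}\ \{7,7'\}\ \{8,8'\}\ \{9,9'\}\ \{10,10'\}\ \{11,11'\}\ \{12,12'\}$

$\{1,1'\}\ \{2,2'\}\ \{3,3'\}\ \{4,4'\}\ \{5,5'\}\ \{6,6'\}\ \{7,7'\}\ \{8,8'\}\ \{9,9'\}\ \{10,10'\}\ \{11,11'\}\ \{12,12'\}$

$\top\ \{1,\dots,12,1',\dots,12'\}$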

Page 26: Protecting Obfuscation Against Algebraic Attacks

Changing the Sets

$\tilde{M}_1^0\ \tilde{M}_5^0\ \tilde{M}_9^0$

$\tilde{M}_1^1\ \tilde{M}_5^1\ \tilde{M}_9^1$

$\{1,1'\}\ \{5,5'\}\ \{9,9'\}$

$\{1,1'\}\ \{5,5'\}\ \{9,9'\}$

Page 27: Protecting Obfuscation Against Algebraic Attacks

Straddling Set System

$\tilde{M}_1^0\ \tilde{M}_5^0\ \tilde{M}_9^0$

$\tilde{M}_1^1\ \tilde{M}_5^1\ \tilde{M}_9^1$

$\{1,5'\}\ \{5,9'\}\ \{9,1'\}$

$\{1,1'\}\ \{5,5'\}\ \{9,9'\}$

$\{1,5,9,1',5',9'\} = \{1,1'\} \cup \{5,5'\} \cup \{9,9'\} = \{1,5'\} \cup \{5,9'\} \cup \{9,1'\}$

-matrices -matrices

Page 28: Protecting Obfuscation Against Algebraic Attacks

Straddling Set System

$\tilde{M}_1^0\ \tilde{M}_5^0\ \tilde{M}_9^0$

$\tilde{M}_1^1\ \tilde{M}_5^1\ \tilde{M}_9^1$

$\{1,5'\}\ \{5,9'\}\ \{9,1'\}$

$\{1,1'\}\ \{5,5'\}\ \{9,9'\}$

Page 29: Protecting Obfuscation Against Algebraic Attacks

Straddling Set System

$\{1,5'\}\ \{2,6'\}\ \{3,7'\}\ \{4,8'\}\ \{5,9'\}\ \{6,10'\}\ \{7,11'\}\ \{8,12'\}\ \{9,1'\}\ \{10,2'\}\ \{11,3'\}\ \{12,4'\}$

$\{1,1'\}\ \{2,2'\}\ \{3,3'\}\ \{4,4'\}\ \{5,5'\}\ \{6,6'\}\ \{7,7'\}\ \{8,8'\}\ \{9,9'\}\ \{10,10'\}\ \{11,11'\}\ \{12,12'\}$
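An added example, not part of the original slides: it enumerates which one-matrix-per-level products have index sets that exactly partition the full set $\{1,\dots,12,1',\dots,12'\}$, first with the plain sets $\{i,i'\}$ and then with the straddling sets above. The level-to-bit layout (level $i$ reads input bit $((i-1) \bmod 4)+1$) is read off the monomial tested "by querying 0110"; which set family belongs to bit 0 and all function names are assumptions.

```python
from itertools import product

LEVELS, BITS = 12, 4   # 12 matrix levels; level i reads input bit (i - 1) % BITS

def prime(i):
    return (i, "'")    # the primed index i'

def plain_sets():
    # "Changing the Sets" slide: both matrices of level i get {i, i'}.
    return {(i, b): frozenset({i, prime(i)})
            for i in range(1, LEVELS + 1) for b in (0, 1)}

def straddling_sets():
    # "Straddling Set System" slide: one family is {i, i'}, the other is
    # {i, (i+4)'} with wrap-around. Giving the shifted family to bit 0 is an
    # assumption made for this example.
    sets = {}
    for i in range(1, LEVELS + 1):
        nxt = (i - 1 + BITS) % LEVELS + 1          # next level reading the same bit
        sets[(i, 1)] = frozenset({i, prime(i)})
        sets[(i, 0)] = frozenset({i, prime(nxt)})
    return sets

def full_level_monomials(sets):
    """Bit choices (one matrix per level) whose index sets partition the universe.

    Index i occurs only in the two sets of level i, so a product that reaches
    the full set uses exactly one matrix per level: 2**12 candidates to check.
    """
    universe = frozenset().union(*sets.values())
    good = []
    for choice in product((0, 1), repeat=LEVELS):
        picked = [sets[(lvl, b)] for lvl, b in enumerate(choice, start=1)]
        # 12 sets of size 2 cover all 24 indices only if pairwise disjoint.
        if frozenset().union(*picked) == universe:
            good.append(choice)
    return good

def choice_for_input(x):
    # Matrix selection of an honest evaluation on input string x, e.g. "0110".
    return tuple(int(x[i % BITS]) for i in range(LEVELS))

def is_consistent(choice):
    # Every level reading the same input bit picked the same bit value.
    return all(choice[i] == choice[i % BITS] for i in range(LEVELS))

if __name__ == "__main__":
    ok = full_level_monomials(straddling_sets())
    print(len(full_level_monomials(plain_sets())), "monomials pass with plain sets")
    print(len(ok), "pass with straddling sets; all consistent:",
          all(map(is_consistent, ok)))
```

With the plain sets every mix of rows reaches the full set, while the straddling sets leave only the monomials that correspond to an actual 4-bit input.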

Page 30: Protecting Obfuscation Against Algebraic Attacks

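Too Many Monomials

( ¿+¿ ) ⋅…⋅ (¿+¿ )

$(\tilde{M}_1^0 \tilde{M}_5^0 \tilde{M}_9^0 + \tilde{M}_1^1 \tilde{M}_5^1 \tilde{M}_9^1) \cdot \ldots \cdot (\tilde{M}_4^0 \tilde{M}_8^0 \tilde{M}_{12}^0 + \tilde{M}_4^1 \tilde{M}_8^1 \tilde{M}_{12}^1)$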

Page 31: Protecting Obfuscation Against Algebraic Attacks

Pairing Level Together

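Page 32: Protecting Obfuscation Against Algebraic Attacks

From Two Levels to One

$\tilde{M}_9^0 \tilde{M}_{10}^1$

$\tilde{M}_9^1 \tilde{M}_{10}^0$

$\tilde{M}_{10}^0\ \tilde{M}_9^0$

$\tilde{M}_{10}^1\ \tilde{M}_9^1$

$\tilde{M}_9^1 \tilde{M}_{10}^1$

$\tilde{M}_9^0 \tilde{M}_{10}^0$

$\{8,12'\}\ \{10,2'\}$

$\{8,8'\}\ \{10,10'\}$

$\{10,8,10',8'\}\ \{10,8,10',12'\}\ \{10,8,2',8'\}\ \{10,8,2',12'\}$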

Page 33: Protecting Obfuscation Against Algebraic Attacks

From Two Levels to One

Page 34: Protecting Obfuscation Against Algebraic Attacks

Dual-Input BP

Input: $x_1\ x_2\ x_3\ x_4$

Page 35: Protecting Obfuscation Against Algebraic Attacks

Too Many Monomials

(¿ ¿¿¿ ¿ ¿¿¿¿¿+

¿¿¿¿¿¿¿¿)(¿ ¿¿

¿ ¿ ¿¿¿¿¿+¿¿¿¿¿¿¿¿)

Page 36: Protecting Obfuscation Against Algebraic Attacks

Thank You!