Implementing BP-Obfuscation Using Graph-Induced Encoding

We implemented (a simplified version of) the branching-program obfuscator due to Gentry et al. (GGH15), which is itself a variation of the first obfuscation candidate by Garg et al. (GGHRSW13). To keep within the realm of feasibility, we had to give up on some aspects of the construction, specifically the ``multiplicative bundling\u27\u27 factors that protect against mixed-input attacks. Hence our implementation can only support read-once branching programs. To be able to handle anything more than just toy problems, we developed a host of algorithmic and code-level optimizations. These include new variants of discrete Gaussian sampler and lattice trapdoor sampler, efficient matrix-manipulation routines, and many tradeoffs. We expect that these optimizations will find other uses in lattice-based cryptography beyond just obfuscation. Our implementation is the first obfuscation attempt using the GGH15 graded encoding scheme, offering performance advantages over other graded encoding methods when obfuscating finite-state machines with many states. In out most demanding setting, we were able to obfuscate programs with input length of 20 nibbles (80 bits) and over 100 states, which seems out of reach for prior implementations. Although further optimizations are surely possible, we do not expect any implementation of current schemes to be able to handle much larger parameters

구분불가능한 난독화의 수학적분석에 관한 연구

학위논문(박사)--서울대학교 대학원 :자연과학대학 수리과학부,2020. 2. 천정희.Indistinguishability obfuscation (iO) is a weak notion of the program obfuscation which requires that if two functionally equivalent circuits are given, their obfuscated programs are indistinguishable. The existence of iO implies numerous cryptographic primitives such as multilinear map, functional encryption, non interactive multi-party key exchange. In gen- eral, many iO schemes are based on branching programs, and candidates of multilinear maps represented by GGH13, CLT13 and GGH15. In this thesis, we present cryptanalyses of branching program based iO over multilinear maps GGH13 and GGH15. First, we propose cryptanaly- ses of all existing branching program based iO schemes over GGH13 for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using NTRU-solver and matrix zeroiz- ing, which can be applied to a wide range of obfuscation constructions. We then show that there exists polynomial time reduction from the NTRU problem to all known branching program based iO over GGH13. Moreover, we propose a new attack on iO based on GGH15 which exploits statistical properties rather than algebraic approaches. We apply our attack to recent two obfuscations called CVW and BGMZ obfuscations. Thus, we break the CVW obfuscation under the current parameter setup, and show that algebraic security model of BGMZ obfuscation is not enough to achieve ideal security. We show that our attack is lying outside of the algebraic security model by presenting some parameters not captured by the proof of the model.기능성이 같은 두 프로그램과, 그 난독화된 프로그램들이 있을 때, 난독화된 프로그 램들을 구분할 수 없다면 구분불가능한 난독화라고 한다. 구분불가능한 난독화가 존재한다면, 다중선형함수, 함수암호, 다자간 키교환 등 많은 암호학적인 응용들이 존재하기 때문에, 구분불가능한 난독화를 설계하는 것은 매우 중요한 문제 중 하나 이다. 일반적으로, 많은 구분불가능한 난독화들은 다중선형함수 GGH13, CLT13, GGH15를 기반으로 하여 설계되었다. 본 학위 논문에서는, 다중선형함수를 기반으로 하는 난독화 기술들에 대한 안 전성 분석을 진행한다. 먼저, GGH13 다중선형함수를 기반으로 하는 모든 난독화 기술들은 현재 파라미터 하에 안전하지 않음을 보인다. 프로그램 변환(program converting), 행렬 제로화 공격(matrix zeroizing attack)이라는 두 가지 새로운 방 법을 제안하여 안전성을 분석하였고, 그 결과, 현존하는 모든 GGH13 다중선형함수 기반 난독화 기술이 다항식 시간 내에 NTRU 문제로 환원됨을 보인다. 또한, GGH15 다중선형함수를 기반으로 하는 난독화 기술에 대한 통계적인 공격방법을 제안한다. 통계적 공격방법을 최신 기술인 CVW 난독화, BGMZ 난독 화에 적용하여, CVW 난독화가 현재 파라미터에서 안전하지 않음을 보인다. 또한 BGMZ 난독화에서 제안한 대수적 안전성 모델이 이상적인 난독화 기술을 설계하 는데 충분하지 않다는 것을 보인다. 실제로, BGMZ 난독화가 안전하지 않은 특이한 파라미터를 제안하여, 우리 공격이 BGMZ에서 제안한 안전성 모델에 해당하지 않 음을 보인다.1. Introduction 1 1.1 Indistinguishability Obfuscation 1 1.2 Contributions 4 1.2.1 Mathematical Analysis of iO based on GGH13 4 1.2.2 Mathematical Analysis of iO based on GGH15 5 1.3 List of Papers 6 2 Preliminaries 7 2.1 Basic Notations 7 2.2 Indistinguishability Obfuscation 8 2.3 Cryptographic Multilinear Map 9 2.4 Matrix Branching Program 10 2.5 Tensor product and vectorization . 11 2.6 Background Lattices . 12 3 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH13 Multilinear Map 13 3.1 Preliminaries 14 3.1.1 Notations 14 3.1.2 GGH13 Multilinear Map 14 3.2 Main Theorem 17 3.3 Attackable BP Obfuscations 18 3.3.1 Randomization for Attackable Obfuscation Model 20 3.3.2 Encoding by Multilinear Map 21 3.3.3 Linear Relationally Inequivalent Branching Programs 22 3.4 Program Converting Technique 23 3.4.1 Converting to R Program 24 3.4.2 Recovering and Converting to R/ Program 27 3.4.3 Analysis of the Converting Technique 28 3.5 Matrix Zeroizing Attack 29 3.5.1 Existing BP Obfuscations 31 3.5.2 Attackable BP Obfuscation, General Case 34 4 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH15 Multilinear Map 37 4.1 Preliminaries 38 4.1.1 Notations 38 4.2 Statistical Zeroizing Attack . 39 4.2.1 Distinguishing Distributions using Sample Variance 42 4.3 Cryptanalysis of CVW Obfuscation 44 4.3.1 Construction of CVW Obfuscation 45 4.3.2 Cryptanalysis of CVW Obfuscation 48 4.4 Cryptanalysis of BGMZ Obfuscation 56 4.4.1 Construction of BGMZ Obfuscation 56 4.4.2 Cryptanalysis of BGMZ Obfuscation 59 5 Conclusions 65 6 Appendix 66 6.1 Appendix of Chapter 3 66 6.1.1 Extended Attackable Model 66 6.1.2 Examples of Matrix Zeroizing Attack 68 6.1.3 Examples of Linear Relationally Inequivalent BPs 70 6.1.4 Read-once BPs from NFA 70 6.1.5 Input-unpartitionable BPs from Barringtons Theorem 71 6.2 Appendix of Chapter 5 73 6.2.1 Simple GGH15 obfuscation 73 6.2.2 Modified CVW Obfuscation . 75 6.2.3 Transformation of Branching Programs 76 6.2.4 Modification of CVW Obfuscation 77 6.2.5 Assumptions of lattice preimage sampling 78 6.2.6 Useful Tools for Computing the Variances 79 6.2.7 Analysis of CVW Obfuscation 84 6.2.8 Analysis of BGMZ Obfuscation 97 Abstract (in Korean) 117Docto

Implementing conjunction obfuscation under entropic ring LWE

We address the practicality challenges of secure program obfuscation by implementing, optimizing, and experimentally assessing an approach to securely obfuscate conjunction programs proposed in [1]. Conjunction programs evaluate functions $f (x_1, . . . , x_L) = \wedge_{i \in I}$ $y_i$, where $y_i$ is either $x_i$ or $\neg x_i$ and $I \subseteq [L]$, and can be used as classifiers. Our obfuscation approach satisfies distributional Virtual Black Box (VBB) security based on reasonable hardness assumptions, namely an entropic variant of the Ring Learning with Errors (Ring-LWE) assumption. Prior implementations of secure program obfuscation techniques support either trivial programs like point functions, or support the obfuscation of more general but less efficient branching programs to satisfy Indistinguishability Obfuscation (IO), a weaker security model. Further, the more general implemented techniques, rather than relying on standard assumptions, base their security on conjectures that have been shown to be theoretically vulnerable. Our work is the first implementation of non-trivial program obfuscation based on polynomial rings. Our contributions include multiple design and implementation advances resulting in reduced program size, obfuscation runtime, and evaluation runtime by many orders of magnitude. We implement our design in software and experimentally assess performance in a commercially available multi-core computing environment. Our implementation achieves runtimes of 6.7 hours to securely obfuscate a 64-bit conjunction program and 2.5 seconds to evaluate this program over an arbitrary input. We are also able to obfuscate a 32-bit conjunction program with 53 bits of security in 7 minutes and evaluate the obfuscated program in 43 milliseconds on a commodity desktop computer, which implies that 32-bit conjunction obfuscation is already practical. Our graph-induced (directed) encoding implementation runs up to 25 levels, which is higher than previously reported in the literature for this encoding. Our design and implementation advances are applicable to obfuscating more general compute-and-compare programs and can also be used for many cryptographic schemes based on lattice trapdoors

Return of GGH15: Provable Security Against Zeroizing Attacks

The GGH15 multilinear maps have served as the foundation for a number of cutting-edge cryptographic proposals. Unfortunately, many schemes built on GGH15 have been explicitly broken by so-called ``zeroizing attacks,\u27\u27 which exploit leakage from honest zero-test queries. The precise settings in which zeroizing attacks are possible have remained unclear. Most notably, none of the current indistinguishability obfuscation (iO) candidates from GGH15 have any formal security guarantees against zeroizing attacks. In this work, we demonstrate that all known zeroizing attacks on GGH15 implicitly construct algebraic relations between the results of zero-testing and the encoded plaintext elements. We then propose a ``GGH15 zeroizing model as a new general framework which greatly generalizes known attacks. Our second contribution is to describe a new GGH15 variant, which we formally analyze in our GGH15 zeroizing model. We then construct a new iO candidate using our multilinear map, which we prove secure in the GGH15 zeroizing model. This implies resistance to all known zeroizing strategies. The proof relies on the Branching Program Un-Annihilatability (BPUA) Assumption of Garg et al. [TCC 16-B] (which is implied by PRFs in NC^1 secure against P/Poly) and the complexity-theoretic p-Bounded Speedup Hypothesis of Miles et al. [ePrint 14] (a strengthening of the Exponential Time Hypothesis)

Cryptanalysis of FRS Obfuscation based on the CLT13 Multilinear Map

We present a classical polynomial time attack against the FRS branching program obfuscator of Fernando-Rasmussen-Sahai (Asiacrypt’17) (with one zerotest parameter), which is robust against all known classical cryptanalyses on obfuscators, when instantiated with the CLT13 multilinear map. The first step is to recover a plaintext modulus of CLT13 multilinear map. To achieve the goal, we apply the Coron and Notarnicola (Asiacrypt\u2719) algorithm. However, because of parameter issues, the algorithm cannot be used directly. In order to detour the issue, we convert a FRS obfuscator into a new program containing a small message space. Through the conversion, we obtain two zerotest parameters and encodings of zero except for two nonzero slots. Then, they are used to mitigate parameter constraints of the message space recovering algorithm. Then, we propose a cryptanalysis of the FRS obfuscation based on the recovered message space. We show that there exist two functionally equivalent programs such that their obfuscated programs are computationally distinguishable. Thus, the FRS scheme does not satisfy the desired security without any additional constraints

Zeroizing Attacks on Indistinguishability Obfuscation over CLT13

In this work, we describe a new polynomial-time attack on the multilinear maps of Coron, Lepoint, and Tibouchi (CLT13), when used in candidate iO schemes. More specifically, we show that given the obfuscation of the simple branching program that computes the always zero functionality previously considered by Miles, Sahai and Zhandry (Crypto 2016), one can recover the secret parameters of CLT13 in polynomial time via an extension of the zeroizing attack of Coron et al. (Crypto 2015). Our attack is generalizable to arbitrary oblivious branching programs for arbitrary functionality, and allows (1) to recover the secret parameters of CLT13, and then (2) to recover the randomized branching program entirely. Our analysis thus shows that several of the single-input variants of iO over CLT13 are insecure

Preventing CLT Attacks on Obfuscation with Linear Overhead

We describe a defense against zeroizing attacks on indistinguishability obfuscation (iO) over the CLT13 multilinear map construction that only causes an additive blowup in the size of the branching program. This defense even applies to the most recent extension of the attack by Coron et al. (ePrint 2016), under which a much larger class of branching programs is vulnerable. To accomplish this, we describe an attack model for the current attacks on iO over CLT13 by distilling an essential common component of all previous attacks. This leads to the notion of a function being input partionable, meaning that the bits of the function’s input can be partitioned into somewhat independent subsets. We find a way to thwart these attacks by requiring a “stamp” to be added to the input of every function. The stamp is a function of the original input and eliminates the possibility of finding the independent subsets of the input necessary for a zeroizing attack. We give three different constructions of such “stamping functions” and prove formally that they each prevent any input partition. We also give details on how to instantiate one of the three functions efficiently in order to secure any branching program against this type of attack. The technique presented alters any branching program obfuscated over CLT13 to be secure against zeroizing attacks with only an additive blowup of the size of the branching program that is linear in the input size and security parameter. We can also apply our defense to a recent extension of annihilation attacks by Chen et al. (EUROCRYPT 2017) on obfuscation over the GGH13 multilinear map construction

Studying JavaScript Security Through Static Analysis

Mit dem stetigen Wachstum des Internets wächst auch das Interesse von Angreifern. Ursprünglich sollte das Internet Menschen verbinden; gleichzeitig benutzen aber Angreifer diese Vernetzung, um Schadprogramme wirksam zu verbreiten. Insbesondere JavaScript ist zu einem beliebten Angriffsvektor geworden, da es Angreifer ermöglicht Bugs und weitere Sicherheitslücken auszunutzen, und somit die Sicherheit und Privatsphäre der Internetnutzern zu gefährden. In dieser Dissertation fokussieren wir uns auf die Erkennung solcher Bedrohungen, indem wir JavaScript Code statisch und effizient analysieren. Zunächst beschreiben wir unsere zwei Detektoren, welche Methoden des maschinellen Lernens mit statischen Features aus Syntax, Kontroll- und Datenflüssen kombinieren zur Erkennung bösartiger JavaScript Dateien. Wir evaluieren daraufhin die Verlässlichkeit solcher statischen Systeme, indem wir bösartige JavaScript Dokumente umschreiben, damit sie die syntaktische Struktur von bestehenden gutartigen Skripten reproduzieren. Zuletzt studieren wir die Sicherheit von Browser Extensions. Zu diesem Zweck modellieren wir Extensions mit einem Graph, welcher Kontroll-, Daten-, und Nachrichtenflüsse mit Pointer Analysen kombiniert, wodurch wir externe Flüsse aus und zu kritischen Extension-Funktionen erkennen können. Insgesamt wiesen wir 184 verwundbare Chrome Extensions nach, welche die Angreifer ausnutzen könnten, um beispielsweise beliebigen Code im Browser eines Opfers auszuführen.As the Internet keeps on growing, so does the interest of malicious actors. While the Internet has become widespread and popular to interconnect billions of people, this interconnectivity also simplifies the spread of malicious software. Specifically, JavaScript has become a popular attack vector, as it enables to stealthily exploit bugs and further vulnerabilities to compromise the security and privacy of Internet users. In this thesis, we approach these issues by proposing several systems to statically analyze real-world JavaScript code at scale. First, we focus on the detection of malicious JavaScript samples. To this end, we propose two learning-based pipelines, which leverage syntactic, control and data-flow based features to distinguish benign from malicious inputs. Subsequently, we evaluate the robustness of such static malicious JavaScript detectors in an adversarial setting. For this purpose, we introduce a generic camouflage attack, which consists in rewriting malicious samples to reproduce existing benign syntactic structures. Finally, we consider vulnerable browser extensions. In particular, we abstract an extension source code at a semantic level, including control, data, and message flows, and pointer analysis, to detect suspicious data flows from and toward an extension privileged context. Overall, we report on 184 Chrome extensions that attackers could exploit to, e.g., execute arbitrary code in a victim's browser