Foundations and applications of program obfuscation
Code is said to be obfuscated if it is intentionally difficult for humans to understand.
Obfuscating a program conceals its sensitive implementation details and
protects it from reverse engineering and hacking. Beyond software protection, obfuscation
is also a powerful cryptographic tool, enabling a variety of advanced applications.
Ideally, an obfuscated program would hide any information about the original
program that cannot be obtained by simply executing it. However, Barak et al.
[CRYPTO 01] proved that for some programs, such ideal obfuscation is impossible.
Nevertheless, Garg et al. [FOCS 13] recently suggested a candidate general-purpose
obfuscator which is conjectured to satisfy a weaker notion of security called indistinguishability
obfuscation.
In this thesis, we study the feasibility and applicability of secure obfuscation:
- What notions of secure obfuscation are possible and under what assumptions?
- How useful are weak notions like indistinguishability obfuscation?
Our first result shows that the applications of indistinguishability obfuscation go
well beyond cryptography. We study the tractability of computing a Nash equilibrium
of a game, a central problem in algorithmic game theory and complexity theory.
Based on indistinguishability obfuscation, we construct explicit games where a Nash
equilibrium cannot be found efficiently.
We also prove the following results on the feasibility of obfuscation. Our starting
point is the Garg et al. obfuscator that is based on a new algebraic encoding scheme
known as multilinear maps [Garg et al. EUROCRYPT 13].
1. Building on the work of Brakerski and Rothblum [TCC 14], we provide the first
rigorous security analysis for obfuscation. We give a variant of the Garg et al.
obfuscator and reduce its security to that of the multilinear maps. Specifically,
modeling the multilinear encodings as ideal boxes with perfect security, we prove
ideal security for our obfuscator. Our reduction shows that the obfuscator resists
all generic attacks that only use the encodings' permitted interface and do not
exploit their algebraic representation.
2. Going beyond generic attacks, we study the notion of virtual-gray-box obfuscation
[Bitansky et al. CRYPTO 10]. This relaxation of ideal security is stronger
than indistinguishability obfuscation and has several important applications
such as obfuscating password-protected programs. We formulate a security
requirement for multilinear maps which is both sufficient and necessary for
virtual-gray-box obfuscation.
3. Motivated by the question of basing obfuscation on ideal objects that are simpler
than multilinear maps, we give a negative result showing that ideal obfuscation
is impossible, even in the random oracle model, where the obfuscator is given access
to an ideal random function. This is the first negative result for obfuscation
in a non-trivial idealized model.
Obfuscating Conjunctions under Entropic Ring LWE
We show how to securely obfuscate conjunctions, which are functions f(x_1, ..., x_n) = ∧_{i∈I} y_i where I ⊆ [n] and each literal y_i is either just x_i or ¬x_i, e.g., f(x_1, ..., x_n) = x_1 ∧ ¬x_3 ∧ ¬x_7 ∧ ··· ∧ x_{n−1}. Whereas prior work of Brakerski and Rothblum (CRYPTO 2013) showed how to achieve this using a non-standard object called cryptographic multilinear maps, our scheme is based on an "entropic" variant of the Ring Learning with Errors (Ring LWE) assumption. As our core tool, we prove that hardness assumptions on the recent multilinear map construction of Gentry, Gorbunov and Halevi (TCC 2015) can be established based on entropic Ring LWE. We view this as a first step towards proving the security of additional multilinear-map-based constructions, and in particular program obfuscators, under standard assumptions. Our scheme satisfies virtual black box (VBB) security, meaning that the obfuscated program reveals nothing more than black-box access to f as an oracle, at least as long as (essentially) the conjunction is chosen from a distribution having sufficient entropy.
On the Impossibility of Virtual Black-Box Obfuscation in Idealized Models
The celebrated work of Barak et al. (CRYPTO '01) ruled out the possibility of virtual black-box (VBB) obfuscation for general circuits. The recent work of Canetti, Kalai, and Paneth (TCC '15) extended this impossibility to the random oracle model, assuming the existence of trapdoor permutations (TDPs). On the other hand, the works of Barak et al. (CRYPTO '14) and Brakerski and Rothblum (TCC '14) showed that general VBB obfuscation is indeed possible in idealized graded encoding models. The recent work of Pass and Shelat (Cryptology ePrint 2015/383) complemented this result by ruling out general VBB obfuscation in idealized graded encoding models that enable evaluation of constant-degree polynomials in finite fields.
In this work, we extend the above two impossibility results for general VBB obfuscation in idealized models. In particular we prove the following two results, both assuming the existence of trapdoor permutations:
* There is no general VBB obfuscation in the generic group model of Shoup (EUROCRYPT '97) for any abelian group. By applying our techniques to the setting of Pass and Shelat we extend their result to any (even non-commutative) finite ring.
* There is no general VBB obfuscation in the random trapdoor permutation oracle model. Note that as opposed to the random oracle, which is an idealized primitive for symmetric primitives, a random trapdoor permutation is an idealized public-key primitive.
Shorter Circuit Obfuscation in Challenging Security Models
The study of program obfuscation is seeing great progress in recent years,
which is crucially attributed to the introduction of graded encoding schemes
by Garg, Gentry and Halevi (Eurocrypt 2013). In such schemes, elements of a
ring can be encoded such that the content of the encoding is hidden, but
restricted algebraic manipulations, followed by zero-testing, can be performed
publicly. This primitive currently underlies all known constructions of
general-purpose obfuscators.
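To make the description above concrete, the following is an added example written for this page (not code from any of the papers listed here): a minimal ideal graded encoding oracle of the kind the obfuscators are analysed against, i.e. the "ideal boxes" model of the thesis abstract above and the generic graded encoding models named below. Plaintexts live in a private table and callers only ever see random handles, so the only things a party can do are the permitted ring operations (addition at equal levels, multiplication that adds levels up to the multilinearity bound kappa) and a zero-test at the top level. The class name, the choice of prime p and of kappa, and the two probe functions are illustrative assumptions; the oracle is not the Garg-Gentry-Halevi construction or any other real candidate.

```python
# Added illustration for this page: an *ideal* graded encoding oracle, not a
# real graded encoding scheme. Names, p and kappa are arbitrary choices.
import secrets


class IdealGradedEncoding:
    """Generic graded encoding oracle over Z_p with levels 1..kappa.

    encode(a, level)  private operation; returns an opaque handle for a.
    add / sub         operands must sit at the same level; result stays there.
    mul               levels add; refused once the sum would exceed kappa.
    is_zero           the zero-test; permitted only at level kappa.
    Handles are fresh random strings, so two encodings of the same value are
    unlinkable unless a zero-test relates them.
    """

    def __init__(self, p: int, kappa: int):
        self.p, self.kappa = p, kappa
        self._table = {}  # handle -> (value mod p, level); never exposed

    def _new(self, value: int, level: int) -> str:
        handle = secrets.token_hex(16)
        self._table[handle] = (value % self.p, level)
        return handle

    def _get(self, handle: str):
        if handle not in self._table:
            raise ValueError("unknown handle")
        return self._table[handle]

    def encode(self, a: int, level: int = 1) -> str:
        if not 1 <= level <= self.kappa:
            raise ValueError("level out of range")
        return self._new(a, level)

    def add(self, h1: str, h2: str) -> str:
        (a, l1), (b, l2) = self._get(h1), self._get(h2)
        if l1 != l2:
            raise ValueError("addition requires equal levels")
        return self._new(a + b, l1)

    def sub(self, h1: str, h2: str) -> str:
        (a, l1), (b, l2) = self._get(h1), self._get(h2)
        if l1 != l2:
            raise ValueError("subtraction requires equal levels")
        return self._new(a - b, l1)

    def mul(self, h1: str, h2: str) -> str:
        (a, l1), (b, l2) = self._get(h1), self._get(h2)
        if l1 + l2 > self.kappa:
            raise ValueError("degree exceeds the multilinearity level kappa")
        return self._new(a * b, l1 + l2)

    def is_zero(self, h: str) -> bool:
        a, level = self._get(h)
        if level != self.kappa:
            raise ValueError("zero-test is only permitted at the top level")
        return a == 0


def commutator_is_zero(ge: IdealGradedEncoding, ha: str, hb: str) -> bool:
    """a*b - b*a vanishes for every a, b in a commutative ring, so this zero-test
    succeeds whatever plaintexts are hidden: a 'trivial' encoding of zero that
    teaches a generic adversary nothing about a or b."""
    return ge.is_zero(ge.sub(ge.mul(ha, hb), ge.mul(hb, ha)))


def square_minus_product_is_zero(ge: IdealGradedEncoding, ha: str, hb: str) -> bool:
    """a*a - a*b is zero iff a == b (or a == 0): the kind of single bit about the
    hidden values that the permitted interface does let an adversary learn."""
    return ge.is_zero(ge.sub(ge.mul(ha, ha), ge.mul(ha, hb)))


def demo():
    """Two level-1 encodings of distinct non-zero values under kappa = 2."""
    ge = IdealGradedEncoding(p=2**61 - 1, kappa=2)
    a = secrets.randbelow(ge.p - 1) + 1
    b = (a + 1) % ge.p
    ha, hb = ge.encode(a), ge.encode(b)
    return commutator_is_zero(ge, ha, hb), square_minus_product_is_zero(ge, ha, hb)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A proof in this model only covers adversaries that respect the interface: every successful zero-test is the evaluation of a permitted polynomial, and the oracle refuses mixed-level additions, products above degree kappa and zero-tests below the top level. The attacks on concrete candidates referred to in the next paragraph work by exploiting the algebraic representation of real encodings, which this oracle deliberately has no counterpart for.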
However, the security properties of the current candidate graded encoding
schemes are not well understood, and new attacks are frequently introduced. It is
therefore important to assume as little as possible about the security of the
graded encoding scheme, and to use as conservative a security model as possible.
This often comes at the cost of reducing the efficiency or the functionality of
the obfuscator.
In this work, we present a candidate obfuscator, based on composite-order
graded encoding schemes, which obfuscates circuits directly a la Zimmerman
(Eurocrypt 2015) and Applebaum-Brakerski (TCC 2015). Our construction requires
a graded encoding scheme with only "plaintext slots" (= sub-rings of the
underlying ring), which is directly related to the size and complexity of the
obfuscated program. We prove that our obfuscator is superior to previous works
in two different security models.
1. We prove that our obfuscator is indistinguishability-secure (iO) in the
Unique Representation Generic Graded Encoding model. Previous works
either required a composite-order scheme with polynomially many slots, or were
provable in a milder security model. This immediately translates to a
polynomial improvement in efficiency, and shows that improved security does
not come at the cost of efficiency in this case.
2. Following Badrinarayanan et al. (Eurocrypt 2016), we consider a model
where finding any "non-trivial" encoding of zero breaks the security of the
encoding scheme. We show that, perhaps surprisingly, secure obfuscation is
possible in this model even for some classes of non-evasive functions
(for example, any class of conjunctions). We define the property required of
the function class, formulate an appropriate (generic) security model, and
prove that our aforementioned obfuscator is virtual-black-box (VBB) secure in
this model.
Indistinguishability Obfuscation: From Approximate to Exact
We show general transformations from subexponentially-secure approximate indistinguishability obfuscation (IO) where the obfuscated circuit agrees with the original circuit on a 1/2+ϵ fraction of inputs on a certain samplable distribution, into exact indistinguishability obfuscation where the obfuscated circuit and the original circuit agree on all inputs. As a step towards our results, which is of independent interest, we also obtain an approximate-to-exact transformation for functional encryption. At the core of our techniques is a method for “fooling” the obfuscator into giving us the correct answer, while preserving the indistinguishability-based security. This is achieved based on various types of secure computation protocols that can be obtained from different standard assumptions.
Put together with the recent results of Canetti, Kalai and Paneth (TCC 2015), Pass and Shelat (TCC 2016), and Mahmoody, Mohammed and Nematihaji (TCC 2016), we show how to convert indistinguishability obfuscation schemes in various ideal models into exact obfuscation schemes in the plain model.
National Science Foundation (U.S.) (Grant CNS-1350619); National Science Foundation (U.S.) (Grant CNS-1414119)
Cryptographic agents
Over the last decade or so, thanks to remarkable breakthroughs in cryptographic techniques, a wave of "cryptographic objects" (identity-based encryption, fully-homomorphic encryption, functional encryption, and most recently, various forms of obfuscation) has opened up exciting new possibilities for computing on encrypted data. Initial foundational results on this front consisted of strong impossibility results. Breakthrough constructions, as they emerged, often used specialized security definitions which avoided such impossibility results. However, as these objects and their constructions have become numerous and complex, often building on each other, the connections among these disparate cryptographic objects, and among their various security definitions, have become increasingly confusing.
The goal of this work is to provide a clean and unifying framework for diverse cryptographic objects and their various security definitions, equipped with powerful "reduction" and "composition" theorems. We model the functionality desired from a cryptographic object via a "schema" in an ideal world. Our new security definition, indistinguishability preservation, is parametrized by a family of "test" functions. We say that a scheme securely implements a schema against a test family in the real world if, for every test in the family, whenever the test is able to hide some bit of information from all adversaries in the ideal world, then this bit is hidden in the real world too. By choosing test families appropriately, we are able to place known security definitions (along with new ones) for a given object on the same canvas, enabling comparative analysis.
Next, we explore the implications of a meaningful relaxation of our security definition, the one obtained by considering all-powerful adversaries in the ideal world. Thanks to our framework, we are not only able to substantially generalize known results connecting two important flavors of security definitions (simulation and indistinguishability) in cryptography under this relaxation, but significantly simplify them too.
We also initiate a systematic study of the security of fundamental cryptographic primitives like public-key encryption under a new class of attacks that had not been considered so far in the literature. Once again, owing to the flexibility of our framework, we are able to model such attacks, along with existing ones, in a clean and satisfactory way.
Obfuscation for Evasive Functions
An evasive circuit family is a collection of circuits C such that for every input x, a random circuit from C outputs 0 on x with overwhelming probability.
We provide a combination of definitional, constructive, and impossibility results regarding obfuscation for evasive functions:
- The (average case variants of the) notions of virtual black box obfuscation (Barak et al., CRYPTO '01) and virtual gray box obfuscation (Bitansky and Canetti, CRYPTO '10) coincide for evasive function families. We also define the notion of input-hiding obfuscation for evasive function families, stipulating that for a random c ∈ C it is hard to find, given O(c), a value outside the preimage of 0. Interestingly, this natural definition, also motivated by applications, is likely not implied by the seemingly stronger notion of average-case virtual black-box obfuscation.
- If there exist average-case virtual gray box obfuscators for all evasive function families, then there exist (quantitatively weaker) average-case virtual gray box obfuscators for all function families.
- There does not exist a worst-case virtual black box obfuscator even for evasive circuits, nor is there an average-case virtual gray box obfuscator for evasive Turing machine families.
- Let C be an evasive circuit family consisting of functions that test if a low-degree polynomial (represented by an efficient arithmetic circuit) evaluates to zero modulo some large prime p. Then under a natural analog of the discrete logarithm assumption in a group supporting multilinear maps, there exists an input-hiding obfuscator O for C. Under a new perfectly-hiding multilinear encoding assumption, there is an average-case virtual black box obfuscator for the family C.
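The following is an added example written for this page, covering both the conjunction class of "Obfuscating Conjunctions under Entropic Ring LWE" above and the evasiveness definition of this abstract; it is not code from either paper. A conjunction over n bits is represented here, as a modelling choice, by a pattern string over {'0', '1', '*'}: '1' at position i is the literal x_i, '0' is ¬x_i, and '*' means i ∉ I. The code evaluates conjunctions, checks exhaustively that for any fixed input exactly one of the 2^|I| conjunctions with support I accepts it (which is why a random member of the family is evasive for large |I|), and then shows the folklore salted-hash "obfuscator" for the wildcard-free case, i.e. the password-check point function mentioned in the thesis abstract above. That hash construction is not the Ring LWE scheme of the paper and handles only |I| = n; the brute-force routine at the end illustrates why the VBB guarantee quoted above is conditioned on the conjunction coming from a distribution with enough entropy.

```python
# Added illustration for this page, not code from either paper. Pattern-string
# representation, function names and sample inputs are constructed here.
import hashlib
import hmac
import itertools
import os


def eval_conjunction(pattern: str, x: str) -> bool:
    """f(x) = AND over i in I of the literal y_i; '*' positions are unconstrained."""
    if len(pattern) != len(x):
        raise ValueError("pattern and input must have the same length")
    return all(p == "*" or p == xi for p, xi in zip(pattern, x))


def accepting_fraction(pattern: str) -> float:
    """Fraction of the 2^n inputs that f accepts: 2^-|I|, since every bit in I
    is forced and every bit outside I is free."""
    k = sum(c != "*" for c in pattern)
    return 2.0 ** -k


def conjunctions_with_support(n: int, support) -> list:
    """All 2^|I| conjunctions whose set of fixed positions is exactly I."""
    support = sorted(support)
    out = []
    for bits in itertools.product("01", repeat=len(support)):
        pattern = ["*"] * n
        for pos, b in zip(support, bits):
            pattern[pos] = b
        out.append("".join(pattern))
    return out


def count_accepting(n: int, support, x: str) -> int:
    """Evasiveness, checked exhaustively: for a fixed input x exactly one of the
    2^|I| conjunctions with support I accepts x, so a random member outputs 0
    on x with probability 1 - 2^-|I| (overwhelming once |I| is large)."""
    return sum(eval_conjunction(c, x) for c in conjunctions_with_support(n, support))


def obfuscate_point(pattern: str, salt=None) -> tuple:
    """Wildcard-free case only (|I| = n, a password check): publish the salt and
    H(salt || pattern). With wildcards the evaluator would need I itself, which
    must stay hidden, so this approach does not extend to general conjunctions."""
    if "*" in pattern:
        raise ValueError("hashing cannot obfuscate conjunctions with wildcards")
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + pattern.encode()).digest()


def eval_obfuscated_point(obf: tuple, x: str) -> bool:
    """Evaluate the hashed point function in constant time."""
    salt, digest = obf
    probe = hashlib.sha256(salt + x.encode()).digest()
    return hmac.compare_digest(probe, digest)


def brute_force(obf: tuple, candidates):
    """Why the guarantee needs an entropic distribution: if the hidden conjunction
    comes from a small candidate set, enumeration recovers it from the obfuscation.
    Oracle access to f would allow the same queries, so VBB is not violated, but no
    obfuscator can protect a secret drawn from a low-entropy distribution."""
    for c in candidates:
        if eval_obfuscated_point(obf, c):
            return c
    return None


if __name__ == "__main__":
    print(count_accepting(6, [0, 2, 5], "101010"))  # 1 of 8 conjunctions accepts
    obf = obfuscate_point("1011")
    print(eval_obfuscated_point(obf, "1011"), brute_force(obf, ["0000", "1011"]))
```

count_accepting enumerates 2^|I| patterns and is meant for small n; the quantity it verifies is the one the evasiveness definition relies on, and accepting_fraction gives the same 2^-|I| in closed form. The hash-based obfuscator is the only part a practitioner would actually deploy, and only for point functions: constant-time comparison via hmac.compare_digest avoids a timing side channel, and a salt keeps two obfuscations of the same password unlinkable, but neither helps if the password itself is guessable.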
Indistinguishability Obfuscation from Semantically-Secure Multilinear Encodings
We define a notion of semantic security of multilinear (a.k.a. graded) encoding schemes, which stipulates security of a class of algebraic "decisional" assumptions: roughly speaking, we require that for every nuPPT distribution over two constant-length sequences and auxiliary elements such that all arithmetic circuits (respecting the multilinear restrictions and ending with a zero-test) are constant with overwhelming probability over , , we have that encodings of are computationally indistinguishable from encodings of . Assuming the existence of semantically secure multilinear encodings and the LWE assumption, we demonstrate the existence of indistinguishability obfuscators for all polynomial-size circuits. We additionally show that if we assume subexponential hardness, then it suffices to consider a single (falsifiable) instance of semantic security (i.e., that semantic security holds w.r.t. a particular distribution ) to obtain the same result.
We rely on the beautiful candidate obfuscation constructions of Garg et al. (FOCS '13), Brakerski and Rothblum (TCC '14) and Barak et al. (EUROCRYPT '14) that were proven secure only in idealized generic multilinear encoding models, and develop new techniques for demonstrating security in the standard model, based only on semantic security of multilinear encodings (which trivially holds in the generic multilinear encoding model).
We also investigate various ways of defining an "uber assumption" (i.e., a super-assumption) for multilinear encodings, and show that the perhaps most natural way of formalizing the assumption that "any algebraic decision assumption that holds in the generic model also holds against nuPPT attackers" is false.