Private Programs: Obfuscation, a survey

1
Private ProgramsObfuscation, a survey
Guy Rothblum
Barak, Goldreich, Impagliazzo, Rudich, Sahai,
Vadhan and Yang Lynn, Prabhakaran and Sahai
Goldwasser and R Using slides by Boaz Barak,
Yael Kalai
2
Program Obfuscation 101

• Obfuscate verbto make obscure or unclear
• ObfuscatorA compiler that takes programs and
  makes them difficult to understand.

3
Code Obfuscation what is it?

• To intentionally make a program unintelligible,
  while preserving its functionality.

Obf(P)
Obf
P

• Goal Change program so still has same I/O
• behavior but is impossible to
  understand

4
for (i0 i lt M.length i) // Adjust
position of clock hands var
ML(ns)?document.layers'nsMinutes'iieMinutesi
.style ML.topyiHandY(iHandHeight)Math.
sin(min)scrll ML.leftxiHandX(iHandWidt
h)Math.cos(min)
obfuscator
for(O790O79ltl6x.lengthO79)var
O63(l70)?document.layers "nsM\151\156u\164\145s"
O79ieMinutesO79.style O63.topl61O79O76(
O79O75)Math.sin(O51)l73 O63.leftl75O79l77
(O79l76)Math.cos(O51)
5
Why Obfuscate?

• For Software ProtectionSoftware vendors want to
  prevent users from reverse-engineering executable
  code.No good solution known.
• For CryptographyMany applications fully
  homomorphic encryption, private to public key
  crypto, etc.

6
Obfuscation in Real World

• Copy protection/Licensing
• Spam
• conceal code that spawns pop-ups
• Software watermarking
• Prevent reverse engineering
• By competitors
• By hackers (e.g., for games)

if (test fails) then exit else
7
Off the Shelf Obfuscators
8
Why Obfuscate?

• For Software ProtectionSoftware vendors want to
  prevent users from reverse-engineering executable
  code.No good solution known.
• For CryptographyMany applications fully
  homomorphic encryption, private to public key
  crypto, etc.

9
Obfuscation Cryptographers Dream

• Cryptographic delegation signature delegation

m
m
SIGSK
(SK,PK)
can be verified given PK
Alices secret key and public key
10
Obfuscation Cryptographers Dream

• Cryptographic delegation signature delegation
• Transform any secret key cryptographic primitive
  into a public key one
• Compute on encrypted data
• Solve access control problems

Obf( )
Want to allow Bob to sign msgs on Oct05
SK
(SK,PK)
Many cryptographic tasks could be achieved
securely by writing a simple program and then
obfuscating it (if possible!).
11
Black-Box Obfuscation Informal Definition
BGI01
Obf(P)
Obf
P
Obf(P) is essentially equivalent to a black
box .
P
12
Defining Obfuscation

• BGIRSVY Obfuscated program should beas secure
  as black-box access.
• Obfuscator O runs on programs, must satisfy
• Preserves functionality
• Polynomial slow-down
• Virtual black-box
• Turing Machines, Circuits

13
Defining Obfuscation

• An algorithm O is an obfuscator if for any
  program P
• (functionality) O(P) P (i.e., O(P) computes the
  same function as P)
• (polynomial slowdown)running time of O(P) ?
  p(running time of P)for some polynomial p( ).
• We say that O is efficient if it runs in
  polynomial time.

14

• Predicate Virtual Black-Box BGIRSVYFor any
  poly learner L, exists poly simulator S,s.t. for
  every (poly time) program PPrL(O(P)) 1
  PrSP(1P)1

P
x
P(x)

0/1
0/1
15
Previous Work

• Hada implications of strong obfuscators
• Strong Negative ResultsBGIRSVY exist Turing
  Machines, circuits that cannot be obfuscatedGK
  under stronger definition, many natural circuits
  cannot be obfuscated
• Limited Positive ResultsObfuscating point
  functions C,LPS,W,CMR,DSObfuscating using
  random oracle LPS

16
Unfortunately

• General-purpose obfuscation is IMPOSSIBLE
• Proof for Turing Machines
• Ca,ß(x) ß if xa, 0 otherwise
• Da,ß(C) 1 if C(a)ß, 0 otherwise
• IntuitionGiven Ca,ß , Da,ß know output
  Da,ß(Ca,ß)
• Given black-box access to Ca,ß , Da,ß dont
  know what Da,ß(Ca,ß) outputs!

17
Proof

• Ca,ß(x) ß if xa, 0 otherwise
• Da,ß(C) 1 if C(a)ß, 0 otherwise
• Fa,ß(b,y) Ca,ß(y) if b0 Da,ß(y) if b1
• Za,ß(b,y) 0 if b0 Da,ß(y) if b1
• From black-box access, Fa,ß, Za,ß look the same
• From non black-box access
• O(Fa,ß)(1, O(Fa,ß(0,))) 1
• O(Za,ß)(1, O(Za,ß(0,))) 0

18
What to Do?

• Look at more specific programsPoint Functions
• Relax the DefinitionNo more black box!

19
Obfuscating Point Functions

• Point or password function family
• Ip(x) 1 if xp
• 0 otherwise
• Useful e.g. for access control, storing passwords
• Restricted family of functions\programs

20
Tool Random Oracle

• Say we have access to a truly random function
• Random Oracle
• R0,1n -gt 0,1n
• Only way to learn output is querying oracle on
  input
• In general, model is useful (e.g. FS)but
  problematic CGH,DNRS,GK

21
Obfuscating Point Functions

• Obfuscated Program(Ip) LPSStore R(p) (in the
  clear)on input x, if R(x)R(p) output
  1 otherwise output 0
• Obfuscated b\c of random oracle
• Get similar results from (strong) assumptions
  C,W
• Note obfuscator works only for very simple point
  function programs M

22
What to Do?

• Look at more specific programsPoint Functions
• Relax the DefinitionNo more black box!

23
Relaxed Definition

• Compare obfuscated program with black
  box?Apples and oranges. Program is not black
  box.
• Relax requirementCompare obfuscated program
  with other programs, we want obfuscation that is
  more secure than any other program!Best
  possible obfuscation.

24

• Best Possible Obfuscation GR
• For every poly learner L, exists poly simulator S
  s.t. forevery circuit C1, for every equivalent
  C2 (C1 C2)distributions L(O(C1)) and S(C2)
  indistinguishable.

O(C1)
C
Computational
Statistical
x
C(x)
Perfect

0/1
0/1
Output
Output
25
Meaningful Guarantee?

• Guarantee from definitionAnything that can be
  learned from O(C) can be learned from any
  equivalent circuit of same size as C. O(C) is
  more secure than all these circuits.
• Obfuscator has to output some circuit equivalent
  to C, definition guarantees the output is best
  possible.

26
Indistinguishability Obfuscators

• BGIRSVY Indistinguishability ObfuscatorObfuscat
  ions of equivalent circuits of the same size
  should be computationally indistinguishable.
• Definitions equivalent for efficient obfuscation
  (but not for inefficient obfuscation).

27
Best-Possible Obfuscation Results

• Best possible vs. black box obfuscation
• Black-box implies best-possible.
• A natural obfuscation task can be achieved
  under best-possible but not under black-box
  definition.
• Unconditionally (statistically) best-possible
• If PNP can best-possible obfuscate all circuits.
• Unconditionally best possible obfuscation for AC0
  implies PH collapses to second level.
• Obfuscation and Random Oracles
• Can use random-oracle to build (simple, natural)
  circuits that cannot be best-possible obfuscated.

28
Best Possiblevs.Black-Box Obfuscation
29
Best-Possible vs. Black-Box

• Claim black-box obfuscator ? best-possible
  obfuscator
• Proof Intuition
• Suppose obfuscator not best-possibleObfuscations
  of equivalent C1 and C2 are distinguishable from
  non-black-box access,but circuits
  indistinguishable from black-box access!
• Predicate Adversaryguesses whether obfuscation
  is of C1 or C2.
• Obfuscator is not black-box!

30
Best-Possible vs. Black-Box (2)

• OBDDs log-space programs with read-once
  left-to-right access to their input tape.
• Claim Can efficiently best-possible obfuscate
  OBDDs as OBDDs.
• Proof OBDDs have efficiently computable
  canonical representation Bryant.
• Claim OBDDs cannot be black-box obfuscated as
  OBDDs.
• Proof Extract non black-box information from
  canonical representation.

31
Statistically Best-PossibleObfuscation
32
If PNP

• Can perfectly best-possible obfuscate any
  circuit!
• Obfuscator output the lexicographically first
  smallest equivalent circuit (efficient if PNP).
• Simulator also output the lexicographically
  first smallest equivalent circuit (efficient if
  PNP).
• PERFECTLY best-possible obfuscation.

33
Statistically Best-Possible?

• Goal unconditionally best-possible obfuscation?
• Approaches
• Techniques from secure multi-party computation,
• Randomizing circuits,
• Focusing on low complexity classes.

34
Statistically Best-Possible ? PH Collapse

• Theorem
• If CNF circuits can be statistically
  best-possible obfuscated (even inefficiently),the
  n polynomial hierarchy collapses.

35
Stat. Best-Possible ? PH Collapse (2)

• Suppose O is statistically best possible
  obfuscator.
• IdeaUse O to get AM protocol for Co-NP complete
  language. Collapses poly hierarchy F,AH,BHZ.
• Co-NP complete language Lcircuit-equivalence,
  (C1,C2) in L iff C1 C2

36
Stat. Best-Possible ? PH Collapse (3)

• On input (C1,C2) use distributions S(C1),S(C2)
• If (C1,C2) not equivalent O(C1), O(C2) disjoint
  by preserving functionality so S(C1), S(C2)
  stat.-far by best-possible property
• If (C1,C2) equivalentO(C1), S(C1) stat.-close
  by best-possible propertyO(C1), S(C2)
  stat.-close by best-possible propertyconclude
  S(C1),S(C2) also stat. close
• Reduced circuit equivalence to statistical
  distance,a problem in AM SV.

37
Random OraclesandObfuscation
38
Random Oracles and Obfuscation

• LPS use random oracles to help obfuscation.
• If one could realize random oracles, would this
  necessarily help obfuscation?
• Not necessarily can also use random oracles to
  build un-obfuscatable circuits!

39
Random Oracles and Obfuscation

• Theorem
• There exists a simple family of circuits
  implementing point function functionalities that
  cannot be best-possible obfuscated.
• Circuits in the family make oracle calls.
• Does not rule out that every (non-oracle) circuit
  can be best-possible obfuscated.

40
Unobfuscatable Circuit Cp,M for Ip
pn\M
R(pM)

x1
x2
x3
x4
x5
xn
. . .
M

• For a point p 0,1n , choose subset M n

41
Conclusions and Open Problems

• Black-Box ObfuscationMore natural impossibility
  results GKMore Positive Results
  HRsVConstant-depth circuits?
• New Best-Possible ObfuscatorsCurrent positive
  results have flavor of finding canonical
  representations.
• Goal more examples of best-possible
  obfuscation.
• Think outside the (black) box
• Hardness Results?
• Best-possible obfuscation hardness results
  likely to be different from black-box results.

42

• THE END
• Thank You