
Eran Tromer Slides credit: Boaz Barak

Information Security – Theory vs. Reality 0368-4474-01, Winter 2012-2013 Lecture 10: Garbled circuits and obfuscation. Eran Tromer Slides credit: Boaz Barak. Recall our high-level goal. Ensure properties of a distributed computation when parties are mutually untrusting ,


Presentation Transcript


  1. Information Security – Theory vs. Reality, 0368-4474-01, Winter 2012-2013
     Lecture 10: Garbled circuits and obfuscation
     Eran Tromer
     Slides credit: Boaz Barak

  2. Recall our high-level goal
     Ensure properties of a distributed computation when parties are mutually untrusting, faulty, leaky & malicious.

  3. Garbled circuits: variants of functionality (summary of whiteboard discussion)
     “Honest-but-curious” model
     • Offline-online evaluation for public circuits
       Circuit U is public, Alice chooses x, Bob learns U(x) and nothing else.
     • Offline-online evaluation for secret circuits
       Alice chooses C and x, Bob learns C(x) and nothing else.
       Obtained from the previous variant by making U a universal circuit and plugging in the description of C.

  4. Garbled circuits: construction (summary of whiteboard discussion)
     The garbled circuits
     Choose random keys for each value for each wire. Output:
     • Gate tables (double-encryption of output keys under input keys, permuted)
     • Keys of output wires
     The garbled inputs
     Keys for chosen values in input wires
     Evaluation
     Gate-by-gate, using double decryption.

  5. What Is an Obfuscator?
     • An obfuscator: an algorithm O such that for any program P, O(P) is a program such that:
       • O(P) has the same functionality as P
       • O(P) is infeasible to analyze / “reverse-engineer”.
     Intuition: an obfuscator should provide a “virtual black-box” in the sense that giving someone O(P) should be equivalent to giving her a black-box that computes P.

  6. Why might obfuscators exist?
     • Practical Reasons:
       • Understanding code is very difficult
       • Obfuscation used (successfully?) in practice for security purposes
     • Theoretical Reasons:
       • All canonical hard problems are problems of reverse engineering: SAT, HALTING
       • Rice’s Theorem: You can’t look at the code (Turing Machine description) of a function and find out a non-trivial property of it.

  7. Applications for obfuscators
     • “Digital rights management”
     • Converting symmetric-key encryption to asymmetric-key encryption
     • Removing Random Oracles for specific natural protocols.
     • Give someone the ability to sign/decrypt a restricted subset of the message space.

  8. Defining obfuscators
     • Definition 1: An algorithm O is an obfuscator if for any circuit C:
       • (functionality) $O(C) \sim C$ (i.e., O(C) computes the same function as C)
       • (polynomial slowdown) $|O(C)| \le p(|C|)$ for some polynomial $p(\cdot)$.
     • We say that O is efficient if it runs in polynomial time.

  9. Defining security
     “Anything that can be learned from the obfuscated form, could have been learned by merely observing the circuit’s input-output behavior (i.e., by treating the circuit as a black-box)”
     A Natural Formal Interpretation: For any adversary A there’s a simulator S such that for any circuit C
     $A(O(C)) \approx_{\text{C.I.}} S^{C}(1^{|C|})$
     This definition is impossible to meet!

  10. Defining security (2)
     Relaxation: simulator should only compute a specific function (even predicate) rather than generate an indistinguishable output.
     Weak Obfuscators: $\forall$ p.p.t. adversary $A$, $\forall$ (poly time) predicate $p:\{0,1\}^* \to \{0,1\}$, $\exists S$ such that for all circuits $C$
     $\Pr[A(O(C)) = p(C)] \le \Pr[S^{C}(1^{|C|}) = p(C)] + \mathrm{negl}(|C|)$
     Note: may be too weak for desired applications, but still we’ll prove that it is impossible to meet.

  11. Inherently Unobfuscatable Functions
     Definition 2: A (efficiently computable) function ensemble $\{F_t\}$ ($F_t:\{0,1\}^{|t|} \to \{0,1\}^{|t|}$) is an unobfuscatable function ensemble (UF) if it satisfies:
     There’s a poly time predicate $p:\{0,1\}^* \to \{0,1\}$ such that:
     • (a) (p easy to compute with a circuit) There’s a p.p.t. $A$ such that for any circuit $C$ such that $C \sim F_t$: $A(C) = p(F_t)$
     • (b) (p hard to compute with black-box access) For any p.p.t. $S$, for random $t \in \{0,1\}^n$:
       $\Pr[S^{F_t}(1^n) = p(t)] \le \frac{1}{2} + \mathrm{negl}(n)$
     Theorem 1: unobfuscatable functions   “very weak” obfuscators.

  12. Results (summary of whiteboard discussion)
     • There exist unobfuscatable functions (if there exist OWFs).
       • <proof intuition>
     • Efficient (even weak) obfuscators do not exist.
     • Moreover:
       • There exist unobfuscatable encryption schemes (if any exist).
       • There exist unobfuscatable signature schemes (if any exist).
       • Natural relaxations of obfuscation (e.g., approximate correctness) are still impossible.
     • State of the art
       • Constructions for very simple classes (e.g., point functions)
       • In practice, heuristics to slow down reverse engineering.
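The garbled-circuit construction summarized on slide 4, as an added example that is not part of the original slides: it garbles a 1-bit full adder, hands the evaluator one key per input wire, and evaluates gate by gate. The wire numbering, the full-adder circuit, the zero tag used to recognise the correct row, and the SHA-256 pad over both input keys (a stand-in for the slide's double encryption) are all assumptions made for the example.

```python
import hashlib, random, secrets

KEYLEN, TAG = 16, bytes(16)   # 128-bit wire keys; zero tag marks a correct decryption

def _pad(ka, kb, gid):
    # Assumption: models "double encryption" as one pad bound to both keys and the gate.
    return hashlib.sha256(ka + kb + gid.to_bytes(4, "big")).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble(circuit, n_inputs, outputs):
    """circuit: list of (fn, a, b, out) over wire numbers; fn maps two bits to one bit."""
    keys = {}                                  # wire -> (key for value 0, key for value 1)
    def wire(w):
        return keys.setdefault(w, (secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN)))
    tables = []
    for gid, (fn, a, b, out) in enumerate(circuit):
        rows = [_xor(_pad(wire(a)[x], wire(b)[y], gid), wire(out)[fn(x, y)] + TAG)
                for x in (0, 1) for y in (0, 1)]
        random.SystemRandom().shuffle(rows)    # permute: row position reveals nothing
        tables.append(rows)
    decode = {w: {keys[w][0]: 0, keys[w][1]: 1} for w in outputs}   # keys of output wires
    return tables, decode, [wire(w) for w in range(n_inputs)]

def encode_inputs(input_keys, bits):
    # The garbled inputs: only the key for the chosen value of each input wire.
    return [input_keys[i][bit] for i, bit in enumerate(bits)]

def evaluate(circuit, tables, garbled_inputs, decode):
    have = dict(enumerate(garbled_inputs))     # wire -> the single key the evaluator holds
    for gid, (_fn, a, b, out) in enumerate(circuit):   # topology only; _fn is never used
        pad = _pad(have[a], have[b], gid)
        plain = [_xor(pad, row) for row in tables[gid]]
        # Exactly one row must carry the zero tag; anything else raises ValueError.
        (have[out],) = [p[:KEYLEN] for p in plain if p[KEYLEN:] == TAG]
    return {w: table[have[w]] for w, table in decode.items()}

AND, OR, XOR = (lambda x, y: x & y), (lambda x, y: x | y), (lambda x, y: x ^ y)
# Constructed sample circuit: inputs on wires 0, 1, 2 (carry-in); sum on 4, carry on 7.
FULL_ADDER = [(XOR, 0, 1, 3), (XOR, 3, 2, 4), (AND, 0, 1, 5), (AND, 3, 2, 6), (OR, 5, 6, 7)]

def run(bits):
    tables, decode, input_keys = garble(FULL_ADDER, 3, outputs=(4, 7))   # offline phase
    return evaluate(FULL_ADDER, tables, encode_inputs(input_keys, bits), decode)  # online
```

Each garbling is good for a single evaluation: an evaluator who obtains both keys of any wire can decrypt more than one row of the gates that wire feeds, so `garble` must be rerun for every new input.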
