Post on 16-Aug-2020
transcript
New Techniques for Obfuscating Conjunctions
0
James Bartusek (Princeton)Tancrède Lepoint (SRI & )Fermi Ma (Princeton)Mark Zhandry (Princeton)
1
Motivating Scenario: Password Check Program
P π₯ :if π₯ = βcorrecthorsebatterystapleβ:
output 1 (accept)else:
output 0 (reject)
Light Blue
HEX 09B6C9
2
Slightly Better Solution
Pβ² π₯ :if SHA256 π₯ == βcbe6beb26479b568e5f15b
50217c6c83c0ee051dc4e522b9840d8e291d6aaf46β:
output 1 (accept)else:
output 0 (reject)
Compute SHA256(βcorrecthorsebatterystapleβ)= cbe6beb26479b568e5f15
b50217c6c83c0ee051dc4e522b9840d8e291d6aaf46
Light Blue
HEX 09B6C9
3
Obf(P) π₯ :if SHA256 π₯ == βcbe6beb26479b568e5f15b50217c6c83c0ee051dc4e522b9840d8e291d6aaf46β:
output 1 (accept)else:
output 0 (reject)
This is a simple example of program obfuscation [BGIRSVY]for point functions [Can97,CMR98,LPS04,Wee05,BP12,β¦]
Informally, want Obf to satisfy:β’ (correctness) Obf(P)(π₯) = P(π₯) for
all π₯β’ (virtual black box) Obf(P) reveals
nothing beyond what can be learned from black box access to P
P π₯ :if x = βcorrecthorsebatterystapleβ
output 1 (accept)else:
output 0 (reject)
Apply Obf
4
Obfuscation for General ProgramsMany candidates: [GGHRSW13,AGIS14,AB15,Zim15,LV16,Lin16,GMMSSZ16,AS16,LT17,FRS17,BGMZ18,CVW18,AJS18,LM18,Agr18,GJK18,β¦]
Obfuscation for Specific Functionalitiesβ’ Point Functions
[Can97,CMR98,LPS04,Wee05,CD08,DKL09,GKPV10,BP12,β¦]
β’ Compute-and-Compare Programs [GKW17,WZ17]
β’ Hamming Balls [DS05]
β’ Hyperplane Membership [CRV09]
β’ Conjunctions [BVWW16,GKW17,WZ17,β¦]
We study conjunctions, but techniques apply to hamming balls, affine spaces, etc.
Focus of this work: simple techniques to obfuscate specific functionalities.
5
πππ‘ = 1*10*(match) 11100
(mismatch) 10001(match) 10101
(mismatch) 01111
π9:; π₯ :if π₯ matches πππ‘ output 1else output 0
bitstring π₯ matches πππ‘ if it equals πππ‘ except on *
Obfuscation for Conjunctions(βpattern-matching with wildcardsβ)
6
πππ‘ = 1*10*(match) 11100
(mismatch) 10001(match) 10101
(mismatch) 01111
π9:; π₯ :if π₯ matches πππ‘ output 1else output 0
bitstring π₯ matches πππ‘ if it equals πππ‘ except on *
Obfuscation for Conjunctions(βpattern-matching with wildcardsβ)
Our work: Allow evaluation of ππππ‘
without leaking anything about πππ‘
7
πππ‘ = 1*10*(match) 11100
(mismatch) 10001(match) 10101
(mismatch) 01111
π9:; π₯ :if π₯ matches πππ‘ output 1else output 0
bitstring π₯ matches πππ‘ if it equals πππ‘ except on *
Our work: Allow evaluation of ππππ‘
without leaking anything about πππ‘
When is this goal feasible? A: πππ‘ must be drawn from a
distribution where accepting inputs to π9:; are hard to find [BBCKPS13]
Obfuscation for Conjunctions(βpattern-matching with wildcardsβ)
8
Assumption or Model
[BR13] Multilinear Maps
[BVWW16] Entropic Ring LWE
[GKW17],[WZ17] LWE
[BKMPRS18] Generic Group Model
Prior Conjunction Obfuscators
Our starting point: the [BKMPRS18] construction
9
Assumption or Model
Security holds whenpattern is sampled from:
[BKMPRS18] Generic Group Model π=[ππ], where π < 0.774
Construction 1 Generic Group Model* π=[π β π log π ]
Construction 2 Learning Parity with Noise π=[ππ] where π < 1
Construction 3(see paper)
Information theoretic* π=[πK] where 0 β€ π < 1
Our Results: Three Constructions
π=[π€] denotes uniform dist over length π patterns with π€ wildcards
*can be extended beyond uniform distributions (see also [BeuWee19])
10
1. Encoding Conjunctions as Inner Products2. A Group-Based Construction3. Security from LPN/RLC
Talk Outline
11
What Does βSimpleβ Mean?
Obfuscation: On input πππ‘ β {0,1,β} =Output vector π9:; over π½9
12
What Does βSimpleβ Mean?
Obfuscation: On input πππ‘ β {0,1,β} =Output vector π9:; over π½9
Evaluation: On input π₯ β {0,1} =Write down vector πWAccept if πW
X π9:; = 0
Encoding Conjunctions as Inner Products
βObfuscationβ:π = 3
πππ‘ = *01
Structure of πtaken from [BKMPRS18]
Accept!
π =
00π\00π]
*
0
1
πππ‘
13
π is a uniformly random value in π½9
Encoding Conjunctions as Inner Products
βObfuscationβ:π = 3
πππ‘ = *01
Structure of πtaken from [BKMPRS18]
ππ» β π = 0 $ 0 $ $ 0
00π\00π]
= 0
π₯ = 0 0 1
Evaluation: π₯ = 001
Accept!
(Accepting input)
π =
00π\00π]
*
0
1
πππ‘
14
π is a uniformly random value in π½9
$ denotes arbitrary non-zero value in π½9
Encoding Conjunctions as Inner Products
βObfuscationβ:π = 3
πππ‘ = *01
Structure of πtaken from [BKMPRS18]
ππ» β π = 0 $ 0 $ $ 0
00π\00π]
= 0
π₯ = 0 0 1*
0
1
πππ‘Evaluation: π₯ = 001
Accept!
(Accepting input)
π =
00π\00π]
*
0
1
πππ‘
15
$ denotes arbitrary non-zero value in π½9
π is a uniformly random value in π½9
Encoding Conjunctions as Inner Products
π =
00π\00π]
*
0
1
πππ‘
βObfuscationβ:π = 3
πππ‘ = *01
Structure of πtaken from [BKMPRS18]
ππ» β π = 0 $ $ 0 $ 0
00π\00π]
= $π\
π₯ = 0 1 1*
0
1
πππ‘Evaluation: π₯ = 011
Reject!
(Rejecting input)
16
$ denotes arbitrary non-zero value in π½9
π is a uniformly random value in π½9
17
1. Encoding Conjunctions as Inner Products2. A Group-Based Construction3. Security from LPN/RLC
Talk Outline
18
How can we make this construction secure?
Idea: Avoid giving out π in the clear, but still allow user to
compute ππ» β π for any π that encodes an input π₯ ππ» β π = 0 $ 0 $ $ 0
00π\00π]
= 0
π =
00π\00π]
*
0
1
πππ‘
βObfuscationβ:π = 3
πππ‘ = *01
π₯ = 0 0 1*
0
1
πππ‘Evaluation: π₯ = 001
2π
ππ»π© = 0 $ 0 $ $ 0
19
Slightly Better Construction
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00π\00π]
π©
2π*
0
1
πππ‘
π
Obfuscation:1) Encode πππ‘ in π2) Give out π© i π β π½9=j\ where
π© is a public π + 1 Γ(2π)matrix satisfying Property 1.
Property 1: Any π + 1 Γ π + 1submatrix of π© is full rank over π½9
(ex: Vandermonde)
π + 1
Evaluation:On input π₯ = 001 pick π β π½9=j\ so that
encodes π₯
(i.e. solve for π to make these π entries of ππ»π© equal 0)
Accept if ππ»π©π = π
π₯ = 0 0 1
Why does π© help security?
20
Property 1: Any π + 1 Γ π + 1submatrix of π© is full rank over π½9
(ex: Vandermonde)
Why does π© help security?
Informal Lemma 1 (No Linear Attacks): If πππ‘ is drawn with enough entropy, then for any π β π½9=j\, ππ»π©π is a uniformly random scalar.
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00π\00π]
π©
2π*
0
1
πππ‘
πππ»
(π\ π] πg πh)π + 1
21
Informal Lemma 1 (No Linear Attacks): If πππ‘ is drawn with enough entropy, then for any π β π½9=j\, ππ»π©π is a uniformly random scalar.
ππ»π©π ππ»π©π ππ»π©π ππ»π©π ππ»π©π ππ»π©π
00π\00π]
2π
πππ»π©
(π©π denotes πth column of π©)*
0
1
πππ‘
1) At most π out of 2π entries of ππ»π©can be 0 (Property 1).
2) If πππ‘ has enough entropy, then with overwhelming probability one of the π non-zero entries of ππ»π© will coincide with a non-zero entries in π.
3) If so, (ππ»π©)π will be a random scalar.
Property 1: Any π + 1 Γ π + 1submatrix of π© is full rank over π½9
(ex: Vandermonde)
Why does π© help security?
22
Group-Based* ConstructionObfuscation: Encode πππ‘ as π, compute
π©π and output:
ππ©π = π π©π x, π π©π y, β¦ . , π π©π {|x
(same evaluation procedure works in exponent)
*Idea due to [BKMPRS18]: this construction can be viewed as βdualβ to their construction.**Can be extended to more general distributions (see our paper and [BeuWee19])
Theorem: Generic Group adversary [Nac94,Sho97] cannot distinguish ππ©π from π + 1random group elements if πππ‘ is uniformly random** with π β π(log π) wildcards.
Proof: generic adversaries limited to linear attacks
Informal Lemma 1 (No Linear Attacks): If πππ‘ is drawn with enough entropy, then for any π β π½9=j\, ππ»π©π is a uniformly random scalar.
23
1. Encoding Conjunctions as Inner Products2. A Group-Based Construction3. Security from LPN/RLC
Talk Outline
Step 1: Sample a length 2π vector π:
If πππ‘^ = β, π]^~\π]^ = 0
0
If πππ‘^ = 0, π]^~\π]^ = π
0 for π β π½9
If πππ‘^ = 1, π]^~\π]^ = 0
π for π β π½9
24
Step 2: Define π© β π½9=j\ Γ]= whose
π, π th entry is:π©^,οΏ½ = π^
Compute the vector π©π β π½9=j\
Obfuscation: ππ©π
π£\π£]π£gπ£h
=
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00π\00π]
π©π
π*
0
1
Group-Based Construction
(π© is a fixed public matrix)
Step 1: Sample a length 2π vector π:
If πππ‘^ = β, π]^~\π]^ = 0
0
If πππ‘^ = 0, π]^~\π]^ = π
0 for π β π½9
If πππ‘^ = 1, π]^~\π]^ = 0
π for π β π½9
25
Step 2: Define π© β π½9=j\ Γ]= whose
π, π th entry is:π©^,οΏ½ = π^
Compute the vector π©π β π½9=j\
Obfuscation: π©π?
π£\π£]π£gπ£h
=
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00π\00π]
π©π
π*
0
1
Group-Based Construction
(π© is a fixed public matrix)
Step 1: Sample a length 2π vector π:
If πππ‘^ = β, π]^~\π]^ = 0
0
If πππ‘^ = 0, π]^~\π]^ = π
0 for π β π½9
If πππ‘^ = 1, π]^~\π]^ = 0
π for π β π½9
26
Obfuscation: π©,π©π
π£\π£]π£gπ£h
=
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00π\00π]
π©π
π*
0
1
New Construction
Step 2: Sample a uniformly random matrix π© β π½9
=j\ Γ]=.
Compute the vector π©π β π½9=j\
random π©
Idea: Randomize π©!
Why would this be secure?
27
Learning Parity with Noise Assumption over π½9(Random Linear Codes Assumption)
πβ² βοΏ½π΄ +,
Standard LPNset each entryβ’ 0 w/ prob 1 β πΌβ’ π^οΏ½ β π½9 w/ prob πΌ
uniform
π π΄π
πK
uniform
π’,π΄uniform
uniformuniform
28
βοΏ½π΄ +,uniform
π π΄π
πK
uniform
π’,π΄uniform
uniformuniform
Exact LPN [JKPT12]set exactly πΌπ entries non-zero(polynomially equivalent)
πβ²
Learning Parity with Noise Assumption over π½9(Random Linear Codes Assumption)
Standard LPNset each entryβ’ 0 w/ prob 1 β πΌβ’ π^οΏ½ β π½9 w/ prob πΌ
29
βοΏ½π΄ +,uniform
π π΄π
πK
uniform
π’,π΄uniform
uniformuniform
Exact LPN [JKPT12]set exactly πΌπ entries non-zero(polynomially equivalent)
Last modification: switch to βdualβ
πβ²
Learning Parity with Noise Assumption over π½9(Random Linear Codes Assumption)
Standard LPNset each entryβ’ 0 w/ prob 1 β πΌβ’ π^οΏ½ β π½9 w/ prob πΌ
30
π΄
πK
π»π
Compute π― with full row-rank such that:
π β πK = π
Last modification: switch to βdualβ
31
π΄ +uniform
π
πK
π»π
π β πK
π΄
πK
π»π
Compute π― with full row-rank such that:
π β πK = πObserve
= π»
Last modification: switch to βdualβ
πβ² πβ²
32
(Dual) Exact LPN Assumption(polynomially equivalent to LPN)
βοΏ½π»,uniform
π»πβ πKπ
uniformπ’,π»
uniform
uniformexactly πΌπ non-zero values
Notice π―,π―πβ² looks like the obfuscation π©,π©π
πβ²
33
π£\π£]π£gπ£h
=
1 2 3 4 5 61] 2] 3] 4] 5] 6]1g 2g 3g 4g 5g 6g1h 2h 3h 4h 5h 6h
00π\00π]
π©π
π*
0
1
random π©π£\π£]β¦
π£=~=οΏ½=
1 2 3 41] 2] 3] 4]1g 2g 3g 4g1h 2h 3h 4h
π\0π]πg0
πβ²π
randomπ―
π―
Dual Exact LPN Assumption: (π―,π―πβ²) looks random
Obfuscation
π© is π + 1 Γ 2πβ’ Sample random π© over π½9β’ Sample π as uniformly random 2π
dimensional vector with exactly πΌπnon-zero entries, conditioned on each pair of positions 2i β 1, 2i having at least one 0 entry.
π― is (π β πK) Γ πβ’ Sample randomπ― over π½9β’ Sample πβ² as uniformly random π
dimensional vector with exactly πΌπnon-zero entries.
random length π pattern, 1 β πΌ π wildcards
LPN for poly samples, field π½9constant noise πΌ, [JKPT12] βexactβ error
(Dual) Exact LPN
34
uniformly random 2π-dimensional vector with exactly πΌπ non-zero entries conditioned on each pair of positions 2i β 1, 2i having at least one 0 entry.
uniformly random π-dimensional vector with exactly πΌπ non-zero entries.
βunstructured errorββstructured errorβ
00
0
0
π\
0
π]πg0
0
π\οΏ½0π]οΏ½πgοΏ½0πβ²
π
(Dual) Exact LPN Obfuscation
This distribution arises if πππ‘ is uniformly random with 1 β πΌ π wildcards.
Theorem: Assuming LPN over π½9 (noise rate πΌ), obfuscation π©,π©π looks uniformly random if πππ‘ is uniformly at random with 1 β πΌ π wildcards, for 0 < πΌ < 1.
36
π’ βοΏ½π»π
π β πK π» π»πβ²,,
π΅Want to show:
2π
π΅ π’π + 1 π΅πβοΏ½
(Dual) Exact LPN:
, ,
πβ² unstructured error
π structured error
uniform
uniform
uniform
uniform uniform
uniform
Theorem: Assuming LPN over π½9 (noise rate πΌ), obfuscation π©,π©π looks uniformly random if πππ‘ is uniformly at random with 1 β πΌ π wildcards, for 0 < πΌ < 1.
37
π»\ π»] π»g π»h π»οΏ½
π
π β πK
Easy Step: Sample π random columns π\,β¦π=. Replace π― with π² where each pair of indices (2π β 1,2π) is either π»^, π^ or π^, π»^ (pick randomly).
π»\ π\ π] π»] πg π»g π»h πh ποΏ½ π»οΏ½
2π
π β πK
πΎπ»
Claim: π―πβ² = π²π where πβ² is unstructured error and π is structured error.
π’orπ»πβ², π’
orπ»πβ², π’
orπΎπ
=
38
π»\ π»] π»g π»h π»οΏ½ π»\ π\ π] π»] πg π»g π»h πh ποΏ½ π»οΏ½
00
0
0
π\οΏ½
0
π]οΏ½
πgοΏ½
0
0
π unstructured errornon-zero entries in πΌπ randomly chosen positions
π structured errornon-zero entries in πΌπ randomly chosen positions, each pairhas at least one 0
π
π β πK
2ππ\οΏ½0π]οΏ½πgοΏ½0
=πΎπ»
2ππ
Claim: π―πβ² = π²π where πβ² is unstructured error and π is structured error.
πβ²π
π»\ π\ π] π»] πg π»g π»h πh ποΏ½ π»οΏ½
39
π’ βοΏ½π»π
π β πK π» π»πβ²,,(Dual) Exact LPN: πβ² unstructured erroruniform
uniform uniformLPN gives us π β πKrows βfor freeβ
π’ βοΏ½ πΎπ,,π structured erroruniform
π»\ π\ π] π»] πg π»g π»h πh ποΏ½ π»οΏ½π β πK
2π
πΎπΎ
40
π’ βοΏ½π»π
π β πK π» ,,uniform
uniform uniform
π’ βοΏ½ ,,uniform
π β πK
We need π + 1 rows for the obfuscation construction.
Need πK + 1 additional rows Need πK + 1 additional rowsπK + 1
π»πβ²
πβ² unstructured error
πΎπ
π structured error2π
uniform uniformπΎ πΎ
(Dual) Exact LPN:
LPN gives us π β πKrows βfor freeβ
41
π’ βοΏ½ πΎπ,,uniform
π β πK
2π
πK + 1
uniform uniformπΎ πΎπ ππ’β ?
Issue: If we sample additional rows π uniformly at random, we canβt fill in ππ without π.
π structured error
42
Observation: We know πΎ^π for any row πΎ^ of πΎ.
So we can use random linear combinations of rows of πΎ.
π’ βοΏ½ πΎπ,,π structured erroruniform
π β πK
2π
uniform uniformπΎ πΎ
43
π’ βοΏ½ ,,uniform
π β πK
2π
πK + 1
uniform uniform
π πK + 1π β πK
Sample randommatrix π :
π πΎ π πΎπ π’
So are we done?
Observation: We know πΎ^π for any row πΎ^ of πΎ.
So we can use random linear combinations of rows of πΎ.
πΎπ
π structured error
πΎ πΎπ πΎπ
44
π’ βοΏ½ ,,uniform
π β πK
2π
πK + 1
uniform uniformπΎ πΎ
π πK + 1π β πK
Sample randommatrix π :
π πΎ π πΎπ π’ π πΎπ
Observation: We know πΎ^π for any row πΎ^ of πΎ.
So we can use random linear combinations of rows of πΎ.
πΎπ
π structured error
The matrix isnβt random!(rank is at most π β πK)
45
One last idea: we know half the
entries of π since we implicitly
βinsertedβ π zeros.
π’ βοΏ½ ,,uniform
π β πK
2π
πK + 1
uniform uniform
π πΎ π πΎπ π’
πΎπ
π structured error
πΎ πΎπ πΎπ
46
One last idea: we know half the
entries of π since we implicitly
βinsertedβ π zeros.
π’ βοΏ½ ,,uniform
π β πK
2π
πK + 1
uniform uniformπ π’
πΎπ
π structured error
Sample matrix π with π uniformly random non-zero columns coinciding with π known zero entries of π. (i.e. ππ = 0)
2ππK + 1 = π
all 0βs column uniformly random columns
π πΎ + π π πΎ + ππΎ πΎ
π πΎπ
47
π β πK
2π
πK + 1
uniform πΎπ πΎ + π
π΅βοΏ½
π+ 1
2π
uniform
???
Does(πΎ, π πΎ + π)
look uniformly random?
48
π β πK
2π
πK + 1
uniform πΎπ πΎ + π
π΅βοΏ½
π+ 1
2π
uniform
???
Heuristic Argument: Entropy Countingπ―οΏ½ πΎ +π―οΏ½ π +π―οΏ½(π)= ποΏ½ # entries in πΎ + ποΏ½ # entries in π
+ ποΏ½ # nonzero entries in π + π= π―οΏ½ π΅ β π]KjοΏ½ + πIf 2π + πΏ < 1, LHL yields (πΎ, π πΎ + π)statistically close to uniform.
π πK + 1
π β πK
2π
πK + 1 π
Does(πΎ, π πΎ + π)
look uniformly random?
π β πK
2π
πΎ
all 0βs
uniform
uniform
uniform
matrices over π½οΏ½, log π = ποΏ½
49
π΅π΅ π’ π΅πβοΏ½, ,
uniform
uniform uniform
βοΏ½
π+ 1
2π
π’ βοΏ½ ,,uniform
π β πK
2π
πK + 1
uniform uniformπ π’
πΎπ
π structured error
π structured error
π πΎ + π π πΎ + ππΎ πΎ
π πΎπ
Another Perspective: Structured Error LPN
For what β is (π΅, π΅π) pseudorandom?
β’ Pseudorandom if β = π β πK, π < 1 (perfectly equivalent to Exact LPN)
β’ [This work] Pseudorandom if β = π + πΒ‘, πΎ < 1/2 (statistically equivalent to Exact LPN)
β’ [AroraGe12] Can solve for π if β = 2π β ποΏ½, πΏ < 1/250
π΅ π΅π,uniform
2π π structured error
β
Another Perspective: Structured Error LPN
For what β is (π΅, π΅π) pseudorandom?
β’ Pseudorandom if β = π β πK, π < 1 (perfectly equivalent to Exact LPN)
β’ [This work] Pseudorandom if β = π + πΒ‘, πΎ < 1/2 (statistically equivalent to Exact LPN)
β’ [AroraGe12] Can solve for π if β = 2π β ποΏ½, πΏ < 1/251
π΅ π΅π,uniform
2π π structured error
β
52
Conclusionβ’ In the GGM: obfuscate conjunctions by encoding in a vector
and multiplying by a structured matrix.β’ If we multiply by a random matrix, we can avoid groups and
rely on LPN.
In the paper:
β’ An information theoretic conjunction obfuscator consisting of a sequence of matrices; evaluation is done by taking asubset-sum of matrices and computing the determinant.
Thank You!ePrint: ia.cr/2018/936slides: cs.princeton.edu/~fermim/talks/crypto-day.pdf