Date post: 14-Dec-2015
OPENING THE BLACK BOX

Boaz Barak

Institute for Advanced Study

Princeton, NJ

New Techniques in Cryptography


PROGRAMS ARE HARD TO UNDERSTAND

• Can’t eliminate bugs

• Understanding compiled progs even harder

• “Natural state is complete unreadability”

• HALTING undecidable

• SAT probably hard

• Can’t prove lower bounds


PROGRAMS AS BLACK BOXES

• Programming langs – function calls

• Algorithms – subroutines, recursion

• Complexity – reductions

Very common: Ignore actual code – only care about function (i.e., input/output relation)

Input → Output


Common Intuition: No loss in generality since general code is useless anyway: can’t be understood.

Sometimes: Formal Justification (HALTING, SAT)

Can we justify it in cryptography?



MODERN CRYPTOGRAPHY

A Central Activity: Construct scheme and reduce solving (assumed) hard problem to breaking scheme.

Show that if ∃ a scheme-breaking alg then ∃ a problem-solving (e.g. factoring) alg.

Implication: Problem actually hard ⇒ scheme unbreakable (before sun collapses)

If common intuition holds (code useless) it’s

• bad for crypto: limits on reductions

• good for crypto: can “scramble” programs


IN THIS TALK

Examine common intuition that “code useless” in crypto.

Surprisingly, in many cases intuition is false.

This implies:

• positive results: more powerful reductions. Get new (believed unobtainable) crypto schemes.

• negative results: some schemes can’t be obtained


TALK PLAN

Part I: “Scrambling/Obfuscating Programs” – A negative result [BGI+01].

Part II: “Zero Knowledge on the Internet” – A positive result [B01].

Part III: Some subsequent results [BGGL01,B02,BL02,L02,BLV03,KOS03,PR03,P04]

“light” talk – almost no proofs / formal defs


PART I: OBFUSCATION

Idea: Directly use “code useless” intuition for crypto:

Q: Can we take arbitrary prog P and convert to P’ s.t.

1. P’ has same function as P

2. P’ is not much slower/bigger than P

3. P’ is “completely unintelligible”

Procedure to convert P → P’ is called “obfuscator”.


WHY MIGHT OBFs EXIST?

• Because progs are hard to understand (bugs,HALTING,…)

• Maybe compiler is already obfuscator? (e.g., “closed source” considered unreadable)

• Because in crypto we can do anything :)

• Some commercial candidates.

Diffie&Hellman (76): Maybe can obtain public key enc. by “obfuscating” a private key enc. scheme?


WHY SHOULD WE CARE?

• Interesting in its own right.

• Constructing OWF-based PK crypto [DH76] (Arguably central problem of crypto.)

• Software protection.

• Digital rights management (DRM)…


MAIN RESULT (informal)

Thm [BGI+01]: General-purpose obfs, even under very weak defs, do not exist.

[BGI+01] Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang “On the (Im)possibility of Obfuscating Programs”, CRYPTO 2001.


DEFINING OBFs

Def: O: P → P “totally fails” on P if

1. P can be efficiently recovered from O(P) (i.e., complete recovery of source code)

2. P is hard to learn (i.e., can’t recover P using BB access to its function)

Thm [BGI+01]: ∀ O ∃ P s.t. O totally fails on P. (assuming OWF exist)

* “TASTE” OF PROOF

Pf: Show function family {P,} s.t. O totally fails (code recovery + hard to learn) on random member:

Define P,(b,x) =

b=0 , x=

b=1 , x(0,)=

0 otherwise

Claim: ∀ O, for random , w.h.p. O totally fails on P,

Pf:

Can recover source from obf’d code: To recover , from P’=O(P,) - output P’(1,P’)

Black-box access is useless: For random , can’t distinguish bet P, and all-zero function using BB access.

Note: In paper, rule out OBFs for programs with bounded input length.
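The two halves of this proof sketch can be run as a toy. The block below is an added example, not code from the talk or from [BGI+01]: the names `alpha` and `beta` for the two secret strings, the pair returned by the b=1 branch (inferred from the recovery step P’(1,P’)), and the stand-in `toy_obfuscator` are assumptions.

```python
import secrets

K = 16  # byte length of the two secret strings (constructed value)

def make_P(alpha, beta):
    """Build P(b, x): answers beta on (0, alpha); on (1, x) runs x as a program."""
    def P(b, x):
        if b == 0:
            return beta if x == alpha else 0
        if b == 1 and callable(x):
            # Assumed output of this branch: the pair of secrets.
            return (alpha, beta) if x(0, alpha) == beta else 0
        return 0
    return P

def toy_obfuscator(P):
    """Stand-in for any O: the code changes, the input/output relation does not."""
    junk = secrets.token_bytes(K)
    def P_prime(b, x):
        _ = hash((junk, b))  # dead code standing in for scrambling
        return P(b, x)
    return P_prime

def recover_from_code(P_prime):
    """Whoever holds the code feeds the program to itself: P'(1, P')."""
    return P_prime(1, P_prime)

def black_box_hits(oracle, queries=10_000):
    """Oracle-only learner: random b=0 guesses, plus b=1 with programs it can write."""
    hits = sum(oracle(0, secrets.token_bytes(K)) != 0 for _ in range(queries))
    hits += oracle(1, lambda b, x: 0) != 0   # the all-zero program
    hits += oracle(1, lambda b, x: x) != 0   # the echo program
    return hits

def demo():
    alpha, beta = secrets.token_bytes(K), secrets.token_bytes(K)
    P_prime = toy_obfuscator(make_P(alpha, beta))
    # (secrets recovered from the code?, non-zero answers seen through the oracle)
    return recover_from_code(P_prime) == (alpha, beta), black_box_hits(P_prime)

if __name__ == "__main__":
    print(demo())
```

Any functionality-preserving transformation can replace `toy_obfuscator` without changing the outcome, because recovery only uses the fact that P’ computes the same function as P.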


MEANING OF RESULT

Proved: No general-purpose obf exists.

Maybe “virtually general-purpose” obf exists?

Similar to critique of NP-completeness results.

[Diagram labels: Counter Ex.; “Useful” progs (DES,RSA,AES,SHA,…); O secure]

PROBLEM W/ THIS ARGUMENT

Q: If Alice writes new prog P, how can she know O is secure on P?

A: Maker should provide well-defined set of “assured secure” progs.

Problem: in many metrics, counter ex. close to “useful”.

[Diagram labels: “Useful” progs (DES,RSA,AES,SHA,…); O secure; “assured” progs; Counter Ex.]


TALK PLAN

Part I: “Scrambling/Obfuscating Programs” – A negative result [BGI+01].

Part II: “Zero Knowledge on the Internet” – A positive result [B01].

Part III: Some subsequent results [BGGL01,B02,L02,BLV03,KOS03,PR03,P04]


PART II: ZERO KNOWLEDGE

Recall: Central crypto activity – Construct scheme S s.t.

∃ alg A breaks S ⇒ ∃ alg B factors integers

Standard Pf: B uses A as BB subroutine

Q: Can B gain anything by using A’s code?

Intuition: NO – don’t know anything about adversary.

[B01]: Intuition is false – obtain results previously proven impossible to obtain w/ black-box pf.


ZERO-KNOWLEDGE [GMR85]

Roughly: Proof with “no added value”:

Alice proves X true (e.g., G 3-colorable) to Bob.

Bob learns only that X is true

Ex: Alice knows witness (3-coloring) to X=“G is 3col”, wants to convince Bob is true w/o leaking info about witness.

Motivation:

• Interesting in own right.

• Identification protocols (prove I know password/secret w/o giving any info [FS86])

• General Protocols – voting/auctions/poker (prove I acted properly w/o compromising my secrets)

A central crypto thm of 80’s [GMW86,FS89,BCY89,GK96]:

Anything can be proven in zero knowledge (using only O(1) communication rounds).

A central question of 90’s [DNS98]:

Is knowledge leaked in a concurrent execution?

CONCURRENT ZK (a.k.a. “zero-knowledge on the internet”)

CONCURRENT ZK

[Diagram: Alice, Bob1, Bob2, Bob3, …, Bobn]

Known: Coordinated “Bob” may learn something.

Thm [RK99]: Anything can be proven in concurrent ZK

# rounds: Õ(log n) [KPR00,PRS02]

Thm [CKPR01]: Protocols w/ black-box proofs require ~(log n) rounds.

Thm [B01]: Anything can be proven in O(1)-round concurrent ZK.

Uses (inherently) non-BB proof

(concurrent = bounded concurrent)

* “TASTE” OF PROOF

Tool: Witness Indistinguishable (WI) proofs [FS89]

Weaker property than ZK: When proving a statement X of form A∨B only required to hide from Bob if A or B is true.

What we need to know:

• Anything can be proven in O(1)-round WI.

• Unlike ZK, WI composes concurrently [FS89]

Our Proof System: To prove statement X do:

Bob → Alice: r ∈_R {0,1}^{10n}

Alice → Bob: WIP X true or KC(r)<5n

KC(r) = length of min-sized TM M s.t. M()=r

( KC(r)<5n=|r|/2 means r is “compressible” )

A random r is “incompressible” w.h.p. and so protocol is sound.

Next: show no info leaked in 2 executions…


Suppose Bob learns f(X) after 2 concurrent sessions.

We show f(X) is easy to compute (even w/o talking to Alice!)

Algorithm to compute f(X) will use Bob’s code!

Sample execution (diagram: Alice, Bob):

r=Bob1()

r’=Bob2(p-dialog)

f(X)=Bob3(dialog)

WIP X true or KC(r)<5n

WIP X true or KC(r’)<5n

Compute (w/o Alice!) string monolog indisting from dialog.

Thus Bob3(monolog)=Bob3(dialog)=f(X)

Look ma, no Alice!

[Diagram: the sample execution again, with f(X)=Bob3(monolog) and “??” marks]
Using some tools (pseudorandom gens, PCP thm), can ensure |Bob1|,|Bob2|,|p-dialog|<n

[Diagram: the sample execution again, with “?”, “!” and “?!” marks next to the WIP messages]
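Why short code for Bob makes the second branch of the WI statement provable without Alice, as an added toy (not code from the talk or from [B01]): a "description" here is Python source plus a hardwired input, its length in bits stands in for TM size, and `BOB_SRC`, the SHA-256 expander and the value of `N` are all constructed for illustration.

```python
import hashlib, os

N = 4096                  # security parameter n, in bits (constructed value)
R_BYTES = 10 * N // 8     # |r| = 10n bits, as on the slide

# Constructed stand-in for Bob's code: a short deterministic program that
# expands a hardwired seed and its input into a challenge string.
BOB_SRC = '''
def bob(inp, nbytes):
    import hashlib
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(b"seed-7f" + inp + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:nbytes]
'''

def run(src, inp):
    """Execute a description: load the program text and run it on its input."""
    scope = {}
    exec(src, scope)
    return scope["bob"](inp, R_BYTES)

def witness_ok(r, src, inp):
    """Second WI branch: a description shorter than 5n bits that outputs r."""
    desc_bits = 8 * (len(src.encode()) + len(inp))
    return desc_bits < 5 * N and run(src, inp) == r

def simulate_two_sessions():
    """The simulator holds Bob's code, so that code is its witness in both sessions."""
    r1 = run(BOB_SRC, b"")                     # r  = Bob1()
    p_dialog = b"session-1 messages so far"    # constructed partial dialog
    r2 = run(BOB_SRC, p_dialog)                # r' = Bob2(p-dialog)
    return witness_ok(r1, BOB_SRC, b""), witness_ok(r2, BOB_SRC, p_dialog)

def random_r_has_no_such_witness():
    """A uniformly random r is not the output of this short description."""
    return witness_ok(os.urandom(R_BYTES), BOB_SRC, b"")

if __name__ == "__main__":
    print(simulate_two_sessions(), random_r_has_no_such_witness())
```

In a real execution Alice never sees a short description of Bob's r, which is why soundness rests on random strings being incompressible, while the simulator gets the description for free from Bob's code.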


TALK PLAN

Part I: “Scrambling/Obfuscating Programs” – A negative result [BGI+01].

Part II: “Zero Knowledge on the Internet” – A positive result [B01].

Part III: Some subsequent results [BGGL01,B02,L02,BLV03,KOS03,PR03,P04]


PART III: OTHER RESULTS

Positive results using our non-BB techniques:

• Non-Malleable Commitments (MIM attack) [B02]

• Resettable model (e.g., smartcards) [BGGL01]

• Strict poly-time extraction [BL02]

• General bounded-concurrent computation [L03,PR03,P04]

• Constant-round multi-party computation [KOS03,P04]

• Password-based authentication prots [P04]

Other directions:

• Limits on non-BB techniques [BLV03]

• More separations bet BB and non-BB [BGGL01,BL02,L03]


OPEN QUESTIONS

Can we construct public key encryption based on one-way functions? (impossible using black-box proofs [IR94])

Understand power of non-black-box techniques in other contexts in crypto and complexity.

Prove more negative results for non-black-box techniques. (Interesting connections to other areas [DNRS00,BLV03])


THANK YOU!

