# Protecting Obfuscation Against Algebraic Attacks

EUROCRYPT, pp. 221-238, 2013.

EI

Keywords:

Wei bo:

Abstract:

Recently, Garg, Gentry, Halevi, Raykova, Sahai, and Waters (FOCS 2013) constructed a general-purpose obfuscating compiler for NC1 circuits. We describe a simplified variant of this compiler, and prove that it is a virtual black box obfuscator in a generic multilinear map model. This improves on Brakerski and Rothblum (eprint 2013) who gav...More

Code:

Data:

Introduction

- The goal of general-purpose program obfuscation is to make an arbitrary computer program “unintelligible” while preserving its functionality.
- The work of Goyal et al [10] shows that there exists an oracle that can be implemented with trusted hardware of size that is only a fixed polynomial in the security parameter, with respect to which virtual black-box obfuscation is possible.
- Once again, the focus of the paper is to consider oracles that abstract the natural algebraic functionality underlying actual plain-model candidates for general-purpose obfuscation.

Highlights

- The goal of general-purpose program obfuscation is to make an arbitrary computer program “unintelligible” while preserving its functionality
- Work done while the author was an intern at Microsoft Research New England
- Work done in part while visiting Microsoft Research, New England
- Research supported in part from a DARPA/ONR PROCEED award, NSF grants 1228984, 1136174, 1118096, and 1065276, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant
- We prove that the obfuscator O described in Section 5 is a good Virtual Black Box obfuscator for NC1 in the ideal graded encoding model

Results

- A branching program of width w and length n for -bit inputs is given by a permutation matrix Preject ∈ {0, 1}w×w such that Preject = Iw×w, and by a sequence: BP =
- Note that by the way the authors defined the set ind(j) for input bit j ∈ [ ], and by the way the elements of Sj are indexed, Siin,bp11(i) ∈ Sinp1(i) and Siin,bp22(i) ∈ Sinp2(i).
- To show that the zero testing call to the oracle M does not fail the authors need to show that the index set of the elements corresponding to h and h is the entire universe.
- It follows from Theorem 2.1 that there exist polynomial functions n and w such that on input circuit C ∈ C , the branching program BP computed by O is of size n(|C|), width w(|C|), and computes on (|C|)-bit inputs.
- To prove that O satisfies the virtual black-box property, the authors construct a simulator Sim that is given 1|C|, the description of an adversary A, and oracle access to the circuit C.
- Instead the authors show how Sim can efficiently simulate the zero-test queries given oracle access to the circuit C.
- Each single-input element has a value that depends on a subset of the formal variables that correspond to a specific input to the branching program.

Conclusion

- Since the values of the α variables are chosen at random by the obfuscation, it is unlikely that the adversary makes a query where the value of two single-input elements “cancel each other” and result in a zero.
- If the authors think of e as an intermediate element in the evaluation of the branching program on some input x, the input-profile prof(e) represents the partial information that can be inferred about x based on the formal variables that appear in the value of e.
- Given an input element e, D outputs a set of single-input elements with distinct input-profiles such that e = s∈D(e) s, where the equality between the elements means that their values compute the same function.

Summary

- The goal of general-purpose program obfuscation is to make an arbitrary computer program “unintelligible” while preserving its functionality.
- The work of Goyal et al [10] shows that there exists an oracle that can be implemented with trusted hardware of size that is only a fixed polynomial in the security parameter, with respect to which virtual black-box obfuscation is possible.
- Once again, the focus of the paper is to consider oracles that abstract the natural algebraic functionality underlying actual plain-model candidates for general-purpose obfuscation.
- A branching program of width w and length n for -bit inputs is given by a permutation matrix Preject ∈ {0, 1}w×w such that Preject = Iw×w, and by a sequence: BP =
- Note that by the way the authors defined the set ind(j) for input bit j ∈ [ ], and by the way the elements of Sj are indexed, Siin,bp11(i) ∈ Sinp1(i) and Siin,bp22(i) ∈ Sinp2(i).
- To show that the zero testing call to the oracle M does not fail the authors need to show that the index set of the elements corresponding to h and h is the entire universe.
- It follows from Theorem 2.1 that there exist polynomial functions n and w such that on input circuit C ∈ C , the branching program BP computed by O is of size n(|C|), width w(|C|), and computes on (|C|)-bit inputs.
- To prove that O satisfies the virtual black-box property, the authors construct a simulator Sim that is given 1|C|, the description of an adversary A, and oracle access to the circuit C.
- Instead the authors show how Sim can efficiently simulate the zero-test queries given oracle access to the circuit C.
- Each single-input element has a value that depends on a subset of the formal variables that correspond to a specific input to the branching program.
- Since the values of the α variables are chosen at random by the obfuscation, it is unlikely that the adversary makes a query where the value of two single-input elements “cancel each other” and result in a zero.
- If the authors think of e as an intermediate element in the evaluation of the branching program on some input x, the input-profile prof(e) represents the partial information that can be inferred about x based on the formal variables that appear in the value of e.
- Given an input element e, D outputs a set of single-input elements with distinct input-profiles such that e = s∈D(e) s, where the equality between the elements means that their values compute the same function.

Related work

- Our work deals with analyzing candidate generalpurpose obfuscators in an idealized mathematical model (the generic multilinear model). There has also been recent work suggesting general-purpose obfuscators in idealized mathematical models which currently do not have candidate instantiations in the standard model: the work of [5] describes a general-purpose obfuscator for NC1 in a generic group setting with a group G = G1×G2×G3×G4, where G1 is a pseudo-free Abelian group, G2 and G3 are pseudo-free non-Abelian groups, and G4 is a group supporting Barrington’s theorem, such as S5. In this generic setting, obfuscator described by [5] achieves Virtual Black-Box security. However, no candidate methods for heuristically implementing such a group G are known, and therefore, the work of [5] does not describe a candidate generalpurpose obfuscator at this time, though this may change with future work10.

We note that question of whether there exists any oracle with respect to which virtual black-box obfuscation for general circuits is possible is a trivial question: one can consider a universal oracle that (1) provides secure encryptions eC for any circuit C to be obfuscated, and (2) given an encrypted circuit

10 Indeed, one way to obtain a heuristic generic group G is by building it using a general-purpose obfuscator, but this would not be useful for the work of [5], since their goal is a general-purpose obfuscator.

eC and an input x outputs C(x). The only way we can see this “solution” as being interesting is if one considers implementing this oracle with trusted hardware. The work of Goyal et al [10] shows that there exists an oracle that can be implemented with trusted hardware of size that is only a fixed polynomial in the security parameter, with respect to which virtual black-box obfuscation is possible. However, once again, the focus of our paper is to consider oracles that abstract the natural algebraic functionality underlying actual plain-model candidates for general-purpose obfuscation.

Funding

- Research conducted while at the IBM Research, T.J.Watson funded by NSF Grant No.1017660
- This material is based upon work supported by the Defense Advanced Research Projects Agency through the U.S Office of Naval Research under Contract N00014-11-1-0389

Reference

- Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. Cryptology ePrint Archive, Report 2013/631 (2013), http://eprint.iacr.org/
- Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. IACR Cryptology ePrint Archive 2001, 69 (2001)
- Barrington, D.A.: Bounded-width polynomial-size branching programs recognize exactly those languages in nc1. In: STOC (1986)
- Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. Cryptology ePrint Archive, Report 2013/563 (2013), http://eprint.iacr.org/
- Canetti, R., Vaikuntanathan, V.: Obfuscating branching programs using black-box pseudo-free groups. Cryptology ePrint Archive (2013)
- Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013)
- Diffie, W., Hellman, M.E.: Multiuser cryptographic techniques. In: AFIPS National Computer Conference, pp. 109–112 (1976)
- Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17.
- Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. Cryptology ePrint Archive, Report 2013/451 (2013), http://eprint.iacr.org/
- Goyal, V., Ishai, Y., Sahai, A., Venkatesan, R., Wadia, A.: Founding cryptography on tamper-proof hardware tokens. In: Micciancio, D. (ed.) TCC 20LNCS, vol. 5978, pp. 308–326. Springer, Heidelberg (2010)
- Hada, S.: Zero-knowledge and code obfuscation. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 443–457. Springer, Heidelberg (2000)
- Kilian, J.: Founding cryptography on oblivious transfer. In: Simon, J. (ed.) STOC, pp. 20–31. ACM (1988)

Tags

Comments