Post on 27-Jan-2021
New Techniques for Obfuscating Conjunctions
0
James Bartusek (Princeton)Tancrède Lepoint (SRI & )Fermi Ma (Princeton)Mark Zhandry (Princeton)
1
Motivating Scenario: Password Check Program
P " :if " = “correcthorsebatterystaple”:
output 1 (accept)else:
output 0 (reject)
2
Motivating Scenario: Password Check Program
P " :if " = “correcthorsebatterystaple”:
output 1 (accept)else:
output 0 (reject)
Problem: No security if attacker sees program implementation!
Light Blue
HEX 09B6C9
3
Slightly Better Solution
P′ # :if SHA256 # == “cbe6beb26479b568e5f15b
50217c6c83c0ee051dc4e522b9840d8e291d6aaf46”:
output 1 (accept)else:
output 0 (reject)
Compute SHA256(“correcthorsebatterystaple”)
= cbe6beb26479b568e5f15b50217c6c83c0ee051dc4e522b9840d8e291d6aaf46
Light Blue
HEX 09B6C9
4
Obf(P) ! :if SHA256 ! == “cbe6beb26479b568e5f15b50217c6c83c0ee051dc4e522b9840d
8e291d6aaf46”:
output 1 (accept)else:
output 0 (reject)
This is a simple example of program obfuscation [BGIRSVY]for point functions [Can97,CMR98,LPS04,Wee05,BP12,…]
Informally, want Obf to satisfy:
• (correctness) Obf(P)(!) = P(!)for all !
• (virtual black box) Obf(P) reveals nothing beyond input/output behavior of P
P ! :if x = “correcthorsebatterystaple”
output 1 (accept)
else:output 0 (reject)
Apply Obf
5
Today: Obfuscation for Conjunctions(or “pattern-matching with wildcards”)
!"# = 1*10*(match) 11100
(mismatch) 10001(match) 10101
(mismatch) 01111
$%&' ( :if ( matches !"# output 1else output 0
bitstring ( matches !"# if it equals !"# except on *
6
Today: Obfuscation for Conjunctions(or “pattern-matching with wildcards”)
!"# = 1*10*(match) 11100
(mismatch) 10001(match) 10101
(mismatch) 01111
$%&' ( :if ( matches !"# output 1else output 0
bitstring ( matches !"# if it equals !"# except on *
Goal: Allow public evaluation of $%&' (on any input)without leaking any information about !"#
7
Today: Obfuscation for Conjunctions(or “pattern-matching with wildcards”)
Restriction: !"# drawn from distribution where accepting inputs to $%&' ( are hard to find [BBCKPS13]
Intuition: If I can’t find accepting inputs to $%&' ( , black box
access reveals nothing about pat
Goal: Allow public evaluation of $%&' (on any input)without leaking any information about !"#
8
Assumption or Model
[BR13] Multilinear Maps
[BVWW16] Entropic Ring LWE
[GKW17],[WZ17] LWE
[BKMPRS18] Generic Group Model
Prior Conjunction Obfuscators
Our Work:An investigation of simple conjunction
obfuscators, inspired by [BKMPRS18].
9
Assumption or Model Obfuscation is secure whenpattern is sampled from:
[BKMPRS18] Generic Group Model !"[$%], where $ < 0.774
This work(see paper)
Generic Group Model* !"[% − - log % ]
This work Learning Parity with Noise !"[$%] where $ < 1
This work(see paper)
Information theoretic* !"[%2] where 0 ≤ 4 < 1
Our Results: Extending the [BKMPRS18] Approach
!"[5] denotes uniform distribution over length % patterns with 5 wildcards
*can be extended beyonduniform distributions(see also [BeuWee19])
10
1. A Trivial Construction with No Security2. Modifying the Trivial Construction3. Security from LPN
Talk Outline
11
What Does “Simple” Mean?
Obfuscation: On input !"# ∈ {0,1,∗} +Output vector ,-./ over 0-
12
What Does “Simple” Mean?
Obfuscation: On input !"# ∈ {0,1,∗} +Output vector ,-./ over 0-
Evaluation: On input 1 ∈ {0,1} +Write down vector 23Accept if 234 ,-./ = 0
Intuition: A Trivially Insecure Construction
Obfuscation:! = 3
$%& = *01
Structure of 'taken from [BKMPRS18]
Accept!
' =
00)*00)+
*
0
1
$%&
13
Intuition: A Trivially Insecure Construction
Obfuscation:! = 3
$%& = *01
Structure of 'taken from [BKMPRS18]
() ⋅ ' = 0 1 0 1 1 0
00-.00-/
= 0
0 = 0 0 1Evaluation: 0 = 001
Accept!
(Accepting input)
' =
00-.00-/
*
0
1
$%&
14
Intuition: A Trivially Insecure Construction
Obfuscation:! = 3
$%& = *01
Structure of 'taken from [BKMPRS18]
() ⋅ ' = 0 1 0 1 1 0
00-.00-/
= 0
0 = 0 0 1*
0
1
$%&Evaluation: 0 = 001
Accept!
(Accepting input)
' =
00-.00-/
*
0
1
$%&
15
Intuition: A Trivially Insecure Construction
! =
00$%00$&
*
0
1
'()
Obfuscation:* = 3
'() = *01
Structure of !taken from [BKMPRS18]
,- ⋅ ! = 0 1 1 0 1 0
00$%00$&
= $%
0 = 0 1 1*
0
1
'()Evaluation: 0 = 011
Reject!
(Rejecting input)
16
17
1. A Trivial Construction with No Security2. Modifying the Trivial Construction3. Security from LPN
Talk Outline
18
Why is this construction broken?
Adversary can simply read !
"# ⋅ ! = 0 1 0 1 1 0
00()00(*
= 0
! =
00()00(*
*
0
1
+,-
Obfuscation:. = 3
+,- = *01
0 = 0 0 1*
0
1
+,-Evaluation: 0 = 000
2.
19
Why is this construction broken?
Adversary can simply read !
Equivalently:Current scheme does not prevent adversary from learning "# ⋅ ! for "# = 1 0 0…0 , 0 1 0…0 , etc. "
# ⋅ ! = 0 1 0 1 1 0
00*+00*,
= 0
! =
00*+00*,
*
0
1
-./
Obfuscation:0 = 3
-./ = *01
2 = 0 0 1*
0
1
-./Evaluation: 2 = 000
20
00"#00"$
20
Fixing the Construction (Approach 1)
1 2 3 4 5 61$ 2$ 3$ 4$ 5$ 6$1+ 2+ 3+ 4+ 5+ 6+1, 2, 3, 4, 5, 6,
00"#00"$-
2.
. + 1
1 2 3 4 5 61$ 2$ 3$ 4$ 5$ 6$1+ 2+ 3+ 4+ 5+ 6+1, 2, 3, 4, 5, 6,
-
2.
. + 1
*
0
1
012
*
0
1
012
3 3
2.
Instead of 3, use 4 = - 6 3
Claim 1: Any . + 1 × . + 1
submatrix of - is full rank over 89
21
1 2 3 4 5 61' 2' 3' 4' 5' 6'1( 2( 3( 4( 5( 6(1) 2) 3) 4) 5) 6)
00+,00+'-
2.
1 2 3 4 5 61' 2' 3' 4' 5' 6'1( 2( 3( 4( 5( 6(1) 2) 3) 4) 5) 6)
-
2.
. + 1
*
0
1
012
345
(7, 7' 7( 7)). + 1
Instead of 3, use 9 = - ; 3
459
7, 7' 7( 7)
22
1 2 3 4 5 61' 2' 3' 4' 5' 6'1( 2( 3( 4( 5( 6(1) 2) 3) 4) 5) 6)
*
2+
+ + 1
Instead of -, use . = * 0 -
12.
34 3' 3( 3)
545'5(5)
=+ + 1
=
12*6 12*7 12*8 12*9 12*: 12*;
00=400='
2+*
0
1
>?@
-12*At most + out of 2+ entries of 12* can be 0.
(*A denotes Bth column of *)
Fixing the Construction (Approach 1)
Claim 1: Any + + 1 × + + 1
submatrix of * is full rank over DE
23
!"!#!$!%
=1 2 3 4 5 61# 2# 3# 4# 5# 6#1$ 2$ 3$ 4$ 5$ 6$1% 2% 3% 4% 5% 6%
00."00.#/
20*
0
1
123
4
0 + 1
6
If 1237 = ∗::#7;":#7 =
00
If 1237 = 0::#7;":#7 =
.0 for . ← =>
If 1237 = 1::#7;":#7 =
0. for . ← =>
Evaluation: represent ? = 001 as vector @A/ with 0 entries at indices encoding ?.
@A/ = 0 $ 0 $ $ 0? = 0 0 1
20
24
!"!#!$!%
=1 2 3 4 5 61# 2# 3# 4# 5# 6#1$ 2$ 3$ 4$ 5$ 6$1% 2% 3% 4% 5% 6%
00."00.#/
20*
0
1
123
4
0 + 1
6
If 1237 = ∗::#7;":#7 =
00
If 1237 = 0::#7;":#7 =
.0 for . ← =>
If 1237 = 1::#7;":#7 =
0. for . ← =>
Evaluation: represent ? = 001 as vector @A/ with 0 entries at indices encoding ?.
@A/ = 0 $ 0 $ $ 0? = 0 0 1
Find any @ that makes entries of @A/ equal 0 in these 0 positions (@ is length 0 + 1, only 0 constraints)
Accept if @A6 = C
20
25
!"!#!$!%
=1 2 3 4 5 61# 2# 3# 4# 5# 6#1$ 2$ 3$ 4$ 5$ 6$1% 2% 3% 4% 5% 6%
00."00.#/
20*
0
1
123
4
0 + 1
6Lemma 1 (No Linear Attacks): For any fixed 7 ∈ 9:;
26
!"!#!$!%
=1 2 3 4 5 61# 2# 3# 4# 5# 6#1$ 2$ 3$ 4$ 5$ 6$1% 2% 3% 4% 5% 6%
00."00.#
/
20*
0
1
123
4
0 + 1
6
1) Due to Claim 1, 78/ ∈ :;#< is non-zero in at least 0 positions =", =#, … , =
27
!"!#!$!%
=1 2 3 4 5 61# 2# 3# 4# 5# 6#1$ 2$ 3$ 4$ 5$ 6$1% 2% 3% 4% 5% 6%
00."00.#/
20*
0
1
123
4
0 + 1
6
Claim 1: Any 0 + 1 × 0 + 1
submatrix of / is full rank over 89
Construction: obfuscation is encoding of 6 = /4 in group exponent*::6 = :;, … . , :;AB<
*Idea due to [BKMPRS18]: this construction can be viewed as “dual” to their construction.
Lemma 1 (No Linear Attacks): For any fixed C ∈ 89EF", if 4 is an encoding of 123 (from “nice” distribution), CG6 = CG/4 is a random scalar (with overwhelming probability).
28
Obfuscation: encoding of ! = #$ in group exponent*:%! = %&', %&), … . , %&,-'
Security in Generic Group Model (GGM) [Nac94,Sho97]
Lemma 1 (No Linear Attacks): For any fixed . ∈ 01234, if $ is an encoding of 567 (from “nice” distribution), .8! = .8#$ is a random scalar (with overwhelming probability).
*Idea due to [BKMPRS18]: this construction can be viewed as “dual” to their construction.
29
Obfuscation: encoding of ! = #$ in group exponent*:%! = %&', %&), … . , %&,-'
Security in Generic Group Model (GGM) [Nac94,Sho97]
Lemma 1 (No Linear Attacks): For any fixed . ∈ 01234, if $ is an encoding of 567 (from “nice” distribution), .8! = .8#$ is a random scalar (with overwhelming probability).
[BKMPRS18]: Security in GGM if 567 is uniformly random with 9: wildcards, if 9 ≤ .774.
[This work]: Lemma 1 implies security in GGM if 567 is uniformly
random with : − ?(log :) wildcards (optimal).
(see paper and [BeuWee19] for entropic setting)
*Idea due to [BKMPRS18]: this construction can be viewed as “dual” to their construction.
30
1. A Trivial Construction with No Security2. Modifying the Trivial Construction3. Security from LPN
Talk Outline
Step 1: Sample a length 2" vector #:If $%&' = ∗,
*+',-*+' =
00
If $%&' = 0, *+',-*+' =
/0 for / ← 12
If $%&' = 1, *+',-*+' =
0/ for / ← 12
31
Step 2: Define 4 ∈ 1267- ×+6 whose 9, ; th entry is:
4',< = ;'Compute the vector = = 4 > # ∈ 1267-
Obfuscation: ?=
@-@+@A@B
=1 2 3 4 5 61+ 2+ 3+ 4+ 5+ 6+1A 2A 3A 4A 5A 6A1B 2B 3B 4B 5B 6B
00/-00/+
4 #=*0
1
Group-Based Construction
Step 1: Sample a length 2" vector #:
If $%&' = ∗, *+',-*+'
= 00
If $%&' = 0, *+',-*+'
=/0 for / ← 12
If $%&' = 1, *+',-*+'
= 0/
for / ← 12
32
Obfuscation: 4, 6
7-7+7879
=
1 2 3 4 5 61+ 2+ 3+ 4+ 5+ 6+
18 28 38 48 58 68
19 29 39 49 59 69
00/-00/+
4#
6*0
1
New Construction
Step 2: Sample a uniformly random matrix 4 ← 12
>?- ×+>.
Compute the vector 6 = 4 A # ∈ 12>?-
random 4
Idea: Randomize 4!
Why would this be secure?
33
Learning Parity with Noise Assumption (over !")
# ≈%& +,
Standard LPNset each entry• 0 w/ prob 1 − +• #, ← !" w/ prob +
uniform
.&//0
uniform
1,&uniform
uniformuniform
34
Learning Parity with Noise Assumption (over !")
# ≈%& +,
Standard LPNset each entry• 0 w/ prob 1 − +• #, ← !" w/ prob +
uniform
.&//0
uniform
1,&uniform
uniformuniform
Exact LPN [JKPT12]set exactly +/ entries non-zero(polynomially equivalent)
35
Learning Parity with Noise Assumption (over !")
# ≈%& +,uniform
)&**+
uniform
,,&uniform
uniformuniform
Exact LPN [JKPT12]set exactly -* entries non-zero(polynomially equivalent)
Last modification: switch to “dual”
Standard LPNset each entry• 0 w/ prob 1 − -• #0 ← !" w/ prob -
36
!"#
$"
Compute $ with full row-rank such that:
" − "# = '
Last modification: switch to “dual”
37
!" +uniform
$%&
'%% − %&
"%&
'%
Compute ' with full row-rank such that:
% − %& = *Observe
= !'
Last modification: switch to “dual”
38
Dual Exact LPN Assumption(polynomially equivalent to LPN)
! ≈#$, uniform$&− &(
&
uniform),$
uniform
uniformexactly *& non-zero values
Observation: $,$+ looks similar to the obfuscation!
39
!"!#!$!%
=
1 2 3 4 5 61# 2# 3# 4# 5# 6#
1$ 2$ 3$ 4$ 5$ 6$
1% 2% 3% 4% 5% 6%
00."00.#
/0
1*
0
1
random /!"!#…
!9:9;
=
1 2 3 41# 2# 3# 4#
1$ 2$ 3$ 4$
1% 2% 3% 4%
."0.#.$0
01
random<
<
Dual Exact LPN Assumption:
(
40
! is " + 1 × 2"• Sample random ! over '(• Sample ) as uniformly random 2"
dimensional vector with exactly *"non-zero entries, conditioned on each pair of indices (2i − 1,2i) having at least one 0 entry.
0 is (" − "1) × "• Sample random 0 over '(• Sample ) as uniformly random "
dimensional vector with exactly *"non-zero entries.
“unstructured error vector” “structured error vector”
Terminology
41
Security Theorem: This construction is secure under the Learning Parity with Noise Assumption (constant noise rate !, over a large field "#) if $%& is uniformly random with 1 − ! )
wildcards for any 0 < ! < 1.
42
! ≈#$%
% − %' $ $(,,
*Want to show:
2%
* !% + 1 *(′≈#
LPN Assumption:
, ,
( unstructured error
(′ structured error
uniform
uniform
uniform
uniform uniform
uniform
This would imply the obfuscation (right-hand side) looks totally random.
43
!" !# !$ !% !&
'
' − ')
Step 1 (generating structured error): Sample ' random columns *",…*-. Replace ! with !′ where each pair of indices (21 − 1,21) is either !4, *4or *4, !4 (pick randomly).
!" *" *# !# *$ !$ !% *% *& !&
2'
' − ')
!′!
Claim: !5 = !75′ where 5 is unstructured error and 57is structured error
44
!" !# !$ !% !& !" '" '# !# '$ !$ !% '% '& !&
00
0
0
)"
0
)#)$0
0
) unstructured errornon-zero entries in *+ randomly chosen positions
)′ structured errornon-zero entries in *+ randomly chosen positions, each pairhas at least one 0
+
+ − +.
2+
2+)"0)#)$0
=
Claim: !) = !1)′ where ) is unstructured error and )1is structured error
!′!
!" #" #$ !$ #% !% !& #& #' !'
45
( ≈*!+
+ − +- ! !.,,LPN Assumption: . unstructured erroruniform
uniform uniform
Result of Step 1:
( ≈* !′.′,,.’ structured erroruniform
!" #" #$ !$ #% !% !& #& #' !'+ − +-
2+
!" #" #$ !$ #% !% !& #& #' !'
46
( ≈*!+
+ − +- ! !.,,LPN Assumption: . unstructured erroruniform
uniform uniform
( ≈* !′.′,,.’ structured erroruniform
!" #" #$ !$ #% !% !& #& #' !'+ − +-
2+
Still need + + 1 rows for the scheme to work. Need +- + 1 additional rows Need +- + 1 additional rows+- + 1
uniform uniform
47
! ≈# $′&′,,&’ structured erroruniform
( − (*
2(
(* + 1uniform uniform$′ $′
.′ .′!’ ?
Naïve Idea: sample additional rows .′ uniformly at random.
But how do we fill in .′&′ without &′?
48
Observation: We know !"#$′ for any row !"# of !′.
Idea: use random linear combinations of rows of H’
& ≈( !′$′,,$’ structured erroruniform
* − *,
2*
uniform uniform!′ !′
49
Observation: We know !"#$′ for any row !"# of !′.
Idea: use random linear combinations of rows of H’
& ≈( !′$′,,$’ structured erroruniform
* − *,
2*
*, + 1uniform uniform!′ !′
0*, + 1* − *,
Sample randommatrix 0:
0!′ 0!′0&0!#$′
So are we done?
50
Observation: We know !"#$′ for any row !"# of !′.
Idea: use random linear combinations of rows of H’
& ≈( !′$′,,$’ structured erroruniform
* − *,
2*
*, + 1uniform uniform!′ !′
0!′ 0!′0!#$′The matrix isn’t random!
(rank is at most * − *,)
0*, + 1* − *,
Sample randommatrix 0:
0&
51
! ≈# $′&′,,&’ structured erroruniform
( − (*
2(
(* + 1uniform uniform$′ $′
.$′ .$′.$/&′
One last idea: we know half the
entries of &′ since we “inserted” (
zeros.
.!
52
One last idea: we know half the
entries of !′ since we “inserted” #
zeros.
$ ≈& '′!′,,!’ structured erroruniform
# − #*
2#
#* + 1uniform uniform'′ '′
.$
(.'0 + 1)!′
Sample matrix 1 with # uniformly random non-zero columns coinciding with # known zero entries of !′. (i.e. 1!0 = 0)
.'0 + 1.'0 + 1
2##* + 1 = 1
all 0’s column uniformly random column
Does this look uniformly random?
! − !#
2!
!# + 1uniform '′
)'* + +
! + 1
2!
,uniform≈? ? ?
53
Does this look uniformly random?
! − !#
2!
!# + 1uniform '′
)'* + +
2!
,-!# + 1
! − !#
!
,Heuristic Argument:
, has many ,- with last !# + 1 rows spanned by first ! − !#:• If ./ with 0 = 223 , any ,- satisfies this property with probability
4/56
26= 4
758693
• 22 choices of ,-; so we expect :(poly ! ) such ,- if 2A + B < 154
! + 1
≈E
55
! ≈# $′&′,,&’ structured erroruniform
( − (*
2(
(* + 1uniform uniform$′ $′
!’
(0$1 + 2)&′0$1 + 20$1 + 2
44 ! 4&′≈#, ,uniform
uniform uniform
≈5
(− 1
2( &’ structured error
Step 1: Double the width of ! and make the error structured.
Step 2: Increase the height of ! with random linear combinations.
Step 3: Break linear correlations with random entries in columns corresponding to 0 entries of "#.
Step 4: Replace with uniform by statistical argument
Reduction Recap
56
57
Conclusion• In the GGM: obfuscate conjunctions by encoding in
a vector and multiplying by a structured matrix• If we multiply by a random matrix, we can avoid
groups and rely on LPNIn the paper:• Obfuscate information theoretically with a hidden
subspace
Thank You!ePrint: ia.cr/2018/936