Private Programs: Obfuscation, a survey

Guy Rothblum

Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and Yang
Lynn, Prabhakaran and Sahai
Goldwasser and R
Using slides by Boaz Barak, Yael Kalai

Program Obfuscation 101

Obfuscate [verb] “to make obscure or unclear”

Obfuscator: A compiler that takes programs and makes them difficult to understand.

Obf(P)

Code Obfuscation: what is it?

• To intentionally make a program unintelligible, while preserving its functionality.

• Goal: Change the program so that it still has the same I/O behavior but is impossible to understand.

P:

for (i=0; i < M.length; i++) {
  // Adjust position of clock hands
  var ML=(ns)?document.layers['nsMinutes'+i]:ieMinutes[i].style;
  ML.top=y[i]+HandY+(i*HandHeight)*Math.sin(min)+scrll;
  ML.left=x[i]+HandX+(i*HandWidth)*Math.cos(min);
}

obfuscator

for(O79=0;O79<l6x.length;O79++){var O63=(l70)?document.layers["nsM\151\156u\164\145s"+O79]:ieMinutes[O79].style;O63.top=l61[O79]+O76+(O79*O75)*Math.sin(O51)+l73;O63.left=l75[O79]+l77+(O79*l76)*Math.cos(O51);}

Why Obfuscate?

For Software Protection
Software vendors want to prevent users from reverse-engineering executable code.
No good solution known.

For Cryptography
Many applications: fully homomorphic encryption, private to public key crypto, etc.

Obfuscation in Real World

• Copy protection/Licensing

• Spam – conceal code that spawns pop-ups

• Software watermarking

• Prevent reverse engineering
– By competitors
– By hackers (e.g., for games)

SafeDisc Advanced

if (test fails) then exit else …


Obfuscation: Cryptographer’s Dream

– Cryptographic delegation: signature delegation

– Transform any secret key cryptographic primitive into a public key one

– Compute on encrypted data

– Solve access control problems

Many cryptographic tasks could be achieved securely by writing a simple program and then obfuscating it (if possible!).

[Figure: signature delegation. Alice’s secret key and public key (SK, PK); SIG_SK on a message m can be verified given PK. Want to allow Bob to sign msgs on Oct05. Figure labels: SK_Oct07, SIG_SK, Obf( ).]

Black-Box Obfuscation: Informal Definition [BGI+01]

Obf(P) is essentially equivalent to a black box.

[Figure: a black box labelled P; Obf maps P to Obf(P).]

Defining Obfuscation

[BGIRSVY] Obfuscated program should be “as secure as” black-box access.

Obfuscator O runs on programs*, must satisfy:
1. Preserves functionality
2. Polynomial slow-down
3. Virtual black-box

*Turing Machines, Circuits

Defining Obfuscation

An algorithm O is an obfuscator if for any program P:

• (functionality) O(P) ~ P (i.e., O(P) computes the same function as P)

• (polynomial slowdown) running time of O(P) ≤ p(running time of P) for some polynomial p(·).

We say that O is efficient if it runs in polynomial time.

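Predicate Virtual Black-Box [BGIRSVY]:
For any poly learner L, exists poly simulator S, s.t. for every (poly time) program P:
Pr[L(O(P)) = 1] ≈ Pr[S^P(1^{|P|}) = 1]

[Figure: the Learner is given O(P) and outputs 0/1; the Simulator has oracle access to P (query x, answer P(x)) and outputs 0/1; the two outputs are ≈.]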

Previous Work

[Hada] implications of strong obfuscators

Strong Negative Results
[BGIRSVY] exist Turing Machines, circuits that cannot be obfuscated
[GK] under stronger definition, many natural circuits cannot be obfuscated

Limited Positive Results
Obfuscating “point functions” [C,LPS,W,CMR,DS]
Obfuscating using random oracle [LPS]

Unfortunately…
General-purpose obfuscation is IMPOSSIBLE

Proof for Turing Machines:
C_{α,β}(x) = β if x=α, 0 otherwise
D_{α,β}(C) = 1 if C(α)=β, 0 otherwise

Intuition:
Given C_{α,β}, D_{α’,β’}, “know” output D_{α’,β’}(C_{α,β})
Given black-box access to C_{α,β}, D_{α’,β’}, “don’t know” what D_{α’,β’}(C_{α,β}) outputs!

“Proof”
C_{α,β}(x) = β if x=α, 0 otherwise
D_{α,β}(C) = 1 if C(α)=β, 0 otherwise

F_{α,β}(b,y) = C_{α,β}(y) if b=0, D_{α,β}(y) if b=1

Z_{α,β}(b,y) = 0 if b=0, D_{α,β}(y) if b=1

From black-box access, F_{α,β}, Z_{α,β} look the same
From non black-box access:

O(F_{α,β})(1, O(F_{α,β}(0,·))) = 1
O(Z_{α,β})(1, O(Z_{α,β}(0,·))) = 0
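The F/Z argument above, run as code. This is an added example, not part of the original slides: `obfuscate` is a stand-in for any functionality-preserving O, and the 16-byte length of α and β, the helper names and the query strategy in `black_box_view` are assumptions made for the demonstration.

```python
import secrets

N = 16                 # constructed parameter: alpha, beta are random N-byte strings
ZERO = bytes(N)

def make_F(alpha, beta):
    """F(0, y) = C(y) = beta if y == alpha else 0;  F(1, y) = D(y)."""
    def F(b, y):
        if b == 0:
            return beta if y == alpha else ZERO
        return 1 if y(alpha) == beta else 0       # D: here y is a program
    return F

def make_Z(alpha, beta):
    """Z agrees with F on b == 1 but answers 0 on every b == 0 query."""
    def Z(b, y):
        if b == 0:
            return ZERO
        return 1 if y(alpha) == beta else 0
    return Z

def obfuscate(prog):
    """Stand-in for any O: the only property used is that O(P) computes P."""
    return lambda b, y: prog(b, y)

def code_learner(obf):
    """Non-black-box learner: feed the b=0 half of the program to its b=1 half."""
    return obf(1, lambda y: obf(0, y))

def black_box_view(prog, trials=1000):
    """Answers seen by a learner limited to queries; it has no way to name alpha."""
    view = []
    for _ in range(trials):
        guess = secrets.token_bytes(N)
        view.append(prog(0, guess))                  # string query
        view.append(prog(1, lambda y, g=guess: g))   # program query: constant g
    return view

alpha, beta = secrets.token_bytes(N), secrets.token_bytes(N)
OF = obfuscate(make_F(alpha, beta))
OZ = obfuscate(make_Z(alpha, beta))
```

`code_learner` needs nothing from O beyond a program it can run, which is why the distinguisher works against every candidate obfuscator, while the query-only views of F and Z coincide except with negligible probability.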

What to Do?

Look at more specific programs
Point Functions

Relax the Definition
No more black box!

Obfuscating Point Functions

Point or “password” function family:

I_p(x) = 1 if x = p, 0 otherwise

Useful e.g. for access control, storing passwords
Restricted family of functions/programs

Tool: Random Oracle

Say we have access to a truly random function

Random Oracle R: {0,1}^n -> {0,1}^n

Only way to learn output is querying oracle on input

In general, model is useful (e.g. [FS]) but problematic [CGH,DNRS,GK]

Obfuscating Point Functions

Obfuscated Program(I_p): [LPS]
Store R(p) (in the clear)
on input x, if R(x)=R(p) output 1, otherwise output 0

Obfuscated b/c of random oracle

Get similar results from (strong) assumptions [C,W]
Note obfuscator works only for very simple point function programs [M]
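The construction above together with a sketch of why the oracle makes it black-box, as an added example that is not from the original slides. The random oracle is modelled by lazy sampling; `LazyOracle`, `SimulatedOracle`, `obfuscate_point`, the 16-byte length and the sample inputs are all assumptions of this sketch.

```python
import secrets

N = 16  # oracle output length in bytes (constructed parameter)

class LazyOracle:
    """Truly random function R, sampled lazily on first query."""
    def __init__(self):
        self.table = {}
    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.answer(x)
        return self.table[x]
    def answer(self, x):
        return secrets.token_bytes(N)

def obfuscate_point(p, R):
    """O(I_p) as on the slide: keep only R(p); accept x iff R(x) == R(p)."""
    tag = R(p)
    return tag, (lambda x: 1 if R(x) == tag else 0)

class SimulatedOracle(LazyOracle):
    """Simulator's oracle: built from black-box access to I_p, never from p."""
    def __init__(self, I_p):
        super().__init__()
        self.I_p, self.tag, self.bb_queries = I_p, secrets.token_bytes(N), 0
    def answer(self, x):
        self.bb_queries += 1     # one black-box query per fresh oracle query
        return self.tag if self.I_p(x) else secrets.token_bytes(N)

def demo():
    p, wrong = b"constructed-pass", b"constructed-miss"   # made-up sample inputs
    tag, prog = obfuscate_point(p, LazyOracle())
    real = [prog(p), prog(wrong)]
    sim = SimulatedOracle(lambda x: 1 if x == p else 0)    # I_p as a black box
    sim_prog = lambda x: 1 if sim(x) == sim.tag else 0     # same code, fake tag
    simulated = [sim_prog(p), sim_prog(wrong), sim_prog(p)]
    return real, simulated, sim.bb_queries
```

The learner's view (a stored tag plus oracle answers) has the same distribution in both worlds, and every fresh oracle query in the simulated world costs exactly one black-box query to I_p.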

What to Do?

Look at more specific programs
Point Functions

Relax the Definition
No more black box!

Relaxed Definition

Compare obfuscated program with black box?
“Apples and oranges”. Program is not black box.

Relax requirement:
Compare obfuscated program with other programs, we want obfuscation that is “more secure” than any other program!
Best possible obfuscation.

Best Possible Obfuscation [GR]:

For every poly learner L, exists poly simulator S s.t. for every circuit C1, for every equivalent C2 (|C1| = |C2|), distributions L(O(C1)) and S(C2) indistinguishable.

[Figure: the Learner is given O(C1) and produces an output; the Simulator is given C2 and produces an output; the two outputs are ≈. Indistinguishability variants: Computational, Statistical, Perfect.]

Meaningful Guarantee?

Guarantee from definition:
Anything that can be learned from O(C) can be learned from any equivalent circuit of same size as C. O(C) is “more secure” than all these circuits.

Obfuscator has to output some circuit equivalent to C, definition guarantees the output is best possible.

Indistinguishability Obfuscators

[BGIRSVY] Indistinguishability Obfuscator
Obfuscations of equivalent circuits of the same size should be computationally indistinguishable.

Definitions equivalent for efficient obfuscation (but not for inefficient obfuscation).

Best-Possible Obfuscation Results

Best possible vs. black box obfuscation
– Black-box implies best-possible.
– A “natural” obfuscation task can be achieved under best-possible but not under black-box definition.

Unconditionally (statistically) best-possible
– If P=NP can best-possible obfuscate all circuits.
– Unconditionally best possible obfuscation for AC0 implies PH collapses to second level.

Obfuscation and Random Oracles
– Can use random-oracle to build (simple, natural) circuits that cannot be best-possible obfuscated.

Best Possible vs. Black-Box Obfuscation

Best-Possible vs. Black-Box

Claim: black-box obfuscator → best-possible obfuscator

Proof Intuition:
Suppose obfuscator not best-possible:
Obfuscations of equivalent C1 and C2 are distinguishable from non-black-box access, but circuits indistinguishable from black-box access!

Predicate Adversary “guesses” whether obfuscation is of C1 or C2.

Obfuscator is not black-box!

Best-Possible vs. Black-Box (2)

OBDDs: log-space programs with read-once left-to-right access to their input tape.

Claim: Can efficiently best-possible* obfuscate OBDDs as OBDDs.
Proof: OBDDs have efficiently computable canonical representation [Bryant].

Claim: OBDDs cannot be black-box obfuscated as OBDDs.
Proof: Extract non black-box information from canonical representation.

Restriction:

Require that obfuscator maintains complexity measures of obfuscated program.

Interesting both for positive and negative results.
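The first claim above, as an added example that is not from the original slides: an "obfuscator" that outputs the canonical reduced form of an OBDD maps every equivalent OBDD (same variable order) to the same object. The dict encoding of OBDDs, the function names and the three sample diagrams are constructed for this sketch.

```python
from itertools import product

def canonical(bdd, root):
    """Reduce an OBDD to its canonical form under the fixed variable order.

    bdd maps node name -> (var, low_child, high_child); children are node
    names or the terminals 0 / 1. Result: nested tuples (var, low, high).
    """
    memo = {}
    def go(u):
        if u in (0, 1):
            return u
        if u not in memo:
            var, lo, hi = bdd[u]
            l, h = go(lo), go(hi)
            memo[u] = l if l == h else (var, l, h)   # drop redundant tests
        return memo[u]
    return go(root)

def run(bdd, root, x):
    """Evaluate the original OBDD on the input bits x."""
    u = root
    while u not in (0, 1):
        var, lo, hi = bdd[u]
        u = hi if x[var] else lo
    return u

def evaluate(form, x):
    """Evaluate a canonical form on the input bits x."""
    while form not in (0, 1):
        var, lo, hi = form
        form = hi if x[var] else lo
    return form

def support(form):
    """Variables the canonical form tests, read directly off the output."""
    if form in (0, 1):
        return set()
    return {form[0]} | support(form[1]) | support(form[2])

# Constructed samples: two different OBDDs for x0 AND x2, and one for x0 OR x2.
AND_A = {"a": (0, 0, "b"), "b": (1, "c", "d"), "c": (2, 0, 1), "d": (2, 0, 1)}
AND_B = {"r": (0, "s", "t"), "s": (2, 0, 0), "t": (2, 0, 1)}
OR_C = {"r": (0, "t", 1), "t": (2, 0, 1)}
INPUTS = list(product((0, 1), repeat=3))
```

Because the outputs for `AND_A` and `AND_B` are identical, nothing about which equivalent OBDD was the input survives; what the canonical form itself shows, such as `support`, is still handed to the learner in the clear, which is the kind of information the second claim refers to.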

Statistically Best-Possible Obfuscation

If P=NP…

Can perfectly best-possible obfuscate any circuit!
Obfuscator: output the lexicographically first smallest equivalent circuit (efficient if P=NP).
Simulator: also output the lexicographically first smallest equivalent circuit (efficient if P=NP).

PERFECTLY best-possible obfuscation.

Statistically Best-Possible?

Goal: unconditionally best-possible obfuscation?

Approaches:
Techniques from secure multi-party computation,
“Randomizing” circuits,
Focusing on low complexity classes.

Statistically Best-Possible → PH Collapse

Theorem:
If CNF circuits can be statistically best-possible obfuscated (even inefficiently), then polynomial hierarchy collapses.

Suppose O is statistically best possible obfuscator.

Idea:
Use O to get AM protocol for Co-NP complete language. Collapses poly hierarchy [F,AH,BHZ].

Co-NP complete language L:
circuit-equivalence, (C1,C2) in L iff C1 ≡ C2

Stat. Best-Possible → PH Collapse (2)

Stat. Best-Possible → PH Collapse (3)

On input (C1,C2) use distributions S(C1), S(C2)

If (C1,C2) not equivalent:
O(C1), O(C2) disjoint by preserving functionality, so S(C1), S(C2) stat.-far by best-possible property

If (C1,C2) equivalent:
O(C1), S(C1) stat.-close by best-possible property
O(C1), S(C2) stat.-close by best-possible property
conclude S(C1), S(C2) also stat. close

Reduced circuit equivalence to statistical distance, a problem in AM [SV].

Random Oracles and Obfuscation

Random Oracles and Obfuscation

[LPS] use random oracles to help obfuscation.

If one could realize random oracles, would this necessarily help obfuscation?

Not necessarily: can also use random oracles to build un-obfuscatable circuits!

Random Oracles and Obfuscation

Theorem:
There exists a simple family of circuits implementing point function functionalities that cannot be best-possible obfuscated.

Circuits in the family make oracle calls.

Does not rule out that every (non-oracle) circuit can be best-possible obfuscated.

Unobfuscatable Circuit C_{p,M} for I_p

For a point p ∈ {0,1}^n, choose subset M ⊆ [n]

[Figure: circuit C_{p,M} over inputs x1, x2, x3, x4, x5, ..., xn, with labels p|_{[n]\M}, M, R, R(p|_M), equality comparisons and Λ.]

Any circuit computed from C_{p,M} and preserving functionality must call oracle on x|_M.
Exposes non black-box info on M!

Conclusions and Open Problems

Black-Box Obfuscation
More natural impossibility results [GK]
More Positive Results [HRsV]
Constant-depth circuits?

New Best-Possible Obfuscators
Current positive results have flavor of “finding canonical representations”.
Goal: more examples of best-possible obfuscation.

Think outside the (black) box

Hardness Results?
Best-possible obfuscation hardness results likely to be different from black-box results.

THE END
Thank You