A Simple Obfuscation Scheme for Pattern-Matching with Wildcards

Allison Bishop♯ Lucas Kowalczyk♮ Tal Malkin♮ Valerio Pastro♭ Mariana Raykova♭ Kevin Shi♮

♯: IEX ♮: Columbia University ♭: Yale University

August 23, 2018


Introduction

Obfuscation


Proprietary algorithm? Cryptographic keys?


Virtual black-box obfuscation

Prior work
- Impossible for general circuits [BGI+01]
- Possible for limited function classes such as point functions [LPS04, Wee05] or hyperplane membership [CRV10]
- Most follow-up work has focused on weaker notions of obfuscation for general circuits, following the construction of [GGH+13]

Our work
- Consider a nontrivial and useful extension of point functions
- Construct distributional VBB from a simple assumption


Pattern matching with wildcards

A pattern $\sigma$ is an element $\sigma \in \{0, 1, *\}^n$
$f_\sigma(x) = 1$ if for every bit $i$, one of the following is true:
- $\sigma_i = x_i$
- $\sigma_i = *$
$w$ := number of $*$'s; can be a constant fraction of $n$

Example: $\sigma = 01{*}{*}01$
- $x = 010101$, $f(x) = 1$
- $x = 011001$, $f(x) = 1$
- $x = 110101$, $f(x) = 0$


Applications
- Non-wildcard slots in $\sigma$ represent a security flaw in code. Want to check for the presence of this flaw without revealing it.
- $\sigma$ matches a problematic input. Want to filter out these inputs without making a user aware if he/she is otherwise unaffected.


Pattern matching with wildcards

Prior work
- This function was previously studied by [BR13, BVWW16]
- From multilinear maps and from entropic LWE

Our work
- Proof of security in the generic group model
- Simple construction which relies only on elementary algebra to describe and implement


Distributional VBB for pattern matching with wildcards

Distributional VBB security
For every adversary $A$ there exists a simulator $S$ such that for every distribution $D \in D_n$ and every predicate $P : C_n \to \{0, 1\}$:

$$\left| \Pr_{C \leftarrow D_n,\, G,\, O^G,\, A}\left[ A^G(O^G(f_\sigma, 1^n)) = P(C) \right] - \Pr_{C \leftarrow D_n,\, S}\left[ S^C(1^n) = P(C) \right] \right| = \mathrm{negl}(n)$$

$O(f_\sigma)$ where $\sigma \sim D$
- Sample a random pattern $\sigma$
- Release obfuscation of $f_\sigma$

Simulator $S$
- Build 0-function simulator $E$
- Run $A$ on $E$


Generic group model

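Setup
$n \times 2$ table of $2n$ "handles" in $H$, where $h_{ij}$ corresponds to $x_i = j$

|   | $x_0$ | $x_1$ | $x_2$ | $\cdots$ | $x_{n-1}$ |
|---|---|---|---|---|---|
| 0 | $h_{00}$ | $h_{10}$ | $h_{20}$ | $\cdots$ | $h_{(n-1)0}$ |
| 1 | $h_{01}$ | $h_{11}$ | $h_{21}$ | $\cdots$ | $h_{(n-1)1}$ |

Group oracle
- Constructs a map $\Phi : G \to H$
- Given $h_1, h_2 \in \mathrm{Im}\,\Phi$, compute $\Phi(\Phi^{-1}(h_1), \Phi^{-1}(h_2))$

Proper evaluation
- Choose $h_{0 x_0}, \cdots, h_{(n-1) x_{n-1}}$ and do some math using the group oracle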


Construction

Proper evaluation

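Handle symmetry
Given the pattern $\sigma = 01*$, the following need to behave identically:

$x = 010$

|   | $x_0$ | $x_1$ | $x_2$ |
|---|---|---|---|
| 0 | $h_{00}$ | $h_{10}$ | $h_{20}$ |
| 1 | $h_{01}$ | $h_{11}$ | $h_{21}$ |

$x = 011$

|   | $x_0$ | $x_1$ | $x_2$ |
|---|---|---|---|
| 0 | $h_{00}$ | $h_{10}$ | $h_{20}$ |
| 1 | $h_{01}$ | $h_{11}$ | $h_{21}$ |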


Polynomial interpolation

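Setup
- Sample and fix a degree-$n$ polynomial $p \in \mathbb{Z}_p[x]$ such that $p(0) = 0$
- $a_1, \cdots, a_n \sim \mathbb{Z}_p$ and $f(x) = a_1 x + \cdots + a_n x^n$

Handle distribution
- $\sigma_i \neq j$: $\tilde{h}_{ij}$ is random in $\mathbb{Z}_p$
- $\sigma_i = j$: $\tilde{h}_{ij} = p(2i + j)$
- $\sigma_i = *$: $\tilde{h}_{ij} = p(2i + j)\ \forall j$

Example for $\sigma = 01*$

|   | $x_0$ | $x_1$ | $x_2$ |
|---|---|---|---|
| 0 | $p(0)$ | $r$ | $p(4)$ |
| 1 | $r$ | $p(3)$ | $p(5)$ |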


Function evaluation

- Pick the samples $\{\tilde{h}_{i x_i}\}_{i=0}^{n-1}$
- Construct the interpolating polynomial $\hat{p}$
- Output 1 if $\hat{p}(0) = 0$


Attacks in the clear

Error-correction for Reed-Solomon codes
- Treat the table of $2n$ handles as $2n$ samples of a degree-$n$ polynomial with some number of errors $e = n - w$
- The Berlekamp-Welch algorithm can decode if $w > n/2$

Observations
- Attacks require nonlinear computations over input-output pairs
- Correct evaluation of $\hat{p}(0)$ only requires a linear computation


Construction (in the exponent)

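Setup
- Sample and fix a degree-$n$ polynomial $p \in \mathbb{Z}_p[x]$ such that $p(0) = 0$
- Fix a cyclic group $G$ with generator $g$ and prime order $p$

Handle distribution
- $\sigma_i \neq j$: $h_{ij}$ is random in $G$
- $\sigma_i = j$: $h_{ij} = g^{p(2i + j)}$
- $\sigma_i = *$: $h_{ij} = g^{p(2i + j)}\ \forall j$

Example for $\sigma = 01*$

|   | $x_0$ | $x_1$ | $x_2$ |
|---|---|---|---|
| 0 | $g^{p(0)}$ | $r$ | $g^{p(4)}$ |
| 1 | $r$ | $g^{p(3)}$ | $g^{p(5)}$ |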


Polynomial interpolation in the exponent

Function evaluation
$p(x) = \sum_{i=0}^{n-1} y_i b_i(x)$: Lagrange interpolating polynomial over $\{(x_i, y_i)\}$

Compute Lagrange coefficients

$$C_i := b_i(0) = \prod_{j \neq i} \frac{-2j - x_j}{2i + x_i - x_j - 2j}$$

Compute

$$\prod_{i=0}^{n-1} h_{i x_i}^{C_i}$$

Correctness
If each $h_{i x_i} = g^{p(2i + x_i)}$, then

$$\prod_{i=0}^{n-1} h_{i x_i}^{C_i} = g^{\sum_{i=0}^{n-1} p(2i + x_i) C_i} = g^{p(0)}$$

If any $h_{i x_i}$ is a random group element, then the output is random.
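The construction in the exponent and its evaluation by Lagrange interpolation, as an added Python example that is not the authors' code. Assumptions: the group is the multiplicative group of GF(2^127), a toy prime-order stand-in for a standard group library; the evaluation points are shifted to 2(i+1)+j so that none equals 0; and p has degree at most n − 1 so that the n selected handles determine it.

```python
import secrets

# Toy prime-order group (assumption): the multiplicative group of GF(2^127),
# whose order Q = 2^127 - 1 is a Mersenne prime. Not a secure parameter choice.
Q = 2**127 - 1
POLY = (1 << 127) | 0b11   # x^127 + x + 1, irreducible over GF(2)
G = 2                      # the field element "x"; every element != 1 generates

def gmul(a, b):
    """Group operation: carry-less product reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> 127:
            a ^= POLY
        b >>= 1
    return r

def gpow(a, e):
    """Square-and-multiply; the exponent is reduced modulo the group order."""
    e %= Q
    r = 1
    while e:
        if e & 1:
            r = gmul(r, a)
        a = gmul(a, a)
        e >>= 1
    return r

def node(i, j):
    # Evaluation point of slot (i, j); shifted by one (assumption) so no node is 0
    return 2 * (i + 1) + j

def obfuscate(sigma):
    """Handle table (one [h_i0, h_i1] row per position) for a pattern over 0, 1, *."""
    if not sigma or set(sigma) - set("01*"):
        raise ValueError("pattern must be a non-empty string over 0, 1, *")
    # p(t) = a_1 t + ... + a_{n-1} t^{n-1}: p(0) = 0 and n points determine p
    coeffs = [secrets.randbelow(Q) for _ in range(len(sigma) - 1)]
    def p(t):
        return sum(a * pow(t, k + 1, Q) for k, a in enumerate(coeffs)) % Q
    return [[gpow(G, p(node(i, j))) if s in ("*", str(j))
             else secrets.randbelow(Q) + 1        # uniform random group element
             for j in (0, 1)]
            for i, s in enumerate(sigma)]

def evaluate(table, x):
    """Interpolate at 0 in the exponent; accept iff the result is g^0 = 1."""
    if len(x) != len(table) or set(x) - set("01"):
        raise ValueError("input must be a bit string of the pattern's length")
    bits = [int(c) for c in x]
    nodes = [node(i, b) for i, b in enumerate(bits)]
    acc = 1
    for i, ti in enumerate(nodes):
        num = den = 1
        for j, tj in enumerate(nodes):
            if j != i:
                num = num * (-tj) % Q
                den = den * (ti - tj) % Q
        c_i = num * pow(den, -1, Q) % Q           # Lagrange coefficient b_i(0)
        acc = gmul(acc, gpow(table[i][bits[i]], c_i))
    return acc == 1
```

A non-matching input selects at least one random handle, so it is accepted only with probability 1/Q.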


Generic group simulators

|   | Internal group representation | Example element |
|---|---|---|
| S | $G$ | $g^{p(3)}$ |
| E | $(\mathbb{Z}_p[c_1, \cdots, c_{2n}], +)$ | $c_{11}$ |
| M | $(\mathbb{Z}_p[a_1, \cdots, a_n, b_1, \cdots, b_{n-w}], +)$ | $3a_1 + 9a_2$, $b_1$ |


Security game

Things to keep track of in the generic group model
- Correspondence between handles and internal group elements
- When two different generic group simulators differ

Definition (Simultaneous oracle game)
An adversary is given access to a pair of oracles $(G_M, G_*)$, where $G_*$ is $G_M$ with probability 1/2 and $G_S$ with probability 1/2. In each round, the adversary asks the same query to both oracles. The adversary wins the game if he guesses correctly the identity of $G_*$.


Simultaneous oracle game between S and M

Definition (Evaluation map in the exponent)
Given fixed values $a_1, \cdots, a_n, b_1, \cdots, b_{n-w}$, we have the evaluation map

$$\varphi : \mathbb{Z}[a_1, \cdots, a_n, b_1, \cdots, b_{n-w}] \to G, \qquad F(a_1, \cdots, a_n, b_1, \cdots, b_{n-w}) \mapsto g^{F(a_1, \cdots, a_n, b_1, \cdots, b_{n-w})}$$

Notation
- $H_S^t, H_M^t$: the set of handles returned by the simulator up to round $t$
- $\Psi : H_M^t \to H_S^t$: the adversary's identification of handles returned by each simulator when given the same query
- $\Phi_M : \mathbb{Z}[a, b] \to H_M$, $\Phi_S : G \to H_S$: each simulator's internal mapping of group elements to handles


Inductive hypothesis

Suppose the adversary has made $t$ queries so far and has $H_S^t, H_M^t$ satisfying the following:

1. For each round $i \le t$ and query answers $h_i^s, h_i^m$, either $\Psi(h_i^m) = h_i^s$ or both $h_i^s \in H_S^{i-1}$ and $h_i^m \in H_M^{i-1}$
2. For every $h^s \in H_S^t$, $\exists! f \in \mathbb{Z}_p[a, b]$ such that $\Phi_S \circ \varphi(f) = i_S(h^s)$ and $\Psi^{-1}(h^s) = \Phi_M(f)$

[Figure: visualization of (2)]


The failure event

Given $t$ rounds of simulation, on round $t + 1$:

1. Adversary performs the query $h_1 \cdot h_2$ to Simulator M and $\Psi(h_1) \cdot \Psi(h_2)$ to Simulator S
2. Simulator M returns $h^m$ and Simulator S returns $h^s$
3. The inductive hypothesis holds for $t + 1$ unless $h^m \notin H_M^t$ but $h^s \in H_S^t$

$h^m = \Phi_M(f_m)$ for some $f_m$. By the inductive hypothesis $\exists! f_s$ such that $\Phi_S \circ \varphi(f_s) = i_S(h^s)$
Failure event is $f_s - f_m \in \ker \varphi$ but $f_s - f_m$ is nontrivial
This is just a combinatorial probability calculation


Conclusion

- We give an obfuscation scheme for pattern matching with wildcards from a simpler generic group assumption
- The construction itself is simple to describe and implement in any standard group library
- We give a new framework for formalizing generic group proofs via the simultaneous oracle game

Thanks for listening!


[BGI+01] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan, and Ke Yang. On the (im)possibility of obfuscating programs. In Advances in Cryptology - CRYPTO 2001, 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, pages 1–18, 2001.

[BR13] Zvika Brakerski and Guy N. Rothblum. Obfuscating conjunctions. In Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II, pages 416–434, 2013.

[BVWW16] Zvika Brakerski, Vinod Vaikuntanathan, Hoeteck Wee, and Daniel Wichs. Obfuscating conjunctions under entropic ring LWE. In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, Cambridge, MA, USA, January 14-16, 2016, pages 147–156, 2016.

[CRV10] Ran Canetti, Guy N. Rothblum, and Mayank Varia. Obfuscation of hyperplane membership. In Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9-11, 2010. Proceedings, pages 72–89, 2010.

[GGH+13] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. In FOCS, 2013.

[LPS04] Ben Lynn, Manoj Prabhakaran, and Amit Sahai. Positive results and techniques for obfuscation. In Advances in Cryptology - EUROCRYPT 2004, International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2-6, 2004, Proceedings, pages 20–39, 2004.

[Wee05] Hoeteck Wee. On obfuscating point functions. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22-24, 2005, pages 523–532, 2005.