 
A Simple Obfuscation Scheme for Pattern-Matching with Wildcards

Allison Bishop ♯, Lucas Kowalczyk ♮, Tal Malkin ♮, Valerio Pastro ♭, Mariana Raykova ♭, Kevin Shi ♮
♯: IEX, ♮: Columbia University, ♭: Yale University
August 23, 2018

Introduction: Obfuscation
  - Proprietary algorithm?
  - Cryptographic keys?

Introduction: Virtual black-box obfuscation

Prior work
  - Impossible for general circuits [BGI+01]
  - Possible for limited function classes such as point functions [LPS04, Wee05] or hyperplane membership [CRV10]
  - Most follow-up work has focused on weaker notions of obfuscation for general circuits, following the construction of [GGH+13]

Our work
  - Consider a nontrivial and useful extension of point functions
  - Construct distributional VBB from a simple assumption

Introduction: Pattern matching with wildcards

A pattern $\sigma$ is an element $\sigma \in \{0, 1, *\}^n$.
$f_\sigma(x) = 1$ if for every bit $i$, one of the following is true:
  - $\sigma_i = x_i$
  - $\sigma_i = *$
$w$ := number of $*$'s; can be a constant fraction of $n$.

Example: $\sigma = 01{*}{*}01$
  - $x = 010101$, $f(x) = 1$
  - $x = 011001$, $f(x) = 1$
  - $x = 110101$, $f(x) = 0$

Applications
  - Non-wildcard slots in $\sigma$ represent a security flaw in code. Want to check for the presence of this flaw without revealing it.
  - $\sigma$ matches a problematic input. Want to filter out these inputs without making a user aware if he/she is otherwise unaffected.

Introduction: Pattern matching with wildcards

Prior work
  - This function was previously studied by [BR13, BVWW16]
  - From multilinear maps and from entropic LWE

Our work
  - Proof of security in the generic group model
  - Simple construction which relies only on elementary algebra to describe and implement

Introduction: Distributional VBB for pattern matching with wildcards

Distributional VBB security
  For every adversary $\mathcal{A}$ there exists a simulator $\mathcal{S}$ such that for every distribution $D \in \mathcal{D}_n$ and every predicate $P : \mathcal{C}_n \to \{0, 1\}$:

  $$\left| \Pr_{C \leftarrow \mathcal{D}_n,\, G,\, \mathcal{O}^G,\, \mathcal{A}}\left[ \mathcal{A}^G(\mathcal{O}^G(f_\sigma, 1^n)) = P(C) \right] - \Pr_{C \leftarrow \mathcal{D}_n,\, \mathcal{S}}\left[ \mathcal{S}^C(1^n) = P(C) \right] \right| = \mathrm{negl}(n)$$

$\mathcal{O}(f_\sigma)$ where $\sigma \sim D$
  - Sample a random pattern $\sigma$
  - Release obfuscation of $f_\sigma$

Simulator $\mathcal{S}$
  - Build 0-function simulator $E$
  - Run $\mathcal{A}$ on $E$

Introduction: Generic group model

Setup
  $n \times 2$ table of $2n$ "handles" in $H$, where $h_{ij}$ corresponds to $x_i = j$:

         $x_0$     $x_1$     $x_2$     ...   $x_{n-1}$
    0    $h_{00}$  $h_{10}$  $h_{20}$  ...   $h_{(n-1)0}$
    1    $h_{01}$  $h_{11}$  $h_{21}$  ...   $h_{(n-1)1}$

Group oracle
  - Constructs a map $\Phi : G \to H$
  - Given $h_1, h_2 \in \mathrm{Im}\,\Phi$, compute $\Phi(\Phi^{-1}(h_1), \Phi^{-1}(h_2))$

Proper evaluation
  Choose $h_{0x_0}, \dots, h_{(n-1)x_{n-1}}$ and do some math using the group oracle.

Construction: Proper evaluation

Handle symmetry
  Given the pattern $\sigma = 01*$, the following need to behave identically:

  x = 010
         $x_0$     $x_1$     $x_2$
    0    $h_{00}$  $h_{10}$  $h_{20}$
    1    $h_{01}$  $h_{11}$  $h_{21}$

  x = 011
         $x_0$     $x_1$     $x_2$
    0    $h_{00}$  $h_{10}$  $h_{20}$
    1    $h_{01}$  $h_{11}$  $h_{21}$

Construction: Polynomial interpolation

Setup
  - Sample and fix a degree-$n$ polynomial $p \in \mathbb{Z}_p[x]$ such that $p(0) = 0$
  - $a_1, \dots, a_n \sim \mathbb{Z}_p$ and $f(x) = a_1 x + \dots + a_n x^n$

Handle distribution
  - $\sigma_i \neq j$: $\tilde{h}_{ij}$ is random in $\mathbb{Z}_p$
  - $\sigma_i = j$: $\tilde{h}_{ij} = p(2i + j)$
  - $\sigma_i = *$: $\tilde{h}_{ij} = p(2i + j)$ $\forall j$

Example for $\sigma = 01*$

         $x_0$    $x_1$    $x_2$
    0    $p(0)$   $r$      $p(4)$
    1    $r$      $p(3)$   $p(5)$

Construction: Function evaluation

Function evaluation
  - Pick the samples $\{\tilde{h}_{ix_i}\}_{i=0}^{n-1}$
  - Construct the interpolating polynomial $\hat{p}$
  - Output 1 if $\hat{p}(0) = 0$

Construction: Attacks in the clear

Error-correction for Reed-Solomon codes
  - Treat the table of $2n$ handles as $2n$ samples of a degree-$n$ polynomial with some number of errors $e = n - w$
  - The Berlekamp-Welch algorithm can decode if $w > \frac{n}{2}$

Observations
  - Attacks require nonlinear computations over input-output pairs
  - Correct evaluation of $\hat{p}(0)$ only requires a linear computation
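
An added sketch of the in-the-clear scheme from the "Polynomial interpolation" and "Function evaluation" slides (example code written for this page, not the authors' implementation). It assumes a polynomial of degree at most n - 1 so that n samples determine it, evaluation points 2(i+1)+j so that no sample sits at 0, and the modulus 2^61 - 1; all function names are hypothetical.

```python
import secrets

Q = 2**61 - 1  # prime modulus (assumed for this example)

def point(i, j):
    # Evaluation point for handle (i, j); shifted by one so no sample sits at 0.
    return 2 * (i + 1) + j

def obfuscate(sigma):
    """Return the n x 2 handle table for a pattern over '0', '1', '*'."""
    n = len(sigma)
    # Random polynomial with zero constant term, degree at most n - 1 (assumption).
    coeffs = [0] + [secrets.randbelow(Q) for _ in range(n - 1)]
    def poly(x):
        return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q
    table = []
    for i, s in enumerate(sigma):
        row = []
        for j in (0, 1):
            if s == '*' or int(s) == j:
                row.append(poly(point(i, j)))      # handle lies on the polynomial
            else:
                row.append(secrets.randbelow(Q))   # handle is uniformly random
        table.append(row)
    return table

def lagrange_at_zero(xs):
    """Coefficients L_k such that p_hat(0) = sum(L_k * y_k) for samples at xs."""
    out = []
    for k, xk in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != k:
                num = num * (-xm) % Q
                den = den * (xk - xm) % Q
        out.append(num * pow(den, -1, Q) % Q)
    return out

def evaluate(table, x):
    """Return 1 if the polynomial interpolated from the chosen handles is 0 at 0."""
    xs = [point(i, int(b)) for i, b in enumerate(x)]
    ys = [table[i][int(b)] for i, b in enumerate(x)]
    # Linear combination of the chosen handles; coefficients depend only on x.
    acc = sum(L * y for L, y in zip(lagrange_at_zero(xs), ys)) % Q
    return 1 if acc == 0 else 0
```

`evaluate` touches the handles only through a fixed linear combination, which is the property the "Observations" slide relies on; a non-matching input is accepted only with probability about 1/Q.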

Construction: Construction (in the exponent)

Setup
  - Sample and fix a degree-$n$ polynomial $p \in \mathbb{Z}_p[x]$ such that $p(0) = 0$
  - Fix a cyclic group $G$ with generator $g$ and prime order $p$