Private Programs: Obfuscation, a survey Guy Rothblum Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and Yang Lynn, Prabhakaran and Sahai Goldwasser and R Using slides by Boaz Barak, Yael Kalai
Private Programs:Obfuscation, a survey
Guy Rothblum
Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and YangLynn, Prabhakaran and Sahai Goldwasser and RUsing slides by Boaz Barak, Yael Kalai
Program Obfuscation 101
Obfuscate [verb]“to make obscure or unclear”
ObfuscatorA compiler that takes programs and makes them difficult to understand.
Obf(P)
Code Obfuscation: what is it?
• To intentionally make a program unintelligible, while preserving its functionality.
Obf
• Goal: Change program so still has same I/O behavior but is impossible to understand
P
for (i=0; i < M.length; i++) { // Adjust position of clock hands var ML=(ns)?document.layers['nsMinutes'+i]:ieMinutes[i].style; ML.top=y[i]+HandY+(i*HandHeight)*Math.sin(min)+scrll; ML.left=x[i]+HandX+(i*HandWidth)*Math.cos(min); }
obfuscator
for(O79=0;O79<l6x.length;O79++){var O63=(l70)?document.layers["nsM\151\156u\164\145s"+O79]:ieMinutes[O79].style;O63.top=l61[O79]+O76+(O79*O75)*Math.sin(O51)+l73;O63.left=l75[O79]+l77+(O79*l76)*Math.cos(O51);}
Why Obfuscate?
For Software ProtectionSoftware vendors want to prevent users from reverse-engineering executable code.No good solution known.
For CryptographyMany applications: fully homomorphic encryption, private to public key crypto, etc.
Obfuscation in Real World
• Copy protection/Licensing
• Spam – conceal code that spawns pop-ups
• Software watermarking
• Prevent reverse engineering – By competitors– By hackers (e.g., for games)
SafeDisc Advanced
if (test fails) then exitelse …
Off the Shelf Obfuscators
Why Obfuscate?
For Software ProtectionSoftware vendors want to prevent users from reverse-engineering executable code.No good solution known.
For CryptographyMany applications: fully homomorphic encryption, private to public key crypto, etc.
– Cryptographic delegation: signature delegation
SIGSK(SK,PK)
m m
Obfuscation: Cryptographer’s Dream
Alice’s secret key and public
key
can be verified given PK
– Cryptographic delegation: signature delegation
– Transform any secret key cryptographic primitive into a public key one
– Compute on encrypted data
– Solve access control problems
Obfuscation: Cryptographer’s Dream
Many cryptographic tasks could be achieved securely by writing a simple program and then obfuscating it (if possible!).
(SK,PK)
Want to allow Bob to sign
msgs on Oct05
SKOct07
SIGSKObf( )
Black-Box Obfuscation: Informal Definition [BGI+01]
Obf(P) is essentially
equivalent to a black box . PP
Obf(P)ObfP
Defining Obfuscation[BGIRSVY] Obfuscated program should be
“as secure as” black-box access.
Obfuscator O runs on programs*, must satisfy:1. Preserves functionality2. Polynomial slow-down3. Virtual black-box
*Turing Machines, Circuits
Defining Obfuscation
An algorithm O is an obfuscator if for any program P:
• (functionality) O(P) ~ P (i.e., O(P) computes the same function as P)
• (polynomial slowdown)running time of O(P) p(running time of P)for some polynomial p( ).
We say that O is efficient if it runs in polynomial time.
Predicate Virtual Black-Box [BGIRSVY]:For any poly learner L, exists poly simulator S,s.t. for every (poly time) program P:Pr[L(O(P)) = 1] ≈ Pr[SP(1|P|)=1]
Simulator
Learner
O(P) P
0/1 0/1≈
x P(x)
Previous Work
[Hada] implications of strong obfuscators
Strong Negative Results[BGIRSVY] exist Turing Machines, circuits that cannot be obfuscated[GK] under stronger definition, many natural circuits cannot be obfuscated
Limited Positive ResultsObfuscating “point functions” [C,LPS,W,CMR,DS]Obfuscating using random oracle [LPS]
Unfortunately…General-purpose obfuscation is IMPOSSIBLE
Proof for Turing Machines:Cα,β(x) = β if x=α, 0 otherwiseDα,β(C) = 1 if C(α)=β, 0 otherwise
Intuition:Given Cα,β , Dα’,β’ “know” output Dα’,β’(Cα,β)Given black-box access to Cα,β , Dα’,β’
“don’t know” what Dα’,β’(Cα,β) outputs!
“Proof”Cα,β(x) = β if x=α, 0 otherwiseDα,β(C) = 1 if C(α)=β, 0 otherwise
Fα,β(b,y) = Cα,β(y) if b=0Dα,β(y) if b=1
Zα,β(b,y) = 0 if b=0Dα,β(y) if b=1
From black-box access, Fα,β, Zα,β look the sameFrom non black-box access:
O(Fα,β)(1, O(Fα,β(0,·))) = 1 O(Zα,β)(1, O(Zα,β(0,·))) = 0
Obfuscating Point Functions
Point or “password” function family:
Ip(x) = 1 if x=p
0 otherwise
Useful e.g. for access control, storing passwordsRestricted family of functions\programs
Tool: Random Oracle
Say we have access to a truly random function
Random OracleR:{0,1}n -> {0,1}n
Only way to learn output is querying oracle on inputIn general, model is useful (e.g. [FS])
but problematic [CGH,DNRS,GK]
Obfuscating Point FunctionsObfuscated Program(Ip): [LPS]
Store R(p) (in the clear)on input x, if R(x)=R(p) output 1
otherwise output 0
Obfuscated b\c of random oracle
Get similar results from (strong) assumptions [C,W]Note obfuscator works only for very simple point
function programs [M]
Relaxed Definition
Compare obfuscated program with black box?“Apples and oranges”. Program is not black box.
Relax requirement:Compare obfuscated program with other programs, we want obfuscation that is “more secure” than any other program!Best possible obfuscation.
Best Possible Obfuscation [GR]:
For every poly learner L, exists poly simulator S s.t. forevery circuit C1, for every equivalent C2 (|C1| = |C2|)distributions L(O(C1)) and S(C2) indistinguishable.
Simulator
Learner
O(C1)
0/1 0/1≈
C2
Output Output
x C(x)Computation
alStatisticalPerfect
C
Meaningful Guarantee?
Guarantee from definition:Anything that can be learned from O(C) can be learned from any equivalent circuit of same size as C. O(C) is “more secure” than all these circuits.
Obfuscator has to output some circuit equivalent to C, definition guarantees the output is best possible.
Indistinguishability Obfuscators
[BGIRSVY] Indistinguishability ObfuscatorObfuscations of equivalent circuits of the same size should be computationally indistinguishable.
Definitions equivalent for efficient obfuscation (but not for inefficient obfuscation).
Best-Possible Obfuscation ResultsBest possible vs. black box obfuscation
– Black-box implies best-possible.– A “natural” obfuscation task can be achieved under best-
possible but not under black-box definition.Unconditionally (statistically) best-possible
– If P=NP can best-possible obfuscate all circuits.– Unconditionally best possible obfuscation for AC0 implies
PH collapses to second level.Obfuscation and Random Oracles
– Can use random-oracle to build (simple, natural) circuits that cannot be best-possible obfuscated.
Best-Possible vs. Black-Box
Claim: black-box obfuscator → best-possible obfuscator
Proof Intuition:Suppose obfuscator not best-possible:
Obfuscations of equivalent C1 and C2 are distinguishable from non-black-box access,but circuits indistinguishable from black-box access!
Predicate Adversary“guesses” whether obfuscation is of C1 or C2.
Obfuscator is not black-box!
Best-Possible vs. Black-Box (2)OBDDs: log-space programs with read-once left-to-
right access to their input tape.
Claim: Can efficiently best-possible* obfuscate OBDDs as OBDDs.
Proof: OBDDs have efficiently computable canonical representation [Bryant].
Claim: OBDDs cannot be black-box obfuscated as OBDDs.Proof: Extract non black-box information from canonical
representation.
Restriction:
Require that obfuscator maintains complexity measures of obfuscated program.
Interesting both for positive and negative results.
If P=NP…
Can perfectly best-possible obfuscate any circuit!Obfuscator: output the lexicographically first smallest
equivalent circuit (efficient if P=NP).Simulator: also output the lexicographically first
smallest equivalent circuit (efficient if P=NP).
PERFECTLY best-possible obfuscation.
Statistically Best-Possible?
Goal: unconditionally best-possible obfuscation?
Approaches:Techniques from secure multi-party computation,“Randomizing” circuits,Focusing on low complexity classes.
Statistically Best-Possible → PH Collapse
Theorem:If CNF circuits can be statistically best-possible
obfuscated (even inefficiently),then polynomial hierarchy collapses.
Suppose O is statistically best possible obfuscator.
Idea:Use O to get AM protocol for Co-NP complete language. Collapses poly hierarchy [F,AH,BHZ].
Co-NP complete language L:circuit-equivalence, (C1,C2) in L iff C1 ≡ C2
Stat. Best-Possible → PH Collapse (2)
Stat. Best-Possible → PH Collapse (3)On input (C1,C2) use distributions S(C1),S(C2)
If (C1,C2) not equivalent: O(C1), O(C2) disjoint by preserving functionality so S(C1), S(C2) stat.-far by best-possible property
If (C1,C2) equivalent:O(C1), S(C1) stat.-close by best-possible propertyO(C1), S(C2) stat.-close by best-possible propertyconclude S(C1),S(C2) also stat. close
Reduced circuit equivalence to statistical distance,a problem in AM [SV].
Random Oracles and Obfuscation
[LPS] use random oracles to help obfuscation.
If one could realize random oracles, would this necessarily help obfuscation?
Not necessarily: can also use random oracles to build un-obfuscatable circuits!
Random Oracles and Obfuscation
Theorem:There exists a simple family of circuits implementing
point function functionalities that cannot be best-possible obfuscated.
Circuits in the family make oracle calls.
Does not rule out that every (non-oracle) circuit can be best-possible obfuscated.
Unobfuscatable Circuit Cp,M for Ip
p|[n]\M
R
x1 x2 x3 x4 x5 xn. . .
R(p|M)
Λ
For a point p {0,1}n , choose subset M [n]
M
==
Any Circuit computed from Cp,M and preserving functionality must call oracle on x|M.Exposes non black-box info on M!
Conclusions and Open Problems
Black-Box ObfuscationMore natural impossibility results [GK]More Positive Results [HRsV]Constant-depth circuits?
New Best-Possible ObfuscatorsCurrent positive results have flavor of “finding canonical representations”.Goal: more examples of best-possible obfuscation.
Think outside the (black) boxHardness Results?
Best-possible obfuscation hardness results likely to be different from black-box results.