OPENING THE BLACK BOX New Techniques in Cryptography Boaz Barak Institute for Advanced Study, Princeton, NJ
PROGRAMS ARE HARD TO UNDERSTAND • Can’t eliminate bugs • Understanding compiled progs even harder • “Natural state is complete unreadability” • HALTING undecidable • SAT probably hard • Can’t prove lower bounds
PROGRAMS AS BLACK BOXES Ignore actual code – only care about function (i.e., input/output relation). [Figure: a box with Input going in and Output coming out] Very common: • Programming langs – function calls • Algorithms – subroutines, recursion • Complexity – reductions
PROGRAMS AS BLACK BOXES Ignore actual code – only care about function. Common Intuition: No loss in generality since general code is useless anyway: can’t be understood. Sometimes: Formal Justification (HALTING, SAT). Can we justify it in cryptography?
MODERN CRYPTOGRAPHY A Central Activity: Construct scheme and reduce solving (assumed) hard problem to breaking scheme. Show that if ∃ a scheme-breaking alg then ∃ a problem-solving (e.g., factoring) alg. Implication: Problem actually hard ⇒ scheme unbreakable (before sun collapses). If common intuition holds (code useless) it’s • bad for crypto: limits on reductions • good for crypto: can “scramble” programs
IN THIS TALK Examine common intuition that “code useless” in crypto. Surprisingly, in many cases intuition is false. This implies: • positive results: more powerful reductions Get new (believed unobtainable) crypto schemes. • negative results: some schemes can’t be obtained
TALK PLAN Part I:“Scrambling/Obfuscating Programs”–A negative result [BGI+01]. Part II:“Zero Knowledge on the Internet” – A positive result [B01]. Part III: Some subsequent results [BGGL01,B02,BL02,L02,BLV03,KOS03,PR03,P04] “light” talk – almost no proofs / formal defs
PART I: OBFUSCATION Idea: Directly use “code useless” intuition for crypto: Q: Can we take arbitrary prog P and convert to P’ s.t. 1. P’ has same function as P 2. P’ is not much slower/bigger than P 3. P’ is “completely unintelligible” Procedure to convert P → P’ is called an “obfuscator”.
WHY MIGHT OBFs EXIST? • Because progs are hard to understand (bugs, HALTING, …) • Maybe compiler is already an obfuscator? (e.g., “closed source” considered unreadable) • Because in crypto we can do anything :) • Some commercial candidates. Diffie & Hellman (76): Maybe can obtain public key enc. by “obfuscating” a private key enc. scheme?
WHY SHOULD WE CARE? • Interesting in its own right. • Constructing OWF-based PK crypto [DH76](Arguably central problem of crypto.) • Software protection. • Digital rights management (DRM) …
MAIN RESULT (informal) Thm[BGI+01]: General-purpose obfs, even under very weak defs, do not exist. [BGI+01] Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang “On the (Im)possibility of Obfuscating Programs”, CRYPTO 2001.
DEFINING OBFs Def: O: P → P’ “totally fails” on P if 1. P can be efficiently recovered from O(P) (i.e., complete recovery of source code) 2. P is hard to learn (i.e., can’t recover P using BB access to its function) Thm [BGI+01]: ∀O ∃P s.t. O totally fails on P. (assuming OWF exist)
* “TASTE” OF PROOF Thm [BGI+01]: ∀O ∃P s.t. O totally fails on P. (assuming OWF exist) Pf: Show a family of programs, each indexed by a pair of random secret strings, s.t. O totally fails (code recovery + hard to learn) on a random member. Define P(b,x) for such a pair: if b=0 and x equals the first secret, output the second secret; if b=1 and x, interpreted as a program, satisfies x(0, first secret) = second secret, output the secret pair; 0 otherwise. Claim: ∀O, for random secrets, w.h.p. O totally fails on P. Pf: Black-box access is useless: for random secrets, can’t distinguish between P and the all-zero function using BB access (a query is answered non-zero only if it guesses the first secret). Can recover source from obf’d code: to recover the secrets from P’ = O(P), output P’(1, P’) (P’ computes the same function as P, so P’(0, first secret) = second secret and the b=1 branch fires). Note: In paper, rule out OBFs even for programs with bounded input length.
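The proof sketch above, as an added worked example that is not part of the talk or the [BGI+01] paper: the two-branch program family is modelled in Python, with programs represented as callables so that the b=1 branch can take a program as input. The obfuscator is a hypothetical stand-in (any functionality-preserving wrapper), since the argument uses nothing about the obfuscator beyond property 1. The secrets are random bytes generated for the demo.

```python
import secrets

# Added example (not from the talk): Python model of the BGI+01 unobfuscatable family.
# Programs are Python callables; the "obfuscator" below is a hypothetical stand-in.

def make_program(alpha: bytes, beta: bytes):
    """P_{alpha,beta}(b, x): the two-branch program from the proof sketch."""
    def P(b, x):
        if b == 0:
            # Branch 1: reveals the second secret only to someone who knows the first.
            return beta if x == alpha else 0
        if b == 1 and callable(x):
            # Branch 2: x is treated as a *program*. If it agrees with P on the
            # secret point, hand over both secrets.
            try:
                if x(0, alpha) == beta:
                    return (alpha, beta)
            except Exception:  # an arbitrary program may misbehave on (0, alpha)
                pass
        return 0
    return P

def hypothetical_obfuscator(P):
    """Stand-in for an arbitrary obfuscator O (assumption: any transform works).
    All the attack relies on is property 1: O(P) computes the same function as P."""
    decoy = secrets.token_bytes(32)  # decoy state that changes nothing
    def P_prime(b, x):
        _ = decoy
        return P(b, x)
    return P_prime

def black_box_learner(oracle, n_bytes: int, queries: int):
    """Learn the secrets from input/output access only. A query is answered
    non-zero only if it guesses the first secret: probability 2^-(8*n_bytes)."""
    for _ in range(queries):
        x = secrets.token_bytes(n_bytes)
        answer = oracle(0, x)
        if answer != 0:
            return (x, answer)
    return None

def recover_from_code(P_prime):
    """The non-black-box step: feed the obfuscated program to itself, P'(1, P')."""
    result = P_prime(1, P_prime)
    return None if result == 0 else result

def demo(n_bytes: int = 16, queries: int = 1000) -> dict:
    alpha, beta = secrets.token_bytes(n_bytes), secrets.token_bytes(n_bytes)
    P = make_program(alpha, beta)
    P_prime = hypothetical_obfuscator(P)
    probes = [(0, alpha), (0, b"junk"), (1, P), (1, 42)]
    return {
        # property 1 of an obfuscator: same function on every probe
        "same_function": all(P(b, x) == P_prime(b, x) for b, x in probes),
        # hard to learn: random queries never hit the first secret
        "black_box_recovered": black_box_learner(P_prime, n_bytes, queries) is not None,
        # but the code recovers both secrets in one evaluation
        "code_recovered": recover_from_code(P_prime) == (alpha, beta),
    }

if __name__ == "__main__":
    print(demo())
```

The learner in `black_box_learner` is handed the function only so it can call it; it never looks inside. `recover_from_code` works against any `hypothetical_obfuscator` you substitute, because the b=1 branch only asks whether the input program computes the right value at the secret point, which property 1 guarantees.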
MEANING OF RESULT Proved: No general-purpose obf exists. Maybe “virtually general-purpose” obf exists? Similar to critique of NP-completeness results. [Figure: O secure on “useful” progs (DES, RSA, AES, SHA, …), insecure on the counter ex.] PROBLEM W/ THIS ARGUMENT Q: If Alice writes new prog P, how can she know O is secure on P? A: Maker should provide well-defined set of “assured secure” progs. Problem: in many metrics, counter ex. is close to “useful” progs.
TALK PLAN Part I: “Scrambling/Obfuscating Programs”–A negative result [BGI+01]. Part II:“Zero Knowledge on the Internet” – A positive result [B01]. Part III: Some subsequent results [BGGL01,B02,L02,BLV03,KOS03,PR03,P04]
PART II: ZERO KNOWLEDGE Recall: Central crypto activity – Construct scheme S s.t. ∃ alg A that breaks S ⇒ ∃ alg B that factors integers. Standard Pf: B uses A as BB subroutine. Q: Can B gain anything by using A’s code? Intuition: NO – don’t know anything about adversary. [B01]: Intuition is false – obtain results previously proven impossible to obtain w/ black-box pf.
ZERO-KNOWLEDGE [GMR85] Roughly: Proof with “no added value”: Alice proves X true (e.g., G 3-colorable) to Bob. Bob learns only that X is true. Ex: Alice knows witness (3-coloring) to X = “G is 3col”, wants to convince Bob X is true w/o leaking info about witness. Motivation: • Interesting in own right. • Identification protocols (prove I know password/secret w/o giving any info [FS86]) • General Protocols – voting/auctions/poker (prove I acted properly w/o compromising my secrets)
ZERO-KNOWLEDGE [GMR85] CONCURRENT ZK Roughly: Proof with “no added value”: Alice proves X true(e.g., G 3-colorable) to Bob.Bob learns only that X is true A central crypto thm of 80’s [GMW86,FS89,BCY89,GK96]: Anything can be proven in zero knowledge. (using only O(1) communication rounds). A central question of 90’s [DNS98]: Is knowledge leaked in a concurrent execution? (a.k.a. “zero-knowledge on the internet”)
CONCURRENT ZK A central question of 90’s [DNS98]: Is knowledge leaked in a concurrent execution? [Figure: Alice running sessions concurrently with Bob1, Bob2, Bob3, …, Bobn] Known: Coordinated “Bob” may learn something.
CONCURRENT ZK A central question of 90’s [DNS98]: Is knowledge leaked in a concurrent execution? Thm [RK99]: Anything can be proven in concurrent ZK. # rounds: Õ(log n) [KPR00, PRS02]. Thm [CKPR01]: Protocols w/ black-box proofs require Ω̃(log n) rounds. Thm [B01]: Anything can be proven in O(1)-round concurrent ZK. Uses (inherently) non-BB proof. (concurrent = bounded concurrent)
* “TASTE” OF PROOF Thm [B01]: Anything can be proven in O(1)-round concurrent ZK. Tool: Witness Indistinguishable (WI) proofs [FS89]. Weaker property than ZK: When proving a statement X of form A ∨ B, only required to hide from Bob which of A or B is true (i.e., which witness was used). What we need to know: • Anything can be proven in O(1)-round WI. • Unlike ZK, WI composes concurrently [FS89].
* “TASTE” OF PROOF Thm [B01]: Anything can be proven in O(1)-round concurrent ZK. Our Proof System: To prove statement X do: Bob → Alice: random r ∈_R {0,1}^{10n}. Alice → Bob: WI proof that “X true or KC(r) < 5n”. KC(r) = length of min-sized TM M s.t. M() = r (KC(r) < 5n = |r|/2 means r is “compressible”). A random r is “incompressible” w.h.p., and so the protocol is sound. Next: show no info leaked in 2 executions…
Sample execution: Alice, Bob1, Bob2. Session 1: r = Bob1(); WIP “X true or KC(r) < 5n”. Session 2: r’ = Bob2(p-dialog); WIP “X true or KC(r’) < 5n”. f(X) = Bob3(dialog). Suppose Bob learns f(X) after 2 concurrent sessions. We show f(X) is easy to compute (even w/o talking to Alice!). Algorithm to compute f(X) will use Bob’s code! Compute (w/o Alice!) a string monolog indisting. from dialog: Bob1’s code is itself a short description of r, and Bob2’s code together with p-dialog is a short description of r’, so the simulator can prove the “KC < 5n” branch of each WI statement without a witness for X. Thus Bob3(monolog) = Bob3(dialog) = f(X). Look ma, no Alice! Using some tools (pseudorandom gens, PCP thm), can ensure |Bob1|, |Bob2|, |p-dialog| < n.
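The protocol and simulation sketch above, as an added example that is not part of the talk or of [B01]: this models only the witness relation behind “X true or KC(r) < 5n” and which witness each party can supply; it does not implement a WI proof system. KC is approximated from above by the bit-length of a Python source string that, when run, leaves r in the variable `r` (a description of r). X is a toy statement “I know a SHA-256 preimage of h”. `BOB1_SRC` is a constructed cheating verifier whose short code derives r deterministically; the honest verifier picks r at random.

```python
import hashlib
import secrets
from fractions import Fraction

# Added example (not from the talk): the OR-relation behind the [B01] protocol.
# A "description" is Python source that leaves r in variable r; its bit-length
# upper-bounds KC(r). This models the witness relation only, not a WI proof.

def run_description(src: str) -> bytes:
    """Run a description and return the string it produces."""
    env: dict = {}
    exec(src, env)
    return env["r"]

def description_bits(src: str) -> int:
    return 8 * len(src.encode())

def statement_for(secret: bytes) -> bytes:
    """Toy statement X: 'I know a SHA-256 preimage of h'."""
    return hashlib.sha256(secret).digest()

def relation(n: int, h: bytes, r: bytes, w_x, w_prog) -> bool:
    """Witness relation for 'X true OR KC(r) < 5n'. Either witness suffices."""
    if len(r) * 8 != 10 * n:  # verifier's first message must be 10n bits
        return False
    x_branch = w_x is not None and hashlib.sha256(w_x).digest() == h
    kc_branch = (w_prog is not None
                 and description_bits(w_prog) < 5 * n
                 and run_description(w_prog) == r)
    return x_branch or kc_branch

def honest_verifier_r(n: int) -> bytes:
    return secrets.token_bytes(10 * n // 8)

def compressible_fraction_bound(n: int) -> Fraction:
    """Soundness: fewer than 2^{5n} strings have a description under 5n bits,
    out of 2^{10n} possible r, so a random r is incompressible w.h.p."""
    return Fraction(2 ** (5 * n), 2 ** (10 * n))

# Constructed cheating verifier Bob1 (hypothetical): short code, deterministic r of 320 bytes.
BOB1_SRC = ("import hashlib\n"
            "r=b''\n"
            "for i in range(10):r+=hashlib.sha256(bytes([i])).digest()\n")

def demo(n: int = 256) -> dict:
    secret = secrets.token_bytes(32)
    h = statement_for(secret)
    r_random = honest_verifier_r(n)
    r_bob = run_description(BOB1_SRC)
    return {
        # honest Alice: has the X-witness, so any r works
        "honest_alice": relation(n, h, r_random, secret, None),
        # simulator with only black-box access to Bob: no witness for either branch
        "simulator_black_box": relation(n, h, r_bob, None, None),
        # simulator holding Bob's code: the code is a < 5n-bit description of r
        "simulator_with_code": relation(n, h, r_bob, None, BOB1_SRC),
        # Bob's code is not a description of an honestly random r (soundness)
        "code_against_random_r": relation(n, h, r_random, None, BOB1_SRC),
        "bob_description_bits": description_bits(BOB1_SRC),
    }

if __name__ == "__main__":
    print(demo())
```

The point is the asymmetry: with black-box access the simulator sees only r and has nothing to prove with, while holding Bob's code it has a witness for the second branch that a real prover facing a random r cannot have. The second session in the talk works the same way with Bob2's code plus the partial dialog as the description of r’.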
TALK PLAN Part I: “Scrambling/Obfuscating Programs” –A negative result [BGI+01]. Part II: “Zero Knowledge on the Internet” – A positive result [B01]. Part III: Some subsequent results [BGGL01,B02,L02,BLV03,KOS03,PR03,P04]
PART III: OTHER RESULTS Positive results using our non-BB techniques: • Non-Malleable Commitments (MIM attack) [B02] • Resettable model (e.g., smartcards) [BGGL01] • Strict poly-time extraction [BL02] • General bounded-concurrent computation [L03, PR03, P04] • Constant-round multi-party computation [KOS03, P04] • Password-based authentication prots [P04] Other directions: • Limits on non-BB techniques [BLV03] • More separations between BB and non-BB [BGGL01, BL02, L03]
OPEN QUESTIONS Understand power of non-black-box techniques in other contexts in crypto and complexity. Can we construct public key encryption based on one-way functions? (impossible using black-box proofs [IR94]) Prove more negative results for non-black-box techniques. (Interesting connections to other areas [DNRS00, BLV03])