opening the black box boaz barak institute for advanced study princeton, nj new techniques in...
TRANSCRIPT
OPENING THE BLACK BOX
Boaz BarakInstitute for Advanced Study
Princeton, NJ
New Techniques in Cryptography
PROGRAMS ARE HARD TO UNDERSTAND
• Can’t eliminate bugs
• Understanding compiled progs even harder
• “Natural state is complete unreadability”
• HALTING undecidable
• SAT probably hard
• Can’t prove lower bounds
PROGRAMS AS BLACK BOXES
• Programming langs – function calls• Algorithms – subroutines, recursion• Complexity – reductions
Ignore actual code – only care about function
Very common:
Input Output
(i.e., input/output relation)
PROGRAMS AS BLACK BOXES
Ignore actual code – only care about function
Common Intuition: No loss in generality since general code is useless anyway: can’t be understood.Sometimes: Formal Justification (HALTING,SAT)
Can we justify it in cryptography?
Input Output
MODERN CRYPTOGRAPHY
A Central Activity: Construct scheme and reduce solving (assumed) hard problem to breaking scheme.
Implication: Problem actually hard ) scheme unbreakable (before sun collapses)
If common intuition holds (code useless) it’s
• bad for crypto: limits on reductions
• good for crypto: can “scramble” programs
Show that if 9 a scheme-breaking alg then 9 a problem-solving (e.g. factoring) alg.
IN THIS TALK
Examine common intuition that “code useless” in crypto.
This implies:
• positive results: more powerful reductions
Surprisingly, in many cases intuition is false.
Get new (believed unobtainable) crypto schemes.
• negative results: some schemes can’t be obtained
TALK PLAN
Part I: “Scrambling/Obfuscating Programs”–A negative result [BGI+01].
Part II: “Zero Knowledge on the Internet” – A positive result [B01].
“light” talk – almost no proofs / formal defs
Part III: Some subsequent results [BGGL01,B02,BL02,L02,BLV03,KOS03,PR03,P04]
PART I: OBFUSCATION
Idea: Directly use “code useless” intuition for crypto:
Q: Can we take arbitrary prog P and convert to P’ s.t.
1. P’ has same function as P2. P’ is not much slower/bigger than P3. P’ is “completely unintelligible”
Procedure to convert P P’ is called “obfuscator”.
WHY MIGHT OBFs EXIST?
• Because progs are hard to understand (bugs,HALTING,…)
• Maybe compiler is already obfuscator?(e.g., “closed source” considered unreadable)
• Because in crypto we can do anything :)
• Some commercial candidates.
Diffie&Hellman (76): Maybe can obtain public key enc. by “obfuscating” a private key enc. scheme?
WHY SHOULD WE CARE?
• Interesting in its own right.
• Constructing OWF-based PK crypto [DH76] (Arguably central problem of crypto.)
• Software protection.
• Digital rights management (DRM)…
MAIN RESULT (informal)
Thm [BGI+01]: General-purpose obfs, even under very weak defs, do not exist.
[BGI+01] Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang “On the (Im)possibility of Obfuscating Programs”, CRYPTO 2001.
DEFINING OBFs
Def: O:PP “totally fails” on P if
1. P can be efficiently recovered from O(P)(i.e., complete recovery of source code)
2. P is hard to learn (i.e., can’t recover P using BB access to its function)
Thm [BGI+01]: 8 O 9 P s.t. O totally fails on P. (assuming OWF exist)
* “TASTE” OF PROOF
* “TASTE” OF PROOF
Pf: Show function family {P,} s.t. O totally fails (code recovery + hard to learn) on random member:
Thm [BGI+01]: 8 O 9 P s.t. O totally fails on P. (assuming OWF exist)
DefineP,(b,x)=
b=0 , x=
b=1 , x(0,)=
0 otherwise
Claim: 8O for random , w.h.p. O totally fails on P,
DefineP,(b,x)=
b=0 , x=
b=1 , x(0,)=
0 otherwise
Claim: 8O for random , w.h.p. O totally fails on P,
* “TASTE” OF PROOF
Thm [BGI+01]: 8 O 9 P s.t. O totally fails on P. (assuming OWF exist)
Pf: Show function family {P,} s.t. O totally fails (code recovery + hard to learn) on random member:
Pf:
To recover , from P’=O(P,) - output P’(1,P’)
For random , can’t distinguish bet P, and all-zero function using BB access.
DefineP,(b,x)=
b=0 , x=
b=1 , x(0,)=
0 otherwise
Claim: 8O for random , w.h.p. O totally fails on P,
Note: In paper, rule out OBFs for programs with bounded input length.
Black-box access is useless:
Can recover source from obf’d code:
MEANING OF RESULT
Proved: No general-purpose obf exists.
Maybe “virtually general-purpose” obf exists?
Counter Ex.
“Useful” progs (DES,RSA,AES,SHA,…)
Similar to critique of NP-completeness results.
O secure
MEANING OF RESULT
Proved: No general-purpose obf exists.
Maybe “virtually general-purpose” obf exists?
Similar to critique of NP-completeness results.
PROBLEM W/ THIS ARGUMENT
“Useful” progs (DES,RSA,AES,SHA,…)
Counter Ex.
O secure
PROBLEM W/ THIS ARGUMENT
“Useful” progs (DES,RSA,AES,SHA,…)
O secure
Q: If Alice writes new prog P, how can she know O is secure on P?
“assured” progs
A: Maker should provide well-defined set of “assured secure” progs.
Problem: in many metrics, counter ex. close to “useful”.
Counter Ex.
TALK PLAN
Part I: “Scrambling/Obfuscating Programs”–A negative result [BGI+01].
Part II: “Zero Knowledge on the Internet” – A positive result [B01].
Part III: Some subsequent results [BGGL01,B02,L02,BLV03,KOS03,PR03,P04]
PART II: ZERO KNOWLEDGE
Recall: Central crypto activity –Construct scheme S s.t.
9alg A breaks S ) 9alg B factors integers
Standard Pf: B uses A as BB subroutine
Q: Can B gain anything by using A’s code?
Intuition: NO – don’t know anything about adversary.
[B01]:Intuition is false – obtain results previously proven impossible to obtain w/ black-box pf.
ZERO-KNOWLEDGE [GMR85]
Roughly: Proof with “no added value”:
Alice proves X true (e.g., G 3-colorable) to Bob.Bob learns only that X is true
Motivation:
• Interesting in own right.
• Identification protocols (prove I know password/secret w/o giving any info [FS86])
• General Protocols – voting/auctions/poker (prove I acted properly w/o compromising my secrets)
Ex: Alice knows witness (3-coloring) to X=“G is 3col”, wants to convince Bob is true w/o leaking info about witness.
ZERO-KNOWLEDGE [GMR85]
Roughly: Proof with “no added value”:
A central crypto thm of 80’s [GMW86,FS89,BCY89,GK96]:
Anything can be proven in zero knowledge.
A central question of 90’s [DNS98]:
Is knowledge leaked in a concurrent execution?
CONCURRENT ZK
Alice proves X true (e.g., G 3-colorable) to Bob.Bob learns only that X is true
(a.k.a. “zero-knowledge on the internet”)
(using only O(1) communication rounds).
CONCURRENT ZKA central question of 90’s [DNS98]:
Is knowledge leaked in a concurrent execution?
Alice
Bob1
Bob2
Bob3
…
Bobn
Known: Coordinated “Bob” may learn something.
CONCURRENT ZKA central question of 90’s [DNS98]:
Is knowledge leaked in a concurrent execution?
Thm [RK99]: Anything can be proven in concurrent ZK
# rounds: O~(log n) [KPR00,PRS02]
Thm [CKPR01]: Protocols w/ black-box proofs require ~(log n) rounds.
Thm [B01]: Anything can be proven in O(1)-round concurrent ZK.
Uses (inherently) non-BB proof
* “TASTE” OF PROOF
skip(concurrent = bounded concurrent)
* “TASTE” OF PROOF
Tool: Witness Indistinguishable (WI) proofs [FS89]
Weaker property than ZK:When proving a statement X of form AÇB only required to hide from Bob if A or B is true.
What we need to know:
• Anything can be proven in O(1)-round WI.
• Unlike ZK, WI composes concurrently [FS89]
Thm [B01]: Anything can be proven in O(1)-round concurrent ZK.
* “TASTE” OF PROOF
Alice Bob
WIP X true or KC(r)<5n
Our Proof System: To prove statement X do:
KC(r) = length of min-sized TM M s.t. M()=r
( KC(r)<5n=|r|/2 means r is “compressible” )
r 2R {0,1} 10n
Thm [B01]: Anything can be proven in O(1)-round concurrent ZK.
A random r is “incompressible” w.h.p. and so protocol is sound.
Next: show no info leaked in 2 executions…skip
Suppose Bob learns f(X) after 2 concurrent sessions.
We show f(X) is easy to compute (even w/o talking to Alice!)
Algorithm to compute f(X) will use Bob’s code!
Alice Bob1r=Bob1() Bob2
r’=Bob2(p-dialog)
f(X)=Bob3(dialog)
Sample execution:
WIP X true or KC(r)<5n
WIP X true or KC(r’)<5n
Suppose Bob learns f(X) after 2 concurrent sessions.
Algorithm to compute f(X) will use Bob’s code!
Alice Bob1r=Bob1() Bob2
r’=Bob2(p-dialog)
f(X)=Bob3(dialog)
Sample execution:
WIP X true or KC(r)<5n
WIP X true or KC(r’)<5n
We show f(X) is easy to compute (even w/o talking to Alice!)
We show f(X) is easy to compute (even w/o talking to Alice!)
Compute (w/o Alice!) string monolog indisting from dialog.
Alice Bob1r=Bob1() Bob2
r’=Bob2(p-dialog)
f(X)=Bob3(dialog)
Sample execution:
Thus Bob3(monolog)=Bob3(dialog)=f(X)
=Bob3(monolog)
Look ma, no Alice!
??
X
WIP X true or KC(r’)<5n
WIP X true or KC(r)<5n
We show f(X) is easy to compute (even w/o talking to Alice!)
Alice Bob1r=Bob1() Bob2
r’=Bob2(p-dialog)
f(X)=Bob3(dialog)
Thus Bob3(monolog)=Bob3(dialog)=f(X)
=Bob3(monolog)
Look ma, no Alice!
??
X
WIP X true or KC(r’)<5n
WIP X true or KC(r)<5n
Compute (w/o Alice!) string monolog indisting from dialog.
Compute (w/o Alice!) string monolog indisting from dialog.
Alice Bob1r=Bob1() Bob2
r’=Bob2(p-dialog)
f(X)=Bob3(dialog)
Using some tools (pseudorandom gens, PCP thm), can ensure |Bob1|,|Bob2|,|p-dialog|<n
=Bob3(monolog)
Look ma, no Alice!
?
X
WIP X true or KC(r’)<5n
WIP X true or KC(r)<5n!
?!
TALK PLAN
Part I: “Scrambling/Obfuscating Programs” –A negative result [BGI+01].
Part II: “Zero Knowledge on the Internet” – A positive result [B01].
Part III: Some subsequent results [BGGL01,B02,L02,BLV03,KOS03,PR03,P04]
PART III: OTHER RESULTSPositive results using our non-BB techniques:
• Non-Malleable Commitments (MIM attack) [B02]
• Resettable model (e.g., smartcards) [BGGL01]
• Strict poly-time extraction [BL02]
• General bounded-concurrent computation [L03,PR03,P04]
• Constant-round multi-party computation [KOS03,P04]
• Password-based authentication prots [P04]
Other directions:
• Limits on non-BB techniques [BLV03]
• More separations bet BB and non-BB [BGGL01,BL02,L03]
OPEN QUESTIONS
Can we construct public key encryption based on one-way functions?
Understand power of non-black-box techniques in other contexts in crypto and complexity.
(impossible using black-box proofs [IR94])
Prove more negative results for non-black-boxtechniques.
( Interesting connections to other areas [DNRS00,BLV03])
THANK YOU!