# OPENING THE BLACK BOX

##### Presentation Transcript
1. OPENING THE BLACK BOX: New Techniques in Cryptography. Boaz Barak, Institute for Advanced Study, Princeton, NJ

2. PROGRAMS ARE HARD TO UNDERSTAND • Can’t eliminate bugs • Understanding compiled progs even harder • “Natural state is complete unreadability” • HALTING undecidable • SAT probably hard • Can’t prove lower bounds

3. PROGRAMS AS BLACK BOXES Very common: ignore actual code – only care about function (i.e., input/output relation). • Programming langs – function calls • Algorithms – subroutines, recursion • Complexity – reductions. (Diagram: a program drawn as a box with Input going in and Output coming out.)

4. PROGRAMS AS BLACK BOXES Ignore actual code – only care about function. (Same Input/Output box diagram.) Common Intuition: No loss in generality since general code is useless anyway: can’t be understood. Sometimes: Formal justification (HALTING, SAT). Can we justify it in cryptography?

5. MODERN CRYPTOGRAPHY A central activity: Construct scheme and reduce solving (assumed) hard problem to breaking scheme. Show that if ∃ a scheme-breaking alg then ∃ a problem-solving (e.g. factoring) alg. Implication: Problem actually hard ⇒ scheme unbreakable (before sun collapses). If common intuition holds (code useless) it’s • bad for crypto: limits on reductions • good for crypto: can “scramble” programs

6. IN THIS TALK Examine common intuition that “code useless” in crypto. Surprisingly, in many cases intuition is false. This implies: • positive results: more powerful reductions Get new (believed unobtainable) crypto schemes. • negative results: some schemes can’t be obtained

7. TALK PLAN Part I:“Scrambling/Obfuscating Programs”–A negative result [BGI+01]. Part II:“Zero Knowledge on the Internet” – A positive result [B01]. Part III: Some subsequent results [BGGL01,B02,BL02,L02,BLV03,KOS03,PR03,P04] “light” talk – almost no proofs / formal defs

8. PART I: OBFUSCATION Idea: Directly use “code useless” intuition for crypto: Q: Can we take arbitrary prog P and convert to P’ s.t. 1. P’ has same function as P 2. P’ is not much slower/bigger than P 3. P’ is “completely unintelligible”. Procedure to convert P → P’ is called “obfuscator”.

9. WHY MIGHT OBFs EXIST? • Because progs are hard to understand (bugs,HALTING,…) • Maybe compiler is already obfuscator?(e.g., “closed source” considered unreadable) • Because in crypto we can do anything :) • Some commercial candidates. Diffie&Hellman (76): Maybe can obtain public key enc. by “obfuscating” a private key enc. scheme?

10. WHY SHOULD WE CARE? • Interesting in its own right. • Constructing OWF-based PK crypto [DH76](Arguably central problem of crypto.) • Software protection. • Digital rights management (DRM) …

11. MAIN RESULT (informal) Thm[BGI+01]: General-purpose obfs, even under very weak defs, do not exist. [BGI+01] Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang “On the (Im)possibility of Obfuscating Programs”, CRYPTO 2001.

12. DEFINING OBFs * “TASTE” OF PROOF Def: O: P → P’ “totally fails” on P if 1. P can be efficiently recovered from O(P) (i.e., complete recovery of source code) 2. P is hard to learn (i.e., can’t recover P using BB access to its function). Thm[BGI+01]: ∀O ∃P s.t. O totally fails on P. (assuming OWF exist)

13. * “TASTE” OF PROOF Thm[BGI+01]: ∀O ∃P s.t. O totally fails on P. (assuming OWF exist) Pf: Show function family {P_{α,β}} s.t. O totally fails (code recovery + hard to learn) on random member. Define P_{α,β}(b,x) = β if b=0, x=α; = 1 if b=1, x(0,α)=β (here x is interpreted as a program and run on input (0,α)); = 0 otherwise. Claim: ∀O, for random α,β, w.h.p. O totally fails on P_{α,β}.

14. (Build of slide 13: same definition of P_{α,β}, theorem and claim.)

15. Claim: ∀O, for random α,β, w.h.p. O totally fails on P_{α,β}. Pf: Black-box access is useless: for random α,β, can’t distinguish between P_{α,β} and the all-zero function using BB access (a query (0,x) hits x=α only with negligible probability, and a query (1,x) returns 1 only if the program x already outputs β on (0,α)). Can recover source from obf’d code: given P’=O(P_{α,β}), output P’(1,P’). Since P’ has the same function as P_{α,β}, P’(0,α)=β, so running P’ on its own code returns 1, whereas the all-zero function returns 0; this single bit is already something no black-box algorithm can obtain. Note: In paper, rule out OBFs for programs with bounded input length.
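A runnable toy of the counterexample family from slides 13–15, added here as an illustration (it is not code from the talk or from [BGI+01]). `make_P` builds P_{α,β}; `black_box_nonzero_answers` plays the black-box learner and sees only zeros; `self_application` is the non-black-box step P’(1,P’). `toy_obfuscator` is a stand-in for an arbitrary functionality-preserving O: the point of the theorem is that no choice of O helps, so any wrapper suffices to show the self-application going through. Names, the 64-bit parameter and the random inputs are constructed for the example.

```python
"""Toy instance of the [BGI+01] unobfuscatable family P_{alpha,beta} (constructed example)."""
import random

N_BITS = 64  # constructed security parameter: alpha, beta are random N_BITS-bit integers


def make_P(alpha: int, beta: int):
    """Return the function P_{alpha,beta}.

    P(0, x) = beta if x == alpha, else 0
    P(1, x) = 1 if x is a program and x(0, alpha) == beta, else 0
    The second branch is what lets an obfuscated copy be tested on its own code.
    """
    def P(b, x):
        if b == 0:
            return beta if x == alpha else 0
        if b == 1 and callable(x):
            try:
                return 1 if x(0, alpha) == beta else 0
            except Exception:  # a program that crashes on (0, alpha) is treated as a wrong answer
                return 0
        return 0
    return P


def zero_program(b, x):
    """The all-zero function: black-box queries cannot tell it apart from P_{alpha,beta}."""
    return 0


def toy_obfuscator(P):
    """Stand-in for an arbitrary obfuscator O: a new code object computing the same function.

    The theorem says every O fails on P_{alpha,beta}; this wrapper only makes the
    self-application below run against something other than P itself.
    """
    def P_prime(b, x):
        return P(b, x)
    return P_prime


def black_box_nonzero_answers(f, trials: int, rng: random.Random) -> int:
    """Query f as a black box on random inputs and count non-zero answers.

    A (0, x) query hits alpha with probability 2^-N_BITS; a (1, x) query with a
    program chosen without knowledge of alpha, beta returns beta on (0, alpha)
    only by the same chance. So the count is 0 with overwhelming probability.
    """
    nonzero = 0
    for _ in range(trials):
        if rng.random() < 0.5:
            nonzero += f(0, rng.getrandbits(N_BITS)) != 0
        else:
            c = rng.getrandbits(N_BITS)
            nonzero += f(1, lambda b, x, c=c: c) != 0  # constant program, ignores alpha
    return nonzero


def self_application(P_prime) -> int:
    """The non-black-box step from the slide: output P'(1, P')."""
    return P_prime(1, P_prime)


def demo(seed: int = 1) -> dict:
    """Black-box view vs. code view of an obfuscated P_{alpha,beta}."""
    rng = random.Random(seed)
    alpha, beta = rng.getrandbits(N_BITS), rng.getrandbits(N_BITS)
    P_prime = toy_obfuscator(make_P(alpha, beta))
    return {
        "bb_nonzero_obfuscated": black_box_nonzero_answers(P_prime, 1000, rng),
        "bb_nonzero_zero_fn": black_box_nonzero_answers(zero_program, 1000, rng),
        "self_app_obfuscated": self_application(P_prime),  # 1: recovered from the code
        "self_app_zero_fn": self_application(zero_program),  # 0
    }


if __name__ == "__main__":
    print(demo())
```

The b=1 branch treats its argument as executable code, which is exactly the feature the slide exploits: a black-box learner can only feed P programs it wrote without knowing α, while the holder of the code can feed P’ itself.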

16. MEANING OF RESULT Proved: No general-purpose obf exists. Maybe “virtually general-purpose” obf exists? Similar to critique of NP-completeness results. (Diagram: the set of programs on which O is secure, drawn to contain the “useful” progs (DES, RSA, AES, SHA, …) but not the counterexample.)

17. (Build of slide 16, adding the heading PROBLEM W/ THIS ARGUMENT.)

18. PROBLEM W/ THIS ARGUMENT Q: If Alice writes new prog P, how can she know O is secure on P? A: Maker should provide well-defined set of “assured secure” progs. Problem: in many metrics, counter ex. close to “useful”. (Diagram: the “assured” progs as a subset of the programs on which O is secure; the counterexample sits next to the “useful” progs.)

19. TALK PLAN Part I: “Scrambling/Obfuscating Programs”–A negative result [BGI+01]. Part II:“Zero Knowledge on the Internet” – A positive result [B01]. Part III: Some subsequent results [BGGL01,B02,L02,BLV03,KOS03,PR03,P04]

20. PART II: ZERO KNOWLEDGE Recall: Central crypto activity – Construct scheme S s.t. ∃ alg A that breaks S ⇒ ∃ alg B that factors integers. Standard Pf: B uses A as BB subroutine. Q: Can B gain anything by using A’s code? Intuition: NO – don’t know anything about adversary. [B01]: Intuition is false – obtain results previously proven impossible to obtain w/ black-box pf.

21. ZERO-KNOWLEDGE [GMR85] Roughly: Proof with “no added value”: Alice proves X true (e.g., G 3-colorable) to Bob. Bob learns only that X is true. Ex: Alice knows witness (3-coloring) to X=“G is 3col”, wants to convince Bob X is true w/o leaking info about witness. Motivation: • Interesting in own right. • Identification protocols (prove I know password/secret w/o giving any info [FS86]) • General protocols – voting/auctions/poker (prove I acted properly w/o compromising my secrets)

22. ZERO-KNOWLEDGE [GMR85] Roughly: Proof with “no added value”: Alice proves X true (e.g., G 3-colorable) to Bob. Bob learns only that X is true. A central crypto thm of 80’s [GMW86,FS89,BCY89,GK96]: Anything can be proven in zero knowledge (using only O(1) communication rounds). CONCURRENT ZK – A central question of 90’s [DNS98]: Is knowledge leaked in a concurrent execution? (a.k.a. “zero-knowledge on the internet”)

23. CONCURRENT ZK A central question of 90’s [DNS98]: Is knowledge leaked in a concurrent execution? (Diagram: Alice running sessions concurrently with Bob1, Bob2, Bob3, …, Bobn.) Known: Coordinated “Bob” may learn something.

24. CONCURRENT ZK * “TASTE” OF PROOF A central question of 90’s [DNS98]: Is knowledge leaked in a concurrent execution? Thm [RK99]: Anything can be proven in concurrent ZK; # rounds: Õ(log n) [KPR00,PRS02]. Thm [CKPR01]: Protocols w/ black-box proofs require Ω̃(log n) rounds. Thm [B01]: Anything can be proven in O(1)-round concurrent ZK. Uses (inherently) non-BB proof (concurrent = bounded concurrent).

25. * “TASTE” OF PROOF Thm [B01]: Anything can be proven in O(1)-round concurrent ZK. Tool: Witness Indistinguishable (WI) proofs [FS89]. Weaker property than ZK: When proving a statement X of form A ∨ B, only required to hide from Bob which of A or B is true. What we need to know: • Anything can be proven in O(1)-round WI. • Unlike ZK, WI composes concurrently [FS89]

26. * “TASTE” OF PROOF Thm [B01]: Anything can be proven in O(1)-round concurrent ZK. Our Proof System: To prove statement X do: Bob → Alice: r ∈_R {0,1}^{10n}. Alice → Bob: WI proof that “X true or KC(r)<5n”. KC(r) = length of min-sized TM M s.t. M()=r (KC(r)<5n=|r|/2 means r is “compressible”). A random r is “incompressible” w.h.p. and so protocol is sound. Next: show no info leaked in 2 executions…

27. Sample execution (diagram): Alice runs two concurrent sessions with Bob1 and Bob2. Bob1 sends r = Bob1(); Alice gives a WI proof that “X true or KC(r)<5n”. Bob2 sends r’ = Bob2(p-dialog), where p-dialog is the partial dialog Bob has seen so far; Alice gives a WI proof that “X true or KC(r’)<5n”. Finally Bob outputs f(X) = Bob3(dialog). Suppose Bob learns f(X) after 2 concurrent sessions. We show f(X) is easy to compute (even w/o talking to Alice!). Algorithm to compute f(X) will use Bob’s code!

28. (Build of slide 27.)

29. We show f(X) is easy to compute (even w/o talking to Alice!): Compute (w/o Alice!) a string monolog indistinguishable from dialog. Thus Bob3(monolog) = Bob3(dialog) = f(X). “Look ma, no Alice!” (Diagram: same execution with Alice removed; the two WI proofs the simulator must produce are marked “?”.)

30. (Build of slide 29.)

31. Compute (w/o Alice!) string monolog indisting from dialog. The simulator proves the second branch of each WI statement instead of X: r = Bob1() is the output of Bob1’s code on empty input and r’ = Bob2(p-dialog) is the output of Bob2’s code on the short partial dialog, so each has a description (program + input) much shorter than 5n, i.e., KC(r)<5n and KC(r’)<5n, and WI hides which branch was used. Using some tools (pseudorandom gens, PCP thm), can ensure |Bob1|,|Bob2|,|p-dialog|<n. (Diagram: the two “?” marks become “!”.)
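The witness-construction step of slides 27–31, as an added example in Python (not code from the talk or from [B01]). Bob’s code for the two sessions is kept as source strings so its length can be measured; the simulator runs that code to obtain r and r’, then packages (program, input) as a description of length < 5n that reproduces each string, which is what the “KC(r)<5n” branch of the WI statement needs. The WI proof system itself, the PRG/PCP compression of Alice’s messages and the indistinguishability argument are outside the example. The PRG stand-in (SHAKE-256), the parameter n = 4096 bits, the 32-byte stand-in for p-dialog and all names (`expand`, `BOB1_SRC`, `check_kc_witness`, …) are constructed.

```python
"""Simulator witness for the O(1)-round concurrent ZK protocol (constructed example)."""
import hashlib
import os

N = 4096                 # constructed parameter n, in bits
R_BITS = 10 * N          # Bob's challenge r lies in {0,1}^{10n}
KC_BOUND_BITS = 5 * N    # "r is compressible" means KC(r) < 5n = |r|/2


def expand(seed: bytes, nbits: int) -> bytes:
    """PRG stand-in: stretch a short seed to nbits pseudorandom bits (SHAKE-256, constructed choice)."""
    return hashlib.shake_256(seed).digest(nbits // 8)


# Bob's code for the two sessions. A cheating Bob is deterministic (its coins are
# part of its code), so each message is fully determined by code + what Bob has seen.
BOB1_SRC = "lambda inp: expand(b'session-1', R_BITS)"          # r  = Bob1()
BOB2_SRC = "lambda inp: expand(b'session-2|' + inp, R_BITS)"   # r' = Bob2(p-dialog)


def run_program(src: str, inp: bytes) -> bytes:
    """Execute a description (program source, input) and return its output."""
    return eval(src, {"expand": expand, "R_BITS": R_BITS})(inp)


def description_length_bits(src: str, inp: bytes) -> int:
    """Bit length of the description: program, input, and a 2-byte separator/length field."""
    return 8 * (len(src.encode()) + len(inp) + 2)


def check_kc_witness(r: bytes, src: str, inp: bytes) -> bool:
    """The check behind 'KC(r) < 5n': a description shorter than 5n bits whose output is r."""
    return description_length_bits(src, inp) < KC_BOUND_BITS and run_program(src, inp) == r


def simulate_two_sessions() -> dict:
    """Simulator (no Alice): derive r, r' from Bob's code and build a KC witness for each."""
    r = run_program(BOB1_SRC, b"")
    # p-dialog: Alice's first-session message that Bob2 sees before choosing r'.
    # The real protocol keeps it under n bits via PRGs and PCPs; here a 32-byte
    # commitment stand-in (constructed) plays that role.
    p_dialog = hashlib.sha256(b"alice-session-1-msg").digest()
    r_prime = run_program(BOB2_SRC, p_dialog)
    witness1 = (BOB1_SRC, b"")          # Bob1's code on empty input outputs r
    witness2 = (BOB2_SRC, p_dialog)     # Bob2's code on p-dialog outputs r'
    return {
        "r": r,
        "r_prime": r_prime,
        "witness1": witness1,
        "witness2": witness2,
        "w1_ok": check_kc_witness(r, *witness1),        # True: simulator can prove KC(r) < 5n
        "w2_ok": check_kc_witness(r_prime, *witness2),  # True: simulator can prove KC(r') < 5n
    }


def honest_verifier_r() -> bytes:
    """What an honest Bob sends: a uniformly random r, which has no short description w.h.p."""
    return os.urandom(R_BITS // 8)


if __name__ == "__main__":
    out = simulate_two_sessions()
    print("witness lengths (bits):",
          description_length_bits(*out["witness1"]),
          description_length_bits(*out["witness2"]), "< bound", KC_BOUND_BITS)
    print("simulator can prove KC(r)<5n:", out["w1_ok"], " KC(r')<5n:", out["w2_ok"])
    print("Bob1's witness reproduces a fresh random r:",
          check_kc_witness(honest_verifier_r(), BOB1_SRC, b""))
```

The soundness side is the counting bound: fewer than 2^{5n} descriptions are shorter than 5n bits, so at most a 2^{-5n} fraction of the 2^{10n} possible r are compressible, and an honest Bob’s random r forces Alice to prove X. The last line of the demo shows the flip side of that: Bob1’s description reproduces only the r Bob1 actually sent, not a fresh random one.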

32. TALK PLAN Part I: “Scrambling/Obfuscating Programs” –A negative result [BGI+01]. Part II: “Zero Knowledge on the Internet” – A positive result [B01]. Part III: Some subsequent results [BGGL01,B02,L02,BLV03,KOS03,PR03,P04]

33. PART III: OTHER RESULTS Positive results using our non-BB techniques: • Non-Malleable Commitments (MIM attack) [B02] • Resettable model (e.g., smartcards) [BGGL01] • Strict poly-time extraction [BL02] • General bounded-concurrent computation [L03,PR03,P04] • Constant-round multi-party computation [KOS03,P04] • Password-based authentication prots [P04] Other directions: • Limits on non-BB techniques [BLV03] • More separations bet BB and non-BB [BGGL01,BL02,L03]

34. OPEN QUESTIONS Understand power of non-black-box techniques in other contexts in crypto and complexity. Can we construct public key encryption based on one-way functions? (impossible using black-box proofs [IR94]) Prove more negative results for non-black-box techniques. (Interesting connections to other areas [DNRS00,BLV03])

35. THANK YOU!