Black-box obfuscation

In cryptography, black-box obfuscation was a proposed cryptographic primitive that would allow a computer program to be obfuscated in such a way that it is impossible to determine anything about it except its input–output behavior.[1] Black-box obfuscation has been proven to be impossible, even in principle.[2]

Impossibility

The unobfuscatable programs

Barak et al. constructed a family of unobfuscatable programs, for which an efficient attacker can always learn more from any obfuscated code than from black-box access.[2][3]

Broadly, they start by engineering a special pair of programs that cannot be obfuscated together. For some randomly selected strings α and β of a fixed, pre-determined length k, define one program to be one that computes

    C_{α,β}(x) = β if x = α, and 0^k otherwise,

and the other program to be one that computes

    D_{α,β}(C) = 1 if C(α) = β within poly(k) steps, and 0 otherwise.

(Here, D_{α,β} interprets its input C as the code for a Turing machine. The bound on the running time in the definition of D_{α,β} is there to prevent the function from being uncomputable.)
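The pair can be sketched in Python. The names `C`, `D`, `alpha`, and `beta` are illustrative stand-ins for the construction's symbols, and the polynomial step bound of the real definition is elided here, since the sketch calls a Python function directly rather than simulating a Turing machine:

```python
import secrets

K = 16  # length of the random strings (bytes here; bits in the paper)

alpha = secrets.token_bytes(K)  # the secret "password"
beta = secrets.token_bytes(K)   # the secret "payload"

def C(x):
    """Outputs beta on the password alpha, and all zeros otherwise."""
    return beta if x == alpha else bytes(K)

def D(program):
    """Interprets its input as a program, runs it on alpha, and tests
    whether it returns beta.  (In the paper the input is a Turing-machine
    description executed for a bounded number of steps, which keeps the
    function computable; calling a Python callable elides that bound.)"""
    try:
        return 1 if program(alpha) == beta else 0
    except Exception:
        return 0
```

A black-box user of `C` who does not know `alpha` only ever sees zero outputs, while anyone holding working code for `C` can hand it to `D` and get 1.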

If an efficient attacker only has black-box access, Barak et al. argued, then the attacker has only an exponentially small chance of guessing the password α, and so cannot distinguish the pair of programs (C_{α,β}, D_{α,β}) from the pair (Z, D_{α,β}), where Z is a program that always outputs 0^k. However, if the attacker has access to any obfuscated implementation of the first program, then the attacker will find that D_{α,β} outputs 1 on an implementation of C_{α,β} with probability 1, whereas D_{α,β} outputs 0 on an implementation of Z unless Z(α) = β (which happens only with negligible probability). This means that the attacker can always distinguish the two pairs given obfuscated code, but not given black-box access. Since no obfuscator can prevent this attack, Barak et al. conclude that no black-box obfuscator for pairs of programs exists.[2][3]
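The distinguishing attack itself is a one-liner: the attacker feeds the code it was given for the first program into the second. A minimal sketch, again with hypothetical names `C`, `Z`, and `D` (any functionality-preserving obfuscation of these programs would behave identically):

```python
import secrets

K = 16
alpha = secrets.token_bytes(K)
# First byte fixed nonzero so beta never equals the all-zero string,
# keeping the sketch deterministic.
beta = b"\x01" + secrets.token_bytes(K - 1)

def C(x):
    return beta if x == alpha else bytes(K)  # the "password" program

def Z(x):
    return bytes(K)                          # always outputs zeros

def D(program):
    return 1 if program(alpha) == beta else 0

def attacker(code_of_first, second_program):
    # With code access, simply run the second program on the first's code.
    # A black-box attacker cannot do this: it holds only an oracle for
    # the first program, not a string it can hand to the second.
    return second_program(code_of_first)
```

Here `attacker(C, D)` returns 1 while `attacker(Z, D)` returns 0, so the two pairs are distinguished with certainty given code access.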

To conclude the argument, Barak et al. define a third program that combines the functionality of the two previous ones:

    F_{α,β}(b, x) = C_{α,β}(x) if b = 0, and D_{α,β}(x) if b = 1.

Since equivalently efficient implementations of C_{α,β} and D_{α,β} can be recovered from any implementation of F_{α,β} by hardwiring the value of b, Barak et al. conclude that F_{α,β} cannot be obfuscated either, which completes their argument.[2]
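Combining the pair into a single program and recovering each half by hardwiring the selector bit might look as follows (all names hypothetical):

```python
import secrets
from functools import partial

K = 16
alpha = secrets.token_bytes(K)
beta = secrets.token_bytes(K)

def C(x):
    return beta if x == alpha else bytes(K)

def D(program):
    return 1 if program(alpha) == beta else 0

def F(b, x):
    """Single program carrying both functionalities, selected by b."""
    return C(x) if b == 0 else D(x)

# Hardwiring b recovers implementations of C and D from (any obfuscation
# of) F, so an obfuscator for F would give one for the pair (C, D).
C_again = partial(F, 0)
D_again = partial(F, 1)
```

Because `C_again` and `D_again` are as efficient as `F` itself, obfuscating `F` can be no easier than obfuscating the pair, which was just shown impossible.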

Impossible variants of black-box obfuscation and other types of unobfuscatable programs

In their paper, Barak et al. also prove the following (conditional on appropriate cryptographic assumptions):[2]

  - The impossibility result extends to approximate obfuscators, which are only required to agree with the original program on a large fraction of inputs.
  - Unobfuscatable programs exist even within weak circuit classes such as TC0.
  - If one-way functions exist, then there exist unobfuscatable signature schemes, private-key encryption schemes, pseudorandom function families, and message authentication codes.

Weaker variants

In their original paper exploring black-box obfuscation, Barak et al. defined two weaker notions of cryptographic obfuscation which they did not rule out: indistinguishability obfuscation and extractability obfuscation (which they called "differing-inputs obfuscation"). Informally, an indistinguishability obfuscator converts input programs with the same functionality into output programs that a computationally bounded attacker cannot relate back to their inputs, while an extractability obfuscator has the additional property that if an efficient attacker can relate the outputs to the inputs for some two programs, then the attacker can also produce an input on which those two programs give different outputs. (Note that an extractability obfuscator is necessarily an indistinguishability obfuscator.)[2][4]
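Indistinguishability obfuscation makes no promise of hiding secrets in general; it only guarantees that two equally sized, functionally identical programs obfuscate to computationally indistinguishable outputs. A toy illustration of "same functionality, different source" in Python (no actual obfuscator is invoked, and `double_a`/`double_b` are hypothetical examples):

```python
def double_a(x):
    return 2 * x   # one implementation

def double_b(x):
    return x + x   # a syntactically different, equivalent implementation

# An indistinguishability obfuscator iO would guarantee that iO(double_a)
# and iO(double_b) cannot be told apart by any efficient attacker,
# precisely because the two programs compute the same function.
assert all(double_a(x) == double_b(x) for x in range(100))
```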

As of 2020, a candidate implementation of indistinguishability obfuscation is under investigation.[5] In 2013, Boyle et al. explored several candidate implementations of extractability obfuscation.[4]

References

  1. Goldwasser, Shafi; Rothblum, Guy N. (2014). "On Best-Possible Obfuscation". Journal of Cryptology. 27 (3): 480–505. doi:10.1007/s00145-013-9151-z.
  2. Barak, Boaz; Goldreich, Oded; Impagliazzo, Russell; Rudich, Steven; Sahai, Amit; Vadhan, Salil; Yang, Ke (2012). "On the (im)possibility of obfuscating programs". Journal of the ACM. 59 (2): 6:1–6:48. doi:10.1145/2160158.2160159.
  3. "Cryptographic obfuscation and 'unhackable' software". A Few Thoughts on Cryptographic Engineering. 2014-02-21. Retrieved 2021-03-14.
  4. Boyle, Elette; Chung, Kai-Min; Pass, Rafael (2013). "On Extractability (a.k.a. Differing-Inputs) Obfuscation". Cryptology ePrint Archive.
  5. Klarreich, Erica (2020-11-10). "Computer Scientists Achieve 'Crown Jewel' of Cryptography". Quanta Magazine. Retrieved 2020-11-10.