From obfuscation to white-box crypto: relaxation and security notions

Size: px

Start display at page:

Download "From obfuscation to white-box crypto: relaxation and security notions"

Angelica Curtis
5 years ago
Views:

1 From obfuscation to white-box crypto: relaxation and security notions Matthieu Rivain WhibOx 26, 4 Aug, UCB

2 What does this program do? ([]+/H/)[&>>]+(+[[]+(-~<<)+(~+e)+(%)+( >> )+(~+e)+(.^!)])[[([]+!![ ])[^]+[[}]+}][/.&][]]+([[]+/!][+!][([}]+})[e>>]+[[],[]+}][&>> ][ []]+([]+[][])[&]+[},e,!+}][~~(.+.)][^<<]+(/!}+})[-~<<]+[!! }+[]][+(>)][[]+]+(/^/[.]+/&/)[.^!]+[},[}]+},][&>>][+e+]+([]+!!})[.^!]+([]+}+[])[[]+]+[!!}+}][!+!][[]+]]+[])[(!/~/+})[ <<]+[/=/,[]+[][]][ &>>][&>>]+([]+})[~~(.+.)]+[,!+}][%][^<<]+(/[]+//)[~+e+~]+[!!/-/+[]][+(>)][]]((<<^)+((+(<))==([]+/-/[(!![]+[])[+!]+(!!/-/+})[-~]+([ ]+!/~/)[-~]+(!!/-/+})[!+!]])[%]),-~>>)](~-~e<<<<)+([]+:}+[] )[.%.*e!]+(}+/w/)[+~e-(~*.<<)]+(+[[]+( >>)+( >> )+(- >>)+(e>> )+(e>>)+(>>)+(>>>)])[[(!!}+[])[>>>]+[[]+}][.^!][%]]+ ([/[]+[]][%][([}]+[}])[e>>]+[[],[}]+[}]][ >> ][ []]+([][]+[])[[]+ ]+[},e,![]+/~/][<<!<<][<<^]+(/!+})[+>>]+[!!/-/+}][+(>)][%]+ ([][]+/&/)[&>>]+[},[]+}+[],][[]+][-~+>>]+([]+!!/-/)[>>]+([]+})[ >> ]+[[]+!!}][>>>][&]]+[])[(!}+[])[^<<]+[/=/,[]+[][]][<<>>][!+!]+([] +}+[])[<<^>>]+[,![]+[]][ >>][ << ]+(/[]+//)[-~>>]+[!![]+}][+[]] [ >>]]((e-)+((&>>)==([]+/-/[(!!}+})[+(>)]+(!!/-/+})[ <<]+(!+})[ << ]+(!!/-/+})[.>>.]])[&>>]),-~<<)](~-~e<<<<)+(/^!/+[])[+!![%]]

3 What does this program do? ([]+/H/)[&>>]+(+[[]+(-~<<)+(~+e)+(%)+( >> )+(~+e)+(.^!)])[[([]+!![ ])[^]+[[}]+}][/.&][]]+([[]+/!][+!][([}]+})[e>>]+[[],[]+}][&>> ][ []]+([]+[][])[&]+[},e,!+}][~~(.+.)][^<<]+(/!}+})[-~<<]+[!! }+[]][+(>)][[]+]+(/^/[.]+/&/)[.^!]+[},[}]+},][&>>][+e+]+([]+!!})[.^!]+([]+}+[])[[]+]+[!!}+}][!+!][[]+]]+[])[(!/~/+})[ <<]+[/=/,[]+[][]][ &>>][&>>]+([]+})[~~(.+.)]+[,!+}][%][^<<]+(/[]+//)[~+e+~]+[!!/-/+[]][+(>)][]]((<<^)+((+(<))==([]+/-/[(!![]+[])[+!]+(!!/-/+})[-~]+([ ]+!/~/)[-~]+(!!/-/+})[!+!]])[%]),-~>>)](~-~e<<<<)+([]+:}+[] )[.%.*e!]+(}+/w/)[+~e-(~*.<<)]+(+[[]+( >>)+( >> )+(- >>)+(e>> )+(e>>)+(>>)+(>>>)])[[(!!}+[])[>>>]+[[]+}][.^!][%]]+ ([/[]+[]][%][([}]+[}])[e>>]+[[],[}]+[}]][ >> ][ []]+([][]+[])[[]+ ]+[},e,![]+/~/][<<!<<][<<^]+(/!+})[+>>]+[!!/-/+}][+(>)][%]+ ([][]+/&/)[&>>]+[},[]+}+[],][[]+][-~+>>]+([]+!!/-/)[>>]+([]+})[ >> ]+[[]+!!}][>>>][&]]+[])[(!}+[])[^<<]+[/=/,[]+[][]][<<>>][!+!]+([] +}+[])[<<^>>]+[,![]+[]][ >>][ << ]+(/[]+//)[-~>>]+[!![]+}][+[]] [ >>]]((e-)+((&>>)==([]+/-/[(!!}+})[+(>)]+(!!/-/+})[ <<]+(!+})[ << ]+(!!/-/+})[.>>.]])[&>>]),-~<<)](~-~e<<<<)+(/^!/+[])[+!![%]] Answer: it prints hello world

4 What does this program do? #define _ -F< --F-OO--; int F=,OO=;main()F_OO();printf("%.3f\n",4.*-F/OO/OO);}F_OO() _-_-_- -_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_- -_-_-_ }

5 What does this program do? #define _ -F< --F-OO--; int F=,OO=;main()F_OO();printf("%.3f\n",4.*-F/OO/OO);}F_OO() _-_-_- -_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_-_-_-_-_- -_-_-_-_-_-_- -_-_-_ } Answer: it computes π

6 What is (cryptographic) obfuscation?

7 What is obfuscation? Obfuscation is the deliberate act of creating obfuscated code, i.e. [...] that is difficult for humans to understand. Obfuscators make reverse engineering more difficult [...] but do not alter the behavior of the obfuscated application. wikipedia

8 What is obfuscation? Obfuscation is the deliberate act of creating obfuscated code, i.e. [...] that is difficult for humans to understand. Obfuscators make reverse engineering more difficult [...] but do not alter the behavior of the obfuscated application. wikipedia make a program unintelligible while preserving its functionality

9 Why obfuscation? To protect some secret inside a program the algorithm itself (e.g. a factoring program) efficient N = p q factoring (p, q) algorithm intelligble program some private data used by the program (e.g. conditional data access) pwd, f private data if pwd correct then disclose f(data) f(data) Obfuscating a hello-word program is useless

10 Defining obfuscation Program word in a formal (programming) language P L function execute L, }, } execute (P, in) out P implements a function f A B if a A execute(p, a) = f(a) denoted P f P and P 2 are functionally equivalent if P f P 2 for some f denoted P P 2

11 Defining obfuscation Obfuscator algorithm O mapping a program P to a program O(P ) st: functionality: O(P ) P efficiency: O(P ) is efficiently executable security: (informal) O(P ) is hard to understand (informal) O(P ) protects its data How to formally define the security property?

12 Virtual Black-Box (VBB) Obfuscation O(P ) reveals nothing more than the I/O behavior of P Any adversary on O(P ) can be simulated with a black-box access to P

13 Virtual Black-Box (VBB) Obfuscation O(P ) reveals nothing more than the I/O behavior of P Any adversary on O(P ) can be simulated with a black-box access to P P x P (x) O(P ) A Adversary imulator Pr[A(O(P ))) = ] Pr[ P ( ) = ] ε

14 Impossibility result VBB-O does not exist on general programs (CRYPTO ) Counterexample: uint28_t cannibal ( prog P, uint28_t password ) uint28_t secret = xe75b4f4eabf4377caa722c8ccccb ; uint28_t secret2 = x94ff8ec88de3bd8223a62e4cb7c84a4 ; if ( password == secret ) return secret2 ; if ( execute (P, null, secret ) == secret2 ) return secret ; } return ; O(cannibal)(O(cannibal), ) = secret

15 Indistinguishability obfuscation (io) Restricted to circuits i.e. programs without branches/loops For any two programs P and P 2 st P P 2 and P = P 2, the obfuscated programs O(P ) and O(P 2 ) are indistinguishable O(P ) A O(P 2 ) A Pr[A(O(P )) = ] Pr[A(O(P 2 )) = ] ε

16 Best possible obfuscation Anything that can be learned (efficiently) from O(P ) can be learned from any P P with P P O P P O(P ) A P Adversary imulator Pr[A(O(P ))) = ] Pr[(P ) = ] ε

17 io and BPO are equivalent io BPO O(P ) A O A P

18 io and BPO are equivalent io BPO O(P ) A O A P BPO io O(P ) A O(P 2) A

19 io and BPO are equivalent io BPO O(P ) A O A P BPO io O(P ) A O(P 2) A P

20 io and BPO are equivalent io BPO O(P ) A O A P BPO io O(P ) A O(P 2) A P

21 io and BPO are equivalent io BPO O(P ) A O A P BPO io O(P ) A O(P 2) A P

22 io and BPO are equivalent io BPO O(P ) A O A P BPO io O(P ) A O(P 2) A P

23 io and BPO are equivalent io BPO O(P ) A O A P BPO io O(P ) A O(P 2) A P We use io in the rest of the presentation

24 What is white-box cryptography?

25 What is white-box cryptography? the attacker is assumed to have [...] full access to the encrypting software and control of the execution environment Our main goal is to make key extraction difficult. While an attacker can clearly make use of the software itself [...], forcing an attacker to use the installed instance at hand is often of value to DRM systems providers. Chow et al. (DRM 22)

26 What is white-box cryptography? the attacker is assumed to have [...] full access to the encrypting software and control of the execution environment obfuscation restricted to encryption (or another crypto primitive) Our main goal is to make key extraction difficult. While an attacker can clearly make use of the software itself [...], forcing an attacker to use the installed instance at hand is often of value to DRM systems providers. Chow et al. (DRM 22)

27 What is white-box cryptography? the attacker is assumed to have [...] full access to the encrypting software and control of the execution environment obfuscation restricted to encryption (or another crypto primitive) Our main goal is to make key extraction difficult. relaxed security requirements While an attacker can clearly make use of the software itself [...], forcing an attacker to use the installed instance at hand is often of value to DRM systems providers. Chow et al. (DRM 22)

28 What is white-box cryptography? the attacker is assumed to have [...] full access to the encrypting software and control of the execution environment obfuscation restricted to encryption (or another crypto primitive) Our main goal is to make key extraction difficult. relaxed security requirements While an attacker can clearly make use of the software itself [...], forcing an attacker to use the installed instance at hand is often of value to DRM systems providers. encryption software secret key Chow et al. (DRM 22)

29 What is white-box cryptography? Obfuscation restricted to a specific class of crypto primitives Typically, PN ciphers: k k 2 k 3 k n m LL LL LL LL c Running example: F = AE k ( ) k, } 28 } White-box obfuscator: k WB-AE k AE k ( )

30 trongest possible WBC VBB obfuscation restricted to AE AE k ( ) m c WB-AEk A Adversary imulator Impossibility result does not apply The AE-LUT program achieves VBB but does not fit into TB How to build a compact VBB AE implementation? could be impossible to achieve

31 What does io-ae mean? io restricted to AE: O(P k ) O(P k ) for any P k P k AE k Example of io AE obfuscator:. k extract-key(p k ) 2. return reference implem AE k probably inefficient obfuscator! If a (compact) VBB AE implementation exists O(P k ) O(VBB-AE k ) efficient io VBB o what does io-ae means?

32 Defining WBC simple AE io AE? VBB AE Obfuscation scale We need something relaxed compared to VBB meaningful compared to io

33 Defining WBC simple AE io AE further white-box security notions? VBB AE Obfuscation scale We need something relaxed compared to VBB meaningful compared to io further notions

34 What could we expect from WBC?

35 What could we expect? The least requirement: key extraction must be difficult WB-AE k A k Easy to satisfy for some variant of AE: E k ( ) = AE h ( ) with h = H(k) H one-way simple AE h implem unbreakable We should expect more

36 What could we expect? Code-lifting cannot be avoided the adversary can always use the software Code-lifting could be made unavoidable force the adversary to use the software The software should then constrain the adversary be less convenient to distribute have restricted functionalities include security features

37 Less convenient to distribute Example: make the implementation huge and incompressible WB-AE k > GB A AE k < KB Possible use case: DRM

38 Restrict the software functionalities Example: make the implementation one-way m WB-AE k A m c Namely: turning AE into a public-key cryptosystem Possible use case: light-weight signature scheme

39 Include security features Example: adding a password ˆπ m WB-AE k,π if (ˆπ == π) return AE k (m) else return A c = AE k (m) c takes time O(2 π ) WB implem software secure element Possible use case: payment with token

40 Include security features Example: include a tracing mechanism WB-AE k,id A Π AE k( ) T id T st A WB-AE k,id Π AE k ( ) T (Π) = id Possible use case: pay-tv

41 Include security features Example: include a tracing mechanism WB-AE k,id WB-AE k,id2 A Π AE k( ) T id id, id 2,..., id t} WB-AE k,idt T st A WB-AE k,id Π AE k ( ) T (Π) = id Possible use case: pay-tv

42 White-box security notions

43 ecurity notions for symmetric ciphers Encryption scheme: E = (K, M, E, D) E, D K M M E(k, ) = D(k, ) White-box compiler: C E (k, r) [Ek r ] E(k, ) Attack model: target: a white-box encryption program [E k ] = C E (k, $) CPA (chosen plaintext attack) unavoidable CCA (chosen ciphertext attack) oracle for D(k, ) RCA (recompilation attack) oracle for C E (k, $) Attack goals: break (extract k), compress, inverse, be untraced

44 Unbreakability k $, r $ [E r k ] = C E(k, r) ˆk? = k Challenger [E r k ] ˆk A m c [E r k ] D(k, ) C E (k, $) UBK-CCA UBK-RCA C E is (τ, ε)-secure wrt UBK-CPA/CCA/RCA} A running in time τ : Pr[ˆk = k] ε

45 One-Wayness k $, r $ [E r k ] = C E(k, r) m $ c = E(k, m) ˆm? = m Challenger [E r k ], c ˆm A m c [E r k ] D(k, ) C E (k, R) OW-CCA OW-RCA C E is (τ, ε)-secure wrt OW-CPA/CCA/RCA} A running in time τ : Pr[ ˆm = m] ε

46 Incompressibility Distance between a program P and a function f X Y (P, f) = If (P, f) = then P f x X st P (x) f(x)} X

47 Incompressibility k $, r $ [Ek r] = C E(k, r) (P, E(k, ))? δ and P <? λ Challenger [E r k ] P A m c [E r k ] D(k, ) C E (k, $) INC-CCA INC-RCA C E is (τ, ε)-secure wrt (λ, δ)-inc-cpa/cca/rca} A running in time τ : Pr[ (P, E(k, )) δ P λ] ε

48 Incompressibility (λ, δ)-inc only makes sense for: and δ ref implem < λ < min k,r [E r k ]

49 Toy example Encryption scheme E E (k, m) m e G D (k, m) m e mod ω G k = (G, ω, e) G : RA group with secret order ω e [2, ω) coprime to ω White-box compiler C E (k, r) [Ek r] [Ek r] computes mf in G blinded exponent: f = e + r ω

50 Toy example C E is OW-CPA under RA[G] RA[G]: it s hard to compute x /e for x $ G C E is (λ, )-INC-CPA (with λ log f) under ORD[G] ORD[G]: it s hard to compute the order of x $ G wrt an adversary producing algebraic programs

51 Toy example Disclaimer: toy example OW part = RA INC part inefficient (linear in the size) Designing E with (efficient) OW C E = designing a PK encryption scheme Designing E with (efficient) INC C E = designing an incompressible encryption scheme White-box crypto is about designing a compiler for an existing encryption scheme Real challenge: design a OW and/or INC compiler for AE

52 Traceability White-box implem of the decryption (pay-tv use case) Principle: include secret perturbations of the decryption functionality [D r k,c ] = C E(k, r; C) where [Dk,C r ](c) = if c C M D k (c) otherwise

53 Traceability Perturbation-Value Hiding (PVH) security: k $, r $ [D r k,c ] = C E(k, r C) c $ C ˆm =? D(k, c) [D r k,c ], c ˆm A C C [D r k,c ] C E (k, $ C ) Challenger C E is (τ, ε)-secure wrt C-PVH A running in time τ: Pr[ ˆm = D(k, c)] ε

54 Traceability User i gets P i = C E (k, r i ; C i ) for random sets C C 2 C n M Pirate program from t traitors: Π = A(P i, P i2,..., P it ) with (Π, D(k, )) negligible PVH security linear tracing procedure p(i) = Pr[c $ C i /C i Π(c) = D(k, c)] p(i) i i 2 i 3 n

55 Traceability User i gets P i = C E (k, r i ; C i ) for random sets C C 2 C n M Pirate program from t traitors: Π = A(P i, P i2,..., P it ) with (Π, D(k, )) negligible PVH security linear tracing procedure p(i) = Pr[c $ C i /C i Π(c) = D(k, c)] p(i) majority output i i 2 i 3 n

56 Traceability User i gets P i = C E (k, r i ; C i ) for random sets C C 2 C n M Pirate program from t traitors: Π = A(P i, P i2,..., P it ) with (Π, D(k, )) negligible PVH security linear tracing procedure p(i) = Pr[c $ C i /C i Π(c) = D(k, c)] p(i) unanimous output i i 2 i 3 n

57 Traceability User i gets P i = C E (k, r i ; C i ) for random sets C C 2 C n M Pirate program from t traitors: Π = A(P i, P i2,..., P it ) with (Π, D(k, )) negligible PVH security linear tracing procedure p(i) = Pr[c $ C i /C i Π(c) = D(k, c)] p(i) PVH insecurity i i 2 i 3 n

58 Traceability User i gets P i = C E (k, r i ; C i ) for random sets C C 2 C n M Pirate program from t traitors: Π = A(P i, P i2,..., P it ) with (Π, D(k, )) negligible PVH security linear tracing procedure p(i) = Pr[c $ C i /C i Π(c) = D(k, c)] p(i) PVH security i i 2 i 3 n

59 ecurity hierarchy If E is a secure encryption scheme INC OW UBK PVH

60 ecurity hierarchy If E is a secure encryption scheme INC VBB OW UBK PVH VBB

61 ecurity hierarchy If E is a secure encryption scheme VBB INC VBB OW UBK PVH VBB

62 Conclusion

63 Conclusion WBC can be define as a restriction of cryptographic obfuscation subset of programs (e.g. keyed permutation) relaxed security notions More work needed to refine / define alternative security notions build candidate white-box compiler Open challenge: INC/OW/PVH-implementation of AE

64 Final thoughts cience is overstepped by industrial usage in the field of WBC Digital content protection (pay-tv, DRM) Mobile payments oftware protection Yet no secure solution available in the public literature hould we rely on the secret-spec model? Academic cryptographer: over my dead body! Industrial cryptographer: only choice I have (for now) Open question: who beats who? secret-spec designer vs. state-of-the-art cryptanalyst

65 Biblio Obfuscation notions (VBB, io, BPO) On the (Im)possibility of Obfuscating Programs (Barak et al. CRYPTO 2) On Best-Possible Obfuscation (Goldwasser Rothblum, TCC 27) White-box crypto (introduction, first constructions) A White-Box DE Implementation for DRM Applications (Chow et al. DRM 22) White-Box Cryptography and an AE Implementation (Chow et al. AC 22) Presented white-box security notions White-Box ecurity Notions for ymmetric Encryption chemes (Delerablée et al. AC 23) Related works Towards ecurity Notions for White-Box Cryptography (axena Wyseur Preneel, IC 29) White-Box Cryptography Revisited: pace-hard Ciphers (Bogdanov Isobe, CC 25) Efficient and Provable White-Box Primitives (Fouque et al. eprint 26)

66 Questions?

Keynote: White-Box Cryptography

Keynote: White-Box Cryptography Matthieu Rivain PHIIC Workshop, 4 Oct 2016 Outline Context: white-box crypto: big trend in the industry cryptographic obfuscation: big trend in the scientific literature