tmpa-2013 keynote: zakharov obfuscation

Upload: iosif-itkin

Post on 05-Dec-2014

DESCRIPTION

Tools & Methods of Program Analysis (TMPA-2013). Vladimir A. Zakharov, Associate Professor of Mathematical Cybernetics Department, Head of Laboratory of Mathematical Problems of Computer Security, Faculty of Computational Mathematics and Cybernetics, Moscow State University (MSU). Mathematical Aspects of Program Obfuscation

TRANSCRIPT

Page 1: TMPA-2013 Keynote: Zakharov Obfuscation

Mathematical Aspects of the Program Obfuscation Problem

V.A. Zakharov

Faculty of Computational Mathematics and Cybernetics (CMC), Lomonosov Moscow State University

Page 2: TMPA-2013 Keynote: Zakharov Obfuscation

PROGRAM OBFUSCATION

is a kind of equivalent program transformation intended to make programs harder to understand and to hinder the extraction of useful information about the algorithms, data structures and secret keys contained in them.

Main problems

- How can a program obfuscator be built?
- How can the security of an obfuscation be assessed?

Page 4: TMPA-2013 Keynote: Zakharov Obfuscation

TWO RESEARCH DIRECTIONS

Obfuscation for the needs of cryptography

Diffie W., Hellman M. New directions in cryptography. IEEE Transactions in Information Theory, 1976.

Obfuscation makes it possible to convert secret-key cryptosystems into public-key cryptosystems.

To do so, it suffices to obfuscate a program that implements the encryption algorithm with the secret key embedded in it. The program transformed in this way can be used as the encryption program of a public-key cryptosystem.

Page 5: TMPA-2013 Keynote: Zakharov Obfuscation

TWO RESEARCH DIRECTIONS

Obfuscation for the needs of cryptography

Program obfuscation makes it possible to

- turn secret-key cryptosystems into public-key cryptosystems,

- build systems for computing on encrypted data (homomorphic computation cryptosystems),

- get rid of the random oracle model in cryptographic protocols,

- create verifiable secret-ballot voting systems,

- ensure confidentiality in search engines and databases.

Page 6: TMPA-2013 Keynote: Zakharov Obfuscation

TWO RESEARCH DIRECTIONS

Obfuscation for the needs of cryptography

But for this, obfuscation must satisfy the very strict security requirements accepted in cryptography.

The current state of affairs in this research direction is as follows:

- a great many negative results,

- and very few positive achievements.

Page 7: TMPA-2013 Keynote: Zakharov Obfuscation

TWO RESEARCH DIRECTIONS

Obfuscation for computer security

Collberg C., Thomborson C., Low D. A taxonomy of obfuscating transformations, Tech. Report, N 148, Dept. of Computer Science, University of Auckland, 1997.

Obfuscating transformations can be used for

- protecting intellectual property rights in software,

- information protection of mobile agents and of microelectronic circuits at the design stage,

and also for

- hiding artificial vulnerabilities in programs,

- disguising computer "viruses",

- removing "watermarks" from programs.

Page 9: TMPA-2013 Keynote: Zakharov Obfuscation

TWO RESEARCH DIRECTIONS

Obfuscation for computer security

The goal of obfuscation is to counter reverse-engineering methods and the algorithms of static and dynamic program analysis.

The current state of affairs in this research direction is as follows:

- many "heuristic" obfuscation methods,

- and no estimates of their security.

Page 10: TMPA-2013 Keynote: Zakharov Obfuscation

TWO RESEARCH DIRECTIONS

Obfuscation for computer security

C. Wang, "A Security Architecture for survivability Mechanisms", PhD thesis, Dep. of Computer Science, University of Virginia, 2000.

G. Wroblewski, "General Method of Program Code Obfuscation", PhD thesis, Wroclaw University, 2002.

A.V. Chernov, "Research and Development of a Methodology for Program Masking", Candidate of Physical and Mathematical Sciences dissertation, CMC MSU, 2003.

Y. T. Kalai, "Attacks on the Fiat-Shamir Paradigm and Program Obfuscation", PhD thesis, MIT, 2006.

Page 11: TMPA-2013 Keynote: Zakharov Obfuscation

TWO RESEARCH DIRECTIONS

Obfuscation for computer security

S. Drape, "Obfuscation of Abstract Data-Types", PhD thesis, University of Oxford, 2004.

D.A. Shchelkunov, "Development of Techniques for Protecting Programs against Analysis and Modification Based on Code and Data Obfuscation", Candidate of Technical Sciences dissertation, Bauman Moscow State Technical University, 2009.

Mila Dalla Preda, "Code Obfuscation and Malware Detection by Abstract Interpretation", Ph.D. Thesis, Universita degli Studi di Verona, 2007.

Page 12: TMPA-2013 Keynote: Zakharov Obfuscation

TWO RESEARCH DIRECTIONS

Obfuscation for computer security

N.A. Kononov, "Structural Optimization and Obfuscation of Combinational Digital Circuits in the FPGA/SBMK Basis", Candidate of Technical Sciences dissertation, MIET, 2011.

J. Cappaert, "Code Obfuscation Techniques for Software Protection", PhD thesis, Katholieke Universiteit Leuven, B. Preneel (promotor), 112+14 pages, 2012.

C. Collberg, J. Nagra. "Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Program Protection." Addison-Wesley Professional, 2009.

Page 13: TMPA-2013 Keynote: Zakharov Obfuscation

TWO RESEARCH DIRECTIONS

The gap lies between

the formal statement of the obfuscation problem and its applications: The range of applications of obfuscation is wide, but only in rare cases has it been possible to obtain a rigorous mathematical statement of the obfuscation problem with a suitable definition of obfuscation security.

positive and negative results: There are many results on the impossibility of building universal obfuscators, but little is known about the possibility of secure obfuscation for particular special classes of programs.

the theory and practice of obfuscation: Many practical program obfuscation methods are known, yet the fundamental results from cryptography have had no influence on them.

Page 16: TMPA-2013 Keynote: Zakharov Obfuscation

TWO RESEARCH DIRECTIONS

Further progress

will be possible if these two research directions can be brought closer together by creating a consistent system of security requirements that can be applied to the development of different program obfuscation methods in different applications.

This will make it possible to

- understand which security requirements particular kinds of program obfuscation must satisfy;

- assess the strengths and weaknesses of different obfuscation methods;

- adapt the formal methods of the theory of computation and cryptography to the needs of program obfuscation.

Page 18: TMPA-2013 Keynote: Zakharov Obfuscation

OBFUSCATION OF PARTIALLY PROTECTED PROGRAMS

R. Ostrovsky, Efficient computation on oblivious RAM, Proc. of 22nd ACM Symposium on Theory of Computing (STOC-90)

A protected processor P has an open memory M:

M ⇐⇒ P

Theorem

If one-way functions exist, then any program π can be transformed into an equivalent program O(π) such that:

1. $Time(O(\pi)) = Time(\pi) \times \log^3(Time(\pi))$;

2. When O(π) is executed on a computing device with a closed processor P and an open memory M, no adversary bounded by polynomial time is able to recognize the program O(π) from the sequence of its memory accesses.

Page 20: TMPA-2013 Keynote: Zakharov Obfuscation

SECURITY OF OBFUSCATION IN THE VIRTUAL "BLACK BOX" MODEL

[Barak B., Goldreich O., Impagliazzo R., et al., 2001]

A probabilistic algorithm O is called an obfuscator secure in the "black box" model if it satisfies the following requirements:

1. (functionality) for any Turing machine M

M ≈ O(M).

2. (polynomial slowdown) There exists a polynomial p(·) such that for any Turing machine M

size(O(M)) ≤ p(size(M)), time(O(M)) ≤ p(time(M)).

3. (security) For any PPT A (the adversary) there exist a PPT S (the simulator) and a negligible function ν such that the inequality

$|\Pr\{A(O(M))=1\} - \Pr\{S^{M}(1^{size(M)})=1\}| \le \nu(size(M))$

holds for any Turing machine M.

Page 21: TMPA-2013 Keynote: Zakharov Obfuscation

SECURITY OF OBFUSCATION IN THE VIRTUAL "BLACK BOX" MODEL

Theorem [Barak B., Goldreich O., Impagliazzo R., et al., 2001]

Obfuscators secure in the "black box" model do not exist.

Page 22: TMPA-2013 Keynote: Zakharov Obfuscation

SECURITY OF OBFUSCATION IN THE VIRTUAL "BLACK BOX" MODEL

Proof.

There exist computable functions such that no program implementing them can be obfuscated.

$F_{\alpha,\beta}(x) = \begin{cases} \beta, & \text{if } x = \alpha, \\ 0 & \text{otherwise.} \end{cases}$

$G_{\gamma,\delta}(x) = \begin{cases} 1, & \text{if } x(\gamma) = \delta, \\ 0 & \text{otherwise.} \end{cases}$

$H_{\alpha,\beta,\gamma,\delta}(x, y) = \begin{cases} F_{\alpha,\beta}(x), & \text{if } y = 0, \\ G_{\gamma,\delta}(x), & \text{if } y \ne 0. \end{cases}$

Page 24: TMPA-2013 Keynote: Zakharov Obfuscation

SECURITY OF OBFUSCATION IN THE VIRTUAL "BLACK BOX" MODEL

Proof.

Suppose that π is a program computing the function $H_{\alpha,\beta,\gamma,\delta}$, and O(π) is an obfuscation of the program π.

Given the program O(π), we need to find out whether it is true that α = γ and β = δ.

If the text of the program O(π) is not available, this can only be done by exhaustive search.

If the text of the program O(π) is available, it suffices to compute

O(π)[O(π)[·, 0], 1] .
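
The self-application step of this proof, as an added example that is not part of the slides: programs are modelled as Python source strings, G runs its argument as a program named C, and the names make_pi, load, adversary and black_box_guess are assumptions of this example. The adversary relies only on the functionality of the text it holds, so the same call works on any functionality-preserving O(π).

```python
import secrets

N = 64  # bit length of alpha, beta, gamma, delta (constructed toy parameter)

def make_pi(alpha, beta, gamma, delta):
    """Text of a program pi computing H_{alpha,beta,gamma,delta}(x, y)."""
    return (
        "def H(x, y):\n"
        "    if y == 0:  # F: point function on bit strings\n"
        f"        return {beta} if x == {alpha} else 0\n"
        "    env = {}    # G: x is the text of a program C, run on gamma\n"
        "    exec(x, env)\n"
        f"    return 1 if env['C']({gamma}) == {delta} else 0\n"
    )

def load(text):
    """Turn a program text into a callable H (only texts built here are run)."""
    env = {}
    exec(text, env)
    return env["H"]

def adversary(obf_text):
    """Holds the text of O(pi) and computes O(pi)[ O(pi)[., 0], 1 ]."""
    # O(pi)[., 0] as a program text: the same code with y fixed to 0.
    specialised = obf_text + "\ndef C(x):\n    return H(x, 0)\n"
    return load(obf_text)(specialised, 1)

def black_box_guess(oracle, queries):
    """Input/output access only: learns something only by hitting alpha."""
    for _ in range(queries):
        if oracle(secrets.randbits(N), 0) != 0:
            return 1
    return 0

if __name__ == "__main__":
    a, b = secrets.randbits(N), secrets.randbits(N) | 1   # beta kept nonzero
    same = make_pi(a, b, a, b)          # alpha = gamma and beta = delta
    other = make_pi(a, b, a ^ 1, b)     # gamma differs from alpha
    print("with program text:", adversary(same), adversary(other))
    print("black box, 1000 queries:", black_box_guess(load(same), 1000))
```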

Page 27: TMPA-2013 Keynote: Zakharov Obfuscation

SECURITY OF OBFUSCATION IN THE VIRTUAL "GREY BOX" MODEL

A probabilistic algorithm O is called an obfuscator secure in the "grey box" model if it satisfies the following requirements:

1. (functionality)

2. (polynomial slowdown)

3. (security) For any PPT A (the adversary) there exist a PPT S (the simulator) and a negligible function ν such that the inequality

$|\Pr\{A(O(M))=1\} - \Pr\{S^{Tr(M)}(1^{size(M)})=1\}| \le \nu(size(M))$

holds for any Turing machine M.

In response to a query x, the oracle Tr(M) returns a pair $(y, tr_M(x))$ consisting of

- the result of the computation y = M(x),
- the trace $tr_M(x)$ of the execution of the TM M on input x.

Page 28: TMPA-2013 Keynote: Zakharov Obfuscation

SECURITY OF OBFUSCATION IN THE VIRTUAL "GREY BOX" MODEL

Consider the family of reactive TMs (RMT), whose input is an infinite stream of data (queries) $x_1, x_2, \dots, x_n, \dots$. An RMT computes an infinite stream of output data (responses) $y_1, y_2, \dots, y_n, \dots$:

$y_n = F_n(x_1, x_2, \dots, x_n)$.

Theorem [Varnovsky N.P., 2002]

If one-way functions exist, then obfuscators secure in the virtual "grey box" model do not exist for reactive TMs.

Page 29: TMPA-2013 Keynote: Zakharov Obfuscation

SECURITY OF OBFUSCATION IN THE VIRTUAL "GREY BOX" MODEL

Open problem

Do obfuscators secure in the virtual "grey box" model exist for ordinary Turing machines?

Page 30: TMPA-2013 Keynote: Zakharov Obfuscation

OBFUSCATION FOR PROTECTING ALGORITHMS

A probabilistic algorithm O is called an obfuscator that securely protects algorithms if it satisfies the following requirements:

1. (functionality)

2. (polynomial slowdown)

3. (security) For any PPT A (the adversary) there exist a PPT S (the simulator) and a negligible function ν such that the inequality

$|\Pr\{A(O(M),N)=1\} - \Pr\{S^{M}(1^{size(M)},N)=1\}| \le \nu(size(M))$

holds for every pair of TMs (M, N) that satisfies the conditions

- M ≈ N,

- size(N) = poly(size(M)).

Page 31: TMPA-2013 Keynote: Zakharov Obfuscation

OBFUSCATION FOR PROTECTING ALGORITHMS

Theorem

There exists an obfuscator that securely protects algorithms represented by deterministic finite automata.

The obfuscator for deterministic finite automata is simply the finite-automaton minimization algorithm.

This is a typical example of trivial obfuscation of algorithms by efficiently reducing programs to a unique normal form (strong normalizability).
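
Minimization used as the obfuscator, as an added example that is not part of the slides: two different automata for the same language are reduced to one canonical table, so the output carries no trace of which algorithm was given as input. The DFA encoding (a transition dict over a sorted alphabet, with breadth-first renumbering) and the sample automata are constructed for this example.

```python
from collections import deque

def minimize(alphabet, delta, start, accepting):
    """Canonical minimal DFA of a complete DFA, as (transition_table, accepting).

    delta maps (state, symbol) -> state. States of the result are numbered in
    breadth-first order from the start state, so equivalent DFAs give equal output.
    """
    alphabet = sorted(alphabet)
    # 1. Drop states that cannot be reached from the start state.
    reach, queue = {start}, deque([start])
    while queue:
        q = queue.popleft()
        for s in alphabet:
            t = delta[(q, s)]
            if t not in reach:
                reach.add(t)
                queue.append(t)
    # 2. Moore refinement: split blocks until successors agree block-wise.
    block = {q: int(q in accepting) for q in reach}
    while True:
        ids, refined = {}, {}
        for q in reach:
            sig = (block[q],) + tuple(block[delta[(q, s)]] for s in alphabet)
            refined[q] = ids.setdefault(sig, len(ids))
        stable = len(ids) == len(set(block.values()))
        block = refined
        if stable:
            break
    # 3. Renumber blocks canonically (BFS, symbols in sorted order).
    rep = {}
    for q in reach:
        rep.setdefault(block[q], q)          # one representative per block
    order, queue, table = {block[start]: 0}, deque([block[start]]), []
    while queue:
        b = queue.popleft()
        row = []
        for s in alphabet:
            t = block[delta[(rep[b], s)]]
            if t not in order:
                order[t] = len(order)
                queue.append(t)
            row.append(order[t])
        table.append(tuple(row))
    acc = tuple(sorted(order[b] for b in order if rep[b] in accepting))
    return tuple(table), acc

# Constructed sample automata over the alphabet {0, 1}.
# M: accepts strings with an even number of 1s, two states.
EVEN_ONES = ("01", {(0, "0"): 0, (0, "1"): 1, (1, "0"): 1, (1, "1"): 0}, 0, {0})
# N: same language, different algorithm (counts 1s mod 4) plus an unreachable state z.
EVEN_ONES_MOD4 = ("01", {
    ("a", "0"): "a", ("a", "1"): "b", ("b", "0"): "b", ("b", "1"): "c",
    ("c", "0"): "c", ("c", "1"): "d", ("d", "0"): "d", ("d", "1"): "a",
    ("z", "0"): "a", ("z", "1"): "z"}, "a", {"a", "c", "z"})
# A different language: strings that end in 1.
ENDS_IN_ONE = ("01", {(0, "0"): 0, (0, "1"): 1, (1, "0"): 0, (1, "1"): 1}, 0, {1})

if __name__ == "__main__":
    for name, dfa in [("M", EVEN_ONES), ("N", EVEN_ONES_MOD4), ("other", ENDS_IN_ONE)]:
        print(name, minimize(*dfa))
```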

Page 33: TMPA-2013 Keynote: Zakharov Obfuscation

OBFUSCATION FOR PROTECTING ALGORITHMS

S. Goldwasser, G. N. Rothblum, On Best Possible Obfuscation, TCC 2007.

A probabilistic algorithm O is called a best possible obfuscator if it satisfies the following requirements:

1. (functionality)

2. (polynomial slowdown)

3. (security) For any PPT L (the learner) there exists a PPT S (the simulator) such that, for sufficiently large n and for an arbitrary pair of TMs $M_1$, $M_2$ that compute the same function and have size n, i.e. $M_1 \approx M_2$, $size(M_1) = size(M_2) = n$, the two probability distributions

$L(O(M_1))$ and $S(M_2)$

are computationally indistinguishable in polynomial time.

Page 34: TMPA-2013 Keynote: Zakharov Obfuscation

OBFUSCATION FOR PROTECTING ALGORITHMS

Theorem [S. Goldwasser, G. N. Rothblum, 2007]

There exists a best possible obfuscator for OBDDs of polynomial size.

Theorem

If a best possible obfuscator exists for the family of 3-CNFs, then

$\Sigma_2^{poly} = PSPACE$.

Page 36: TMPA-2013 Keynote: Zakharov Obfuscation

OBFUSCATION FOR PROTECTING ALGORITHMS

[Barak B., Goldreich O., Impagliazzo R., et al., 2001]

A probabilistic algorithm O has the property of an indistinguishability obfuscator if it satisfies the following requirements:

1. (functionality) for any Turing machine M

M ≈ O(M).

2. (polynomial slowdown) There exists a polynomial p(·) such that for any Turing machine M

size(O(M)) ≤ p(size(M)), time(O(M)) ≤ p(time(M)).

3. (security) For any PPT A (the adversary) there exists a negligible function ν such that for any pair of Turing machines $M_1$, $M_2$, if $M_1 \sim M_2$, then

$|\Pr\{A(O(M_1))=1\} - \Pr\{A(O(M_2))=1\}| \le \nu(size(M_1) + size(M_2))$

Page 37: TMPA-2013 Keynote: Zakharov Obfuscation

OBFUSCATION FOR PROTECTING ALGORITHMS

Open problems

Are there classes of programs that admit nontrivial secure obfuscation protecting algorithms?

Are there programs that have no secure obfuscation protecting algorithms?

How are obfuscation protecting algorithms and best possible obfuscation related to each other?

Page 38: TMPA-2013 Keynote: Zakharov Obfuscation

CONSTANT-HIDING OBFUSCATION

Let M be a program with a parameter (variable) x. Denote by $M_c$ the instance of the program M in which the constant $c \in \{0,1\}^n$ is substituted for the parameter x.

A probabilistic algorithm O is called a constant-hiding obfuscator for the parameterized family of programs $F = \{M_c : c \in \{0,1\}^n, n \ge 1\}$ if it satisfies the following requirements:

1. (functionality)

2. (polynomial slowdown)

3. (security) For any PPT A (the adversary) there exist a PPT S (the simulator) and a negligible function ν such that the inequality

$|\Pr\{A[O(M_{c_0}), M_c]=1\} - \Pr\{S^{M_{c_0}}[1^{size(M_{c_0})}, M_c]=1\}| \le \nu(n)$

holds for any pair of constants $c_0 \in \{0,1\}^n$ and $c \in_R \{0,1\}^n$.

Page 39: TMPA-2013 Keynote: Zakharov Obfuscation

CONSTANT-HIDING OBFUSCATION

CONJECTURE

Secure constant-hiding obfuscation

- is impossible if $M_x$ is a universal Turing machine;

- is possible if $M_x = E(key(x), m)$ is the encryption program of a secure public-key cryptosystem with public key key(x) and secret key x.

Page 40: TMPA-2013 Keynote: Zakharov Obfuscation

PREDICATE OBFUSCATION

A probabilistic algorithm O is called an obfuscator of a predicate π defined on a family of Turing machines F if it satisfies the following requirements:

1. (functionality)

2. (polynomial slowdown)

3. (security) For any PPT A (the adversary) there exist a PPT S (the simulator) and a negligible function ν such that the inequality

$|\Pr\{A[O(M)]=\pi(M)\} - \Pr\{S^{M}[1^{size(M)}]=\pi(M)\}| \le neg(size(M))$

holds for every TM M in F and its obfuscation O(M).

Page 41: TMPA-2013 Keynote: Zakharov Obfuscation

PREDICATE OBFUSCATION

A point function is a function $f_a : \{0,1\}^n \to \{0,1\}$, $a \in \{0,1\}^n$, satisfying the condition

$f_a(x) = \begin{cases} 1, & \text{if } x = a, \\ 0, & \text{if } x \ne a. \end{cases}$

Consider the family $F_n$ consisting of the point functions $\{f_u : u \in \{0,1\}^n\}$ and the function identically equal to 0. On this family the predicate $P(f) = (f \equiv 0)$ is defined.

Theorem [Zakharov V.A., Varnovsky N.P., 2003]

If one-way permutations exist, then the predicate P, defined on the family of programs computing the functions of the family $F_n$, has a secure obfuscation.

Page 42: TMPA-2013 Keynote: Zakharov Obfuscation

PREDICATE OBFUSCATION

Proof

We need to make two programs indistinguishable from each other:

    prog π0;
    var x : string, y : bit;
    input (x);
    y = 0; output (y);
    end of prog

    prog πa;
    var x : string, y : bit;
    const a : string;
    input (x);
    if x==a then y=1 else y=0;
    output (y);
    end of prog

We will need a one-way permutation ϕ on the set of strings $\{0,1\}^n$ and a random string generator, which can be built from a one-way permutation.

Page 44: TMPA-2013 Keynote: Zakharov Obfuscation

PREDICATE OBFUSCATION

For the program π0:

1) choose two random strings w, u,

2) compute $v = \varphi(w)$ and $\sigma = \sum_{i=1}^{n} w_i u_i \bmod 2$.

For the program πa:

1) choose a random string u,

2) compute $v = \varphi(a)$ and $\sigma = 1 + \sum_{i=1}^{n} a_i u_i \bmod 2$.

Then each of the programs π0, πa, where $a \in \{0,1\}^n$, takes the form:

    prog O(π);
    var x : string, y : bit;
    const u,v : string, σ : bit;
    input (x);
    if ϕ(x)==v then
        if σ == Σ_{i=1}^{n} x_i ∗ u_i mod 2 then y=0 else y=1
    else y=0;
    output (y);
    end of prog
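
The construction above carried through in code, as an added example that is not part of the slides: both π0 and πa become the same template with constants (v, u, σ), and telling them apart amounts to computing the inner-product bit of the preimage of v, which is the Goldreich-Levin hard-core predicate. The permutation phi (discrete exponentiation modulo the Fermat prime 65537) and the 16-bit length are toy stand-ins chosen so the last function can show that inverting ϕ decides the predicate; `secrets` stands in for the random string generator.

```python
import secrets

N = 16            # toy string length; far too small for real one-wayness
P = 2 ** 16 + 1   # Fermat prime 65537, for which 3 is a primitive root

def phi(x):
    """Stand-in permutation on {0,1}^N: x -> 3^(x+1) mod P, shifted into 0..2^N-1."""
    return pow(3, x + 1, P) - 1

def dot(x, u):
    """Inner product of the bit strings x and u modulo 2."""
    return bin(x & u).count("1") & 1

def obfuscate_zero():
    """O(pi_0): v = phi(w), sigma = <w, u> for random w and u."""
    w, u = secrets.randbits(N), secrets.randbits(N)
    return phi(w), u, dot(w, u)

def obfuscate_point(a):
    """O(pi_a): v = phi(a), sigma = 1 + <a, u> mod 2 for random u."""
    u = secrets.randbits(N)
    return phi(a), u, 1 ^ dot(a, u)

def run(obf, x):
    """The common program template O(pi) with constants (v, u, sigma)."""
    v, u, sigma = obf
    if phi(x) == v:
        return 0 if sigma == dot(x, u) else 1
    return 0

def predicate_by_inversion(obf):
    """Decide P(f) = (f is identically 0) by inverting phi exhaustively.

    Feasible only because N is a toy size: the security of the construction
    rests on phi being one-way.
    """
    v, u, sigma = obf
    w = next(x for x in range(2 ** N) if phi(x) == v)
    return sigma == dot(w, u)

if __name__ == "__main__":
    a = 0xBEEF  # constructed sample point
    zero, point = obfuscate_zero(), obfuscate_point(a)
    print("O(pi_0) constants:", zero)
    print("O(pi_a) constants:", point)
    print("O(pi_a)(a) =", run(point, a), " O(pi_0)(a) =", run(zero, a))
    print("P recovered by inversion:", predicate_by_inversion(zero),
          predicate_by_inversion(point))
```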

Page 47: TMPA-2013 Keynote: Zakharov Obfuscation

PREDICATE OBFUSCATION

Theorem

Let $O_1$, $O_2$ be obfuscators of the functional properties $\pi_1$, $\pi_2$ respectively, and let the range of the obfuscator $O_2$ be contained in the domain of the obfuscator $O_1$.

Then the composition $O = O_1 O_2$ is an obfuscator of both predicates $\pi_1$ and $\pi_2$.

Page 48: TMPA-2013 Keynote: Zakharov Obfuscation

CONCLUSION

This list of definitions should be continued, formulating weaker and weaker security requirements suitable for other applications of obfuscation.

The achievements of cryptography and complexity theory should be brought to bear on obfuscation more actively: homomorphic encryption systems, intractable problems.

Page 50: TMPA-2013 Keynote: Zakharov Obfuscation

RECENT ACHIEVEMENTS

In July 2013 the paper

Candidate Indistinguishability Obfuscation and Functional Encryption for All Circuits

S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters

was published, in which the authors showed that the following holds:

Theorem [S. Garg, C. Gentry, et al, 2013]

Indistinguishability obfuscation is possible for arbitrary programs

(under certain assumptions about the hardness of problems in group theory)

Page 51: TMPA-2013 Keynote: Zakharov Obfuscation

RECENT ACHIEVEMENTS

On 30 September 2013 the following paper was published:

Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding.

Zvika Brakerski, Guy N. Rothblum

We present a new general-purpose obfuscator for all polynomial-size circuits. The obfuscator uses graded encoding schemes, a generalization of multilinear maps. We prove that the obfuscator exposes no more information than the program's black-box functionality, and achieves virtual black-box security, in the generic graded encoded scheme model.

Page 52: TMPA-2013 Keynote: Zakharov Obfuscation

Thank you for your attention.

Any questions?