ISC conference, September 2009, Pisa, Italy

Towards Security Notions for White-Box Cryptography
Brecht Wyseur
ISC 2009, September 2009, Pisa, Italy
Joint work with Amitabh Saxena and Bart Preneel

Outline
• Motivation: White-Box Cryptography
• The Theory of Obfuscation
  – (im)possibility results
  – Obfuscation vs. White-Box Cryptography
• Towards a formal model for white-box cryptography
• (Im)possibility results
• Conclusion and future research

Motivation
• Our research:
  – How can we implement cryptographic primitives in software in a secure way?
    • Not: implementation itself (bugs, efficiency)
    • But: threats that arise when deploying cryptographic software implementations in systems
• Threat model: Adversary has full access to the implementation of cryptographic primitives
  – DRM scenario: decryption device on untrusted machine (set-top box / PC)
  – Mobile agents
  – Online-gaming

3 threat models
• Traditional cryptography (black-box cryptography)
• Observable cryptography (side-channel attacks)
• White-box cryptography (software implementations)

WBC in practice
• WB-DES, WB-AES constructions [S. Chow, P. Eisen, H. Johnson, and P.C. van Oorschot, 2002]
  – Hardwire secret keys, and scramble internal operations
[Figure: 'black-box' AES with key k next to 'white-box' WB-AES, shown as a block of bytes]
• Subsequent work:
  – (differential & algebraic) cryptanalysis (2002, 2004, 2007)
  – improvements (2002, 2004, 2006)
  – (algebraic) cryptanalysis of classes of WB implementations (2008, 2009)

Objective
• Our main question: do “secure” white-box implementations exist? (and what do they look like?)
• Broader perspective: can the security that was achieved in ‘black-box’ be maintained in ‘white-box’? (Beyond the confidentiality of secret keys)
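The "hardwire secret keys, and scramble internal operations" idea from the WBC in practice slide, as an added toy example that is not code from the talk or from Chow et al. It assumes a random byte permutation as a stand-in S-box, a constructed 4-byte key and hypothetical function names, and covers a single key-addition-plus-S-box step rather than a full cipher.

```python
import random

def random_bijection(rng):
    """Random permutation of 0..255, used as a secret byte encoding."""
    p = list(range(256))
    rng.shuffle(p)
    return p

def invert(p):
    inv = [0] * 256
    for i, v in enumerate(p):
        inv[v] = i
    return inv

def black_box_round(sbox, key, block):
    """Reference computation with the key as a separate input: y = S[x ^ k]."""
    return bytes(sbox[x ^ k] for x, k in zip(block, key))

def plain_tables(sbox, key):
    """Key hardwired but nothing scrambled: T_i[x] = S[x ^ k_i]."""
    return [[sbox[x ^ k] for x in range(256)] for k in key]

def encoded_tables(sbox, key, rng):
    """Key hardwired and scrambled: T_i = g_i o S o xor(k_i) o f_i^-1.
    The external encodings f_i and g_i^-1 are returned separately because
    they live outside the white-box program."""
    tables, f_list, g_inv_list = [], [], []
    for k in key:
        f, g = random_bijection(rng), random_bijection(rng)
        f_inv = invert(f)
        tables.append([g[sbox[f_inv[x] ^ k]] for x in range(256)])
        f_list.append(f)
        g_inv_list.append(invert(g))
    return tables, f_list, g_inv_list

def white_box_round(tables, f_list, g_inv_list, block):
    """Encode the input, run the key-free table lookups, decode the output."""
    return bytes(g_inv[t[f[x]]]
                 for t, f, g_inv, x in zip(tables, f_list, g_inv_list, block))

def key_guess_from_tables(sbox, tables):
    """Reviewer's check: k_i = S^-1[T_i[0]] holds exactly for plain tables."""
    s_inv = invert(sbox)
    return bytes(s_inv[t[0]] for t in tables)

RNG = random.Random(2009)        # fixed seed so the run is reproducible
SBOX = random_bijection(RNG)     # constructed stand-in for a cipher S-box
KEY = bytes.fromhex("0f1e2d3c")  # constructed sample key
TABLES, F, G_INV = encoded_tables(SBOX, KEY, RNG)
```

The encodings only stop the direct read-out performed by `key_guess_from_tables`; the cryptanalysis listed under "Subsequent work" is aimed at constructions of this kind, which is why the talk asks for a formal security notion.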
Concepts
• Our formal model includes
  – Security notions (to capture “secure algorithm”)
  – Theoretic models for Obfuscation

Theory of Obfuscation
• [Barak et al., 2001]: comparison between the ‘real world’ and its simulated counterpart in an idealized setting.
[Figure: the two settings side by side; labels: 1^n, O(P), P, A, b]
  – Example: predicate-based definition:
  – Other definitions include distinguisher-based definitions

(im)possibility results
• The main impossibility result [Barak et al., 2001]
  – There exists an unobfuscatable function: the cannibalistic function construction.

      If (input behaves like me) {
          Leak my secret SECRET;
      }

• Positive results: obfuscation of Point Functions [Lynn, Prabhakaran and Sahai, 2004 – Wee, 2005]

Obfuscation vs. White-Box Crypto
• No agreement on which model of obfuscation would be suitable for cryptographic purposes
  – Predicate-based definitions: too weak (meaningless)
  – Distinguisher-based definitions: too strong (nothing interesting is possible: deterministic & obfuscatable function must be learnable)
• Cryptographic schemes are generally not learnable (predictable)
• Definitions of obfuscation do not capture ‘context’ and ‘objective’
Need for a model that captures “White-Box Cryptography”

Security Notions
• Security in ‘black-box’
  – Security notions
    • Attack goals
    • Attacker capabilities (described as a game between a challenger and the adversary)
• An example: IND-CCA2
[Figure: IND-CCA2 game between Challenger and Adversary; the adversary submits m_0, m_1; the challenger samples b ←$ {0,1} and r ←$ R and returns c = E_K(m_b, r); the adversary has oracles E_k and D_k (but not on input c) and outputs b; annotations: context, meaning]

Formal model
• Pin down obfuscation models to cryptographic primitives
  – Family Q
  – Keyspace K; q ←$ K
  – Instantiated cryptographic primitive Q[q]
• We follow the game-based approach [Bellare et al., 1997]
[Figure: Black-box game with input (1^k, sn) next to White-box game with input (1^k, O(Q_i), sn); in each, adversary A with state s; outcome: WIN?]
Obfuscatability
• Comparison between the white-box game, and its idealized version
[Figure: Black-box game with input (1^k, sn) next to White-box game with input (1^k, O(Q_i), sn); in each, adversary A with state s; outcome: WIN?]
• Obfuscatable family Q
• O is a secure obfuscator for Q_i, under the sn security notion, if

Formal model
• Black-box game
[Figure: input (1^k, sn); adversary A with state s and access to Q_1[q_1], Q_2[q_2], Q_3[q_3], …]
• IND-CCA2 game
[Figure: Challenger and Adversary; m_0, m_1; b ←$ {0,1}; r ←$ R; E_K(m_b, r); oracles E_k and D_k (but not on input c); output b]

Negative Results
• For any non-learnable family Q, there exists a non-obfuscatable security notion (this is stronger than Barak et al., 2001)
[Figure: game with input (1^k, sn) next to game with input (1^k, O(Q), sn); labels: Q[q], E, Q_1[q_1], q; outcome: WIN?]
• Obfuscation is not trivially composable

Positive result
• There exists an obfuscator O that turns an IND-CPA secure, symmetric encryption scheme into an IND-CPA secure asymmetric encryption scheme
  – Based on the bi-linear Diffie-Hellman assumption
• There exist approximately learnable families that can be universally obfuscated (e.g., point functions)

Conclusion and Future Work
• A formal model for White-Box Cryptography was presented, based on
  – Theoretic models on obfuscation
  – Security notions
• Some security notions are inherently unobfuscatable
• (Im)possibility results
• Future Work
  – Extend the (im)possibility results towards other (reasonable) security notions and cryptographic primitives
  – Capture probabilistic encryption schemes (initial steps are included in the full version; see e-print report 2008/273)
  – Design of a new white-boxing strategy (e.g., AES WB’-AES)

The End
• Thank you.
  – The authors would like to thank the ISC chairs for organizing the event,
  – and the anonymous referees for their valuable comments.