New Negative Results on Differing-Inputs Obfuscation
Mihir Bellare, Igors Stepanovs, Brent Waters
EUROCRYPT 2016, May 12, 2016

Our Main Result at a Glance

Differing-inputs obfuscation (Barak et al., 2001)

[GGHW14]: Differing-inputs obfuscation for circuits is implausible, because it cannot coexist with another form of obfuscation that seems to be weaker.

This work: Sub-exponentially secure differing-inputs obfuscation for TMs is impossible, assuming sub-exponentially secure one-way functions.

Obfuscation

Program P → Obfuscator → Program P* (programs are circuits or Turing machines)

1. Correctness: P and P* are functionally equivalent, i.e. P(x) = P*(x) for all x.
2. Security: P* is no more useful than an oracle for P.

[BGIRSVY01]: Virtual Black Box Obfuscation is impossible!

Are there weaker forms of obfuscation that are achievable and useful?
– point-function obfuscation (PO) [C97, CMR98, LPS04, ...]
– virtual grey box obfuscation (VGBO) [BC10, ...]
– indistinguishability obfuscation (iO) [BGIRSVY01, GGHRSW13, SW13, ...]
– differing-inputs obfuscation (diO) [BGIRSVY01, BCP13, ABGSZ13, ...]

Indistinguishability and Differing-Inputs Obfuscation [BGIRSVY01]

PT adversaries: G – Generator; D – Distinguisher; I – Inverter.

Game (diagram): G outputs (P0, P1) and aux. For b ∈ {left, right}:
– Left world: P̃ ←$ Obf(P0)
– Right world: P̃ ←$ Obf(P1)
D is given P̃ and aux. In the diO setting, I is given (P0, P1) and aux and outputs x.

Security of indistinguishability obfuscation (iO): Obf is iO-secure if, for all PT adversaries G that output (P0, P1) such that P0 ≡ P1, no PT adversary D can distinguish left from right.

Security of differing-inputs obfuscation (diO): Obf is diO-secure if, for all PT adversaries G that output (P0, P1) such that it is computationally hard to find x satisfying P0(x) ≠ P1(x), no PT adversary D can distinguish left from right.

We consider two security levels, according to what "computationally hard" means:
(1) Polynomially diO-secure: polynomially hard.
(2) Sub-exponentially diO-secure: sub-exponentially hard.
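
Added example (not from the slides): a toy Python run of the left/right game and the inverter condition defined above. SHA-256 stands in for a one-way function, the (description, function) program encoding and all function names are constructed for illustration, and identity_obf is a deliberately non-hiding obfuscator, so the pair qualifies as a differing-inputs pair at this search budget yet is trivially distinguished.

```python
import hashlib, random, secrets

def G(n=16):
    """Generator: P0 is constant 0; P1 is 1 only on a hidden preimage s.
    Assumption: SHA-256 plays the one-way function; aux is the image y."""
    s = secrets.token_bytes(n)
    y = hashlib.sha256(s).digest()
    P0 = ("const0", lambda x: 0)
    P1 = ("point:" + y.hex(), lambda x: int(hashlib.sha256(x).digest() == y))
    return P0, P1, y, s          # s is returned only so the demo can check itself

def identity_obf(P):
    """Correct (same function) but hides nothing: an insecure stand-in for Obf."""
    return P

def D_reads_code(P_tilde, aux):
    """Distinguisher that inspects the program description it was handed."""
    return int(P_tilde[0].startswith("point:"))

def D_oracle_only(P_tilde, aux, queries=50):
    """Distinguisher restricted to running the program on random inputs."""
    if any(P_tilde[1](secrets.token_bytes(16)) for _ in range(queries)):
        return 1
    return random.randrange(2)

def I_guess(P0, P1, aux, budget=500):
    """Inverter: random search for x with P0(x) != P1(x)."""
    for _ in range(budget):
        x = secrets.token_bytes(16)
        if P0[1](x) != P1[1](x):
            return x
    return None

def distinguish_rate(obf, D, trials=200):
    """Left/right game: fraction of trials in which D guesses b correctly."""
    wins = 0
    for _ in range(trials):
        P0, P1, aux, _ = G()
        b = random.randrange(2)              # b = 0 is the left world, 1 the right
        wins += int(D(obf((P0, P1)[b]), aux) == b)
    return wins / trials

def inverter_rate(I, trials=100):
    """Fraction of trials in which I outputs a differing input."""
    hits = 0
    for _ in range(trials):
        P0, P1, aux, _ = G()
        hits += int(I(P0, P1, aux) is not None)
    return hits / trials
```

distinguish_rate(identity_obf, D_reads_code) is 1.0, while D_oracle_only stays near 0.5 and inverter_rate(I_guess) is 0.0: a diO-secure Obf would have to push the first number down to the second.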

Indistinguishability Obfuscation (iO)

Is iO achievable? Why should I care?!
– [SW13, ...]: We can build many crypto primitives from iO!
– [GGHRSW13, …]: Here is a candidate construction!

"iO as a central hub of cryptography"

Heavy, ad-hoc assumptions. Candidate iO constructions conjectured to meet diO. (Proven in idealized models by BR13, BGKPS13.)

Constructions are getting broken (cycle: proposed → broken). Does iO exist?

We make progress towards settling the existence of iO by providing negative results for diO.

Implausibility of Differing-Inputs Obfuscation [GGHW14]

Theorem ([GGHW14]): Polynomially secure diO for circuits does not exist if:
– there exists an existentially unforgeable digital signature scheme DS, and
– there exists a collision-resistant hash function H, and
– there exists a special-purpose obfuscator for H and DS.

The special-purpose obfuscator is a novel, ad-hoc assumption introduced by [GGHW14]. Is it more plausible than diO?

Differing-inputs obfuscation is implausible! [GGHW14]

Our Results

Theorem A. Sub-exponentially secure diO for TMs does not exist if:
– sub-exponentially secure one-way functions exist.
(The proof uses iO!)

Theorem B. Polynomially secure diO for TMs does not exist if:
– sub-exponentially secure one-way functions exist, and
– sub-exponentially secure indistinguishability obfuscation for circuits exists.

                    Type of programs    Assumptions
[GGHW14] theorem    Circuits            Special-purpose obfuscation, …
Theorem A           Turing Machines     Sub-exponentially secure OWFs [and sub-exponentially secure iO]

Obtain a corollary for circuits from: FHE + diO for circuits + SNARKs ⇒ diO for TMs. [ABGSZ13, BCP14]

Sub-exponential assumptions?! When natural problems are hard (Factoring, DLOG, LWE, SVP, ...), they appear to be sub-exponentially hard.

[GGHW14] Attack

Construct generator G, which outputs (C0, C1) and aux, using:
– digital signature scheme DS,
– "special-purpose obfuscator" spO,
– hash function H.

Let Obf be any obfuscator. It is not diO-secure if:
(1) It is easy to distinguish Obf(C0) from Obf(C1).
(2) It is hard to find x such that C0(x) ≠ C1(x).