On The Complexity of Compressing Obfuscation Gilad Asharov, Naomi Ephraim, Ilan Komargodski, and Rafael Pass Cornell University and Cornell Tech CRYPTO 2018
Indistinguishability Obfuscation (iO) An obfuscator is a compiler which ‣ preserves functionality ‣ obfuscated circuit is “unintelligible” i O C C
Indistinguishability Obfuscation (iO) An obfuscator is a compiler which ‣ preserves functionality ‣ obfuscated circuit is “unintelligible” x x i O C C y y
Indistinguishability Obfuscation (iO) An obfuscator is a compiler which ‣ preserves functionality ‣ obfuscated circuit is “unintelligible” x x i O C C y y If C 0 and C 1 compute the same function and |C 0 |=|C 1 |, then iO(C 0 ) and iO(C 1 ) are hard to distinguish
Power of iO
Power of iO Classical Crypto One-way functions [KMN+14] iO Trapdoor permutations + standard [BPW15] Public-key assumptions encryption [SW14] Non-interactive zero knowledge [SW14]
Power of iO Modern Crypto Classical Crypto One-way functions [KMN+14] iO Trapdoor permutations + standard [BPW15] Public-key assumptions encryption [SW14] Fully homomorphic encryption Non-interactive zero [CLT+15] knowledge [SW14]
Power of iO Modern Constant-round concurrent Crypto zero knowledge [CLP15] Classical Crypto Deniable One-way encryption functions [KMN+14] [SW14] iO Trapdoor permutations + standard [BPW15] Public-key assumptions encryption [SW14] Fully homomorphic Cryptographic encryption Non-interactive zero hardness of PPAD [CLT+15] knowledge [SW14] [BPR15] Multi-input functional encryption [GGG+14, BKS16] Many more!
Existence of iO Reduce iO to seemingly weaker building blocks
Existence of iO Reduce iO to seemingly weaker building blocks iO cryptographic building block
Existence of iO Reduce iO to seemingly weaker building blocks iO cryptographic building block Reduce the existence of iO to new concrete assumptions
Existence of iO Reduce iO to seemingly weaker building blocks iO cryptographic building block Reduce the existence of iO to new concrete assumptions In all of these, the assumption is nonstandard and is vulnerable to attacks [ADGM17,BBKK17,BWZ14,CGH17,CHLRS15,GHMS14,LV17,MSZ16]
Existence of iO Reduce iO to seemingly weaker building blocks iO cryptographic building block Reduce the existence of iO to new concrete assumptions In all of these, the assumption is nonstandard and is vulnerable to attacks [ADGM17,BBKK17,BWZ14,CGH17,CHLRS15,GHMS14,LV17,MSZ16]
Existence of iO Compact public-key functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16]
Existence of iO Compact public-key functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] + OWF
Existence of iO Compact public-key functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] + OWF What is the weakest building block that implies iO?
Existence of iO Compact public-key functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] + OWF What is the weakest building block that implies iO? All building blocks require some form of compression
Existence of iO Ciphertexts Compact public-key are “short” functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] + OWF What is the weakest building block that implies iO? All building blocks require some form of compression
Existence of iO Ciphertexts Compact public-key are “short” functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] Ciphertexts don’t + OWF grow with number of functional keys What is the weakest building block that implies iO? All building blocks require some form of compression
Existence of iO Ciphertexts Compact public-key are “short” functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] Ciphertexts don’t + OWF Encoding grow with number of time is “small” functional keys What is the weakest building block that implies iO? All building blocks require some form of compression
Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) n i O C C time t(s,n) |C| = s |iO(C)| = ℓ (s,n)
Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) t(s,n)= ℓ (s,n)=
Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) iO t(s,n)= poly ( s ) ℓ (s,n)= poly ( s )
Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) iO Trivial t(s,n)= poly ( s ) 2 n · s ℓ (s,n)= poly ( s ) 2 n
Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) time = |truth table| size = smaller than truth table XiO [LPST16] iO Trivial t(s,n)= poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) time = |truth table| size = smaller than time and size truth table smaller than truth table XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Compression Hierarchy Strength of assumption XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Compression Hierarchy +LWE Strength of assumption XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Compression Hierarchy +LWE Strength of assumption +OWF [KNT18] XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Compression Hierarchy sub- exponential +LWE security Strength of assumption +OWF [KNT18] XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Compression Hierarchy sub- exponential +LWE security Strength of assumption +OWF [KNT18] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Compression Hierarchy sub- exponential +LWE security Strength of assumption +OWF [KNT18] [MMN+16, GMM17] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Compression Hierarchy Can we use only OWF? sub- exponential +LWE security Strength of assumption +OWF [KNT18] [MMN+16, GMM17] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Compression Hierarchy Assume sub-exponential OWF +LWE +OWF [KNT18] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Compression Hierarchy Assume sub-exponential OWF Obfustopia +LWE iO, PKE exist +OWF [KNT18] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Compression Hierarchy Assume sub-exponential OWF Minicrypt Obfustopia +LWE iO, PKE No PKE exist +OWF [KNT18] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n
Recommend
More recommend