on the complexity of compressing obfuscation
play

On The Complexity of Compressing Obfuscation Gilad Asharov, Naomi - PowerPoint PPT Presentation

On The Complexity of Compressing Obfuscation Gilad Asharov, Naomi Ephraim, Ilan Komargodski, and Rafael Pass Cornell University and Cornell Tech CRYPTO 2018 Indistinguishability Obfuscation (iO) An obfuscator is a compiler which preserves


  1. On The Complexity of Compressing Obfuscation Gilad Asharov, Naomi Ephraim, Ilan Komargodski, and Rafael Pass Cornell University and Cornell Tech CRYPTO 2018

  2. Indistinguishability Obfuscation (iO) An obfuscator is a compiler which ‣ preserves functionality ‣ obfuscated circuit is “unintelligible” i O C C

  3. Indistinguishability Obfuscation (iO) An obfuscator is a compiler which ‣ preserves functionality ‣ obfuscated circuit is “unintelligible” x x i O C C y y

  4. Indistinguishability Obfuscation (iO) An obfuscator is a compiler which ‣ preserves functionality ‣ obfuscated circuit is “unintelligible” x x i O C C y y If C 0 and C 1 compute the same function and |C 0 |=|C 1 |, then iO(C 0 ) and iO(C 1 ) are hard to distinguish

  5. Power of iO

  6. Power of iO Classical Crypto One-way functions [KMN+14] iO Trapdoor permutations + standard [BPW15] Public-key assumptions encryption [SW14] Non-interactive zero knowledge [SW14]

  7. Power of iO Modern Crypto Classical Crypto One-way functions [KMN+14] iO Trapdoor permutations + standard [BPW15] Public-key assumptions encryption [SW14] Fully homomorphic encryption Non-interactive zero [CLT+15] knowledge [SW14]

  8. Power of iO Modern Constant-round concurrent Crypto zero knowledge [CLP15] Classical Crypto Deniable One-way encryption functions [KMN+14] [SW14] iO Trapdoor permutations + standard [BPW15] Public-key assumptions encryption [SW14] Fully homomorphic Cryptographic encryption Non-interactive zero hardness of PPAD [CLT+15] knowledge [SW14] [BPR15] Multi-input functional encryption [GGG+14, BKS16] Many more!

  9. Existence of iO Reduce iO to seemingly weaker building blocks

  10. Existence of iO Reduce iO to seemingly weaker building blocks iO cryptographic building block

  11. Existence of iO Reduce iO to seemingly weaker building blocks iO cryptographic building block Reduce the existence of iO to new concrete assumptions

  12. Existence of iO Reduce iO to seemingly weaker building blocks iO cryptographic building block Reduce the existence of iO to new concrete assumptions In all of these, the assumption is nonstandard and is vulnerable to attacks [ADGM17,BBKK17,BWZ14,CGH17,CHLRS15,GHMS14,LV17,MSZ16]

  13. Existence of iO Reduce iO to seemingly weaker building blocks iO cryptographic building block Reduce the existence of iO to new concrete assumptions In all of these, the assumption is nonstandard and is vulnerable to attacks [ADGM17,BBKK17,BWZ14,CGH17,CHLRS15,GHMS14,LV17,MSZ16]

  14. Existence of iO Compact public-key functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16]

  15. Existence of iO Compact public-key functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] + OWF

  16. Existence of iO Compact public-key functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] + OWF What is the weakest building block that implies iO?

  17. Existence of iO Compact public-key functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] + OWF What is the weakest building block that implies iO? All building blocks require some form of compression

  18. Existence of iO Ciphertexts Compact public-key are “short” functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] + OWF What is the weakest building block that implies iO? All building blocks require some form of compression

  19. Existence of iO Ciphertexts Compact public-key are “short” functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] Ciphertexts don’t + OWF grow with number of functional keys What is the weakest building block that implies iO? All building blocks require some form of compression

  20. Existence of iO Ciphertexts Compact public-key are “short” functional encryption (FE) [AJ15,BV15] iO Collusion- Resistant Secret- Compact Key FE [FKT18] Randomized Encodings [LPST16] Ciphertexts don’t + OWF Encoding grow with number of time is “small” functional keys What is the weakest building block that implies iO? All building blocks require some form of compression

  21. Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) n i O C C time t(s,n) |C| = s |iO(C)| = ℓ (s,n)

  22. Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) t(s,n)= ℓ (s,n)=

  23. Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) iO t(s,n)= poly ( s ) ℓ (s,n)= poly ( s )

  24. Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) iO Trivial t(s,n)= poly ( s ) 2 n · s ℓ (s,n)= poly ( s ) 2 n

  25. Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) time = |truth table| size = smaller than truth table XiO [LPST16] iO Trivial t(s,n)= poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

  26. Compressing Obfuscation A (t, ℓ )-compressing obfuscator has: This talk: circuits C Time to obfuscate is t(s,n) - Size s - input length n Size of the obfuscation is ℓ (s,n) time = |truth table| size = smaller than time and size truth table smaller than truth table XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

  27. Compression Hierarchy Strength of assumption XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

  28. Compression Hierarchy +LWE Strength of assumption XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

  29. Compression Hierarchy +LWE Strength of assumption +OWF [KNT18] XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

  30. Compression Hierarchy sub- exponential +LWE security Strength of assumption +OWF [KNT18] XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

  31. Compression Hierarchy sub- exponential +LWE security Strength of assumption +OWF [KNT18] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

  32. Compression Hierarchy sub- exponential +LWE security Strength of assumption +OWF [KNT18] [MMN+16, GMM17] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

  33. Compression Hierarchy Can we use only OWF? sub- exponential +LWE security Strength of assumption +OWF [KNT18] [MMN+16, GMM17] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

  34. Compression Hierarchy Assume sub-exponential OWF +LWE +OWF [KNT18] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

  35. Compression Hierarchy Assume sub-exponential OWF Obfustopia +LWE iO, PKE exist +OWF [KNT18] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

  36. Compression Hierarchy Assume sub-exponential OWF Minicrypt Obfustopia +LWE iO, PKE No PKE exist +OWF [KNT18] + OWF = “holy grail” XiO [LPST16] SXiO [BNPW16] iO Trivial t(s,n)= 2 n (1 − ✏ ) · poly ( s ) poly (2 n , s ) poly ( s ) 2 n · s ℓ (s,n)= 2 n (1 − ✏ ) · poly ( s ) 2 n (1 − ✏ ) · poly ( s ) poly ( s ) 2 n

Recommend


More recommend