On The Complexity of Compressing Obfuscation
Gilad Asharov, Naomi Ephraim, Ilan Komargodski, and Rafael Pass
Cornell University and Cornell Tech CRYPTO 2018
Indistinguishability Obfuscation (iO)
An obfuscator is a compiler which preserves
If C0 and C1 compute the same function and |C0|=|C1|, then iO(C0) and iO(C1) are hard to distinguish
iO + standard assumptions:
Classical Crypto: Public-key encryption [SW14]; Trapdoor permutations [BPW15]; Non-interactive zero knowledge [SW14]; One-way functions [KMN+14]
Modern Crypto: Fully homomorphic encryption [CLT+15]; Multi-input functional encryption [GGG+14, BKS16]; Deniable encryption [SW14]; Cryptographic hardness of PPAD [BPR15]; Constant-round concurrent zero knowledge [CLP15]; Many more!
Reduce iO to seemingly weaker building blocks
Reduce the existence of iO to new concrete assumptions
In all of these, the assumption is nonstandard and is vulnerable to attacks [ADGM17, BBKK17, BWZ14, CGH17, CHLRS15, GHMS14, LV17, MSZ16]
Reduce iO to seemingly weaker building blocks
What is the weakest building block that implies iO?
Compact public-key functional encryption (FE) [AJ15, BV15]: ciphertexts are “short”
Collusion-resistant secret-key FE [FKT18]: ciphertexts don’t grow with number of functional keys
Compact randomized encodings [LPST16]: encoding time is “small”
+ OWF
All building blocks require some form of compression
A (t,ℓ)-compressing obfuscator has:
Time to obfuscate is t(s,n)
Size of the obfuscation is ℓ(s,n)
Here |C| = s, n is the input length of C, and |iO(C)| = ℓ(s,n).
This talk: circuits C

Strength of assumption (increasing):
Trivial: $t(s,n) = 2^n \cdot s$, $\ell(s,n) = 2^n$
XiO [LPST16]: $t(s,n) = \mathrm{poly}(2^n, s)$, $\ell(s,n) = 2^{n(1-\epsilon)} \cdot \mathrm{poly}(s)$ (time = |truth table|, size = smaller than truth table)
SXiO [BNPW16]: $t(s,n) = 2^{n(1-\epsilon)} \cdot \mathrm{poly}(s)$, $\ell(s,n) = 2^{n(1-\epsilon)} \cdot \mathrm{poly}(s)$ (time and size smaller than truth table)
iO: $t(s,n) = \mathrm{poly}(s)$, $\ell(s,n) = \mathrm{poly}(s)$
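The "Trivial" row made concrete, as an added example that is not part of the talk: publishing the truth table costs 2^n · s gate evaluations and 2^n bits, and any two equivalent circuits map to the identical output. The gate-list circuit encoding, the sample circuits C0 and C1, and the stand-in poly(s) = s^k are assumptions of this example.

```python
from itertools import product

# Assumed circuit encoding (not from the talk): wires 0..n-1 are the inputs,
# each gate (op, a, b) appends one wire, and the last wire is the output.
# Circuit size s is the number of gates.
OPS = {
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "XOR": lambda a, b: a ^ b,
    "NAND": lambda a, b: 1 - (a & b),
}

def evaluate(circuit, x):
    wires = list(x)
    for op, a, b in circuit:
        wires.append(OPS[op](wires[a], wires[b]))
    return wires[-1]

def trivial_obfuscate(circuit, n):
    """Return (truth table, gate evaluations): size 2^n, time 2^n * s."""
    table = tuple(evaluate(circuit, x) for x in product((0, 1), repeat=n))
    return table, (2 ** n) * len(circuit)

def run_obfuscated(table, x):
    """Evaluate the obfuscated program: a lookup at the index encoded by x."""
    return table[int("".join(map(str, x)), 2)]

def first_n_exceeding_xio_size(s, eps, k=2):
    """Smallest n at which the trivial size 2^n exceeds 2^(n(1-eps)) * s^k.
    poly(s) = s^k is an assumed stand-in for the unspecified polynomial."""
    n = 1
    while 2 ** n <= 2 ** (n * (1 - eps)) * s ** k:
        n += 1
    return n

# Constructed sample: two different 3-gate circuits for x0 XOR x1 (n = 2).
C0 = [("OR", 0, 1), ("NAND", 0, 1), ("AND", 2, 3)]
C1 = [("XOR", 0, 1), ("AND", 2, 2), ("OR", 3, 3)]

if __name__ == "__main__":
    t0, work = trivial_obfuscate(C0, 2)
    t1, _ = trivial_obfuscate(C1, 2)
    # Identical outputs: the truth table reveals nothing beyond the function.
    print(t0 == t1, len(t0), work)
    # For fixed s the truth table soon outgrows the XiO size bound.
    print(first_n_exceeding_xio_size(s=3, eps=0.5))
```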
Diagram (strength of assumption) relating Trivial, XiO, SXiO and iO, with labels:
+LWE
+OWF [KNT18]
sub-exponential security
+ OWF = “holy grail”
[MMN+16, GMM17]
Can we use
Assume sub-exponential OWF
Obfustopia: iO, PKE exist
Minicrypt: No PKE
Compressing obfuscation as an independent primitive
XiO + one-way functions ⇏ public-key encryption in a black-box way
Approximately-correct (S)XiO + polynomial LWE + NIZK ⇒ correct (S)XiO
Constructions for “powerful” class of circuits (e.g., AC0)
Unlikely to exist with stronger compression
Diagram repeated with the results added, with labels:
+ OWF = “holy grail”
Minicrypt: No PKE
Obfustopia: iO, PKE exist
+LWE
+OWF [KNT18]
+subexp OWF
Approximate XiO
+polynomial LWE, NIZK
Assume sub-exponential OWF
Theorem: XiO + OWF ⇏ PKE in a black-box way
Recall: XiO + LWE ⇒ iO
Diagram labels: Public Key Crypto, Secret Key Crypto
Public-key encryption from iO [SW14]:
pk ← iO.Obf(secret-key encryption circuit taking m, r and outputting ct)
Enc(pk,m): Sample r and evaluate pk
Figure labels: f; OWF; “ciphertexts!”
Our result: extended model
Problem: Separation overcome by new constructions (e.g., PKE from SXiO + OWFs [BNPW16])
We consider XiO for oracle-aided circuits
Captures known techniques for iO, e.g., “self-feeding” techniques
Non-black-box extension of Impagliazzo-Rudich separation [IR89]
Theorem: XiO with output $2^{n(1-o(1))}$ length exists for AC0
Main idea: Take advantage of the running time of XiO
Circuit compression [CKK+15] (figure: f and its truth table f(1), f(2), …)
Construction is black-box, i.e., implies compressing VBB
Stronger compression implies nontrivial speedups for UNSAT
Theorem: $(2^{\epsilon n}, 2^{\epsilon n})$-compressing obfuscation for depth 2 circuits implies UNSAT ∈ AM[$2^{c\epsilon n}$] for a constant c
Compressing obfuscation is unusual!
XiO
succinct FE [GKP+13]
compresses running time
compresses function size