Lower Bounds on Assumptions behind Indistinguishability Obfuscation

Presentation transcript:

Lower Bounds on Assumptions behind Indistinguishability Obfuscation. Mohammad Mahmoody (University of Virginia), Ameer Mohammed (University of Virginia), Soheil Nematihaji (University of Virginia), abhi shelat (University of Virginia), Rafael Pass (Cornell University).

Obfuscation Mechanisms: a program $M$ is transformed into an obfuscated program $M'$.

Indistinguishability Obfuscation: the next best thing? Indistinguishability obfuscation again maps $M$ to $M'$.

Landscape and Goals. Indistinguishability Obfuscation (iO) is obtained from Functional Encryption [GGH+13], which in turn is obtained from Multilinear Maps (+LWE) [GGH+13]; iO is also obtained in (idealized) Graded Encoding Schemes [BR14, BGK+14, PST14, GLSW14]. From iO we get PKE, Oblivious Transfer, KEM, … [SW14]. (Speaker note: talk about the [AS15] negative result for pFE → iO($C^f$) later.)

What assumptions give us iO? Can we use “standard assumptions”? (Speaker note: a computational assumption is necessary for Result 1; say that these are informal statements.)

Landscape and Goals. The open question (???): can iO be obtained from OWF, CRHF, TDP, …? The rest of the picture is as before: iO from Functional Encryption [GGH+13] from Multilinear Maps (+LWE) [GGH+13]; iO in (idealized) Graded Encoding Schemes [BR14, BGK+14, PST14, GLSW14]; iO ⇒ PKE, Oblivious Transfer, KEM, … [SW14]. (Speaker note: talk about the [AS15] negative result for pFE → iO($C^f$) later.)

Main results in this talk. Result 1: If NP ≠ coNP then iO cannot be constructed from OWFs or CRHs in a black-box way. Result 2: For any primitive $P$ that can be black-box obtained from $\mathcal{P}$: if $P \Rightarrow_{\text{black-box}}$ iO then OWF $\Rightarrow_{\text{constructive}}$ PKE, where $\mathcal{P}$ is the Generic Group Model, the Graded Encoding Model, or the Random TDP Model. (Speaker note: a computational assumption is necessary for Result 1; say that these are informal statements.)

Indistinguishability Obfuscation (iO). Take two functionally equivalent circuits $C_0 \equiv C_1$ and run the Obfuscator on each to get $C_0'$ and $C_1'$. Correctness: $C_0' \equiv C_0$ and $C_1' \equiv C_1$, i.e. for every circuit $C$, $\Pr_r[O_r(C) \equiv C] = 1$. Security: $C_0' \approx_c C_1'$, i.e. no PPT adversary $A$ can tell the two obfuscations apart.

Approximate Indistinguishability Obfuscation ($\varepsilon$-iO). Take two circuits $C_0 \approx C_1$ and obfuscate each to get $C_0'$ and $C_1'$. Approximate correctness: $C_0' \approx C_0$ and $C_1' \approx C_1$, i.e. for every circuit $C$, $\Pr_{r,x}[O_r(C)(x) \neq C(x)] \le \varepsilon(n)$. Security: $C_0' \approx_c C_1'$ against any PPT adversary $A$.
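As an added illustration (not part of the talk), the following Python models circuits as functions on n-bit inputs and makes the two notions on these slides concrete: exact equivalence $C_0 \equiv C_1$, which the brute-force check decides only by scanning all $2^n$ inputs (the problem is coNP-complete; a single input on which the circuits differ is a witness of non-equivalence), and the $\varepsilon$-iO correctness quantity $\Pr_x[O_r(C)(x) \neq C(x)]$ as an exact disagreement fraction. The sample circuits and their names are constructed for this example.

```python
"""Added example: functional equivalence of small circuits and the
eps-iO disagreement measure. Circuits are Python functions on tuples of bits."""
from fractions import Fraction
from itertools import product


def all_inputs(n):
    """Enumerate {0,1}^n; this is the exponential part of the equivalence check."""
    return product((0, 1), repeat=n)


def find_distinguishing_input(c0, c1, n):
    """Return an input on which c0 and c1 differ (a witness that c0 is NOT
    equivalent to c1), or None when they agree on all of {0,1}^n."""
    for x in all_inputs(n):
        if c0(x) != c1(x):
            return x
    return None


def equivalent(c0, c1, n):
    """c0 ≡ c1 on n-bit inputs: no witness of non-equivalence exists."""
    return find_distinguishing_input(c0, c1, n) is None


def disagreement_fraction(c, c_prime, n):
    """Pr_x[c'(x) != c(x)] for uniform x in {0,1}^n, the quantity that
    eps-iO bounds by eps(n) for an obfuscation c' of c."""
    bad = sum(1 for x in all_inputs(n) if c(x) != c_prime(x))
    return Fraction(bad, 2 ** n)


# Constructed sample circuits (not from the talk).
def c_xor_chain(x):
    """Parity computed by chaining XORs."""
    acc = 0
    for bit in x:
        acc ^= bit
    return acc


def c_parity_mod(x):
    """Parity computed as a sum mod 2: different circuit, same function."""
    return sum(x) % 2


def c_majority(x):
    """Majority: not equivalent to parity, so a witness input exists."""
    return int(sum(x) > len(x) / 2)


def c_parity_but_zero(x):
    """Agrees with parity except on the all-zero input: an 'approximate'
    version of parity with disagreement fraction exactly 2^-n."""
    if not any(x):
        return 1
    return sum(x) % 2


if __name__ == "__main__":
    print("xor-chain ≡ parity-mod on 4 bits:", equivalent(c_xor_chain, c_parity_mod, 4))
    print("witness parity ≠ majority on 3 bits:", find_distinguishing_input(c_parity_mod, c_majority, 3))
    print("disagreement of parity-but-zero vs parity on 4 bits:",
          disagreement_fraction(c_parity_mod, c_parity_but_zero, 4))
```

With `n` as the only parameter, the running time of every function here is $2^n$, which is the point: there is no known short certificate of equivalence, whereas non-equivalence has the one-input witness that `find_distinguishing_input` returns.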

Overview of Techniques (the VBB obfuscation entries are not covered in this talk; the iO entries are).
- Poly-degree graded encoding model (poly-deg GEM): VBB [BR13]; iO.
- $O(1)$-degree GEM: VBB (this talk); iO [MMN15, PS15].
- Generic group model (GGM): VBB; iO ⇒ PKC from OWF.
- Random TDP model (RTP): VBB; iO [CKP15].
- Random oracle model (RO): VBB; iO ⇒ NP = coNP (this talk).
- Approximate VBB is impossible [BP13]; VBB is impossible [BKI+01].

Fully Black-Box (BB) Construction of iO [IR89, RTV04]. A fully BB construction of iO from $\mathcal{P}$ consists of two PPT oracle algorithms $(O, S)$: the construction $O^P$ uses the primitive $P \in \mathcal{P}$ only as an oracle, and the security reduction $S$ uses both $P$ and the adversary $A$ only as oracles. Correctness: for all $P$ and all circuits $C$, $\Pr[O^P(C) \equiv C] = 1$. Security: for all $P$ and $A$, if for infinitely many pairs of equivalent circuits $(C_0, C_1)$,
$$\Pr\big[A(B) = b \;;\; b \xleftarrow{\$} \{0,1\},\; B \leftarrow O^P(C_b)\big] \ge \tfrac{1}{2} + \tfrac{1}{\mathrm{poly}(n)},$$
then $S^{A,P}$ breaks the security of $P$.

Semi-Black-Box Construction of iO [RTV04]. A semi-BB construction of iO from $\mathcal{P}$ consists of two PPT oracle algorithms $(O, S)$: the construction $O^P$ uses $P$ only as an oracle, but the security reduction is given the code of an efficient adversary $A$ and is written $S^P(A)$. Correctness: for all $P$ and all circuits $C$, $\Pr[O^P(C) \equiv C] = 1$. Security: for all $P$ and all efficient $A$, if for infinitely many pairs of equivalent circuits $(C_0, C_1)$,
$$\Pr\big[A(B) = b \;;\; b \xleftarrow{\$} \{0,1\},\; B \leftarrow O^P(C_b)\big] \ge \tfrac{1}{2} + \tfrac{1}{\mathrm{poly}(n)},$$
then $S^P(A)$ breaks the security of $P$.

Black-Box Separation of iO from OWF. Known constructions that use iO as a primitive are naturally non-black-box (they need the code of the program being obfuscated). It is still meaningful to ask whether iO itself can be constructed in a black-box way from simpler primitives. Analogy: zero-knowledge proofs for polynomial-size circuits.

Main Result 1: iO in the RO Model ⇒ NP = coNP. Theorem 1: If NP ≠ coNP then iO can be broken in the random oracle model. So for any $P$ that can be obtained (in a black-box way) from a random oracle, $P \not\Rightarrow_{BB}$ iO. Note: perfect completeness of iO is necessary here. Corollary: iO from OWF/CRHF ⇒ NP = coNP. (Speaker note: OWP, for large enough $n$?)

Main Result 1: iO in the RO Model ⇒ PH collapse. Lemma 1: For any PPT $O$ and every pair $(C_0, C_1)$, either (Distinguish) there exists a poly-query $A$ that can distinguish $O(C_0)$ from $O(C_1)$, or (Witness) there exists a way to obfuscate $C_0$ and $C_1$ into the same circuit $C'$, which is a “proof/witness” that $C_0 \equiv C_1$. (Speaker note: typo, you assumed equivalence. If Case 2 happens then $C_0$ must be equivalent to $C_1$; if $C_1 \not\equiv C_0$, Case 2 cannot happen, by perfect completeness of iO. Deciding whether two circuits are equivalent is coNP-complete.)

Main Result 1: iO in the RO Model ⇒ PH collapse. Corollary of Lemma 1: For any PPT $O$, either (Distinguish) there exists a poly-query $A$ and an infinite sequence $\{(C_0^i, C_1^i)\}_i$ with $C_0^i \equiv C_1^i$ such that for all $i$, $A$ can distinguish $O(C_0^i)$ from $O(C_1^i)$, or (Witness) for all but finitely many pairs of equivalent circuits $(C_0^i, C_1^i)$ there exists a “short” witness showing $C_0^i \equiv C_1^i$, and thus NP = coNP.

Main Result 1: iO in the RO Model ⇒ PH collapse. Proof of Lemma 1 (Distinguish or Witness), following [MP12]. The attacker $A^f(C_0, C_1, O_r^f(C_b))$ learns the likely oracle queries of $O^f$ and tries to guess $b$. Case 1: if $b = 0$ or $b = 1$ is more probable given what $A$ learned, then $A$ can guess $b$ well. (Speaker note: [MP12] is stated for NIC in the ROM; we rephrase the proof in the context of iO.)

Main Result 1: iO in the RO Model ⇒ PH collapse. Proof of Lemma 1 (Distinguish or Witness), following [MP12]. Case 2: both $b = 0$ and $b = 1$ have at least a $\rho$ chance of having been chosen by the obfuscator, given what $A^f(C_0, C_1, O_r^f(C_b))$ learned. Then we can sample an oracle $f$ and randomness such that $\mathrm{Obf}(C_0) = \mathrm{Obf}(C_1)$. (Speaker note: [MP12] is stated for NIC in the ROM; we rephrase the proof in the context of iO.)

Main Result 1: iO in the RO Model ⇒ PH collapse. Proof of Theorem 1 using Lemma 1: Assume NP ≠ coNP and let $P$ be an OWF. By Lemma 1, there exist a (computationally unbounded) poly-query $A$ and a sequence $\{(C_0^i, C_1^i)\}_i$ with $C_0^i \equiv C_1^i$ such that for all $i$:
$$\Pr\big[A(B) = b \;;\; b \xleftarrow{\$} \{0,1\},\; B \leftarrow O(C_b^i)\big] \ge 1 - \tfrac{1}{\mathrm{poly}(n)}.$$

Main Result 1: iO in the RO Model ⇒ PH collapse (contd.). Proof of Theorem 1 using Lemma 1: By the definition of a fully BB construction, the security reduction combined with this poly-query attacker breaks the one-wayness of a random function, which is trivially impossible for a poly-query algorithm.

Main Result 2: iO from $\mathcal{P}$ ⇒ PKE from OWF. Ideal models $\mathcal{P}$ considered: the Random (Ideal) TDP Model (RTP), the Generic Group Model (GGM), and the $O(1)$-degree Graded Encoding Model (GEM). Theorem 2: For any primitive $P$ that can be obtained (in a “BB way”) from an ideal model $\mathcal{P}$, if $P \Rightarrow$ iO then OWF $\Rightarrow$ PKE. (Speaker note: this is not an impossibility result; it says that if $P \Rightarrow$ iO then you might as well have found a construction of PKE from OWF. That construction is not black-box, so the [IR89] separation does not apply here.)

Main Result 2: iO from $\mathcal{P}$ ⇒ PKE from OWF. The chain: iO in $\mathcal{P}$ gives an approximately correct and approximately secure $\varepsilon$-iO in the plain model [MMN15, PS15]; OWF + $\varepsilon$-iO gives approximate PKE; approximate PKE gives PKE [Hol14].

OWF + $\varepsilon$-iO → approx. PKE. Follows the [SW14] construction:
- $\mathrm{Gen}(1^n)$: $pk = iO(F_k)$, $sk = k$.
- $\mathrm{Enc}(pk, b; r)$: $(c_1, c_2) \leftarrow pk(r, b)$.
- $\mathrm{Dec}(sk, c)$: $b = c_2 \oplus \mathrm{PRF}(k, c_1)$.
- where $F_k(r, b) := \big(\mathrm{PRG}(r),\; \mathrm{PRF}(k, \mathrm{PRG}(r)) \oplus b\big)$.
Note that security does not rely on the correctness of $iO$. Security is proved in [SW14] by showing that $(pk, F_k(r, 0))$ and $(pk, F_k(r, 1))$ are indistinguishable to PPT adversaries.

OWF + $\varepsilon$-iO → approx. PKE. The same [SW14] construction with $\varepsilon$-iO in place of $iO$:
- $\mathrm{Gen}(1^n)$: $pk = \varepsilon\text{-}iO(F_k)$, $sk = k$.
- $\mathrm{Enc}(pk, b; r)$: $(c_1, c_2) \leftarrow pk(r, b)$.
- $\mathrm{Dec}(sk, c)$: $b = c_2 \oplus \mathrm{PRF}(k, c_1)$.
- where $F_k(r, b) := \big(\mathrm{PRG}(r),\; \mathrm{PRF}(k, \mathrm{PRG}(r)) \oplus b\big)$.

OWF + $\varepsilon$-iO → approx. PKE. Approximate correctness: by the approximate correctness of $\varepsilon$-iO,
$$\Pr_{r,b}\big[\mathrm{Dec}(sk, \mathrm{Enc}(pk, b)) = b \;;\; pk \leftarrow \varepsilon\text{-}iO(F_k)\big] \ge 1 - \varepsilon.$$
Approximate security: by the approximate correctness of $\varepsilon$-iO,
$$(pk, F_k(r, 0)) \approx_\varepsilon (pk, O(F_k)(r, 0)) \quad\text{and}\quad (pk, F_k(r, 1)) \approx_\varepsilon (pk, O(F_k)(r, 1)).$$
Thus, if the scheme built from the original $iO$ gives the adversary at most $\tfrac{1}{2} + \mathrm{negl}(n)$ success, then the scheme built from $\varepsilon$-iO gives at most $\tfrac{1}{2} + \mathrm{negl}(n) + \varepsilon$.
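Added example, not code from the talk or from [SW14]: a runnable instantiation of the construction on the preceding slides, with SHA-256 standing in for the PRG and HMAC-SHA256 for a one-bit PRF (both assumptions for the demo), and, because there is no iO implementation to call, an assumed stand-in `obfuscate(circuit, eps)` that returns a program agreeing with $F_k$ on all but roughly an `eps` fraction of inputs, which is exactly the slack $\varepsilon$-iO's approximate correctness allows. It checks the decryption identity $c_2 \oplus \mathrm{PRF}(k, c_1) = b$ and measures the resulting decryption success rate, which the slide bounds below by $1 - \varepsilon$. The names `keygen`, `encrypt`, `decrypt` and `empirical_correctness` and the seed length are mine.

```python
"""Added example: the [SW14] bit-encryption scheme with a stand-in for eps-iO.
The stand-in hides nothing; it only models approximate correctness."""
import hashlib
import hmac
import os
import random

SEED_LEN = 16  # PRG seed length in bytes (constructed parameter, not from the talk)


def prg(r: bytes) -> bytes:
    """Length-expanding PRG, instantiated with SHA-256 for the demo (assumption)."""
    return hashlib.sha256(b"prg|" + r).digest()


def prf(k: bytes, x: bytes) -> int:
    """One-bit PRF, instantiated with HMAC-SHA256 for the demo (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[0] & 1


def make_F(k: bytes):
    """The circuit F_k(r, b) = (PRG(r), PRF(k, PRG(r)) XOR b) from the slide."""
    def F(r: bytes, b: int):
        c1 = prg(r)
        return c1, prf(k, c1) ^ b
    return F


def obfuscate(circuit, eps: float):
    """STAND-IN for eps-iO (assumption, no real obfuscation happens): returns a
    program that agrees with `circuit` except on about an eps fraction of inputs,
    where it flips the output bit. Whether an input is faulty is a fixed function
    of the input (decided by a hash), so the result is a deterministic program."""
    def obfuscated(r: bytes, b: int):
        c1, c2 = circuit(r, b)
        h = hashlib.sha256(b"fault|" + r + bytes([b])).digest()
        u = int.from_bytes(h[:8], "big") / 2.0 ** 64  # uniform in [0, 1)
        return (c1, c2 ^ 1) if u < eps else (c1, c2)
    return obfuscated


def keygen(eps: float = 0.0, k=None):
    """Gen(1^n): sk = k, pk = (eps-)iO(F_k). Returns (pk, sk)."""
    k = os.urandom(SEED_LEN) if k is None else k
    return obfuscate(make_F(k), eps), k


def encrypt(pk, b: int, r=None):
    """Enc(pk, b; r) = pk(r, b): run the obfuscated program on fresh randomness."""
    r = os.urandom(SEED_LEN) if r is None else r
    return pk(r, b)


def decrypt(sk: bytes, c) -> int:
    """Dec(sk, (c1, c2)) = c2 XOR PRF(sk, c1).
    Correct exactly when pk agreed with F_k on the (r, b) used to encrypt."""
    c1, c2 = c
    return c2 ^ prf(sk, c1)


def empirical_correctness(eps: float, trials: int, seed: int = 0) -> float:
    """Fraction of (r, b) for which Dec(sk, Enc(pk, b; r)) = b.
    The slide bounds this below by 1 - eps; with eps = 0 it is exactly 1."""
    rng = random.Random(seed)
    k = bytes(rng.getrandbits(8) for _ in range(SEED_LEN))
    pk, sk = keygen(eps, k)
    ok = 0
    for _ in range(trials):
        r = bytes(rng.getrandbits(8) for _ in range(SEED_LEN))
        b = rng.getrandbits(1)
        ok += decrypt(sk, encrypt(pk, b, r)) == b
    return ok / trials


if __name__ == "__main__":
    print("exact iO, success rate :", empirical_correctness(0.0, 1000))
    print("eps = 0.25, success rate:", empirical_correctness(0.25, 1000))
```

The decryption check never touches the obfuscated program: it recomputes $\mathrm{PRF}(k, c_1)$ from the secret key, so a decryption failure can only come from the obfuscated $pk$ disagreeing with $F_k$ on the encryption randomness, which is why the error rate of the scheme is bounded by the obfuscator's $\varepsilon$ and not by anything in the PRG or PRF.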

Conclusion.
1. Constructing iO from OWFs and CRHs is not possible unless NP = coNP.
2. Constructing iO from almost all “classical primitives” in cryptography is “extremely hard”: as hard as basing public-key encryption on private-key encryption.