1. Lower Bounds on Assumptions behind Indistinguishability Obfuscation
Mohammed Mahmoody (University of Virginia)
Ameer Mohammed (University of Virginia)
Soheil Nematihaji (University of Virginia)
abhi shelat (University of Virginia)
Rafael Pass (Cornell University)

2. Obfuscation Mechanisms𝑀 𝑀′

3. Indistinguishability Obfuscation
Next best thing?
Indistinguishability Obfuscation 𝑀 𝑀′

4. Landscape and Goals Functional Encryption [GGH+13]
Indistinguishability Obfuscation
(iO)
Functional Encryption
[GGH+13]
PKE
Oblivious Transfer
KEM …
(Idealized) Graded Encoding Schemes
[SW14]
[BR14, BGK+14,PST14, GLSW14]
Talk about [AS15] negative result for pFE -> iO(C^f) later
Multilinear Maps (+LWE)
[GGH+13]

5. What assumptions give us iO? Can we use “standard assumptions”?
Computational assumption necessary for result 1
Say that they are informal statements

6. Landscape and Goals OWF CRHF TDP… Indistinguishability Obfuscation
Functional Encryption
[GGH+13]
???
PKE
Oblivious Transfer
KEM …
(Idealized) Graded Encoding Schemes
[SW14]
[BR14, BGK+14,PST14, GLSW14]
Talk about [AS15] negative result for pFE -> iO(C^f) later
Multilinear Maps (+LWE)
[GGH+13]

7. Main results in this talk
If NP ≠ coNP then iO cannot be constructed from OWFs or CRHs in a black-box way
Result 2
For any primitive 𝑃 that can be black-box obtained from 𝒫 :
if 𝑃 ⇒ black−box iO then OWF ⇒ constructive PKE
Computational assumption necessary for result 1
Say that they are informal statements
𝒫: Generic Group Model Graded Encoding Model Random TDP Model

8. Indistinguishability Obfuscation (iO)
𝐶 0
𝐶 1 ≡
Obfuscator
Obfuscator
𝐶 0
𝐶 0 ′
𝐶 1 ′
𝐶 1 ≡
≈ 𝑐 ≡ A
Pr 𝑟 𝑂 𝑟 𝐶 ≡𝐶 =1

9. Approx. Indistinguishability Obfuscation (𝜀-iO)
𝐶 0
𝐶 1 ≡
Obfuscator
Obfuscator
𝐶 0
𝐶 0 ′
𝐶 1 ′
𝐶 1 ≈
≈ 𝑐 ≈ A
Pr 𝑟,𝑥 𝑂 𝑟 𝐶 𝑥 ≠𝐶 𝑥 ≤𝜀 (𝑛)

10. Overview of Techniques
VBB Obfuscation (Not covered in this Talk)
Indistinguishability Obfuscation
𝐕𝐁 𝐁 𝐩𝐨𝐥𝐲−𝐝𝐞𝐠 𝐆𝐄𝐌
[BR13]
𝐢𝐎 𝐩𝐨𝐥𝐲−𝐝𝐞𝐠 𝐆𝐄𝐌
𝐕𝐁 𝐁 𝐎 𝟏 −𝐝𝐞𝐠 𝐆𝐄𝐌
(This Talk)
𝐢𝐎 𝐎 𝟏 −𝐝𝐞𝐠 𝐆𝐄𝐌
[MMN15,Ps15]
Approx. 𝐕𝐁𝐁
Impossible [BP13]
𝐕𝐁 𝐁 𝐆𝐆𝐌
PKC from OWF
𝐢𝐎 𝐆𝐆𝐌
𝐕𝐁 𝐁 𝐑𝐓𝐏
𝐢𝐎 𝐑𝐓𝐏
[CKP15]
𝐕𝐁 𝐁 𝐑𝐎
𝐢𝐎 𝐑𝐎
𝐍𝐏=𝐜𝐨𝐍𝐏
(This Talk)
𝐕𝐁𝐁
Impossible [BKI+01]

11. Fully Black-Box (BB) Construction of iO [IR89, RTV04]
A fully BB construction of iO from 𝒫 consists of two PPT oracle algorithms (𝑂,𝑆):
Primitive 𝒫
Construction 𝑂 𝑃
𝑂 𝑃
Correctness: ∀ 𝑃, circuits 𝐶:
Pr 𝑂 𝑃 𝐶 ≡𝐶 =1
Security: ∀ 𝑃,𝐴, if for infinite pairs of equivalent circuits ( 𝐶 0 , 𝐶 1 ):
Pr 𝐴 𝐵 =𝑏;𝑏 $ 0,1 ,𝐵←𝑂( 𝐶 𝑏 ) ≥ 𝑝𝑜𝑙𝑦(𝑛)
Then:
𝑆 𝐴,𝑃 breaks the security of 𝑃
𝑆 𝐴,𝑃 𝐴
Security Reduction 𝑆
Adversary 𝐴

12. Semi-Black-Box Construction of iO (RTV04)
A semi-BB construction of iO from 𝒫 consists of two PPT oracle algorithms (𝑂,𝑆):
Primitive 𝒫
Construction 𝑂 𝑃
𝑂 𝑃
Correctness: ∀ 𝑃, circuits 𝐶:
Pr 𝑂 𝑃 𝐶 ≡𝐶 =1
Security: ∀ 𝑃,𝐴, if for infinite pairs of equivalent circuits ( 𝐶 0 , 𝐶 1 ):
Pr 𝐴 𝐵 =𝑏;𝑏 $ 0,1 ,𝐵←𝑂( 𝐶 𝑏 ) ≥ 𝑝𝑜𝑙𝑦(𝑛)
Then:
𝑆 𝐴,𝑃 breaks the security of 𝑃
𝑆 𝑃 (𝐴) 𝐴
Security Reduction 𝑆
Efficient Adversary 𝐴

13. Black-Box Separation of iO from OWF
Known constructions that use iO as a primitive yield non-black-box constructions naturally.
Still meaningful to explore whether we can get black-box constructions of iO.
Analogy: ZK Proofs for polynomial size circuits

14. Main Result 1: iO in RO Model ⇒NP ≠ coNP
Theorem 1
If NP ≠ coNP then iO can be broken in the random oracle model. So if 𝑃 that can be obtained (in black-box way) from Random Oracle
then: 𝑃 ⇏ 𝐵𝐵 iO
Note: Perfect completeness necessary here
Corollary: iO from (OWF/CRHF) ⇒NP ≠ coNP
OWP (for large enough n?)

15. Main Result 1: iO in RO Model ⇒𝐏𝐇 collapse
Lemma 1
For PPT 𝑂, then ∀( 𝐶 0 , 𝐶 1 ) either:
Distinguish: There exists poly-query 𝐴 that can distinguish between 𝑂( 𝐶 0 ) and 𝑂 𝐶 1
Or Witness: There exists a way to obfuscate 𝐶 0 and 𝐶 1 into the same circuit 𝐶′  a “proof/witness” that 𝐶 0 ≡ 𝐶 1
Typo: you assumed equivalence.
Note that if Case 2 happens then C0 MUST be equiv to C1. If C1 \neq C0, Case 2 cannot happen by PERFECT completeness of iO
Two circuits equivalent: coNP-complete

16. Main Result 1: iO in RO Model ⇒𝐏𝐇 collapse
Corollary of Lemma 1
For PPT 𝑂, either:
Distinguish: There exists poly-query 𝐴 and infinite sequence 𝐶 0 𝑖 , 𝐶 1 𝑖 𝑖 where 𝐶 0 𝑖 ≡ 𝐶 1 𝑖 s.t. for all 𝑖,𝐴 can distinguish between 𝑂( 𝐶 0 𝑖 ) and 𝑂 𝐶 1 𝑖 ,
Or Witness: For all but a finite number of pairs of equivalent 𝐶 0 𝑖 , 𝐶 1 𝑖 𝑖 there exists a “short” witness that shows 𝐶 0 𝑖 ≡ 𝐶 1 𝑖 .
Thus NP = coNP.

17. Main Result 1: iO in RO Model ⇒𝐏𝐇 collapse
Proof of Lemma 1: Distinguish or Witness
Follows from [MP12]
Case 1:
𝐴 𝑓 𝐶 0 , 𝐶 1 , 𝑂 𝑟 𝑓 𝐶 𝑏 learns likely queries of 𝑂 𝑓 and try to guess 𝑏
If 𝑏=0 more probable or 𝑏=1 more probable  A could guess b well
( 𝐶 0 , 𝐶 1 )
( 𝐶 0 , 𝐶 1 ) 𝑓
𝑂 𝑓
𝑂 𝑟 𝑓 𝐶 𝑏
𝐴 𝑓
NIC in ROM but will rephrase the proof to be in context of iO

18. Main Result 1: iO in RO Model ⇒𝐏𝐇 collapse
Proof of Lemma 1: Distinguish or Witness
Follows from [MP12]
Case 2:
𝐴 𝑓 𝐶 0 , 𝐶 1 , 𝑂 𝑟 𝑓 𝐶 𝑏 learns likely queries of 𝑂 𝑓 and try to guess 𝑏
Both 𝑏=0 and 𝑏=1 have at least 𝜌 chance of being chosen by 𝑂𝑏𝑓
( 𝐶 0 , 𝐶 1 )
( 𝐶 0 , 𝐶 1 ) 𝑓
𝑂 𝑓
𝑂 𝑟 𝑓 𝐶 𝑏
𝐴 𝑓
NIC in ROM but will rephrase the proof to be in context of iO
 We can sample oracle f and Obf( 𝐶 0 )=Obf( 𝐶 1 )

19. Main Result 1: iO in RO Model ⇒𝐏𝐇 collapse
Proof of Theorem 1 using Lemma 1
Assume NP ≠ coNP and let 𝑃 be OWF
By Lemma 1, there exists (computationally unbounded) poly-query 𝐴 and 𝐶 0 𝑖 , 𝐶 1 𝑖 𝑖 where 𝐶 0 𝑖 ≡ 𝐶 1 𝑖 s.t. for all 𝑖:
Pr 𝐴 𝐵 =𝑏;𝑏 $ 0,1 ,𝐵← 𝑂(𝐶 𝑏 𝑖 ) ≥1− 1 𝑝𝑜𝑙𝑦 𝑛

20. Main Result 1: iO in RO Model ⇒𝐏𝐇 collapse
(Contd.) Proof of Theorem 1 using Lemma 1
By definition of fully BB, security reduction + poly-query attacker, together break one-wayness of random function (which is trivially impossible).

21. Main Result 2: iO from 𝒫 ⇒ PKE from OWF
Random (Ideal) TDP
Model (RTP)
Generic Group Model (GGM)
𝑂(1)-degree Generic Encoding Model (GEM)
Theorem 2
For any primitive 𝑃 that can be obtained (in “BB way”) from “Ideal Model” 𝒫,
if 𝑃⇒iO then OWF ⇒ PKE
This is not an impossibility result, and simply says that if P => iO then you might as well have found a construction of PKE from OWF (not BB so IR result does not apply here).

22. Main Result 2: iO from 𝒫⇒ PKE from OWF
Approximately correct and approximately secure
𝑖 𝑂 𝒫
[MMN15, PS15]
𝜀−𝑖𝑂
Approx.
PKE
[Hol14]
PKE
OWF

23. OWF + 𝜀-iO → approx. PKE Follows from [SW14] construction:
𝐺𝑒𝑛 1 𝑛 : 𝑝𝑘=𝑖𝑂( 𝐹 𝑘 ) 𝑠𝑘=𝑘
𝐸𝑛𝑐 𝑏;𝑟 : ( 𝑐 1 , 𝑐 2 )←𝑝𝑘 𝑟,𝑏
𝐷𝑒𝑐 𝑠𝑘,𝑐 : 𝑏= 𝑐 2 ⊕𝑃𝑅𝐹 𝑘, 𝑐 1
𝐹 𝑘 𝑟,𝑚 ≔ 𝑃𝑅𝐺 𝑟 ,𝑃𝑅𝐹 𝑘,𝑃𝑅𝐺 𝑟 ⊕𝑏
Note that security does not rely on correctness of 𝑖𝑂
Security is proved in [SW14] by showing that:
𝑝𝑘, 𝐹 𝑘 𝑟,0 and 𝑝𝑘, 𝐹 𝑘 𝑟,1
are indistinguishable by PPT adversaries

24. OWF + 𝜀-iO → approx. PKE Follows from [SW14] construction:
𝐺𝑒𝑛 1 𝑛 : 𝑝𝑘=𝜀−𝑖𝑂( 𝐹 𝑘 ) 𝑠𝑘=𝑘
𝐸𝑛𝑐 𝑝𝑘,𝑏;𝑟 : ( 𝑐 1 , 𝑐 2 )←𝑝𝑘 𝑟,𝑏
𝐷𝑒𝑐 𝑠𝑘,𝑐 : 𝑏= 𝑐 2 ⊕𝑃𝑅𝐹 𝑘, 𝑐 1
𝐹 𝑘 𝑟,𝑚 ≔ 𝑃𝑅𝐺 𝑟 ,𝑃𝑅𝐹 𝑘,𝑃𝑅𝐺 𝑟 ⊕𝑏

25. Pr 𝑟,𝑏 𝐷𝑒𝑐 𝑠𝑘,𝐸𝑛𝑐 𝑝𝑘,𝑏 =𝑏;𝑝𝑘←𝜀𝑖𝑂 𝐹 𝑘 ≥1− 𝜀
OWF + 𝜀-iO → approx. PKE
Approx. correctness: By approx. correctness of 𝜀−𝑖𝑂,
Pr 𝑟,𝑏 𝐷𝑒𝑐 𝑠𝑘,𝐸𝑛𝑐 𝑝𝑘,𝑏 =𝑏;𝑝𝑘←𝜀𝑖𝑂 𝐹 𝑘 ≥1− 𝜀
Approx. security: By approx. correctness of 𝜀−𝑖𝑂,
𝑝𝑘, 𝐹 𝑘 𝑟,0 ≈ 𝜀 𝑝𝑘,𝑂 𝐹 𝑘 𝑟,0
𝑝𝑘, 𝐹 𝑘 𝑟,1 ≈ 𝜀 𝑝𝑘,𝑂 𝐹 𝑘 𝑟,1
Thus, if original 𝑖𝑂 provides ≤ 1 2 +𝑛𝑒𝑔𝑙 𝑛 security
then 𝜀𝑖𝑂 provides ≤ 1 2 +𝑛𝑒𝑔𝑙 𝑛 +𝜀 security

26. Main Result 2: iO from 𝒫⇒ PKE from OWF
Approximately correct and approximately secure
𝑖 𝑂 𝒫
[MMN15, PS15]
𝜀−𝑖𝑂
Approx.
PKE
[Hol14]
PKE
OWF

27. Conclusion
1. Constructing iO from OWFs and CRHs is not possible unless NP=coNP
2. Constructing iO from almost all “classical primitives” in Crypto is “extremely hard” : as hard as basing public-key enc on private-key enc.