Indistinguishability obfuscation
This article may be too technical for most readers to understand.(May 2021) |
Indistinguishability obfuscation (IO) is a cryptographic primitive that provides a formal notion of program obfuscation. Informally, obfuscation hides the implementation of a program while still allowing users to run it.[1] Formally, IO satisfies the property that any two obfuscations of two circuits of the same size which implement the same function are computationally indistinguishable.[2]
History[]
The origin of this idea came from Amit Sahai in 1996 from the notion of a zero-knowledge proof.[3]
In 2001, Barak et al., showing that black-box obfuscation is impossible, also proposed the idea of an indistinguishability obfuscator, and constructed an inefficient one.[3][4][5][2][verification needed]Although this notion seemed relatively weak, Goldwasser and Rothblum (2007) showed that an efficient indistinguishability obfuscator would be a best-possible obfuscator, and any best-possible obfuscator would be an indistinguishability obfuscator.[3][6] (However, for inefficient obfuscators, no best-possible obfuscator exists unless the polynomial hierarchy collapses to the second level.[6])
Candidate constructions[]
Barak et al. (2001) proved that an inefficient indistinguishability obfuscator exists for circuits; that is, the lexicographically first circuit that computes the same function.[4] If P = NP holds, then an indistinguishability obfuscator exists, even though no other kind of cryptography would also exist.[2]
A candidate construction of IO with provable security under concrete hardness assumptions relating to multilinear maps was published in 2013,[2][7][8] but this assumption was later invalidated.[7][8] (Previously, Garg, Gentry, and Halevi (2012) had constructed a candidate version of a multilinear map based on heuristic assumptions.[9])
Starting from 2016, Lin began to explore constructions of IO based on less strict versions of multilinear maps, constructing a candidate based on maps of degree up to 30, and eventually a candidate based on maps of degree up to 3.[8] Finally, in 2020, Jain, Lin, and Sahai proposed a construction of IO based on the symmetric external Diffie-Helman, learning with errors, and learning plus noise assumptions,[8][10] as well as the existence of a super-linear stretch pseudorandom generator in the function class NC0.[10] (The existence of pseudorandom generators in NC0 (even with sub-linear stretch) was a long-standing open problem until 2006.[11]) It is possible that this construction could be broken with quantum computing, but there is an alternative construction that may be secure even against that (although the latter relies on less established security assumptions).[8][speculation?]
Practicability?[]
There have been attempts to implement and benchmark IO candidates.[2] For example, as of 2017, an obfuscation of the function at a security level of 80 bits took 23.5 minutes to produce and measured 11.6 GB, with an evaluation time of 77 ms.[2] Additionally, an obfuscation of the Advanced Encryption Standard hash function at a security level of 128 bits would measure 18 PB and have an evaluation time of about 272 years.[2] An open-source software implementation of an IO candidate was created in 2015.[12]
Potential applications[]
Indistinguishability obfuscators, if they exist, could be used for an enormous range of cryptographic applications, so much so that it has been referred to as a "central hub" for cryptography[1][8] or "crypto-complete".[2] Concretely, an indistinguishability obfuscator (with the additional assumption of the existence of one-way functions[2]) could be used to construct the following kinds of cryptography:
- Indistinguishability obfuscation for programs in the RAM model[10] and for Turing machines[13][14]
- Public-key cryptography (and an IND-CCA-secure version)[15]
- Short digital signatures[15]
- IND-CCA-secure key encapsulation schemes[15]
- Perfectly zero-knowledge non-interactive zero-knowledge proofs and succinct non-interactive arguments[15]
- Constant-round concurrent zero-knowledge protocols[10]
- Multilinear maps with bounded polynomial degrees[10]
- Injective trapdoor functions[15]
- Fully homomorphic encryption[10]
- [10][2]
- Functional encryption[2]
- Secret sharing for any monotone NP language[10]
- Semi-honest oblivious transfer[15]
- Deniable encryption (both sender-deniable and fully-deniable)[15][10][2]
- Multiparty, non-interactive key exchange[10]
- Adaptively secure succinct garbled RAM[10]
- Correlation intractable functions[10]
- Attribute-based encryption[10]
- Oblivious transfer[2]
- Traitor tracing[2]
- Graded encoding schemes[2]
(Additionally, we can also prove that problems in the PPAD complexity class are hard.[10]) However, indistinguishability obfuscation cannot be used to construct every possible cryptographic protocol: for example, no black-box construction can convert an indistinguishability obfuscator to a collision-resistant hash function family, even with a trapdoor permutation, unless with an exponential loss of security.[16]
See also[]
- Black-box obfuscation, a stronger form of obfuscation proven to be impossible
References[]
- ^ a b Klarreich, Erica (2014-02-03). "Cryptography Breakthrough Could Make Software Unhackable". Quanta Magazine.
- ^ a b c d e f g h i j k l m n o Pellet--Mary, Alice (26 May 2020). "Co6GC: Program Obfuscation | COSIC". www.esat.kuleuven.be. Archived from the original on 11 November 2020. Retrieved 22 August 2021.
- ^ a b c Klarreich, Erica (2014-01-30). "Perfecting the Art of Sensible Nonsense". Quanta Magazine. Retrieved 2021-08-22.
- ^ a b Barak, Boaz; Goldreich, Oded; Impagliazzo, Rusell; Rudich, Steven; Sahai, Amit; Vadhan, Salil; Yang, Ke (2001). Kilian, Joe (ed.). "On the (Im)possibility of Obfuscating Programs". Advances in Cryptology — CRYPTO 2001. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer: 1–18. doi:10.1007/3-540-44647-8_1. ISBN 978-3-540-44647-7.
- ^ Barak, Boaz; Goldreich, Oded; Impagliazzo, Russell; Rudich, Steven; Sahai, Amit; Vadhan, Salil; Yang, Ke (2012-05-03). "On the (im)possibility of obfuscating programs". Journal of the ACM. 59 (2): 6:1–6:48. doi:10.1145/2160158.2160159. ISSN 0004-5411.
- ^ a b Goldwasser, Shafi; Rothblum, Guy N. (2007). Vadhan, Salil P. (ed.). "On Best-Possible Obfuscation". Theory of Cryptography. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer: 194–213. doi:10.1007/978-3-540-70936-7_11. hdl:1721.1/129413. ISBN 978-3-540-70936-7.
- ^ a b Sanjam Garg; Craig Gentry; Shai Halevi; Mariana Raykova; Amit Sahai; Brent Waters (2013). "Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits". Focs 2013. IEEE: 40–49. CiteSeerX 10.1.1.672.1968. doi:10.1109/FOCS.2013.13. ISBN 978-0-7695-5135-7.
- ^ a b c d e f Klarreich, Erica (2020-10-10). "Computer Scientists Achieve 'Crown Jewel' of Cryptography". Quanta Magazine.
- ^ Barak, Boaz (29 December 2020). "New Developments in Indistinguishability Obfuscation (iO) | Simons Institute for the Theory of Computing". simons.berkeley.edu. Retrieved 22 August 2021.
- ^ a b c d e f g h i j k l m n Jain, Aayush; Lin, Huijia; Sahai, Amit (2020). "Indistinguishability Obfuscation from Well-Founded Assumptions". arXiv:2008.09317. Cite journal requires
|journal=
(help) - ^ Applebaum, B; Ishai, Y; Kushilevitz, E (2006). "Cryptography in NC0" (PDF). SIAM Journal on Computing. 36 (4): 845–888. doi:10.1137/S0097539705446950.
- ^ Banescu, Sebastian; Ochoa, Martín; Kunze, Nils; Pretschner, Alexander (2015). Piessens, Frank; Caballero, Juan; Bielova, Nataliia (eds.). "Idea: Benchmarking Indistinguishability Obfuscation – A Candidate Implementation" (PDF). Engineering Secure Software and Systems. Lecture Notes in Computer Science. Cham: Springer International Publishing: 149–156. doi:10.1007/978-3-319-15618-7_12. ISBN 978-3-319-15618-7.
- ^ Koppula, Venkata; Lewko, Allison Bishop; Waters, Brent (2015-06-14). "Indistinguishability Obfuscation for Turing Machines with Unbounded Memory" (PDF). Proceedings of the forty-seventh annual ACM symposium on Theory of Computing. STOC '15. Portland, Oregon, USA: Association for Computing Machinery: 419–428. doi:10.1145/2746539.2746614. ISBN 978-1-4503-3536-2.
- ^ Ananth, Prabhanjan; Jain, Abhishek; Sahai, Amit (2017). Katz, Jonathan; Shacham, Hovav (eds.). "Indistinguishability Obfuscation for Turing Machines: Constant Overhead and Amortization" (PDF). Advances in Cryptology – CRYPTO 2017. Lecture Notes in Computer Science. Cham: Springer International Publishing: 252–279. doi:10.1007/978-3-319-63715-0_9. ISBN 978-3-319-63715-0.
- ^ a b c d e f g Sahai, Amit; Waters, Brent (2013). "How to Use Indistinguishability Obfuscation: Deniable Encryption, and More". Cite journal requires
|journal=
(help) - ^ Asharov, Gilad; Segev, Gil (2015). "Limits on the Power of Indistinguishability Obfuscation and Functional Encryption". Cite journal requires
|journal=
(help)
- Cryptographic primitives
- Software obfuscation