52 research outputs found
Indistinguishability Obfuscation from Trilinear Maps and Block-Wise Local PRGs
We consider the question of finding the lowest degree for which -linear maps suffice to obtain IO. The current state of the art (Lin, EUROCRYPT\u2716, CRYPTO \u2717; Lin and Vaikunthanathan, FOCS\u2716; Ananth and Sahai, EUROCRYPT \u2717) is that -linear maps (under suitable security assumptions) suffice for IO, assuming the existence of pseudo-random generators (PRGs) with output locality . However, these works cannot answer the question of whether suffices, as no polynomial-stretch PRG with locality lower than exists.
In this work, we present a new approach that relies on the existence of PRGs with block-wise locality , i.e., every output bit depends on at most (disjoint) input blocks, each consisting of up to input bits. We show that the existence of PRGs with block-wise locality is plausible for any , and also provide:
* A construction of a general-purpose indistinguishability obfuscator from -linear maps and a subexponentially-secure PRG with block-wise locality and polynomial stretch.
* A construction of general-purpose functional encryption from -linear maps and any slightly super-polynomially secure PRG with block-wise locality and polynomial stretch.
All our constructions are based on the SXDH assumption on -linear maps and subexponential Learning With Errors (LWE) assumption, and follow by instantiating our new generic bootstrapping theorems with Lin\u27s recently proposed FE scheme (CRYPTO \u2717). Inherited from Lin\u27s work, our security proof requires algebraic multilinear maps (Boneh and Silverberg, Contemporary Mathematics), whereas security when using noisy multilinear maps is based on a family of more complex assumptions that hold in the generic model.
Our candidate PRGs with block-wise locality are based on Goldreich\u27s local functions, and we show that the security of instantiations with block-wise locality is backed by similar validation as constructions with (conventional) locality . We further complement this with hardness amplification techniques that further weaken the pseudorandomness requirements
Limits on the Locality of Pseudorandom Generators and Applications to Indistinguishability Obfuscation
Lin and Tessaro (ePrint 2017) recently proposed indistinguishability obfuscation (IO) and functional encryption (FE) candidates and proved their security based on two assumptions: a standard assumption on bilinear maps and a non-standard assumption on ``Goldreich-like\u27\u27 pseudorandom generators. In a nutshell, their second assumption requires the existence of pseudorandom generators for some -size alphabet , each of whose output bits depend on at most two input alphabet symbols, and which achieve sufficiently large stretch.
We show polynomial-time attacks against such generators, invalidating the security of the IO and FE candidates. Our attack uses tools from the literature on two-source extractors (Chor and Goldreich, SICOMP 1988) and efficient refutation of random - instances (Charikar and Wirth, FOCS 2004)
Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)
Consider a pseudorandom generator with outputs, whose seed contains blocks of bits each. Further, assume that this PRG has block-locality , i.e. each output bit depends on at most out of the blocks. The question of the maximum stretch that such PRGs can have, as a function of recently emerged in the context of constructing provably secure program obfuscation. It also relates to the question of refuting constraint satisfaction problems on predicates with large alphabets in complexity theory.
We show that such -block local PRGs can have output length at most , by presenting a polynomial time algorithm that distinguishes inputs of the form (for any ) from inputs where each coordinate is sampled independently according to the marginal distributions of the coordinates of .
As a corollary, we refute some conjectures recently made in the context of constructing provably secure indistinguishability obfuscation (iO). This includes refuting the assumptions underlying Lin and Tessaro\u27s \cite{LinT17} recently proposed candidate iO from bilinear maps. Specifically, they assumed the existence of a secure pseudorandom generator as above for large enough with . (Following this work, and an independent work of Lombardi and Vaikuntanthan \cite{LombardiV17a}, Lin and Tessaro retracted the bilinear maps based candidate from their manuscript.)
Our results follow from a general framework that handles more general class of pseudorandom generators. Namely they work even if the outputs are not binary valued and are computed using low-degree polynomial over (instead of the more restrictive local/block-local assumption). Specifically, we prove that for every function ( = reals), if every output of is a polynomial (over the real numbers ) of degree at most of at most monomials and , then there is a polynomial time algorithm for the distinguishing task above. This implies that any such map cannot be a pseudorandom generator. Our results yield, in particular, that natural modifications to notion of generators that are still sufficient for obtaining indistinguishability obfuscation from bilinear maps run into similar barriers.
Our algorithms follow the Sum of Squares (SoS) paradigm, and in most cases can even be defined more simply using a semidefinite program. We complement our algorithm by presenting a class of candidate generators with block-wise locality and constant block size, that resists both Gaussian elimination and sum of squares (SOS) algorithms whenever . This class is extremely easy to describe: Let be any simple non-abelian group with the group operation ``\u27\u27, and interpret the blocks of as elements in . The description of the pseudorandom generator is a sequence of triples of indices chosen at random and each output of the generator is of the form
Indistinguishability Obfuscation from Well-Founded Assumptions
In this work, we show how to construct indistinguishability obfuscation from
subexponential hardness of four well-founded assumptions. We prove:
Let be arbitrary
constants. Assume sub-exponential security of the following assumptions, where
is a security parameter, and the parameters below are
large enough polynomials in :
- The SXDH assumption on asymmetric bilinear groups of a prime order ,
- The LWE assumption over with subexponential
modulus-to-noise ratio , where is the dimension of the LWE
secret,
- The LPN assumption over with polynomially many LPN samples
and error rate , where is the dimension of the LPN
secret,
- The existence of a Boolean PRG in with stretch
,
Then, (subexponentially secure) indistinguishability obfuscation for all
polynomial-size circuits exists
Recommended from our members
Complexity Theory
Computational Complexity Theory is the mathematical study of the intrinsic power and limitations of computational resources like time, space, or randomness. The current workshop focused on recent developments in various sub-areas including arithmetic complexity, Boolean complexity, communication complexity, cryptography, probabilistic proof systems, pseudorandomness, and quantum computation. Many of the developments are related to diverse mathematical ïŹelds such as algebraic geometry, combinatorial number theory, probability theory, representation theory, and the theory of error-correcting codes
Sum-of-Squares Meets Program Obfuscation, Revisited
We develop attacks on the security of variants of pseudo-random generators computed by quadratic polynomials. In particular we give a general condition for breaking the one-way property of mappings where every output is a quadratic polynomial (over the reals) of the input. As a corollary, we break the degree-2 candidates for security assumptions recently proposed for constructing indistinguishability obfuscation by Ananth, Jain and Sahai (ePrint 2018) and Agrawal (ePrint 2018). We present conjectures that would imply our attacks extend to a wider variety of instances, and in particular offer experimental evidence that they break assumption of Lin-Matt (ePrint 2018).
Our algorithms use semidefinite programming, and in particular, results on low-rank recovery (Recht, Fazel, Parrilo 2007) and matrix completion (Gross 2009)
Matrix PRFs: Constructions, Attacks, and Applications to Obfuscation
We initiate a systematic study of pseudorandom functions (PRFs) that are
computable by simple matrix branching programs; we refer to these objects as
âmatrix PRFsâ. Matrix PRFs are attractive due to their simplicity, strong
connections to complexity theory and group theory, and recent applications in
program obfuscation.
Our main results are:
* We present constructions of matrix PRFs based on the conjectured hardness of
some simple computational problems pertaining to matrix products.
* We show that any matrix PRF that is computable by a read-c, width w
branching program can be broken in time poly(w^c); this means that any matrix
PRF based on constant-width matrices must read each input bit omega(log
lambda) times. Along the way, we simplify the âtensor switching lemmasâ
introduced in previous IO attacks.
* We show that a subclass of the candidate local-PRG proposed by Barak et al.
[Eurocrypt 2018] can be broken using simple matrix algebra.
* We show that augmenting the CVW18 IO candidate with a matrix PRF provably
immunizes the candidate against all known algebraic and statistical zeroizing
attacks, as captured by a new and simple adversarial model
Indistinguishability Obfuscation Without Multilinear Maps: New Paradigms via Low Degree Weak Pseudorandomness and Security Amplification
The existence of secure indistinguishability obfuscators (iO) has far-reaching implications, significantly expanding the scope of problems amenable to cryptographic study. All known approaches to constructing iO rely on -linear maps.
While secure bilinear maps are well established in cryptographic literature, the security of candidates for is poorly understood. We propose a new approach to constructing iO for general circuits. Unlike all previously known realizations of iO, we avoid the use of -linear maps of degree .
At the heart of our approach is the assumption that a new weak pseudorandom object exists. We consider two related variants of these objects, which we call perturbation resilient generator (RG) and pseudo flawed-smudging generator (PFG), respectively. At a high level, both objects are polynomially expanding functions whose outputs partially hide (or smudge) small noise vectors when added to them. We further require that they are computable by a family of degree-3 polynomials over . We show how they can be used to construct functional encryption schemes with weak security guarantees. Finally, we use novel amplification techniques to obtain full security.
As a result, we obtain iO for general circuits assuming:
- Subexponentially secure LWE
- Bilinear Maps
- -secure 3-block-local PRGs
- RGs or PFG
- âŠ