
    Limits on the Locality of Pseudorandom Generators and Applications to Indistinguishability Obfuscation

    Lin and Tessaro (ePrint 2017) recently proposed indistinguishability obfuscation (IO) and functional encryption (FE) candidates and proved their security based on two assumptions: a standard assumption on bilinear maps and a non-standard assumption on ``Goldreich-like'' pseudorandom generators. In a nutshell, their second assumption requires the existence of pseudorandom generators $G:[q]^n \rightarrow \{0,1\}^m$ for some $\mathsf{poly}(n)$-size alphabet $q$, each of whose output bits depends on at most two input alphabet symbols, and which achieve sufficiently large stretch. We show polynomial-time attacks against such generators, invalidating the security of the IO and FE candidates. Our attack uses tools from the literature on two-source extractors (Chor and Goldreich, SICOMP 1988) and efficient refutation of random $\mathsf{2}$-$\mathsf{XOR}$ instances (Charikar and Wirth, FOCS 2004).

    Indistinguishability Obfuscation from Well-Founded Assumptions

    In this work, we show how to construct indistinguishability obfuscation from subexponential hardness of four well-founded assumptions. We prove: Let $\tau \in (0,\infty)$, $\delta \in (0,1)$, $\epsilon \in (0,1)$ be arbitrary constants. Assume sub-exponential security of the following assumptions, where $\lambda$ is a security parameter, and the parameters $\ell, k, n$ below are large enough polynomials in $\lambda$:
    - The SXDH assumption on asymmetric bilinear groups of a prime order $p = O(2^\lambda)$,
    - The LWE assumption over $\mathbb{Z}_{p}$ with subexponential modulus-to-noise ratio $2^{k^\epsilon}$, where $k$ is the dimension of the LWE secret,
    - The LPN assumption over $\mathbb{Z}_p$ with polynomially many LPN samples and error rate $1/\ell^\delta$, where $\ell$ is the dimension of the LPN secret,
    - The existence of a Boolean PRG in $\mathsf{NC}^0$ with stretch $n^{1+\tau}$.
    Then, (subexponentially secure) indistinguishability obfuscation for all polynomial-size circuits exists.

    Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)

    Consider a pseudorandom generator $G$ with $m$ outputs, whose seed contains $n$ blocks of $b$ bits each. Further, assume that this PRG has block-locality $\ell$, i.e. each output bit depends on at most $\ell$ out of the $n$ blocks. The question of the maximum stretch $m$ that such PRGs can have, as a function of $n, b, \ell$, recently emerged in the context of constructing provably secure program obfuscation. It also relates to the question of refuting constraint satisfaction problems on predicates with large alphabets in complexity theory. We show that such $\ell$-block local PRGs can have output length at most $\tilde{O}(2^{\ell b} n^{\lceil \ell/2 \rceil})$, by presenting a polynomial time algorithm that distinguishes inputs of the form $G(x)$ (for any $x$) from inputs where each coordinate is sampled independently according to the marginal distributions of the coordinates of $G$. As a corollary, we refute some conjectures recently made in the context of constructing provably secure indistinguishability obfuscation (iO). This includes refuting the assumptions underlying Lin and Tessaro's [LinT17] recently proposed candidate iO from bilinear maps. Specifically, they assumed the existence of a secure pseudorandom generator $G\colon \{\pm 1\}^{nb} \rightarrow \{\pm 1\}^{2^{cb} n}$ as above for large enough $c > 3$ with $\ell = 2$. (Following this work, and an independent work of Lombardi and Vaikuntanathan [LombardiV17a], Lin and Tessaro retracted the bilinear maps based candidate from their manuscript.) Our results follow from a general framework that handles a more general class of pseudorandom generators. Namely, they work even if the outputs are not binary valued and are computed using low-degree polynomials over $\mathbb{R}$ (instead of the more restrictive local/block-local assumption).
    Specifically, we prove that for every function $G\colon \{\pm 1\}^n \rightarrow \mathbb{R}^m$ ($\mathbb{R}$ = reals), if every output of $G$ is a polynomial (over the real numbers $\mathbb{R}$) of degree at most $d$ of at most $s$ monomials and $m \ge \tilde{\Omega}(s n^{\lceil d/2 \rceil})$, then there is a polynomial time algorithm for the distinguishing task above. This implies that any such map $G$ cannot be a pseudorandom generator. Our results yield, in particular, that natural modifications to the notion of generators that are still sufficient for obtaining indistinguishability obfuscation from bilinear maps run into similar barriers. Our algorithms follow the Sum of Squares (SoS) paradigm, and in most cases can even be defined more simply using a semidefinite program. We complement our algorithm by presenting a class of candidate generators with block-wise locality 3 and constant block size, that resists both Gaussian elimination and sum of squares (SoS) algorithms whenever $m = n^{1.5-\epsilon}$. This class is extremely easy to describe: Let $\mathbb{G}$ be any simple non-abelian group with the group operation ``$\ast$'', and interpret the blocks of $x$ as elements in $\mathbb{G}$. The description of the pseudorandom generator is a sequence of $m$ triples of indices $(i,j,k)$ chosen at random and each output of the generator is of the form $x_i \ast x_j \ast x_k$.

    Indistinguishability Obfuscation Without Multilinear Maps: New Paradigms via Low Degree Weak Pseudorandomness and Security Amplification

    The existence of secure indistinguishability obfuscators (iO) has far-reaching implications, significantly expanding the scope of problems amenable to cryptographic study. All known approaches to constructing iO rely on $d$-linear maps. While secure bilinear maps are well established in the cryptographic literature, the security of candidates for $d > 2$ is poorly understood. We propose a new approach to constructing iO for general circuits. Unlike all previously known realizations of iO, we avoid the use of $d$-linear maps of degree $d \ge 3$. At the heart of our approach is the assumption that a new weak pseudorandom object exists. We consider two related variants of these objects, which we call perturbation resilient generator ($\Delta$RG) and pseudo flawed-smudging generator (PFG), respectively. At a high level, both objects are polynomially expanding functions whose outputs partially hide (or smudge) small noise vectors when added to them. We further require that they are computable by a family of degree-3 polynomials over $\mathbb{Z}$. We show how they can be used to construct functional encryption schemes with weak security guarantees. Finally, we use novel amplification techniques to obtain full security. As a result, we obtain iO for general circuits assuming:
    - Subexponentially secure LWE
    - Bilinear maps
    - $\mathrm{poly}(\lambda)$-secure 3-block-local PRGs
    - $\Delta$RGs or PFGs

    Structured-Seed Local Pseudorandom Generators and their Applications

    In this note, we introduce structured-seed local pseudorandom generators, a relaxation of local pseudorandom generators. We provide constructions of this primitive under the sparse-LPN assumption, and explore its implications.

    Indistinguishability Obfuscation from Trilinear Maps and Block-Wise Local PRGs

    We consider the question of finding the lowest degree $L$ for which $L$-linear maps suffice to obtain IO. The current state of the art (Lin, EUROCRYPT '16, CRYPTO '17; Lin and Vaikuntanathan, FOCS '16; Ananth and Sahai, EUROCRYPT '17) is that $L$-linear maps (under suitable security assumptions) suffice for IO, assuming the existence of pseudo-random generators (PRGs) with output locality $L$. However, these works cannot answer the question of whether $L < 5$ suffices, as no polynomial-stretch PRG with locality lower than 5 exists. In this work, we present a new approach that relies on the existence of PRGs with block-wise locality $L$, i.e., every output bit depends on at most $L$ (disjoint) input blocks, each consisting of up to $\log \lambda$ input bits. We show that the existence of PRGs with block-wise locality is plausible for any $L \geq 3$, and also provide:
    * A construction of a general-purpose indistinguishability obfuscator from $L$-linear maps and a subexponentially-secure PRG with block-wise locality $L$ and polynomial stretch.
    * A construction of general-purpose functional encryption from $L$-linear maps and any slightly super-polynomially secure PRG with block-wise locality $L$ and polynomial stretch.
    All our constructions are based on the SXDH assumption on $L$-linear maps and the subexponential Learning With Errors (LWE) assumption, and follow by instantiating our new generic bootstrapping theorems with Lin's recently proposed FE scheme (CRYPTO '17). Inherited from Lin's work, our security proof requires algebraic multilinear maps (Boneh and Silverberg, Contemporary Mathematics), whereas security when using noisy multilinear maps is based on a family of more complex assumptions that hold in the generic model.
    Our candidate PRGs with block-wise locality are based on Goldreich's local functions, and we show that the security of instantiations with block-wise locality $L \ge 3$ is backed by similar validation as constructions with (conventional) locality 5. We further complement this with hardness amplification techniques that further weaken the pseudorandomness requirements.
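    The object both of the preceding abstracts turn on, a block-wise local PRG with locality 3, is easy to make concrete. The following Python is an added illustration, not code from any of the papers listed on this page: it instantiates the candidate family described in the "Limits on Low-Degree Pseudorandom Generators" abstract (seed = $n$ blocks interpreted as elements of a simple non-abelian group $\mathbb{G}$, public description = $m$ random index triples $(i,j,k)$, output block $t$ = $x_i \ast x_j \ast x_k$), which is also the kind of block-wise locality-3 generator the "Trilinear Maps and Block-Wise Local PRGs" abstract assumes. The choice $\mathbb{G} = A_5$ (the smallest simple non-abelian group, 60 elements), the 6-bit encoding of output blocks, and the concrete $n$, $m$ and $\epsilon$ are assumptions made here for illustration; the papers fix none of them. Nothing in the block is a security argument, it only makes the assumed object and its block-locality and stretch checkable.

```python
import itertools
import random

# --- the group G: A5, the even permutations of {0,..,4}; simple, non-abelian, 60 elements ---

def is_even(perm):
    """Parity of a permutation (tuple, perm[x] = image of x) via its inversion count."""
    inversions = sum(
        1 for a in range(len(perm)) for b in range(a + 1, len(perm)) if perm[a] > perm[b]
    )
    return inversions % 2 == 0

A5 = [p for p in itertools.permutations(range(5)) if is_even(p)]
A5_INDEX = {p: i for i, p in enumerate(A5)}   # assumed encoding: position in this list
IDENTITY = tuple(range(5))

def mul(p, q):
    """The group operation '*': (p * q)(x) = p(q(x)). Non-commutative in general."""
    return tuple(p[q[x]] for x in range(5))

def is_nonabelian(group):
    return any(mul(p, q) != mul(q, p) for p in group for q in group)

# --- the generator: public description = m random triples, secret seed = n group elements ---

def sample_generator(n, m, seed=0):
    """Public description of the PRG: m triples (i, j, k) of distinct block indices in [n]."""
    rng = random.Random(seed)           # deterministic so the example is reproducible
    return [tuple(rng.sample(range(n), 3)) for _ in range(m)]

def sample_seed(n, seed=1):
    """Secret seed x: n independent uniform elements of G (one group element per block)."""
    rng = random.Random(seed)
    return [rng.choice(A5) for _ in range(n)]

def evaluate(triples, x):
    """Output block t is x_i * x_j * x_k for the t-th triple; it touches only 3 seed blocks."""
    return [mul(mul(x[i], x[j]), x[k]) for (i, j, k) in triples]

def block_locality(triples):
    """Largest number of distinct seed blocks any single output block depends on."""
    return max(len(set(t)) for t in triples)

def to_bits(blocks):
    """Serialize output blocks as 6-bit indices (60 < 2^6); the encoding is an assumption here."""
    return "".join(format(A5_INDEX[e], "06b") for e in blocks)

def stretch(n, eps):
    """Number of output blocks m = n^(1.5 - eps), the regime the abstract says resists SoS."""
    return int(n ** (1.5 - eps))

if __name__ == "__main__":
    n = 64                     # seed blocks (assumed parameter)
    m = stretch(n, 0.1)        # 337 output blocks for eps = 0.1
    G = sample_generator(n, m)
    x = sample_seed(n)
    y = evaluate(G, x)
    print(f"n={n} seed blocks, m={m} output blocks, block-locality={block_locality(G)}, "
          f"{len(to_bits(y))} output bits from {n * 6} seed bits")
```

    The point to take from running it is the shape of the assumption, not any evidence for it: the description `G` is public, only `x` is secret, every output block is a degree-3 "monomial" in the group, and the stretch is polynomial (here roughly 2000 output bits from under 400 seed bits). Because $A_5$ is non-abelian, $x_i \ast x_j \ast x_k$ is not the same element as $x_k \ast x_j \ast x_i$, which is exactly the structure the abstract credits with defeating Gaussian elimination; swapping in an abelian group would turn each output into a linear equation over the seed and the generator would be trivially broken.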

    Sum-of-Squares Meets Program Obfuscation, Revisited

    We develop attacks on the security of variants of pseudo-random generators computed by quadratic polynomials. In particular we give a general condition for breaking the one-way property of mappings where every output is a quadratic polynomial (over the reals) of the input. As a corollary, we break the degree-2 candidates for security assumptions recently proposed for constructing indistinguishability obfuscation by Ananth, Jain and Sahai (ePrint 2018) and Agrawal (ePrint 2018). We present conjectures that would imply our attacks extend to a wider variety of instances, and in particular offer experimental evidence that they break the assumption of Lin-Matt (ePrint 2018). Our algorithms use semidefinite programming, and in particular, results on low-rank recovery (Recht, Fazel, Parrilo 2007) and matrix completion (Gross 2009).

    New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation

    Constructing indistinguishability obfuscation (iO) [BGI+01] is a central open question in cryptography. We provide new methods to make progress towards this goal. Our contributions may be summarized as follows:
    1. Bootstrapping. In a recent work, Lin and Tessaro [LT17] (LT) show that iO may be constructed using i) Functional Encryption (FE) for polynomials of degree $L$, ii) Pseudorandom Generators (PRG) with blockwise locality $L$ and polynomial expansion, and iii) Learning With Errors (LWE). Since there exist constructions of FE for quadratic polynomials from standard assumptions on bilinear maps [Lin17, BCFG17], the ideal scenario would be to set $L = 2$, yielding iO from widely believed assumptions. Unfortunately, it was shown soon after [LV17, BBKK17] that PRGs with block locality 2 and the expansion factor required by the LT construction, concretely $\Omega(n \cdot 2^{b(3+\epsilon)})$, where $n$ is the input length and $b$ is the block length, do not exist. In the worst case, these lower bounds rule out 2-block local PRGs with stretch $\Omega(n \cdot 2^{b(2+\epsilon)})$. While [LV17, BBKK17] provided strong negative evidence for constructing iO based on bilinear maps, they could not rule out the possibility completely; a tantalizing gap has remained. Given the current state of lower bounds, the existence of 2-block local PRGs with expansion factor $\Omega(n \cdot 2^{b(1+\epsilon)})$ remains open, although this stretch does not suffice for the LT bootstrapping, and its relevance for iO is hence unclear. In this work, we improve the state of affairs as follows.
    (a) Weakening requirements on PRGs: In this work, we show that the narrow window of expansion factors left open by lower bounds does suffice for iO. We show a new method to construct FE for $NC_1$ from i) FE for degree $L$ polynomials, ii) PRGs of block locality $L$ and expansion factor $\Omega(n \cdot 2^{b(2+\epsilon)})$, and iii) LWE (or RLWE). Our method of bootstrapping is completely different from all known methods and does not go via randomizing polynomials. This re-opens the possibility of realizing iO from 2-block local PRGs, SXDH on bilinear maps and LWE.
    (b) Broadening the class of sufficient PRGs: Our bootstrapping theorem may be instantiated with a broader class of pseudorandom generators than hitherto considered for iO, and may circumvent lower bounds known for the arithmetic degree of iO-sufficient PRGs [LV17, BBKK17]; in particular, these may admit instantiations with arithmetic degree 2, yielding iO with the additional assumptions of SXDH on bilinear maps and LWE. In more detail, we may use the following two classes of PRG:
    i) Non-Boolean PRGs: We may use pseudorandom generators whose inputs and outputs need not be Boolean but may be integers restricted to a small (polynomial) range. Additionally, the outputs are not required to be pseudorandom but must only satisfy a milder indistinguishability property. We tentatively propose initializing these PRGs using the multivariate quadratic assumption (MQ) which has been widely studied in the literature [MI88, Wol05, DY09] and against the general case of which no efficient attacks are known. We note that our notion of non-Boolean PRGs is qualitatively equivalent to the notion of $\Delta$RGs defined in the concurrent work of Ananth, Jain, Khurana and Sahai [AJKS18], except that $\Delta$RGs are weaker, in that they allow the adversary to win the game with $1/\mathrm{poly}$ probability whereas we require that the adversary only wins with standard negligible probability. By relying on the security amplification theorem of [AJKS18] in a black box way, our construction can also make do with the weaker notion of security considered by [AJKS18].
    ii) Correlated Noise Generators: We introduce an even weaker class of pseudorandom generators, which we call correlated noise generators (CNG), which may not only be non-Boolean but are required to satisfy an even milder (seeming) indistinguishability property.
    (c) Assumptions and Efficiency. Our bootstrapping theorems can be based on the hardness of the Learning With Errors problem (LWE) or its ring variant (RLWE) and can compile FE for degree $L$ polynomials directly to FE for $NC_1$. Previous work compiles FE for degree $L$ polynomials to FE for $NC_0$ to FE for $NC_1$ to iO [LV16, Lin17, AS17, GGHRSW13].
    2. Instantiating Primitives. In this work, we provide the first direct candidate of FE for constant degree polynomials from new assumptions on lattices. Our construction is new and does not go via multilinear maps or graded encoding schemes as all previous constructions do. In more detail, let $\mathcal{F}$ be the class of circuits with depth $d$ and output length $\ell$. Then, for any $f \in \mathcal{F}$, our scheme achieves $\mathsf{Time}(\mathsf{keygen}) = O(\mathrm{poly}(\kappa, |f|))$ and $\mathsf{Time}(\mathsf{encrypt}) = O(|\vec{x}| \cdot 2^d \cdot \mathrm{poly}(\kappa))$, where $\kappa$ is the security parameter. This suffices to instantiate the bootstrapping step above. Our construction is based on the ring learning with errors assumption (RLWE) as well as new untested assumptions on NTRU rings. We provide a detailed security analysis and discuss why previously known attacks in the context of multilinear maps, especially zeroizing attacks and annihilation attacks, do not appear to apply to our setting. We caution that the assumptions underlying our construction must be subject to rigorous cryptanalysis before any confidence can be gained in their security. However, their significant departure from known multilinear map based constructions makes them, we feel, a potentially fruitful new direction to explore.
    Additionally, being based entirely on lattices, we believe that security against classical attacks will likely imply security against quantum attacks. Note that this feature is not enjoyed by instantiations that make any use of bilinear maps, even if secure instances of weak PRGs, as defined by the present work, the follow-up by Lin and Matt [LM18] and the independent work by Ananth, Jain, Khurana and Sahai [AJKS18], are found.