94 research outputs found

    On Constructing One-Way Permutations from Indistinguishability Obfuscation

    We prove that there is no black-box construction of a one-way permutation family from a one-way function and an indistinguishability obfuscator for the class of all oracle-aided circuits, where the construction is domain invariant (i.e., where each permutation may have its own domain, but these domains are independent of the underlying building blocks). Following the framework of Asharov and Segev (FOCS '15), by considering indistinguishability obfuscation for oracle-aided circuits we capture the common techniques that have been used so far in constructions based on indistinguishability obfuscation. These include, in particular, non-black-box techniques such as the punctured programming approach of Sahai and Waters (STOC '14) and its variants, as well as sub-exponential security assumptions. For example, we fully capture the construction of a trapdoor permutation family from a one-way function and an indistinguishability obfuscator due to Bitansky, Paneth and Wichs (TCC '16). Their construction is not domain invariant and our result shows that this, somewhat undesirable property, is unavoidable using the common techniques. In fact, we observe that constructions which are not domain invariant circumvent all known negative results for constructing one-way permutations based on one-way functions, starting with Rudich's seminal work (PhD thesis '88). We revisit this classic and fundamental problem, and resolve this somewhat surprising gap by ruling out all such black-box constructions -- even those that are not domain invariant.

    Limits on the Power of Indistinguishability Obfuscation and Functional Encryption

    Recent breakthroughs in cryptography have positioned indistinguishability obfuscation as a "central hub" for almost all known cryptographic tasks, and as an extremely powerful building block for new cryptographic tasks resolving long-standing and foundational open problems. However, constructions based on indistinguishability obfuscation almost always rely on non-black-box techniques, and thus the extent to which it can be used as a building block has been completely unexplored so far. We present a framework for proving meaningful negative results on the power of indistinguishability obfuscation. By considering indistinguishability obfuscation for oracle-aided circuits, we capture the common techniques that have been used so far in constructions based on indistinguishability obfuscation. These include, in particular, non-black-box techniques such as the punctured programming approach of Sahai and Waters (STOC '14) and its variants, as well as sub-exponential security assumptions. Within our framework we prove the first negative results on the power of indistinguishability obfuscation and of the tightly related notion of functional encryption. Our results are as follows: -- There is no fully black-box construction of a collision-resistant function family from an indistinguishability obfuscator for oracle-aided circuits. -- There is no fully black-box construction of a key-agreement protocol with perfect completeness from a private-key functional encryption scheme for oracle-aided circuits. Specifically, we prove that any such potential constructions must suffer from an exponential security loss, and thus our results cannot be circumvented using sub-exponential security assumptions.
Our framework captures constructions that may rely on a wide variety of primitives in a non-black-box manner (e.g., obfuscating or generating a functional key for a function that uses the evaluation circuit of a puncturable pseudorandom function), and we only assume that the underlying indistinguishability obfuscator or functional encryption scheme themselves are used in a black-box manner.

    Tight Tradeoffs in Searchable Symmetric Encryption

    A searchable symmetric encryption (SSE) scheme enables a client to store data on an untrusted server while supporting keyword searches in a secure manner. Recent experiments have indicated that the practical relevance of such schemes heavily relies on the tradeoff between their space overhead, locality (the number of non-contiguous memory locations that the server accesses with each query), and read efficiency (the ratio between the number of bits the server reads with each query and the actual size of the answer). These experiments motivated Cash and Tessaro (EUROCRYPT '14) and Asharov et al. (STOC '16) to construct SSE schemes offering various such tradeoffs, and to prove lower bounds for natural SSE frameworks. Unfortunately, the best-possible tradeoff has not been identified, and there are substantial gaps between the existing schemes and lower bounds, indicating that a better understanding of SSE is needed. We establish tight bounds on the tradeoff between the space overhead, locality and read efficiency of SSE schemes within two general frameworks that capture the memory access pattern underlying all existing schemes. First, we introduce the "pad-and-split" framework, refining that of Cash and Tessaro while still capturing the same existing schemes. Within our framework we significantly strengthen their lower bound, proving that any scheme with locality $L$ must use space $\Omega(N \log N / \log L)$ for databases of size $N$. This is a tight lower bound, matching the tradeoff provided by the scheme of Demertzis and Papamanthou (SIGMOD '17) which is captured by our pad-and-split framework. Then, within the "statistical-independence" framework of Asharov et al. we show that their lower bound is essentially tight: We construct a scheme whose tradeoff matches their lower bound within an additive $O(\log \log \log N)$ factor in its read efficiency, once again improving upon the existing schemes.
Our scheme offers optimal space and locality, and nearly-optimal read efficiency that depends on the frequency of the queried keywords: For a keyword that is associated with $n = N^{1 - \epsilon(n)}$ document identifiers, the read efficiency is $\omega(1) \cdot \epsilon(n)^{-1} + O(\log \log \log N)$ when retrieving its identifiers (where the $\omega(1)$ term may be arbitrarily small, and $\omega(1) \cdot \epsilon(n)^{-1}$ is the lower bound proved by Asharov et al.). In particular, for any keyword that is associated with at most $N^{1 - 1/o(\log \log \log N)}$ document identifiers (i.e., for any keyword that is not exceptionally common), we provide read efficiency $O(\log \log \log N)$ when retrieving its identifiers.

    Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-Dimensional Balanced Allocations

    Searchable symmetric encryption (SSE) enables a client to store a database on an untrusted server while supporting keyword search in a secure manner. Despite the rapidly increasing interest in SSE technology, experiments indicate that the performance of the known schemes scales badly to large databases. Somewhat surprisingly, this is not due to their usage of cryptographic tools, but rather due to their poor locality (where locality is defined as the number of non-contiguous memory locations the server accesses with each query). The only known schemes that do not suffer from poor locality suffer either from an impractical space overhead or from an impractical read efficiency (where read efficiency is defined as the ratio between the number of bits the server reads with each query and the actual size of the answer). We construct the first SSE schemes that simultaneously enjoy optimal locality, optimal space overhead, and nearly-optimal read efficiency. Specifically, for a database of size $N$, under the modest assumption that no keyword appears in more than $N^{1 - 1/\log\log N}$ documents, we construct a scheme with read efficiency $\tilde{O}(\log \log N)$. This essentially matches the lower bound of Cash and Tessaro (EUROCRYPT '14) showing that any SSE scheme must be sub-optimal in either its locality, its space overhead, or its read efficiency. In addition, even without making any assumptions on the structure of the database, we construct a scheme with read efficiency $\tilde{O}(\log N)$. Our schemes are obtained via a two-dimensional generalization of the classic balanced allocations ("balls and bins") problem that we put forward. We construct nearly-optimal two-dimensional balanced allocation schemes, and then combine their algorithmic structure with subtle cryptographic techniques.

    Gene Regulation in Primates Evolves under Tissue-Specific Selection Pressures

    Regulatory changes have long been hypothesized to play an important role in primate evolution. To identify adaptive regulatory changes in humans, we performed a genome-wide survey for genes in which regulation has likely evolved under natural selection. To do so, we used a multi-species microarray to measure gene expression levels in livers, kidneys, and hearts from six humans, chimpanzees, and rhesus macaques. This comparative gene expression data allowed us to identify a large number of genes, as well as specific pathways, whose inter-species expression profiles are consistent with the action of stabilizing or directional selection on gene regulation. Among the latter set, we found an enrichment of genes involved in metabolic pathways, consistent with the hypothesis that shifts in diet underlie many regulatory adaptations in humans. In addition, we found evidence for tissue-specific selection pressures, as well as lower rates of protein evolution for genes in which regulation evolves under natural selection. These observations are consistent with the notion that adaptive circumscribed changes in gene regulation have fewer deleterious pleiotropic effects compared with changes at the protein sequence level

    The reaction dynamics of the 16O(e,e'p) cross section at high missing energies

    We measured the cross section and response functions (R_L, R_T, and R_LT) for the 16O(e,e'p) reaction in quasielastic kinematics for missing energies 25 <= E_miss <= 120 MeV at various missing momenta P_miss <= 340 MeV/c. For 25 < E_miss < 50 MeV and P_miss \approx 60 MeV/c, the reaction is dominated by single-nucleon knockout from the 1s1/2-state. At larger P_miss, the single-particle aspects are increasingly masked by more complicated processes. For E_miss > 60 MeV and P_miss > 200 MeV/c, the cross section is relatively constant. Calculations which include contributions from pion exchange currents, isobar currents and short-range correlations account for the shape and the transversity but only for half of the magnitude of the measured cross section. Comment: 6 pages, 4 figures, submitted to Phys Rev Lett, formatting error fixe