On Statistically Secure Obfuscation with Approximate Correctness

Goldwasser and Rothblum (TCC '07) prove that statistical indistinguishability obfuscation (iO) cannot exist if the obfuscator must maintain perfect correctness (under a widely believed complexity-theoretic assumption: $$\mathcal{NP}\not\subseteq \mathcal{SZK}\subseteq \mathcal{AM}\cap \mathbf{co}\mathcal{AM}$$). However, for many applications of iO, such as constructing public-key encryption from one-way functions (one of the main open problems in theoretical cryptography), approximate correctness is sufficient. It had been unknown thus far whether statistical approximate iO (saiO) can exist. We show that saiO does not exist, even for a minimal correctness requirement, if $$\mathcal{NP}\not\subseteq \mathcal{AM}\cap \mathbf{co}\mathcal{AM}$$, and if one-way functions exist. A simple complementary observation shows that if one-way functions do not exist, then average-case saiO exists. Technically, previous approaches utilized the behavior of the obfuscator on evasive functions, for which saiO always exists. We overcome this barrier by using a PRF as a "baseline" for the obfuscated program. We broaden our study and consider relaxed notions of security for iO. We introduce the notion of correlation obfuscation, where the obfuscations of equivalent circuits only need to be mildly correlated rather than statistically indistinguishable. Perhaps surprisingly, we show that correlation obfuscators exist via a trivial construction for some parameter regimes, whereas our impossibility result extends to other regimes. Interestingly, within the gap between the parameter regimes that we show possible and impossible, there is a small fraction of parameters that still allow building public-key encryption from one-way functions and thus deserve further investigation.

[1] S. Micali, et al. How To Construct Random Functions, 1984, FOCS 1984.

[2] Brent Waters, et al. Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits, 2013, 2013 IEEE 54th Annual Symposium on Foundations of Computer Science.

[3] Amit Sahai, et al. On the (im)possibility of obfuscating programs, 2001, JACM.

[4] Yael Tauman Kalai, et al. On Obfuscation with Random Oracles, 2015, TCC.

[5] Moni Naor, et al. One-Way Functions and (Im)Perfect Obfuscation, 2014, 2014 IEEE 55th Annual Symposium on Foundations of Computer Science.

[6] Amit Sahai, et al. A complete promise problem for statistical zero-knowledge, 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[7] Guy N. Rothblum, et al. On Best-Possible Obfuscation, 2007, Journal of Cryptology.

[8] Rafael Pass, et al. Output-Compressing Randomized Encodings and Applications, 2016, TCC.

[9] Mohammad Mahmoody, et al. On the Impossibility of Virtual Black-Box Obfuscation in Idealized Models, 2016, TCC.

[10] Whitfield Diffie, et al. Multiuser cryptographic techniques, 1976, AFIPS '76.

[11] Thomas Holenstein, et al. Strengthening key agreement using hard-core sets, 2006.

[12] Oded Goldreich, et al. Computational complexity: a conceptual perspective, 2008, SIGA.

[13] Silvio Micali, et al. How to construct random functions, 1986, JACM.

[14] Nir Bitansky, et al. Indistinguishability Obfuscation: From Approximate to Exact, 2016, TCC.

[15] Abhi Shelat, et al. Lower Bounds on Assumptions Behind Indistinguishability Obfuscation, 2016, TCC.

[16] Kouichi Sakurai, et al. A Note on the (Im)possibility of Using Obfuscators to Transform Private-Key Encryption into Public-Key Encryption, 2007, IWSEC.

[17] Andrej Bogdanov, et al. Limits of Provable Security for Homomorphic Encryption, 2013, CRYPTO.

[18] Brent Waters, et al. How to use indistinguishability obfuscation: deniable encryption, and more, 2014, IACR Cryptol. ePrint Arch.

[19] Abhi Shelat, et al. Impossibility of VBB Obfuscation with Ideal Constant-Degree Graded Encodings, 2016, TCC.

[20] Brent Waters, et al. Constrained Pseudorandom Functions and Their Applications, 2013, ASIACRYPT.

[21] Shafi Goldwasser, et al. Functional Signatures and Pseudorandom Functions, 2014, Public Key Cryptography.

[22] Silvio Micali, et al. How to Construct Random Functions (Extended Abstract), 1984, FOCS.

[23] Mohammad Mahmoody, et al. On the Power of Randomized Reductions and the Checkability of SAT, 2010, 2010 IEEE 25th Annual Conference on Computational Complexity.

[24] Aggelos Kiayias, et al. Delegatable pseudorandom functions and applications, 2013, IACR Cryptol. ePrint Arch.

[25] Leslie G. Valiant, et al. NP is as easy as detecting unique solutions, 1985, STOC '85.

[26] Nir Bitansky, et al. On the impossibility of approximate obfuscation and applications to resettable cryptography, 2013, STOC '13.

[27] Leslie G. Valiant, et al. NP is as easy as detecting unique solutions, 1985, STOC '85.

[28] Leslie G. Valiant, et al. A theory of the learnable, 1984, STOC '84.

[29] Russell Impagliazzo, et al. One-way functions are essential for complexity based cryptography, 1989, 30th Annual Symposium on Foundations of Computer Science.

[30] Leonid A. Levin, et al. A Pseudorandom Generator from any One-way Function, 1999, SIAM J. Comput.

[31] Russell Impagliazzo, et al. Limits on the provable consequences of one-way permutations, 1988, STOC '89.