Ilan Komargodski, Tal Moran, Moni Naor, Rafael Pass, Alon Rosen, Eylon Yogev
{"title":"单向函数和(我)完美混淆","authors":"Ilan Komargodski, Tal Moran, Moni Naor, Rafael Pass, Alon Rosen, Eylon Yogev","doi":"10.1137/15m1048549","DOIUrl":null,"url":null,"abstract":"SIAM Journal on Computing, Volume 51, Issue 6, Page 1769-1795, December 2022. <br/> Abstract. A program obfuscator takes a program and outputs a “scrambled” version of it, where the goal is that the obfuscated program will not reveal much about its structure beyond what is apparent from executing it. There are several ways of formalizing this goal. Specifically, in indistinguishability obfuscation, first defined by Barak et al. [Advances in Cryptology - CRYPTO, 2001, Lect. Notes Comput. Sci. 2139, Springer, Berlin, Heidelberg, pp. 1–18], the requirement is that the results of obfuscating any two functionally equivalent programs (circuits) will be computationally indistinguishable. In 2013, a fascinating candidate construction for indistinguishability obfuscation was proposed by Garg et al. [Proceedings of the Symposium on Theory of Computing Conference, STOC, ACM, 2013, pp. 467–476]. This has led to a flurry of discovery of intriguing constructions of primitives and protocols whose existence was not previously known (for instance, fully deniable encryption by Sahai and Waters [Proceedings of the Symposium on Theory of Computing, 2014, STOC, pp. 475–484]). Most of them explicitly rely on additional hardness assumptions, such as one-way functions. Our goal is to get rid of this extra assumption. We cannot argue that indistinguishability obfuscation of all polynomial-time circuits implies the existence of one-way functions, since if [math], then program obfuscation (under the indistinguishability notion) is possible. Instead, the ultimate goal is to argue that if [math] and program obfuscation is possible, then one-way functions exist. Our main result is that if [math] and there is an efficient (even imperfect) indistinguishability obfuscator, then there are one-way functions. In addition, we show that the existence of an indistinguishability obfuscator implies (unconditionally) the existence of SZK-arguments for [math]. This, in turn, provides an alternative version of our main result, based on the assumption of hard-on-the-average [math] problems. To get some of our results we need obfuscators for simple programs such as [math] circuits.","PeriodicalId":49532,"journal":{"name":"SIAM Journal on Computing","volume":"8 1","pages":""},"PeriodicalIF":1.2000,"publicationDate":"2022-12-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"One-Way Functions and (Im)perfect Obfuscation\",\"authors\":\"Ilan Komargodski, Tal Moran, Moni Naor, Rafael Pass, Alon Rosen, Eylon Yogev\",\"doi\":\"10.1137/15m1048549\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"SIAM Journal on Computing, Volume 51, Issue 6, Page 1769-1795, December 2022. <br/> Abstract. A program obfuscator takes a program and outputs a “scrambled” version of it, where the goal is that the obfuscated program will not reveal much about its structure beyond what is apparent from executing it. There are several ways of formalizing this goal. Specifically, in indistinguishability obfuscation, first defined by Barak et al. [Advances in Cryptology - CRYPTO, 2001, Lect. Notes Comput. Sci. 2139, Springer, Berlin, Heidelberg, pp. 1–18], the requirement is that the results of obfuscating any two functionally equivalent programs (circuits) will be computationally indistinguishable. In 2013, a fascinating candidate construction for indistinguishability obfuscation was proposed by Garg et al. [Proceedings of the Symposium on Theory of Computing Conference, STOC, ACM, 2013, pp. 467–476]. This has led to a flurry of discovery of intriguing constructions of primitives and protocols whose existence was not previously known (for instance, fully deniable encryption by Sahai and Waters [Proceedings of the Symposium on Theory of Computing, 2014, STOC, pp. 475–484]). Most of them explicitly rely on additional hardness assumptions, such as one-way functions. Our goal is to get rid of this extra assumption. We cannot argue that indistinguishability obfuscation of all polynomial-time circuits implies the existence of one-way functions, since if [math], then program obfuscation (under the indistinguishability notion) is possible. Instead, the ultimate goal is to argue that if [math] and program obfuscation is possible, then one-way functions exist. Our main result is that if [math] and there is an efficient (even imperfect) indistinguishability obfuscator, then there are one-way functions. In addition, we show that the existence of an indistinguishability obfuscator implies (unconditionally) the existence of SZK-arguments for [math]. This, in turn, provides an alternative version of our main result, based on the assumption of hard-on-the-average [math] problems. To get some of our results we need obfuscators for simple programs such as [math] circuits.\",\"PeriodicalId\":49532,\"journal\":{\"name\":\"SIAM Journal on Computing\",\"volume\":\"8 1\",\"pages\":\"\"},\"PeriodicalIF\":1.2000,\"publicationDate\":\"2022-12-20\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"SIAM Journal on Computing\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1137/15m1048549\",\"RegionNum\":3,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, THEORY & METHODS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"SIAM Journal on Computing","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1137/15m1048549","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}
引用次数: 0
摘要
SIAM Journal on Computing, vol . 51, Issue 6, Page 1769-1795, December 2022。摘要。程序混淆器接受一个程序并输出它的“混乱”版本,其目标是混淆后的程序除了执行它时显而易见的内容外,不会透露太多有关其结构的信息。有几种方法可以形式化这个目标。具体来说,在不可区分混淆中,首先由Barak等人定义。[密码学进展- CRYPTO, 2001,选]。指出第一版。Sci. 2139, Springer, Berlin, Heidelberg, pp. 1-18],其要求是混淆任何两个功能等效的程序(电路)的结果将在计算上不可区分。2013年,Garg等人提出了一个引人入胜的不可区分混淆候选结构[计算理论会议论文集,STOC, ACM, 2013, pp. 467-476]。这导致了一系列有趣的原语和协议结构的发现,这些原语和协议的存在以前并不知道(例如,Sahai和Waters的完全可否认加密[计算理论研讨会论文集,2014年,STOC,第475-484页])。它们中的大多数显式地依赖于额外的硬度假设,例如单向函数。我们的目标是去掉这个额外的假设。我们不能争辩说所有多项式时间电路的不可区分混淆意味着单向函数的存在,因为如果[数学],那么程序混淆(在不可区分概念下)是可能的。相反,最终目标是论证如果[数学]和程序混淆是可能的,那么单向函数是存在的。我们的主要结果是,如果[math]和有一个有效的(甚至不完美的)不可区分混淆器,那么就有单向函数。此外,我们证明了不可区分混淆器的存在(无条件地)意味着[math]的szk参数的存在。这反过来又为我们的主要结果提供了另一种版本,该结果基于对平均难度[数学]问题的假设。为了得到我们的一些结果,我们需要对简单的程序(如[数学]电路)使用混淆器。
SIAM Journal on Computing, Volume 51, Issue 6, Page 1769-1795, December 2022. Abstract. A program obfuscator takes a program and outputs a “scrambled” version of it, where the goal is that the obfuscated program will not reveal much about its structure beyond what is apparent from executing it. There are several ways of formalizing this goal. Specifically, in indistinguishability obfuscation, first defined by Barak et al. [Advances in Cryptology - CRYPTO, 2001, Lect. Notes Comput. Sci. 2139, Springer, Berlin, Heidelberg, pp. 1–18], the requirement is that the results of obfuscating any two functionally equivalent programs (circuits) will be computationally indistinguishable. In 2013, a fascinating candidate construction for indistinguishability obfuscation was proposed by Garg et al. [Proceedings of the Symposium on Theory of Computing Conference, STOC, ACM, 2013, pp. 467–476]. This has led to a flurry of discovery of intriguing constructions of primitives and protocols whose existence was not previously known (for instance, fully deniable encryption by Sahai and Waters [Proceedings of the Symposium on Theory of Computing, 2014, STOC, pp. 475–484]). Most of them explicitly rely on additional hardness assumptions, such as one-way functions. Our goal is to get rid of this extra assumption. We cannot argue that indistinguishability obfuscation of all polynomial-time circuits implies the existence of one-way functions, since if [math], then program obfuscation (under the indistinguishability notion) is possible. Instead, the ultimate goal is to argue that if [math] and program obfuscation is possible, then one-way functions exist. Our main result is that if [math] and there is an efficient (even imperfect) indistinguishability obfuscator, then there are one-way functions. In addition, we show that the existence of an indistinguishability obfuscator implies (unconditionally) the existence of SZK-arguments for [math]. This, in turn, provides an alternative version of our main result, based on the assumption of hard-on-the-average [math] problems. To get some of our results we need obfuscators for simple programs such as [math] circuits.
期刊介绍:
The SIAM Journal on Computing aims to provide coverage of the most significant work going on in the mathematical and formal aspects of computer science and nonnumerical computing. Submissions must be clearly written and make a significant technical contribution. Topics include but are not limited to analysis and design of algorithms, algorithmic game theory, data structures, computational complexity, computational algebra, computational aspects of combinatorics and graph theory, computational biology, computational geometry, computational robotics, the mathematical aspects of programming languages, artificial intelligence, computational learning, databases, information retrieval, cryptography, networks, distributed computing, parallel algorithms, and computer architecture.