About: Computational indistinguishability is a research topic. Over the lifetime, 95 publications have been published within this topic receiving 4664 citations.
TL;DR: In this paper, a constructive theory of randomness for functions, based on computational complexity, is developed, and a pseudorandom function generator is presented, which is a deterministic polynomial-time algorithm that transforms pairs (g, r), where g is any one-way function and r is a random k-bit string, to computable functions.
Abstract: A constructive theory of randomness for functions, based on computational complexity, is developed, and a pseudorandom function generator is presented. This generator is a deterministic polynomial-time algorithm that transforms pairs (g, r), where g is any one-way function and r is a random k-bit string, to polynomial-time computable functions $f_r: \{1, \ldots, 2^k\} \to \{1, \ldots, 2^k\}$. These $f_r$'s cannot be distinguished from random functions by any probabilistic polynomial-time algorithm that asks and receives the value of a function at arguments of its choice. The result has applications in cryptography, random constructions, and complexity theory.
TL;DR: This work gives constructions for indistinguishability obfuscation and functional encryption that supports all polynomial-size circuits and describes a candidate construction for indistinguishability obfuscation for $\mathbf{NC}^1$ circuits.
Abstract: In this work, we study indistinguishability obfuscation and functional encryption for general circuits: Indistinguishability obfuscation requires that given any two equivalent circuits $C_0$ and $C_1$ of similar size, the obfuscations of $C_0$ and $C_1$ should be computationally indistinguishable. In functional encryption, ciphertexts encrypt inputs $x$ and keys are issued for circuits $C$. Using the key $\mathrm{SK}_C$ to decrypt a ciphertext $\mathrm{CT}_x={\sf Enc}(x)$ yields the value $C(x)$ but does not reveal anything else about $x$. Furthermore, no collusion of secret key holders should be able to learn anything more than the union of what they can each learn individually. We give constructions for indistinguishability obfuscation and functional encryption that supports all polynomial-size circuits. We accomplish this goal in three steps: (1) We describe a candidate construction for indistinguishability obfuscation for $\mathbf{NC}^1$ circuits. The security of this construction is based on a new al...
TL;DR: A notion of semantic security of multilinear encoding schemes, which stipulates security of a class of algebraic “decisional” assumptions, is defined and the existence of indistinguishability obfuscators for all polynomial-size circuits is demonstrated.
Abstract: We define a notion of semantic security of multilinear (a.k.a. graded) encoding schemes, which stipulates security of a class of algebraic “decisional” assumptions: roughly speaking, we require that for every nuPPT distribution $D$ over two constant-length sequences $m_0, m_1$ and auxiliary elements $z$ such that all arithmetic circuits (respecting the multilinear restrictions and ending with a zero-test) are constant with overwhelming probability over $(m_b, z)$, $b \in \{0,1\}$, we have that encodings of $m_0, z$ are computationally indistinguishable from encodings of $m_1, z$. Assuming the existence of semantically secure multilinear encodings and the LWE assumption, we demonstrate the existence of indistinguishability obfuscators for all polynomial-size circuits.
TL;DR: The relaxed notion of computationally private randomizing polynomials is studied, where the output distribution of $\hat{f}(x, r)$ should only be computationally indistinguishable from a randomized encoding of $f(x)$.
Abstract: Randomizing polynomials allow representing a function $f(x)$ by a low-degree randomized mapping $\hat{f}(x, r)$ whose output distribution on an input $x$ is a randomized encoding of $f(x)$. It is known that any function $f$ in uniform $\oplus L/\mathrm{poly}$ (and in particular in $\mathrm{NC}^1$) can be efficiently represented by degree-3 randomizing polynomials. Such a degree-3 representation gives rise to an $\mathrm{NC}^0_4$ representation, in which every bit of the output depends on only four bits of the input.
In this paper, we study the relaxed notion of computationally private randomizing polynomials, where the output distribution of $\hat{f}(x, r)$ should only be computationally indistinguishable from a randomized encoding of $f(x)$. We construct degree-3 randomizing polynomials of this type for every polynomial-time computable function, assuming the existence of a cryptographic pseudorandom generator (PRG) in uniform $\oplus L/\mathrm{poly}$. (The latter assumption is implied by most standard intractability assumptions used in cryptography.) This result is obtained by combining a variant of Yao's garbled circuit technique with previous "information-theoretic" constructions of randomizing polynomials.
We present several applications of computationally private randomizing polynomials in cryptography. In particular, we relax the sufficient assumptions for parallel constructions of cryptographic primitives, obtain new parallel reductions between primitives, and simplify the design of constant-round protocols for multiparty computation.
TL;DR: A notion of obfuscation that is preserved under an appropriate composition operation is defined, which can be used to construct obfuscators of point functions with multibit output and other related functions.
Abstract: We construct obfuscators of point functions with multibit output and other related functions. A point function with multibit output returns a fixed string on a single input point and zero everywhere else. Obfuscation of such functions has a useful application as a strong form of symmetric encryption which guarantees security even when the key has very low entropy: Essentially, learning information about the plaintext is paramount to finding the key via exhaustive search on the key space.
Although the constructions appear to be simple and modular, their analysis turns out to be quite intricate. In particular, we uncover some weaknesses in the current definitions of obfuscation. One weakness is that current definitions do not guarantee security even under very weak forms of composition. We thus define a notion of obfuscation that is preserved under an appropriate composition operation. The constructions can use any obfuscator of point functions under the proposed definition. Alternatively, they can use perfect one way (POW) functions with statistical indistinguishability, or with computational indistinguishability at the price of somewhat weaker security.