In
cryptography
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
, indistinguishability obfuscation (abbreviated IO or iO) is a type of
software obfuscation with the defining property that obfuscating any two programs that compute the same
mathematical function
In mathematics, a function from a set to a set assigns to each element of exactly one element of .; the words map, mapping, transformation, correspondence, and operator are often used synonymously. The set is called the domain of the functi ...
results in programs that cannot be distinguished from each other. Informally, such obfuscation hides the implementation of a program while still allowing users to run it.
Formally, IO satisfies the property that obfuscations of two circuits of the same size which implement the same function are
computationally indistinguishable
In Analysis of algorithms, computational complexity and cryptography, two families of distributions are computationally indistinguishable if no efficient algorithm can tell the difference between them except with negligible probability.
Formal def ...
.
Indistinguishability obfuscation has several interesting theoretical properties. Firstly, iO is the "best-possible" obfuscation (in the sense that any secret about a program that can be hidden by any obfuscator at all can also be hidden by iO). Secondly, iO can be used to construct nearly the entire gamut of
cryptographic primitives, including both mundane ones such as
public-key cryptography
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
and more exotic ones such as
deniable encryption
In cryptography and steganography, plausibly deniable encryption describes encryption techniques where the existence of an encrypted file or message is deniable in the sense that an adversary cannot prove that the plaintext data exists.
The users ...
and
functional encryption
Functional encryption (FE) is a generalization of public-key encryption in which possessing a secret key allows one to learn a function of what the ciphertext is encrypting.
Formal definition
More precisely, a functional encryption scheme for a g ...
(which are types of cryptography that no-one previously knew how to construct
), but with the notable exception of collision-resistant
hash function
A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called ''hash values'', ''hash codes'', ''digests'', or simply ''hashes''. The values are usually u ...
families. For this reason, it has been referred to as "crypto-complete". Lastly, unlike many other kinds of cryptography, indistinguishability obfuscation continues to exist even if
P=NP
The P versus NP problem is a major unsolved problem in theoretical computer science. In informal terms, it asks whether every problem whose solution can be quickly verified can also be quickly solved.
The informal term ''quickly'', used abov ...
(though it would have to be constructed differently in this case), though this does not necessarily imply that iO exists unconditionally.
Though the idea of cryptographic software obfuscation has been around since 1996, indistinguishability obfuscation was first proposed by Barak et al. (2001), who proved that iO exists if P=NP is the case. For the P!=NP case (which is harder, but also more plausible
), progress was slower: Garg et al. (2013)
proposed a construction of iO based on a
computational hardness assumption
In computational complexity theory, a computational hardness assumption is the hypothesis that a particular problem cannot be solved efficiently (where ''efficiently'' typically means "in polynomial time"). It is not known how to prove (uncondition ...
relating to
multilinear map
In linear algebra, a multilinear map is a function of several variables that is linear separately in each variable. More precisely, a multilinear map is a function
:f\colon V_1 \times \cdots \times V_n \to W\text
where V_1,\ldots,V_n and W are ...
s, but this assumption was later disproven. A construction based on "well-founded assumptions" (hardness assumptions that have been well-studied by cryptographers, and thus widely assumed secure) had to wait until Jain, Lin, and Sahai (2020). (Even so, one of these assumptions used in the 2020 proposal is not secure against
quantum computers
Quantum computing is a type of computation whose operations can harness the phenomena of quantum mechanics, such as superposition, interference, and entanglement. Devices that perform quantum computations are known as quantum computers. Though ...
.)
Currently known indistinguishability obfuscation candidates are very far from being practical. As measured by a 2017 paper, even obfuscating the
toy function which outputs the
logical conjunction
In logic, mathematics and linguistics, And (\wedge) is the truth-functional operator of logical conjunction; the ''and'' of a set of operands is true if and only if ''all'' of its operands are true. The logical connective that represents this ...
of its thirty-two
Boolean data type
In computer science, the Boolean (sometimes shortened to Bool) is a data type that has one of two possible values (usually denoted ''true'' and ''false'') which is intended to represent the two truth values of logic and Boolean algebra. It is name ...
inputs produces a program nearly a dozen
gigabyte
The gigabyte () is a multiple of the unit byte for digital information. The prefix ''giga'' means 109 in the International System of Units (SI). Therefore, one gigabyte is one billion bytes. The unit symbol for the gigabyte is GB.
This defini ...
s large.
Formal definition
Let
be some uniform
probabilistic polynomial-time algorithm. Then
is called an ''indistinguishability obfuscator'' if and only if it satisfies both of the following two statements:
* Completeness or Functionality: For any
Boolean circuit
In computational complexity theory and circuit complexity, a Boolean circuit is a mathematical model for combinational digital logic circuits. A formal language can be decided by a family of Boolean circuits, one circuit for each possible input ...
''C'' of input length ''n'' and input
, we have
* Indistinguishability: For every pair of circuits
of the same size ''k'' that implement the same functionality, the distributions
and
are computationally indistinguishable. In other words, for any probabilistic polynomial-time
adversary
An adversary is generally considered to be a person, group, or force that opposes and/or attacks.
Adversary may also refer to:
* Satan ("adversary" in Hebrew), in Judeo-Christian religion
Entertainment Fiction
* Adversary (comics), villain fro ...
''A'', there is a negligible function
(''i.e.'', a function that eventually grows slower than
for any polynomial ''p'') such that, for every pair of circuits
of the same size ''k'' that implement the same functionality, we have
History
The origin of this idea came from
Amit Sahai
Amit Sahai (born 1974) is an American computer scientist. He is a professor of computer science at UCLA and the director of the Center for Encrypted Functionalities.
Biography
Amit Sahai was born in 1974 in Thousand Oaks, California, to parents wh ...
in 1996 from the notion of a
zero-knowledge proof
In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true while the prover avoids conveying any additional information a ...
.
In 2001, Barak et al., showing that
black-box obfuscation
In cryptography, black-box obfuscation was a proposed cryptographic primitive which would allow a computer program to be obfuscated in a way such that it was impossible to determine anything about it except its input and output behavior. Black-box ...
is impossible, also proposed the idea of an indistinguishability obfuscator, and constructed an inefficient one.
Although this notion seemed relatively weak, Goldwasser and Rothblum (2007) showed that an efficient indistinguishability obfuscator would be a best-possible obfuscator, and any best-possible obfuscator would be an indistinguishability obfuscator.
(However, for ''inefficient'' obfuscators, no best-possible obfuscator exists unless the
polynomial hierarchy
In computational complexity theory, the polynomial hierarchy (sometimes called the polynomial-time hierarchy) is a hierarchy of complexity classes that generalize the classes NP and co-NP. Each class in the hierarchy is contained within PSPACE. T ...
collapses to the second level.
)
Candidate constructions
Barak et al. (2001) proved that an ''inefficient'' indistinguishability obfuscator exists for circuits; that is, the lexicographically first circuit that computes the same function.
If
P = NP
The P versus NP problem is a major unsolved problem in theoretical computer science. In informal terms, it asks whether every problem whose solution can be quickly verified can also be quickly solved.
The informal term ''quickly'', used abov ...
holds, then an indistinguishability obfuscator exists, even though no other kind of cryptography would also exist.
A candidate construction of IO with
provable security
Provable security refers to any type or level of computer security that can be proved. It is used in different ways by different fields.
Usually, this refers to mathematical proofs, which are common in cryptography. In such a proof, the capabiliti ...
under concrete
hardness assumptions relating to
multilinear maps was published by Garg et al. (2013),
but this assumption was later invalidated.
(Previously, Garg, Gentry, and Halevi (2012) had constructed a candidate version of a multilinear map based on heuristic assumptions.
)
Starting from 2016, Lin began to explore constructions of IO based on less strict versions of multilinear maps, constructing a candidate based on maps of degree up to 30, and eventually a candidate based on maps of degree up to 3.
Finally, in 2020, Jain, Lin, and Sahai proposed a construction of IO based on the
symmetric external Diffie-Helman,
learning with errors
Learning with errors (LWE) is the computational problem of inferring a linear n-ary function f over a finite ring from given samples y_i = f(\mathbf_i) some of which may be erroneous.
The LWE problem is conjectured to be hard to solve, and thus to ...
, and
learning plus noise assumptions,
as well as the existence of a super-linear stretch
pseudorandom generator
In theoretical computer science and cryptography, a pseudorandom generator (PRG) for a class of statistical tests is a deterministic procedure that maps a random seed to a longer pseudorandom string such that no statistical test in the class ...
in the function class
NC0.
(The existence of pseudorandom generators in NC
0 (even with sub-linear stretch) was a long-standing open problem until 2006.) It is possible that this construction could be broken with
quantum computing
Quantum computing is a type of computation whose operations can harness the phenomena of quantum mechanics, such as superposition, interference, and entanglement. Devices that perform quantum computations are known as quantum computers. Though ...
, but there is an alternative construction that may be secure even against that (although the latter relies on less established security assumptions).
Practicality?
There have been attempts to implement and benchmark IO candidates.
For example, as of 2017, an obfuscation of the function
at a security level of 80 bits took 23.5 minutes to produce and measured 11.6 GB, with an evaluation time of 77 ms.
Additionally, an obfuscation of the
Advanced Encryption Standard
The Advanced Encryption Standard (AES), also known by its original name Rijndael (), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
AES is a variant ...
encryption circuit at a security level of 128 bits would measure 18 PB and have an evaluation time of about 272 years.
An
open-source software
Open-source software (OSS) is computer software that is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software and its source code to anyone and for any purpose. Op ...
implementation of an IO candidate was created in 2015.
Existence
It is useful to divide the question of the existence of iO by using
Russell Impagliazzo's "five worlds", which are five different hypothetical situations about
average-case complexity:
* ''Algorithmica'': In this case
P = NP
The P versus NP problem is a major unsolved problem in theoretical computer science. In informal terms, it asks whether every problem whose solution can be quickly verified can also be quickly solved.
The informal term ''quickly'', used abov ...
, but iO exists.
* ''Heuristica'': In this case NP problems are easy on average; iO does not exist.
*''Pessiland'': In this case,
, but
one-way functions
In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, sp ...
do not exist; as a result, iO does not exist.
*''Minicrypt'': In this case,
one-way functions
In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, sp ...
exist, but secure
public-key cryptography
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
does not; iO does not exist (because explicit constructions of public-key cryptography from iO and one-way functions are known).
*''Cryptomania'': In this case, secure
public-key cryptography
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
exists; but iO does not exist.
*''Obfustopia'': In this case, iO is believed to exist.
Potential applications
Indistinguishability obfuscators, if they exist, could be used for an enormous range of
cryptographic
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or '' -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adve ...
applications, so much so that it has been referred to as a "central hub" for cryptography,
the "crown jewel of cryptography",
or "crypto-complete".
Concretely, an indistinguishability obfuscator (with the additional assumption of the existence of
one-way function
In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, s ...
s
) could be used to construct the following kinds of cryptography:
* Indistinguishability obfuscation for programs in the RAM model
and for
Turing machine
A Turing machine is a mathematical model of computation describing an abstract machine that manipulates symbols on a strip of tape according to a table of rules. Despite the model's simplicity, it is capable of implementing any computer algori ...
s
*
IND-CCA-secure
public-key cryptography
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
* Short
digital signature
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...
s
*
IND-CCA-secure
key encapsulation
In cryptographic protocols, a key encapsulation mechanism (KEM) is used to secure symmetric key material for transmission using asymmetric (public-key) algorithms. It is commonly used in hybrid cryptosystems. In practice, public key systems are c ...
schemes
* Perfectly zero-knowledge
non-interactive zero-knowledge proof
Non-interactive zero-knowledge proofs are zero-knowledge proofs where information between a prover and a verifier can be authenticated by the prover, without revealing any of the specific information beyond the validity of the transaction itself. T ...
s and succinct non-interactive arguments
* Constant-round concurrent zero-knowledge protocols
*
Multilinear map
In linear algebra, a multilinear map is a function of several variables that is linear separately in each variable. More precisely, a multilinear map is a function
:f\colon V_1 \times \cdots \times V_n \to W\text
where V_1,\ldots,V_n and W are ...
s with bounded polynomial degrees
*
Injective
In mathematics, an injective function (also known as injection, or one-to-one function) is a function that maps distinct elements of its domain to distinct elements; that is, implies . (Equivalently, implies in the equivalent contrapositiv ...
trapdoor function
In theoretical computer science and cryptography, a trapdoor function is a function that is easy to compute in one direction, yet difficult to compute in the opposite direction (finding its inverse) without special information, called the "trap ...
s
*
Fully homomorphic encryption
Homomorphic encryption is a form of encryption that permits users to perform computations on its encrypted data without first decrypting it. These resulting computations are left in an encrypted form which, when decrypted, result in an identical ...
*
Witness encryption
*
Functional encryption
Functional encryption (FE) is a generalization of public-key encryption in which possessing a secret key allows one to learn a function of what the ciphertext is encrypting.
Formal definition
More precisely, a functional encryption scheme for a g ...
*
Secret sharing
Secret sharing (also called secret splitting) refers to methods for distributing a secret among a group, in such a way that no individual holds any intelligible information about the secret, but when a sufficient number of individuals combine th ...
for any monotone NP language
* Semi-honest
oblivious transfer
*
Deniable encryption
In cryptography and steganography, plausibly deniable encryption describes encryption techniques where the existence of an encrypted file or message is deniable in the sense that an adversary cannot prove that the plaintext data exists.
The users ...
(both sender-deniable and fully-deniable)
* Multiparty, non-interactive
key exchange
Key exchange (also key establishment) is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm.
If the sender and receiver wish to exchange encrypted messages, each ...
* Adaptively secure succinct garbled RAM
* Correlation intractable functions
* Attribute-based encryption
*Oblivious transfer
*Traitor tracing
*Graded encoding schemes
Additionally, if iO and one-way functions exist, then problems in the
PPAD complexity class are provably hard.
However, indistinguishability obfuscation cannot be used to construct ''every'' possible cryptographic protocol: for example, no black-box construction can convert an indistinguishability obfuscator to a collision-resistant
hash function
A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called ''hash values'', ''hash codes'', ''digests'', or simply ''hashes''. The values are usually u ...
family, even with a
trapdoor permutation
In theoretical computer science and cryptography, a trapdoor function is a function that is easy to compute in one direction, yet difficult to compute in the opposite direction (finding its inverse) without special information, called the "tra ...
, unless with an ''exponential'' loss of security.
See also
*
Black-box obfuscation
In cryptography, black-box obfuscation was a proposed cryptographic primitive which would allow a computer program to be obfuscated in a way such that it was impossible to determine anything about it except its input and output behavior. Black-box ...
, a stronger form of obfuscation proven to be impossible
References
{{reflist
Cryptographic primitives
Software obfuscation