Exploring Efficient iO and Its Applications

io with exponential efficiency n.w
1 / 42
Embed
Share

Delve into the world of efficient indistinguishability obfuscation (iO) and its plethora of applications, examining the potential for identifying qualitatively weaker notions that suffice for various uses. Explore the efficiency and challenges of iO constructions based on multilinear maps, and consider the implications of slightly nontrivial obfuscation.

  • iO
  • Obfuscation
  • Applications
  • Efficiency
  • Quantum Computing
rayaanacharya
jditz Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. iO with Exponential Efficiency Huijia Lin (USB), Rafael Pass (Cornell) Karn Seth (Cornell -> Google) Sid Telang (Cornell -> Google)

  2. IO Plethora of Applications For example: SW14, BCP14, BZ14, GGHR14, BGL+15, CHJV14, KLW14 May plausibly exist Candidates: GGH+13b, BR 13, BGK+13, PST14, GLSW14 Avoids impossibility results for stronger notions e.g., those of BGI+01, GK05, CKP15, PS15, MMN15, LPST15

  3. IO However: All concrete constructions based on multilinear maps [GGH13a, CLT13, GGH15, CLT15] All MLM constructions have nontrivial attacks [CHL+15, MF15, ]

  4. Can we identify qualitatively weaker notions that suffice for applications? E.g., Compact FE -> iO [AJ15,BV15] Today: Today: XiO XiO ( (iO iO with with exponential efficiency ) exponential efficiency ) May plausibly exists unconditionally May plausibly exists unconditionally

  5. Recap: IO C1 = C2

  6. Recap: IO C1 iO = iO C2

  7. Recap: IO C1 iO(C1) iO = iO C2 iO(C2)

  8. Inefficient iO C iO(C)

  9. Inefficient iO n = input length C iO(C) Time to obfuscate = poly( , |C|) * 2n Size of obfuscation = poly( , |C|) * 2n

  10. Inefficient iO x C(x) 11011 01010 11111 11000 00000 01010 11100 00111 000 001 010 011 100 101 110 111 Trivial C Time to obfuscate = poly( , |C|) * 2n Size of obfuscation = poly( , |C|) * 2n

  11. Inefficient iO slightly nontrivial C iO(C) Time to obfuscate = poly( , |C|) * 2n Size of obfuscation = poly( , |C|) * 2n(1- ) for < 1

  12. Inefficient iO slightly nontrivial C iO(C) Time to obfuscate = poly( , |C|, 2n) Size of obfuscation = poly( , |C|) * 2n(1- ) for < 1

  13. Exponentially Efficient iO (XiO) slightly nontrivial C iO(C) Time to obfuscate = poly( , |C|, 2n) Size of obfuscation = poly( , |C|) * 2n(1- ) for < 1

  14. YES YES Is XiO useful? d dunno unno.. .. Can perfect/statistical perfect/statistical XiO exist?

  15. Function Compression [Kabanets and Kolokolova 13] You get black-box access to a function {0,1}n->{0,1} You can run in time poly(2 poly(2n n) ) Need to output a description of length poly(C) * 2n(1- ) XiO can be viewed as Function compression with witness

  16. Theorem: Assume the existence of XiO XiO for for circuits with circuits with short inputs short inputs and the hardness of LWE, both with subexponential security. Then, there exists standard iO standard iO for circuits.

  17. Proof Outline Proof Outline XiO + LWE -> short-cipertext FE short-ciphertext FE + LWE -> iO [LPST 15]

  18. Functional Encryption Enc(x): x C skC: C(x) Dec(skC, Enc(x)):

  19. Functional Encryption If C(m0) = C(m1) m1 m0 C C

  20. Non-Compact Enc time polynomial in circuit size m C

  21. Compact/Sublinear [AJ 15,BV 15] Enc time polylog/subliner in circuit size time only m C Thm Thm [AJ 15,BV 15]: SubExp Secure Sublinear FE -> iO

  22. Short FE [LPST15] Length Length of ciphertext sublinear in circuit size m |Enc(m)| = poly( ,|m|) * |C|1- for >0 C Thm Thm [LPST 15]: SubExp Secure Short FE + LWE -> iO

  23. Succinct [GKP+14] Depends only polylogarithmically on circuit size m (But only works for circuits with 1-bit output) C Thm Thm [GKP+ 14,GVW 13]: LWE -> Succinct FE

  24. Goal m m XiO C C Succinct FE Short FE

  25. Idea m, i Encrypt pairs (m,i) C

  26. Idea m, i Encrypt pairs (m,i) Change to C such that C (m, i) = yi, the ith C output bit of C(m)

  27. Idea m, 1 m, t Now, to encrypt m, instead encrypt all pairs (m,i) for 1 i t C

  28. Idea m, 1 m, t Now, to encrypt m, instead encrypt all pairs (m,i) for 1 i t C To decrypt, apply skC to each, and combine results y0 y1 yt y =

  29. Problem Not sublinear m, 1 m, t C y0 y1 yt y =

  30. Problem Not sublinear m, 1 m, t Ciphertext grows linearly with t, the number of output bits of C, which is not sublinear in |C|. C y0 y1 yt y =

  31. Problem Not sublinear m, 1 m, t Ciphertext grows linearly with t, the number of output bits of C, which is not sublinear in |C|. C Need to compress ciphertext y0 y1 yt y =

  32. Solution i Instead of a ciphertext, release a circuit G[K,m] that, on input i, generates Enc(m,i) G[K,m] m, i

  33. Solution i Instead of a ciphertext, release a circuit G[K,m] that, on input i, generates Enc(m,i) G[K,m] Use PRF(K,i) as encryption randomness. m, i

  34. Solution i As a ciphertext: release a circuit G[K,m] that, on input i, generates Enc(m,i). G[K,m] Use PRF(K,i) as encryption randomness. Obfuscate the circuit using XiO to hide K and m. m, i

  35. Sublinear |XiO(G[k,m])| = poly( , |G(k,m)|) * 2n(1- ) G[K,m] |G[K,m]| = (PRF evaluation + Encryption) = poly( , |m|)

  36. Sublinear |XiO(G[k,m])| = poly( , |G(k,m)|) * 2n(1- ) G[K,m] |G[K,m]| = (PRF evaluation + Encryption) = poly( , |m|) Input length n = log t log |C|

  37. Sublinear |XiO(G[k,m])| = poly( , |G(k,m)|) * 2n(1- ) G[K,m] |G[K,m]| = (PRF evaluation + Encryption) = poly( , |m|) Input length n = log t log |C|

  38. Sublinear |XiO(G[k,m])| = poly( , |G(k,m)|) * 2n(1- ) poly( , m) * |C|(1- ) G[K,m] |G[K,m]| = (PRF evaluation + Encryption) = poly( , |m|) Input length n = log t log |C|

  39. TODAY: TODAY: XiO + LWE -> short FE SubExp Secure short FE + LWE-> iO [LPST 15]

  40. Theorem: Assume the existence of XiO XiO for for circuits with circuits with short inputs short inputs and the hardness of LWE, both with subexponential security. Then, there exists standard iO standard iO for circuits.

  41. Conclusion: Getting non-trivial compression is what makes iO hard/interesting

  42. Thanks!

Related


Investment Portfolio Performance Update and Market Trends

Investment Portfolio Performance Update and Market Trends

ever
Exponential Decay in Ibuprofen Dosage

Exponential Decay in Ibuprofen Dosage

napoleon
Exponents and Rules

Exponents and Rules

matas
Reliability Functions in Data Analysis

Reliability Functions in Data Analysis

kaitlyn
Logarithmic Functions and Their Inverses

Logarithmic Functions and Their Inverses

gaara
Solving Exponential Equations Algebraically

Solving Exponential Equations Algebraically

havelock
Exponential Growth Functions Based on Gordon's Book

Exponential Growth Functions Based on Gordon's Book

miyah
Microbial Growth Phases

Microbial Growth Phases

alexandria
Moving Averages and Exponential Smoothing Methods

Moving Averages and Exponential Smoothing Methods

daisyl
Exponential Smoothing in Forecasting

Exponential Smoothing in Forecasting

zbayl
Quadratic and Exponential Models for Curved Relationships

Quadratic and Exponential Models for Curved Relationships

dharb
Enhancing Member Missionary Efforts for Exponential Success

Enhancing Member Missionary Efforts for Exponential Success

yescas_g
Forecasting Analysis for Glina Arts Fall 2016 Enrollment

Forecasting Analysis for Glina Arts Fall 2016 Enrollment

tyso_81
Advanced Circuit Simulation Using Matrix Exponential Operators

Advanced Circuit Simulation Using Matrix Exponential Operators

pra_tro
Fitting Exponential Functions to Data: Examples and Applications

Fitting Exponential Functions to Data: Examples and Applications

pjem
Exponential Random Graph Models (ERGMs) in Social Network Analysis

Exponential Random Graph Models (ERGMs) in Social Network Analysis

yema_55
Exponential Notation and Evaluating Expressions with Exponents

Exponential Notation and Evaluating Expressions with Exponents

tole_il
Methods for Evaluating Matrix Exponential

Methods for Evaluating Matrix Exponential

nean207
Microbial Growth: Phases and Dynamics

Microbial Growth: Phases and Dynamics

scol_i
Bacterial Growth and Nutritional Requirements

Bacterial Growth and Nutritional Requirements

sullyos
Exponential Variable Solving in Financial Algebra

Exponential Variable Solving in Financial Algebra

wyn_s
Exponential Growth in Polymerase Chain Reaction (PCR) for Novel Product Production

Exponential Growth in Polymerase Chain Reaction (PCR) for Novel Product Production

nmura

More Related Content