[PDF] Top 20 Lower Bounds on Assumptions behind Indistinguishability Obfuscation

... hardness assumptions, the assumptions behind the constructions of iO seem to be qualitatively differ- ent compared to other cryptographic primitives, even in comparison with very powerful primitives ... See full document

... of indistinguishability obfuscation and functional encryption for oracle-aided circuits (see Sections ...security assumptions – which are already captured by most frameworks for black-box ... See full document

... Constrained PRFs. Recall that constrained PRFs, needed in iO proofs of security, are PRFs for which there are constrained keys than enable the evaluation of the PRF at a subset of the PRF domain and nowhere else [BW13, ... See full document

... Such assumptions are arguably not ...standard assumptions where it possible to algorithmically study the best possible “breakers”, here we do not even have an algorithmic way to test whether a given ... See full document

... We now discuss implications of pa-iO to iO for TMs. We first recall that all recent progress on achieving iO for TMs/RAMs[CHJV15, BGL + 15, KLW15, CH16, CCC + 16] from iO for circuits has required a polynomial bound ` to ... See full document

... The notion of concurrent zero knowledge, first introduced and achieved in the paper by Dwork, Naor and Sahai [DNS04], considers the execution of zero-knowledge proofs in an asynchronous and concurrent setting. More ... See full document

... is define as f (x) = xg. We’ll regard the ring as the plaintext space, and all possible encodings as the encoding space. Secondly, in order to simulate the cyclic group operation ag +bg = (a+b)g, the encoding system have ... See full document

... Unfortunately, so far, the existence of IO remain uncertain. Most known candidate IO schemes [GGH + 13b, BR14, BGK + 14, PST14, AGIS14, GLSW15, Zim15, AB15, GMS16, MSZ16, DGG + 16] are built from the so-called graded ... See full document

... to assumptions, which although strong, are not known to be uninstantiable under existence of ...indeed indistinguishability obfuscation ...stronger assumptions on the base schemes (such as ... See full document

... between assumptions we believe and ...of indistinguishability, namely the adversary is allowed to distinguish between N and N + e with 1/ poly probability in their case, whereas we require standard ... See full document

... Presently, known constructions of public-key FE with security against unbounded collusions rely upon iO and one-way functions [GGH + 13b, Wat14] or specific assumptions on composite-order multilinear maps ... See full document

... weaker assumptions suffices for obtaining obfuscation (and they do not imply the aGDDH as- sumption), the weak notion of semantical security suffices for obtaining witness encryption [GGSW13]— roughly ... See full document

... actual obfuscation of one of the program ...of assumptions, there is no ...of assumptions against polynomial-time adversaries, whereas our assumption requires security against sub-exponential ... See full document

... Despite the key role of one-way permutations in the foundations of cryptography, only very few candidates have been suggested over the years. Whereas one-way functions can be based on an extremely wide variety of ... See full document

... While the research direction of using iO to build other cryptographic primitives has met much success, building iO itself from standard cryptographic assumptions has so far proven to be notoriously difficult. The ... See full document

... Our proof builds on ideas by BST, and we will come back to their result in the context of presenting our proof techniques. We note that for our security proof, we assume AIPO in addition to iO and thereby are able to ... See full document

... the initial posting of our papers. During this time, with regard to the minimum level of multilinearity needed for constructing iO, certain milestones were reached at different times. In particular, our group had the ... See full document

... iO is a weaker primitive than VBB obfuscation. In fact, it is not hard to see that we cannot even hope to prove that iO implies one-way functions: Indeed, if P = NP then one-way functions do not exist but iO does ... See full document

... In the past few years, functional encryption (FE) schemes with different efficiency and se- curity features were constructed from various computational assumptions. A central measure of interest (in general and in ... See full document

... On the flip side, the tremendous power of IO also begets its reliance on strong and untested computational assumptions. Indeed, it has been a major cryptographic quest to come up with a construction of IO based on ... See full document