Ilan Komargodski

One-Way Functions and (Im)Perfect Obfuscation

A program obfuscator takes a program and outputs a scrambled version of it, where the goal is that the obfuscated program will not reveal much about its structure beyond what is apparent from executing it. There are several ways of formalizing this goal. Specifically, in indistinguishability obfuscation, first defined by Barak et al. (CRYPTO 2001), the requirement is that the results of obfuscating any two functionally equivalent programs (circuits) will be computationally indistinguishable. Recently, a fascinating candidate construction for indistinguishability obfuscation was proposed by Garg et al. (FOCS 2013). This has led to a flurry of discovery of intriguing constructions of primitives and protocols whose existence was not previously known (for instance, fully deniable encryption by Sahai and Waters, STOC 2014). Most of them explicitly rely on additional hardness assumptions, such as one-way functions. Our goal is to get rid of this extra assumption. We cannot argue that indistinguishability obfuscation of all polynomial-time circuits implies the existence of one-way functions, since if P ≠ NP, then program obfuscation (under the indistinguishability notion) is possible. Instead, the ultimate goal is to argue that if P ≠ NP and program obfuscation is possible, then one-way functions exist. Our main result is that if NP ⊈; io-BPP and there is an efficient (even imperfect) indistinguishability obfuscator, then there are one-way functions. In addition, we show that the existence of an indistinguishability obfuscator implies (unconditionally) the existence of SZK-arguments for NP. This, in turn, provides an alternative version of our main result, based on the assumption of hard-on-the average NP problems. To get some of our results we need obfuscators for simple programs such as 3CNF formulas

Improved Average-Case Lower Bounds for DeMorgan Formula Size

We give an explicit function h: {0, 1}n → {0, 1} such that every deMorgan formula of size n3-o(1)/r2 agrees with h on at most a fraction of 1/2+2-Ω(r) of the inputs. This improves the previous average-case lower bound of Komargodski and Raz (STOC, 2013). Our technical contributions include a theorem that shows that the expected shrinkage result of Haastad (SIAM J. Comput., 1998) actually holds with very high probability (where the restrictions are chosen from a certain distribution that takes into account the structure of the formula), combining ideas of both Impagliazzo, Meka and Zuckerman (FOCS, 2012) and Komargodski and Raz. In addition, using a bit-fixing extractor in the construction of h allows us to simplify a major part of the analysis of Komargodski and Raz1.

Average-case lower bounds for formula size

We give an explicit function h:{0,1}ⁿ->{0,1} such that any deMorgan formula of size O(n^2.499) agrees with h on at most 1/2 + ε fraction of the inputs, where ε is exponentially small (i.e. ε = 2^{-n^Ω(1)}). We also show, using the same technique, that any boolean formula of size O(n^1.999) over the complete basis, agrees with h on at most 1/2 + ε fraction of the inputs, where ε is exponentially small (i.e. ε = 2^{-n^Ω(1)}). Our construction is based on Andreevs Ω(n^2.5-o(1)) formula size lower bound that was proved for the case of exact computation.

Leakage Resilient One-Way Functions: The Auxiliary-Input Setting

Most cryptographic schemes are designed in a model where perfect secrecy of the secret key is assumed. In most physical implementations, however, some form of information leakage is inherent and unavoidable. To deal with this, a flurry of works showed how to construct basic cryptographic primitives that are resilient to various forms of leakage. n nDodis et al. FOCS 10 formalized and constructed leakage resilient one-way functions. These are one-way functions f such that given a random image fx and leakage gx it is still hard to invert fx. Based on any one-way function, Dodis et al. constructed such a one-way function that is leakage resilient assuming that an attacker can leak any lossy function g of the input. n nIn this work we consider the problem of constructing leakage resilient one-way functions that are secure with respect to arbitrary computationally hiding leakage a.k.a auxiliary-input. We consider both types of leakage -- selective and adaptive -- and prove various possibility and impossibility results. n nOn the negative side, we show that if the leakage is an adaptively-chosen arbitrary one-way function, then it is impossible to construct leakage resilient one-way functions. The latter is proved both in the random oracle model without any further assumptions and in the standard model based on a strong vector-variant of DDH. On the positive side, we observe that when the leakage is chosen ahead of time, there are leakage resilient one-way functions based on a variety of assumption.

Functional Encryption for Randomized Functionalities in the Private-Key Setting from Minimal Assumptions

We present a construction of a private-key functional encryption scheme for any family of randomized functionalities based on any such scheme for deterministic functionalities that is sufficiently expressive. Instantiating our construction with existing schemes for deterministic functionalities, we obtain schemes for any family of randomized functionalities based on a variety of assumptions (including the LWE assumption, simple assumptions on multilinear maps, and even the existence of any one-way function) offering various trade-offs between security and efficiency.

From Minicrypt to Obfustopia via Private-Key Functional Encryption

Private-key functional encryption enables fine-grained access to symmetrically-encrypted data. Although private-key functional encryption (supporting an unbounded number of keys and ciphertexts) seems significantly weaker than its public-key variant, its known realizations all rely on public-key functional encryption. At the same time, however, up until recently it was not known to imply any public-key primitive, demonstrating our poor understanding of this extremely-useful primitive.

Hardness preserving reductions via cuckoo hashing

A common method for increasing the usability and uplifting the security of pseudorandom function families (PRFs) is to hash the inputs into a smaller domain before applying the PRF. This approach, known as Levins trick, is used to achieve PRF domain extension (using a short,e.g,fixed, input length PRF to get a variable-length PRF), and more recently to transform non-adaptive PRFs to adaptive ones. Such reductions, however, are vulnerable to a birthday attack: after

White-Box vs. Black-Box Complexity of Search Problems: Ramsey and Graph Property Testing

sqrt{|mathcal{U}}

Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)

queries to the resulting PRF, where

Collision Resistant Hashing for Paranoids: Dealing with Multiple Collisions

mathcal{U}