Indistinguishability Obfuscation Without Multilinear Maps: New Methods for Bootstrapping and Instantiation

Abstract

Constructing indistinguishability obfuscation (\(\mathsf{iO}\)) [17] is a central open question in cryptography. We provide new methods to make progress towards this goal. Our contributions may be summarized as follows:

1. 1.

   Bootstrapping. In a recent work, Lin and Tessaro [71] (LT) show that \(\mathsf{iO}\) may be constructed using (i) Functional Encryption (\(\mathsf {FE}\)) for polynomials of degree L, (ii) Pseudorandom Generators (\(\mathsf{PRG}\)) with blockwise locality L and polynomial expansion, and (iii) Learning With Errors (\(\mathsf{LWE}\)). Since there exist constructions of \(\mathsf {FE}\) for quadratic polynomials from standard assumptions on bilinear maps [16, 68], the ideal scenario would be to set \(L=2\), yielding \(\mathsf{iO}\) from widely believed assumptions

   Unfortunately, it was shown soon after [18, 73] that \(\mathsf{PRG}\) with block locality 2 and the expansion factor required by the LT construction, concretely \(\varOmega (n \cdot 2^{b(3+\epsilon )})\), where n is the input length and b is the block length, do not exist. In the worst case, these lower bounds rule out 2-block local \(\mathsf{PRG}\) with stretch \(\varOmega (n \cdot 2^{b(2+\epsilon )})\). While [18, 73] provided strong negative evidence for constructing \(\mathsf{iO}\) based on bilinear maps, they could not rule out the possibility completely; a tantalizing gap has remained. Given the current state of lower bounds, the existence of 2 block local \(\mathsf{PRG}\) with expansion factor \(\varOmega (n \cdot 2^{b(1+\epsilon )})\) remains open, although this stretch does not suffice for the LT bootstrapping, and is hence unclear to be relevant for \(\mathsf{iO}\).

   In this work, we improve the state of affairs as follows.

   1. (a)

      Weakening requirements on Boolean PRGs: In this work, we show that the narrow window of expansion factors left open by lower bounds do suffice for \(\mathsf{iO}\). We show a new method to construct \(\mathsf {FE}\) for \(\mathsf {NC}_1\) from (i) \(\mathsf {FE}\) for degree L polynomials, (ii) \(\mathsf{PRG}\)s of block locality L and expansion factor \(\tilde{\varOmega }(n \cdot 2^{b(1+\epsilon )})\), and (iii) \(\mathsf{LWE}\) (or \(\mathsf{RLWE}\)).

   2. (b)

      Broadening class of sufficient randomness generators: Our bootstrapping theorem may be instantiated with a broader class of pseudorandom generators than hitherto considered for \(\mathsf{iO}\), and may circumvent lower bounds known for the arithmetic degree of \(\mathsf{iO}\)-sufficient \(\mathsf{PRG}\)s [18, 73]; in particular, these may admit instantiations with arithmetic degree 2, yielding \(\mathsf{iO}\) with the additional assumptions of \(\mathsf{SXDH}\) on Bilinear maps and \(\mathsf{LWE}\). In more detail, we may use the following two classes of \(\mathsf{PRG}\):

      1. i.

         Non-Boolean PRGs: We may use pseudorandom generators whose inputs and outputs need not be Boolean but may be integers restricted to a small (polynomial) range. Additionally, the outputs are not required to be pseudorandom but must only satisfy a milder indistinguishability property (We note that our notion of non Boolean PRGs is qualitatively similar to the notion of \(\varDelta \) RGs defined in the concurrent work of Ananth, Jain and Sahai [9]. We emphasize that the methods of [9] and the present work are very different, but both works independently discover the same notion of weak PRG as sufficient for building \(\mathsf{iO}\).).

      2. ii.

         Correlated Noise Generators: We introduce an even weaker class of pseudorandom generators, which we call correlated noise generators (\(\mathsf{CNG}\)) which may not only be non-Boolean but are required to satisfy an even milder (seeming) indistinguishability property than \(\varDelta \) RG.

   3. (c)

      Assumptions and Efficiency. Our bootstrapping theorems can be based on the hardness of the Learning With Errors problem or its ring variant (\(\mathsf{LWE}/ \mathsf{RLWE}\)) and can compile \(\mathsf {FE}\) for degree L polynomials directly to \(\mathsf {FE}\) for \(\mathsf {NC}_1\). Previous work compiles \(\mathsf {FE}\) for degree L polynomials to \(\mathsf {FE}\) for \(\mathsf {NC}_0\) to \(\mathsf {FE}\) for \(\mathsf {NC}_1\) to \(\mathsf{iO}\) [12, 45, 68, 72].

      Our method for bootstrapping to \(\mathsf {NC}_1\) does not go via randomized encodings as in previous works, which makes it simpler and more efficient than in previous works.

2. 2.

   Instantiating Primitives. In this work, we provide the first direct candidate of \(\mathsf {FE}\) for constant degree polynomials from new assumptions on lattices. Our construction is new and does not go via multilinear maps or graded encoding schemes as all previous constructions. Together with the bootstrapping step above, this yields a completely new candidate for \(\mathsf{iO}\) (as well as \(\mathsf {FE}\) for \(\mathsf {NC}_1\)), which makes no use of multilinear or even bilinear maps. Our construction is based on the ring learning with errors assumption (\(\mathsf{RLWE}\)) as well as new untested assumptions on NTRU rings.

   We provide a detailed security analysis and discuss why previously known attacks in the context of multilinear maps, especially zeroizing and annihilation attacks, do not appear to apply to our setting. We caution that our construction must yet be subject to rigorous cryptanalysis by the community before confidence can be gained in its security. However, we believe that the significant departure from known multilinear map based constructions opens up a new and potentially fruitful direction to explore in the quest for \(\mathsf{iO}\).

   Our construction is based entirely on lattices, due to which one may hope for post quantum security. Note that this feature is not enjoyed by instantiations that make any use of bilinear maps even if secure instances of weak PRGs, as identified by the present work, the follow-up by Lin and Matt [69] and the independent work by Ananth, Jain and Sahai [9] are found.