Lower bounds on assumptions behind indistinguishability obfuscation

Abstract

Since the seminal work of Garg et al. (FOCS’13) in which they proposed the first candidate construction for indistinguishability obfuscation (iO for short), iO has become a central cryptographic primitive with numerous applications. The security of the proposed construction of Garg et al. and its variants are proved based on multi-linear maps (Garg et al. Eurocrypt’13) and their idealized model called the graded encoding model (Brakerski and Rothblum TCC’14 and Barak et al. Eurocrypt’14). Whether or not iO could be based on standard and well-studied hardness assumptions has remain an elusive open question. In this work we prove lower bounds on the assumptions that imply iO in a black-box way, based on computational assumptions. Note that any lower bound for iO needs to somehow rely on computational assumptions, because if P = NP then statistically secure iO does exist. Our results are twofold:1. There is no fully black-box construction of iO from (exponentially secure) collision-resistant hash functions unless the polynomial hierarchy collapses. Our lower bound extends to (separate iO from) any primitive implied by a random oracle in a black-box way.2. Let P be any primitive that exists relative to random trapdoor permutations, the generic group model for any finite abelian group, or degree-O(1) graded encoding model for any finite ring. We show that achieving a black-box construction of iO from P is as hard as basing public-key cryptography on one-way functions. In particular, for any such primitive P we present a constructive procedure that takes any black-box construction of iO from P and turns it into a construction of semantically secure public-key encryption form any one-way functions. Our separations hold even if the construction of iO from P is semi-black-box (Reingold, Trevisan, and Vadhan, TCC’04) and the security reduction could access the adversary in a non-black-box way.