Indistinguishability Obfuscation Without Multilinear Maps: New Methods for Bootstrapping and Instantiation

Constructing indistinguishability obfuscation (iO) [17] is a central open question in cryptography. We provide new methods to make progress towards this goal. Our contributions may be summarized as follows: 1. Bootstrapping. In a recent work, Lin and Tessaro [71] (LT) show that iO may be constructed using (i) Functional Encryption (FE) for polynomials of degree L, (ii) Pseudorandom Generators (PRG) with blockwise locality L and polynomial expansion, and (iii) Learning With Errors (LWE). Since there exist constructions of FE for quadratic polynomials from standard assumptions on bilinear maps [16,68], the ideal scenario would be to set L = 2, yielding iO from widely believed assumptions Unfortunately, it was shown soon after [18,73] that PRG with block locality 2 and the expansion factor required by the LT construction, concretely Omega(n center dot 2(b(3+epsilon))), where n is the input length and b is the block length, do not exist. In the worst case, these lower bounds rule out 2-block local PRG with stretch Omega(n center dot 2(b(2+epsilon))). While [18,73] provided strong negative evidence for constructing iO based on bilinear maps, they could not rule out the possibility completely; a tantalizing gap has remained. Given the current state of lower bounds, the existence of 2 block local PRG with expansion factor Omega(n center dot 2(b(1+epsilon))) remains open, although this stretch does not suffice for the LT boot-strapping, and is hence unclear to be relevant for iO. In this work, we improve the state of affairs as follows. (a) Weakening requirements on Boolean PRGs: In this work, we show that the narrow window of expansion factors left open by lower bounds do suffice for iO. We show a new method to construct FE for NC1 from (i) FE for degree L polynomials, (ii) PRGs of block locality L and expansion factor (Omega) over tilde (n center dot 2(b(1+epsilon))), and (iii) LWE (or RLWE). (b) Broadening class of sufficient randomness generators: Our boot-strapping theorem may be instantiated with a broader class of pseudorandom generators than hitherto considered for iO, and may circumvent lower bounds known for the arithmetic degree of iO-sufficient PRGs [18,73]; in particular, these may admit instantiations with arithmetic degree 2, yielding iO with the additional assumptions of SXDH on Bilinear maps and LWE. In more detail, we may use the following two classes of PRG: i. Non-Boolean PRGs: We may use pseudorandom generators whose inputs and outputs need not be Boolean but may be integers restricted to a small (polynomial) range. Additionally, the outputs are not required to be pseudorandom but must only satisfy a milder indistinguishability property (We note that our notion of non Boolean PRGs is qualitatively similar to the notion of Delta RGs defined in the concurrent work of Ananth, Jain and Sahai [9]. We emphasize that the methods of [9] and the present work are very different, but both works independently discover the same notion of weak PRG as sufficient for building iO.). ii. Correlated Noise Generators: We introduce an even weaker class of pseudorandom generators, which we call correlated noise generators (CNG) which may not only be non-Boolean but are required to satisfy an even milder (seeming) indistinguishability property than. RG. (c) Assumptions and Efficiency. Our bootstrapping theorems can be based on the hardness of the Learning With Errors problem or its ring variant (LWE/RLWE) and can compile FE for degree L polynomials directly to FE for NC1. Previous work compiles FE for degree L polynomials to FE for NC0 to FE for NC1 to iO [12,45,68,72]. Our method for bootstrapping to NC1 does not go via randomized encodings as in previous works, which makes it simpler and more efficient than in previous works. 2. Instantiating Primitives. In this work, we provide the first direct candidate of FE for constant degree polynomials from new assumptions on lattices. Our construction is new and does not go via multilinear maps or graded encoding schemes as all previous constructions. Together with the bootstrapping step above, this yields a completely new candidate for iO (as well as FE for NC1), which makes no use of multilinear or even bilinear maps. Our construction is based on the ring learning with errors assumption (RLWE) as well as new untested assumptions on NTRU rings. We provide a detailed security analysis and discuss why previously known attacks in the context of multilinear maps, especially zeroizing and annihilation attacks, do not appear to apply to our setting. We caution that our construction must yet be subject to rigorous cryptanalysis by the community before confidence can be gained in its security. However, we believe that the significant departure from known multilinear map based constructions opens up a new and potentially fruitful direction to explore in the quest for iO. Our construction is based entirely on lattices, due to which one may hope for post quantum security. Note that this feature is not enjoyed by instantiations that make any use of bilinear maps even if secure instances of weak PRGs, as identified by the present work, the follow-up by Lin and Matt [69] and the independent work by Ananth, Jain and Sahai [9] are found.