Prabhanjan Ananth: Universal Obfuscation and Witness Encryption: Boosting Correctness and Combining Security
Date: Friday, April 22, 2016
Time: 10:30 AM to 12:00 PM
Location: Hewlett, G882
Host: Vinod Vaikuntanathan
Contact: Deborah Lehto, 617.324.7303, firstname.lastname@example.org
Speaker URL: None
TALK: Prabhanjan Ananth: Universal Obfuscation and Witness Encryption: Boosting Correctness and Combining Security
Abstract: Over the last few years a new breed of cryptographic primitives has arisen: on one hand they have previously unimagined utility and on the other hand they are not based on simple to state and tried out assumptions.
With the on-going study of these primitives, we are left with several different candidate constructions
each based on a different, not easy to express, mathematical assumptions, where some even turn out to be insecure.
A combiner for a cryptographic primitive takes several candidate constructions of the primitive and outputs one construction
that is as good as any of the input constructions. Furthermore, this combiner must be efficient:
the resulting construction should remain polynomial-time even when combining polynomially many candidates. Combiners are
especially important for a primitive where there are several competing constructions whose security is hard to evaluate, as is the case for
indistinguishability obfuscation (IO) and witness encryption (WE).
One place where the need for combiners appears is in design of a universal construction, where one wishes to find "one
construction to rule them all" (theoretically): an explicit construction that is secure if any
construction of the primitive exists.
In a recent paper, Goldwasser and Kalai posed as a challenge finding universal constructions for indistinguishability obfuscation
and witness encryption. In this work we resolve this issue: we construct universal schemes for IO, and
for witness encryption, and also resolve the existence of combiners for these primitives along the way.
For IO, our universal construction and combiners can be built based on either assuming DDH, or assuming LWE, with security
against sub-exponential adversaries. For witness encryption, we need only one-way functions secure against
polynomial time adversaries.
Joint work with Aayush Jain, Moni Naor, Amit Sahai and Eylon Yogev.
Created by Deborah Goodwin at Friday, April 01, 2016 at 10:45 AM.