Lattice-Based SNARGs and Their Application to More Efficient Obfuscation

Dan Boneh, Yuval Ishai, Amit Sahai, David J. Wu
2017 Lecture Notes in Computer Science  
Succinct non-interactive arguments (SNARGs) enable verifying NP computations with substantially lower complexity than that required for classical NP verification. In this work, we first construct a lattice-based SNARG candidate with quasi-optimal succinctness (where the argument size is quasilinear in the security parameter). Further extension of our methods yields the first SNARG (from any assumption) that is quasi-optimal in terms of both prover overhead (polylogarithmic in the security parameter) as well as succinctness. Moreover, because our constructions are lattice-based, they plausibly resist quantum attacks. Central to our construction is a new notion of linear-only vector encryption which is a generalization of the notion of linear-only encryption introduced by Bitansky et al. (TCC 2013). We conjecture that variants of Regev encryption satisfy our new linear-only definition. Then, together with new information-theoretic approaches for building statistically-sound linear PCPs over small finite fields, we obtain the first quasi-optimal SNARGs. We then show a surprising connection between our new lattice-based SNARGs and the concrete efficiency of program obfuscation. All existing obfuscation candidates currently rely on multilinear maps. Among the constructions that make black-box use of the multilinear map, obfuscating a circuit of even moderate depth (say, 100) requires a multilinear map with multilinearity degree in excess of 2^100. In this work, we show that an ideal obfuscation of both the decryption function in a fully homomorphic encryption scheme and a variant of the verification algorithm of our new lattice-based SNARG yields a general-purpose obfuscator for all circuits. Finally, we give some concrete estimates needed to obfuscate this "obfuscation-complete" primitive. We estimate that at 80-bits of security, a (black-box) multilinear map with ≈ 2^12 levels of multilinearity suffices. This is over 2^80 times more efficient than existing candidates, and thus, represents an important milestone towards implementable program obfuscation for all circuits.

* This is a preliminary full version of [BISW17].

polylogarithmic in the running time of the NP verifier for the language. Notably, the size of the argument is polylogarithmic in the size of the NP witness. Kilian [Kil92] gave the first succinct four-round interactive argument system for NP based on collision-resistant hash functions and probabilistically-checkable proofs (PCPs).
Subsequently, Micali [Mic00] showed how to convert Kilian's four-round argument into a single-round argument for NP by applying the Fiat-Shamir heuristic [FS86]. Micali's "computationally-sound proofs" (CS proofs) is the first candidate construction of a succinct non-interactive argument (i.e., a "SNARG" [GW11]) in the random oracle model. In the standard model, single-round argument systems are impossible for sufficiently hard languages, so we consider the weaker goal of two-message succinct argument systems where the verifier's initial message is generated independently of the statement being proven. This message is often referred to as the common reference string (CRS).

In this work, we are interested in minimizing the prover complexity and proof length of SNARGs. Concretely, for a security parameter λ, we measure the asymptotic cost of achieving soundness against provers of circuit size 2^λ with negl(λ) error. We say that a SNARG has quasi-optimal succinctness if its proof length is Õ(λ), and that it is quasi-optimal if, in addition, the SNARG prover's running time is larger than that of a classical prover by only a polylogarithmic factor (in λ and the running time). In this paper, we construct the first SNARG that is quasi-optimal in this sense. The soundness of our SNARG is based on a new plausible intractability assumption, which is in the spirit of assumptions on which previous SNARGs were based (see Section 1.2). Moreover, based on a stronger variant of the assumption, we get a SNARK [BCCT12] (i.e., a SNARG of knowledge) with similar complexity (see Remark 4.9). All previous SNARGs, including heuristic ones, were suboptimal in at least one of the two measures by a factor of Ω(λ). For a detailed comparison with previous approaches, see Table 1. We give two SNARG constructions: one with quasi-optimal succinctness based on standard lattices, and another that is quasi-optimal based on ideal lattices over polynomial rings.
Because all of our SNARGs are lattice-based, they plausibly resist known quantum attacks. All existing SNARGs with quasi-optimal succinctness rely, at the minimum, on number-theoretic assumptions such as the hardness of discrete log. Thus, they are vulnerable to quantum attacks [Sho94, Sim97].

Application to efficient obfuscation. Independently of their asymptotic efficiency, our SNARGs can also be used to significantly improve the concrete efficiency of program obfuscation. Program obfuscation is the task of making code unintelligible such that the obfuscated program reveals nothing more about the implementation details beyond its functionality. The theory of program obfuscation was first formalized by Barak et al. [BGI+01]. In their work, they introduced the natural notion of virtual black-box (VBB) obfuscation, and moreover, showed that VBB obfuscation for all circuits is impossible in the standard model. In the same work, Barak et al. also introduced the weaker notion of indistinguishability obfuscation (iO); subsequently, Garg et al. [GGH+13b] gave the first candidate construction of iO for general circuits based on multilinear maps [BS03, GGH13a, CLT13, GGH15]. Since the breakthrough result of Garg et al., there has been a flurry of works showcasing the power of iO [GGH+13b, SW14, BZ14, GGHR14, BPW16]. However, in spite of the numerous constructions and optimizations that have been developed in the last few years [BGK+14, BR14, AGIS14, BMSZ16, Zim15, AB15], concrete instantiations of program obfuscation remain purely theoretical. Even obfuscating a relatively simple function such as the AES block cipher requires
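The mechanism the abstract names as central, compiling a linear PCP over a small field into a SNARG with a linear-only vector encryption, as an added toy illustration that is not the paper's own construction: a Regev-style encryption in which all plaintext slots share one LWE sample and the secret is a matrix (an assumed variant) lets the verifier encrypt each proof position as the vector of query values at that position, and the prover can only apply a linear map (its proof vector) to those ciphertexts to return every query answer in one ciphertext. The parameters, the query vectors and the proof vector are constructed toy values; the noise-budget assert is the correctness condition a practitioner must check when choosing real parameters.

```python
import random

# Toy parameters, constructed for illustration only (far below any real security level).
P, N, NOISE = 7, 8, 2   # PCP field Z_7 (a small field), LWE dimension, error range [-2, 2]
Q = P * 2**17           # ciphertext modulus, divisible by P so that DELTA = Q/P is exact
DELTA = Q // P

def keygen(k, rng):
    # Secret is an N x k matrix S: one LWE secret column per plaintext slot (assumed variant).
    return [[rng.randrange(Q) for _ in range(k)] for _ in range(N)]

def encrypt(S, msg, rng):
    """Encrypt a vector msg in Z_P^k as (a, b) with b_j = <a, S[:,j]> + e_j + DELTA*msg_j.
    All k slots share one a, so the ciphertext has N + k entries rather than k * (N + 1)."""
    a = [rng.randrange(Q) for _ in range(N)]
    b = []
    for j, m in enumerate(msg):
        inner = sum(a[i] * S[i][j] for i in range(N))
        b.append((inner + rng.randint(-NOISE, NOISE) + DELTA * m) % Q)
    return a, b

def add_scaled(cts, coeffs):
    """Homomorphically compute sum_i coeffs[i] * cts[i]: the only operation a prover gets."""
    a = [sum(c * ct[0][i] for c, ct in zip(coeffs, cts)) % Q for i in range(N)]
    b = [sum(c * ct[1][j] for c, ct in zip(coeffs, cts)) % Q for j in range(len(cts[0][1]))]
    return a, b

def decrypt(S, ct):
    a, b = ct
    out = []
    for j in range(len(b)):
        v = (b[j] - sum(a[i] * S[i][j] for i in range(N))) % Q  # DELTA*m_j + noise (mod Q)
        out.append(((v + DELTA // 2) // DELTA) % P)
    return out

def snarg_round(queries, proof, seed=1):
    """Verifier encrypts position i as the vector (q_1[i], ..., q_l[i]); the prover
    returns a single ciphertext carrying all l inner products <proof, q_j>."""
    rng = random.Random(seed)
    l, m = len(queries), len(proof)
    assert m * (P - 1) * NOISE < DELTA // 2, "summed noise must stay below DELTA/2"
    S = keygen(l, rng)
    crs = [encrypt(S, [queries[j][i] for j in range(l)], rng) for i in range(m)]  # CRS
    answer = add_scaled(crs, proof)                                                # prover
    return decrypt(S, answer)                                                      # verifier

def plain_answers(queries, proof):
    # What the verifier expects: the linear PCP answers computed in the clear.
    return [sum(q[i] * x for i, x in enumerate(proof)) % P for q in queries]
```

The verifier's consistency checks on the decrypted answers (and the argument that a prover is restricted to linear functions of the CRS) are what the linear PCP and the linear-only assumption supply; this block only shows the encrypted linear evaluation that makes one ciphertext per proof position suffice.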
doi:10.1007/978-3-319-56617-7_9