Differing-Inputs Obfuscation and Applications

Authors: P. Ananth, D. Boneh, S. Garg, A. Sahai, and M. Zhandry

In this paper, we study of the notion of differing-input obfuscation, introduced by Barak et al. (CRYPTO 2001, JACM 2012). For any two circuits C_0 and C_1, a differing-input obfuscator diO guarantees that the non-existence of an adversary that can find an input on which C_0 and C_1 differ implies that diO(C_0) and diO(C_1) are computationally indistinguishable. We show many applications of this notion:

  • We define the notion of a differing-input obfuscator for Turing machines and give a construction for the same (without converting it to a circuit) with input-specific running times. More specifically, for each input, our obfuscated Turning machine takes time proportional to the running time of the Turing machine on that specific input rather than the machine's worst-case running time.
  • We give a functional encryption scheme that allows for secret-keys to be associated with Turing machines, and thereby achieves input-specific running times. Further, we can equip our functional encryption scheme with delegation properties.
  • We construct a multi-party non-interactive key exchange protocol with no trusted setup where all parties post only logarithmic-size messages. It is the first such scheme with such short messages. We similarly obtain a broadcast encryption system where the ciphertext overhead and secret-key size is constant (i.e. independent of the number of users), and the public key is logarithmic in the number of users.
All our constructions make inherent use of the power provided by differing-input obfuscation. It is not currently known how to construct systems with these properties from the weaker notion of indistinguishability obfuscation.

Cryptology ePrint Archive: Report 2013/689

Full paper: pdf