stouset 18 hours ago [-]
I’m reasonably familiar with cryptography but the formalism of obfuscation given here makes no sense to me.
> The precise formalism typically used, indistinguishability obfuscation, says that if you are given obfuscations of two different programs that have the same functionality, you can't tell which is which.
This seems… not that useful? A sufficiently advanced optimizing compiler would be capable of transforming two input programs with identical functionality into one or the other, or both into some third representation. Either approach meets this criteria but doesn’t seem to me to provide any useful purpose.
And in practice, do two identically-functioning but different programs even exist in the wild? Two superficially identical programs of nontrivial complexity will almost certainly have divergent behavior somewhere (bugs, edge cases), at which point this formalism becomes moot.
killerstorm 18 hours ago [-]
It's a formalism used to analyze security properties; it's not how it is used in practice.
The practical goal is to hide a secret key inside a program, so e.g. implement an algorithm which might involve decryption and signing a message without giving external parties the ability to decrypt messages.
The connection between indistinguishable obfuscation formalism and "can't extract secret key" property is not obvious. Here's a quote from a paper which Vitalik linked:
> it is not immediately clear how useful indistinguishability obfuscators would be. Perhaps the strongest philosophical justification for indistinguishability obfuscators comes from the work of Goldwasser and Rothblum, who showed that (efficiently computable) indistinguishability obfuscators achieve the notion of Best-Possible Obfuscation: Informally, a best-possible obfuscator guarantees that its output hides as much about the input circuit as any circuit of a certain size
binyu 17 hours ago [-]
I think that Vitalik is collapsing a lot of dense math and cryptography into more understandable language aimed at the blockchain developers/community.
In a sense, Vitalik is "recruiting" with this post, his goal being to lower the barrier of entry to this discipline.
Qision 15 hours ago [-]
> blockchain developers
Is there still such a thing?
mahemm 14 hours ago [-]
The tl;dr on why IO is important is you can just use (effectively) one program, but stuff different secrets inside them with a guarantee that no one can pull those secrets back out.
Cryptographers have proven that it's possible to use this as a primitive from which you can rebuild the rest of common cryptographic primitives (public encryption, symmetric encryption, etc). So--if it's possible to put this together it'll be a novel construction for every cryptographic primitive that also dodges some of the problems with key distribution and negotiation.
pseudohadamard 5 hours ago [-]
Nor does the claim "The most powerful primitive that has been conceived in cryptography is obfuscation". A good test for how useful a cryptographic primitive is is "if you magically removed this from existence, would any attackers notice?". For this one the answer would be "no".
I'd say the actual most powerful primitive in crypto is KDFs/MACs (there's some overlap, e.g. HKDF). Remove that and pretty much everything that requires security would collapse overnight. Not just the obvious TLS and SSH but the global payments infrastructure and a lot of other less-visible things.
some_furry 18 hours ago [-]
A friend once explained to me that the general goal of iO is basically DRM but with an inverted power dynamic: Imagine being able to deploy containers to cloud providers (AWS, GCP, etc.), whereby the Cloud provider cannot see what software you are running. Even if the government commanded them to do so. That's how I understand it, informally.
The formalisms of "indistinguishability" in the blog posts are indeed weird.
Some security proofs argue that an attacker cannot distinguish between some plaintext and a string of NUL bytes of the same length being encrypted just by observing ciphertexts. That seems to be what Vitalik is, vaguely, gesturing towards?
(I'm not affiliated with the author or any of their numerous projects, so take my remarks with an appropriate dose of salt.)
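The "plaintext versus same-length NUL bytes" game mentioned above can be run concretely. The following is an added illustration, not code from any comment in this thread, from the blog post, or from the paper it discusses: two toy ciphers (a deterministic keystream XOR, and the same keystream with a fresh random nonce per message) are put through the same distinguishing game with the same adversary. The adversary asks the encryption oracle for the ciphertext of an all-NUL string and compares it with the challenge. The cipher names, the HMAC-SHA256 keystream and the game harness are all constructed here for the demonstration.

```python
import hashlib
import hmac
import os

KEY_LEN = 32
NONCE_LEN = 16


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks.
    Constructed for this example; it is a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


class DeterministicXorCipher:
    """Weak toy cipher: keystream depends only on the key, so encrypting the
    same plaintext twice yields the same ciphertext (equality leaks)."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def encrypt(self, m: bytes) -> bytes:
        return xor_bytes(m, keystream(self.key, b"", len(m)))

    def decrypt(self, c: bytes) -> bytes:
        return xor_bytes(c, keystream(self.key, b"", len(c)))


class NonceStreamCipher:
    """Randomized toy cipher: a fresh random nonce per message is prefixed to
    the ciphertext, so two encryptions of one plaintext look unrelated."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def encrypt(self, m: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        return nonce + xor_bytes(m, keystream(self.key, nonce, len(m)))

    def decrypt(self, c: bytes) -> bytes:
        nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
        return xor_bytes(body, keystream(self.key, nonce, len(body)))


def replay_adversary(encrypt, message: bytes, challenge: bytes) -> int:
    """Adversary in the game: obtain enc(NUL * len(message)) from the oracle
    and guess 'NULs' (0) if it matches the challenge, else 'real' (1)."""
    reference = encrypt(bytes(len(message)))
    return 0 if challenge == reference else 1


def indistinguishability_advantage(make_cipher, adversary, message: bytes,
                                   trials: int = 100) -> float:
    """Run the plaintext-vs-NULs game for both values of the hidden bit and
    return |Pr[guess=1 | real] - Pr[guess=1 | NULs]|, the adversary's advantage.
    A fresh random key is drawn for every trial."""
    guessed_real = {0: 0, 1: 0}
    for hidden_bit in (0, 1):
        for _ in range(trials):
            cipher = make_cipher(os.urandom(KEY_LEN))
            target = message if hidden_bit == 1 else bytes(len(message))
            challenge = cipher.encrypt(target)
            guessed_real[hidden_bit] += adversary(cipher.encrypt, message, challenge)
    return abs(guessed_real[1] - guessed_real[0]) / trials


if __name__ == "__main__":
    msg = b"attack at dawn"  # constructed sample plaintext
    print("deterministic XOR:", indistinguishability_advantage(DeterministicXorCipher, replay_adversary, msg))
    print("nonce stream:     ", indistinguishability_advantage(NonceStreamCipher, replay_adversary, msg))
```

Against the deterministic cipher the adversary wins every time (advantage 1.0): the oracle hands back exactly the challenge ciphertext whenever the NULs were encrypted. Against the randomized cipher the same adversary learns nothing (advantage 0.0), because the reference ciphertext carries a different nonce. The game only demonstrates that this particular adversary fails; the formal definition quantifies over every efficient adversary, and the randomized toy would still fall to one that can force nonce reuse.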
trollbridge 16 hours ago [-]
Thanks for this explanation. Wish he’d had it at the top of his post.
Ar-Curunir 15 hours ago [-]
The formalisms are not an invention of the blog post, just the formal definition of iO
some_furry 12 hours ago [-]
Correct, I didn't mean to make it sound like they were foreign to iO overall. Just that the formalisms were in the blog post.
(The iO research field, overall, is still pretty weird to me.)
vrighter 16 hours ago [-]
This guy seems so full of himself. Everything I read of his triggers my bullshit alarm. Stuff like claiming feasible solutions to problems that have been mathematically proven not to have any.
Ar-Curunir 15 hours ago [-]
What? iO research is an active field in cryptography