File(s) not publicly available

Factoring and Pairings Are Not Necessary for IO: Circular-Secure LWE Suffices

conference contribution
posted on 2023-11-29, 18:26 authored by Zvika Brakerski, Nico Döttling, Sanjam Garg, Giulio Malavolta
We construct indistinguishability obfuscation (iO) solely under circular-security properties of encryption schemes based on the Learning with Errors (LWE) problem. Circular-security assumptions were used before to construct (non-leveled) fully-homomorphic encryption (FHE), but our assumption is stronger and requires circular randomness-leakage-resilience. In contrast with prior works, this assumption can be conjectured to be post-quantum secure, yielding the first provably secure iO construction that is (plausibly) post-quantum secure.

Our work follows the high-level outline of the recent work of Gay and Pass [STOC 2021], who showed a way to remove the heuristic step from the homomorphic-encryption-based iO approach of Brakerski, Döttling, Garg, and Malavolta [EUROCRYPT 2020]. They thus obtain a construction proved secure under the circular-security assumption of natural homomorphic encryption schemes; specifically, they use homomorphic encryption schemes based on LWE and DCR, respectively. In this work we show how to remove the DCR assumption and remain with a scheme based on the circular security of LWE alone. Along the way we relax some of the requirements in the Gay-Pass blueprint and thus obtain a scheme that is secure under a different assumption. Specifically, we do not require security in the presence of a key-cycle, but rather only in the presence of a key-randomness cycle.

An additional contribution of our work is to point out a problem in one of the building blocks used by many iO candidates, including all existing provable post-quantum candidates, namely the transformation from exponentially-efficient iO (XiO) to iO of Lin, Pass, Seth and Telang [PKC 2016]. We show why their transformation inherently falls short of achieving the desired goal, and then rectify this situation by showing that shallow XiO (i.e. one where the obfuscator is depth-bounded) does translate to iO using LWE.


Preferred Citation

Zvika Brakerski, Nico Döttling, Sanjam Garg and Giulio Malavolta. Factoring and Pairings Are Not Necessary for IO: Circular-Secure LWE Suffices. In: International Colloquium on Automata, Languages and Programming (ICALP). 2022.

Primary Research Area

  • Algorithmic Foundations and Cryptography

Name of Conference

International Colloquium on Automata, Languages and Programming (ICALP)

Open Access Type

  • Unknown


@inproceedings{cispa_all_3960,
  title     = {Factoring and Pairings Are Not Necessary for IO: Circular-Secure LWE Suffices},
  author    = {Brakerski, Zvika and D{\"o}ttling, Nico and Garg, Sanjam and Malavolta, Giulio},
  booktitle = {International Colloquium on Automata, Languages and Programming (ICALP)},
  year      = {2022}
}
