82 points, by fbrusch, 3 days ago, 2 comments
  • stouset, a day ago
    I’m reasonably familiar with cryptography but the formalism of obfuscation given here makes no sense to me.

    > The precise formalism typically used, indistinguishability obfuscation, says that if you are given obfuscations of two different programs that have the same functionality, you can't tell which is which.

    This seems… not that useful? A sufficiently advanced optimizing compiler would be capable of transforming two input programs with identical functionality into one or the other, or both into some third representation. Either approach meets this criterion but doesn’t seem to me to provide any useful purpose.

    And in practice, do two identically-functioning but different programs even exist in the wild? Two superficially identical programs of nontrivial complexity will almost certainly have divergent behavior somewhere (bugs, edge cases), at which point this formalism becomes moot.

    • killerstorm, a day ago
      It's a formalism used to analyze security properties, it's not how it is used in practice.

      The practical goal is to hide a secret key inside a program, so e.g. implement an algorithm which might involve decryption and signing a message without giving external parties the ability to decrypt messages.

      The connection between indistinguishable obfuscation formalism and "can't extract secret key" property is not obvious. Here's a quote from a paper which Vitalik linked:

      > it is not immediately clear how useful indistinguishability obfuscators would be. Perhaps the strongest philosophical justification for indistinguishability obfuscators comes from the work of Goldwasser and Rothblum, who showed that (efficiently computable) indistinguishability obfuscators achieve the notion of Best-Possible Obfuscation: Informally, a best-possible obfuscator guarantees that its output hides as much about the input circuit as any circuit of a certain size

    • binyu, a day ago
      I think that Vitalik is collapsing a lot of dense math and cryptography onto a more understandable language aimed at the blockchain developers/community.

      In a sense, Vitalik is "recruiting" with this post, his goal being to lower the barrier of entry to this discipline.

      • Qision, a day ago
        > blockchain developers

        Is there still such a thing?

    • mahemm, a day ago
      The tl;dr on why IO is important is you can just use (effectively) one program, but stuff different secrets inside them with a guarantee that no one can pull those secrets back out.

      Cryptographers have proven that it's possible to use this as a primitive from which you can rebuild the rest of common cryptographic primitives (public encryption, symmetric encryption, etc). So--if it's possible to put this together it'll be a novel construction for every cryptographic primitive that also dodges some of the problems with key distribution and negotiation.

    • some_furry, a day ago
      A friend once explained to me that the general goal of iO is basically DRM but with an inverted power dynamic: Imagine being able to deploy containers to cloud providers (AWS, GCP, etc.), whereby the Cloud provider cannot see what software you are running. Even if the government commanded them to do so. That's how I understand it, informally.

      The formalisms of "indistinguishability" in the blog posts are indeed weird.

      Some security proofs argue that an attacker cannot distinguish between some plaintext and a string of NUL bytes of the same length being encrypted just by observing ciphertexts. That seems to be what Vitalik is, vaguely, gesturing towards?

      (I'm not affiliated with the author or any of their numerous projects, so take my remarks with an appropriate dose of salt.)
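The "plaintext versus a NUL string of the same length" argument mentioned above is the standard left-or-right indistinguishability game. The script below is an added example, not code from the thread or from Vitalik's post: it plays that game against two toy constructed schemes, a nonce-free XOR-with-PRF-keystream cipher and the same cipher with a fresh random nonce per call, using a single chosen-plaintext adversary that simply asks the oracle to encrypt NULs and compares. The scheme names, the adversary and the message are all constructed for illustration.

```python
"""
Toy indistinguishability game (constructed example): the challenger encrypts
either the adversary's message or an all-NUL string of the same length, and
the adversary, who also has a chosen-plaintext encryption oracle, must guess which.
"""
import hashlib
import hmac
import os
import random
from typing import Callable

KEY_LEN = 32
NONCE_LEN = 16


def _prf(key: bytes, label: bytes) -> bytes:
    # HMAC-SHA256 used as a pseudorandom function; 32 bytes of output per call.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # CTR-style keystream: PRF(key, nonce || counter) blocks, truncated to n bytes.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += _prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc_deterministic(key: bytes, msg: bytes) -> bytes:
    """Constructed weak scheme: fixed all-zero nonce, so equal inputs give equal outputs."""
    return _xor(msg, _keystream(key, bytes(NONCE_LEN), len(msg)))


def enc_randomized(key: bytes, msg: bytes) -> bytes:
    """Constructed scheme with a fresh random nonce prepended to each ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(msg, _keystream(key, nonce, len(msg)))


def dec_randomized(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))


Encrypt = Callable[[bytes, bytes], bytes]
Adversary = Callable[[Callable[[bytes], bytes], bytes, int], int]


def play_game(encrypt: Encrypt, adversary: Adversary, rng: random.Random, msg: bytes) -> bool:
    """One round of the game; returns True if the adversary guesses the hidden bit b."""
    key = os.urandom(KEY_LEN)
    b = rng.randrange(2)                      # b = 0: real message, b = 1: NULs
    oracle = lambda m: encrypt(key, m)        # chosen-plaintext oracle under the same key
    target = msg if b == 0 else bytes(len(msg))
    challenge = encrypt(key, target)
    return adversary(oracle, challenge, len(msg)) == b


def compare_adversary(oracle, challenge: bytes, n: int) -> int:
    """Asks the oracle for an encryption of NULs and checks whether it equals the challenge."""
    return 1 if oracle(bytes(n)) == challenge else 0


def success_rate(encrypt: Encrypt, adversary: Adversary, trials: int = 400, seed: int = 1) -> float:
    """Fraction of rounds the adversary wins; 0.5 means no advantage for this adversary."""
    rng = random.Random(seed)
    msg = b"attack at dawn"                   # constructed sample plaintext
    wins = sum(play_game(encrypt, adversary, rng, msg) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("deterministic scheme:", success_rate(enc_deterministic, compare_adversary))
    print("randomized scheme:   ", success_rate(enc_randomized, compare_adversary))
```

The nonce-free scheme loses the game every time (the adversary's oracle query reproduces the challenge exactly when NULs were encrypted), while the randomized scheme leaves this particular adversary at coin-flip odds. The caveat is the one the thread circles around: a security proof must bound every efficient adversary, not just one strategy, which is why the definitions read as abstractly as they do.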

      • trollbridge, a day ago
        Thanks for this explanation. Wish he’d had it at the top of his post.
      • Ar-Curunir, a day ago
        The formalisms are not an invention of the blog post, just the formal definition of iO
        • some_furry, a day ago
          Correct, I didn't mean to make it sound like they were foreign to iO overall. Just that the formalisms were in the blog post.

          (The iO research field, overall, is still pretty weird to me.)

    • pseudohadamard, 20 hours ago
      Nor does the claim "The most powerful primitive that has been conceived in cryptography is obfuscation". A good test for how useful a cryptographic primitive is is "if you magically removed this from existence, would any attackers notice?". For this one the answer would be "no".

      I'd say the actual most powerful primitive in crypto is KDFs/MACs (there's some overlap, e.g. HKDF). Remove that and pretty much everything that requires security would collapse overnight. Not just the obvious TLS and SSH but the global payments infrastructure and a lot of other less-visible things.

  • vrighter, a day ago
    This guy seems so full of himself. Everything I read of his triggers my bullshit alarm. Stuff like claiming feasible solutions to problems that have been mathematically proven not to have any.
    • Ar-Curunir, a day ago
      What? iO research is an active field in cryptography