
I bumped into this presentation from Craig Gentry in which he explains why iO implies OWF under the assumption that NP is not in BPP. Can you help me understand the proof he provides? I especially don't get why the adversary would succeed in inverting $f$ in the case of circuit unsatisfiability.

1 Answer


Fix an arbitrary unsatisfiable circuit $Z$ of size $n$. Let

$f(x) = iO(Z;x)$

If there is no OWF, then $f$ is not an OWF: there exists an adversary $\mathsf{Adv}$ which, with non-negligible probability over the choice of $x$, successfully finds a preimage $x'$ of $y$ given as input $y = f(x)$.

Then, the demonstration goes as follows:

  • For any circuit $C_0$ of size $n$, if $C_0$ is unsatisfiable, then $Z$ and $C_0$ are functionally equivalent (they both output $0$ on all inputs). By definition of iO, that means that no polytime adversary can distinguish (with non-negligible probability) $iO(Z;x)$ from $iO(C_0;x)$ for a random $x$. In particular, this means that $\mathsf{Adv}$ must necessarily succeed (with non-negligible probability) in finding $x'$ such that $f(x') = iO(C_0;x)$. Otherwise, we could use $\mathsf{Adv}$ to distinguish the two: run $\mathsf{Adv}$ on the obfuscated circuit (let's denote it $y$), and if it inverts (i.e. finds $x'$ such that $f(x')=y$), output "the obfuscated circuit was $Z$"; otherwise guess at random between $Z$ and $C_0$. It's a simple probability calculation to check that this algorithm finds the correct answer with probability at least $1/2+\varepsilon$ for some non-negligible $\varepsilon$.
  • For any circuit $C_1$ of size $n$ that is satisfiable, if your obfuscation is perfectly correct, then it is completely impossible to find a preimage $x'$ such that $f(x') = iO(C_1;x)$: if there was such an $x'$, we would have $iO(Z;x') = iO(C_1;x)$. But the left-hand side is an unsatisfiable circuit (by perfect correctness of the obfuscation), and the right-hand side is satisfiable (by perfect correctness again), so they cannot possibly be identical!

Therefore, for any circuit $C$ of size $n$, we have an adversary $\mathsf{Adv}$ that finds preimages to $y = iO(C;x)$ with non-negligible probability over the choice of $x$ when $C$ is unsatisfiable, and never when $C$ is satisfiable. Running $\mathsf{Adv}$ with many different random $x$'s (to amplify its probability of inversion to $2/3$) gives us a probabilistic polytime algorithm (i.e. a $\mathsf{BPP}$ algorithm) that decides (in the worst case) whether a circuit is satisfiable (i.e. solves $\mathsf{NP}$).

Note: there is a much more involved paper that proves that the same result holds even for imperfect iO (the above answer crucially assumes perfect correctness), but the generalization is considerably more complex.

Geoffroy Couteau
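The "simple probability calculation" and the amplification step from the answer above, written out explicitly. This is an added worked derivation, not part of the answer or of Gentry's slides; the names $p$, $q$, $k$ and $\mathcal{D}$ are introduced here for convenience.

Write $p = \Pr_x[\mathsf{Adv}(iO(Z;x)) \text{ inverts}]$ and $q = \Pr_x[\mathsf{Adv}(iO(C_0;x)) \text{ inverts}]$, where "inverts" means that $\mathsf{Adv}$ returns some $x'$ with $iO(Z;x') = y$ for the given $y$. Note that this success condition is checkable in polynomial time by recomputing $iO(Z;x')$ and comparing it to $y$, so the distinguisher never has to trust $\mathsf{Adv}$. By assumption $p$ is non-negligible.

The distinguisher $\mathcal{D}$ receives $y = iO(C_b;x)$ with $C_0$ unsatisfiable, $b \leftarrow \{0,1\}$, $Z$ playing the role of $C_{0}$'s twin, and outputs "$Z$" if $\mathsf{Adv}(y)$ inverts and a uniformly random guess otherwise. Conditioning on $b$:

$$
\Pr[\mathcal{D} \text{ correct} \mid y = iO(Z;x)] = p + \frac{1-p}{2} = \frac{1+p}{2},
\qquad
\Pr[\mathcal{D} \text{ correct} \mid y = iO(C_0;x)] = \frac{1-q}{2},
$$

so that

$$
\Pr[\mathcal{D} \text{ correct}] = \frac{1}{2}\left(\frac{1+p}{2} + \frac{1-q}{2}\right) = \frac{1}{2} + \frac{p-q}{4}.
$$

If $q \le p/2$ this is at least $1/2 + p/8$, a non-negligible advantage, contradicting the iO security of $iO(Z;\cdot)$ versus $iO(C_0;\cdot)$. Hence $q > p/2$, i.e. $\mathsf{Adv}$ inverts $iO(C_0;x)$ with non-negligible probability for every unsatisfiable $C_0$, which is exactly the step the question asks about.

For the amplification, run $\mathsf{Adv}$ on $k$ independent samples $y_i = iO(C;x_i)$ and accept "unsatisfiable" iff at least one run inverts. When $C$ is unsatisfiable each run succeeds independently with probability at least $q$, so

$$
\Pr[\text{all } k \text{ runs fail}] \le (1-q)^k \le e^{-qk} \le \tfrac{1}{3}
\quad\text{for } k \ge \lceil \ln 3 / q \rceil,
$$

which is polynomial since $q \ge 1/\mathrm{poly}(n)$. When $C$ is satisfiable no run can ever invert, by the perfect-correctness argument in the answer's second bullet, so the decider has one-sided error at most $1/3$ and never errs on satisfiable circuits. (As usual with "non-negligible", $q \ge 1/\mathrm{poly}(n)$ is only guaranteed for infinitely many $n$, which is enough to contradict $\mathsf{NP} \not\subseteq \mathsf{BPP}$ in its standard infinitely-often formulation.)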