Copyright by Venkata Vivek Kumar Koppula 2018

Copyright by Venkata Vivek Kumar Koppula 2018 The Dissertation Committee for Venkata Vivek Kumar Koppula certiﬁes that this is the approved version of the following dissertation:

Program Obfuscation: New Applications and Constructions from Standard Assumptions

Committee:

Brent Waters, Supervisor

Adam Klivans

Amit Sahai

David Zuckerman Program Obfuscation: New Applications and Constructions from Standard Assumptions

Venkata Vivek Kumar Koppula,

DISSERTATION Presented to the Faculty of the Graduate School of The University of Texas at Austin in Partial Fulﬁllment of the Requirements for the Degree of

DOCTOR OF PHILOSOPHY

THE UNIVERSITY OF TEXAS AT AUSTIN August 2018 Acknowledgments

First, I am extremely thankful to my advisor, Brent Waters, without whose guidance and support this thesis would not have been possible. His enthusiasm towards research has been a great source of motivation, and I feel truly indebted to him. I am also grateful to Amit Sahai for hosting me at UCLA on multiple occasions, and for his engaging discussions.

This thesis mainly consists of two separate projects, and I wish to thank my collaborators Allison Bishop, Rishab (L.C.) Goyal and Brent Waters for the numerous discussions on these works. Special thanks to Rishab for both the technical as well as non-technical conversations we’ve had over the last four years. I am also thankful to colleagues with whom I had the pleasure to do research (that is not part of this thesis). Many thanks to my PhD committee members (Adam Klivans, Amit Sahai and David Zuckerman) for their valuable feedback on my thesis. Finally, I thank my friends and family for their constant support and conﬁdence in me.

iv Program Obfuscation: New Applications and Constructions from Standard Assumptions

Publication No.

Venkata Vivek Kumar Koppula, Ph.D. The University of Texas at Austin, 2018

Supervisor: Brent Waters

Code obfuscation has been one of the main focal points of cryptographic research over the last few years. This proposed thesis studies two different aspects of program obfuscation. In the first part, we examine the power of indistinguishability obfuscation. This notion of indistinguishability obfuscation requires that the obfuscation of two functionally identical programs must be computationally indistinguishable. In this work, we show how obfuscation for circuits can be used to obfuscate Turing machines. Our obfuscation scheme satisfies the succinctness requirement; that is, the obfuscation of a Turing machine M has size polynomial in the machine description |M| and a maximum bound on the input length n. Previous works that addressed this problem required an additional bound on the maximum space used by the Turing machine. Our construction is based on indistinguishability obfuscation for circuits, one way functions and injective pseudo random generators.

v In the second part of the proposed dissertation, we study constructions of obfuscation for restricted function classes under standard assumptions. We introduce the notion of lockable obfuscation. In a lockable obfuscation scheme there exists an obfuscation algorithm that takes as input a security parameter, a program P , a message m and “lock value” α and outputs an obfuscated program P˜. One can evaluate the obfuscated program P˜ on any input x where the output of evaluation is the message m if P (x) = α and otherwise receives a rejecting symbol. We proceed to provide a construction of lockable obfuscation and prove it secure under the Learning with Errors (LWE) assumption. Previ- ous constructions of obfuscation under standard assumptions worked for much weaker function classes such as point functions and conjunctions. Next, we describe multiple applications of lockable obfuscation. The ﬁrst application is a generic transformation of any attribute-based encryption (ABE) scheme into one in which the attributes used to encrypt the message are hidden from any user that is not authorized to decrypt the message. Similarly, we show how to upgrade broadcast encryption schemes to have one-sided anonymity. We also show applications of lockable obfuscation to separation and uninstantiability results.

vi Table of Contents

Acknowledgments iv

Abstract v

Chapter 1. Introduction 1 1.1 A Brief History of Program Obfuscation ...... 2 1.2 Summary of Our Results ...... 12 1.2.1 Indistinguishability Obfuscation for Turing Machines . . 13 1.2.2 Lockable Obfuscation ...... 16

Chapter 2. Indistinguishability Obfuscation for Turing Machines 22 2.1 Overview of our scheme ...... 22 2.2 Preliminaries ...... 30 2.2.1 Notations ...... 30 2.2.2 Puncturable Pseudorandom Functions ...... 31 2.2.3 Obfuscation ...... 32 2.3 iO-compatible Primitives ...... 33 2.3.1 Iterators ...... 33 2.3.1.1 Construction ...... 36 2.3.1.2 Security ...... 38 2.4 Positional Accumulators ...... 42 2.4.1 Construction ...... 48 2.4.1.1 Correctness ...... 52 2.4.1.2 Security ...... 53 2.4.2 Splittable Signatures ...... 61 2.4.3 Construction ...... 66 2.4.3.1 Proofs of Security ...... 69 2.5 Message Hiding Encodings ...... 85

vii 2.5.1 Construction ...... 86 2.5.2 Proof of Security ...... 89 2.5.3 Proof of Lemma 2.11 ...... 99 2.5.4 Proof of Lemma 2.12 ...... 106 2.5.5 Proof of Lemma 2.13 ...... 119 2.5.5.1 Analysis ...... 123 2.5.6 Proof of Lemma 2.14 ...... 128 2.5.6.1 Analysis ...... 129 2.5.7 Proof of Lemma 2.15 ...... 130 2.5.7.1 Analysis ...... 133 2.6 Machine Hiding Encodings ...... 135 2.6.1 Construction ...... 137 2.6.2 Proof of Security ...... 140 2.6.3 Proof Outline for Lemma 2.16 ...... 145 2.6.4 Proof of Lemma 2.17 ...... 162 2.6.5 Proof of Lemma 2.18 ...... 178 2.6.5.1 Analysis ...... 180 2.6.6 Extensions and Variations ...... 181

Chapter 3. Lockable Obfuscation 183 3.1 Overview of our Lockable Obfuscation Construction ...... 183 3.2 Preliminaries ...... 191 3.2.1 Lattice Preliminaries ...... 193 3.2.2 Branching Programs ...... 197 3.2.3 Public Key Encryption ...... 198 3.2.4 Homomorphic Encryption ...... 200 3.2.4.1 Leveled Homomorphic Encryption ...... 200 3.2.4.2 Fully Homomorphic Encryption ...... 202 3.2.5 Pairwise Independent Hash Functions ...... 203 3.2.6 Low-Depth Pseudorandom Generators with Polynomial Stretch ...... 204 3.3 Lockable Obfuscation ...... 205 3.3.1 Correctness ...... 206

viii 3.3.2 Security ...... 208 3.3.3 Extending the Message Space ...... 209 3.3.4 Relationship with Existing Cryptographic Primitives . . 211 3.4 Our Construction ...... 212 3.4.1 Security ...... 217 3.4.1.1 Simulator Sim ...... 217 3.4.1.2 Sequence of Hybrid Games ...... 218 3.4.1.3 Analysis ...... 224 3.4.2 On the Need for a Pseudo Random Generator ...... 231 3.5 Predicate Encryption: Achieving 1-Sided Security ...... 233 3.5.1 Key-Policy ABE with Bounded Decryption Depth and Size233 3.5.2 Generalizing to Other Types ...... 245 3.5.3 Encrypting to a Hidden Public Key ...... 248 3.6 Separating IND-CPA security and Circular Security ...... 249 3.6.1 Separating IND-CPA Security from n-Circular Security . 252 3.6.2 Separating IND-CPA Security from 1-Circular Security for Bit Encryption ...... 258 3.6.3 Creating an Unbounded Public Key Cycle Tester . . . . 261 3.7 Uninstantiability of the Fujisaki-Okamoto and Related Trans- formations ...... 264 3.7.1 The Fujisaki-Okamoto Transformation ...... 266 3.8 Indistinguishability Obfuscation for Rejecting Programs . . . . 276 3.8.1 Deﬁning Indistinguishability Obfuscation for Rejecting Programs ...... 278 3.8.2 Witness Encryption ...... 280 3.8.3 Construction of Rejecting Indistinguishability Obfuscator from Witness Encrytion ...... 281 3.8.3.1 Security ...... 283 3.9 Upgrading Broadcast Encryption to Anonymous Broadcast En- cryption ...... 286 3.9.1 Preliminaries ...... 287 3.9.1.1 Security ...... 288 3.9.2 Upgrading Broadcast Encryption to One-Sided Anony- mous Broadcast Encryption ...... 290 3.9.2.1 Security ...... 293

ix Index 302

Bibliography 303

x Chapter 1

Introduction

Cryptography (derived from Greek words krypt´os meaning ‘secret’ and graphein meaning ‘to write’) is the art of hiding secrets. Traditionally, cryp- tographers have been interested in hiding secrets in messages – transforming secret plaintext messages into scrambled text such that only authorized parties can recover the underlying plaintext message. Decades of research resulted in very eﬃcient solutions for hiding secrets.

Since the dawn of the software industry, a diﬀerent ‘secret-hiding’ problem has emerged : hiding secrets in programs. Suppose Alice has an exciting software P . How can Alice ‘scramble’ this program P into a program P 0 such that P 0 works exactly as P , but hides the implementation of P ? We refer to this problem as code obfuscation, and it is a well-studied problem, both in theory and practice.

1 1.1 A Brief History of Program Obfuscation

The goal of code obfuscation is to make programs ‘maximally unintel- ligible’. An obfuscator takes as input the description of a program P 1 and compiles it into a program P 0 such that P and P 0 have identical functionality, yet P 0 ‘hides’ the internal logic of P . The idea of code obfuscation has been around for many years. Diﬃe and Hellman, in their seminal work on public- key encryption [241], envisioned that such one-way compilers could be used to transform any private-key encryption schemes to a public-key encryption schemes. In practice, there exist multiple commercial solutions for code obfuscation. However, all these solutions are primarily heuristic approaches, and there are no hardness guarantees.

Theoretical Foundations of Code Obfuscation: A theoretical study of obfuscation was initiated by the seminal work of Barak, Goldreich, Impagli- azzo, Rudich, Sahai, Vadhan and Yang [61], who proposed various deﬁnitions for code obfuscation. One of the deﬁnitions they proposed was called virtual black box(VBB) obfuscation, which (informally) states that having an obfuscation of program P is similar to having oracle access to P (that is, any predicate that can be computed in polynomial time from the obfuscated code can be simulated via oracle access to the program). This notion captures our intuition of a compiler hiding internal logic, because any information that can

1Here, a program could be any form of computation; for instance, it could be a circuit, a piece of code in a high level language, etc.

2 be learned given the VBB obfuscation of a program can be learned from oracle access to the program. As discussed by Barak et al. , VBB obfuscation for general (polynomial time) computations would have immense applications in cryptography/security. Such obfuscators can be used for software protection, homomorphic encryption [485], replacing random oracles [89] and transforming private-key encryption schemes to public-key schemes. Unfortunately, Barak et al. showed that under certain cryptographic assumptions, there exist (con- trived) function classes which cannot be VBB obfuscated. Later, Goldwasser and Kalai [320] showed that in the presence of auxiliary input, there exists a “wide and natural class of functions” that cannot be VBB obfuscated.

Therefore, if we wish to have obfuscation for general functions, then one must aim for weaker notions of obfuscation. The work of Barak et al. proposed a couple of such notions, one of them being indistinguishability obfuscation (iO). An obfuscator O is said to be an indistinguishability obfuscator if it has the following security guarantee - for any two circuits C0,C1 of same size that have identical functionality (that is, for all inputs x, C0(x) = C1(x)), obfuscation of C0 is indistinguishable from obfuscation of C1. Note that the security guarantee holds only if the two circuits are identical on all inputs. At ﬁrst, it is not clear why this security notion would be useful, since the security guarantee only holds for functionally identical circuits. Goldwasser and Rothblum [324] gave some evidence of its usefulness; their work showed that indistinguishability obfuscation is the ‘best possible obfuscation’. Other than that, over the next few years, indistinguishability obfuscation did not

3 receive much immediate attention since (1) there were no such obfuscation candidates at the time and (2) the perceived lack of applications due to the fact that it only guaranteed security between two functionally equivalent circuits.

First Candidate iO Scheme and Applications of iO: However, the landscape changed dramatically in 2013. In a breakthrough result, Garg, Gentry, Halevi, Raykova, Sahai and Waters [287] gave the ﬁrst candidate indistinguishability obfuscation scheme for all circuits, and used iO (together with some standard cryptographic primitives) to construct a powerful primitive called functional encryption. Shortly thereafter, Sahai and Waters [500] showed that iO (together with some basic assumptions) can be used to construct a wide range of cryptographic primitives such as public key encryption, short signatures, non-interactive zero knowledge proofs, and advanced primitives such as deniable encryption. Their ‘punctured programming’ technique gave rise to a plethora of applications, including some of the applications of VBB obfuscation discussed by Barak et al. [61].

This ﬁrst wave of applications had one broad common feature - all of them used obfuscation of circuits. Although circuits represent a general model of computation, they have the drawback that the size of a circuit description of a computation is proportional to the worst case running time of a computation. This might be much longer than the time required to simply describe the computation in a diﬀerent form. For this reason, it is desirable to develop an obfuscator for Turing Machines (or other similar models) where the obfus-

4 cation time grows polynomially with the machine description size, as opposed to its worst case running time. In addition to serving as its own application, such a construction would pave the way for other applications such as delegation/veriﬁcation of computation. Let us consider the following scenario where a party, say Alice, that has a Turing machine P , input x and string y, and Alice wants to check whether P (x) = y. Alice does not have the resources to compute P (x), and therefore needs to delegate this task to a server. This problem can be solved if Alice could obfuscate Turing machines. Alice can choose a uniformly random string r and compute an obfuscation of Prog[P, x, y, r], where the program Prog[P, x, y, r] takes no input, and outputs r if P (x) = y, else it outputs a special symbol ⊥. The server simply evaluates the obfuscated program and sends the output to Alice. If Alice receives r, then she can be convinced that P (x) = y. In this scenario, it is crucial that the time to obfuscate Prog[P, x, y, r] does not grow with the running time of Prog[P, x, y, r]. If the time to obfuscate grows with the running time of Prog[P, x, y, r] (which is equal to the running time of P on input x), then this defeats the entire goal of delegating this computation! Using the security property of indistinguishability obfuscation, one can argue that if P (x) 6= y, then no (polynomial time) cheating prover can convince Alice that P (x) = y (an outline of this proof is described in Section 2.1).

Indistinguishability Obfuscation for Turing Machines: Let us consider the most natural approach for constructing a Turing Machine obfuscator

5 from a circuit obfuscator: using an obfuscated circuit to perform the step functions of a Turing Machine. At each time step, the obfuscated program will take in authenticated and encrypted state/tape symbols. It then veriﬁes the signature, decrypts, and calculates the next state/tape symbols which it then encrypts, signs, and outputs. In such a construction, the obfuscating time will be proportional to the size of the machine M, while the evaluation on input x will call the obfuscated program up to T times, where T is the running time of x on M. Such an approach can be fairly easily analyzed and proven secure if we assume the circuit obfuscator satisﬁes the Virtual Black Box (VBB) notion of security for obfuscation. This is because we can then treat the obfuscated program as an oracle. However, as mentioned above, there exist many functionalities that cannot be VBB obfuscated, and it is not clear which functionalities can be VBB obfuscated. This motivates the current practice of searching for solutions that do not depend on VBB obfuscation.

An initial line of research addressed [144, 30] this problem using differing- inputs obfuscation (diO). The notion of differing inputs obfuscation was also proposed by Barak et al. [61] as a weakening of VBB, and its security guarantee is as follows - if there exists a (polynomial time) adversary A that can distinguish between an obfuscation of C0 and an obfuscation of C1, then there exists a polynomial time ‘extractor’ that can extract a differing-input x such that C0(x) 6= C1(x). Due to this extractability nature, this assumption is also considered to be risky. Garg, Gentry, Halevi and Wichs [289] gave recent evidence that there might exist functionalities that cannot be diO obfuscated.

6 Later, Bellare, Stepanovs and Waters [91] showed additional negative results for diO, thus potentially putting diO security into a similar situation as VBB. More recently, [369] proposed more restricted form of differing inputs obfuscation called public-coin differing-inputs obfuscation (pc-diO) and showed how a circuit obfuscator could be bootstrapped to a Turing Machine obfuscator using this notion. An advantage of the public-coin restriction is that it circumvents the implausibility results of [289, 91]. At the same time, even pc-diO inherently has a stronger extraction flavor. Moreover, unlike iO, we currently do have any approaches for basing the security of pc-diO on ‘simpler’ assumptions.2 Therefore, it is desirable to have an iO scheme for Turing machines based on iO for circuit.

Two concurrent works partially addressed this problem. The works of Bitansky et al. [100] and Canetti et al. [189] constructed iO for Turing machines with bounded space and bounded length inputs, assuming iO for circuits. In both these results, the size of the obfuscated program grows with both the input bound as well as the space complexity of the Turing machine. This is not desirable, because there exist many programs where the space complexity is close to the time complexity, in which case this approach is as ineﬃcient as expressing the program as a circuit and using iO for circuits. Even if the space required is less than the time complexity, it could still be much larger than the input size, and using the obfuscation schemes of [100, 189], the size of the obfuscation grows with the space complexity.

2See Page 8 for some approaches towards proving security of iO.

7 In a joint work with Lewko and Waters [392], we proposed an obfuscation scheme for Turing machines without the memory restriction. Our construction, based on iO for circuits, required new tools and techniques. More- over, these tools and techniques led to several follow-up works on functional encryption for Turing machines [37], delegating and garbling RAM computations [188, 32, 178], time-lock puzzles [102], patchable obfuscation [35] and so on.

Understanding Security of iO Candidates: When the potential of indistinguishability obfuscation was exposed, attention naturally moved to establishing security of obfuscation candidates. All existing iO constructions are based on (noisy versions of) multilinear maps. The notion of multilinear maps (mmaps) was introduced by Boneh and Silverberg [132]. Informally, a k-linear map consists of a group G and a ‘target group’ GT , both of order p, and a k-ary map e : G × G × ... × G → GT . This map e is a non-trivial k-linear map; that is, if g is a generator of G, then for all a1, . . . , ak ∈ Zp,

a a a Q a e(g 1 , g 2 , . . . , g k ) = e(g, g, . . . , g) i i .

Bilinear maps (where k = 2) are extremely well studied objects in cryptography/cryptanalysis, and the corresponding assumptions have been exam- ined for nearly two decades now. However, there were no candidates for multilinear maps with multilinearity greater than 2. In a revolutionary work, Garg, Gentry and Halevi [285] proposed the ﬁrst candidate for (noisy) multilinear

8 maps based on ideal lattices. Shortly thereafter, other candidates [226, 298] for noisy multilinear maps and related objects were proposed. The first candidate obfuscation scheme by Garg et al. was based on the multilinear maps candidate of [285], and that was followed by different candidates based on different mmap candidates.

Initial work towards establishing security of obfuscation candidates at- tempted to prove security under certain multilinear map models or assumptions [60, 153, 467, 300, 301]. However, the security guarantees delivered from such proofs could only be as strong as the underlying multilinear map candidates [285, 226, 298, 228] which have been under a steady stream of cryptanalysis (see e.g. [227, 211, 223, 147, 224, 225, 137, 364, 348, 210, 444, 212, 39] and the references therein). To combat this, there have been new multilinear map candidates proposed as well as models meant to capture most existing attacks [50, 292, 424, 72]. While these techniques present progress in defense against currently known cryptanalysis, it is unclear whether they can be connected to standard assumptions.

Another set of works [104, 33, 34, 413, 417, 414, 37, 416] have shown connections between certain types of ‘functional encryption’ schemes and indistinguishability obfuscation3 with results showing that a constant degree multilinear maps combined with a constant depth pseudorandom generator give indistinguishability obfuscation. The current state-of-the-art in this di-

3[104, 33, 34] showed that subexponentially secure functional encryption implies indistinguishability obfuscation.

9 rection [416] gives us an indistinguishability obfuscation scheme for circuits, using degree three multilinear maps and ‘block-wise’ pseudorandom generators. The same work also gave an iO construction based on bilinear maps and 2-blockwise local PRGs. Unfortunately, the 2-blockwise local PRGs are ‘too good to be true’, and recent works [420, 59] have shown polynomial time attacks against such PRGs. Moreover, constant-blockwise local PRGs in general need further cryptanalysis.

Obfuscation from Standard Assumptions: An alternate approach is to anchor ourselves to the existing standard assumptions in cryptography, and try to build obfuscation for large function classes. Currently, there exist few VBB schemes for restricted functionalities such as point functions [174, 530, 179], hyperplanes [195], proxy re-encryption [359], conjunctions [158] which are based on (semi-)standard assumptions. Due to the restricted nature of these function classes, their applications are also fairly limited.

Towards Achieving Obfuscation from Learning with Errors Recently, there has been a growing interest towards building new primitives from the Learning with Errors (LWE) assumption. The LWE problem, introduced by Regev [483], can be reduced to the worst-case (quantum) hardness of some well studied lattice problems [483, 469, 151] and therefore believed to be a ‘standard assumption’. Since its inception, this assumption has led to many expressive cryptographic primitives such as fully homomorphic encryption [296, 154],

10 attribute based encryption [327, 328] and so on. Moreover, unlike the group- theoretic assumptions, the limitations of LWE (and other lattice based assumptions) are not clear; hence we believe that this is a plausible tool for achieving obfuscation from standard assumptions.

Initial works in this direction addressed problems which had certain ﬂavor of functional encryption/indistinguishability obfuscation, but were simpler than full-ﬂedged iO. One such problem was constructing circular security separations. A circular secure system considers security in the presence of key cycles. A key cycle of k users consists of k encryptions where the i-th ciphertext cti is an encryption of the i+1 user’s secret key under user i’s public key.

That is ct1 = Enc(pk1, sk2), ct2 = Enc(pk2, sk3) ..., ctk = Enc(pkk, sk1). If a system is k circular secure, then such a cycle should be indistinguishable from an encryption of k arbitrary messages. A natural question is whether any secure encryption scheme is also k-circular secure. If this is true, then it would imply the existence of a fully homomorphic encryption scheme based on LWE, via Gentry’s bootstrapping procedure [296]. Unfortunately, it turns out that there exist secure encryption schemes based on iO/multilinear maps that are not circular secure [490, 395]. In a joint work with Waters [396] (concurrent with [24]), we showed new n-circular separation results based on LWE. Next, we studied the problem of circular security separations where the encryption scheme is a bit encryption scheme. This problem required some new ideas, and in a joint work with Goyal and Waters [332], we showed a secure (private key) bit encryption scheme that is not circular secure. This construction had

11 some similarities to the multilinear maps of [298], and we believed that this scheme could be useful elsewhere.

”However, we believe that the ideas used in this work can be used to prove security of GGH15 mmaps for special graphs/secret distributions (note that GGH15 gave a candidate multilinear maps construction, and it did not have a proof of security for general graphs)” – quote from [332]

Shortly thereafter, in a joint work with Goyal and Waters [329], we constructed (average-case) VBB obfuscation for a large class of functions, which captures previous obfuscators for point functions and conjunctions. We pro- pose the notion of lockable obfuscation and use it to obtain a wide range of applications. Finally, we show a construction based on the Learning with Errors (LWE) assumption [483], which in turn can be reduced to worst-case (quantum) hardness of various lattice problems. A concurrent work by Wichs and Zirdelis [532] achieved similar results. Detailed discussion on lockable obfuscation and its applications can be found in Section 1.2.2.

1.2 Summary of Our Results

In this section, we give an overview of the main contributions of this work. We will start with our obfuscation scheme for Turing machines.

12 1.2.1 Indistinguishability Obfuscation for Turing Machines

Turing Machine Obfuscation from iO for circuits: Previous works and their limitations As mentioned above, two concurrent works addressed this problem partially. The works of Bitansky et al. [101] and Canetti et al. [190] constructed iO for Turing machines with bounded space and bounded length inputs, assuming iO for circuits. Both works ﬁrst build a weaker primitive called succinct randomized encodings (SRE) scheme for Turing machines with bounded space, and use a simple transformation from an SRE scheme for Turing machines with bounded space to iO for Turing machines with bounded space and inputs. A succinct randomized encoding scheme consists of two algorithms - an encoding algorithm and a decoding algorithm. The encoding algorithm takes as input a Turing machine M, input x, and outputs an encoding Mfx. The decoding algorithm takes as input an encoding Mfx, and outputs M(x). There are two requirements from an SRE scheme. First, we require that the encoding is succinct; that is, the time to encode (and therefore the size of the encoding) must only depend on the description of M, x and the security parameter (in particular, the encoding time should not depend on the running time of M on x).4 For security, we require that the encoding of M, x reveals nothing about M other than M(x). Therefore, if we have two machines M0,M1 and an input x such that M0(x) = M1(x), and both have identical running times, then the encoding of M0, x should be indistinguish-

4If we are considering space bounded Turing machines, then the size of encoding is allowed to depend on the space bound.

13 able from the encoding of M1, x. In some sense, randomized encodings can be viewed as iO for ‘machines with a single input’.

Using a randomized encoding scheme for Turing machines, one can easily build an iO scheme for Turing machines with input bound n as follows: the obfuscation of M is an obfuscation of a circuit CM that has M hardwired, takes as input a string x of length at most n, and outputs a randomized encoding of M, x (the randomness for the encoding is obtained via a pseudorandom function). Let this obfuscation be M˜ . To evaluate M˜ on input y, one needs to ﬁrst run the program on input y. This outputs a randomized encoding Mfy, which can then be evaluated to obtain M(y). Security follows via a sequence of 2n intermediate hybrid experiments, which results in a 2n factor security loss; that is, if any polynomial time adversary has advantage at most in breaking the randomized encoding scheme, then any (polynomial time) adversary has advantage at most O(·2n) in breaking the security of the obfuscation scheme. This means the security parameter for the obfuscation scheme needs to be set depending on the input bound n, which is the main reason why this approach for building obfuscation can only handle Turing machines with bounded length inputs. The bounded space restriction in the obfuscation scheme, however, arises because the randomized encoding schemes of [101, 190] work only for bounded space Turing machines.

Our Approach We also build iO for Turing machines via the ‘randomized- encodings route’. However, unlike the SRE schemes of [101, 190], our SRE

14 scheme works for general Turing machines without any bounded-space restriction. Before discussing our SRE scheme, we ﬁrst present a simpler primitive that we call message-hiding encodings (MHEs). Suppose a party has a TM M, an input x, and a message msg, and wishes to give an encoding that will disclose the message to any decoder if M(x) = 1. As in the case of SRE, we are interested in succicntness - the time to encode must depend (polynomially) only on the size of M, x and msg and the security parameter (the running time/space of M on x can be much larger than the size of M and x; we require that the size of the encoding must not grow with the running time/space). For security, we require that if M(x) = 0, then an encoding of M, x, msg should hide msg. Such a solution gives rise to applications where we want to disclose information based on certain conditions, and has applications in delegation of computation [101, 190]. We prove the following theorem.

Theorem 1.1. Assuming the existence of (sub-exponentially secure) iO for circuits and injective pseudorandom generators, there exists a succinct message hiding encoding scheme for Turing machines.

The notion of message hiding encodings for Turing machines is a delib- erate weakening of SREs for Turing machines (in the context of randomized encodings for circuits, similar weakenings of security have been studied [370], where the goal was to achieve better eﬃciency by relaxing the security requirement). One important diﬀerence between MHEs and SREs is that in MHEs, we do not need to hide intermediate computation. On the other hand, a secure SRE scheme must not reveal the intermediate states/symbols during the

15 computation. However, this simpler primitives precisely captures the technical hurdles that arise due to the ‘succinctness’ requirement. Using the ideas from our MHE scheme, we show a succinct randomized encoding scheme for Turing machines. This immediately gives us an obfuscation scheme for Turing machines with bounded-length inputs that is iO secure. More formally, we prove the following theorem.

Theorem 1.2. Assuming the existence of (sub-exponentially secure) iO for circuits and injective pseudorandom generators, there exists a succinct randomized encoding scheme for Turing machines.

1.2.2 Lockable Obfuscation

We begin by informally introducing the notion of lockable obfuscation. A lockable obfuscation scheme consists of an obfuscation and evalution algorithms. The (randomized) obfuscation algorithm Obf takes as input a security parameter λ, a program P , a message msg and lock value α and outputs an obfuscated program Pe. The evaluation algorithm Eval takes as input an obfuscated program Pe and an input x. If P (x) = α then the evaluation algorithm outputs the message msg, where P , msg and α were the program, message and lock values input to create Pe. Otherwise, if P (x) 6= α the evaluation algorithm (with high probability) outputs the ⊥ symbol to indicate rejection.

Intuitively, security states that if the lock value is chosen at random and kept from the attacker, then the attacker cannot learn anything about the program and message other than their sizes. That is there exist a simulator

16 Sim such that for all program message pairs P, msg

λ m(λ) λ |P | |msg| {Obf(1 ,P, msg, α): α ← {0, 1} } ≈c Sim(1 , 1 , 1 ).

We show how to construct a lockable obfuscation scheme for any polynomial sized circuit of suﬃcient output length from the Learning with Errors (LWE) assumption.

Theorem 1.3. Fix any polynomials d, ìn, òut such that òut = ω(log(λ)). Let

C be the set of all circuits of depth at most d(λ), and mapping `in(λ) bits to

`out(λ) bits. Assuming the Learning with Errors assumption with subexponential modulus, there exists a lockable obfuscation scheme for C.

Next, we present some applications of lockable obfuscation.

Application 1: Hiding Attributes in Attribute-Based Encryption Attribute-Based Encryption (ABE) is a powerful extension of public key encryption. In a (key-policy) ABE system [497] a user will encrypt a message msg under an attribute string x. A private key, as issued by an authority, will be associated with a boolean function f. When a user holding a secret key for function f attempts to decrypt a ciphertext he will learn the message if and only if f(x) = 1. Otherwise, the message remains hidden. While an ABE ciphertext will securely hide a private message, its security deﬁnition provides no guarantees about hiding the attribute string x. This can be problematic in many practical scenarios. Suppose we use ABE to encrypt email messages

17 and use header metadata such as the sender, recipients, time and subject as attributes, where access functions are written over these attributes. In many settings this metadata itself will be very sensitive and disclosing it as part of the ciphertext is undesirable.

Almost all expressive5 ABE systems built from standard tools6 allow for an attacker to learn the attribute string associated with a ciphertext. One notable exception is the work of Gorbunov, Vaikuntanathan and Wee [328] that achieves ‘one-sided security’ in hiding attributes. Their construction hides the attribute string x as long as f(x) = 0 for all functions f that the adversary has a secret key for. This gives a much improved security picture to before as in our example an attacker will not be able to learn the header metadata of the emails so long as they are not authorized to decrypt them. We will call such a scheme a predicate encryption scheme with one-sided security.

The GVW construction was built by adapting the ABE system of Boneh et al. [121] and required an intricate knowledge of the original system in order to utilize certain special mathematical properties. The resulting construction achieves the same functionality of bounded depth circuits as the original as well as maintains selective security under the Learning with Errors assumption.

In this paper we show how to use lockable obfuscations (sometimes in

5We note that there are constructions of more limited expressivity such as vector match- ing [135] or inner product testing [385] that hide the attributes too. 6For the purposes of this discussion we roughly consider number theoretic constructions grounded on RSA, bilinear maps and (Ring) LWE to be standard tools and those based on multilinear maps or indistinguishability obfuscation not to be.

18 combination with fully homomorphic encryption) to generically transform any ABE scheme into a predicate encryption scheme with one-sided security with corresponding functionality. An advantage of using a generic transformation is that it can take advantages of the features or forms of ABE constructions that have been introduced over the last 10+ years, including key-policy [336], ciphertext-policy [98], adaptive security (without complexity leveraging) [407], multi-authority [199, 200, 409], and efficient expression of keys as deterministic finite automata [526, 47] and circuits [327, 121]. Currently, there is no single ABE construction from standard tools that simultaneously delivers all such features. The most desirable ABE form can vary significantly between applications. Our transformations will allow one to inherent the properties of the underlying ABE scheme and at the same obtain one-sided hiding of the ciphertext attributes.

Separation and Uninstantiability Results We now demonstrate the power of lockable obfuscation for achieving negative results in cryptography by fo- cusing on two families of separation and uninstantiability results.

In recent years there has been a signiﬁcant interest on the problem of circular security [166, 398, 10] perhaps in large part due to Gentry’s [297] result showing that a leveled homomorphic encryption scheme that is circular secure implies unbounded fully homomorphic encryption. Roughly, an encryption system is circular secure if it maintains security in the setting where there are n pairs of public keys and ciphertexts arranged such that the ith ciphertext

19 encrypts the (i + 1)th secret key.

There have been several separation results [8, 197, 491, 395, 430, 99, 24, 396, 331, 332] showing that such security does not come for free. In particular, they show in diﬀerent contexts that there exist schemes that are IND-CPA secure, but not circular secure. (We discuss this prior work in detail in Sec- tion 3.6). A natural dichotomy of these results is between separations achieved using indistinguishability obfuscation [395, 331] and those built from standard assumptions [8, 197, 99, 24, 396, 332] such as assumptions on bilinear groups or LWE.

Separations built on indistinguishability obfuscation have the advantage that they can be developed relatively rapidly and are also relatively simple as one can build constructions using “normal” programs without diving into number theory. The disadvantage is that indistinguishability is not currently known from any standard assumptions. On the ﬂip side, the number theoretic constructions are based on much more standard assumptions. However, developing and understanding such solutions is a much more arduous task.

In Section 3.6 we show how to translate existing two indistinguishability obfuscation separation results due to Koppula, Ramchen and Waters [395] and one result due Goyal, Koppula and Waters [331] to rely on lockable obfuscation. The translations are extremely straightforward and our resulting solutions are almost identical with the exception that we use lockable obfuscation. The main insight is that the programs obfuscated in the above results come in a lockable friendly form. In particular, they perform a sequence of computations

20 on the input that result in a value s. Then the program tests and reports if PRG(s) = t for a pseudorandom generator PRG and hardwired value t. Using lockable obfuscation one simply uses s as the output (which is a possible lock value).

Our translations of these prior works to lockable obfuscation lead to separations that can be built on the Learning with Errors assumption. Con- cretely, we obtain new results from LWE that were previously known only from indistinguishability obfuscation. (1) We show how to build a public key bit encryption scheme that is not circular secure and (2) we show a separation for unbounded length cycles.

Our second family of negative results relate to a grouping of constructions related to the well known Fujisaki-Okamoto transformation that achieves chosen ciphertext security in the random oracle model from any scheme which is IND-CPA secure. Included in this grouping are: the Bellare et al. [79] transformation from an IND-CPA scheme to an injective trapdoor function, two transformations from IND-CPA to IND-CCA security due to Fujisaki and Okamoto [278, 279] and the deterministic encryption construction of Bellare, Boldyreva and O’Neill [77].

All of the constructions follow a similar paradigm where they encrypt a string x under random coins determined from H(x). (How the string x is construed varies somewhat between the schemes.) The works above show that if H is presented as an oracle access to a random function, the transformation results in a secure scheme under the relevant deﬁnition.

21 Chapter 2

Indistinguishability Obfuscation for Turing Machines

2.1 Overview of our scheme

A High Level Overview of our MHE scheme: Recall, a Turing machine M consists of a worktape, a set of states (which includes a ‘start’ state,‘accept’ state and ‘reject’ state) and a ‘next-step’ circuit. The next-step circuit takes as input a state, symbol and outputs the next state, symbol to be written and tape movement (left or right). Initially, the worktape has the input x, the tape head (which indicates the bit to be read from the worktape) is at location 1, and the computation starts with the ‘start’ state. At each step, the next-step circuit reads the current state and the symbol at the current tapehead, and outputs the new state, the symbol to be written at the current tape head, and the tape head movement (left or right). The machine accepts input x if it reaches the ‘accept’ state, and outputs 0 if it reaches the ‘reject’ state.

We will now present a simpliﬁed version of our MHE scheme. In our approach, the MHE for machine M, input x and message msg consists of an

1A preliminary version of this chapter appeared in [393].

22 obfuscated circuit CM,msg, a hash hinit of the input x and a signature on hinit together with the initial state and symbol. The circuit CM,msg takes as input a state st, symbol sym, position pos of tape head, hash h of worktape, and a signature σ. It first verifies the signature, uses the hash to verify that sym is indeed the symbol at position pos. If both these verifications pass, then it computes the next state st0, sym0 and tape movement. If the state is the accepting state, then the circuit outputs the message msg. Else, it updates the hash to h0, computes a signature σ0 on (h0, st0, sym0), and outputs all these components.

It is easy to check the correctness of this scheme. To evaluate this obfuscation of M, one needs to iteratively evaluate the CM,msg on appropriate inputs. The evaluation starts with hinit and signature on hinit together with starting state/symbol (recall these are provided as part of the encoding). The obfuscated circuit outputs the next state, symbol, hash and signature, which are used in the next iteration. Suppose M accepts input x in T steps. Then, after repeating T such iterations, the circuit CM,msg either outputs msg or ⊥, depending on whether M(x) = 1 or not. Let us now analyse the size of circuit CM,msg. This circuit (i) verifies the signature/hash, (ii) computes the new state/symbol (iii) updates the hash, (iv) computes a new signature. As a result, the size of CM,msg depends only on the size of M, msg and the security parameter, provided the signatures can be verified/computed succinctly, and the hash can be verified/updated succinctly. Both these goals can be achieved easily via standard techniques, and therefore the size of the encoding only

23 depends on |M|, |msg| and the security parameter.

Let us now consider the security of this scheme. Intuitively, we want that the circuit CM,msg does not reveal the message msg. Using the security of the signature scheme and the hash function, we can hope that the adversary can never deviate from the correct computation. As a result, if an adversary is given an encoding of M, x, msg such that M(x) = 0, then showing that the adversary does not deviate from correct computation suﬃces to argue secrecy of the message msg. However, since we are working with indistinguishability obfuscation, translating this intuition to an actual proof presents several challenges. In particular, one main issue is that standard signature schemes and hash functions are not iO-friendly

A natural proof strategy is to proceed via a sequence of hybrids where in Hybrid i the program is “hardwired” to demand at timestep t = i that the output mout (that is, the new state, symbol, tape movement, hash and

∗ signature) match the honestly computed value mi . The goal is to iterate the proof hardwiring until the step t∗ where the honest computation will hit the reject state and halt. As we move along from Hybrid i to Hybrid i + 1, it is important that the proof will “clean up” the hardwiring on step i as it places new hardwiring on step i + 1. Otherwise, the ﬁnal circuit of the proof would contain hardwirings for all t∗ steps of the computation. If this occured, the obfuscated step circuit of the real computation would need to be padded to this length to make iO arguments go through (recall that iO security only works for circuits of identical size and functionality), which would defeat the

24 entire point of aiming for Turing Machines.

A central diﬃculty comes from the fact that each computational step i will not only require the signed TM state computed at step i − 1, but also needs a tape symbol that may have been written at a much earlier time period. The main challenge is how to enforce that the hardwiring of the output of step i − 1 can be translated into a correct wiring of step i without having the obfuscated program pass the entire storage (i.e. tape conﬁguration) at each step. In addition, we wish to avoid any encoding which requires programming proportional to the maximum storage.

To overcome this challenge, we introduce our technique of ”selective enforcement”. Here we ﬁrst create a primitive called a positional accumulator, which is a special hash function that is compatible with iO. A positional accumulator, as standard hash functions, allows for a small commitment to a much larger storage. The commitment is unconditionally sound for a select piece of the storage. Moreover, we are able to computationally hide which portion of the storage is unconditionally enforced. The idea of the selective enforcement primitive is to use such an ”iO-friendly” tool that allows us to make two different programs equivalent at diﬀerent stages of a proof. In particular, if we are at hybrid step i which reads tape position pos, then we want unconditional soundness at this tape position.

More speciﬁcally, a positional accumulator behaves somewhat similarly to standard notations of accumulators [96]. It has a setup algorithm Setup-Acc(1λ,S) that takes in a security parameter (in unary) and a maxi-

25 mum storage size S in binary (which can be assumed to be exponential in the security parameter). It outputs parameters PP, an initial accumulator value w0, and storage value store0. In addition, the system has algorithms for writing to the storage, updating the accumulator to reﬂect writes, and proving and verifying reads. Writes will be of a message m to an index in [0,S − 1] and reads will be from a certain index. The accumulator value will stay small while the storage will grow with the number of unique indices written to. Similarly, the update and verify read algorithms should be polynomial in lg(S) and λ. In addition to the normal setup, there is a separate setup al-

λ ∗ gorithm Setup-Acc-EnfR(1 ,T, (m1, index1),..., (mk, indexk), index ). This algorithm takes in a sequence of message and index pairs as well as a special index∗. Informally, this setup has the property that if one writes the messages in the order given (and updates the accumulator from w0 to wk honestly) then it is unconditionally impossible to give a false proof for index∗ on accumulator value wk. Moreover, the output of this setup algorithm is computationally indistinguishable from the output of a standard setup. There is also an analogous setup algorithm for selectively enforcing correct updates on the accumulator. Our construction uses iO, puncturable PRFs, and public key encryption — thus it can be done from iO and one way functions. The construction uses a form of a Merkle hash tree that ﬁlls out the Merkle tree dynamically, using an obfuscated circuit as the main hash function.

With these ideas in place, we can describe our main proof steps at a high level. At Hybrid i the obfuscated step circuit will be hardwired to

26 only output a “good” signature if the derived output is the correct tuple

(stout, wout, vout, posout) representing the correct output TM state, positional accumulator value, iterator value, and tape position.2

We next transition to an intermediate hybrid where (stout, wout, vout, posout) are hardwired into the input of the next stage i+1. Thus the changes from this proof step move across iterations. Executing this step involves many small hybrids and the use of another iO friendly tool that we introduce called splittable signatures. We again defer further details to the main body.

To complete the hybrid argument we need to be able to transition from hardwiring the inputs of step i + 1 to hardwiring the outputs. This is where the selective enforcement enters the picture. In general, using a normal setup does not guarantee the equivalence of hardwiring the correct inputs versus hardwiring the correct outputs. However, if we ﬁrst (indistinguishably) change the accumulator and iterator to be unconditionally enforcing at the right places, then we can use iO to change the hardwiring from the input to the output. We then cleanup by changing the accumulator and iterator to normal setup. In contrast to the last, this proof step makes its hardwiring changes within a timestep.

Taken all together, our proof can iterate through these hybrids until we can change the hardwiring to the step t∗ and then use iO to erase the message from the program. We also remark that are selective enforcement approach

2 We also deﬁne a second tool of an iterator that is allows for a diﬀerent kind of selective enforcement. We defer further explanation to the main body.

27 has a similar ﬂavor to the somewhere statistically binding hash of Hubacek and Wichs [365] used in the context of secure function evaluation.

Finally, we consider the time bound T . In practice we could set T to be 2λ. Since the overhead of obfuscating is a ﬁxed polynomial in lg(T ) and λ, applying this setting would give a ﬁxed polynomial in λ. At the same time the construction would then work for computations whose running time was any polynomial in λ. Note that this may result in a negligible correctness error. Consider a class of computations whose running time is some polynomial function p(·). There must exists some constant λ0 such that for all λ ≥ λ0 we have p(λ) ≤ 2λ and the system will be correct for all those values. Thus a particular poly-time computation will only incorrect for a constant number of λ values and have negligible error asymptotically.

Succinct Randomized Encodings : Hiding the Computation We now move toward the more complex case of hiding the computation. Here we consider oblivious Turing Machines [474] whose tape movements can be calculated by a function d(t) of the time step. Second, instead of writing the state and tape symbols in the clear they will be encrypted by the obfuscated step circuit under a public key derived (via a puncturable PRF) from the time step t on which they were written.

To prove security we will show that an encoding of (M0, x) is indistinguishable from a simulated encoding that does not reﬂect either computation other than the ﬁnal output, input, tape movement, and time taken. We will

28 prove this by a hybrid which erases both the machine logic inside the obfuscated program as well as the state and tape symbols it writes out. The high level strategy is to iteratively replace the normal logic at step i with a program that on any valid signature will simply output an encryption of a distinct erase symbol erase to both the state and tape. We ﬁrst observe that such a hybrid strategy will not work well if it follows the computation in the forward direction from start to ﬁnish. Suppose we have just erased the logic of the i-th step, then the i-th step will write erase to a tape position which is read at some later time step j > i. However, since time step j has not yet been changed, it will not know how to handle the erase symbol and the proof cannot proceed.

For this reason, our proof proceeds in the reverse direction from Hybrid t∗ to Hybrid 0, where t∗ is the number of steps the computation takes. At Hybrid i all steps j where i ≤ j < t∗ are hardwired to be erasing. Step t∗ is

∗ wired to the output M0(x) and steps j > t simply abort. Steps j < i are as in the real construction.

The proof proceeds with two major steps. First we deﬁne an intermediate variant of Hybrid i where steps j ≥ i are erasing as describe above and steps j < i−1 are as in the normal scheme. The signiﬁcant change is that step i − 1 is hardwired to the correct output of the computation. We do this by essentially using our proof techniques from the message-hiding case as a sub- routine for hardwiring the correct output at i − 1. Next, we use the security of the encryption scheme plus some iO tricks to switch i − 1 from the correct computation to an erasing one, thus moving down to Hybrid i − 1. Once we

29 get to the bottom hybrid step, the proof is complete. The main theme is that the enforcement ideas from before plus a little additional encryption is enough to hide the computation.

2.2 Preliminaries 2.2.1 Notations

In this work, we will use the following notations for Turing machines.

Turing machines A Turing machine is a 7-tuple M = hQ, Σtape, Σinp, δ, q0, qacc, qreji with the following properties:

- Q: set of ﬁnite states, Σinp: input symbols, Σtape : tape symbols. We will

assume Σinp ⊂ Σtape and there is a special blank symbol ‘ ’ ∈ Σtape \Σinp.

- δ : Q × Σtape → Q × Σtape × {+1, −1}: the transition function.

- q0 ∈ Q is the start state, qacc ∈ Q is the accept state and qrej ∈ Q is the

reject state, where qacc 6= qrej.

For any i ≤ T , we deﬁne the following variables:

T T - Mtape,i ∈ Σtape :A T dimensional vector which gives the description of tape before ith step.

T - Mpos,i : An integer which describes the position of Turing machine header before ith step.

T - Mstate,i ∈ Q : the state of the Turing machine before step i.

30 T T T T Initially, Mtape,1 = ( ) , Mpos,1 = 0 and Mstate,1 = q0. At each time step, the Turing machine reads the tape at the head position and based on the current state, computes what needs to be written on the tape, the next state and whether the header must move left or right. More formally, let (q, α, β) =

T T T T T T T δ(Mstate,i,Mtape,i[Mpos,i]). Then, Mtape,i+1[Mpos,i] = α, Mpos,i+1 = Mpos,i + β

T T and Mstate,i+1 = q. M accepts at time t if Mstate,t+1 = qacc. Given any Turing

T machine M and time bound T , let ΠM = 1 if M accepts within T steps, else

T ΠM = 0.

2.2.2 Puncturable Pseudorandom Functions

The notion of constrained PRFs was introduced in the concurrent works of [136, 145, 386]. Punctured PRFs, ﬁrst termed by [501] are a special class of constrained PRFs.

A PRF F : K×X → Y is a puncturable pseudorandom function if there is an additional key space Kp and three polynomial time algorithms F.setup, F.eval and F.puncture as follows:

• F.setup(1λ) is a randomized algorithm that takes the security parameter λ as input and outputs a description of the key space K, the punctured

key space Kp and the PRF F .

• F.puncture(K, x) is a randomized algorithm that takes as input a PRF

key K ∈ K and x ∈ X, and outputs a key Kx ∈ Kp.

0 • F.eval(Kx, x ) is a deterministic algorithm that takes as input a punc-

31 0 tured key Kx ∈ Kp and x ∈ X. Let K ∈ K, x ∈ X and Kx ← F.puncture(K, x). For correctness, we need the following property:

( 0 0 0 F (K, x ) if x 6= x F.eval(Kx, x ) = ⊥ otherwise

In this work, we will only need selectively secure puncturable PRFs. The selective security game between the challenger and the adversary A consists of the following phases.

Challenge Phase A sends a challenge x∗ ∈ X. The challenger chooses uniformly at random a PRF key K ← K and a bit b ← {0, 1}. It computes K{x∗} ← F.puncture(K, x∗). If b = 0, the challenger sets y = F (K, x∗), else y ← Y. It sends K{x∗}, y to A.

Guess A outputs a guess b0 of b.

0 F A wins if b = b . The advantage of A is advA(λ) = Pr[A wins] − 1/2.

Deﬁnition 2.1. The PRF F is a selectively secure puncturable PRF if for all

F probabilistic polynomial time adversaries A, advA(λ) is negligible in λ.

2.2.3 Obfuscation

We recall the deﬁnition of indistinguishability obfuscation from [286, 501].

Deﬁnition 2.2. (Indistinguishability Obfuscation) Let C = {Cλ}λ∈N be a family of polynomial-size circuits. Let iO be a uniform PPT algorithm that

32 takes as input the security parameter λ, a circuit C ∈ Cλ and outputs a circuit

0 C . iO is called an indistinguishability obfuscator for a circuit class {Cλ} if it satisﬁes the following conditions:

• (Preserving Functionality) For all security parameters λ ∈ N, for all C ∈ 0 0 λ Cλ, for all inputs x, we have that C (x) = C(x) where C ← iO(1 ,C).

• (Indistinguishability of Obfuscation) For any (not necessarily uniform) PPT distinguisher B = (Samp, D), there exists a negligible function negl(·) such that the following holds: if for all security parameters λ ∈

λ N, Pr[∀x, C0(x) = C1(x):(C0; C1; σ) ← Samp(1 )] > 1 − negl(λ), then

λ λ | Pr[D(σ, iO(1 ,C0)) = 1 : (C0; C1; σ) ← Samp(1 )]−

λ λ Pr[D(σ, iO(1 ,C1)) = 1 : (C0; C1; σ) ← Samp(1 )]| ≤ negl(λ).

We remark that (Samp, D) are two algorithms that pass state, which can be viewed equivalently as a single stateful algorithm B. In our proofs we employ the latter approach, although here we state the deﬁnition as it appears in prior work.

2.3 iO-compatible Primitives 2.3.1 Iterators

In this section, we deﬁne the notion of cryptographic iterators and show a construction based on indistinguishability obfuscator, selectively secure puncturable PRFs, and IND-CPA secure PKE. A cryptographic iterator

33 essentially consists of a small state that is updated in an iterative fashion as messages are received. An update to apply a new message given current state is performed via some public parameters.

Since states will remain relatively small regardless of the number of messages that have been iteratively applied, there will in general be many sequences of messages that can lead to the same state. However, our security requirement will capture that the normal public parameters are computationally indistinguishable from specially constructed “enforcing” parameters that ensure that a particular single state can be only be obtained as an output as an update to precisely one other state, message pair. Note that this enforcement is a very localized property to a particular state, and hence can be achieved information-theoretically when we ﬁx ahead of time where exactly we want this enforcement to be.

Syntax Let ` be any polynomial. An iterator I with message space Mλ =

`(λ) {0, 1} and state space Sλ consists of three algorithms - Setup-Itr, Setup-Itr-Enforce and Iterate deﬁned below.

Setup-Itr(1λ,T ) The setup algorithm takes as input the security parameter λ (in unary), and an integer bound T (in binary) on the number of

iterations. It outputs public parameters PP and an initial state v0 ∈ Sλ.

λ Setup-Itr-Enforce(1 ,T, m = (m1, . . . , mk)) The enforced setup algorithm takes as input the security parameter λ (in unary), an integer bound T (in bi-

34 `(λ) nary) and k messages (m1, . . . , mk), where each mi ∈ {0, 1} and k is some polynomial in λ. It outputs public parameters PP and a state

v0 ∈ S.

Iterate(PP, vin, m) The iterate algorithm takes as input the public parameters

`(λ) PP, a state vin, and a message m ∈ {0, 1} . It outputs a state vout ∈ Sλ.

For simplicity of notation, we will drop the dependence of ` on λ. Also,

k for any integer k ≤ T , we will use the notation Iterate (PP, v0, (m1, . . . , mk)) to denote Iterate(PP, vk−1, mk), where vj = Iterate(PP, vj−1, mj) for all 1 ≤ j ≤ k − 1.

Security Let I = (Setup-Itr, Setup-Itr-Enforce, Iterate) be an interator with

` message space {0, 1} and state space Sλ. We require the following notions of security.

Deﬁnition 2.3 (Indistinguishability of Setup). An iterator I is said to satisfy indistinguishability of Setup phase if any PPT adversary A’s advantage in the security game Exp-Setup-Itr(1λ, I, A) at most is negligible in λ, where Exp-Setup-Itr is deﬁned as follows.

Exp-Setup-Itr(1λ, I, A)

1. The adversary A chooses a bound T ∈ Θ(2λ) and sends it to challenger.

` 2. A sends k messages m1, . . . , mk ∈ {0, 1} to the challenger.

35 3. The challenger chooses a bit b. If b = 0, the challenger outputs (PP, v0) ←

λ λ k Setup-Itr(1 ,T ). Else, it outputs (PP, v0) ← Setup-Itr-Enforce(1 ,T, 1 , m =

(m1, . . . , mk)). 4. A sends a bit b0.

A wins the security game if b = b0.

Deﬁnition 2.4 (Enforcing). Consider any λ ∈ N, T ∈ Θ(2λ), k < T and ` λ m1, . . . , mk ∈ {0, 1} . Let (PP, v0) ← Setup-Itr-Enforce(1 ,T, m = (m1, . . . , mk))

j and vj = Iterate (PP, v0, (m1, . . . , mj)) for all 1 ≤ j ≤ k. Then, I = (Setup-Itr, Setup-Itr-Enforce, Iterate) is said to be enforcing if

0 0 0 0 vk = Iterate(PP, v , m ) =⇒ (v , m ) = (vk−1, mk).

Note that this is an information-theoretic property.

2.3.1.1 Construction

We will now describe our iterator construction. The main idea is that states (generated by the normal setup algorithm) will correspond to ciphertexts encrypting 0 in a PKE scheme, and the public parameters will be an obfuscated program that computes randomness for a new encryption by evaluating a puncturable PRF on the current state. To enforce the information-theoretic property at a particular state, we will use a sequence of hybrids to switch to using a punctured key, replace the randomness at that punctured point with a fresh value, and exchange a hardwired fresh encryption of 0 with a fresh encryption of 1. Perfect correctness for the PKE scheme will ensure that this

36 value cannot be obtained at any other input, since all other inputs will produce encryptions of 0.

Let iO be an indistinguishability obfuscator, PKE = (PKE.setup, PKE.enc, PKE.dec) a public key encryption scheme with message space {0, 1} and ciphertext space

CPKE. We will assume PKE.enc uses r bits of randomness. Let F a puncturable pseudorandom function with key space K, punctured key space Kp, domain {0, 1}λ, range {0, 1}r and algorithms F.setup,F.eval,F.puncture. Our iterator I = (Setup-Itr, Setup-Itr-Enforce, Iterate) with message space {0, 1}` and state space CPKE × N is deﬁned as follows.

• Setup-Itr(1λ,T ): The setup algorithm chooses (pk, sk) ← PKE.setup(1λ) and puncturable PRF key K ← F.setup(1λ). It sets PP ← iO(Prog{K, pk}),

where Prog is deﬁned in Figure 2.1. Let ct0 ← PKE.enc(pk, 0). The ini-

tial state v0 = (ct0, 0).

Program Prog

Constants: Puncturable PRF key K, PKE public key pk. ` Input: State vin = (ctin, j) ∈ CPKE × [T ], message m ∈ {0, 1} .

1. Compute r = F (K, (vin, m)).

2. Let ctout = PKE.enc(pk, 0; r). Output vout = (ctout, j + 1).

Figure 2.1: Program Prog

λ k • Setup-Itr-Enforce(1 ,T, 1 , m = (m1, . . . , mk)): The ‘enforced’ setup algorithm chooses (pk, sk) ← PKE.setup(1λ). Next, it chooses K ← F.setup(1λ).

It computes ct0 ← PKE.enc(pk, 0) and sets v0 = (ct0, 0). For j = 1

37 to k − 1, it computes rj = F (K, (vj−1, mj)), ctj = PKE.enc(pk, 0; rj)

and sets vj = (ctj, j). It computes a punctured key K{(vk−1, mk)} ←

r F.puncture(K, (vk−1, mk)), chooses rk ← {0, 1} and sets ctk = PKE.enc(pk, 1; rk). Finally, it computes the public parameters PP ← iO(Prog-Enforce{k,

vk−1, mk, K{(vk−1, mk)}, ctk, pk}), where Prog-Enforce is deﬁned in Fig- ure 2.2.

Program Prog-Enforce

` Constants: Integer k ∈ [T ], state vk−1, message mk ∈ {0, 1} , Puncturable PRF key K{(vk−1, mk)}, ctk ∈ CPKE, PKE public key pk. ` Input: State vin = (ctin, j) ∈ CPKE × [T ], message m ∈ {0, 1} .

1. If vin = vk−1 and m = mk, output vout = (ctk, k)

2. Else, compute r = F (K, (vin, m)).

3. Let ctout = PKE.enc(pk, 0; r). Output vout = (ctout, j + 1).

Figure 2.2: Program Prog-Enforce

• Iterate(PP, vin, m): The iterator algorithm simply outputs PP(vin, m).

Eﬃciency The construction runs in time polynomial of lg(T ) and λ.

2.3.1.2 Security

We will now show that the construction described in Section 2.3.1.1 satisﬁes indistinguishability of Setup phase and is enforcing.

Lemma 2.1 (Indistinguishability of Setup Phase). Assuming iO is a secure indistinguishability obfuscator, PKE is a IND-CPA secure public key encryption

38 scheme and F is a selectively secure puncturable pseudorandom function, any PPT adversary A has at most negligible advantage in the Exp-Setup-Itr security game.

Proof. In order to prove this lemma, we will deﬁne a sequence of intermediate hybrid experiments Hyb0,..., Hyb3. Hyb0 corresponds to the case where the challenger sends public parameters PP generated using Setup-Itr, while

Hyb3 corresponds to the case where the challenger sends PP generated using Setup-Itr-Enforce.

Hyb0 In this experiment, the challenger computes PP using Setup-Itr.

1. A sends T ∈ Θ(2λ).

` 2. A sends k messages m1, . . . , mk ∈ {0, 1} . 3. Challenger chooses (pk, sk) ← PKE.setup(1λ) and K ← F.setup(1λ).

r It chooses r0 ← {0, 1} , sets ct0 = PKE.enc(pk, 0; r) and v0 = (ct0, 0).

4. It sets PP ← iO(Prog{K, pk}) and sends (PP, v0) to A. 5. A sends a bit b0.

Hyb1 This experiment is similar to the previous one, except that the challenger sends an obfuscation of Prog-Enforce. The program Prog-Enforce uses a punctured PRF key, and has the PRF output hardwired at the punctured point.

39 4. Next, it computes rj = F (K, (vj−1, mj)), sets ctj = PKE.enc(pk, 0; rj)

and vj = (ctj, j) for all j ≤ k.

It computes a punctured PRF key K{(vk−1, mk−1)} ← F.puncture(K, (vk−1, mk−1)).

It sets PP ← iO(Prog-Enforce{k, vk−1, mk−1,K{(vk−1, mk−1)}, ctk, pk})

and sends (PP, v0) to A.

Hyb2 In this hybrid experiment, the ciphertext ctk is computed using true randomness, instead of a pseudorandom string.

4. Next, it computes rj = F (K, (vj−1, mj)), sets ctj = PKE.enc(pk, 0; rj)

and vj = (ctj, j) for all j < k.

r For j = k, it chooses rk ← {0, 1} , sets ctk = PKE.enc(pk, 0; rk) and

vk = (ctk, k).

Hyb3 In this experiment, the challenger outputs PP computed using Setup-Itr-Enforce.

It is similar to the previous experiment, except that ctk is an encryption of 1.

r 4. For j = k, it chooses rk ← {0, 1} , sets ctk = PKE.enc(pk, 1; rk) and

vk = (ctk, k).

Claim 2.1. Assuming iO is a secure indistinguishability obfuscator, for any PPT adversary A,

Pr[A outputs 0 in Hyb0] − Pr[A outputs 0 in Hyb1] ≤ negl(λ).

40 Proof. Here, the behavior of Prog and Prog-Enforce are identical, as the hardwired value ctk for Prog-Enforce is computed precisely as it is computed in Prog.

Claim 2.2. Assuming F is a selectively secure puncturable PRF, for any PPT adversary A,

Pr[A outputs 0 in Hyb1] − Pr[A outputs 0 in Hyb2] ≤ negl(λ).

Proof. Here, the only diﬀerence is that the value of the F at the punctured point is replaced by a fresh random string. Since A is only receiving PP formed from a punctured key, this follows immediately from the selective security of F .

Claim 2.3. Assuming PKE is an IND-CPA secure public key encryption scheme, for any PPT adversary A,

Pr[A outputs 0 in Hyb2] − Pr[A outputs 0 in Hyb3] ≤ negl(λ).

Proof. The only diﬀerence between these two hybrids is that ctk changes from a fresh encryption of 0 to a fresh encryption of 1. Hence this follows immediately from the IND-CPA security of PKE.

In summary, it follows that if iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, and PKE is IND-CPA secure, then any PPT adversary A has negligible advantage in Exp-Setup-Itr(1λ, I, A).

41 Lemma 2.2 (Enforcing). Assuming PKE is a perfectly correct public key encryption scheme, I = (Setup-Itr, Setup-Itr-Enforce, Iterate) is enforcing.

Proof. This follows immediately from perfect correctness of PKE because the hardwired value ctk in Prog-Enforce is an encryption of 1, and all other states produced by Prog-Enforce are encryptions of 0.

2.4 Positional Accumulators

We will now deﬁne the notion of positional accumulators, and then show a construction based on iO, puncturable PRFs, and public key encryption.

Intuitively, a positional accumulator will be a cryptographic data structure that maintains two values: a storage value and an accumulator value. The storage value will be allowed to grow comparatively large, while the accumulator value will be constrained to be short. Messages can be written to various positions in the the underlying storage, and new accumulated values can be computed as a stream, knowing only the previous accumulator value and the newly written message and its position in the data structure. Since the accumulator values are small, one cannot hope to recover everything written in the storage from the accumulator value alone. However, we deﬁne “helper” algorithms that essentially allow a party who is maintaining the full storage to help a more restricted party who is only maintaining the accumulator values recover the data currently written at an arbitrary location. The helper is not necessarily trusted, so the party maintaining the accumulator values performs

42 a veriﬁcation procedure in order to be convinced that they are indeed reading the correct messages.

A positional accumulator for message space Mλ consists of the following algorithms.

Setup-Acc(1λ,T ) The setup algorithm takes as input a security parameter λ in unary and an integer T in binary representing the maximum number of values that can stored. It outputs public parameters PP, an initial

accumulator value w0, and an initial storage value store0.

λ ∗ Setup-Acc-EnfR(1 ,T, (m1, index1),..., (mk, indexk), index ) The setup enforce read algorithm takes as input a security parameter λ in unary, an integer T in binary representing the maximum number of values that can be stored, and a sequence of symbol, index pairs, where each index

is between 0 and T − 1, and an additional index∗ also between 0 and

T −1. It outputs public parameters PP, an initial accumulator value w0,

and an initial storage value store0.

λ Setup-Acc-EnfW(1 ,T, (m1, index1),..., (mk, indexk)) The setup enforce write algorithm takes as input a security parameter λ in unary, an integer T in binary representing the maximum number of values that can be stored, and a sequence of symbol, index pairs, where each index is between 0 and T −1. It outputs public parameters PP, an initial accumulator value

w0, and an initial storage value store0.

43 PrepR(PP, storein, index) The prep-read algorithm takes as input the public

parameters PP, a storage value storein, and an index between 0 and T − 1. It outputs a symbol m (that can be ) and a value π.

PrepW(PP, storein, index) The prep-write algorithm takes as input the pub-

lic parameters PP, a storage value storein, and an index between 0 and T − 1. It outputs an auxiliary value aux.

VerifyR(PP, win, mread, index, π) The verify-read algorithm takes as input the

public parameters PP, an accumulator value win, a symbol, mread, an index between 0 and T − 1, and a value π. It outputs True or False.

WriteS(PP, storein, index, m) The write-store algorithm takes in the public

parameters, a storage value storein, an index between 0 and T − 1, and

a symbol m. It outputs a storage value storeout.

Update(PP, win, mwrite, index, aux) The update algorithm takes in the public

parameters PP, an accumulator value win, a symbol mwrite, and index between 0 and T − 1, and an auxiliary value aux. It outputs an accumu-

lator value wout or Reject.

In general we will think of the Setup-Acc algorithm as being randomized and the other algorithms as being deterministic. However, one could consider non-deterministic variants.

44 Correctness We consider any sequence (m1, index1),..., (mk, indexk) of symbols m1, . . . , mk and indices index1,..., indexk each between 0 and T −1.

λ We fix any PP, w0, store0 ← Setup-Acc(1 ,T ). For j from 1 to k, we define storej iteratively as storej := WriteS(PP, storej−1, indexj, mj). We similarly define auxj and wj iteratively as auxj := PrepW(PP, storej−1, indexj) and wj := Update(PP, wj−1, mj, indexj, auxj). Note that the algorithms other than Setup-Acc are deterministic, so these definitions fix precise values, not random values (conditioned on the fixed starting values PP, w0, store0).

We require the following correctness properties:

1. For every index between 0 and T −1, PrepR(PP, storek, index) returns

mi, π, where i is the largest value in [k] such that indexi = index. If

no such value exists, then mi = .

2. For any index, let (m, π) ← PrepR(PP, storek, index). Then VerifyR(PP,

wk, m, index, π) = True.

Remarks on Eﬃciency In our construction, all algorithms will run in time polynomial in their input sizes. More precisely, Setup-Acc will be polynomial in λ and log(T ). Also, accumulator and π values should have size polynomial in λ and log(T ), so VerifyR and Update will also run in time polynomial in λ and log(T ). Storage values will have size polynomial in the number of values stored so far. WriteS, PrepR, and PrepW will run in time polynomial in λ and T .

45 Security Let Acc = (Setup-Acc, Setup-Acc-EnfR, Setup-Acc-EnfW, PrepR, PrepW, VerifyR, WriteS, Update) be a positional accumulator for symbol set M. We require Acc to satisfy the following notions of security.

Deﬁnition 2.5 (Indistinguishability of Read Setup). A positional accumulator Acc is said to satisfy indistinguishability of read setup if any PPT adversary A’s advantage in the security game Exp–Acc(1λ, Acc, A) is at most negligible in λ, where Exp–Acc is deﬁned as follows.

Exp–Acc(1λ, Acc, A)

1. Adversary chooses a bound T ∈ Θ(2λ) and sends it to challenger.

2. A sends k messages m1, . . . , mk ∈ M and k indices index1,...,

indexAk ∈ {0,...,T − 1} to the challenger.

3. The challenger chooses a bit b. If b = 0, the challenger outputs (PP, w0, store0) ←

λ λ Setup-Acc(1 ,T ). Else, it outputs (PP, w0, store0) ← Setup-Acc-EnfR(1 ,

T ,(m1, index1), ...,(mk, indexk)). 4. A sends a bit b0.

A wins the security game if b = b0.

Deﬁnition 2.6 (Indistinguishability of Write Setup). A positional accumulator Acc is said to satisfy indistinguishability of write setup if any PPT adversary A’s advantage in the security game Exp–Acc(1λ, Acc, A) is at most negligible in λ, where Exp–Acc is deﬁned as follows.

Exp–Acc(1λ, Acc, A)

46 1. Adversary chooses a bound T ∈ Θ(2λ) and sends it to challenger.

2. A sends k messages m1, . . . , mk ∈ M and k indices index1,...,

indexAk ∈ {0,...,T − 1} to the challenger.

3. The challenger chooses a bit b. If b = 0, the challenger outputs (PP, w0, store0) ←

λ λ Setup-Acc(1 ,T ). Else, it outputs (PP, w0, store0) ← Setup-Acc-EnfW(1 ,

T ,(m1, index1), ...,(mk, indexk)). 4. A sends a bit b0.

A wins the security game if b = b0.

λ Deﬁnition 2.7 (Read Enforcing). Consider any λ ∈ N, T ∈ Θ(2 ), m1, . . . , mk ∈ ∗ M, index1,..., indexk ∈ {0,...,T − 1} and any index ∈ {0,...,T − 1}.

λ Let (PP, w0, st0) ← Setup-Acc-EnfR(1 , T ,(m1, index1), ...,(mk, indexk),

∗ index ). For j from 1 to k, we deﬁne storej iteratively as storej :=

WriteS(PP, storej−1, indexj, mj). We similarly deﬁne auxj and wj iteratively as auxj := PrepW(PP, storej−1, indexj) and wj := Update(PP, wj−1, mj, indexj, auxj). Acc is said to be read enforcing if VerifyR(PP, wk, m,

∗ ∗ index , π) = T rue, then either index ∈/ {index1,..., indexk} and m = ,

∗ or m = mi for the largest i ∈ [k] such that indexi = index . Note that this is an information-theoretic property: we are requiring that for all other symobls m, values of π that would cause VerifyR to output T rue at index∗ do no exist.

λ Deﬁnition 2.8 (Write Enforcing). Consider any λ ∈ N, T ∈ Θ(2 ), m1,

..., mk ∈ M, index1, ..., indexk ∈ {0,...,T − 1}. Let (PP, w0, st0) ←

λ Setup-Acc-EnfW(1 , T ,(m1, index1), ...,(mk, indexk)). For j from 1 to k,

47 we deﬁne storej iteratively as storej := WriteS(PP, storej−1, indexj, mj).

We similarly deﬁne auxj and wj iteratively as auxj := PrepW(PP, storej−1, indexj) and wj := Update(PP, wj−1, mj, indexj, auxj). Acc is said to be write enforcing if Update(PP, wk−1, mk, indexk, aux) = wout 6= Reject, for any aux, then wout = wk. Note that this is an information-theoretic property: we are requiring that an aux value producing an accumulated value other than wk or Reject deos not exist.

2.4.1 Construction

In this section, we will construct a positional accumulator Acc = (Setup-Acc, Setup-Acc-EnfR, Setup-Acc-EnfW, PrepR, PrepW, VerifyR, WriteS, Update) for the symbol set M := {0, 1}`0 . Let iO be an indistinguishability obfuscator and let F be a selectively secure puncturable PRF with key space K, punc-

≤2`+d z tured key space Kp, domain {0, 1} , range {0, 1} , and algorithms F.setup, F.puncture, and F.eval. We let PKE = (PKE.setup, PKE.enc, PKE.dec) denote a public key encryption scheme with message space {0, 1} that is perfectly correct and uses z bits of randomness for encryption. We set ` to be suﬃ- ciently large so that ciphertext produces by PKE, the special sympbol ⊥, and all symbols in M are represented as unique `-bit strings.

Without loss of generality, we assume that T = 2d for some integer d = poly(λ). Our storage will take the form of a binary tree containing up to T leaves, with each node indexed by a binary string of length ≤ d. A node in

≤d the tree indexed by a binary string x1x2 . . . xj ∈ {0, 1} is a child of the node

48 indexed by x1 . . . xj−1. An internal node contains an `-bit string, as well as pointers to its left and right children. If either child does not exist, the pointer takes a default value ⊥. A leaf node contains a symbol ∈ M. The accumulated values will correspond to the ` bit strings stored at the root node.

• Setup-Acc(1λ,T ): The setup algorithm chooses a random key K for the puncturable PRF, and a secret key, public key pair sk, pk ← PKE.setup. We let H denote the program in Figure 2.3.

Program H

Constants: Puncturable PRF key K, PKE public key pk. ` `

1. Compute r = F (K, (h1, h2, index)). 2. Output PKE.enc(pk, 0; r).

Figure 2.3: Program H

The public parameters are PP := iO(H). The initial value w0 is ⊥, and

the initial store0 is a single root node with value ⊥.

λ ∗ • Setup-Acc-EnfR(1 ,T, (m1, index1),..., (mk, indexk), index ): The setup algorithm chooses a random key K for the puncturable PRF, and a secret key, public key pair sk, pk ← PKE.setup. It creates ciphertexts

ct0,..., ctd−1 by encrypting 1 using PKE.enc with d independently sampled values for the randomness. For notational convenience, we also

∗ ∗ ∗ deﬁne ctd := mi∗ where i is the largest integer such that i = index .

∗ If no such i exists, ctd := .

49 It deﬁnes store0 to be a single root node with value ⊥ and w0 := ⊥. It then deﬁnes the program H as in Setup-Acc above, and iteratively runs

WriteS(H, storei−1, indexi, mi) → storei to produce storek. We let

∗ indexj denote the j-bit preﬁx of index.

We let H0 denote the program in Figure 2.4.

Program H0

Constants: Puncturable PRF key K, PKE public key pk, index∗, values ∗ d of nodes in storek for preﬁxes of index and their siblings, {ctj}j=0. ` `

1. If index is a preﬁx of index∗ of length j < d, check if the value among {h1, h2} corresponding to the child that is a length j + 1 preﬁx of index is equal to ctj+1, and the other value among {h1, h2} is checked against the corresponding node value in storek. If both of these comparisons yield equality, output ctj.

2. Otherwise, compute r = F (K, (h1, h2, index)) and output PKE.enc(pk, 0; r).

Figure 2.4: Program H0

The public parameters are PP := iO(H0).

λ • Setup-Acc-EnfW(1 ,T, (m1, index1),..., (mk, indexk)): This algorithm

λ ∗ simply calls Setup-Acc-EnfR(1 , T ,(m1, index1), ...,(mk, indexk), index =

indexk).

• PrepR(PP, storein, index): Here, index is interpreted as a d-bit string. We let j ∈ {1, . . . , d} denote the largest value such that the node in

storein corresponding to the length j preﬁx of index is deﬁned (i.e.

50 not ⊥). If j = d, then the leaf node corresponding to index is deﬁned, and contains some symbol which is assigned to m. Otherwise, m := . π is formed as an ordered tuple of the `-bit strings stored from the root

down the path to the ancestor of index at level j, as well as the strings stored at each sibling of a node along this path.

• PrepW(PP, storein, index): Similarly to PrepR, we interpret index as a d-bit string, and let j ∈ {1, . . . , d} be the largest value such that the

node in storein corresponding to the length j preﬁx of index is deﬁned. aux is formed as ordered tuple of the `-bit strings stored from the root

down the path to the ancestor of index at level j, as well as the strings stored at each sibling of these nodes.

• VerifyR(PP, win, mread, index, π): If the value of j reﬂected in π is < d

and mread 6= , then the VerifyR algorithm outputs F alse. Otherwise, for

each level i from 0 to j − 1, the algorithm deﬁnes h1,i+1 and h2,i+1 to the be `-bit strings given in π for the two children on level i + 1 of the node

at level i on the path to index. It computes PP(h1,i+1, h2,i+1, indexi),

where indexi denotes the i-bit preﬁx of index. If this output does not equal the `-bit string given in π for this node, it outputs F alse. Similarly,

if the root value given in π does not match win, it outputs F alse. If all of these checks pass, it outputs T rue. Note that when j = d, the value

mread is one of the input `-bit strings for the check at level d − 1.

• WriteS(PP, storein, index, m): First, if there are any nodes correspond-

51 ing to preﬁxes of index or siblings of preﬁxes of index that are not yet

initialized in storein, they are initialized with ⊥ values. Next, the `-bit string associated with the node index is set to m. For each i from 0

to d − 1, we deﬁne h1,i+1, h2,i+1 denote the `-bit strings (or ⊥) values associated with the two children of the node corresponding to the i-bit

prefix of index. We iteratively update the values for the prefixes of index, starting with i = d − 1 and setting the value at the i-bit prefix

equal to PP(h1,i, h2,i, indexi) (again, indexi denotes the i-bit preﬁx of index). After these changes are made all the way up through the root,

the resulting tree is output as storeout.

• Update(PP, win, mwrite, index, aux): The update algorithm ﬁrst performs the same checks as described in the VerifyR algorithm. If any of these fail, it outs Reject. Otherwise, using the values in aux, it re-computes the

`-bit values for the nodes whose preﬁxes of index as described in the WriteS algorithm, starting by replacing the value at index itself with

mwrite (note that the values given in aux suﬃce for this). It outputs the

new root value as wout.

2.4.1.1 Correctness

We consider any sequence (m1, index1),..., (mk, indexk) of symbols m1, . . . , mk and indices index1,..., indexk each between 0 and T − 1. We

λ ﬁx any PP, w0, store0 ← Setup-Acc(1 ,T ). For j from 1 to k, we deﬁne storej iteratively as storej := WriteS(PP, storej−1, indexj, mj). We sim-

52 ilarly deﬁne auxj and wj iteratively as auxj := PrepW(PP, storej−1, indexj) and wj := Update(PP, wj−1, mj, indexj, auxj).

By deﬁnition of the algorithm WriteS, it is immediate that a leaf of storek corresponding to any index contains the value mi for the largest i such that indexi = index if such an i exists, otherwise it is uninitialized or has the ⊥ value. The PrepR algorithm therefore correctly returns mi or in these cases respectively. This ensures correctness property 1.

To see that correctness property 2 also holds, we observe that every call of WriteS maintains the invariant that for any initialized internal node (at some index) the `-bit string that it stores is equal to PP(h1, h2, index), where h1 and h2 are the values stored at its children. Thus, the checks performed by VerifyR will pass because the output path produced by PrepR maintains this invariant.

2.4.1.2 Security

We now prove our construction above satisﬁes indistinguishability of read and write setup:

Lemma 2.3. Assuming that F is a selectively secure puncturable PRF and iO is an indistinguishability obfuscator, our construction satisﬁes indistinguishability of read setup.

Proof. We let Exp–Acc0 denote the version of the security experiment where b = 0 (i.e. we are running the real Setup-Acc algorithm), and Exp–Acc1 denote

53 the version of the security experiment where b = 1 (i.e. we are running the Setup-Acc-EnfR algorithm). We will show these two experiments are computationally indistinguishably using a hybrid argument that gradually transitions from Exp–Acc0 to Exp–Acc1.

Our intermediary experiments will be parameterized by a depth parameter z between 0 and d − 1. In all experiments, the challenger will choose K, pk, sk as is common to the Setup-Acc, Setup-Acc-EnfR algorithms, and will deﬁne ct0,..., ctd, storek as in the Setup-Acc-EnfR algorithm. The experiments will diﬀer only in the program to be obfuscated to form the public parameters.

We ﬁrst deﬁne the hybrid experiments as follows:

Exp–Acc0.1,z In this experiment, the program to be obfuscated is H0,1,z (see

∗ ∗ Figure 2.5) and it is deﬁned as follows. We ﬁrst set r := F (K, h1,z, h2,z, indexz),

∗ ∗ where indexz denotes the length z preﬁx of index , whichever of {h1,z, h2,z}

∗ corresponds to the length z + 1 preﬁx of index is set to be Cz+1, and the other is set equal to the corresponding value in storek. We also compute

∗ ∗ K{(h1,z, h2,z, indexz)} ← F.puncture(K, (h1,z, h2,z, indexz)). Finally the program H0,1,z (deﬁned in Figure 2.5) is obfuscated.

Exp–Acc0.2,z In this experiment, the program to be obfuscated is H0,2,z (see

∗ Figure 2.6). To deﬁne this program, we again let indexz denote the length

∗ z preﬁx of index , whichever of {h1,z, h2,z} corresponds to the length z + 1

54 Program H0.1,z

∗ Constants: Punctured PRF key K{(h1,z, h2,z, indexz)}, PKE public key ∗ ∗ pk, randomness r , h1,z, h2,z, index , values of nodes in storek for preﬁxes ∗ d of index and their siblings, {ctj}j=0. ` `

1. If index is a preﬁx of index∗ of length z < j < d, check if the value among {h1, h2} corresponding to the child that is a length j + 1 preﬁx of index is equal to ctj+1, and the other value among {h1, h2} is checked against the corresponding node value in storek. If both of these comparisons yield equality, output ctj.

∗ 2. If index is a preﬁx of index of length z, h1 = h1,z, and h2 = h2,z, output PKE.enc(pk, 0; r∗).

3. Otherwise, compute r = F (K, (h1, h2, index)) and output PKE.enc(pk, 0; r).

Figure 2.5: Program H0.1,z

∗ preﬁx of index is set to be Cz+1, and the other is set equal to the cor-

∗ responding value in storek. We also compute K{(h1,z, h2,z, indexz)} ←

∗ ∗ F.puncture(K, (h1,z, h2,z, indexz)). We set r to be a fresh random string.

Exp–Acc0.3,z In this experiment, the program to be obfuscated is H0,3,z (see

∗ ∗ Figure 2.7). We again let indexz denote the length z preﬁx of index ,

∗ whichever of {h1,z, h2,z} corresponds to the length z + 1 preﬁx of index is set to be Cz+1, and the other is set equal to the corresponding value in storek. We

∗ ∗ also compute K{(h1,z, h2,z, index z)} ← F.puncture(K, (h1,z, h2,z, index z)). We set r∗ to be a fresh random string.

55 Program H0.2,z

∗ 2. If index is a preﬁx of index of length z, h1 = h1,z, and h2 = h2,z, output PKE.enc(pk, 0; r∗).

3. Otherwise, compute r = F (K, (h1, h2, index)) and output PKE.enc(pk, 0; r).

Figure 2.6: Program H0.2,z Program H0.3,z

∗ Constants: Punctured PRF key K{(h1,z, h2,z, index z)}, PKE public key ∗ ∗ pk, randomness r , h1,z, h2,z, index , values of nodes in storek for preﬁxes ∗ d of index and their siblings, {ctj}j=0. ` `

∗ 2. If index is a preﬁx of index of length z, h1 = h1,z, and h2 = h2,z, output PKE.enc(pk, 1; r∗).

3. Otherwise, compute r = F (K, (h1, h2, index)) and output PKE.enc(pk, 0; r).

Figure 2.7: Program H0.3,z

56 Exp–Acc0.4,z In this experiment, the program to be obfuscated is H0,4,z (see

∗ Figure 2.8) and it is deﬁned as follows. We again let indexz denote the length z

∗ preﬁx of index , whichever of {h1,z, h2,z} corresponds to the length z+1 preﬁx

∗ of index is set to be Cz+1, and the other is set equal to the corresponding

∗ value in storek. We set r to be a fresh random string.

Program H0.4,z Constants: Punctured PRF key K, PKE public key pk, randomness r∗, ∗ ∗ h1,z, h2,z, index , values of nodes in storek for preﬁxes of index and d their siblings, {ctj}j=0. ` `

∗ 2. If index is a preﬁx of index of length z, h1 = h1,z, and h2 = h2,z, output PKE.enc(pk, 1; r∗).

3. Otherwise, compute r = F (K, (h1, h2, index)) and output PKE.enc(pk, 0; r).

Figure 2.8: Program H0.4,z

Now that we have these experiments deﬁned, we will argue that we can start with Exp–Acc0, transition to Exp–Acc0.1,d−1, then to Exp–Acc0.2,d−1, then to Exp–Acc0.3,d−1, then to Exp–Acc0.4,d−1, then to Exp–Acc0.1,d−2, and so on.

We ﬁnally arrive at Exp–Acc0.4,0, which is identical to Exp–Acc1.

We make the following claims for each z from d−1 to 0. For notational convenience, we consider Exp–Acc0.4,d to be another name for Exp–Acc0.

57 Claim 2.4. Assuming iO is a secure indistinguishability obfuscator, for any PPT adversary A,

Pr[A outputs 0 in Exp–Acc0.4,z+1] − Pr[A outputs 0 in Exp–Acc0.1,z] ≤ negl(λ).

∗ Proof. To see this, note that the hardwired value r in the program H0.1,z is the same that will be computed from the unpunctured key in the program H0.4,z+1.

We also note that the ciphertext produces in line 2. of H0.4,z+1 is distributed identically to ctz+1, so hardwired the randomness in H0.4,z+1 and hard-coding ctz+1 in H0.1,z does not cause a diﬀerence. The input/output behavior of H0.1,z and H0.4,z+1 are hence identical, so the iO security applies.

Claim 2.5. Assuming F is a selectively secure puncturable PRF, for any PPT adversary A,

Pr[A outputs 0 in Exp–Acc0.1,z] − Pr[A outputs 0 in Exp–Acc0.2,z] ≤ negl(λ).

Proof. The only change being made between H0.1,z and H0.2,z is that the hardwired output of F at the punctured point is replaced by a freshly random, hardwired r∗ value. Computationally indistinguishability then follows immediately from the selective security of F .

Claim 2.6. Assuming PKE is an IND-CPA secure public key encryption scheme, for any PPT adversary A,

Pr[A outputs 0 in Exp–Acc0.1,z] − Pr[A outputs 0 in Exp–Acc0.2,z] ≤ negl(λ).

58 Proof. This follows immediately from the deﬁnition of CPA security, as the only change is that a (freshly random) encryption of 0 is replaced by a (freshly random) encryption of 1.

Claim 2.7. Assuming iO is a secure indistinguishability obfuscator, for any PPT adversary A,

Pr[A outputs 0 in Exp–Acc0.3,z] − Pr[A outputs 0 in Exp–Acc0.4,z] ≤ negl(λ).

Proof. Here, the behavior of the programs H0.3,z and H0.4,z are identical, because the punctured point value is never computed. Hence the iO security guarantee applies.

Lemma 2.4. Assuming that F is a selectively secure puncturable PRF and iO is an indistinguishability obfuscator, our construction satisﬁes indistinguishability of write setup.

Proof. This follows immediately from Lemma 2.3, as the Setup-Acc-EnfW algorithm simply calls an instance of the Setup-Acc-EnfR algorithm.

We now establish that our construction satisﬁes the required information- theoretic enforcement properties:

Lemma 2.5. Our construction is Read Enforcing.

59 ∗ Proof. We consider a sequence (m1, index1),..., (mk, indexk) and a index ,

λ and we let PP, w0, store0 ← Setup-Acc-EnfR(1 , T ,(m1, index1), ...,(mk, indexk),

∗ index ). We let wk, storek denote the resulting accumulator and storage values after then storing and updating this sequence using PP, starting from

∗ w0, store0. The “right” m to be read at index is mi for the largest i ∈

∗ {1, . . . , k} such that indexi = index , if such an i exists. Otherwise, m := .

We suppose (for contradiction) that for somem ˜ 6= m, there exists a

∗ valueπ ˜ such that VerifyR(PP, wk, m,˜ index , π˜) = True. Now, by deﬁnition of

0 the program H that is obfuscated to form PP, wk will be the value ct0 (the value stored at the root of the tree in storek). Since this is an encryption of 1 and the scheme PKE is perfectly correct, it will never be an output produced by line 2. of the program H. Hence, the only values for its children that will pass the check performed by VerifyR are the unique values that are checked in line 1. of H0. Applying this reasoning iteratively down the tree, we see that the values in π must match the true values stored in the tree in storek at these nodes, and hence this applies also at the leaf where m is stored (or where the path to index∗ reaches a ⊥). Thus, we cannot havem ˜ 6= m and still have a successful veriﬁcation.

Lemma 2.6. Our construction is Write Enforcing.

Proof. As in the proof of Lemma 2.5, we have that the only value of aux that will pass the checks performed by the Update algorithm is the true values along the relevant path as stored in storek. This will then deterministically

60 produce wk as the output of Update.

2.4.2 Splittable Signatures

In this section, we will deﬁne the syntax and correctness/security properties of splittable signatures and then show a construction based on indistinguishability obfuscation and pseudorandom generators.

A splittable signature scheme will essentially consist of a normal signature scheme, augmented by some additional algorithms that produce alternative signing and verification keys with differing capabilities. More precisely, there will be “all but one” keys that work correctly except for a single message m∗, and there will be ”one” keys that work only for m∗. There will also be a reject-verification key that always outputs reject when used to verify a signature.

Our required security properties will be closer in spirit to the typical security properties of MACs as opposed to signatures, since we do not provide access to a signing oracle in our security games. Our properties are nonetheless sufficient for our application, and avoiding unnecessary signing oracles makes it possible to argue that these different kinds of verification keys are computationally indistinguishable, the attacker is not provided with a signature on which they behave differently.

Syntax A splittable signature scheme S for message space M consists of the following algorithms:

61 Setup-Spl(1λ) The setup algorithm is a randomized algorithm that takes as input the security parameter λ and outputs a signing key sk, a veriﬁcation

key VK and reject-veriﬁcation key VKrej.

Sign-Spl(sk, m) The signing algorithm is a deterministic algorithm that takes as input a signing key sk and a message m ∈ M. It outputs a signature σ.

Verify-Spl(VK, m, σ) The veriﬁcation algorithm is a deterministic algorithm that takes as input a veriﬁcation key VK, signature σ and a message m. It outputs either 0 or 1.

Split(sk, m∗) The splitting algorithm is randomized. It takes as input a se-

∗ cret key sk and a message m ∈ M. It outputs a signature σ(1) =

∗ Sign-Spl(sk, m ), a one-message veriﬁcation key VK(1) , an all-but-one

signing key skabo and an all-but-one veriﬁcation key VKabo.

Sign-Spl-abo(skabo, m) The all-but-one signing algorithm is deterministic. It

takes as input an all-but-one signing key skabo and a message m, and outputs a signature σ.

∗ λ Correctness Let m ∈ M be any message. Let (sk, VK, VKrej) ← Setup-Spl(1 )

∗ and (σ(1) , VK(1) , skabo, VKabo) ← Split(sk, m ). Then, we require the following correctness properties:

1. For all m ∈ M, Verify-Spl(VK, m, Sign-Spl(sk, m)) = 1.

62 ∗ 2. For all m ∈ M, m 6= m , Sign(sk, m) = Sign-Spl-abo(skabo, m).

∗ ∗ 3. For all σ, Verify-Spl(VK(1) , m , σ) = Verify-Spl(VK, m , σ).

∗ 4. For all m 6= m and σ, Verify-Spl(VK, m, σ) = Verify-Spl(VKabo, m, σ).

∗ 5. For all m 6= m and σ, Verify-Spl(VK(1) , m, σ) = 0.

∗ 6. For all σ, Verify-Spl(VKabo, m , σ) = 0.

7. For all σ and all m ∈ M, Verify-Spl(VKrej, m, σ) = 0.

Security We will now deﬁne the security notions for splittable signature schemes. Each security notion is deﬁned in terms of a security game between a challenger and an adversary A.

Deﬁnition 2.9 (VKrej indistinguishability). A splittable signature scheme S is said to be VKrej indistinguishable if any PPT adversary A has negligible advantage in the following security game:

λ Exp-VKrej(1 , S, A):

λ 1. Challenger computes (sk, VK, VKrej) ← Setup-Spl(1 ) .Next, it chooses

b ← {0, 1}. If b = 0, it sends VK to A. Else, it sends VKrej. 2. A sends its guess b0.

A wins if b = b0.

63 We note that in the game above, A never receives any signatures and has no ability to produce them. This is why the diﬀerence between VK and

VKrej cannot be tested.

Deﬁnition 2.10 (VK(1) indistinguishability). A splittable signature scheme S is said to be VK(1) indistinguishable if any PPT adversary A has negligible advantage in the following security game:

λ Exp-VK(1) (1 , S, A):

1. A sends a message m∗ ∈ M.

λ 2. Challenger computes (sk, VK, VKrej) ← Setup-Spl(1 ). Next, it computes

∗ (σ(1) , VK(1) , skabo, VKabo) ← Split(sk, m ). It chooses b ← {0, 1}. If

b = 0, it sends (σ(1) , VK(1) ) to A. Else, it sends (σ(1) , VK) to A. 3. A sends its guess b0.

A wins if b = b0.

We note that in the game above, A only receives the signature σ(1) on

∗ m , on which VK and VKone behave identically.

Deﬁnition 2.11 (VKabo indistinguishability). A splittable signature scheme

S is said to be VKabo indistinguishable if any PPT adversary A has negligible advantage in the following security game:

λ Exp-VKabo(1 , S, A):

64 1. A sends a message m∗ ∈ M.

λ 2. Challenger computes (sk, VK, VKrej) ← Setup-Spl(1 ). Next, it computes

∗ (σ(1) , VK(1) , skabo, VKabo) ← Split(sk, m ). It chooses b ← {0, 1}. If

b = 0, it sends (skabo, VKabo) to A. Else, it sends (skabo, VK) to A. 3. A sends its guess b0.

A wins if b = b0.

We note that in the game above, A does not receive or have the ability to create a signature on m∗. For all signatures A can create by signing with skabo, VKabo and VK will behave identically.

Deﬁnition 2.12 (Splitting indistinguishability). A splittable signature scheme S is said to be splitting indistinguishable if any PPT adversary A has negligible advantage in the following security game:

Exp-Spl(1λ, S, A):

1. A sends a message m∗ ∈ M.

λ 0 0 0 2. Challenger computes (sk, VK, VKrej) ← Setup-Spl(1 ), (sk , VK , VKrej) ←

λ ∗ Setup-Spl(1 ). Next, it computes (σ(1) , VK(1) , skabo, VKabo) ← Split(sk, m ),

0 0 0 0 0 ∗ (σ(1) , VK(1) , skabo, VKabo) ← Split(sk , m ). . It chooses b ← {0, 1}. If

0 0 b = 0, it sends (σ(1) , VK(1) , skabo, VKabo) to A. Else, it sends (σ(1) , VK(1) ,

skabo, VKabo) to A. 3. A sends its guess b0.

65 A wins if b = b0.

In the game above, A is either given a system of σ(1) , VK(1) , skabo, VKabo

0 0 generated together by one call of Setup-Spl or a “split” system of (σ(1) , VK(1) , skabo, VKabo) where the all but one keys are generated separately from the signature and key for the one message m∗. Since the correctness conditions do not link the behaviors for the all but one keys and the one message values, this split generation is not detectable by testing veriﬁcation for the σ(1) that

A receives or for any signatures that A creates honestly by signing with skabo.

2.4.3 Construction

Let M be the message space. For simplicity of notations, we will assume M = {0, 1}`, where ` is polynomial in the security parameter λ. Let F be a puncturable pseudorandom function with key space K, punctured key

λ space Kp, domain M, range {0, 1} and algorithms F.setup, F.puncture and F.eval. Finally, we will also use an indistinguishability obfuscator iO and an injective pseudorandom generator PRG : {0, 1}λ → {0, 1}2λ. (The pseudorandom generator will be used in the proof, but will not be needed in the actual scheme.) We will now deﬁne the algorithms Setup-Spl, Sign-Spl, Verify-Spl, Split and Sign-Spl-abo.

• Setup-Spl(1λ) The setup algorithm takes as input security parameter

λ λ and chooses puncturable PRF keys K1 ← F.setup(1 ) and K2 ← F.setup(1λ). Next, it chooses x ← {0, 1}λ. The secret key sk is set to be

66 (K1,K2, x), the veriﬁcation key is an obfuscation of the program Prog-VK

deﬁned in Figure 2.9; VK ← iO(Prog-VK), and VKrej ← iO(Prog-VKrej),

where Prog-VKrej is deﬁned in Figure 2.10.

Prog-VK

λ Constants Puncturable PRF keys K1,K2 ∈ K, x ∈ {0, 1} . Inputs Message m ∈ M, signature σ = (σ1, σ2).

1. If σ1 = (F (K1, m) ⊕ x) and σ2 = F (K2, m) output 1. Else output 0.

Figure 2.9: Prog-VK

Prog-VKrej

Inputs: Message m ∈ M, signature σ = (σ1, σ2).

1. Output 0.

Figure 2.10: Prog-VKrej

• Sign-Spl(sk, m) The signing algorithm takes as input the secret key sk =

(K1,K2, x) and message m ∈ M. It outputs σ = (F (K1, m)⊕x, F (K2, m)).

• Verify-Spl(VK, m, σ) The veriﬁcation algorithm simply executes the ver- iﬁcation key with inputs m and σ. It outputs VK(m, σ).

• Split(sk, m∗) The splitting algorithm takes as input secret key sk =

∗ ∗ (K1,K2, x) and a message m ∈ M. It computes σ(1) = Sign(sk, m ).

Next, it computes VK(1) ← iO(Prog-VK(1) ), skabo ← iO(Prog-skabo) and

67 Prog-VK(1)

λ ∗ Constants Signature components s1, s2 ∈ {0, 1} , message m ∈ M. 2λ Inputs Message m ∈ M, signature σ = (σ1, σ2) ∈ {0, 1} .

1. If m 6= m∗ output 0. 2. If σ1 = s1 and σ2 = s2 output 1. Else output 0.

Figure 2.11: Prog-VK(1)

Prog-skabo

∗ ∗ ∗ Constants Message m ∈ M, punctured PRF keys K1{m },K2{m } ∈ λ Kp, x ∈ {0, 1} . Inputs Message m ∈ M.

1. If m = m∗, output ⊥. ∗ ∗ 2. Compute σ1 = F.eval(K1{m }, m) ⊕ x and σ2 = F.eval(K{m }, m). Output σ = (σ1, σ2).

Figure 2.12: Prog-skabo

VKabo ← iO(Prog-VKabo), where the programs Prog-VK(1) , Prog-skabo

and Prog-VKabo are deﬁned in Figures 2.11, 2.12 and 2.13 respectively.

Prog-VKabo

∗ ∗ ∗ Constants Message m ∈ M, punctured PRF keys K1{m },K2{m } ∈ K, x ∈ {0, 1}λ. Inputs message m ∈ M, signature σ = (σ1, σ2).

1. If m = m∗, output 0. ∗ ∗ 2. If σ1 = F.eval(K1{m }, m) ⊕ x and σ2 = F.eval(K2{m }, m) output 1. Else output 0.

Figure 2.13: Prog-VKabo

68 Correctness For correctness, note that Properties 1, 3, 5 and 6 follow directly from construction, while Properties 2 and 4 follow from the correctness of puncturable PRF keys.

2.4.3.1 Proofs of Security

We will now show that S = (Setup-Spl, Sign-Spl, Verify-Spl, Split, Sign-Spl-abo) satisﬁes VKrej indistinguishability, VK(1) indistinguishability, VKabo indistinguishability and splitting indistinguishability.

Lemma 2.7. Assuming iO is a secure indistinguishability obfuscator and PRG an injective pseudorandom generator, any PPT adversary A has negligible

λ advantage in Exp-VKrej(1 , S, A).

Proof. We will deﬁne a sequence of hybrid experiments Hyb0,..., Hyb3, and then show that the outputs of each hybrid are computationally indistinguishable.

Hyb0 In this experiment, the challenger sends VK to A.

λ 1. Challenger chooses puncturable PRF keys K1 ← F.setup(1 ), K2 ←

λ λ F.setup(1 ) and x ← {0, 1} . It sends VK ← iO(Prog-VK{K1,K2, x}) to A.

0 Hyb1 In this experiment, the challenger outputs an obfuscation of Prog-VKrej (deﬁned in Figure 2.14).

69 λ 1. Challenger chooses puncturable PRF keys K1 ← F.setup(1 ), K2 ← F.setup(1λ) and x ← {0, 1}λ. It computes y = PRG(x) sends VK ←

0 iO(Prog-VKrej{K1,K2, y}) to A.

0 Prog-VKrej

2λ Constants Puncturable PRF keys K1,K2 ∈ K, y ∈ {0, 1} . Inputs Message m ∈ M, signature σ = (σ1, σ2).

1. If y = PRG(F (K1, m) ⊕ σ1) and σ2 = F (K2, m) output 1. Else output 0.

0 Figure 2.14: Prog-VKrej

Hyb2 This experiment is similar to the previous one, except that the challenger chooses y as a uniformly random λ bit string.

λ 1. Challenger chooses puncturable PRF keys K1 ← F.setup(1 ), K2 ←

λ 2λ 0 F.setup(1 ). It chooses y ← {0, 1} and sends VK ← iO(Prog-VKrej{K1,K2, y}) to A.

Hyb3 In this experiment, the challenger outputs an obfuscation of Prog-VKrej.

1. Challenger sends VK ← iO(Prog-VKrej) to A.

Analysis Let pA,i denote the probability that A outputs 1 in Hybi.

Claim 2.8. Assuming iO is a secure indistinguishability obfuscator, for any

PPT adversary A, |pA,0 − pA,1| ≤ negl(λ).

70 Proof. This follows from the fact that PRG is injective, and hence the programs

0 Prog-VK{K1,K2, x} and Prog-VKrej{K1,K2, y} are functionally identical. As a result, their obfuscations are computationally indistinguishable by the iO security requirement.

Claim 2.9. Assuming PRG is a secure pseudorandom generator, for any PPT

A, |pA,1 − pA,2| ≤ negl(λ).

Proof. Now that the pre-image x is no longer referenced in the veriﬁcation program, the fact that a random image y can be replaced by a uniformly random value in {0, 1}2λ follows directly from the security of PRG.

Claim 2.10. Assuming iO is a secure indistinguishability obfuscator, for any

PPT adversary A, |pA,2 − pA,3| ≤ negl(λ).

Proof. Note that since y is chosen uniformly at random in Hyb2, with overwhelming probability, it does not lie in the range of PRG. As a result,

0 Prog-VKrej outputs 0 on all inputs, making it functionally identical to Prog-VKrej. Therefore, their obfuscations are computationally indistinguishable by the iO security requirement.

Lemma 2.8. Assuming iO is a secure indistinguishability obfuscator, F a secure puncturable PRF and PRG a secure pseudorandom generator, any PPT

λ adversary A has negligible advantage in Exp-VK(1) (1 , S, A).

71 Proof. To prove this lemma, we will deﬁne a sequence of hybrid experiments

Hyb0,..., Hyb7.

Hyb0 In this experiment, the challenger computes (σ(1) , VK) as in the original scheme.

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1,K2 ← F.setup(1 ), x ← {0, 1}λ.

∗ ∗ It sets s1 = F (K1, m ) ⊕ x, s2 = F (K2, m ), σ(1) = (s1, s2), VK ←

iO(Prog-VK{K1K2, x}) and sends (σ(1) , VK) to A.

Hyb1 This experiment is similar to the previous one, except that the challenger hardwires a punctured PRF key instead of K1 in the veriﬁcation key VK, and y = PRG(x) is used to check instead of x itself:

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1,K2 ← F.setup(1 ), x ← {0, 1}λ.

∗ ∗ ∗ It computes K1{m } ← F.puncture(K1, m ), s1 = F (K1, m ) ⊕ x, s2 =

∗ F (K2, m ), σ(1) = (s1, s2).

∗ ∗ It sets y = PRG(x), VK ← iO(Prog-VK-Alt{m ,K1{m },K2, y, σ(1) })

(Prog-VK-Alt is deﬁned in Figure 2.15) and sends (σ(1) , VK) to A.

72 Prog-VK-Alt

∗ ∗ Constants Message m ∈ M, punctured PRF key K1{m } ∈ Kp, PRF 2λ λ λ key K2 ∈ K, y ∈ {0, 1} , s ∈ {0, 1} × {0, 1} . 2λ Inputs Message m ∈ M, Signature tuple σ = (σ1, σ2) ∈ {0, 1} .

1. If m 6= m∗ ∗ (a) If y = PRG((F.eval(K1{m }, m) ⊕ σ1)) and σ2 = F (K2, m) output 1. Else output 0. 2. Else if m 6= m∗

(a) If s = (σ1, σ2) output 1. Else output 0.

Figure 2.15: Prog-VK-Alt

∗ Hyb2 In this experiment, F (K1, m ) is set to be a uniformly random string in {0, 1}λ.

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1,K2 ← F.setup(1 ), x ← {0, 1}λ.

∗ ∗ λ It computes K1{m } ← F.puncture(K1, m ), chooses r ← {0, 1} and

∗ sets s1 = r ⊕ x, s2 = F (K2, m ), σ(1) = (s1, s2).

∗ ∗ It sets y = PRG(x), VK ← iO(Prog-VK-Alt{m ,K1{m },K2, y, σ(1) }) and

sends (σ(1) , VK) to A.

λ Hyb3 In this experiment, s1 is chosen uniformly at random from {0, 1} .

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1,K2 ← F.setup(1 ), x ← {0, 1}λ.

73 ∗ ∗ λ It computes K1{m } ← F.puncture(K1, m ), chooses s1 ← {0, 1} , sets

∗ s2 = F (K2, m ), σ(1) = (s1, s2).

∗ ∗ It sets y = PRG(x), VK ← iO(Prog-VK-Alt{m ,K1{m },K2, y, σ(1) }) and

sends (σ(1) , VK) to A.

Hyb4 This experiment is identical to the previous one, except that the challenger sets y to be a uniformly random 2λ bit string, instead of PRG(x).

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1,K2 ← F.setup(1 ), x ← {0, 1}λ.

∗ ∗ λ It computes K1{m } ← F.puncture(K1, m ), chooses s1 ← {0, 1} , sets

∗ s2 = F (K2, m ), σ(1) = (s1, s2).

2λ ∗ ∗ It chooses y ← {0, 1} , sets VK ← iO(Prog-VK-Alt{m ,K1{m },K2, y, σ(1) })

and sends (σ(1) , VK) to A.

Hyb5 In this experiment, the challenger outputs an obfuscation of Prog-VK(1) .

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1,K2 ← F.setup(1 ), x ← {0, 1}λ.

λ ∗ It chooses s1 ← {0, 1} , sets s2 = F (K2, m ), σ(1) = (s1, s2).

∗ It sets VK ← iO(Prog-VK(1) {m , σ(1) }) and sends (σ(1) , VK) to A.

74 Hyb6 This experiment is identical to the previous one, the only diﬀerence being a syntactical change. It chooses r ← {0, 1}λ, x ← {0, 1}λ and sets s1 = r ⊕ x.

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1,K2 ← F.setup(1 ), x ← {0, 1}λ.

∗ ∗ λ It computes K1{m } ← F.puncture(K1, m ), chooses r, x ← {0, 1} and

∗ sets s1 = r ⊕ x, s2 = F (K2, m ), σ(1) = (s1, s2).

∗ It sets VK ← iO(Prog-VK(1) {m , σ(1) }) and sends (σ(1) , VK) to A.

∗ Hyb7 In this experiment, the challenger sets s1 = F (K1, m ) ⊕ x.

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1,K2 ← F.setup(1 ), x ← {0, 1}λ.

∗ ∗ λ It computes K1{m } ← F.puncture(K1, m ), chooses x ← {0, 1} and

∗ ∗ sets s1 = F (K1, m ) ⊕ x, s2 = F (K2, m ), σ(1) = (s1, s2).

∗ It sets VK ← iO(Prog-VK(1) {m , σ(1) }) and sends (σ(1) , VK) to A.

Analysis Let pA,i denote the probability that A outputs 1 in Hybi.

Claim 2.11. Assuming iO is a secure indistinguishability obfuscator, for any

PPT adversary A, |pA,0 − pA,1| ≤ negl(λ).

75 Proof. To use the security of iO, we need to argue that Prog-VK{K1,K2, x} and

∗ ∗ Prog-VK-Alt{m ,K1{m },K2, y, σ(1) } have identical functionality. However, this follows directly from the correctness of F and the fact that PRG is injective.

Claim 2.12. Assuming F is a secure puncturable PRF, for any PPT A, |pA,1− pA,2| ≤ negl(λ).

Proof. Now that the program being obfuscated only depends upon the punc-

∗ ∗ tured key K1{m }, we can replace F (K1, m ) with a random value by invoking the security of the punctured PRF.

Claim 2.13. Hyb2 and Hyb3 are identical, and hence, pA,2 = pA,3.

Proof. This follows immediately because we have merely made a syntactic change and re-parameterized the same uniform distribution over {0, 1}λ.

Claim 2.14. Assuming PRG is a secure pseudorandom generator, for any

PPT A, |pA,3 − pA,4| ≤ negl(λ).

Proof. Now that the preimage x is no longer referenced, we can rely on the security of PRG to change y from being a random image of PRG to a uniformly random string in {0, 1}2λ.

Claim 2.15. Assuming iO is a secure indistinguishability obfuscator, for any

PPT A, |pA,4 − pA,5| ≤ negl(λ).

76 Proof. Note that with overwhelming probability, a uniformly random y does not lie in the range of PRG, and hence Step 1(a) of Prog-VK-Alt always outputs

0. Therefore Prog-VK-Alt and Prog-VK(1) are functionally identical with all but negligible probability, and in this case the iO security guarantee applies.

Claim 2.16. Hyb5 and Hyb6 are identical, and hence, pA,5 = pA,6.

Proof. This is simply a reversal of our prior syntactic change.

Claim 2.17. Assuming F is a secure puncturable PRF, for any PPT A, |pA,6− pA,7| ≤ negl(λ).

Proof. This is again simply a reversal of our prior change, and follows analogously from the security guarantee of the puncturable PRF.

Combining the above claims, it follows that

| Pr[A outputs 1 in Exp-VK(1) |b = 0]−Pr[A outputs 1 in Exp-VK(1) |b = 0]| ≤ negl(λ).

Lemma 2.9. Assuming iO is a secure indistinguishability obfuscator, F a secure puncturable PRF and PRG a secure pseudorandom generator, any PPT

λ adversary A has negligible advantage in Exp-VKabo(1 , S, A).

λ Proof. Let A be a PPT adversary such that Exp-VKabo(1 , S, A) = . As in the previous proof, we will deﬁne a sequence of hybrids Hyb0,..., Hyb4, where

λ Hyb0 and Hyb4 correspond to the two modes of Exp-VKabo(1 , S, A).

77 Hyb0 In this experiment, the challenger outputs (skabo, VK) as in the original scheme.

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1 ← F.setup(1 ), K2 ← F.setup(1λ) and x ← {0, 1}λ.

∗ ∗ ∗ ∗ It computes K1{m } ← F.puncture(K1, m ),K2{m } ← F.puncture(K2, m ).

∗ ∗ ∗ It computes skabo ← iO(Prog-skabo{m ,K1{m },K2{m }, x}) and VK ←

iO(Prog-VK{K1,K2, x}).

It sends (skabo, VK) to A.

0 Hyb1 In this experiment, the challenger uses the program Prog-VK-Alt (de- ﬁned in Figure 2.16) to compute the veriﬁcation key VK.

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1 ← F.setup(1 ), K2 ← F.setup(1λ) and x ← {0, 1}λ.

∗ ∗ ∗ ∗ It computes K1{m } ← F.puncture(K1, m ),K2{m } ← F.puncture(K2, m ).

∗ ∗ It sets w = PRG(F (K2, m )). It computes skabo ← iO(Prog-skabo{m ,

∗ ∗ 0 0 ∗ ∗ K1{m }, K2{m }, x}) and VK ← iO(Prog-VK-Alt {m ,K1,K2{m }, w, x}).

It sends (skabo, VK) to A.

78 Prog-VK-Alt0

∗ ∗ Constants Message m ∈ M, punctured PRF keys K1,K2{m } ∈ Kp, w ∈ {0, 1}2λ, x ∈ {0, 1}λ. λ λ Inputs Message m ∈ M, signature σ = (σ1, σ2) ∈ {0, 1} × {0, 1} .

1. If m 6= m∗ ∗ (a) If σ1 = F (K1, m) ⊕ x and σ2 = F.eval(K2{m }, m) output 1. Else output 0. 2. Else,

(a) If σ1 = F (K1, m) ⊕ x and w = PRG(σ2) output 1. Else output 0.

Figure 2.16: Prog-VK-Alt0

Hyb2 This hybrid is similar to the previous one, except that the challenger computes w = PRG(r) for some random r ← {0, 1}λ.

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1 ← F.setup(1 ), K2 ← F.setup(1λ) and x ← {0, 1}λ.

∗ ∗ ∗ ∗ It computes K1{m } ← F.puncture(K1, m ),K2{m } ← F.puncture(K2, m ).

λ ∗ it chooses r ← {0, 1} and sets w = PRG(r), computes skabo ← iO(Prog-skabo{m ,

∗ ∗ 0 0 ∗ ∗ K1{m }, K2{m }, x}) and VK ← iO(Prog-VK-Alt {m , K1, K2{m }, w, x}).

It sends (skabo, VK) to A.

Hyb3 In this experiment, the challenger chooses a uniformly random 2λ bit for w instead of using PRG to compute it.

1. A sends a message m∗ ∈ M.

79 λ 2. Challenger chooses puncturable PRF keys K1 ← F.setup(1 ), K2 ← F.setup(1λ) and x ← {0, 1}λ.

∗ ∗ ∗ ∗ It computes K1{m } ← F.puncture(K1, m ),K2{m } ← F.puncture(K2, m ).

2λ ∗ Next, it chooses w ← {0, 1} . It computes skabo ← iO(Prog-skabo{m ,

∗ ∗ 0 0 ∗ ∗ K1{m }, K2{m }, x}) and VK ← iO(Prog-VK-Alt {m ,K1,K2{m }, w, x}).

It sends (skabo, VK) to A.

Hyb4 This experiment is similar to the previous one except that the challenger outputs an obfuscation of Prog-VKabo as the veriﬁcation key.

1. A sends a message m∗ ∈ M.

λ 2. Challenger chooses puncturable PRF keys K1 ← F.setup(1 ), K2 ← F.setup(1λ) and x ← {0, 1}λ.

∗ ∗ ∗ ∗ It computes K1{m } ← F.puncture(K1, m ),K2{m } ← F.puncture(K2, m ).

∗ ∗ ∗ It computes VKabo ← iO(Prog-VKabo{m ,K1{m },K2{m }, x}), skabo ←

∗ ∗ ∗ iO(Prog-skabo{m ,K1{m }, K2{m }, x}).

It sends (skabo, VK) to A.

Analysis Let pi,A denote the probability that A outputs 1 in Hybi.

Claim 2.18. Assuming iO is a secure indistinguishability obfuscator, for any

PPT adversary A, |p0,A − p1,A| ≤ negl(λ).

Proof. Note that since PRG is injective and F satisﬁes the correctness property

∗ of puncturable PRFs, circuits Prog-VK{K1,K2, x} and Prog-VK-Alt{m ,K1,

80 ∗ K2{m }, x} are functionally identical. As a result, their obfuscations are computationally indistinguishable by iO security, and hence |p0,A − p1,A| ≤ negl(λ).

Claim 2.19. Assuming F is a secure puncturable PRF, for any PPT adversary

A, |p1,A − p2,A| ≤ negl(λ).

Proof. This follows directly from the selective security deﬁnition of punc-

∗ turable PRFs, as only the punctured key K2{m } is reﬂected in the programs given to A.

Claim 2.20. Assuming PRG is a secure pseudorandom generator, for any

PPT adversary A, |p2,A − p3,A| ≤ negl(λ).

Proof. This follows immediately from the security of PRG, as the preimage r is uniformly random and only w is hardwired into the veriﬁcation program.

Claim 2.21. Assuming iO is a secure indistinguishability obfuscator, for any

PPT adversary A, |p3,A − p4,A| ≤ negl(λ).

Proof. Note that since w is chosen uniformly at random, with overwhelming

0 ∗ probability, it does not lie in the range of PRG. In this case, Prog-VK-Alt {m ,K1,

∗ ∗ K2{m }, w, x} outputs 0 on all inputs with message component m . Hence,

0 ∗ ∗ ∗ ∗ ∗ Prog-VK-Alt {m ,K1, K2{m }, w, x} and Prog-VKabo{m , K1{m }, K2{m }, x} are functionally identical (with overwhelming probability).

81 Combining the above claims, it follows that any PPT adversary has negligible advantage in Exp-VKabo.

Lemma 2.10. Assuming iO is a secure indistinguishability obfuscator, F a secure puncturable PRF and PRG a secure pseudorandom generator, any PPT adversary A has negligible advantage in Exp-Spl(1λ, S, A).

Proof. Let A be a PPT adversary with advantage in Exp-Spl(1λ, S, A). We will deﬁne a sequence of hybrids Hyb0,..., Hyb4 and compare A’s advantage in each of these hybrids.

Hyb0 In this experiment, the challenger sends all components corresponding to the same singing key, veriﬁcation key pair.

1. A sends message m∗ ∈ M.

λ λ 2. Challenger chooses PRF keys K1 ← F.setup(1 ), K2 ← F.setup(1 ) and x ∈ {0, 1}λ.

∗ ∗ ∗ ∗ It computes K1{m } ← F.puncture(K1, m ), K2{m } ← F.puncture(K2, m ),

∗ ∗ ∗ σ(1) = (F (K1, m ) ⊕ x, F (K2, m )), VK(1) ← iO(Prog-VK(1) {m , σ(1) }),

∗ ∗ ∗ ∗ skabo ← iO(Prog-skabo{m , K1{m }, K2{m }, x}) and VKabo ← iO(Prog-VKabo{m ,

∗ ∗ K1{m }, K2{m }, x}).

It sends (σ(1) , VK(1) , skabo, VKabo) to A.

∗ ∗ Hyb1 In this hybrid, the challenger replaces F (K1, m ) and F (K2, m ) with uniformly random λ bit strings.

82 λ λ 2. It chooses r1 ← {0, 1} , r2 ← {0, 1} and sets σ(1) = (r1 ⊕ x, r2).

It computes VK(1) , skabo and VKabo as in previous hybrid and sends

(σ(1) , VK(1) , skabo, VKabo) to A.

Hyb2 This experiment is exactly identical to the previous one, except for a notational change, where the ﬁrst component of σ(1) is set to be uniformly random.

λ λ 2. It chooses r1 ← {0, 1} , r2 ← {0, 1} and sets σ(1) = (r1, r2).

0 λ 0 Hyb3 In this experiment, the challenger chooses x ← {0, 1} and uses x to compute the ﬁrst component of σ(1) . This is a notational change, and this hybrid is identical to the previous one.

0 λ λ λ 2. The challenger chooses x ← {0, 1} , r1 ← {0, 1} , r2 ← {0, 1} and sets

0 σ(1) = (r1 ⊕ x , r2).

0 0 Hyb4 In this experiment, the challenger chooses keys K1,K2 and computes

0 0 the signature σ(1) using K1,K2.

λ λ 2. Challenger chooses PRF keys K1 ← F.setup(1 ), K2 ← F.setup(1 ),

0 λ 0 λ λ 0 λ K1 ← F.setup(1 ), K2 ← F.setup(1 ) and x ∈ {0, 1} , x ← {0, 1} . It

∗ ∗ ∗ ∗ computes K1{m } ← F.puncture(K1, m ), K2{m } ← F.puncture(K2, m ).

0 0 ∗ 0 0 ∗ Next, it sets σ(1) = (F (K1, m ) ⊕ x ,F (K2, m )).

83 Analysis We will now analyse A’s advantage in the above experiments. As before, let pi,A denote the probability that A outputs 1 in Hybi.

Claim 2.22. Assuming F is a selectively secure puncturable PRF, for any

PPT adversary A, |p0,A − p1,A| ≤ negl(λ).

Proof. Since only the punctured keys are reﬂected in the programs given to A, it follows from the security of the puncturable PRF that we can replace

∗ ∗ F (K1, m ) and F (K2, m ) with uniformly random strings.

Claim 2.23. Experiments Hyb1 and Hyb2 are identical, and therefore, p1,A = p2,A.

Proof. This is just a notation change, as the distribution of σ(1) is the same.

Claim 2.24. Experiments Hyb2 and Hyb3 are identical, and therefore, p2,A = p3,A.

Proof. This is similarly just a notation change that does not aﬀect the distribution of σ(1) .

Claim 2.25. Assuming F is a selectively secure puncturable PRF, for any

PPT adversary A, |p3,A − p4,A| ≤ negl(λ).

Proof. Here, we can apply the selective security for the puncturable PRF in

0 ∗ 0 ∗ reverse, replace random strings with the values F (K1, m ) and F (K2, m ) at the punctured points.

84 λ Noting that Hyb0 and Hyb4 represent the two scenarios in Exp-Spl(1 , S, A) and combining the above claims, it follows that any PPT adversary A has negligible advantage in Exp-Spl(1λ, S, A).

2.5 Message Hiding Encodings

We will now describe a simpler primitive called message hiding encodings for Turing machines. Let M be a Turing machine, inp an input to M, and

T T an integer. Recall that ΠM (inp) denotes whether M accepts inp within T steps. A message hiding encoding scheme MHE for message space M consists of algorithms MHE.enc and MHE.dec described as follows.

MHE.enc(1λ,M,T, inp, msg) The encoding algorithm takes as input the security parameter λ (in unary), the description of a Turing machine M, time bound T (in binary), input inp and message msg ∈ M. It outputs an encoding Enc.

MHE.dec(1λ,M, inp,T, Enc) The decoding algorithm takes as input the security parameter λ (in unary), the description of a Turing machine M, time bound T and encoding Enc. It outputs either a message msg ∈ M or ⊥.

85 Correctness For all Turing machines M, time bounds T , inputs inp and

T messages msg ∈ M, if ΠM (inp) = 1, then

MHE.dec(1λ,M, inp,T, MHE.enc(1λ,M,T, inp, msg)) = msg.

Eﬃciency For eﬃciency, we require that the encoding procedure MHE.enc should run in time poly(λ, |M|, |inp|, lg T ), while the decoding procedure MHE.dec’s running time is bounded by poly(λ, |M|, |inp|, lg T, t∗), where t∗ is the time at which M halts on input inp. Note that this implies the size of encoding Enc is bounded by poly(λ, |M|, |inp|, lg T ).

Security The security notion for message hiding encoding schemes can be formalized as follows.

Deﬁnition 2.13 (MHE Security). A message hiding encoding scheme MHE for message space M is secure if for all security parameters λ, messages msg0, msg1 ∈

T M, Turing machines M, time bounds T , inputs inp such that ΠM (inp) = 0, for all PPT adversaries A,

λ Pr A(MHE.enc(1 ,M,T, inp, msgb)) = b : b ← {0, 1} − 1/2 ≤ negl(λ) where the probability is over the choice of b, the random coins used during encoding, and the adversary’s random coins.

2.5.1 Construction

We now describe our message hiding encoding scheme for Turing machines and message space M. We will assume the number of states of any

86 input Turing machine, and the input time bound T are polynomial in λ, and therefore expressible using λ bits. Let Acc = (Setup-Acc, Setup-Acc-EnfR, Setup-Acc-EnfW, PrepR, PrepW, VerifyR, WriteS, Update) be an accumulator for message space Σtape with accumulated value of size `Acc bits, Itr = (Setup-Itr,

Setup-Itr-Enforce, Iterate) an iterator for message space {0, 1}2λ+Àcc with iterated value of size Ìtr bits and S = (Setup-Spl, Sign-Spl, Verify-Spl, Split, Sign-Spl-abo) a splittable signature scheme with message space {0, 1}Ìtr+Àcc+2λ. We will assume that Setup-Spl uses `rnd bits of randomness. Let F a puncturable PRF

λ `rnd with key space K, punctured key space Kp, domain {0, 1} , range {0, 1} and algorithms F.setup, F.puncture, F.eval. The algorithms MHE.enc and MHE.dec are deﬁned as follows.

λ • MHE.enc(1 ,M,T, inp, msg) The encoding algorithm ﬁrst computes (PPAcc,

λ we0, store^ 0) ← Setup-Acc(1 ,T ). Let `inp = |inp|. It computes store^ j

= WriteS(PPAcc, store^ j−1, j − 1, inpj), auxj = PrepW(PPAcc, store^ j−1,

j − 1), wej = Update(PPAcc, wej−1, inpj, j − 1, auxj) for 1 ≤ j ≤ ìnp. Finally, it sets w = w and s = . 0 eìnp 0 store^ ìnp

λ Next, it computes (PPItr, v0) ← Setup-Itr(1 ,T ), chooses a puncturable

λ PRF key KA ← F.setup(1 ), and computes an obfuscation P ← iO(Prog{M,

T , PPAcc, PPItr, KA}) where Prog is deﬁned in Figure 2.17.

λ Let rA = F (KA, 0), (sk0, VK0) = Setup-Spl(1 ; rA) and σ0 = Sign-Spl(sk0,

(v0, q0, w0, 0)). It outputs Enc = (P, w0, v0, σ0, store0).

87 Program Prog

Constants: Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound T , message msg, Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF key KA ∈ K.

Input: Time t ∈ [T ], symbol symin ∈ Σtape, position posin ∈ [T ], state ` stin ∈ Q, accumulator value win ∈ {0, 1} Acc , Iterator value vin, signature σin, accumulator proof π, auxiliary value aux.

1. Veriﬁcations

(a) If VerifyR(PPAcc, win, symin, posin, π) = 0 output ⊥. (b) Let F (KA, t − 1) = rA. Compute (skA, VKA, VKA,rej) = λ Setup-Spl(1 ; rA). (c) Let min = (vin, stin, win, posin). If Verify-Spl(VKA, min, σin) = 0 output ⊥.

2. Computing next state and symbol

(a) Let (stout, symout, β) = δ(stin, symin) and posout = posin + β. (b) If stout = qrej output ⊥. (c) If stout = qacc output msg.

3. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, symout, posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (stin, win, posin)). 0 0 0 0 (c) Let F (KA, t) = rA. Compute (skA, VKA, VKA,rej) ← λ 0 Setup-Spl(1 ; rA). (d) Let mout = (vout, stout, wout, posout) and σout = 0 Sign-Spl(skA, mout).

4. Output symout, stout, posout, wout, vout, σout. Figure 2.17: Program Prog

λ T • MHE.dec(1 ,M, inp, 1 , Enc) Let M = hQ, Σtape, δ, q0, qacc, qreji and Enc =

(P, w0, v0, σ0, store0). Let pos0 = 0, st0 = q0.

88 For i = 1 to T , compute

1. Let (symi−1, πi−1) = PrepR(PPAcc, storei−1, posi−1).

2. Compute auxi−1 ← PrepW(PPAcc, store−1, posi−1).

3. Let out = P (i, symi−1, posi−1, sti−1, wi−1, vi−1, πi−1, auxi−1). If out ∈ M ∪ {⊥} output out.

Else parse out as (symw,i, posi, sti, wi, vi, σi).

4. Compute storei = WriteS(PPAcc, storei−1, posi−1, symw,i).

The basic idea of this construction is that input can accumulated as a preprocessing step, and then an initial signature is produced. This then allows for the main program to step through the computation, taking one transition of the Turing Machine at a time. We note that the decryption only takes t∗ steps rather than T , as we have a condition in line 3. above that breaks out of the for loop when the computation is ﬁnished.

2.5.2 Proof of Security

Theorem 2.1. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, Itr is an iterator satisfying Definitions 2.3 and 2.4, Acc is an accumulator satisfying Definitions 2.5, 2.6, 2.7 and 2.8, S is a splittable signature scheme satisfying security Definitions 2.9, 2.10, 2.11 and 2.12, MHE is a secure message hiding encoder.

89 Proof. Suppose there exists a security parameter λ, machine M, time bound T ,

λ input inp, messages msg0, msg1 and PPT adversary A s.t. Pr[A(MHE.enc(1 ,

M, T , inp, msgb)) = 1] − 1/2 = which is non-negligible. To arrive at a contradiction, we will ﬁrst deﬁne a sequence of outer hybrid experiments

Hyb0,..., Hyb4 and then show that any two consecutive hybrid experiments are computationally indistinguishable. Let us assume M accepts/rejects inp at time t∗ < T .

Hyb0 This hybrid corresponds to the real security game.

Hyb1 This hybrid is similar to the previous one, except that the challenger chooses another PRF key KB to be used for signing/verifying ‘B’ type signa-

λ ture. The challenger computes KB ← F.setup(1 ) and outputs an obfuscation of Prog-1{M, T , PPAcc, PPItr, KA, KB}. (deﬁned in Figure 2.18). In this program, the program checks for ‘B’ type signatures, and if the incoming message has a ‘B’ type signature, then the program signs the outgoing message as a ‘B’ type signature. Also, if the incoming signature is ‘B’ type and t < t∗, then the program rejects if state is qrej or qacc.

∗ 0 ∗ We will now deﬁne 2t hybrids Hyb2,i alphand Hyb2,i for 0 ≤ i < t .

Hyb2,i In this hybrid, the challenger ﬁrst computes the ‘correct message’ mi to be signed at step i. The message mi is computed as follows:

90 Let st0 = q0, pos0 = 0. For j = 1 to i:

1.( symj, πj) = PrepR(PPAcc, storej−1, posj−1).

2. auxj = PrepW(PPAcc, storej−1, posj−1).

3.( stj, symw,j, β) = δ(stj−1, symj−1).

4. wj = Update(PPAcc, wj−1, symw,j, posj−1, auxj).

5. vj = Iterate(PPItr, vj−1, (stj−1, wj−1, posj−1)).

6. storej = WriteS(PPAcc, storej−1, posj−1, symw,j).

7. posj = posj−1 + β.

It sets mi = (vi, sti, wi, posi) and computes the obfuscation of Prog-2-i{i,

M, T , msgb, PPAcc, PPItr, KA, KB, mi} (defined in Figure 2.19), which accepts only ‘A’ type signatures for the first i time steps. Also, if the state output is qacc in the first i steps, it outputs ⊥ instead of outputting message. For the output, if t = i and the message to be signed is the ‘correct message’, it outputs an ‘A’ type signature, else it outputs a ‘B’ type signature. For t > i, the type of signature output is the same as type of signature input.

0 0 Hyb2,i In this hybrid, the challenger outputs the obfuscation of Prog -2-i{i,

M, T , msgb, PPAcc, PPItr, KA, KB, mi} (deﬁned in Figure 2.20), which accepts only ‘A’ type signatures for the ﬁrst i + 1 time steps. If the state is qacc at (i + 1)th step, it outputs ⊥. For the output, if t = i + 1 and the input message is the ‘correct message’, it outputs an ‘A’ type signature, else it outputs a ‘B’

91 type signature. For t > i + 1, the type of signature output is the same as type of signature input.

Hyb3 In this hybrid, the challenger outputs an obfuscation of P3 = Prog-3{M,

∗ T , t , PPAcc, PPItr, msgb, KA, KB} (described in Figure 2.21). Note that

∗ F (KA, t ) will not be computed in this hybrid. Also, the only inputs for which a ‘B’ type signature can possibly be output correspond to t = t∗.

Hyb4 In this hybrid, the challenger outputs the obfuscation of Pb = Prog-4{M,

∗ T , t , PPAcc, PPItr, KA, KB} (deﬁned in Figure 2.22), a program that outputs ⊥ for all t > t∗, including the case when the signature is a valid ‘A’ type signature. As a result, it doesn’t output msg at any instant, and hence P0 and

P1 are identical.

x 0x Analysis Let advA denote the advantage of adversary A in Hybx, and advA 0 the advantage of A in Hybx.

Lemma 2.11. Assuming iO is a secure indistinguishability obfuscator, F is a secure puncturable PRF and S is a splittable signature scheme satisfying

0 1 Deﬁnition 2.9, for any PPT adversary A, |advA − advA| ≤ negl(λ).

The proof of this lemma is contained in Section 2.5.3.

92 Claim 2.26. Assuming iO is a secure indistinguishability obfuscation, for any

1 2,0 PPT A, |advA − advA | ≤ negl(λ).

Proof. Programs Prog-2-0 and Prog-1 are functionally identical. As a result, their obfuscations are computationally indistinguishable, by the security requirement of iO.

Lemma 2.12. Let 1 ≤ i ≤ t∗. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF and S is a splittable signature scheme satisfying deﬁnitions 2.9, 2.10, 2.11 and 2.12, for any PPT

2,i 02,i adversary A, |advA − advA | ≤ negl(λ).

The proof of this lemma is contained in Section 2.5.4.

Lemma 2.13. Let 1 ≤ i ≤ t∗. Assuming iO is a secure indistinguishability obfuscator, Itr is an iterator satisfying indistinguishability of Setup (Defini- tion 2.3) and is enforcing (Definition 2.4), and Acc is an accumulator satisfying indistinguishability of Read/Write Setup (Definitions 2.5 and 2.6) and is Read/Write enforcing (Definitions 2.7 and 2.8), for any PPT adversary A,

02,i 2,i+1 |advA − advA | ≤ negl(λ).

The proof of this lemma is contained in Section 2.5.5.

Lemma 2.14. Assuming iO is a secure indistinguishability obfuscator and Acc satisﬁes indistinguishability of Read Setup (Deﬁnition 2.5), for any PPT

02,t∗−1 3 adversary A, |advA − advA| ≤ negl(λ).

93 The proof of this lemma is contained in Section 2.5.6.

Lemma 2.15. Assuming S satisﬁes VKrej indistinguishability (Deﬁnition 2.9), iO is a secure indistinguishability obfuscator and F is a selectively secure pseu-

3 4 dorandom function, for any adversary A, |advA − advA| ≤ negl(λ).

The proof of this lemma is contained in Section 2.5.7.

Claim 2.27. Any adversary A has 0 advantage in Hyb4.

∗ Proof. Prog-4{M, T, t , PPAcc, PPItr,KA, KB} is independent of message msgb. As a result, any adversary has 0 advantage in guessing b.

94 Prog-1

Constants: Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound T , message msg, Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF key KA,K B ∈ K.

1. Veriﬁcations

(a) If VerifyR(PPAcc, win, symin, posin, π) = 0 output ⊥. (b) Let F (KA, t − 1) = rA, F (KB, t − 1) = rB. Compute λ (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA),(skB, VKB, VKB,rej) = λ Setup-Spl(1 ; rB). (c) Let α =‘-’ and min = (vin, stin, win, posin). If Verify-Spl(VKA, min, σin) = 1 set α =‘A’. If α =‘-’ and t > t∗ output ⊥. If α 6= ‘A’ and Verify-Spl(VKB, min, σin) = 1, set α =‘B’. If α =‘-’, output ⊥ .

2. Computing next state and symbol

(a) Let (stout, symout, β) = δ(stin, symin) and posout = posin + β. (b) If stout = qrej output ⊥. (c) If stout = qacc and α =‘B’, output ⊥. Else if stout = qacc and α =‘A’, output msg.

3. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, symout, posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (stin, win, posin)). 0 0 (c) Let F (KA, t) = rA, F (KB, t) = rB. Compute 0 0 0 λ 0 (skA, VKA, VKA,rej) ← Setup-Spl(1 ; rA). (d) Let mout = (vout, stout, wout, posout) and σout = 0 0 0 0 λ 0 Sign-Spl(skA, mout),( skB, VKB, VKB,rej) = Setup-Spl(1 ; rB).

4. Output symout, stout, posout, wout, vout, σout. Figure 2.18: Prog-1

95 Prog-2-i

1. Veriﬁcations

(a) If VerifyR(PPAcc, win, symin, posin, π) = 0 output ⊥. (b) Let F (KA, t − 1) = rA, F (KB, t − 1) = rB. Compute λ (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA), (skB, VKB, VKB,rej) = λ Setup-Spl(1 ; rB). (c) Let α =‘-’ and min = (vin, stin, win, posin). If Verify-Spl(VKA, min, σin) = 1 set α =‘A’. (d) If α =‘-’ and (t > t∗ or t ≤ i) output ⊥. (e) If α 6= ‘A’ and Verify-Spl(VKB, min, σin) = 1, set α =‘B’. (f) If α =‘-’, output ⊥ . 2. Computing next state and symbol

(a) Let (stout, symout, β) = δ(stin, symin) and posout = posin + β. (b) If stout = qrej output ⊥. (c) If stout = qacc and α =‘B’, output ⊥. Else if stout = qacc and α = ‘A’ and t ≤ i, output ⊥. Else if stout = qacc, output msg. 3. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, symout, posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (stin, win, posin)). 0 0 (c) Let F (KA, t) = rA, F (KB, t) = rB. Compute 0 0 0 λ 0 0 0 0 (skA, VKA, VKA,rej) ← Setup-Spl(1 ; rA), (skB, VKB, VKB,rej) ← λ 0 Setup-Spl(1 ; rB). (d) Let mout = (vout, stout, wout, posout). 0 If t = i and mout = mi, σout = Sign-Spl(skA, mout). 0 Else if t = i and mout 6= mi, σout = Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout).

4. Output symout, stout, posout, wout, vout, σout. Figure 2.19: Prog-2-i 96 Prog0-2-i

1. Veriﬁcations (d) If α =‘-’ and (t > t∗ or t ≤ i + 1) output ⊥. (e) If α 6= ‘A’ and Verify-Spl(VKB, min, σin) = 1, set α =‘B’. (f) If α =‘-’, output ⊥ . 2. Computing next state and symbol

(c) If stout = qacc and α =‘B’, output ⊥. Else if stout = qacc and α = ‘A’ and t ≤ i + 1, output ⊥. Else if stout = qacc, output msg. 3. Update accumulator, iterator and compute new signature

(d) Let mout = (vout, stout, wout, posout). 0 If t = i + 1 and min = mi, σout = Sign-Spl(skA, mout). 0 Else if t = i + 1 and min 6= mi, σout = Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout).

4. Output symout, stout, posout, wout, vout, σout.

Figure 2.20: Prog0-2-i

97 Prog-3

1. Veriﬁcations

(c) Let min = (vin, stin, win, posin). If Verify-Spl(VKA, min, σin) = 0 output ⊥. 2. Computing next state and symbol ∗ (c) If stout = qacc and t < t , output ⊥. 3. Update accumulator, iterator and compute new signature

(d) Let mout = (vout, stout, wout, posout). ∗ 0 If t = t , σout = Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skA, mout).

4. Output symout, stout, posout, wout, vout, σout. Figure 2.21: Prog-3

Prog-4

0. If t > t∗ output ⊥. 1. Veriﬁcations : Same as previous hybrid. 2. Computing next state and symbol

(c) If stout = qacc output ⊥. 3. Update accumulator, iterator and compute new signature : Same as before 4. Output posout, symout, stout, wout, vout, σout. Figure 2.22: Prog-4

98 2.5.3 Proof of Lemma 2.11

∗ Formal proof We will ﬁrst deﬁne t intermediate hybrids H0,...,Ht∗ , and then show that any two consecutive hybrids are computationally indistinguishable.

Hybrid Hi In this experiment, the challenger outputs an obfuscation of

Prog-0-i{i, M, T , PPAcc, PPItr, KA, KB} (deﬁned in Figure 2.23).

Clearly, Ht∗ corresponds to Hyb0 and H0 to Hyb1. Therefore, it suﬃces i to show that Hi and Hi−1 are computationally indistinguishable. Let advA denote the advantage of A in Hi.

Claim 2.28. Assuming iO is a secure indistinguishability obfuscator, F is a secure puncturable PRF and S is a splittable signature scheme satisfying

i i−1 Deﬁnition 2.9, for any PPT adversary A, |advA − advA | ≤ negl(λ).

Proof. We will ﬁrst deﬁne intermediate hybrid experiments Hi,a,...,Hi,f .

Hybrid Hi,a In this hybrid, the challenger outputs an obfuscation of Prog-0-i-a{i,M,

T , PPAcc, PPItr, KA, KB} (described in Figure 2.24), which is functionally identical to Prog-0-i{i,M, T , PPAcc, PPItr, KA, KB}.

99 Hybrid Hi,b In this hybrid, the challenger ﬁrst punctures the PRF key KB on input i − 1. It computes KB{i − 1} ← F.puncture(KB, i − 1). Next, it

λ computes rC = F (KB, i − 1) and (skC , VKC , VKC,rej) = Setup-Spl(1 ; rC ). It hardwires KB{i − 1} and VKC,rej in the program Prog-0-i-b{i,M, T , PPAcc,

PPItr, KA, KB{i − 1}, VKC,rej} (deﬁned in Figure 2.25).

Hybrid Hi,c This experiment is similar to Hi,b, except that rC is chosen uniformly at random from {0, 1}λ. More formally, the challenger computes

λ KB{i − 1} as before. However, it chooses (skC , VKC , VKC,rej) ← Setup-Spl(1 ).

The obfuscated program has VKC,rej hardwired as before.

Hybrid Hi,d In this hybrid, the challenger chooses (skC , VKC , VKC,rej) ←

λ Setup-Spl(1 ) as before. However, instead of hardwiring VKC,rej, it hardwires

VKC .

Hybrid Hi,e In this hybrid, the challenger uses a pseudorandom string to compute (skC , VKC , VKC,rej). More formally, the challenger computes rC =

λ F (KB, i − 1), (skC , VKC , VKC,rej) = Setup-Spl(1 ; rC ).

Hybrid Hi,f This experiment corresponds to Hi−1.

i,x i Analysis Let advA denote the advantage of A in Hi,x, and let advA denote the advantage of A in Hi.

100 Claim 2.29. Assuming iO is a secure indistinguishability obfuscator, for any

i i,a PPT A, |advA − advA | ≤ negl(λ).

Proof. First, since Verify-Spl(VKB,rej, min, σin) = 0 for all min, σin, both programs output ⊥ when α =‘B’ and t = i. For inputs corresponding to t 6= i or t > t∗, both programs have same functionality. Therefore, both programs have identical functionality, and their obfuscations are computationally indistinguishable.

Claim 2.30. Assuming iO is a secure indistinguishability obfuscator, for any

i,a i,b PPT A, |advA − advA | ≤ negl(λ).

Proof. The only diﬀerence between Prog-0-i-a and Prog-0-i-b is that the latter uses a unctured PRF key KB{i − 1} at steps 1(b) and 3(c). At step 1(b), functionality is preserved since the correct veriﬁcation key is hardwired as

VKC in the hybrid. Next, note that step 3(c) functionality can possibly diﬀer only if t = i − 1 and α =‘B’. However, by deﬁnition of the program, this case is not possible.

Claim 2.31. Assuming F is a selectively secure puncturable PRF, for any

i,b i,c PPT adversary A, |advA − advA | ≤ negl(λ).

Proof. Note that both programs depend only on KB{i−1}. As a result, we can replace F (KB, i − 1) with a random value. From the security of puncturable PRFs, it follows that these two hybrids are computationally indistinguishable.

101 Claim 2.32. Assuming S is a splittable signature scheme satisfying VKrej in- i,c i,d distinguishability (Deﬁnition 2.9), for any PPT adversary A, |advA −advA | ≤ negl(λ).

Proof. Here, we rely crucially on the fact that skC was not hardwired in the program. As a result, given only VKC or VKC,rej, the experiments are indistinguishable.

Claim 2.33. Assuming F is a selectively secure puncturable PRF, for any

i,d i,e PPT adversary A, |advA − advA | ≤ negl(λ).

Proof. This step is similar to the proof of Claim 2.31, and follows analogously from the security of the puncturable PRF.

Claim 2.34. Assuming iO is a secure indistinguishability obfuscator, for any

i,e i,f PPT A, |advA − advA | ≤ negl(λ).

Proof. The only diﬀerence between Hi,e and Hi,f is that Hi,e uses a PRF key

KB{i − 1} punctured at i − 1, while Hi,f uses KB itself. Using the correctness property of puncturable PRFs, we can argue that the programs output in Hi,e and Hi,f are functionally identical, and therefore Hi,e and Hi,f are computationally indistinguishable (implied by the security of iO).

0 To conclude, for any PPT adversary A, if A has advantage advA in 1 0 1 Hyb0 and advA in Hyb1, then |advA − advA| ≤ negl(λ).

102 Prog-0-i

Constants: i, Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound T , message msg, Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys KA,KB ∈ K.

1. Veriﬁcations

(a) If VerifyR(PPAcc, win, symin, posin, π) = 0 output ⊥. (b) Let F (KA, t − 1) = rA, F (KB, t − 1) = rB. Compute λ (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA), (skB, VKB, VKB,rej) = λ Setup-Spl(1 ; rB). (c) Let α =‘-’ and min = (vin, stin, win, posin). If Verify-Spl(VKA, min, σin) = 1 set α =‘A’ . If α =‘-’ and (t > t∗ or t ≤ i) output ⊥. If α = ‘-’ and Verify-Spl(VKB, min, σin) = 1, set α =‘B’. If α =‘-’, output ⊥ .

2. Computing next state and symbol

3. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, symout, posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (stin, win, posin)). 0 0 (c) Let F (KA, t) = rA, F (KB, t) = rB. Compute 0 0 0 λ 0 0 0 0 (skA, VKA, VKA,rej) ← Setup-Spl(1 ; rA), (skB, VKB, VKB,rej) ← λ 0 Setup-Spl(1 ; rB). 0 (d) Let mout = (vout, stout, wout, posout), σout = Sign-Spl(skα, mout).

4. Output symout, stout, posout, wout, vout, σout. Figure 2.23: Prog-0-i

103 Prog-0-i-a

1. Veriﬁcations

(b) Let F (KA, t − 1) = rA, F (KB, t − 1) = rB. Compute λ (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA), (skB, VKB, VKB,rej) = λ Setup-Spl(1 ; rB), VK = VKrej. (c) Let α =‘-’ and min = (vin, stin, win, posin). If Verify-Spl(VKA, min, σin) = 1 set α =‘A’ . If α =‘-’ and (t > t∗ or t ≤ i − 1) output ⊥. If α =‘-’ and t = i and Verify-Spl(VK, min, σin) = 0 output ⊥ If α = ‘-’ and Verify-Spl(VKB, min, σin) = 1, set α =‘B’. If α =‘-’, output ⊥ . 2. Computing next state and symbol: Same as before. 3. Update accumulator, iterator and compute new signature: Same as before. 4. Output posout, symout, stout, wout, vout, σout. Figure 2.24: Prog-0-i-a

104 Prog-0-i-b

1. Veriﬁcations

(b) If t 6= i, let F (KA, t − 1) = rA, F.eval(KB{i − 1}, t − λ 1) = rB. Compute (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA), λ (skB, VKB, VKB,rej) = Setup-Spl(1 ; rB), VK = VKB,rej. Else VK = VKC . 2. Computing next state and symbol: Same as before. 3. Update accumulator, iterator and compute new signature 0 0 (c) Let rA = F (KA, t), rB = F.eval(KB{i − 1}, t). Compute 0 0 0 λ 0 0 0 0 (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA), (skB, VKB, VKB,rej) = λ 0 Setup-Spl(1 ; rB).

4. Output posout, symout, stout, wout, vout, σout. Figure 2.25: Prog-0-i-b

105 2.5.4 Proof of Lemma 2.12

Formal Proof To prove Lemma 2.12, we will ﬁrst deﬁne a sequence of hybrids H0,...,H13, where H0 corresponds to Hyb2,i and H13 corresponds to 0 Hyb2,i.

Hybrid H0 This experiment corresponds to Hyb2,i.

Hybrid H1 In this experiment, the challenger punctures key KA,KB at input i, uses F (KA, i) and F (KB, i) to compute (skC , VKC ) and (skD, VKD) respectively. More formally, it computes KA{i} ← F.puncture(KA, i), rC =

λ F (K, i), (skC , VKC , VKC,rej) = Setup-Spl(1 ; rC ) and KB{i} ← F.puncture(KB, i),

λ rD = F (K, i), (skD, VKD, VKD,rej) = Setup-Spl(1 ; rD).

It then hardwires KA{i},KB{i}, skC , VKC , skD, VKD in an altered program P = Prog-2-i-1{KA{i}, KB{i}, skC , VKC , skD, VKD, mi}(deﬁned in Figure 2.26) and outputs its obfuscation. P is identical to Prog-2-i, except that it uses a punctured PRF key KA{i} instead of KA, and KB{i} instead of

KB. On input corresponding to i, P uses the hardwired keys.

Hybrid H2 In this hybrid, the challenger chooses rC , rD uniformly at random instead of computing them using F (KA, i) and F (KB, i). In other words, the

λ secret key/veriﬁcation key pairs are sampled as (skC , VKC ) ← Setup-Spl(1 )

λ and (skD, VKD) ← Setup-Spl(1 ).

106 Prog-2-i-1

Constants: Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound T , message msg, Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, punctured PRF keys KA{i},KB{i} ∈ Kp, secret/veriﬁcation keys skC , skD, VKD, VKD, message mi.

Input: Time t ∈ [T ], position posin ∈ [T ], symbol symin ∈ Σtape, state ` stin ∈ Q, accumulator value win ∈ {0, 1} Acc , Iterator value vin, signature σin, accumulator proof π, auxiliary value aux.

1. Veriﬁcations

(b) If t 6= i+1, let rA = F.eval(KA{i}, t−1), rB = F.eval(KB{i}, t− λ 1). Compute (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA), λ (skB, VKB, VKB,rej) = Setup-Spl(1 ; rB). Else set VKA = VKC , VKB = VKD. 2. Computing next state and symbol: Same as before. 3. Update accumulator, iterator and compute new signature 0 0 (c) If t 6= i, let rA = F.eval(KA{i}, t), rB = F.eval(KB{i}, t). 0 0 0 λ 0 Compute (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA), 0 0 0 λ 0 (skB, VKB, VKB,rej) = Setup-Spl(1 ; rB). 0 0 Else set skA = skC , skB = skD.

(d) Let mout = (vout, stout, wout, posout). 0 If t = i and mout = mi, σout = Sign-Spl(skA, mout). 0 Else if t = i and mout 6= mi, σout = Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout).

4. Output posout, symout, stout, wout, vout, σout. Figure 2.26: Prog-2-i-1

Hybrid H3 In this hybrid, the challenger computes constrained signing keys using the Split algorithm. As in the previous hybrids, it ﬁrst computes the ith message mi. Then, it computes (σC,(1) , VKC,(1) , σC,abo, VKC,abo) = Split(skC , mi) and (σD,(1) , VKD,(1) , σD,abo, VKD,abo) = Split(skD, mi).

107 It then hardwires σC,(1) , skD,abo in P = Prog-2-i-2{KA{i}, KB{i}, σC,(1) ,

VKC , skD,abo, VKD, mi} (deﬁned in Figure 2.27) and outputs an obfuscation of P . Note that the only diﬀerence between Prog-2-i-2 and Prog-2-i-1 is that Prog-2-i-1, on input corresponding to step i, signs the outgoing message m using skC if m = mi, else it signs using skD. On the other hand, at step i,

Prog-2-i-2 outputs σC,(1) if the outgoing message m = mi, else it signs using skC,abo.

Prog-2-i-2

Constants: Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound T , message msg, Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, punctured PRF keys KA{i},KB{i} ∈ Kp, constrained secret/veriﬁcation keys σC,(1) , VKC , skabo,D, VKD, message mi.

1. Veriﬁcations: Same as before. 2. Computing next state and symbol: Same as before. 3. Update accumulator, iterator and compute new signature: 0 0 (c) If t 6= i, let rA = F.eval(KA{i}, t), rB = F.eval(KB{i}, t). 0 0 0 λ 0 Compute (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA), 0 0 0 λ 0 (skB, VKB, VKB,rej) = Setup-Spl(1 ; rB). 0 0 Else set skA = σC,(1) , skB = skabo,D. (d) Let mout = (vout, stout, wout, posout). If t = i and mout = mi, σout = σC,abo . 0 Else if t = i and mout 6= mi, σout = Sign-Spl-abo(skB, mout). 0 Else σout = Sign-Spl(skα, mout).

4. Output posout, symout, stout, wout, vout, σout. Figure 2.27: Prog-2-i-2

108 Hybrid H4 This hybrid is similar to the previous one, except that the challenger hardwires VKC,(1) in Prog-2-i-2 instead of VKC ; that is, it computes

(σC,(1) , VKC,(1) , σC,abo, VKC,abo) = Split(skC , mi) and (σD,(1) , VKD,(1) , σD,abo,

VKD,abo) = Split(skD, mi) and outputs an obfuscation of W4 = Prog-2-i-2{KA{i},

KB{i}, σC,(1) , VKC,(1) , skD,abo, VKD, mi}).

Hybrid H5 In this hybrid, the challenger hardwires VKD,abo instead of VKD.

As in the previous hybrid, it uses Split to compute (σC,(1) , VKC,(1) , σC,abo,

VKC,abo) and (σD,(1) , VKD,(1) , σD,abo, VKD,abo) from skC and skD respectively.

However, it outputs an obfuscation of W5 = Prog-2-i-2{KA{i}, KB{i}, σC,(1) ,

VKC,(1) , skD,abo, VKD,abo, mi}.

Hybrid H6 In this hybrid, the challenger outputs an obfuscation of P =

Prog-2-i-3{KA{i}, KB{i}, σC,(1) , VKC,(1) , skC,abo,VKC,abo,mi} (described in Fig- ure 2.28). This program performs extra checks before computing the signature. In particular, the program additionally checks if the input corresponds to step i + 1. If so, it checks whether min = mi or not, and accordingly outputs either ‘A’ or ‘B’ type signature.

Hybrid H7 In this hybrid, the challenger makes the accumulator ‘read enforcing’. It computes the first i ‘correct inputs’ for the accumulator. Initially, the state is st0 = q0. Let tape be a T dimensional vector, the first ìnp entries

109 Prog-2-i-3

1. Veriﬁcations: Same as before. 2. Computing next state and symbol: Same as before. 3. Update accumulator, iterator and compute new signature

(d) Let mout = (vout, stout, wout, posout). If t = i and mout = mi, σout = σC,abo . 0 Else if t = i and mout 6= mi, σout = Sign-Spl-abo(skB, mout). 0 Else if t = i + 1 and min = mi, σout = Sign-Spl(skA, mout). 0 Else if t = i + 1 and min 6= mi, σout = Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout).

4. Output posout, symout, stout, wout, vout, σout. Figure 2.28: Prog-2-i-3 of tape correspond to the input inp. The remaining are ‘ ’. Let sym0 = tape[0] and pos0 = 0. For j = 1 to i

1. Let (stj, symw,j, β) = δ(stj−1, symj−1).

2. Set tape[posj−1] = symw,j, posj = posj−1 + β, symj = tape[posj].

Let enf = ((inp , 0),..., (inp , ` −1), (sym , pos ),..., (sym , pos )). 1 `inp inp w,1 0 w,i i−1 λ The challenger computes (PPAcc, we0, store^ 0) ← Setup-Acc-EnfR(1 ,T, enf, posi).

110 Hybrid H8 In this hybrid, the challenger outputs an obfuscation of program

W8 = Prog-2-i-4{KA{i}, KB{i}, σC,(1) , VKC,(1) , skD,abo, VKD,abo, mi} (deﬁned in Figure 2.29). This program outputs ⊥ if on (i+1)th step, the input signature

‘A’ veriﬁes, and the output state is qacc. Note that the accumulator is ‘read enforced’ in this hybrid.

Prog-2-i-4

1. Veriﬁcations: Same as before. 2. Computing next state and symbol

(c) If stout = qacc and α =‘B’ output ⊥. Else if stout = qacc and α = ‘A’ and t ≤ i + 1 output ⊥. Else if stout = qacc and α =‘A’ output msg. 3. Update accumulator, iterator and compute new signature: Same as before 4. Output posout, symout, stout, wout, vout, σout. Figure 2.29: Prog-2-i-4

Hybrid H9 In this hybrid, the challenger uses normal setup for the accumulator related parameters; that is, it computes (PPAcc, w0, store0) ← Setup-Acc(1λ,T ). The remaining steps are exactly identical to the corresponding ones in the previous hybrid.

111 Hybrid H10 In this hybrid, the challenger computes (σC,(1) , VKC,(1) , σC,abo,

VKC,abo) = Split(skC , mi), but does not compute (skD, VKD). Instead, it outputs an obfuscation of W10 = Prog-2-i-4{KA{i}, KB{i}, σC,(1) , VKC,(1) , skC,abo,VKC,abo,mi}.

Note that the hardwired keys for veriﬁcation/signing (that is, σC,(1) , VKC,(1) , skC,abo,VKC,abo) are all derived from the same signing key skC , whereas in the previous hybrid, the ﬁrst two components were derived from skC while the next two from skD.

Hybrid H11 In this hybrid, the challenger obfuscates a program Prog-2-i-5 (deﬁned in Figure 2.30) which has a secret key, veriﬁcation key pair hardwired, instead of the four components in Prog-2-i-4. More formally, the challenger

λ chooses (skC , VKC ) ← Setup-Spl(1 ) and outputs an obfuscation of W11 =

Prog-2-i-5{KA{i}, KB{i}, skC , VKC }.

Hybrid H12 In this hybrid, the challenger chooses the randomness rC used to compute (skC , VKC ) pseudorandomly; that is, it sets rC = F (KA, i).

0 Hybrid H13 This corresponds to the hybrid Hyb2,i.

i Analysis Let advA denote the advantage of A in hybrid experiment Hi.

Claim 2.35. Assuming iO is a secure indistinguishability obfuscator, for any

0 1 PPT adversary A, |advA − advA| ≤ negl(λ).

112 Prog-2-i-5

1. Veriﬁcations

(b) If t 6= i+1, let rA = F.eval(KA{i}, t−1), rB = F.eval(KB{i}, t− λ 1). Compute (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA), λ (skB, VKB, VKB,rej) = Setup-Spl(1 ; rB). Else set VKA = VKC . (c) Let α =‘-’ and min = (vin, stin, win, posin). (d) If Verify-Spl(VKA, min, σin) = 1 set α =‘A’ . If α =‘-’ and (t > t∗ or t ≤ i + 1) output ⊥. If α = ‘-’ and Verify-Spl(VKB, min, σin) = 1, set α =‘B’. If α =‘-’, output ⊥ . 2. Computing next state and symbol: Same as before. 3. Update accumulator, iterator and compute new signature 0 0 (c) If t 6= i, let rA = F.eval(KA{i}, t), rB = F.eval(KB{i}, t). 0 0 0 λ 0 Compute (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA), 0 0 0 λ 0 (skB, VKB, VKB,rej) = Setup-Spl(1 ; rB). 0 Else set skA = skC . (d) Let mout = (vout, stout, wout, posout). 0 If t = i, σout = Sign-Spl(skA, mout). 0 Else if t = i + 1 and min = mi, Sign-Spl(skA, mout). 0 Else if t = i + 1 and min 6= mi, Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout). Figure 2.30: Prog-2-i-5

Proof. The only diﬀerence between H0 and H1 is that H0 uses program Prog-2-i, while H1 uses Prog-2-i-1. From the correctness of puncturable PRFs, it follows

113 that both programs have identical functionality for t 6= i. For t = i, the two programs have identical functionality because (skC , VKC ) and (skD, VKD) are correctly computed using F (KA, i) and F (KB, i) respectively. Therefore, by the security of iO, it follows that the obfuscations of the two programs are computationally indistinguishable.

Claim 2.36. Assuming F is a selectively secure puncturable PRF, for any

1 2 adversary A, |advA − advA| ≤ negl(λ).

Proof. We will construct an intermediate experiment H, where rC is chosen uniformly at random, while rD = F (KB, i). Now, if an adversary can distinguish between H1 and H, then we can construct a reduction algorithm that breaks the security of F . The reduction algorithm sends i as the challenge,

λ and receives KA{i}, r. It then uses r to compute (skC , VKC ) = Setup-Spl(1 ; r). Depending on whether r is truly random or not, B simulates either hybrid H or H1. Clearly, if A can distinguish between H1 and H with advantage , then B breaks the PRF security with advantage .

Claim 2.37. Assuming iO is a secure indistinguishability obfuscator, for any

2 3 PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. This follows from correctness property 2 of splittable signatures. This correctness property ensures that Prog-2-i-1 and Prog-2-i-2 have identical functionality.

Claim 2.38. Assuming S satisﬁes VK(1) indistinguishability (Deﬁnition 2.10),

3 4 for any PPT adversary A, |advA − advA| ≤ negl(λ).

114 3 4 Proof. Suppose there exists an adversary A such that |advA − advA| = .

Then we can construct a reduction algorithm B that breaks the VK(1) indistinguishability of S. B sends mi to the challenger. The challenger chooses

λ (skC , VKC , VKC,rej) ← Setup-Spl(1 ), (σC,(1) , VKC,(1) , skC,abo, VKC,abo) and receives (σ, VK), where σ = σC,(1) and VK = VKC or VKC,(1) . It chooses the remaining components (including skD,abo and VKD), and computes Prog-2-i-2{KA{i},

KB{i}, σ, VK, skD,abo, VKD,mi}. Now, note that B perfectly simulates either

H4 or H5, depending on whether the challenge message was a

Claim 2.39. Assuming S satisﬁes VKabo indistinguishability (Deﬁnition 2.11),

4 5 for any PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. This proof is similar to the previous one. If there exists an adversary

4 5 A such that advA − advA = , then there exists a reduction algorithm B that breaks the VKabo security of S with advantage . In this case, the reduction algorithm uses the challenger’s output to set up skD,abo and VK, which is either

VKD or VKD,abo.

Claim 2.40. Assuming iO is a secure indistinguishability obfuscator, for any

5 6 PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. Let P0 = Prog-2-i-2{KA{i}, KB{i}, σC,(1) , VKC,(1) , skD,abo, VKD,abo, mi} and P1 = Prog-2-i-3{KA{i}, KB{i}, σC,(1) , VKC,(1) , skC,abo,VKC,abo,mi}, where the constants of both programs are computed identically. It suﬃces to show that P0 and P1 have identical functionality. Note that the only inputs

115 where P0 and P1 can possibly diﬀer correspond to step i + 1. Fix any input

(i + 1, min = (vin, stin, win, posin), symin, π, aux. Let us consider two cases:

(a) min = mi. In this case, using the correctness properties 1 and 3, we

0 can argue that for both programs, α =‘A’. Now, P0 outputs Sign-Spl(skα, mout), 0 while P1 is hardwired to output Sign-Spl(skA, mout. Therefore, both programs have the same output in this case.

(b) min 6= mi. Here, we use the correctness property 5 to argue that

α 6=‘A’, and correctness properties 2, 1 and 6 to conclude that α =‘B’. P1 is

0 0 hardwired to output Sign-Spl(skB, mout), while P0 outputs Sign-Spl(skα, mout).

Claim 2.41. Assuming Acc satisﬁes indistinguishability of Read Setup (Deﬁ-

6 7 nition 2.5), for any PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. This follows from Deﬁnition 2.5. Suppose, on the contrary, there ex-

6 7 ists an adversary A such that |advA − advA| = which is non-negligible in λ. We will construct an algorithm B that uses A to break the Read Setup indistinguishability of Acc. B ﬁrst computes the ﬁrst i tuples to be accumulated. It computes (symw,j, posj) for j ≤ i as described in Hybrid H7, and sends (symw,j, posj) for j < i, and posi to the challenger, and receives

(PPAcc, we0, store^ 0). B uses these components to compute the encoding. Note that the remaining steps are identical in both hybrids, and therefore, B can simulate them perfectly. Finally, using A’s guess, B guesses whether the setup was normal or read-enforced.

116 Claim 2.42. Assuming iO is a secure indistinguishability obfuscator, for any

7 8 PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. Let P0 = Prog-2-i-3{KA{i}, KB{i}, σC,(1) , VKC,(1) , skC,abo,VKC,abo,mi} and P1 = Prog-2-i-4{KA{i}, KB{i}, σC,(1) , VKC,(1) , skC,abo,VKC,abo,mi}. We need to show that P0 and P1 have identical functionality. Note the only difference could be in the case where t = i + 1. If Verify-Spl(VKC,(1) , min, σin) = 1 and the remaining inputs are such that stout = qacc, then both programs can have diﬀerent functionality. We will show that this case cannot happen.

From the correctness property 5, it follows that if Verify-Spl(VKC,(1) , min, σin) = 1, then min = mi. As a result, win = wi, posin = posi, stin = sti.

Therefore, (symin = or VerifyR(PPAcc, symin, wi, posi, π) = 1) =⇒ symin = symi, which implies stout = sti+1. However, since M is not accepting, sti+1 6= qacc. Therefore, t = i + 1 and Verify-Spl(VKC,(1) , min, σin) = 1 and stout = qacc cannot take place.

Claim 2.43. Assuming Acc satisﬁes indistinguishability of Read Setup (Deﬁ-

8 9 nition 2.5), for any PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. This step is a reversal of the step from H6 to H7, and therefore the proof of this claim is similar to that of Claim 2.41.

Claim 2.44. Assuming S satisﬁes splitting indistinguishability (Deﬁnition

9 10 2.12), for any PPT adversary A, |advA − advA | ≤ negl(λ).

117 Proof. We will use the splittable indistinguishability property (Deﬁnition 2.12)

9 10 for this claim. Assume there is a PPT adversary A such that |advA−advA | = . We will construct an algorithm B that uses A to break the splitting indistinguishability of S. B ﬁrst receives as input from the challenger a tuple

(σ(1) , VK(1) , skabo, VKabo), where either all components are derived from the same secret key, or the ﬁrst two are from one secret key, and the last two from another secret key. Using this tuple, B can deﬁne the constants required for Prog-2-i-4. It computes KA{i},KB{i}, PPAcc, PPItr, mi as described in hybrid H9 and hardwires σ(1) , VK(1) , skabo, VKabo in the program. In this way, B can simulate either H9 or H10, and therefore, use A’s advantage to break the splitting indistinguishability.

Claim 2.45. Assuming S satisﬁes splitting indistinguishability (Deﬁnition

10 11 2.12), for any PPT adversary A, advA − advA ≤ negl(λ).

Proof. This claim follows from correctness properties of S. Note that the programs W10 and W11 can possibly diﬀer only if t = i + 1. Let us consider all the possible scenarios. Each of those can be addressed using one/more of the correctness properties of S.

1. Signatures verify and stin = qacc. Both programs output ⊥.

2. Verify-Spl(VKC,(1) , min, σin) = 1 and stout 6= qacc. In this case, W10 outputs 0 Sign-Spl(skA, mout). Note that using correctness properties 3 and 5, we 0 get that min = mi, and therefore, W11 outputs Sign-Spl(skA, mout).

118 3. Verify-Spl(VKC,(1) , min, σin) = 0 but Verify-Spl(VKC,abo, min, σin) = 1. In 0 this case, W10 sets α =‘B’, and therefore the program outputs Sign-Spl(skB,

mout). Using property 6, it follows that min 6= mi, and hence W11 also gives the same output. 4. Signatures do not verify at both steps. In this case, both programs output ⊥.

Claim 2.46. Assuming F is a selectively secure puncturable PRF scheme, for

11 12 any PPT adversary A, |advA − advA | ≤ negl(λ).

Proof. The proof of this claim is identical to the proof of Claim 2.36.

Claim 2.47. Assuming iO is a secure indistinguishability obfuscator, for any

12 13 PPT adversary A, |advA − advA | ≤ negl(λ).

Proof. This proof is identical to the proof of Claim 2.35; it follows directly from the correctness of puncturable PRFs.

2.5.5 Proof of Lemma 2.13

Formal Proof We will ﬁrst deﬁne a sequence of hybrid experiments H0,...,H8,

0 where H0 corresponds to Hyb2,i and H9 corresponds to Hyb2,i+1.

0 Hybrid H0 This corresponds to Hyb2,i.

119 Hybrid H1 In this hybrid, the challenger uses ‘read enforced’ setup for the accumulator. The challenger computes the first ìnp + i ‘correct tuples’ for the accumulator. Initially, the state is st0 = q0. Let tape be a T dimensional vector, the first ìnp entries of tape correspond to the input inp. The remaining are ‘ ’. Let sym0 = tape[0] and pos0 = 0. For j = 1 to i

1. Let (stj, symw,j, β) = δ(stj−1, symj−1).

2. Set tape[posj−1] = symw,j, posj = posj−1 + β, symj = tape[posj].

Let enf = ((inp[0], 0), ...,(inp[`inp − 1], `inp − 1), (symw,1, pos0), ...,

λ (symw,i, posi−1)). The challenger computes (PPAcc, we0, store^ 0) ← Setup-Acc-EnfR(1 ,

T , enf, posi). The remaining steps are same as in the previous hybrid.

Hybrid H2 In this hybrid, the challenger uses program P2 (deﬁned in Figure

0 2.31), which is similar to Prog -2-i. However, in addition to checking if min = mi, it also checks if (vout, posout, stout) = (vi+1, posi+1, sti+1).

Hybrid H3 In this experiment, the challenger uses normal setup instead of ‘read enforced’ setup for the accumulator.

Hybrid H4 In this hybrid, the challenger ‘write enforces’ the accumulator. As in hybrid H1, the challenger computes the ﬁrst `inp + i + 1 ‘correct tuples’ to be accumulated. Let symw,j, posj be the symbol output and the

th position after the j step. The challenger computes (PPAcc, we0, store^ 0) ←

120 P2

0 Input: Time t ∈ [T ], position posin ∈ [T ], symbol symin ∈ Σtape, state ` stin ∈ Q, accumulator value win ∈ {0, 1} Acc , Iterator value vin, signature σin, accumulator proof π, auxiliary value aux.

1. Veriﬁcations: Same as before. 2. Computing next state and symbol: Same as before. 3. Update accumulator, iterator and compute new signature

(d) Let mout = (vout, stout, wout, posout). If t = i + 1 and min = mi and (vout, posout, stout) = 0 (vi+1, posi+1, sti+1), σout = Sign-Spl(skA, mout). Else if t = i + 1 and (min 6= mi or (vout, posout, stout) 6= 0 (vi+1, posi+1, sti+1)), σout = Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout).

4. Output posout, symout, stout, wout, vout, σout.

Figure 2.31: P2

λ Setup-Acc-EnfW(1 ,T, enf), where enf = ((inp[0], 0),..., (inp[`inp − 1], `inp −

1), (symw,1, pos0),..., (symw,i, posi−1), (symw,i+1, posi)). The remaining computation is same as in previous step.

Hybrid H5 In this experiment, the challenger outputs an obfuscation of

P5 = P5{i, KA,KB, mi, mi+1}, which is similar to P2. However, on input where t = i + 1, before computing signature, it also checks if wout = wi+1. Therefore, it checks whether min = mi and mout = mi+1.

121 P5

1. Veriﬁcations: Same as before. 2. Computing next state and symbol: Same as before. 3. Update accumulator, iterator and compute new signature

(d) Let mout = (vout, stout, wout, posout). If t = i + 1 and min = mi and mout = mi+1, σout = 0 Sign-Spl(skA, mout). Else if t = i + 1 and (min 6= mi or mout 6= mi+1), σout = 0 Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout).

4. Output posout, symout, stout, wout, vout, σout.

Figure 2.32: P5

Hybrid H6 This experiment is similar to the previous one, except that the challenger uses normal setup for accumulator instead of ‘enforcing write’.

Hybrid H7 This experiment is similar to the previous one, except that the challenger uses enforced setup for iterator instead of normal setup. It ﬁrst computes PPAcc, w0, store0 as in the previous hybrid. Next, it computes the

ﬁrst i + 1 ‘correct messages’ for the iterator. Let st0 = q0 and pos0 = 0. For j = 1 to i + 1

1.( symj, πj) = PrepR(PPAcc, storej−1, posj−1).

122 2. Let (stj, symw,j, β) = δ(stj−1, symj−1).

3. auxj = PrepW(PPAcc, storej−1, posj−1).

4. wj = Update(PPAcc, wj−1, symw,j, posj−1, auxj).

5. storej = WriteS(PPAcc, storej−1, posj−1, symw,j).

6. posj = posj−1 + β.

Let enf = ((st0, w0, pos0),..., (sti, wi, posi)). It computes (PPItr, v0) ← Setup-Itr-Enforce(1λ,T, enf). The remaining hybrid proceeds as the previous one.

Hybrid H8 In this experiment, the challenger outputs an obfuscation of

P8 = P8{i, KA,KB, mi+1} (deﬁned in Figure 2.33), which is similar to P5, except that it only checks if mout = mi+1.

Hybrid H9 This corresponds to Hyb2,i+1. The only diﬀerence between this experiment and the previous one is that this uses normal Setup for iterator.

2.5.5.1 Analysis

i Let advA denote the advantage of A in hybrid Hi.

Claim 2.48. Assuming Acc satisﬁes indistinguishability of Read Setup (Deﬁ-

0 1 nition 2.5), for any PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. This proof is identical to the proof of Claim 2.41; it follows from Read Setup indistinguishability (Deﬁnition 2.5) of Acc.

123 P8

Constants: Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound T , message msg, Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys KA,KB ∈ K, message mi+1.

1. Veriﬁcations: Same as before. 2. Computing next state and symbol: Same as before. 3. Update accumulator, iterator and compute new signature

(d) Let mout = (vout, stout, wout, posout). 0 If t = i + 1 and mout = mi+1 set σout = Sign-Spl(skA, mout). Else if t = i + 1 and (mout 6= mi+1), set σout = 0 Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout).

4. Output posout, symout, stout, wout, vout, σout.

Figure 2.33: P8

Claim 2.49. Assuming Acc is Read enforcing (Deﬁnition 2.7) and iO is a se-

1 2 cure indistinguishability obfuscator, for any PPT adversary A, |advA −advA| ≤ negl(λ).

0 Proof. In order to prove this claim, it suﬃces to show that P0 = Prog -2-i{i,

M, T , msgb, PPAcc, PPItr, KA, KB, mi} and P1 = Prog-2-i-b{i, M, T , msgb,

PPAcc, PPItr, KA, KB, mi, vi+1, posi+1, sti+1} are functionally identical. P0 and P1 are functionally identical iﬀ min = mi =⇒ (vout, posout, stout) =

(vi+1, posi+1, sti+1). Here, we will use the Read enforcing property. Note that min = mi =⇒ win = wi, vin = vi, stin = sti and posin = posi. From Deﬁnition

2.7 and the deﬁnition of H1/H2, it follows that if VerifyR(PPAcc, wi, symin, posin, π) =

124 1, then symin = symi. This, together with stin, vin, posin implies that vout = vi+1, posout = posi+1 and stout = sti+1. This completes our proof.

Claim 2.50. Assuming Acc satisﬁes indistinguishability of Read Setup (Deﬁ-

2 3 nition 2.5), for any PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. This step is a reversal of the step from H0 to H1; its proof is identical to that of Claim 2.35.

Claim 2.51. Assuming Acc satisﬁes indistinguishability of Write Setup (Def-

3 4 inition 2.6), for any PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. This proof follows from the Write Setup indistinguishability (Deﬁni-

3 tion 2.6) of Acc. Suppose there exists an adversary A such that advA − 4 advA = . We will construct an algorithm B that uses A to break the

Write Setup indistinguishability of Acc. B first computes the first ìnp + i + 1 tuples to be accumulated - enf = ((inp[0], 0),..., (inp[ìnp − 1], ìnp −

1), (symw,1, pos0),..., (symw,i+1, posi)). Next, it sends enf to the challenger, and receives PPAcc, we0, store^ 0. The remaining encoding computation is identical in both hybrids, and therefore, B can simulate it perfectly using PPAcc, we0, store^ 0. In this manner, B can perfectly simulate either H3 or H4, depending on the challenger’s input, and then use A’s response to win the security game with non-negligible advantage.

Claim 2.52. Assuming Acc is Write enforcing (Deﬁnition 2.8) and iO is

4 a secure indistinguishability obfuscator, for any PPT adversary A, |advA − 5 advA| ≤ negl(λ).

125 Proof. Let P0 = Prog-2-i-b{msgb, mi, vi+1, posi+1, sti+1} and P1 = Prog-2-i-c{msgb, mi, mi+1}. In order to prove that P0 and P1 have identical functionality, it suﬃces to show that min = mi and (vout, posout, stout)=(vi+1, posi+1, sti+1)

=⇒ wout = wi+1. Here, we will use the Write enforcing property (Deﬁni- tion 2.8). Using the Write enforcing property, we can conclude that wout =

Update(PPAcc, wi, symw,i+1, posi, aux) =⇒ wout = wi+1 or wout = Reject. In either case, we get that the functionality of P0 and P1 is identical, therefore implying that their obfuscations are indistinguishable.

Claim 2.53. Assuming Acc satisﬁes indistinguishability of Write Setup (Def-

5 6 inition 2.6), for any PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. This step is a reversal of the step from H3 to H4; its proof is identical to that of Claim 2.51.

Claim 2.54. Assuming Itr satisﬁes indistinguishability of Setup (Deﬁnition

6 7 2.3), for any PPT adversary A, |advA − advA| ≤ negl(λ).

6 7 Proof. Suppose there exists an adversary A such that |advA − advA| is non- negligible. We will construct an algorithm B that breaks the Setup indistinguishability of Itr (Deﬁnition 2.3). B computes the ﬁrst i + 1 tuples to be

‘iterated’ upon. Let stj, wj and posj be the state, accumulated value and po-

th sition after j step (as described in hybrid H7). B sets enf = ((st0, w0, pos0),

...,(sti, wi, posi)) and sends it to the Itr challenger. It receives PPItr, v0 from the challenger. The remaining computation is identical in both hybrids. Fi- nally, it sends the encoding to A and using A’s response, it computes the

126 6 7 output to challenger. Since |advA − advA| is non-negligible, B’s advantage is also non-negligible.

Claim 2.55. Assuming Itr is enforcing (Deﬁnition 2.4) and iO is a secure

7 8 indistinguishability obfuscator, for any PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. In order to prove this claim, we need to argue that P5 = P5{i, KA,KB, mi, mi+1} and P8 = P8{i, KA,KB, mi+1} are computationally indistinguishable. If we can show that P5 and P8 are functionally identical, then using iO security, we can argue that their obfuscations are computationally indistinguishable. Note that the only diﬀerence between P5 and P8 is in Step

3d: P5 checks if (min = mi) and (mout = mi+1), while P8 only checks if

(mout = mi+1). Therefore, we need to show that mout = mi+1 =⇒ min = mi. This follows directly from the enforcing property of Itr (recall in both hybrids,

PPItr, v0 are computed using Setup-Itr-Enforce). Since vout = vi+1, it implies vin = vi and (stin, win, posin) = (sti, wi, posi). This concludes our proof.

Claim 2.56. Assuming Itr satisﬁes indistinguishability of Setup (Deﬁnition

8 9 2.3), for any PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. This is a reversal of the step from H7 to H8, and its proof is similar to that of Claim 2.54.

127 2.5.6 Proof of Lemma 2.14

We will now describe a sequence of hybrids, where the ﬁrst hybrid

0 ∗ ∗ corresponds to Prog -2-t − 1{M,T , t , PPAcc, PPItr, msgb, KA, KB, mt∗−1}

∗ and the last hybrid corresponds to Prog-3{M,T , t , PPAcc, PPItr, msgb, KA,

KB}.

Hybrid H1 In this hybrid, the challenger computes the parameters for the accumulator using read-enforced setup at position post∗−1. It ﬁrst computes

∗ the ﬁrst t −1 ‘correct inputs’ to be accumulated. Initially, the state is st0 = q0.

Let tape be a T dimensional vector, the ﬁrst `inp entries of tape correspond to the input inp. The remaining are ‘ ’. Let sym0 = tape[0] and pos0 = 0. For j = 1 to t∗ − 1

1. Let (stj, symw,j, β) = δ(stj−1, symj−1).

2. Set tape[posj−1] = symw,j, posj = posj−1 + β, symj = tape[posj].

Let enf = ((inp[0], 0), ...,(inp[`inp − 1], `inp − 1), (symw,1, pos0), ...,

λ (symw,t∗−1, post∗−2)) and let (PPAcc, we0, store^ 0) ← Setup-Acc-EnfR(1 ,T, enf, post∗−1). 0 The remaining hybrid proceeds as Hyb2,t∗−1.

Hybrid H2 In this hybrid, the challenger outputs an obfuscation of W2 =

∗ Prog-3{M,T , t , PPAcc, PPItr, msgb, KA, KB}.

Hybrid H3 In this program, the challenger uses Setup-Acc for Acc instead of using Setup-Acc-EnfR. Note that this corresponds to Hyb3.

128 2.5.6.1 Analysis

i Let advA denote the advantage of an adversary A in hybrid Hi.

Claim 2.57. Assuming Acc satisﬁes indistinguishability of Read Setup (Deﬁ-

0 1 nition 2.5), for any PPT adversary A, advA − advA ≤ negl(λ).

Proof. This proof is identical to the proof of Claim 2.41; it follows from Read Setup indistinguishability (Deﬁnition 2.5) of Acc.

Claim 2.58. Assuming iO is a secure indistinguishability obfuscator, for any

1 2 PPT adversary A, advA − advA ≤ negl(λ).

0 ∗ Proof. To prove this claim, we need to argue that W1 = Prog -2-t − 1{M,T ,

∗ ∗ t , PPAcc, PPItr, msgb, KA, KB, mt∗−1} and W2 = Prog-3{M,T , t , PPAcc,

PPItr, msgb, KA, KB} have identical functionality. The only possible reason for diﬀering functionality is that W1 could output ‘A’ type signature when min = mt∗−1, while W2 could output ‘B’ type signature. The critical observation here is that since min = mt∗−1, both programs output ⊥. Since min = mt∗−1, win = wt∗−1, posin = post∗−1 and stin = stt∗−1. If we can show that symin = symt∗−1, then it follows that stout = stt∗ = qrej.

Since setup is read enforced at post∗−1, there are two possibilities:

1. VerifyR(PPAcc, wt∗−1, symin, post∗−1, π) = 0, in which case both programs output ⊥.

2. VerifyR(PPAcc, wt∗−1, symin, post∗−1, π) = 1, in which case, symin = symt∗−1.

This implies stout = qrej, and therefore, both programs output ⊥.

129 Hence, both programs have identical functionality. As a result, by the security of iO, their obfuscations are computationally indistinguishable.

Claim 2.59. Assuming Acc satisﬁes indistinguishability of Read Setup (Deﬁ-

2 3 nition 2.5), for any PPT adversary A, advA − advA ≤ negl(λ).

Proof. This step is a reversal of the step from H0 to H1; the proof is identical to the proof of Claim 2.41.

2.5.7 Proof of Lemma 2.15

˜ ∗ We will deﬁne t = T − t + 1 hybrids H0,...,Ht˜, and show that they are computationally indistinguishable.

Hi In this hybrid, the challenger outputs an obfuscation of Prog-3-i{i, msgb,

KA, KB, mt∗−1} (deﬁned in Figure 2.34).

Clearly, programs Prog-3 and Prog-3-t∗ are functionally identical, and therefore Hyb3 and Ht∗ are computationally indistinguishable. In order to show that Hi and Hi+1 are computationally indistinguishable, we will deﬁne intermediate hybrid experiments Hi,a,...,Hi, such that Hi,a corresponds to Hi and Hi,f corresponds to Hi+1.

Hi,a This corresponds to Hi.

130 Prog-3-i

Constants: i, Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound ∗ T , halt-time t , message msg, Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys KA,KB ∈ K, mt∗−1.

1. Veriﬁcations

(c) Let α =‘A’ and min = (vin, stin, win, posin). If t∗ < t ≤ i output ⊥. If Verify-Spl(VKA, min, σin) = 0 output ⊥. 2. Computing next state and symbol: Same as before. 3. Update accumulator, iterator and compute new signature

(d) Let mout = (vout, stout, wout, posout). ∗ 0 If t = t , σout = Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout).

4. Output posout, symout, stout, wout, vout, σout. Figure 2.34: Prog-3-i

Hi,b In this hybrid, the challenger ﬁrst punctures the PRF key KA at input i; that is, KA{i} ← F.puncture(KA, i). Next, it computes rC = F (KA, i),

λ (skC , VKC , VKC,rej) = Setup-Spl(1 ; rC ) and ﬁnally, outputs an obfuscation of

Pi,b = Prog-3-i-b{i, msgb, KA, KB{i}, mt∗−1, VKC } (deﬁned in Figure 2.35). It has veriﬁcation key VKC hardwired.

λ Hi,c In this hybrid, the challenger chooses (skC , VKC , VKC,rej) ← Setup-Spl(1 ) using true randomness instead of pseudorandom string. It then hardwires VKC

131 Prog-3-i-b

1. Veriﬁcations

(b) If t 6= i + 1, let rA = F.eval(KA{i}, t − 1), rB = F (KB, t − 1). λ Compute (skA, VKA, VKA,rej) = Setup-Spl(1 ; rA). Else let VKA = VK. (c) Let α =‘A’ and min = (vin, stin, win, posin). If t∗ < t ≤ i output ⊥. If Verify-Spl(VKA, min, σin) = 0 output ⊥. 2. Computing next state and symbol: Same as before. 3. Update accumulator, iterator and compute new signature: Same as before. 4. Output posout, symout, stout, wout, vout, σout. Figure 2.35: Prog-3-i-b in Prog-3-i-b.

λ Hi,d In this hybrid, the challenger chooses (skC , VKC , VKC,rej) ← Setup-Spl(1 ) as before, but instead of hardwiring VKC , it hardwires VKC,rej in Prog-3-i-b; that is, it outputs an obfuscation of Prog-3-i-b{i, msgb, KA, KB{i}, mt∗−1,

VKC,rej}.

Hi,e In this hybrid, the challenger chooses (skC , VKC , VKC,rej) using F (K, i).

λ It computes rC = F (K, i), (skC , VKC , VKC,rej) = Setup-Spl(1 ; rC ), iO(Prog-3-i-b{i,

132 msgb, KA, KB{i}, mt∗−1, VKC,rej}).

Hi,f This hybrid corresponds to Hi+1.

2.5.7.1 Analysis

We will ﬁrst show that Hi and Hi+1 are computationally indistinguish-

i able. Let advA denote the advantage of adversary A in H0.

Claim 2.60. Assuming iO is a secure indistinguishability obfuscator, for any

i,a i,b PPT adversary A, advA − advA ≤ negl(λ).

Proof. The only difference between Hi,a and Hi,b is that Hi,a outputs an obfuscation of Prog-3-i, while Hi,b outputs an obfuscation of Prog-3-i-b. Prog-3-i uses puncturable PRF key KA, while Prog-3-i-b uses punctured key KA{i} punctured at i. Prog-3-i-b also has verification key VKC hardwired, which is computed using F (KA, i). For t 6= i + 1, both programs have identical functionality (this follows from the correctness of puncturable PRFs). For t = i+1, the verification part is identical, since VKC hardwired is computed correctly. Also, note that the corresponding secret key is not required at t = i (for t = i, both programs do not output an ‘A’ type signature). As a result, the programs have identical functionality. Therefore, this claim follows from the security of iO.

Claim 2.61. Assuming F is a selectively secure puncturable PRF, for any

i,b i,c PPT adversary A, advA − advA ≤ negl(λ).

133 Proof. The proof of this claim follows from the security of puncturable PRFs.

Claim 2.62. Assuming S satisﬁes VKrej indistinguishability, for any PPT ad-

i,c i,d versary A, advA − advA ≤ negl(λ).

Proof. Note that the secret key skC is not used in both the hybrids. As a result,

i,c i,d if there exists a PPT adversary A such that advA −advA is non-negligible, then there exists a PPT algorithm that breaks the VKrej indistinguishability of S. B receives a verification key VK from the challenger, which is either a normal verification key or a reject-verification key. It hardwires VK in Prog-3-i-b. The remaining steps are identical in both hybrids. Based on A’s guess, B guesses whether VK is a normal verification key or if it always rejects. Since

i,c i,d advA − advA is non-negligible, B’s advantage is also non-negligible.

Claim 2.63. Assuming F is a selectively secure puncturable PRF, for any

i,d i,e PPT adversary A, advA − advA ≤ negl(λ).

Proof. This step is the reverse of the step from Hi,b to Hi,c; the proof follows from the security of puncturable PRFs.

Claim 2.64. Assuming iO is a secure indistinguishability obfuscator, for any

i,e i,f PPT adversary A, advA − advA ≤ negl(λ).

Proof. The only diﬀerences between the programs Prog-3-i-b and Prog-3-i + 1 are:

134 1. Prog-3-i-b uses a punctured PRF key KA{i}, and has the reject-veriﬁcation

key computed using F (KA, i). As a result, it outputs ⊥ for all inputs corresponding to t = i + 1. Prog-3-i + 1, on the other hand, uses a punc-

turable PRF key KA, and for inputs corresponding to t = i + 1, directly outputs ⊥.

Using the correctness of puncturable PRFs, and the fact that VKrej always outputs ⊥, we get that the two programs are functionally identical, and therefore,

Hi,e and Hi,f are computationally indistinguishable.

2.6 Machine Hiding Encodings

In this section, we will describe machine hiding encodings. Let M be a Turing machine, x an input to the Turing machine, and T the time bound.

T As before, let ΠM (x) be a function runs M on input x for at most T steps, and if M does not halt in T steps, it outputs 0. A machine hiding encoding scheme McHE consists of algorithms Mc.enc and Mc.dec described below.

Mc.enc(1λ, M, T, x) The encoding algorithm is a randomized algorithm that takes as input the security parameter λ (in unary), the description of a Turing machine M, time bound T (in binary) and an input x. It outputs an encoding Enc.

Mc.dec(1λ, M, T, x, Enc) The decoding algorithm takes as input the security parameter λ (in unary), the description of Turing machine M, time bound T (in binary), input x and an encoding Enc. It outputs 0/1.

135 Correctness Fix any security parameter λ, Turing machine M, input x and time bound T . Then, the following holds:

λ λ T Mc.dec(1 , M, x, Mc.enc(1 , M, T, x)) = ΠM (x).

Eﬃciency We require that Mc.enc outputs the encoding in time poly(λ, |M|, |x|, lg T ) (which implies the size of encoding is poly(λ, |M|, |x|, lg T )), while Mc.dec runs in time poly(λ, |M|, |x|, t∗), where t∗ is the running time of M on input x.

Security We consider the following indistinguishability based security notion. Let M0,M1 be any Turing machines, T a time bound and x an input to the Turing machines. M0 and M1 are said to be conforming on input x if

∗ M0(x) = M1(x) and both halt in t < T steps.

Deﬁnition 2.14. A machine hiding encoding scheme McHE is said to be secure if for all PPT adversaries A, for all security parameters λ, machines M0,M1 with equally-sized descriptions, time bounds T and inputs x such that M0 and

M1 are conforming on input x,

λ | Pr[A(Mc.enc(1 ,Mb, T, x)) = b] − 1/2| ≤ negl(λ).

Here, when we say that M0 and M1 are “conforming” on x, we mean

∗ that M0(x) = M1(x), and both halt at the same time t .

Remark 2.6.1. For our construction, we will assume the encoding function also receives as input the tape movement function for machine M on input x, and

136 that M0 and M1 have identical tape movement functions on input x; that is

tmfM0,x and tmfM1,x are identical functions. We can make this assumption without loss of generality because both M0 and M1 can be compiled into oblivious Turing machines OTM0 and OTM1 such that they have identical tape movement functionality. The overhead associated with converting them into oblivious Turing machines is only polylog(T ) [474].

2.6.1 Construction

In this section, we will construct a machine hiding encoding scheme McHE = (Mc.enc, Mc.dec). This construction is similar to the message hiding encoding scheme construction described in Section 2.5.1. As mentioned in Remark 2.6.1, we will assume the encoding function is also given the tape movement function tmfM (·).

Let PKE = (Setup-PKE, Enc-PKE, Dec-PKE) be a public key encryption scheme. We will assume Setup-PKE uses `1 = `1(λ) bits of randomness, and Enc-PKE uses `2 = `2(λ) bits of randomness, where `1 and `2 are polynomials and let `rnd = `1 + 2`2. We will let `3 denote the bit length of ciphertexts produced by Enc-PKE. Let iO be a secure indistinguishability obfuscator, Acc =(Setup-Acc, Setup-Acc-EnfR, Setup-Acc-EnfW, PrepR, PrepW, VerifyR, WriteS, Update) a positional accumulator scheme with message

`3+lg T space {0, 1} and producing accumulator values of bit length `Acc, Itr =

(Setup-Itr, Setup-Itr-Enforce, Iterate) an iterator for message space {0, 1}`3+`Acc+lg T with iterated value of size `Itr bits and S = (Setup-Spl, Sign-Spl, Verify-Spl, Split,

137 Sign-Spl-abo) a splittable signature scheme with message space {0, 1}`Itr+`3+`Acc+lg T .

For simplicity of notation, we will assume Setup-Spl uses `rnd(λ) bits of randomness. Let F a puncturable PRF with key space K, punctured key space

`rnd(λ) Kp, domain [T ], range {0, 1} and algorithms F.setup, F.puncture, F.eval. The algorithms Mc.enc and Mc.dec are deﬁned as follows.

• Mc.enc(1λ, M, T, x, tmf) The encoding algorithm ﬁrst chooses puncturable

λ λ PRF keys KE ← F.setup(1 ), KA ← F.setup(1 ). KE will be used for

computing an encryption of the symbol and state, and KA to compute

the secret key/veriﬁcation key for signature scheme. Let (r0,1, r0,2, r0,3) =

λ F (KE, 0), (pk, sk) = Setup-PKE(1 ; r0,1).

λ It computes (PPAcc, we0, store] 0) ← Setup-Acc(1 ,T ). Let `inp = |x|. It en-

crypts each bit of x separately; that is, it computes cti = Enc-PKE(pk, xi)

for 1 ≤ i ≤ `inp. These ciphertexts are ‘accumulated’ using the accumula-

tor. It computes store] j = WriteS(PPAcc, store] j−1, j − 1, (ctj, 0)), auxj =

PrepW(PPAcc, store] j−1, j −1), wej = Update(PPAcc, wej−1, inpj, j −1, auxj) for 1 ≤ j ≤ ` . Finally, it sets w = w and s = store . inp 0 e`inp 0 ] `inp

λ Next, it computes (PPItr, v0) ← Setup-Itr(1 ,T ), Finally, it computes an

obfuscation P ← iO(Prog{M, T , PPAcc, PPItr, KE, KA}) where Prog is deﬁned in Figure 2.36.

It computes ctst ← Enc-PKE(pk, q0). Let rA = F (KA, 0), (sk0, VK0) =

λ Setup-Spl(1 ; rA) and σ0 = Sign-Spl(skA, (v0, ctst, w0, 0)). It outputs Enc =

(P, w0, v0, σ0, store0).

138 Program Prog

Input: Time t ∈ [T ], encrypted symbol and last-write time (ctsym,in, lw), ` encrypted state ctst,in, accumulator value win ∈ {0, 1} Acc , Iterator value vin, signature σin, accumulator proof π, auxiliary value aux.

1. Let posin = tmf(t − 1) and posout = tmf(t). 2. Veriﬁcations

(a) If VerifyR(PPAcc, win, (ctsym,in, lw), posin, π) = 0 or lw ≥ t, output ⊥. (b) Let F (KA, t − 1) = rS,A. Compute (skA, VKA, VKA,rej) = λ Setup-Spl(1 ; rS,A). (c) Let min = (vin, ctst,in, win, posin). If Verify-Spl(VKA, min, σin) = 0 output ⊥. 3. Computing next state and symbol

(a) Let (rlw,1, rlw,2, rlw,3) = F (KE, lw), (pklw, sklw) = λ Setup-PKE(1 ; rlw,1), sym = Dec-PKE(sklw, ctsym,in). (b) Let (rt−1,1, rt−1,2, rt−1,3) = F (KE, t − 1), (pkst, skst) = λ Setup-PKE(1 , rt−1,1), st = Dec-PKE(skst, ctst,in). (c) Let (st0, sym0, β) = δ(st, sym). (d) If stout = qrej output 0. (e) If stout = qacc output 1. 0 0 (f) Compute (rt,1, rt,2, rt,3) = F (KE, t), (pk , sk ) = λ 0 0 0 Setup-PKE(1 ; rt,1), ctsym,out = Enc-PKE(pk , sym ; rt,2) and 0 0 ctst,out = Enc-PKE(pk , st ; rt,3). 4. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)). 0 0 0 0 (c) Let F (KA, t) = rS,A. Compute (skA, VKA, VKA,rej) ← λ 0 Setup-Spl(1 ; rS,A). (d) Let mout = (vout, ctst,out, wout, posout) and σout = 0 Sign-Spl(skA, mout).

5. Output posin, ctsym,out, ctct,out, wout, vout, σout.

Figure 2.36: Program Prog

139 • Mc.dec(Enc) The decoding algorithm receives as input Enc = ((P , ctst,0,

w0, v0, σ0, store0)). Let pos0 = 0. For i = 1 to T ,

1. Let ((ctsym,lw, lw), π) = PrepR(PPAcc, storei−1, posi−1).

2. Let aux = PrepW(PPAcc, storei−1, posi−1).

3. Compute (posi,(ctsym,i, lw), ctst,i, wi, vi, σi) = P (t,(ctsym,lw, lw), ctst,i−1,

wi−1, vi−1, σi−1, aux, π). If P has output 0, 1, or ⊥, then output the same.

4. Otherwise, compute storei = WriteS(PPAcc, storei−1, posi, (ctsym,i, i)).

2.6.2 Proof of Security

Theorem 2.2. Assuming PKE is IND-CPA secure, iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, Itr is an iterator satisfying Definitions 2.3 and 2.4, Acc is an accumulator satisfying Definitions 2.5, 2.6, 2.7 and 2.8, S is a splittable signature scheme satisfying security Definitions 2.9, 2.10, 2.11 and 2.12, McHE is a secure machine hiding encoding scheme (Definition 2.14).

Proof. Consider any Turing machines M0 and M1, input x and time bound T such that M0 and M1 are conforming on input x. Let tmf(·) be the tape move-

∗ ment function corresponding to M0 and M1, and let t < T be the instance at which the machines halt on input x. For the proof, we wil deﬁne a sequence of

‘outer’ hybrid experiments Hyb0,..., Hyb, and then show that any two outer hybrids are computationally indistinguishable.

140 Hyb0 This hybrid corresponds to the real security game. The challenger

λ chooses b ← {0, 1} and honestly computes Enc ← Mc.enc(1 ,Mb, T, x, tmf(·)). It sends Enc to A and A sends its guess b0.

∗ ∗ Hyb1 In this hybrid, the challenger outputs an obfuscation of Prog-1{t ,KA,KE, b } (deﬁned in Figure 2.37) as part of the encoding. This program is similar to Prog, however, for input t > t∗, it outputs ⊥. At t = t∗, it outputs b∗, which is hardwired by the challenger to be Mb(x).

0 Next, we deﬁne a sequence of hybrids Hyb2,i and Hyb2,i, where 1 ≤ i ≤

∗ t . Let erase be a symbol not present in Σtape.

∗ Hyb2,i In this hybrid, the challenger outputs an obfuscation of Prog-2-i{i, t ,

∗ ∗ KE, KA, F b } as part of the encoding. Prog-2-i also rejects on input t > t , and outputs b∗ on t∗ if the signature is the correct one. For t < i, its input output behavior is similar to that of Prog. However, for i ≤ t < t∗, on receiving a valid signature, it simply outputs encryptions of erase as the encryption of the state and symbol. It accumulates and iterates accordingly.

0 Hyb2,i In this hybrid, the challenger chooses b ∈ {0, 1}, runs Mb for i−1 steps and computes the state st∗ and symbol sym∗ written at (i − 1)th step. Next, it

λ computes (ri−1,1, ri−1,2, ri−1,3) = F (KE, i − 1), (pk, sk) = Setup-PKE(1 ; ri−1,1),

141 Prog-1

Constants: Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound T , ∗ halt-time t ≤ T , message msg, Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys KE,KA ∈ K, output b∗.

∗ 1. If t > t , output ⊥. Else let posin = tmf(t − 1) and posout = tmf(t). 3. Computing next state and symbol (a) If t = t∗, output b∗. (b) Let (rlw,1, rlw,2, rlw,3) = F (KE, lw), (pklw, sklw) = λ Setup-PKE(1 ; rlw,1), sym = Dec-PKE(sklw, ctsym,in). (c) Let (rt−1,1, rt−1,2, rt−1,3) = F (KE, t − 1), (pkst, skst) = λ Setup-PKE(1 , rt−1,1), st = Dec-PKE(skst, ctst,in). (d) Let (st0, sym0, β) = δ(st, sym). (e) If stout = qrej output 0. (f) If stout = qacc output 1. 0 0 (g) Compute (rt,1, rt,2, rt,3) = F (KE, t), (pk , sk ) = λ 0 0 0 Setup-PKE(1 ; rt,1), ctsym,out = Enc-PKE(pk , sym ; rt,2) and 0 0 ctst,out = Enc-PKE(pk , st ; rt,3).

Figure 2.37: Prog-1

∗ ∗ ct1 = Enc-PKE(pk, sym ; ri−1,2) and ct2 = Enc-PKE(pk, st ; ri−1,3). It then

0 ∗ ∗ computes the obfuscation of Wi,b = Prog -2-i{i, t ,KE,KA, ct1, ct2, b }, which has the ciphertexts ct1 and ct2 hardwired. On input corresponding to step i − 1, Wi,b checks if the signature is valid, and if so, it outputs ct1 and ct2 without decrypting.

142 Prog-2-i

3. Computing next state and symbol (a) If t = t∗, output b∗. (b) If i ≤ t < t∗ 0 0 i. Compute (rt,1, rt,2, rt,3) = F (KE, t), (pk , sk ) = λ 0 Setup-PKE(1 ; rt,1). 0 ctsym,out = Enc-PKE(pk , erase; rt,2) and ctst,out = 0 Enc-PKE(pk , erase; rt,3).

(c) Else let (rlw,1, rlw,2, rlw,3) = F (KE, lw), (pklw, sklw) = λ Setup-PKE(1 ; rlw,1), sym = Dec-PKE(sklw, ctsym,in). (d) Let (rt−1,1, rt−1,2, rt−1,3) = F (KE, t − 1), (pkst, skst) = λ Setup-PKE(1 , rt−1,1), st = Dec-PKE(skst, ctst,in). (e) Let (st0, sym0, β) = δ(st, sym). (f) If stout = qrej output 0. (g) If stout = qacc output 1. 0 0 (h) Compute (rt,1, rt,2, rt,3) = F (KE, t), (pk , sk ) = λ 0 0 0 Setup-PKE(1 ; rt,1), ctsym,out = Enc-PKE(pk , sym ; rt,2) and 0 0 ctst,out = Enc-PKE(pk , st ; rt,3).

Figure 2.38: Prog-2-i

x Analysis Let advA denote the advantage of adversary A in hybrid Hybx, and 0x 0 advA the advantage of A in Hybx.

Lemma 2.16. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, Itr is an iterator satisfying Deﬁnitions 2.3 and 2.4, Acc is an accumulator satisfying Deﬁnitions 2.5, 2.6, 2.7 and 2.8, S

143 Prog0-2-i

Constants: i, Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound ∗ T , halt-time t ≤ T , Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys KE,Kst ∈ K, output ∗ b , ciphertexts ct1, ct2. Input: Time t ∈ [T ], encrypted symbol and last-write time (ctsym,in, lw), ` encrypted state ctst,in ∈ Q, accumulator value win ∈ {0, 1} Acc , Iterator value vin, signature σin, accumulator proof π, auxiliary value aux.

3. Computing next state and symbol (a) If t = t∗, output b∗. (b) If i ≤ t < t∗ 0 0 i. Compute (rt,1, rt,2, rt,3) = F (KE, t), (pk , sk ) = λ 0 0 Setup-PKE(1 ; rt,1), ctsym,out = Enc-PKE(pk , erase; rt,2) 0 and ctst,out = Enc-PKE(pk , erase; rt,3). (c) Else if t = i − 1,

i. Set ctsym,out = ct1 and ctst,out = ct2.

Figure 2.39: Prog0-2-i is a splittable signature scheme satisfying security Deﬁnitions 2.9, 2.10, 2.11

0 1 and 2.12, for any PPT adversary A, advA − advA ≤ negl(λ).

The proof of this lemma is contained in Section 2.6.3.

Claim 2.65. Assuming iO is a secure indistinguishability obfuscator, for any

1 2,t∗ adversary A, advA − advA ≤ negl(λ).

Proof. We note that the programs Prog-1 and Prog-2-t∗ are functionally identical.

Lemma 2.17. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, Itr is an iterator satisfying Deﬁnitions 2.3

144 and 2.4, Acc is an accumulator satisfying Deﬁnitions 2.5, 2.6, 2.7 and 2.8, S is a splittable signature scheme satisfying security Deﬁnitions 2.9, 2.10, 2.11

2,i 02,i and 2.12, for any PPT adversary A, advA − advA ≤ negl(λ).

The proof of this lemma is contained in Section 2.6.4.

Lemma 2.18. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, PKE is IND-CPA secure, for any adversary

02,i 2,i−1 A, advA − advA ≤ negl(λ).

The proof of this lemma is contained in Section 2.6.5.

2,1 To conclude, we note that advA = 0, as the diﬀerences between M0 and M1 have all been “erased.”

2.6.3 Proof Outline for Lemma 2.16

0 Proof Outline We will ﬁrst deﬁne hybrid experiments Hint,Hint and Habort.

Hybrid Hint In this hybrid, the challenger ﬁrst computes the correct mes-

∗ sage mt∗−1 output at time t − 1. Next, it outputs an obfuscation of Pint =

∗ Pint{t ,KE,KA,KB, mt∗−1} (deﬁned in Figure 2.40) which has mt∗−1 hardwired. It accepts only ‘A’ type signatures. However, at t = t∗ − 1, it checks if

145 Program Pint

Constants: Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound ∗ T , halt-time t ∈ [T ], Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys KE,KA,KB ∈ K, message mt∗−1.

4. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)). 0 0 (c) Let rS,A = F (KA, t), rS,B = F (KB, t). Com- 0 0 0 λ 0 pute (skA, VKA, VKA,rej) ← Setup-Spl(1 ; rS,A), 0 0 0 λ 0 (skB, VKB, VKB,rej) ← Setup-Spl(1 ; rS,B). (d) Let mout = (vout, ctst,out, wout, posout). ∗ 0 If t = t − 1 and mout = mt∗−1, σout = Sign-Spl(skA, mout). ∗ 0 Else if t = t −1 and mout 6= mt∗−1, σout = Sign-Spl(skB, mout). 0 Else, σout = Sign-Spl(skA, mout).

5. Output posin, ctsym,out, ctct,out, wout, vout, σout.

Figure 2.40: Program Pint the outgoing message is mt∗−1. If so, it outputs an ‘A’ type signature, else it outputs a ‘B’ type signature.

0 Hybrid Hint This hybrid is similar to Hint, except that the challenger also

∗ 0 0 ∗ computes b = Mb(x) and outputs an obfuscation of Pint = Pint{t ,KE,KA,KB,

∗ mt∗−1, b } (deﬁned in Figure 2.41). This program is identical to Pint, except for inputs corresponding to t = t∗. At t = t∗, the program veriﬁes the validity of signature, and then outputs b∗ (which it has hardwired). It does not decrypt

146 the ciphertexts.

0 Program Pint

3. Computing next state and symbol (a) If t = t∗ output b∗.

0 Figure 2.41: Program Pint

∗ Hybrid Habort In this hybrid, the challenger outputs an obfuscation of Pabort{t ,

∗ 0 KA, KE, b } (deﬁned in Figure 2.42). This program is similar to Pint, except that it does not output ‘B’ type signatures.

int 0int abort Let advA , advA , advA be the advantages of an adversary A in Hint,

0 0 1 Hint and Habort respectively. Recall advA and advA denote A’s advantage in

Hyb0 and Hyb1 respectively.

Lemma 2.19. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, Itr is an iterator satisfying Definitions 2.3 and 2.4, Acc is an accumulator satisfying Definitions 2.5, 2.6, 2.7 and 2.8, S is a splittable signature scheme satisfying security Definitions 2.9, 2.10, 2.11

0 int and 2.12, |advA − advA | ≤ negl(λ).

147 Program Pabort

Constants: Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound ∗ T , halt-time t ∈ [T ], Public parameters for accumulator PPAcc, Public ∗ parameters for Iterator PPItr, Puncturable PRF keys KE,KA ∈ K, bit b .

3. Computing next state and symbol (a) If t = t∗ output b∗. 4. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)). 0 0 0 0 (c) Let rS,A = F (KA, t). Compute (skA, VKA, VKA,rej) ← λ 0 Setup-Spl(1 ; rS,A). (d) Let mout = (vout, ctst,out, wout, posout). 0 σout = Sign-Spl(skA, mout).

Figure 2.42: Program Pabort

Proof. The proof of this lemma is very similar to the proof of Theorem 2.1. Therefore, in this section, we will give outline of the proof, consisting of the outer hybrids, and refer to proof of Theorem 2.1. We will ﬁrst deﬁne interme-

0 ∗ diate hybrids H0,H1 and H2,j,H2,j for 0 ≤ j < t .

∗ Hybrid H0 The challenger outputs P0 = Prog{t , KE, KA}.

∗ Hybrid H1 The challenger outputs P1 = P1{t , KE, KA,KB} (deﬁned in Figure 2.43). This is similar to Prog-1 deﬁned in Figure 2.18. This program

148 has PRF key KB hardwired and accepts both ‘A’ and ‘B’ type signatures for t < t∗. If the incoming signature is of type α, then so is the outgoing signature.

2. Veriﬁcations

(a) If VerifyR(PPAcc, win, (ctsym,in, lw), posin, π) = 0 or lw ≥ t output ⊥. (b) Let F (KA, t − 1) = rS,A. Compute (skA, VKA, VKA,rej) = λ Setup-Spl(1 ; rS,A). 0 0 0 0 (c) Let F (KA, t) = rS,A. Compute (skA, VKA, VKA,rej) ← λ 0 Setup-Spl(1 ; rS,A). (d) Let F (KB, t − 1) = rS,B. Compute (skB, VKB, VKB,rej) = λ Setup-Spl(1 ; rS,B). 0 0 0 0 (e) Let F (KB, t) = rS,B. Compute (skB, VKB, VKB,rej) ← λ 0 Setup-Spl(1 ; rS,B). (f) Let min = (vin, ctst,in, win, posin) and α =‘-’. If Verify-Spl(VKA, min, σin) = 1 set α =‘A’. If α =‘-’ and t ≥ t∗ output ⊥. If α = ‘-’ and Verify-Spl(VKB, min, σin) = 1 set α =‘B’. If α = ‘-’ output ⊥. 4. Update accumulator, iterator and compute new signature

Figure 2.43: P1

149 ∗ 0 ∗ Next, we deﬁne 2t intermediate circuits - P2,j,P2,j for 0 ≤ j ≤ t − 1. These programs are analogous to Prog-2-i and Prog0-2-i in the proof of Theorem 2.1.

Hybrid H2,j In this hybrid, the challenger outputs an obfuscation of P2,j =

∗ P2,j{j, t ,KE,KA,KB, mj}. This circuit, deﬁned in Figure 2.44, accepts ‘B’ type signatures only for inputs corresponding to j + 1 ≤ t ≤ t∗ − 1. It also has the correct output message for step j - mj hardwired. If an input has j + 1 ≤ t ≤ t∗ − 1, then the output signature, if any, is of the same type as the incoming signature. If t = j, the program outputs an ‘A’ type signature if mout = mj, else it outputs a ‘B’ type signature.

0 0 Hybrid H2,j In this hybrid, the challenger outputs an obfuscation of P2,j =

0 ∗ P2,j{j, t ,KE,KA,KB, mj}. This circuit, deﬁned in Figure 2.45, accepts ‘B’ type signatures only for inputs corresponding to j + 2 ≤ t ≤ t∗ − 1. It also has the correct input message for step j + 1 - mj hardwired. If t = j + 1 and min = mj it outputs an ‘A’ type signature, else it outputs a ‘B’ type signature. If an input has j + 2 ≤ t ≤ t∗ − 1, then the output signature, if any, is of the same type as the incoming signature.

Analysis

Claim 2.66. Assuming iO is a secure indistinguishability obfuscator, F is

150 P2,j

Constants: j, Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound ∗ T , halt-time t ≤ T , Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys KE,KA,KB ∈ K, ∗ output b , message mj.

2. Veriﬁcations

(a) If VerifyR(PPAcc, win, (ctsym,in, lw), posin, π) = 0 or lw ≥ t output ⊥. (b) Let F (KA, t − 1) = rS,A. Compute (skA, VKA, VKA,rej) = λ Setup-Spl(1 ; rS,A). 0 0 0 0 (c) Let F (KA, t) = rS,A. Compute (skA, VKA, VKA,rej) ← λ 0 Setup-Spl(1 ; rS,A). (d) Let F (KB, t − 1) = rS,B. Compute (skB, VKB, VKB,rej) = λ Setup-Spl(1 ; rS,B). 0 0 0 0 (e) Let F (KB, t) = rS,B. Compute (skB, VKB, VKB,rej) ← λ 0 Setup-Spl(1 ; rS,B). (f) Let min = (vin, ctst,in, win, posin) and α =‘-’. If Verify-Spl(VKA, min, σin) = 1 set α =‘A’. If α =‘-’ and (t ≥ t∗ or t ≤ j) output ⊥. If α = ‘-’ and Verify-Spl(VKB, min, σin) = 1 set α =‘B’. If α = ‘-’ output ⊥. 4. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥.

(b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)).

(c) Let mout = (vout, ctst,out, wout, posout). 0 If t = j and mout = mj, σout = Sign-Spl(skA, mout). 0 Else if t = j and mout 6= mj, σout = Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout).

Figure 2.44: P2,j

151 0 P2,j

2. Veriﬁcations

(a) If VerifyR(PPAcc, win, (ctsym,in, lw), posin, π) = 0 or lw ≥ t output ⊥. (b) Let F (KA, t − 1) = rS,A. Compute (skA, VKA, VKA,rej) = λ Setup-Spl(1 ; rS,A). 0 0 0 0 (c) Let F (KA, t) = rS,A. Compute (skA, VKA, VKA,rej) ← λ 0 Setup-Spl(1 ; rS,A). (d) Let F (KB, t − 1) = rS,B. Compute (skB, VKB, VKB,rej) = λ Setup-Spl(1 ; rS,B). 0 0 0 0 (e) Let F (KB, t) = rS,B. Compute (skB, VKB, VKB,rej) ← λ 0 Setup-Spl(1 ; rS,B). (f) Let min = (vin, ctst,in, win, posin) and α =‘-’. If Verify-Spl(VKA, min, σin) = 1 set α =‘A’. If α =‘-’ and (t ≥ t∗ or t ≤ j + 1) output ⊥. If α = ‘-’ and Verify-Spl(VKB, min, σin) = 1 set α =‘B’. If α = ‘-’ output ⊥. 4. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)). (c) Let mout = (vout, ctst,out, wout, posout). 0 If t = j + 1 and min = mj, σout = Sign-Spl(skA, mout). 0 Else if t = j + 1 and min 6= mj, σout = Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout).

0 Figure 2.45: P2,j

152 a secure puncturable PRF and S is a splittable signature scheme satisfying

0 1 Deﬁnition 2.9, for any PPT adversary A, |advA − advA| ≤ negl(λ).

The proof of this claim is similar to the proof of Lemma 2.11.

Claim 2.67. Assuming iO is a secure indistinguishability obfuscator, for any

1 2 PPT adversary A, |advA − advA| ≤ negl(λ).

Note that P1 and P2,0 have identical functionality.

Claim 2.68. Let 0 ≤ j ≤ t∗ − 1. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF and S is a splittable signature scheme satisfying deﬁnitions 2.9, 2.10, 2.11 and 2.12, for any PPT

2,j 02,j adversary A, |advA − advA | ≤ negl(λ).

The proof of this claim is similar to the proof of Lemma 2.12.

Claim 2.69. Let 0 ≤ j ≤ t∗ − 2. Assuming iO is a secure indistinguishability obfuscator, Itr is an iterator satisfying indistinguishability of Setup (Defini- tion 2.3) and is enforcing (Definition 2.4), and Acc is an accumulator satisfying indistinguishability of Read/Write Setup (Definitions 2.5 and 2.6) and is Read/Write enforcing (Definitions 2.7 and 2.8), for any PPT adversary A,

02,j 2,j+1 |advA − advA | ≤ negl(λ). indistinguishable.

The proof of this claim is similar to the proof of Lemma 2.13.

Claim 2.70. Assuming iO is a secure indistinguishability obfuscator, for any

2,t∗−1 int PPT adversary A, |advA − advA | ≤ negl(λ).

153 Note that P2,t∗−1 and Pint are functionally identical circuits. This completes the proof of our lemma.

Lemma 2.20. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, Itr is an iterator satisfying Definitions 2.3 and 2.4, Acc is an accumulator satisfying Definitions 2.5, 2.6, 2.7 and 2.8, S is a splittable signature scheme satisfying security Definitions 2.9, 2.10, 2.11

int 0int and 2.12, |advA − advA | ≤ negl(λ).

Proof. To prove this lemma, we will deﬁne a sequence of hybrid experiments and show that they are computationally indistinguishable.

Hybrid H0 In this experiment, the challenger outputs an obfuscation of

∗ P0 = Pint{t , KE, KA, KB, mt∗−1}.

Hybrid H1 In this hybrid, the challenger ﬁrst computes the constants for program P1 as follows:

∗ ∗ 1. PRF keys KA and KB are punctured at t − 1 to obtain KA{t − 1} ←

∗ ∗ ∗ F.puncture(KA, t − 1) and KB{t − 1} ← F.puncture(KB, t − 1).

∗ λ 2. Let rc = F (KA, t − 1), (skC , VKC , VKC,rej) = Setup-Spl(1 ; rC ), rD =

∗ λ F (KB, t − 1), (skD, VKD, VKD,rej) = Setup-Spl(1 ; rD).

154 ∗ ∗ ∗ It then outputs an obfuscation of P1 = P1{t ,KE,KA{t − 1},KB{t −

1}, VKC , skC , skD, mt∗−1} (deﬁned in 2.46). P1 is identical to P0 on inputs corresponding to t 6= t∗ − 1, t∗. For t = t∗ − 1, it uses the hardwired signing keys. For t = t∗, it uses the hardwired veriﬁcation key.

Hybrid H2 In this hybrid, rC and rD are chosen uniformly at random; that

λ is, the challenger computes (skC , VKC ) ← Setup-Spl(1 ) and (skD, VKD) ← Setup-Spl(1λ).

Hybrid H3 In this hybrid, the challenger computes constrained secret/veriﬁcation keys. It computes (σC,(1) , VKC,(1) , skC,abo, VKC,abo) ← Split(skC , mt∗−1) and

(σD,(1) , VKD,(1) , skD,abo, VKD,abo) ← Split(skD, mt∗−1). It then outputs an obfus-

∗ ∗ ∗ cation of P3 = P3{i, t ,KE,KA{t −1},KB{t −1}, VKC,(1) , σC,(1) , skD,abo, mt∗−1}

(deﬁned in Figure 2.47). Note that skC , VKC , skD, VKD are not hardwired in this program.

Hybrid H4 In this hybrid, the challenger chooses PPAcc, w0, store0 using

Setup-Acc-EnfR. It then uses PPAcc, w0, store0, and proceeds as in previous

∗ ∗ experiment. It outputs an obfuscation of P3{i, t , PPAcc, KE, KA{t − 1},

∗ KB{t − 1}, VKC,(1) , σC,(1) , skD,abo, mt∗−1}

∗ Hybrid H5 In this hybrid, the challenger ﬁrst computes b = Mb(x).

155 P1

Constants: i, Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound T , halt-time t∗ ≤ T , Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys ∗ ∗ ∗ KE,KA{t − 1},KB{t − 1} ∈ K, output b , message mt∗−1, VKC , skC , skD.

2. Veriﬁcations

(a) If VerifyR(PPAcc, win, (ctsym,in, lw), posin, π) = 0 or lw ≥ t output ⊥. ∗ ∗ (b) If t 6= t , let rS,A = F.eval(KA{t − 1}, t − 1). Compute λ (skA, VKA, VKA,rej) = Setup-Spl(1 ; rS,A).

Else VKA = VKC . ∗ 0 ∗ (c) If t 6= t − 1, let rS,A = F.eval(KA{t − 1}, t). Compute 0 0 0 λ 0 (skA, VKA, VKA,rej) ← Setup-Spl(1 ; rS,A). ∗ 0 ∗ (d) If t 6= t − 1, rS,B = F.eval(KB{t − 1}, t). Compute 0 0 0 λ 0 (skB, VKB, VKB,rej) ← Setup-Spl(1 ; rS,B). 4. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)). (c) Let mout = (vout, ctst,out, wout, posout). ∗ (d) If t = t − 1 and mout = mt∗−1, σout = Sign-Spl(skC , mout). ∗ Else if t = t − 1 and mout 6= mt∗−1 σout = Sign-Spl(skD, mout). 0 Else σout = Sign-Spl(skA, mout).

Figure 2.46: P1

∗ ∗ It then outputs an obfuscation of P5 = P5{i, t , PPAcc, KE, KA{t −

∗ ∗ 1}, KB{t − 1}, VKC,(1) , σC,(1) , skD,abo, mt∗−1, b } (deﬁned in Figure 2.48).

∗ This program diﬀers from P3 for inputs corresponding to t = t . Instead of

156 P3

2. Veriﬁcations

(a) If VerifyR(PPAcc, win, (ctsym,in, lw), posin, π) = 0 or lw ≥ t output ⊥. ∗ ∗ (b) If t 6= t , let rS,A = F.eval(KA{t − 1}, t − 1). Compute λ (skA, VKA, VKA,rej) = Setup-Spl(1 ; rS,A). Else VKA = VKC,(1) . ∗ 0 ∗ (c) If t 6= t − 1, let rS,A = F.eval(KA{t − 1}, t). Compute 0 0 0 λ 0 (skA, VKA, VKA,rej) ← Setup-Spl(1 ; rS,A). ∗ 0 ∗ (d) If t 6= t − 1, rS,B = F.eval(KB{t − 1}, t). Compute 0 0 0 λ 0 (skB, VKB, VKB,rej) ← Setup-Spl(1 ; rS,B). (e) Let min = (vin, ctst,in, win, posin). If Verify-Spl(VKA, min, σin) = 0 output ⊥. 4. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥.

(b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)).

(c) Let mout = (vout, ctst,out, wout, posout). ∗ (d) If t = t − 1 and mout = mt∗−1, σout = σC,one. ∗ Else if t = t − 1 and mout 6= mt∗−1 σout = Sign-Spl-abo(skD,abo, mout). 0 Else σout = Sign-Spl(skA, mout).

Figure 2.47: P3

157 decrypting, computing the next state and then encrypting, the program uses the hardwired output b∗.

3. Computing next state and symbol (a) If t = t∗ output b∗. (b) Let (rlw,1, rlw,2, rlw,3) = F (KE, lw), (pklw, sklw) = λ Setup-PKE(1 ; rlw,1), sym = Dec-PKE(sklw, ctsym,in). (c) Let (rt−1,1, rt−1,2, rt−1,3) = F (KE, t − 1), (pkst, skst) = λ Setup-PKE(1 , rt−1,1), st = Dec-PKE(skst, ctst,in). (d) Let (st0, sym0, β) = δ(st, sym). (e) If stout = qrej output 0. (f) If stout = qacc output 1. 0 0 (g) Compute (rt,1, rt,2, rt,3) = F (KE, t), (pk , sk ) = λ 0 0 0 Setup-PKE(1 ; rt,1), ctsym,out = Enc-PKE(pk , sym ; rt,2) and 0 0 ctst,out = Enc-PKE(pk , st ; rt,3).

Figure 2.48: P5

Hybrid H6 In this experiment, the challenger uses normal setup for Acc (that is, Setup-Acc) instead of Setup-Acc-EnfR.

0 Hybrid H7 This hybrid is identical to Hint. In this experiment, the chal-

0 lenger outputs an obfuscation of Wint.

158 x Analysis Let advA denote the advantage of adversary A in hybrid Hx.

Claim 2.71. Assuming iO is a secure indistinguishability obfuscator, for any

0 1 PPT A, |advA − advA| ≤ negl(λ).

Proof. The only diﬀerence between P0 and P1 is that P0 uses puncturable PRF

∗ ∗ ∗ keys KA,KB, while P1 uses keys KA{t − 1},KB{t − 1} punctured at t − 1.

It also has the secret key/veriﬁcation key pair (skC , VKC ) hardwired, which

∗ is computed using F (KA, t − 1) and the secret key (skD) computed using

∗ F (KB, t − 1). From the correctness of puncturable PRFs, it follows that the two programs have identical functionality, and therefore their obfuscations are computationally indistinguishable.

Claim 2.72. Assuming F is a selectively secure puncturable PRF, for any

1 2 PPT A, |advA − advA| ≤ negl(λ).

Proof. The proof of this claim is similar to the proof of Claim 2.31; it follows from the selective security of puncturable PRF F .

Claim 2.73. Assuming iO is a secure indistinguishability obfuscator and S

2 satisﬁes VK(1) indistinguishability (Deﬁnition 2.10), for any PPT A, |advA − 3 advA| ≤ negl(λ).

Proof. In order to prove this claim, we consider an intermediate hybrid program in which only the constrained secret keys σC,(1) and skD,abo are hardwired, while VKC is hardwired as the veriﬁcation key. Using the security of iO, we can

159 argue that the intermediate step and H2 are computationally indistinguishable.

Next, we use VK(1) indistinguishability to show that the intermediate step and

H3 are computationally indistinguishable.

Claim 2.74. Assuming Acc satisﬁes indistinguishability of Read Setup (Deﬁ-

3 4 nition 2.5), for any PPT A, |advA − advA| ≤ negl(λ).

Proof. The proof of this claim follows from Read Setup indistinguishability (Deﬁnition 2.5); it is similar to the proof of 2.41.

Claim 2.75. Assuming iO is a secure indistinguishability obfuscator, for any

4 5 PPT A, |advA − advA| ≤ negl(λ).

Proof. This proof is similar to the proof of Claim 2.42. Note that since PPAcc is read enforced, and VKC,(1) accepts only signatures for mt∗−1. As a result, if min = mt∗−1 and PPAcc is read enforced, then stout = stt∗ , which implies that the output is b∗.

Claim 2.76. Assuming Acc satisﬁes indistinguishability of Read Setup (Deﬁ-

5 6 nition 2.5), for any PPT A, |advA − advA| ≤ negl(λ).

Proof. The proof of this claim follows from Read Setup indistinguishability (Deﬁnition 2.5); it is similar to the proof of 2.41.

Claim 2.77. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF and S satisﬁes VK(1) indistinguishability

6 7 (Deﬁnition 2.10), for any PPT A, |advA − advA| ≤ negl(λ).

160 This step is the reverse of the step from H0 to H3. Therefore, using similar intermediate hybrid experiments, a similar proof works here as well.

Lemma 2.21. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, Itr is an iterator satisfying Definitions 2.3 and 2.4, Acc is an accumulator satisfying Definitions 2.5, 2.6, 2.7 and 2.8, S is a splittable signature scheme satisfying security Definitions 2.9, 2.10, 2.11

0int abort and 2.12, |advA − advA | ≤ negl(λ).

The proof of this lemma is almost identical to the proof of Lemma 2.19.

Lemma 2.22. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure PRF and S satisﬁes VKrej indistinguishability (Deﬁnition

abort 1 2.9), for any PPT adversary A, |advA − advA| ≤ negl(λ).

∗ ∗ Proof. Note that at t = t , Pabort either outputs b or outputs ⊥. This allows

∗ us to use VKrej indistinguishability to output ⊥ for all t > t . More formally,

∗ ∗ we will deﬁne T − t + 1 hybrids Habort,i for t ≤ i ≤ T . In hybrid Habort,i,

∗ ∗ the challenger outputs an obfuscation of Pabort,i{t ,KE,KA,KB, b } (deﬁned in Figure 2.49) which aborts if the input corresponds to t > i.

Clearly, Pabort and Pabort,T −1 are functionally identical, and Prog-1 and

Pabort,t∗ are functionally identical. Therefore, all that remains to show is that

Habort,i and Habort,i−1 are computationally indistinguishable.

161 Program Pabort,i

1. If t > i, output ⊥. Let posin = tmf(t − 1) and posout = tmf(t).

Figure 2.49: Program Pabort,i

Claim 2.78. Assuming S satisﬁes VKrej indistinguishability (Deﬁnition 2.9), iO is a secure indistinguishability obfuscator and F is a selectively secure pseu-

abort,i abort,i−1 dorandom function, for any adversary A, |advA − advA | ≤ negl(λ).

The proof of this claim is similar to the proof of Lemma 2.15.

2.6.4 Proof of Lemma 2.17

Proof Outline As discussed in the intuition above, we will ﬁrst deﬁne the

∗ programs Wint = Prog-2-iint{i, t , KE, KA, KB, mi−2} (deﬁned in Figure

0 0 ∗ 2.50) and Wint = Prog -2-iint{i, t , KE, KA, KB, mi−2, ct1, ct2} (deﬁned in

th 2.51). Both the programs have the correct message for the (i−2) step - mi−2 hardwired, and also have a PRF key KB for ‘B’ type signatures. In addition,

0 Wint also has ciphertexts ct1 and ct2 hardwired. These are encryptions of the state and symbol output at (i − 1)th step, computed as described in hybrid

162 0 Hyb2,i.

Wint

2. Veriﬁcations

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥.

(b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)).

(c) Let mout = (vout, ctst,out, wout, posout). 0 If t = i − 2 and mout = mi−2, σout = Sign-Spl(skA, mout). 0 Else if t = i − 2 and mout = mi−2, σout = Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skA, mout).

Figure 2.50: Wint

163 0 Wint

i. Let (rlw,1, rlw,2, rlw,3) = F (KE, lw), (pklw, sklw) = λ Setup-PKE(1 ; rlw,1), sym = Dec-PKE(sklw, ctsym,in). ii. Let (rt−1,1, rt−1,2, rt−1,3) = F (KE, t − 1), (pkst, skst) = λ Setup-PKE(1 , rt−1,1), st = Dec-PKE(skst, ctst,in). iii. Let (st0, sym0, β) = δ(st, sym). iv. If stout = qrej output 0. v. If stout = qacc output 1. 0 0 vi. Compute (rt,1, rt,2, rt,3) = F (KE, t), (pk , sk ) = λ 0 0 0 Setup-PKE(1 ; rt,1), ctsym,out = Enc-PKE(pk , sym ; rt,2) 0 0 and ctst,out = Enc-PKE(pk , st ; rt,3).

0 Figure 2.51: Wint

Let Hint be a hybrid experiment in which the challenger outputs an obfuscation of Wint, along with other elements of the encoding. Similarly, let

0 0 Hint be the hybrid experiment in which the challenger outputs Wint. For any

164 2,i int 0int 02,i+1 PPT adversary A, let advA , advA , advA , advA denote the advantage of 0 0 A in Hyb2,i,Hint,Hint and Hyb2,i respectively.

Lemma 2.23. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, Itr is an iterator satisfying Definitions 2.3 and 2.4, Acc is an accumulator satisfying Definitions 2.5, 2.6, 2.7 and 2.8, S is a splittable signature scheme satisfying security Definitions 2.9, 2.10, 2.11

2,i int and 2.12, |advA − advA | ≤ negl(λ).

Proof. The proof of this lemma is along the same lines as the proof of Lemma 2.19. We will deﬁne similar hybrid experiments here.

∗ Hybrid H0 The challenger outputs P0 = Prog-2-i{i, t , KE, KA}.

∗ Hybrid H1 The challenger outputs P1 = P1{i, t , KE, KA,KB}. This is similar to Prog-1 deﬁned in Figure 2.18. This program has PRF key KB hardwired and accepts both ‘A’ and ‘B’ type signatures for t ≤ i − 2. If the incoming signature is of type α, then so is the outgoing signature. It is deﬁned in Figure 2.52.

0 Next, we deﬁne 2(i − 1) intermediate circuits - P2,j,P2,j for 0 ≤ j ≤ i − 2. These programs are analogous to Prog-2-i and Prog0-2-i in the proof of Theorem 2.1.

165 P1

2. Veriﬁcations

(a) If VerifyR(PPAcc, win, (ctsym,in, lw), posin, π) = 0 or lw ≥ t output ⊥. (b) Let F (KA, t − 1) = rS,A. Compute (skA, VKA, VKA,rej) = λ Setup-Spl(1 ; rS,A). 0 0 0 0 (c) Let F (KA, t) = rS,A. Compute (skA, VKA, VKA,rej) ← λ 0 Setup-Spl(1 ; rS,A). (d) Let F (KB, t − 1) = rS,B. Compute (skB, VKB, VKB,rej) = λ Setup-Spl(1 ; rS,B). 0 0 0 0 (e) Let F (KB, t) = rS,B. Compute (skB, VKB, VKB,rej) ← λ 0 Setup-Spl(1 ; rS,B). (f) Let min = (vin, ctst,in, win, posin) and α =‘A’. If Verify-Spl(VKA, min, σin) = 0 and t ≥ i − 1 output ⊥. Else if Verify-Spl(VKA, min, σin) = 0 set α =‘B’. If α =‘B’ and Verify-Spl(VKB, min, σin) = 0 output ⊥. 4. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)). (c) Let mout = (vout, ctst,out, wout, posout) and σout = 0 Sign-Spl(skα, mout). (d) Output posin, ctsym,out, ctct,out, wout, vout, σout.

Figure 2.52: P1

Hybrid H2,j In this hybrid, the challenger outputs an obfuscation of P2,j =

∗ P2,j{i, j, t ,KE,KA,KB, mj}. This circuit, deﬁned in Figure 2.53, accepts ‘B’

166 type signatures only for inputs corresponding to j + 1 ≤ t ≤ i − 2. It also has the correct output message for step j - mj hardwired. If an input has j + 1 ≤ t ≤ i − 2, then the output signature, if any, is of the same type as the incoming signature.

0 0 Hybrid H2,j In this hybrid, the challenger outputs an obfuscation of P2,j =

0 ∗ P2,j{i, j, t ,KE,KA,KB, mj}. This circuit, deﬁned in Figure 2.54, accepts ‘B’ type signatures only for inputs corresponding to j + 2 ≤ t ≤ i − 2. It also has the correct input message for step j + 1 - mj hardwired. If t = j + 1 and min = mj it outputs an ‘A’ type signature, else it outputs a ‘B’ type signature. If an input has j + 2 ≤ t ≤ i − 2, then the output signature, if any, is of the same type as the incoming signature.

x Analysis Let advA denote the advantage of adversary A in hybrid Hx.

Claim 2.79. Assuming iO is a secure indistinguishability obfuscator, F is a secure puncturable PRF and S is a splittable signature scheme satisfying

0 1 Deﬁnition 2.9, advA − advA ≤ negl(λ).

Proof. The proof of this claim is similar to the proof of Lemma 2.11.

1 Claim 2.80. Assuming iO is a secure indistinguishability obfuscator, advA − 2,0 advA ≤ negl(λ).

Proof. Note that P1 and P2,0 have identical functionality.

167 P2,j

Constants: i, j, Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time ∗ bound T , halt-time t ≤ T , Public parameters for accumulator PPAcc, Pub- lic parameters for Iterator PPItr, Puncturable PRF keys KE,KA,KB ∈ K, ∗ output b , message mj.

2. Veriﬁcations

(a) If VerifyR(PPAcc, win, (ctsym,in, lw), posin, π) = 0 or lw ≥ t output ⊥. (b) Let F (KA, t − 1) = rS,A. Compute (skA, VKA, VKA,rej) = λ Setup-Spl(1 ; rS,A). 0 0 0 0 (c) Let F (KA, t) = rS,A. Compute (skA, VKA, VKA,rej) ← λ 0 Setup-Spl(1 ; rS,A). (d) Let F (KB, t − 1) = rS,B. Compute (skB, VKB, VKB,rej) = λ Setup-Spl(1 ; rS,B). 0 0 0 0 (e) Let F (KB, t) = rS,B. Compute (skB, VKB, VKB,rej) ← λ 0 Setup-Spl(1 ; rS,B). (f) Let min = (vin, ctst,in, win, posin) and α =‘A’. If Verify-Spl(VKA, min, σin) = 0 and (t ≤ j or t ≥ i − 1) output ⊥. Else if Verify-Spl(VKA, min, σin) = 0 set α =‘B’. If Verify-Spl(VKB, min, σin) = 0 output ⊥. 4. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)). (c) Let mout = (vout, ctst,out, wout, posout). 0 If t = j and mout = mj, σout = Sign-Spl(skA, mout). 0 Else if t = j and mout 6= mj, σout = Sign-Spl(skB, mout). 0 Else σout = Sign-Spl(skα, mout). (d) Output posin, ctsym,out, ctct,out, wout, vout, σout.

Figure 2.53: P2,j

168 0 P2,j

2. Veriﬁcations

(a) If VerifyR(PPAcc, win, (ctsym,in, lw), posin, π) = 0 or lw ≥ t output ⊥. (b) Let F (KA, t − 1) = rS,A. Compute (skA, VKA, VKA,rej) = λ Setup-Spl(1 ; rS,A). 0 0 0 0 (c) Let F (KA, t) = rS,A. Compute (skA, VKA, VKA,rej) ← λ 0 Setup-Spl(1 ; rS,A). (d) Let F (KB, t − 1) = rS,B. Compute (skB, VKB, VKB,rej) = λ Setup-Spl(1 ; rS,B). 0 0 0 0 (e) Let F (KB, t) = rS,B. Compute (skB, VKB, VKB,rej) ← λ 0 Setup-Spl(1 ; rS,B). (f) Let min = (vin, ctst,in, win, posin) and α =‘A’. If Verify-Spl(VKA, min, σin) = 0 and (t ≤ j + 1 or t ≥ i − 1) output ⊥. Else if Verify-Spl(VKA, min, σin) = 0 set α =‘B’. If Verify-Spl(VKB, min, σin) = 0 output ⊥.

0 Figure 2.54: P2,j Claim 2.81. Let 0 ≤ j ≤ i − 2. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF and S is a splittable sig-

2,j 02,j nature scheme satisfying deﬁnitions 2.9, 2.10, 2.11 and 2.12, advA −advA ≤ negl(λ).

Proof. The proof of this claim is similar to the proof of Lemma 2.12.

169 Claim 2.82. Let 0 ≤ j ≤ i − 3. Assuming iO is a secure indistinguishability obfuscator, Itr is an iterator satisfying indistinguishability of Setup (Defini- tion 2.3) and is enforcing (Definition 2.4), and Acc is an accumulator satisfying indistinguishability of Read/Write Setup (Definitions 2.5 and 2.6) and is

02,j 2,j+1 Read/Write enforcing (Deﬁnitions 2.7 and 2.8), advA − advA ≤ negl(λ).

Proof. The proof of this claim is similar to the proof of Lemma 2.13.

2,i−2 Claim 2.83. Assuming iO is a secure indistinguishability obfuscator, advA − int advA ≤ negl(λ).

Proof. Note that P2,i−2 and Wint are functionally identical circuits.

Lemma 2.24. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, Itr is an iterator satisfying Definitions 2.3 and 2.4, Acc is an accumulator satisfying Definitions 2.5, 2.6, 2.7 and 2.8, S is a splittable signature scheme satisfying security Definitions 2.9, 2.10, 2.11

int 0int and 2.12, |advA − advA | ≤ negl(λ).

Proof. The proof of this lemma is similar to the proof of Lemma 2.20. To prove this lemma, we will deﬁne a sequence of hybrid experiments and show that they are computationally indistinguishable.

Hybrid H0 In this experiment, the challenger outputs an obfuscation of

∗ P0 = Wint = Prog-2-i{i, t , KE, KA, KB, mi−2}.

170 Hybrid H1 In this hybrid, the challenger ﬁrst computes the constants for program P1 as follows:

1. PRF keys KA and KB are punctured at i − 2 to obtain KA{i − 2} ←

F.puncture(KA, i − 2) and KB{i − 2} ← F.puncture(KB, i − 2).

λ 2. Let rc = F (KA, i − 2), (skC , VKC , VKC,rej) = Setup-Spl(1 ; rC ), rD =

λ F (KB, i − 2), (skD, VKD, VKD,rej) = Setup-Spl(1 ; rD).

∗ It then outputs an obfuscation of P1 = P1{i, t ,KE,KA{i − 2},KB{i −

2}, VKC,(1) , skC,(1) , skD,abo, mi−2} (deﬁned in 2.55). P1 is identical to P0 on inputs corresponding to t 6= i−1, i−2. However, for i−2, its output signature is computed using either skC or skD. For inputs corresponding to t = i − 1, it uses VKC for the veriﬁcation.

Hybrid H2 In this hybrid, rC and rD are chosen uniformly at random; that

λ is, the challenger computes (skC , VKC ) ← Setup-Spl(1 ) and (skD, VKD) ← Setup-Spl(1λ).

Hybrid H3 In this hybrid, the challenger computes constrained secret/veriﬁcation keys. It computes (σC,(1) , VKC,(1) , skC,abo, VKC,abo) ← Split(skC , mi−2) and (σD,(1) ,

VKD,(1) , skD,abo, VKD,abo) ← Split(skD, mi−2). It then outputs an obfuscation of

∗ P3 = {i, t ,KE,KA{i − 2},KB{i − 2}, VKC,(1) , σC,(1) , skD,abo, mi−2} (deﬁned in

Figure 2.56). Note that skC , VKC , skD, VKD are not hardwired in this program.

171 P1

Constants: i, Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound T , halt-time t∗ ≤ T , Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys ∗ KE,KA{i − 2},KB{i − 2} ∈ K, output b , message mi−2, VKC , σC , skD.

2. Veriﬁcations

(a) If VerifyR(PPAcc, win, (ctsym,in, lw), posin, π) = 0 or lw ≥ t output ⊥. (b) If t 6= i − 1, let rS,A = F.eval(KA{i − 2}, t − 1). Compute λ (skA, VKA, VKA,rej) = Setup-Spl(1 ; rS,A). Else VKA = VKC,(1) . 0 (c) If t 6= i − 2, let rS,A = F.eval(KA{i − 2}, t). Compute 0 0 0 λ 0 (skA, VKA, VKA,rej) ← Setup-Spl(1 ; rS,A). 0 (d) If t 6= i − 2, rS,B = F.eval(KB{i − 2}, t). Compute 0 0 0 λ 0 (skB, VKB, VKB,rej) ← Setup-Spl(1 ; rS,B). (e) Let min = (vin, ctst,in, win, posin). If Verify-Spl(VKA, min, σin) = 0 output ⊥. 4. Update accumulator, iterator and compute new signature

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥. (b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)). (c) Let mout = (vout, ctst,out, wout, posout). (d) If t = i − 2 and mout = mi−2, σout = Sign-Spl(skC , mout). Else if t = i − 2 and mout 6= mi−2 σout = Sign-Spl(skD, mout). 0 Else σout = Sign-Spl(skA, mout).

Figure 2.55: P1

Hybrid H4 In this hybrid, the challenger chooses PPAcc, w0, store0 using

Setup-Acc-EnfR. It then uses PPAcc, w0, store0, and proceeds as in previous

∗ experiment. It outputs an obfuscation of P1{i, t , PPAcc, KE, KA{i − 2},

172 P3

Constants: i, Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound T , halt-time t∗ ≤ T , Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys ∗ KE,KA{i − 2},KB{i − 2} ∈ K, output b , message mi−2, VKC,(1) , σC,(1) , skD,abo.

2. Veriﬁcations

(a) Compute wout = Update(PPAcc, win, (ctsym,out, t), posin, aux). If wout = Reject, output ⊥.

(b) Compute vout = Iterate(PPItr, vin, (ctst,in, win, posin)).

(d) If t = i − 2 and mout = mi−2, σout = σC,one.

Else if t = i − 2 and mout 6= mi−2 σout = Sign-Spl-abo(skD,abo, mout). 0 Else σout = Sign-Spl(skA, mout).

(e) Output posin, ctsym,out, ctct,out, wout, vout, σout.

Figure 2.56: P3

173 KB{i − 2}, VKC,(1) , σC,(1) , skD,abo, mi−2}

Hybrid H5 In this hybrid, the challenger ﬁrst computes ciphertexts ct1 and

0 ct2 as described in Hyb2,i.

∗ It then outputs an obfuscation of P5 = P5{i, t , PPAcc, KE, KA{i − 2},

KB{i − 2}, VKC,(1) , σC,(1) , skD,abo, mi−2, ct1, ct2} (deﬁned in Figure 2.57). This program diﬀers from P3 for inputs corresponding to t = i − 1. Instead of decrypting, computing the next state and then encrypting, the program uses the hardwired ciphertexts.

Hybrid H6 In this experiment, the challenger uses normal setup for Acc (that is, Setup-Acc) instead of Setup-Acc-EnfR.

Hybrid H7 In this experiment, the challenger outputs an obfuscation of

0 Wint.

x Analysis Let advA denote the advantage of adversary A in hybrid Hx.

Claim 2.84. Assuming iO is a secure indistinguishability obfuscator, for any

0 1 PPT A, |advA − advA| ≤ negl(λ).

Proof. In hybrid H0, program P0 is used, while in H1, program P1 is used.

The only diﬀerence between the two programs is that P1 uses punctured PRF

174 P5

Constants: i, Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound T , halt-time t∗ ≤ T , Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys ∗ KE,KA{i − 2},KB{i − 2} ∈ K, output b , message mi−2, VKC,(1) , σC,(1) , skD,abo, ciphertexts ct1, ct2.

Figure 2.57: P5 keys KA{i − 2} and KB{i − 2}. It also has the secret/veriﬁcation keys computed using F (KA, i − 2) and F (KB, i − 2). As a result, using correctness of puncturable PRFs, it follows that the two programs have identical func-

175 tionality. Therefore, by security of iO, their obfuscations are computationally indistinguishable.

Claim 2.85. Assuming F is a selectively secure puncturable PRF, for any

1 2 PPT A, |advA − advA| ≤ negl(λ).

Proof. The proof of this claim is similar to the proof of Claim 2.31; it follows from the selective security of puncturable PRF F .

Claim 2.86. Assuming iO is a secure indistinguishability obfuscator and S

2 satisﬁes VK(1) indistinguishability (Deﬁnition 2.10), for any PPT A, |advA − 3 advA| ≤ negl(λ).

Next, we use VK(1) indistinguishability to show that the intermediate step and

H3 are computationally indistinguishable.

Claim 2.87. Assuming Acc satisﬁes indistinguishability of Read Setup (Deﬁ-

3 4 nition 2.5), for any PPT A, |advA − advA| ≤ negl(λ).

Proof. The proof of this claim follows from Read Setup indistinguishability (Deﬁnition 2.5); it is similar to the proof of 2.41.

176 Claim 2.88. Assuming iO is a secure indistinguishability obfuscator, for any

4 5 PPT A, |advA − advA| ≤ negl(λ).

Proof. This proof is similar to the proof of Claim 2.42. The only additional property we require here is the correctness of decryption of PKE. Also note that the outputs are identical because the encryption is deterministic once KE is ﬁxed.

Claim 2.89. Assuming Acc satisﬁes indistinguishability of Read Setup (Deﬁ-

5 6 nition 2.5), for any PPT A, |advA − advA| ≤ negl(λ).

Proof. This step is reverse of the step from H3 to H4, and its proof is similar to the proof of Claim 2.41.

Claim 2.90. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF and S satisﬁes VK(1) indistinguishability

6 7 (Deﬁnition 2.10), for any PPT A, |advA − advA| ≤ negl(λ).

This step is the reverse of the step from H0 to H3. Therefore, using similar intermediate hybrid experiments, a similar proof works here as well.

Lemma 2.25. Assuming iO is a secure indistinguishability obfuscator, F is a selectively secure puncturable PRF, Itr is an iterator satisfying Definitions 2.3 and 2.4, Acc is an accumulator satisfying Definitions 2.5, 2.6, 2.7 and 2.8, S is a splittable signature scheme satisfying security Definitions 2.9, 2.10, 2.11

0int 02,i and 2.12, |advA − advA | ≤ negl(λ).

The proof of this lemma is similar to the proof of Lemma 2.23.

177 2.6.5 Proof of Lemma 2.18

0 We will ﬁrst deﬁne hybrids H0,...,H5, where H0 corresponds to Hyb2,i and H5 corresponds to Hyb2,i−1.

0 Hybrid H0 This corresponds to Hyb2,i.

Hybrid H1 In this hybrid, the challenger punctures the PRF key KE on inputs corresponding to t = i − 1. It outputs an obfuscation of program

0 ∗ 0 W1 = Prog -2-i-1{i, t ,KE{i − 1},KA, ct1, ct2} where Prog -2-i-1 is deﬁned in Figure 2.58. Note that the only diﬀerence between Prog0-2-i and Prog0-2-i-1 is that the latter uses a punctured PRF key KE{i − 1} instead of KE.

λ Hybrid H2 In this hybrid, the challenger computes (pk, sk) ← Setup-PKE(1 ) using true randomness. Also, the ciphertexts ct1 and ct2 are computed using

∗ ∗ true randomness; that is, ct1 ← Enc-PKE(pk, sym ) and ct2 ← Enc-PKE(pk, st ).

Hybrid H3 In this hybrid, the challenger sets ct1 = Enc-PKE(pk, erase) and ct2 = Enc-PKE(pk, erase).

Hybrid H4 In this hybrid, the challenger computes the ciphertexts using pseudorandom strings generated using F (KE, ·). More precisely, the challenger

λ computes (ri−1,1, ri−1,2, ri−1,3) = F (KE, i − 1), (pk, sk)Setup-PKE(1 ; ri−1,1), ct1 = Enc-PKE(pk, erase; ri−1,2) and ct2 = Enc-PKE(pk, erase; ri−1,3).

178 Prog0-2-i-1

Constants: i, Turing machine M = hQ, Σtape, δ, q0, qacc, qreji, time bound ∗ T , halt-time t ≤ T , Public parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys KE{i − 1},Kst ∈ K, ∗ output b , ciphertexts ct1, ct2. Input: Time t ∈ [T ], encrypted symbol and last-write time (ctsym,in, lw), ` encrypted state ctst,in ∈ Q, accumulator value win ∈ {0, 1} Acc , Iterator value vin, signature σin, accumulator proof π, auxiliary value aux.

3. Computing next state and symbol (a) If t = t∗, output b∗. (b) If i ≤ t < t∗ 0 0 i. Compute (rt,1, rt,2, rt,3) = F.eval(KE{i − 1}, t),(pk , sk ) = λ 0 0 Setup-PKE(1 ; rt,1), ctsym,out = Enc-PKE(pk , erase; rt,2) 0 and ctst,out = Enc-PKE(pk , erase; rt,3). (c) Else if t = i − 1,

i. Set ctsym,out = ct1 and ctst,out = ct2. (d) Else

i. Let (rlw,1, rlw,2, rlw,3) = F.eval(KE{i − 1}, lw), λ (pklw, sklw) = Setup-PKE(1 ; rlw,1), sym = Dec-PKE(sklw, ctsym,in). ii. Let (rt−1,1, rt−1,2, rt−1,3) = F.eval(KE{i − 1}, t − 1), λ (pkst, skst) = Setup-PKE(1 , rt−1,1), st = Dec-PKE(skst, ctst,in). iii. Let (st0, sym0, β) = δ(st, sym). iv. If stout = qrej output 0. v. If stout = qacc output 1. 0 0 vi. Compute (rt,1, rt,2, rt,3) = F.eval(KE{i − 1}, t),(pk , sk ) = λ 0 0 0 Setup-PKE(1 ; rt,1), ctsym,out = Enc-PKE(pk , sym ; rt,2) 0 0 and ctst,out = Enc-PKE(pk , st ; rt,3).

Figure 2.58: Prog0-2-i-1

Hybrid H5 This corresponds to Hyb2,i−1.

179 2.6.5.1 Analysis

Claim 2.91. Assuming iO is a secure indistinguishability obfuscator, for any

0 1 PPT adversary A, advA − advA ≤ negl(λ).

Proof. To prove this claim, it suﬃces to show that W0 and W1 are functionally identical. The crucial observation for this proof is the fact that F (KE, i − 1) is not used anywhere in program W0. For inputs corresponding to t > i − 1, both programs don’t use F (KE, i − 1) since the programs do not decrypt for t > i−1. For t = i−1, the ciphertexts ct1 and ct2 are hardwired. For t < i−1, note that it only computes F (KE, τ) for τ < i − 1. As a result, F (KE, ·) is not evaluated at input i − 1, and therefore, it is safe to puncture KE on input i − 1 without aﬀecting functionality. The rest follows from the correctness of puncturable PRFs.

Claim 2.92. Assuming F is a selectively secure puncturable PRF, for any

1 2 PPT adversary A, advA − advA ≤ negl(λ).

Proof. The proof of this claim is similar to the proof of Claim 2.31; it follows from the selective security of puncturable PRF F .

Claim 2.93. Assuming PKE is IND-CPA secure, for any PPT adversary A,

2 3 advA − advA ≤ negl(λ).

Proof. Note that the secret key sk is not required in both hybrids H2 and H3.

Suppose there exists an adversary A that can distinguish between H2 and H3

180 with advantage . Then we can construct a PPT algorithm B that breaks the IND-CPA security of PKE with advantage . B receives the public key pk from the challenger. It interacts with A and computes sym∗, st∗. It sends

∗ ∗ m0 = (sym , st ) and m1 = (erase, erase) as the challenge message pairs, and receives a ciphertext pair(ct1, ct2). B can now perfectly simulate H2 or H3 for A, depending on whether (ct1, ct2) are encryptions of m0 or m1. This completes our proof.

Claim 2.94. Assuming F is a selectively secure puncturable PRF, for any

3 4 PPT adversary A, advA − advA ≤ negl(λ).

Proof. This step is the reverse of the step from H1 to H2; its proof is similar to the proof of Claim 2.31.

Claim 2.95. Assuming iO is a secure indistinguishability obfuscator, for any

4 5 PPT adversary A, advA − advA ≤ negl(λ).

Proof. The only diﬀerence between the programs used in the two hybrids is that one uses a punctured key KE{i − 1}, while the other uses KE. Using the correctness of puncturable PRFs, we can argue that they are functionally identical. As a result, from the security of iO, their obfuscations are computationally indistinguishable.

2.6.6 Extensions and Variations

Since our proof is aimed at achieving machine hiding, it does not erase the input. However, the proof could be easily extended at the end to do this

181 via a simple IND-CPA based hybrids. Note that at the end of our current proofs the no steps actually decrypt the cipertexts. If we add this step of hiding the input, the construction can serve as a secure randomized encoding.

182 Chapter 3

Lockable Obfuscation

3.1 Overview of our Lockable Obfuscation Construction

We will now describe our lockable obfuscation scheme for a family of poly-depth circuits. The construction is described in details in Section 3.4. At a high level, our scheme can be divided into three components — (1) A lockable obfuscation scheme for a family of low-depth circuits and 1-bit messages, (2) a bootstrapping mechanism to amplify to lockable obfuscation for a family of poly-depth circuits and 1-bit messages, and (3) extending to lockable obfuscation for a family of poly-depth circuits and multi-bit messages. (Note in our actual construction, we combine the ﬁrst two components into one for technical reasons.)

Lockable Obfuscation for Low-Depth Circuits and 1-Bit Messages. The primary ingredients of our construction are low-depth pseudorandom generators (PRGs), lattice trapdoors [302], telescoping products/cascading can- cellations [396, 24, 298] and oblivious sequence transformation [332].

1A preliminary version of this chapter appeared in [330].

183 First, let us recall the notion of permutation branching programs, lattice trapdoors and oblivious sequence transformation. A permutation branching program of length L and width w can be represented using w states, 2L permutations σj,b over states for each level j ≤ L, an input-selector function inp(·) which determines the input read at each level, and an accepting and rejecting state. The program execution starts at state 1 of level 0. Suppose the branching program reads ﬁrst input bit (say b) at level 1 (i.e., inp(1) = 1).

Then, the state of the program changes to σ1,b(st). Such a process can be carried out (iteratively) to compute the ﬁnal program state at level L. Depending upon the ﬁnal state, the program either accepts or rejects.

A lattice trapdoor generation algorithm can be used to sample a (uniformly looking) matrix A together with a trapdoor TA. The trapdoor can be used to compute, for any matrix U, a low norm matrix S such that A·S = U.2

As a result, the matrix S can be used to ‘transform’ any matrix Ae ≈ A to another matrix Ue ≈ U. Oblivious sequence transformation is a technique that enables sampling a sequence of matrices B1,..., Bw along with some trapdoor such that for any sequence of matrices U1,..., Uw, one can construct a short matrix X such that Bi · X = Ui for all i (and X is oblivious of i).

Moving on to our construction, at a high level the obfuscator starts by ﬁrst generating a sequence of permutation branching programs corresponding

2For ease of exposition, we will use the notation A−1(·) to represent the pre-image operation. In the formal description of our algorithms later, we use the pre-image sampling algorithm SamplePre.

184 to the circuit C (where each branching program computes one output bit), and then encoding the state transition permutations for each level for every branching program using the technique of oblivious sequence transformation. Let ` be the output length of C. In other words, for obfuscating circuit C under lock α with message msg, the obfuscator ﬁrst expresses C as a set of

(i) width 5 permutation branching programs {BP }i of polynomial length L, where for each i ∈ [`] BP(i) computes the ith output bit of circuit C.3 Without loss of generality, we can assume that all branching programs have a common input selector function inp(·) such that inp(j) bit of the input is read at level j. The obfuscation algorithm continues by choosing 5(L + 1)` matrices, one

4 (i) matrix for each (level, state) of each branching program. Let Bj,w be the matrix corresponding to state w ∈ [5] at level j ≤ L for branching program

(i) (i) (i) BP , i ∈ [`]. For every i ∈ [`], the matrices {Bj,1,..., Bj,5} for the ﬁrst L levels (i.e., all but top-level matrices) are sampled such that they have a

(i) common trapdoor Tj , i.e. using oblivious sequence transformation. The top- level matrices, however, are sampled uniformly at random without a trapdoor subject to the constraint that the top-level matrices corresponding to lock string α sum to a special ﬁxed matrix depending upon the message msg. More formally, for each i ∈ [`], let q be the LWE modulus, and acc(i) and rej(i) be the accepting and rejecting states for BP(i), then the obfuscator chooses the

3From Barrington’s Theorem [70], we know that for every NC1 circuits there exists a width 5 permutation branching program of polynomial length. 4Note that if a branching program has length L, then it has L + 1 levels.

185 matrices B(i) , B(i) such that L,acc(i) L,rej(i)

( n×m X (i) X (i) 0 if msg = 0. B + B = L,rej(i) L,acc(i) √ n×(m−n) q · In || 0 if msg = 1. i : αi=0 i : αi=1

For each level j ∈ [L], the obfuscation algorithm also chooses two low-norm ma-

(0) (1) trices Sj and Sj (these are shared across all branching programs), and com- (i,0) (i,1) putes 2` low-norm matrices {Cj , Cj }i,j such that for every state w ∈ [5], (i) (i,0) (0) (i) (i) (i,1) (1) (i) Bj−1,w · Cj ≈ Sj · B (i) and Bj−1,w · Cj ≈ Sj · B (i) . That is, j,σj,0(w) j,σj,1(w) (i,0) (i,1) the matrices Cj and Cj represent the state transition from level j − 1 to j when bit 0 or 1 is read at step j of branching program execution. For each

(i,b) i ∈ [`], j ∈ [L], the Cj matrices can be generated using the lattice trap- (i) (i,0) (i,1) doors Tj . The obfuscation algorithm outputs these matrices {Cj , Cj }i,j (i) together with the base-level matrices {B0,1}i as the ﬁnal obfuscated program.

At a high level, one could visualize the obfuscated program which con-

(i) (i,0) (i,1) sists of the base-level matrices {B0,1}i and matrices {Cj , Cj }i,j as “encodings” of the branching program starting states and state transition permutations, respectively. Therefore, evaluating an obfuscated program on some input x will be analogous to evaluating the branching programs BP(i) on input x directly. Fix some i ∈ [`]. Suppose the ﬁrst input bit x1 is read at level 1. Then evaluation of BP(i) at level 1 would map the state 1 at level 0

(i) to state σ1,x1 at level 1. Analogously, the obfuscation evaluator can compute B(i) · C(i,x1) ≈ S(x1) · B(i) . In general, if the program state at level j − 1 0,1 1 1 1,σ(i) 1,x1 during execution is w, then the evaluator will accumulate the product of the

186 (i) form Γj−1 · Bj,w, where Γj−1 is a product of j − 1 low-norm matrices. This can be easily veriﬁed as follows. Suppose the next bit read is b, then the

(i) new state at level j will be σj,b(w), thus the new accumulated product dur- (i) (i,b) (i) ing obfuscation evaluation will be Γj−1 · Bj,w · Cj ≈ Γj · B (i) , where j+1,σj,b(w) (b) Γj = Γj−1 · Sj . Therefore, the invariant is maintained. Note that the matrix (0) ΓL will be same for all branching programs since the low-norm matrices Sj (1) and Sj are shared across all branching programs.

Continuing this way, the evaluator can iteratively compute the matrix product at the top. Thus, for each branching program, the accumulated product at the top will either be ≈ Γ · B(i) or ≈ Γ · B(i) , depending on L L,acc(i) L L,rej(i) (i) (i) (i) (i) (i) whether C(x)i = 0 or 1. Let ∆ = ΓL · BL,st(i) , where st = acc or rej depending on C(x)i. Finally, the evaluator simply sums the top-level accumulated products (≈ ∆(i)) and checks whether the norm of the ﬁnal summed matrix lies in appropriate range. More concretely, consider the case when

P (i) P (i) n×m C(x) = α and msg = 0, then i ∆ = ΓL · i BL,st(i) = 0 . Since the P (i) ﬁnal top-level matrix sum is close to i ∆ , thus it will have norm close to 0, and hence the evaluator can simply test this and output 0 as the message.

Similarly we could argue correctness for the cases when msg = 1 or C(x) 6= α. However, our current proof techniques do not seem suﬃcient for proving the security of above construction. The reason is that there is an inherent tension in setting scheme parameters while basing security on LWE. This is discussed in detail later in Section 3.4.2. We were able to bypass

187 this problem by obfuscating an “expanded” circuit, which evaluates a low- depth pairwise independent hash function h and a low-depth pseudorandom generator PRG with a large enough polynomial stretch (in succession) on the output of circuit C, instead of directly obfuscating circuit C using the above matrix encoding procedure.

In other words, let Q be the circuit that on input x, outputs PRG(h(C(x))). Observe that if h and PRG can be computed by low-depth circuits (NC1), then Q also can be computed by an NC1 circuit (since C is assumed to be a log- depth circuit). Therefore, Q can be expressed by a set of width 5 permutation branching programs of polynomial length L as well. Additionally, now the matrix component generation procedure will use β = PRG(h(α)) as the lock instead of α. This modiﬁcation is suﬃcient to avoid the tension between scheme parameters, and also allows us to prove security of our scheme under LWE with only polynomial hardness. This completes the description of our lockable obfuscation scheme for low-depth circuits and 1-bit messages.

Bootstrapping Lockable Obfuscation. Let ONC1 be a lockable obfuscator for log-depth circuits. We will use leveled homomorphic encryption (LHE) with

1 an NC decryption circuit to bootstrap ONC1 to an obfuscator that works for any depth d. The obfuscator gets as input a circuit C of depth d, a string α and a message msg. It ﬁrst chooses the LHE secret-evaluation keys and encrypts the circuit C. Let Q be the circuit which takes as input an LHE ciphertext and decrypts it using the hardwired LHE secret key and outputs

188 the decrypted string. Note that the circuit Q is a logarithmic depth circuit.

The obfuscator outputs O ← ONC1 (Q, α, msg) together with the encryption of C and the LHE evaluation key.

Evaluating on input x. Let Ux(·) be the universal circuit with input x hardwired (that is, it takes a circuit C as input and outputs C(x)). The evaluation algorithm ﬁrst homomorphically evaluates the circuit Ux on the encryption of C. This results in an LHE ciphertext ct, which is an encryption of C(x). It then evaluates the obfuscation O on input ct, and outputs the resulting string. Using the correctness of O and the LHE scheme, we can argue that if C(x) = α, then the evaluation outputs msg, and it outputs ⊥ otherwise.

The security proof here is fairly simple. Using the security of the underlying obfuscator ONC1 , we ﬁrst switch the obfuscation O to be a simulated obfuscation. Once the obfuscator O is simulated, the obfuscator no longer needs the LHE secret key. Therefore, we can now replace the LHE encryption of C with encryption of zeros, thereby erasing all the information about circuit C except its size. Therefore, the ﬁnal simulator simply outputs an encryption of zeros, together with a simulated obfuscation, and this is indistinguishable from the honestly computed obfuscation.

Extending Lockable Obfuscation for 1-Bit Messages to Multi-Bit Messages. We would like point out that the standard repitition method for extending message space does not work for lockable obfuscation schemes

189 because the security is only guaranteed when the adversary does not know the lock string α. However, we observe there are still multiple ways to extend its message space. We brieﬂy discuss two possible extensions. One option could be to encode a multi-bit message directly in the top-level matrices. Currently, √ the top-level matrices are set to sum to 0n×m if msg = 0, otherwise to q ·

n×(m−n) In || 0 . However, if we interpret the mesage msg as an integer v <

√ √ n×(m−n) q/2, then we could simply set the sum to be v · q · In || 0 .

The second extension could be carried more generally without exploit- ing the mathematical structure of the underlying obfuscation scheme. The high level idea is to again “expand” the circuit C using a pairwise independent hash function and a pseudorandom generator before obfuscation. Suppose the lock α be a string of length k. Let β = PRG(h(α)) and |β| = ` · k. To obfuscate circuit C under lock α for an `-bit message msg, the multi-bit obfuscator (for each i < `) independently obfuscates the circuit Q[i] under lock

β[i] for message msgi using the 1-bit obfuscation scheme, where circuit Q[i] denotes the circuit that outputs the i·k +1,..., (i+1)·k output bits of circuit

PRG(h(C(·))) and β[i] = βi·k+1, . . . , β(i+1)·k. The security proof follows from a simple hybrid argument.

This completes the technical overview of our lockable obfuscation scheme.

190 3.2 Preliminaries

Notations. We will use lowercase bold letters for vectors (e.g. v) and up- percase bold letters for matrices (e.g. A). For any integer q ≥ 2, we let Zq denote the ring of integers modulo q. We represent Zq as integers in the range

(−q/2, q/2]. For a vector v, we let kvk denote its `2 norm and kvk∞ denote its inﬁnity norm. Similarly, for matrices k·k and k·k∞ denote their `2 and inﬁnity norms (respectively).

We denote the set of all positive integers upto n as [n] := {1, . . . , n}. For any ﬁnite set S, x ← S denotes a uniformly random element x from the set S. Similarly, for any distribution D, x ← D denotes an element x drawn from distribution D. The distribution Dn is used to represent a distribution over vectors of n components, where each component is drawn independently from the distribution D. Two distributions D1 and D2, parameterized by security parameter λ, are said to be computationally indistinguishable, represented by D1 ≈c D2, if for all PPT adversaries A, | Pr[1 ← A(x): x ← D1]-

Pr[1 ← A(x): x ← D2]| ≤ negl(λ). For a family of distributions χ = {χ(λ)}λ over the integers, and integers bounds B = {B(λ)}λ, we say that χ is B- bounded if Pr[|x| ≤ B(λ): x ← χ(λ)] = 1.

This section closely follows [332].

Min-Entropy and Randomness Extraction. The min-entropy of a ran-

def dom variable X is deﬁned as H∞(X) = − log2(maxx Pr[X = x]). Let SD(X,Y )

191 denote the statistical distance between two random variables X and Y . Below we state the Leftover Hash Lemma (LHL) from [353, 252, 251].

Theorem 3.1. Let H = {h : X → Y }h∈H be a universal hash family, then for any random variable W taking values in X, the following holds

1q SD ((h, h(W )) , (h, U )) ≤ 2−H∞(W ) · |Y | . Y 2

We will use the following corollary, which follows from the Leftover Hash Lemma.

Corollary 3.1. Let ` > m · n log2 q + ω(log n) and q a prime. Let R be an k × m matrix chosen as per distribution R, where k = k(n) is polynomial in n and H∞ (R) = `. Let A and B be matrices chosen uniformly in Zqn × k and Zqn × m, respectively. Then the statistical distance between the following distributions is negligible in n.

{(A, A · R)} ≈s {(A, B)}

Proof. The proof of above corollary follows directly from the Leftover Hash

Lemma. Note that for a prime q the family of hash functions hA : Zqk × m →

Zqn × m for A ∈ Zqn × k deﬁned by hA(X) = A · X is universal. There- fore, if R has suﬃcient min-entropy, i.e. ` > m · n log2 q + ω(log n), then the Leftover Hash Lemma states that statistical distance between the distributions (A, A · R) and (A, B) is at most 2−ω(log n) which is negligible in n as desired.

192 3.2.1 Lattice Preliminaries

An m-dimensional lattice L is a discrete additive subgroup of Rm. n×m ⊥ Given positive integers n, m, q and a matrix A ∈ Zq , we let Λq (A) de- m n u note the lattice {x ∈ Z : A · x = 0 mod q}. For u ∈ Zq , we let Λq (A) denote the coset {x ∈ Zm : A · x = u mod q}.

Discrete Gaussians. Let σ be any positive real number. The Gaussian distribution Dσ with parameter σ is deﬁned by the probability distribution

2 2 m function ρσ(x) = exp(−π kxk /σ ). For any set L ⊂ R , deﬁne ρσ(L) = P x∈L ρσ(x). The discrete Gaussian distribution DL,σ over L with parameter

σ is deﬁned by the probability distribution function ρL,σ(x) = ρσ(x)/ρσ(L) for all x ∈ L.

The following lemma (Lemma 4.4 of [442], [302]) shows that if the parameter σ of a discrete Gaussian distribution is small, then any vector drawn from this distribution will be short (with high probability).

n×m Lemma 3.1. Let m, n, q be positive integers with m > n, q ≥ 2. Let A ∈ Zq ˜ ⊥ be a matrix of dimensions n × m, σ = Ω(n) and L = Λq (A). Then

√ Pr[kxk > m · σ : x ← DL,σ] ≤ negl(n).

Truncated Discrete Gaussians. The truncated discrete Gaussian distri-

m bution over Z with parameter σ, denoted by De Zm,σ, is same as the discrete

Gaussian distribution Dσ except it outputs 0 whenever the `∞ norm exceeds

193 √ √ m · σ. Note that, by deﬁnition, De Zm,σ is m · σ-bounded. Also, note that

De Zm,σ ≈s DZm,σ.

Learning with Errors (LWE). The Learning with Errors (LWE) problem was introduced by Regev [483]. The LWE problem has four parameters: the dimension of the lattice n, the number of samples m, the modulus q and the error distribution χ = χ(n).

Assumption 3.1 (Learning with Errors). Let n, m and q be positive integers and χ a noise distribution over Zq. The Learning with Errors assumption (n, m, q, χ)-LWE, parameterized by n, m, q, χ, states that the following distributions are computationally indistinguishable:

n×m n×m > > A ← Zq , > A ← Zq , (A, s · A + e ): n m ≈c (A, u ): m s ← Zq , e ← χ u ← Zq

Under a quantum reduction, Regev [483] showed that for certain noise distributions, LWE is as hard as worst case lattice problems such as the decisional approximate shortest vector problem (GapSVP) and approximate shortest independent vectors problem (SIVP). Later works [469, 152] showed classical reductions from LWE to GapSVPγ.

These works show that for B-bounded discretized Gaussian error distributions χ, solving (n, m, q, χ)-LWE is as hard as approximating GapSVPγ ˜ and SIVPγ to a factor of O(n · q/B). Given the current state of art in lattice ˜ n algorithms, GapSVPγ and SIVPγ are believed to be hard for γ = O(2 ) (for

194 ﬁxed ∈ (0, 1/2)), and therefore (n, m, q, χ)-LWE is believed to be hard for B-bounded discretized Gaussian error distributions χ with B = 2−n ·q·poly(n).

LWE with Short Secrets. In this work, we will be using a variant of the LWE problem called LWE with Short Secrets. In this variant, introduced by Applebaum et al. [41], the secret vector is also chosen from the noise distribution χ. They showed that this variant is as hard as LWE for suﬃciently large number of samples m.

Assumption 3.2 (LWE with Short Secrets). Let n, m and q be positive integers and χ a noise distribution on Z. The LWE with Short Secrets assumption (n, m, q, χ)-LWE-ss, parameterized by n, m, q, χ, states that the following distributions are computationally indistinguishable 5:

n×m n×m A ← Zq , A ← Zq , (A, S · A + E): n×n n×m ≈c (A, U): n×m . S ← χ , E ← χ U ← Zq

Lattices with Trapdoors. Lattices with trapdoors are lattices that are statistically indistinguishable from randomly chosen lattices, but have certain ‘trapdoors’ that allow eﬃcient solutions to hard lattice problems.

Deﬁnition 3.1 ([21, 302]). A trapdoor lattice sampler consists of algorithms TrapGen and SamplePre with the following syntax and properties:

5 > n×m n m Applebaum et al. showed that {(A, s · A + e): A ← Zq , s ← χ , e ← χ } ≈c n×m m {(A, u): A ← Zq , u ← Zq }, assuming LWE is hard. However, by a simple hybrid argument, we can replace vectors s, e, u with matrices S, E, U of appropriate dimensions.

195 n m • TrapGen(1 , 1 , q) → (A,TA): The lattice generation algorithm is a randomized algorithm that takes as input the matrix dimensions n, m,

n×m modulus q, and outputs a matrix A ∈ Zq together with a trapdoor

TA.

• SamplePre(A,TA, u, σ) → s: The presampling algorithm takes as input

n a matrix A, trapdoor TA, a vector u ∈ Zq and a parameter σ ∈ R (which m determines the length of the output vectors). It outputs a vector s ∈ Zq .

These algorithms must satisfy the following properties:

n m 1. Correct Presampling: For all vectors u, parameters σ,(A,TA) ← TrapGen(1 , 1 , q), √ and s ← SamplePre(A,TA, u, σ), A · s = u and ksk∞ ≤ m · σ.

2. Well Distributedness of Matrix: The following distributions are statistically indistinguishable:

n m n×m {A :(A,TA) ← TrapGen(1 , 1 , q)} ≈s {A : A ← Zq }.

n m 3. Well Distributedness of Preimage: For all (A,TA) ← TrapGen(1 , 1 , q), √ if σ = ω( n · log q · log m), then the following distributions are statistically indistinguishable:

n {s : u ← Zq , s ← SamplePre(A,TA, u, σ)} ≈s DZm,σ.

These properties are satisﬁed by the gadget-based trapdoor lattice sampler of [440] for parameters m such that m = Ω(n · log q).

196 3.2.2 Branching Programs

Branching programs are a model of computation used to capture space- bounded computations [139, 70]. In this work, we will be using a restricted notion called permutation branching programs.

Deﬁnition 3.2 (Permutation Branching Program). A permutation branching program of length L, width w and input space {0, 1}n consists of a sequence of

2L permutations σi,b :[w] → [w] for 1 ≤ i ≤ L, b ∈ {0, 1}, an input selection function inp :[L] → [n], an accepting state acc ∈ [w] and a rejection state rej ∈ [w]. The starting state st0 is set to be 1 without loss of generality. The branching program evaluation on input x ∈ {0, 1}n proceeds as follows:

• For i = 1 to L,

– Let pos = inp(i) and b = xpos. Compute sti = σi,b(sti−1).

• If stL = acc, output 1. If stL = rej, output 0, else output ⊥.

In a remarkable result, Barrington [70] showed that any circuit of depth d can be simulated by a permutation branching program of width 5 and length 4d.

Theorem 3.2 ([70]). For any boolean circuit C with input space {0, 1}n and depth d, there exists a permutation branching program BP of width 5 and length 4d such that for all inputs x ∈ {0, 1}n, C(x) = BP(x).

197 This permutation property will be useful for proving security of our main construction in Section 3.4. We will also require that the permutation branching program has a ﬁxed input-selector function inp. In our construction, we will have multiple branching programs, and all of them must read the same input bit at any level i ≤ L.

Deﬁnition 3.3. A permutation branching program with input space {0, 1}n is said to have a ﬁxed input-selector inp(·) if for all i ≤ L, inp(i) = i mod n.

Any permutation branching program of length L and input space {0, 1}n can be easily transformed to a ﬁxed input-selector branching program of length n · L. In this work, we only require that all branching programs share the same input selector function inp(·). The input selector which satisﬁes inp(i) = i mod n is just one possibility, and we stick with it for simplicity. We will use the following corollary, which follows from Theorem 3.2.

Corollary 3.2. For any boolean circuit C with input space {0, 1}n and depth d, there exists a ﬁxed-input selector permutation branching program BP of width 5 and length n · 4d such that for all inputs x ∈ {0, 1}n, C(x) = BP(x).

3.2.3 Public Key Encryption

A public key encryption (PKE) scheme E for message spaces M = {M } consists of the following polynomial-time algorithms. λ λ∈N

• Setup(1λ) → (pk, sk). The setup algorithm takes as input the security parameter λ, and outputs a public-secret key pair (pk, sk).

198 • Enc(pk, m ∈ Mλ) → ct. The encryption algorithm takes as input a public key pk and a message m, and outputs a ciphertext ct.

• Dec(sk, ct) → m. The decryption algorithm takes as input a secret key sk and a ciphertext ct, and outputs a message m.

Correctness. A PKE scheme E for message spaces M is said to be correct if

λ for all λ, m ∈ Mλ and (pk, sk) ← Setup(1 ), we have that Dec(sk, Enc(pk, m)) = m.

Security. The standard security notion for PKE schemes is IND-CPA security. Formally, it is deﬁned as follows.

Deﬁnition 3.4. A public key encryption scheme E = (Setup, Enc, Dec) is IND- CPA secure if for every stateful PPT adversary A, there exists a negligible functions negl(·), such that the following function of λ is bounded by negl(·)

λ (pk, sk) ← Setup(1 ); b ← {0, 1} 1 Pr A(ct) = b − (m0, m1) ← A(pk); ct ← Enc(pk, mb) 2

A stronger security notion for PKE schemes is IND-CCA security. For- mally, it is deﬁned as follows.

Deﬁnition 3.5. A public key encryption scheme E = (Setup, Enc, Dec) is IND- CCA secure if for every stateful PPT adversary A, there exists a negligible functions negl(·), such that for all λ ∈ N, the following holds: λ Dec(sk,·) (pk, sk) ← Setup(1 ); b ← {0, 1} 1 Pr A (ct) = b Dec(sk,·) − ≤ negl(λ), (m0, m1) ← A (pk); ct ← Enc(pk, mb) 2 where adversary A must not query ciphertext ct to the decryption oracle.

199 3.2.4 Homomorphic Encryption

Homomorphic encryption [485, 297] is a powerful extension of public key encryption that allows one to evaluate functions on ciphertexts. Homomor- phic encryption schemes can be classiﬁed as either leveled or fully homomorphic encryption schemes. A leveled homomorphic encryption (LHE) scheme allows bounded depth computation over the ciphertexts. The setup algorithm takes as input a ‘level bound’ ` together with the security parameter, and outputs a public-secret key pair. Given an ciphertext ct corresponding to message m, one can use the evaluation algorithm to evaluate a bounded depth circuit C on ct, and the resulting ciphertext ct0, when decrypted using the secret key, outputs C(m) if the depth of C is less than `. Fully homomorphic encryption, on the other hand, allows for arbitrary computation on the ciphertext.

3.2.4.1 Leveled Homomorphic Encryption

A secret key leveled homomorphic encryption scheme HE with message space {0, 1} consists of four algorithms Setup, Enc, Dec, Eval with the following syntax:

1. Setup(1λ, 1`) → (sk, ek) The setup algorithm takes as input the security parameter λ, bound on circuit depth ` and outputs a secret key sk and evaluation key ek.

2. Enc(sk, m ∈ {0, 1}) → ct The encryption algorithm takes as input a secret key sk, message m ∈ {0, 1} and outputs a ciphertext ct.

200 0 3. Eval(ek,C ∈ C`, ct) → ct The evaluation algorithm takes as input an

evaluation key ek, a circuit C ∈ C`, a ciphertext ct and outputs a ciphertext ct0.

4. Dec(sk, ct) → x The decryption algorithm takes as input a secret key sk and ciphertext ct and outputs x ∈ {0, 1} ∪ {⊥}.

We will now deﬁne some properties of leveled homomorphic encryption schemes. Let HE be any homomorphic encryption scheme with message space {0, 1}. First, we have the correctness property, which states that the decryption of a homomorphic evaluation on a ciphertext must be equal to the evaluation on the underlying message.

Deﬁnition 3.6 (Correctness). The scheme HE is said to be (perfectly) correct if for all security parameter λ, circuit-depth bound `,(sk, ek) ← Setup(1λ, 1`), circuit C ∈ C` and message m ∈ {0, 1},

Dec(sk, Eval(ek,C, Enc(sk, m))) = C(m).

Next, we have the compactness property which requires that the size of the output of an evaluation on a ciphertext must not depend upon the evaluation circuit. In particular, we require that there exists one decryption circuit such that this circuit can decrypt any bounded-depth evaluations on ciphertexts.

Deﬁnition 3.7 (Compactness). A homomorphic encryption scheme HE is said

Dec to be compact if for all λ, ` there is a decryption circuit Cλ,` such that for all

201 λ ` Dec (sk, ek) ← Setup(1 , 1 ), m ∈ {0, 1}, C ∈ C`, Cλ,` (sk, Eval(ek, C, Enc(sk, m))) = C(m).

Finally, we require that the depth of the decryption circuit is bounded by a logarithmic function in the security parameter λ.

Deﬁnition 3.8. A compact homomorphic encryption scheme HE is said to

Dec have log-depth decryption circuit if for all λ, `, depth(Cλ,` ) = O(log λ).

For security, we require that the underlying scheme is IND-CPA secure.

Deﬁnition 3.9 (Security). A homomorphic encryption scheme HE is secure if Γ = (Setup, Enc, Dec) is IND-CPA secure (Deﬁnition 3.4).

Starting with the work of Gentry [297], there has been a long line of interesting works seeking to improve the eﬃciency/security of homomorphic encryption schemes. Today, we have LHE schemes [155, 148, 303] with log- depth decryption circuits that can be proven secure under the Learning with Errors assumption.

3.2.4.2 Fully Homomorphic Encryption

Fully homomorphic encryption is a stronger notion of homomorphic encryption where the evaluator can perform unbounded computations on the ciphertext. As a result, the algorithm does not need to take the depth bound as input.

202 A secret key fully homomorphic encryption scheme HE with message space {0, 1} consists of four algorithms Setup, Enc, Dec, Eval with the following syntax:

1. Setup(1λ) → (sk, ek) The setup algorithm takes as input the security parameter λ and outputs a secret key sk and evaluation key ek.

2. Enc(sk, m ∈ {0, 1}) → ct The encryption algorithm takes as input a secret key sk, message m ∈ {0, 1} and outputs a ciphertext ct.

3. Eval(ek,C, ct) → ct0 The evaluation algorithm takes as input an evaluation key ek, a circuit C, a ciphertext ct and outputs a ciphertext ct0.

4. Dec(sk, ct) → x The decryption algorithm takes as input a secret key sk and ciphertext ct and outputs x ∈ {0, 1} ∪ {⊥}.

Deﬁnition 3.10 (Correctness). The scheme HE is said to be (perfectly) correct if for all security parameter λ,(sk, ek) ← Setup(1λ, 1`), circuit C and message m ∈ {0, 1},

Dec(sk, Eval(ek,C, Enc(sk, m))) = C(m).

The security and compactness requirement is same as that for leveled homomorphic encryption.

3.2.5 Pairwise Independent Hash Functions

Deﬁnition 3.11. Let H be a family of hash functions where each h ∈ H has domain {0, 1}` and co-domain {0, 1}`H . The family H is said to be a pairwise

203 independent hash function family if for all x, y ∈ {0, 1}` and a, b ∈ {0, 1}`H s.t. x 6= y, 1 Pr [h(x) = a ∧ h(y) = b] = 2 . h←H (2`H )

A simple family of pairwise independent hash functions is the following set of functions:

`H×` `H {hA,b(x) = Ax + b : A ∈ Z2 , b ∈ Z2 }.

This family can be implemented using log-depth circuits.

3.2.6 Low-Depth Pseudorandom Generators with Polynomial Stretch

In this work, we require polynomial stretch pseudorandom generators which can be implemented by polynomial length branching programs.

Deﬁnition 3.12. Let `, `PRG be polynomials. A circuit class PRG`,`PRG =

`(λ) `PRG(λ) {PRGλ}λ where PRGλ : {0, 1} → {0, 1} , is said to be a pseudorandom generator if for all PPT adversaries A, there exists a negligible function negl(·) such that the following function of λ is bounded by negl(·):

`(λ) `PRG(λ) Pr 1 ← A(PRGλ(s)) : s ← {0, 1} − Pr 1 ← A(u): u ← {0, 1}

Using PRFs in NC1, we can show that there exist PRGs of logarithmic depth which can achieve any polynomial stretch. Low depth PRFs, in turn, can be constructed from the Learning with Errors assumption.

Theorem 3.3 (PRFs in NC1 [57]). For some σ > 0, suitable universal constant C > 0, modulus p ≥ 2, any m = poly(n), let χ = DZ,σ and q ≥

204 √ p · k(Cσ n)k · nω(1), assuming hardness of (n, m, q, χ)-LWE, there exists a

k m×n function family PRF consisting of functions from {0, 1} to Zp that satis- ﬁes pseudorandomness property and the entire function can be computed in TC0 ⊆ NC1.

From Theorems 3.2 and 3.3, the following corollary is immediate.

Corollary 3.3. There exists a polynomial p such that for any polynomial

`PRG, there exists a family of pseudorandom generators {PRGλ} where PRGλ :

`(λ) `PRG(λ) th {0, 1} → {0, 1} , and for all i ∈ [`PRG(λ)], the i bit of PRGλ can be computed by a branching program of length p(λ). This family of pseudorandom generators can be proven secure assuming hardness of (n, m, q, χ)-LWE with parameters as in Theorem 3.3.

3.3 Lockable Obfuscation

In this section, we define the notion of lockable obfuscation, and discuss how it is related to other cryptographic primitives. An lockable obfuscator takes as input a program P , a message msg, and a ‘lock’ α. It outputs an obfuscated program Pe which has the same domain as the program P . The program Pe, on input x, outputs the message msg if P (x) = α. If not, then with overwhelming probability, it will output ⊥. For security, we require that for all programs P and messages msg, Pe for a uniformly random α can be efficiently simulated given only the sizes of P and msg. We will now present the syntax, correctness and security definition.

205 Let n, m, d be polynomials, and Cn,m,d(λ) be the class of depth d(λ) circuits with n(λ) bit input and m(λ) bit output. A lockable obfuscator for

Cn,m,d consists of algorithms Obf and Eval with the following syntax. Let M be the message space.

• Obf(1λ,P, msg, α) → P.e The obfuscation algorithm is a randomized algo-

rithm that takes as input the security parameter λ, a program P ∈ Cn,m,d, message msg ∈ M and ‘lock string’ α ∈ {0, 1}m(λ). It outputs a program

Pe.

• Eval(Pe , x) → y ∈ M ∪ {⊥}. The evaluator is a deterministic algorithm that takes as input a program Pe and a string x ∈ {0, 1}n(λ). It outputs y ∈ M ∪ {⊥}.

3.3.1 Correctness

For correctness, we require that if P (x) = α, then the obfuscated program Pe ← Obf(1λ,P, msg, α), evaluated on input x, outputs msg, and if P (x) 6= α, then Pe outputs ⊥ on input x. Here, we give three correctness deﬁnitions, which diﬀer in the case where P (x) 6= α.

Deﬁnition 3.13 (Perfect Correctness). Let n, m, d be polynomials. A lockable obfuscation scheme for Cn,m,d and message space M is said to be perfectly correct if it satisﬁes the following properties:

n(λ) 1. For all security parameters λ, inputs x ∈ {0, 1} , programs P ∈ Cn,m,d

206 and messages msg ∈ M, if P (x) = α, then

Eval(Obf(1λ,P, msg, α)), x) = msg.

n(λ) 2. For all security parameters λ, inputs x ∈ {0, 1} , programs P ∈ Cn,m,d and messages msg ∈ M, if P (x) 6= α, then

Eval(Obf(1λ,P, msg, α)), x) = ⊥ .

Deﬁnition 3.14 (Statistical Correctness). An lockable obfuscation scheme is said to be statistically correct if it satisﬁes the following properties:

n(λ) 1. For all security parameters λ, inputs x ∈ {0, 1} , programs P ∈ Cn,m,d and messages msg ∈ M, if P (x) = α, then

Eval(Obf(1λ,P, msg, α)), x) = msg.

m(λ) 2. For all security parameters λ, programs P ∈ Cn,m,d, α ∈ {0, 1} and msg ∈ M,

Pr[∃ x s.t. P (x) 6= α and Eval(Obf(1λ,P, msg, α), x) = msg] ≤ negl(λ)

where the probability is taken over the random coins used during obfuscation.

Deﬁnition 3.15 (Semi-statistical Correctness). Let n, m, d be polynomials.

A lockable obfuscation scheme for Cn,m,d and message space M is said to be semi-statistical correct if it satisﬁes the following properties:

207 n(λ) 1. For all security parameters λ, inputs x ∈ {0, 1} , programs P ∈ Cn,m,d and messages msg ∈ M, if P (x) = α, then

Eval(Obf(1λ,P, msg, α)), x) = msg.

n(λ) 2. For all security parameters λ, inputs x ∈ {0, 1} , programs P ∈ Cn,m,d, α ∈ {0, 1}m(λ) such that P (x) 6= α and msg ∈ M,

Pr[Eval(Obf(1λ,P, msg, α), x) = msg] ≤ negl(λ)

where the probability is taken over the random coins used during obfuscation.

Looking ahead, our construction satisﬁes the semi-statistical correctness condition, and will be suﬃcient for our applications.

3.3.2 Security

Deﬁnition 3.16. Let n, m, d be polynomials. A lockable obfuscation scheme

(Obf, Eval) for Cn,m,d and message space M is said to be secure if there exists a PPT simulator Sim such that for all PPT adversaries A = (A0, A1), there exists a negligible function negl(·) such that the following function is bounded by negl(·):

 λ  (P ∈ Cn,m,d, msg ∈ M, st) ← A0(1 ) m(λ)  ˜ b ← {0, 1}, α ← {0, 1}  1 Pr A1(Pb, st) = b : ˜ λ  −  P0 ← Obf(1 ,P, msg, α)  2 ˜ λ |P | |msg| P1 ← Sim(1 , 1 , 1 )

208 3.3.3 Extending the Message Space

In this section, we show that an lockable obfuscation scheme with message space {0, 1} can be extended to an lockable obfuscation scheme with message space {0, 1}l for any polynomial l.

Let (Obf, Eval) be an lockable obfuscation scheme with message space {0, 1}. We will also require the following tools for this transformation:

- A pairwise independent hash function family H with domain {0, 1}`out

and co-domain {0, 1}`H

- A pseudorandom generator PRG : {0, 1}`H → {0, 1}l·λ

Consider the following lockable obfuscation scheme (Obf0, Eval0) for circuit class

l C`in,`out,d and message space {0, 1} .

0 λ th • Obf (1 ,P, msg, α): Let msgi denote the i bit of msg for i ≤ l, and s[i,j] be substring of s consisting starting with the ith bit of s and ending with the jth bit.

The obfuscation algorithm ﬁrst chooses a hash function h. Let Qi be a

`in circuit that takes as input x ∈ {0, 1} and outputs PRG(h(P (x)))[(i−1)·λ+1,i·λ].

λ i The obfuscation algorithm computes Pei ← Obf(1 ,Q , msgi, PRG(h(α))[(i−1)·λ+1,i·λ]) for each i ≤ l. The ﬁnal obfuscated program is Pe1,..., Pel .

0 • Eval Pe1,..., Pel , x : The evaluation algorithm computes yi = Eval(Pei, x)

for each i ≤ l. If any yi =⊥, it outputs ⊥. Else, it outputs (y1, . . . , yl).

209 Correctness We will show that the above scheme satisfies the semi-statistical correctness definition if the underlying scheme also satisfies the semi-statistical correctness notion. Fix any security parameter λ, program P , string α, input x and message msg. If P (x) = α, then it follows directly that Eval0 Obf0 1λ,P, msg, α , x = msg.

If P (x) 6= α, then we need to show that with high probability (over the coins of obfuscation), the evaluation algorithm outputs ⊥. Let β = PRG(h(α)),

i and let β = β[(i−1)·λ+1,i·λ] for simplicity of notation. Fix any i ∈ [l], and let Badi

i denote the event that PRG(h(P (x)))[(i−1)·λ+1,i·λ] = β , and let Ei be the event that Eval(Pei, x) 6=⊥. Using the pairwise independence property, we can argue

−`H that Pr[Badi] ≤ 2 , and using the underlying obfuscator’s semi-statistical correctness, we get that Pr[Ei | Badi] ≤ negl(λ). This implies Pr[Ei] ≤ negl(λ), and hence with overwhelming probability, the evaluation algorithm outputs ⊥.

Security Security follows from a hybrid argument. The simulator will run the underlying scheme’s simulator l times. To prove that this is indistinguishable from the honestly computed obfuscation, we deﬁne l + 2 intermediate hybrid obfuscations. In the ﬁrst hybrid, we switch h(α) to be a uniformly random string. This follows from the Leftover Hash Lemma. Next, we switch PRG(h(α)) to a uniformly random l · λ bit string. This follows from the security of PRG. At this point, each of the locks for each of the l calls to Obf are independent and uniformly random strings. We can now simulate each of

210 them independently. In the (i + 2)th one, the challenger simulates the ﬁrst i obfuscations, and honestly computes the remaining l − i obfuscations. The (i + 1)th and (i + 2)th hybrids are computationally indistinguishable due to security of the underlying obfuscation scheme.

3.3.4 Relationship with Existing Cryptographic Primitives

The notion of lockable obfuscation has some similarities with existing cryptographic primitives such as witness encryption and obfuscation for evasive function classes. In this section, we look at these similarities in more detail, and discuss how this new primitive diﬀers from the existing ones.

Witness Encryption Garg, Gentry, Sahai and Waters [290] introduced the notion of witness encryption. A witness encryption scheme for language L consists of an encryption algorithm and a decryption algorithm. Using the encryption algorithm, one can encrypt a message x for any instance x. If x ∈ L and w is a witness certifying that x ∈ L, then the ciphertext can be decrypted using w. The correctness requirement is natural: let ct be an encryption of m for instance x. If x ∈ L and w is a valid witness, then decryption of ct using w outputs m. Security, on the other hand, is guaranteed only for x∈ / L.

In particular, if x∈ / L, then encryption of m0 for x is indistinguishable from encryption of m1 for x.

An lockable obfuscator for circuit class Cn,m,d can be used to encrypt

211 messages for NP statements of the form:

xP,α = ∃ y s.t. P (y) = α.

However, note that the security of lockable obfuscators works only when α is chosen uniformly at random. Moreover, the ‘lock’ α is not revealed to the adversary. On the other hand, in the security game of witness encryption, the adversary knows the instance xP α, which in turn reveals α.

Obfuscation for Evasive Functions Barak, Bitansky, Canetti, Kalai, Paneth and Sahai [58] studied obfuscation for evasive function families - function families where for any input x in the domain, most functions in the family output 0.

In our case, for any program P ∈ Cn,m,d, message msg and lock α, the function QP,α,msg outputs 1 on input x iﬀ P (x) = α and msg = 1. As a result, if m is signiﬁcantly larger than n, then for any P , the function family

{QP,α,msg}α,msg is an evasive function family. Our deﬁnition of lockable obfuscation is stronger than the notion of VBB for the function class {QP,α,msg}α,msg because in our case, the adversary must not learn even the program P . How- ever, in the cas

3.4 Our Construction

In this section, we present our lockable obfuscation scheme. For any polynomials ìn, òut, d such that òut = ω(log λ), we construct a lockable ob-

212 fuscation scheme O = (Obf, Eval) for the circuit class C`in,`out,d. The message space for our construction will be {0, 1}, although one can trivially extend it to {0, 1}`(λ) for any polynomial `.

The tools required for our construction are as follows:

- A compact leveled homomorphic bit encryption scheme (LHE.Setup, LHE.Enc,

LHE.Eval, LHE.Dec) with decryption circuit of depth dDec(λ) and cipher-

texts of length `ct(λ).

- A pairwise independent hash family H : {0, 1}`out(λ) → {0, 1}`H(λ) which

can be implemented by a circuit of logarithmic depth dH(λ).

- A pseudorandom generator PRG : {0, 1}`H(λ) → {0, 1}`PRG(λ) of depth

dPRG(λ).

For notational convenience, let ìn = ìn(λ), òut = òut(λ), `H = `H(λ), `PRG =

`PRG(λ), dDec = dDec(λ), dH = dH(λ), dPRG = dPRG(λ) and d = d(λ).

Fix any < 1/2. Let χ be a B-bounded discrete Gaussian distribution √ with parameter σ such that B = m · σ. Let n, m, `, σ, q, Bd be parameters with the following constraints:

- n = poly(λ) and q ≤ 2n (for LWE security)

- `H = ω(log λ) (for PRG security)

- `out − `H = ω(log λ) (for strong extraction)

- m = Ω(n · log q) (for SamplePre)

213 √ - σ = ω( n · log q · log m) (for Preimage Well Distributedness)

- `PRG = n · m · log q + ω(log n) (for applying Leftover Hash Lemma)

- `PRG − `H = ω(log λ) (for correctness of scheme)

2 L 1/4 - Bd = `PRG · L · (m · σ) < q (for correctness of scheme)

dDec+dH+dPRG (where L = `out · `ct · 4 )

First, note that it is important that L = λc for some constant c and

L 1/4 Bd = `PRG · L · (m · σ) < q . This crucially relies on the fact that the LHE scheme is compact (so that `ct is bounded by a polynomial) and that the LHE decryption, hash function evaluation and PRG computation can be performed by a log depth circuit (i.e, have poly length branching programs). The constant c depends on the LHE scheme, pairwise independent hash function and PRG.

One possible setting of parameters is as follows: n = λ4c/, m = n1+,

n 2+2 q = 2 , σ = n, `PRG = n and `H = `out/2.

We will now describe the obfuscation and evaluation algorithms.

• Obf(1λ,P, msg, α): The obfuscation algorithm takes as input a program

òut P ∈ Cìn,òut,d, message msg ∈ {0, 1} and α ∈ {0, 1} . The obfuscator proceeds as follows:

1. First, it chooses the LHE key pair as (lhe.sk, lhe.ek) ← LHE.Setup(1λ, 1d log d).6

6We set the LHE depth bound to be d log d, where the extra log factor is to account for the constant blowup involved in using a universal circuit. In particular, we can set the LHE depth bound to be c · d where c is some ﬁxed constant depending on the universal circuit.

214 2. Next, it encrypts the program P . It sets ct ← LHE.Enc(lhe.sk,P ).7

3. It then chooses a pairwise independent hash function h ← H. Let β = PRG(h(α)).

4. Next, consider the following circuit Q which takes as input `out · `ct

bits of input and outputs `PRG bits. Q takes as input `out LHE ciphertexts {ct } , has LHE secret key lhe.sk hardwired and i i≤`out

computes the following — (1) it decrypts each input ciphertext cti

(in parallel) to get string x of length òut bits, (2) it sequentially applies the hash function and PRG on x and outputs PRG(h(x)). Con- cretely, Q(ct1,..., ctòut ) = PRG h LHE.Dec(lhe.sk, ct1) || · · · || LHE.Dec(lhe.sk, ctòut ) .

(i) For i ≤ `PRG, we use BP to denote the ﬁxed-input selector permutation branching program that outputs the ith bit of output of

circuit Q. Note that Q has depth dtot = dDec +dH +dPRG. By Corol- lary 3.2, we know that each branching program BP(i) has length

dtot L = `out · `ct · 4 and width 5.

5. Finally, the obfuscator creates matrix components which enable the evaluator to compute msg if it has an input strings (ciphertexts)

ct1,..., ctòut such that Q(ct1,..., ctòut ) = β. Concretely, it runs the (randomized) routine Comp-Gen (defined in Figure 3.1). This

7Note that LHE scheme supports bit encryption. Therefore, to encrypt P , a multi-bit message, the FHE.Enc algorithm will be run independently on each bit of P . However, for notational convenience throughout this section we overload the notation and use FHE.Enc and FHE.Dec algorithms to encrypt and decrypt multi-bit messages respectively.

215 routine takes as input the circuit Q in the form of `PRG branching

(i) programs {BP }i, string β and message msg. n (i) o n (i,0) (i,1)o (i) Let B0,1 , Cj , Cj ← Comp-Gen({BP }i, β, msg). i i,j 6. The ﬁnal obfuscated program consists of the LHE evaluation key ek = lhe.ek, LHE ciphertexts ct, together with the components n (i) o n (i,0) (i,1) o B0,1 , (Cj , Cj ) . i i,j

• Eval(P˜ , x): The evaluation algorithm takes as input obfuscated program

n (i) o n (i,0) (i,1) o ˜ `in P = ek, ct, B0,1 , (Cj , Cj ) and input x ∈ {0, 1} . It per- i i,j forms the following steps.

1. The evaluator ﬁrst constructs a universal circuit Ux(·) with x hardwired as input. This universal circuit takes a circuit C as input

and outputs Ux(C) = C(x). Using the universal circuit of Cook

and Hoover [222], it follows that Ux(·) has depth O(d).

2. Next, it performs homomorphic evaluation on ct using circuit Ux(·).

It computes cte = LHE.Eval(ek,Ux(·), ct). Note that `ct ·`out denotes th the length of cte (as a bitstring), and let cte i denote the i bit of cte .

3. The evaluator then obliviously evaluates the `PRG branching pro-

grams on input cte using the matrix components. It calls the component evaluation algorithm Comp-Eval (deﬁned in Figure 3.2). Let n (i) o n (i,0) (i,1) o y = Comp-Eval cte , B0,1 , (Cj , Cj ) . The evalua- i i,j tor outputs y.

216 3.4.1 Security

We will now prove the scheme secure as per Definition 3.16. For proving security, we will first need to define a PPT simulator. The simulator Sim gets as input the security parameter λ and size of program 1|P |, and it must output a simulated program.

We emphasize that our proof will use a polynomial number of hybrids and each (computational) reduction will only rely on a primitive being secure against poly-time attackers. Thus we avoid making any subexponential hardness assumptions.

3.4.1.1 Simulator Sim

The simulator ﬁrst chooses the parameters n, m, q, σ, `PRG as in the original scheme. Next, it chooses LHE secret/evaluation keys. It computes (sk, ek) ← LHE.Setup(1λ, 1d log d) (note that the depth d of the circuit class is ﬁxed for the scheme). It then computes an encryption of 0|P |. Let ct ←

|P | (i) n×m LHE.Enc(sk, 0 ). Finally, the simulator chooses `PRG matrices B0,1 ← Zq (i,0) (i,1) (i,b) and low norm matrices {(Cj , Cj )}i,j for i ≤ `PRG, j ≤ L where Cj ← χm×m. The obfuscation consists of the LHE evaluation key ek, ciphertext ct, n (i) o n (i,0) (i,1) o together with the components B0,1 , (Cj , Cj ) . i i,j

To prove security, we will deﬁne a sequence of hybrids, and show that the hybrids are computationally indistinguishable. The ﬁrst hybrid corresponds to the case when the challenger outputs an obfuscation of the program, while the

217 ﬁnal hybrid corresponds to one where the challenger outputs an obfuscation of an ‘all-reject’ program. At a high level, our aim is to replace the LHE encryption of the program P with an encryption of all-zeroes string, and to remove the message msg from the matrix components. To achieve this, we will ﬁrst replace the matrix components with random low-norm matrices. This switch ensures that the matrix components contain no information about the msg or the LHE secret key. We can then switch the encryption of P with encryption of all-zeroes string.

3.4.1.2 Sequence of Hybrid Games

In the security game, the adversary A starts by choosing a program

P ∈ Cìn,òut,d and message msg ∈ {0, 1}. It sends the P, msg to the challenger and the challenger chooses a random bit ζ. If ζ = 0, the challenger computes program Pe as an obfuscation of P for message msg with random lock using the obfuscation algorithm. Otherwise, the challenger computes Pe using the simulator. Now, in the sequence of hybrids described below, Game 0 will correspond to the case ζ = 0 (i.e., the challenger computes the obfuscated program honestly) and (final) Game 5 will correspond to ζ = 1 (i.e., the challenger simulates the obfuscated program).

In the following hybrid description, we only describe the challenger’s execution and in the later games, we only highlight the changes made in each consecutive hybrid. Note that the program P and message msg are provided by A to the challenger.

218 Game 0: As mentioned above, in this game the challenger computes the obfuscated program honestly.

1. The challenger ﬁrst chooses the LWE parameters n, m, q, σ, χ and `PRG. Recall L denotes the length of the branching programs. 2. It chooses (sk, ek) ← LHE.Setup(1λ, 1d log d) and sets ct ← LHE.Enc(sk,P ).

3. Next, it chooses a uniformly random string α ← {0, 1}`out , hash function h ← H and sets β = PRG(h(α)). 4. Next, consider the following program Q. It takes as input an LHE ciphertext ct, has sk hardwired and does the following: it decrypts the input ciphertext ct to get string x and outputs PRG(h(x)). For

(i) th i ≤ `PRG(λ), let BP denote the branching program that outputs the i bit of PRG(h(x)).

(i) 5. It chooses `PRG uniformly random matrices BL of dimensions 5n × m, (i) such that the following constraint is satisﬁed (recall BL,1 represents the (i) (i) (i) ﬁrst n rows of BL , BL,2 represents the next n rows of BL , etc) ( X (i) X (i) 0 if msg = 0. B + B = L,rej(i) L,acc(i) √ n×(m−n) q · In || 0 if msg = 1. i : βi=0 i : βi=1

(i) (i) 5n m 6. For i = 1 to `PRG and j = 0 to L−1, it chooses (Bj ,Tj ) ← TrapGen(1 , 1 , q).

7. Next, it generates the components for each level. For each i ∈ [1, `PRG] and each level level ∈ [1,L], do the following:

(0) (1) n×n (i,0) (i,1) 5n×m (a) Choose matrices Slevel, Slevel ← χ and Elevel , Elevel ← χ for (0) (1) i ≤ `PRG. If either Slevel or Slevel has determinant zero, then set it

to be In.

219 (i,b) (b) For b ∈ {0, 1}, set matrix Dlevel as a permutation of the matrix (i) (i) blocks of Blevel according to the permutation σlevel,b(·). (i,b) (b) (i,b) (i,b) (c) Set Mlevel = I5 ⊗ Slevel · Dlevel + Elevel for i ≤ `PRG. (i,b) (i) (i) (i,b) (d) Compute Clevel ← SamplePre(Blevel−1,Tlevel−1, σ, Mlevel)

8. The ﬁnal obfuscated program consists of the LHE evaluation key ek, LHE n (i) o n (i,0) (i,1) o encryption ct, together with the components B0,1 , (Cj , Cj ) . i i,j

Game 1: In this experiment, the challenger replaces h(α) with a uniformly

0 (0) (1) random string α . Also, it chooses the matrices Slevel, Slevel without checking if their determinant is non-zero.

3. Next, it chooses a hash function h ← H, a uniformly random string

α0 ← {0, 1}`H and sets β = PRG(α0).

7. Next, it generates the components for each level. For each level level ∈ [1,L], do the following:

(0) (1) n×n (i,0) (i,1) 5n×m (a) Choose matrices Slevel, Slevel ← χ and Elevel , Elevel ← χ for

i ≤ `PRG. (i,b) (b) For b ∈ {0, 1}, set matrix Dlevel as a permutation of the matrix (i) (i) blocks of Blevel according to the permutation σlevel,b(·). (i,b) (b) (i,b) (i,b) (c) Set Mlevel = I5 ⊗ Slevel · Dlevel + Elevel for i ≤ `PRG. (i,b) (i) (i) (i,b) (d) Compute Clevel ← SamplePre(Blevel−1,Tlevel−1, σ, Mlevel)

220 Game 2: In this experiment, the challenger replaces the pseudorandom string β = PRG(α0) with a truly random string.

3. Next, it chooses a hash function h ← H, a uniformly random string

β ← {0, 1}`PRG .

Game 3: In this experiment, the challenger chooses the top level matrices uniformly at random.

(i) 5. It chooses `PRG uniformly random matrices BL of dimensions 5n × m, without any constraints.

We will now deﬁne 4L+1 intermediate game Game (4, j∗, 0), Game (4, j∗, 1), Game (4, j∗, 2), Game (4, j∗, 3) for j∗ ∈ {0, 1,...,L − 1} and Game (4, L, 0). The experiment Game (4, 0, 0) will be same as Game 3.

Game (4, j∗, 0): In this experiment, the challenger chooses the top j∗ + 1

(i) ∗ matrices Bj uniformly at random (without a trapdoor). Also, the top j

(i,b) ∗ Cj matrices, for j > L−j , are chosen randomly from the noise distribution χm×m.

6. For i = 1 to `PRG and j = 0 to L − 1,

∗ (i) (i) 5n m • if j < L − j it chooses (Bj ,Tj ) ← TrapGen(1 , 1 , q).

∗ (i) 5n×m • if j ≥ L − j , it chooses Bj uniformly at random from Zq .

221 7. Next, it generates the components for each level. For each level level ∈ [1,L − j∗], do the following:

(0) (1) n×n (i,0) (i,1) 5n×m (a) Choose matrices Slevel, Slevel ← χ and Elevel , Elevel ← χ for

∗ (i,b) m×m For all level > L − j , i ≤ `PRG and b ∈ {0, 1} choose Clevel ← χ .

∗ (i,0) Game (4, j , 1): In this experiment, the challenger chooses Mlevel uniformly ∗ (i,1) at random for level = L − j (Mlevel is same as before).

7. Next, it generates the components for each level. For each level level ∈ [1,L − j∗], do the following:

(0) (1) n×n (i,0) (i,1) 5n×m (a) Choose matrices Slevel, Slevel ← χ and Elevel , Elevel ← χ for

i ≤ `PRG. (i,b) (b) For b ∈ {0, 1}, set matrix Dlevel as a permutation of the matrix (i) (i) blocks of Blevel according to the permutation σlevel,b(·). ∗ (i,0) 5n×m (i,1) (c) If level = L−j , choose Mlevel ← Zq and Mlevel same as previous hybrid.

(i,b) (b) (i,b) (i,b) Else set Mlevel = I5 ⊗ Slevel · Dlevel + Elevel for i ≤ `PRG.

222 (i,b) (i) (i) (i,b) (d) Compute Clevel ← SamplePre(Blevel−1,Tlevel−1, σ, Mlevel)

∗ (i,b) m×m For all level > L − j , i ≤ `PRG and b ∈ {0, 1} choose Clevel ← χ .

∗ (i,b) Game (4, j , 2): In this experiment, the challenger chooses Mlevel uniformly at random for level = L − j∗ and b ∈ {0, 1}.

7. Next, it generates the components for each level. For each level level ∈ [1,L − j∗], do the following:

(0) (1) n×n (i,0) (i,1) 5n×m (a) Choose matrices Slevel, Slevel ← χ and Elevel , Elevel ← χ for

i ≤ `PRG. (i,b) (b) For b ∈ {0, 1}, set matrix Dlevel as a permutation of the matrix (i) (i) blocks of Blevel according to the permutation σlevel,b(·). ∗ (i,b) 5n×m (c) If level = L − j , choose Mlevel ← Zq . (i,b) (b) (i,b) (i,b) Else set Mlevel = I5 ⊗ Slevel · Dlevel + Elevel for i ≤ `PRG. (i,b) (i) (i) (i,b) (d) Compute Clevel ← SamplePre(Blevel−1,Tlevel−1, σ, Mlevel)

∗ (i,b) m×m For all level > L − j , i ≤ `PRG and b ∈ {0, 1} choose Clevel ← χ .

∗ (i,b) Game (4, j , 3): In this experiment, the challenger chooses CL−j∗ from the noise distribution.

7. Next, it generates the components for each level. For each level level ∈ [1,L − j∗], do the following:

223 (0) (1) n×n (i,0) (i,1) 5n×m (a) Choose matrices Slevel, Slevel ← χ and Elevel , Elevel ← χ for

i ≤ `PRG. (i,b) (b) For b ∈ {0, 1}, set matrix Dlevel as a permutation of the matrix (i) (i) blocks of Blevel according to the permutation σlevel,b(·). (i,b) (b) (i,b) (i,b) (c) Set Mlevel = I5 ⊗ Slevel · Dlevel + Elevel for i ≤ `PRG. ∗ (i,b) m×m (d) If level = L − j , then choose CL−j∗ ← χ for b ∈ {0, 1}. (i,b) (i) (i) (i,b) Else compute Clevel ← SamplePre(Blevel−1,Tlevel−1, σ, Mlevel)

∗ (i,b) m×m For all level > L − j , i ≤ `PRG and b ∈ {0, 1} choose Clevel ← χ .

Game 5: In this experiment, the challenger computes an encryption of 0|P | instead of an encryption of P . Note that the LHE secret key sk is not required at any other step in this experiment. This corresponds to the challenger simulating the program.

2. It chooses (sk, ek) ← LHE.Setup(1λ, 1d log d) and sets ct ← LHE.Enc(sk, 0|P |).

3.4.1.3 Analysis

We will now show that the above hybrid experiments are computation-

A ally indistinguishable. For any adversary A, let pi denote the probability that the adversary outputs 1 in Game i.

A A Claim 3.1. For any adversary A, |p0 − p1 | ≤ negl(λ).

Proof. The proof of this claim relies on the fact that a pairwise independent hash function (with appropriate domain and co-domain) is a strong extractor.

224 There are two differences between these two experiments. First, in one case, the challenger chooses h ← H, α ← {0, 1}òut and sets β = PRG(h(α)), while in the other case, the challenger chooses h ← H, α0 ← {0, 1}òut and sets β = PRG(α0). Secondly, in Game 0, the challenger ensures that the matrices

(0) (1) Slevel, Slevel are full-rank, while in Game 1, it chooses these matrices from χ without the rank check. Note that any n×n matrix sampled from χ is full rank with all but negligible probability. Therefore, this switch is indistinguishable. We will now show that switching h(α) to a uniformly random string is also statistically indistinguishable.

A A Suppose there exists an adversary A such that |p0 − p1 | = . We can construct a reduction algorithm B that can break the strong extraction property of H with probability . The reduction algorithm receives (h, γ) from the strong extractor challenger, and P, msg from the adversary A. It chooses LHE keys (sk, ek) ← LHE.Setup(1λ, 1d log d), computes an encryption of P as ct ← LHE.Enc(sk,P ) and sets β = PRG(γ). Next, it deﬁnes the program Q which takes as input an LHE ciphertext, and has sk hardwired. Q ﬁrst decrypts

(i) the input ciphertext to compute y, then computes PRG(h(y)). Let {BP }i be the branching progams corresponding to Q. The reduction algorithm computes

(i) the components using Comp-Gen({BP }i, β, msg), which is identical in both experiments. It sends the components, together with ek and ct, to A and the adversary outputs a bit b0. If b0 = 1, the reduction algorithm guesses that γ is an evaluation of the hash function. The reduction algorithm has advantage

A A |p0 − p1 | = in the strong extractor experiment.

225 A Claim 3.2. Assuming the security of PRG, for any PPT adversary A, |p1 −

A p2 | ≤ negl(λ).

Proof. We describe a reduction algorithm B which plays the indistinguishability based game with PRG challenger.8 B receives β from the PRG challenger, and P, msg from the adversary A. It then chooses (sk, ek) ← LHE.Setup(1λ, 1d log d) and computes ct ← LHE.Enc(sk,P ). Next, it deﬁnes the program Q which takes as input an LHE ciphertext, and has sk hardwired. Q ﬁrst decrypts the

(i) input ciphertext to compute y, then computes PRG(h(y)). Let {BP }i be the branching progams corresponding to Q. The reduction algorithm computes

(i) the components using Comp-Gen({BP }i, β, msg), which is identical in both experiments. It sends the components, together with ek and ct, and the adversary outputs a bit b0. If b0 = 1, the reduction algorithm guesses that β is an evaluation of the hash function.

Note that when the PRG challenger sends a pseudorandom string β = PRG(α0) for a uniformly random α0, then B exactly simulates the view of Game 1 for A. Otherwise if the PRG challenger outputs a uniformly random

A A string, then B exactly simulates the view of Game 2. Therefore, if |p1 − p2 | is non-negligible, then PRG is not a secure pseudorandom generator.

A A Claim 3.3. For any adversary A, |p2 − p3 | ≤ negl(λ).

8Note that if A is a non-uniform attacker, then our reduction algorithm will be non- uniform as well.

226 Proof. This step is information theoretic, and uses the Leftover Hash Lemma (matrix version, Corollary 3.1).

Note that the diﬀerence between Game 2 and 3 is the way top level

(i) matrices BL are sampled during the component generation phase. In Game 2,

(`PRG) matrix B `PRG is chosen as L,stL ( (`PRG) H if msg = 0 B (` ) = √ L,st PRG n×(m−n) L H + q · In || 0 if msg = 1 where H = − P B(i) + P B(i) , st(`PRG) is i≤`PRG−1 : βi=0 L,rej(i) i≤`PRG−1 : βi=1 L,acc(i) L

(`PRG) (`PRG) acc if β`PRG = 1, and rej otherwise. It can be equivalently written as follows h i B(`PRG) = −A·R, A = B(1) || B(1) || ... ||B(`PRG−1) || B(`PRG−1) (`PRG) L,rej(1) L,acc(1) L,rej(`PRG−1) L,acc(`PRG−1) L,stL

> 2`PRG−2 where R = u⊗Im ∈ Zq2m(`PRG − 1) × m, u = (u1, . . . , u2`PRG−2) ∈ {0, 1} and for all i ≤ `PRG − 1, u2i = βi and u2i−1 = 1 − βi. That is, matrix R con-

th sists of 2`PRG − 2 submatrices where if βi = 1, then its 2i submatrix is identity and (2i − 1)th submatrix is zero, otherwise it is the opposite. Let R denote the distribution of matrix R as described above with β drawn uni-

`PRG formly from {0, 1} . Note that H∞(R) = `PRG − 1 (min-entropy of R), and

`PRG > m · n log2 q + ω(log n). Therefore, it follows (from Corollary 3.1) that A, B(`PRG) = −A · R : A ← n × 2m(` − 1), R ← R (`PRG) Zq PRG L,stL

≈s A, B(`PRG) : A ← n × 2m(` − 1), B(`PRG) ← n×m (`PRG) Zq PRG (`PRG) Zq L,stL L,stL A A Thus, |p2 −p3 | is negligible in the security parameter for all adversaries A.

227 ∗ A A Claim 3.4. For all j ∈ [1,L], for all A, |p(4,j∗−1,3) − p(4,j∗,0)| ≤ negl(λ).

Proof. This proof relies on the Matrix Well Distributedness property of TrapGen (see Deﬁnition 3.1). The only diﬀerence in Game (4, j∗−1, 3) and Game (4, j∗, 0)

(i) ∗ (i) is the choice of {BL−j∗ }. In Game (4, j − 1, 3), {BL−j∗ } is chosen with a trap- ∗ door for all i ≤ `PRG. In Game (4, j , 0), these matrices are chosen uniformly at random. Note that in both the experiments, the trapdoors corresponding

(i) (i,b) to BL−j∗ are not used, since the matrix components {CL−j∗+1}i,b are chosen from the noise distribution χ. As a result, using the Matrix Well Distributed- ness property of TrapGen, we can argue that these two games are statistically

A A indistinguishable, and therefore |p(4,j∗−1,3) − p(4,j∗,0)| ≤ negl(λ).

Claim 3.5. Assuming the LWE with short secrets assumption (Assumption 3.2)

∗ A A For all j ∈ [0,L − 1], for all PPT adversaries A, |p(4,j∗,0) − p(4,j∗,1)| ≤ negl(λ)

∗ (i,0) (0) Proof. In Game (4, j , 0), the challenger computes ML−j∗ as I5 ⊗ SL−j∗ · (i,0) (i,0) ∗ DL−j∗ + EL−j∗ . In Game (4, j , 1), this matrix is chosen uniformly at random. We will use the LWE assumption (short secrets version) to prove that these two hybrids are indistinguishable.

Suppose there exists a PPT adversary A that can distinguish between these two games with advantage . Then we can consruct a reduction algorithm B that can break the LWE-ss assumption. First, B receives as LWE-ss challenge two matrices (F, G) of dimensions n×5`PRG ·m, and P, msg from the adversary A. It then partitions F into `PRG submatrices of dimensions n × 5m as [F(1) || ... || F(`PRG)]. Further, each matrix F(i) is parsed into 5 matrices of

228 (i) (i) dimensions n × m as [F1 || ... || F5 ]. Similarly, the matrix G is partitioned (i) into {Gk }i≤`PRG,k≤5.

The reduction algorithm chooses the LHE keys and computes the ciphertext as in the two games. Next, it needs to choose the matrix components.

∗ (i) ∗ First, it chooses the top j − 1 matrices {Bj }i≤`PRG,j>L−j uniformly at ran-

∗ (i,0) (i,1) ∗ dom, and the top j −1 components {(Cj , Cj )}i≤`PRG,j>L−j from the noise (i) (i) distribution. It then sets BL−j∗,k = Fk for all i ≤ `PRG, k ≤ 5.

(i) (i,0) The reduction algorithm then uses Gk to deﬁne ML−j∗ as follows:

 (i)  G σ(i) (1)  L−j∗,0  (i,0)  .  ML−j∗ =  .  .  (i)  G (i) σL−j∗,0(5)

(i,1) The matrix ML−j∗ is computed identically in both the games. Using (i) (i,1) BL−j∗ , the reduction algorithm can compute ML−j∗ . Finally, it computes (i,b) CL−j∗ for all i ≤ `PRG, b ∈ {0, 1}.

The remaining components are computed identically in both games, and the reduction algorithm can perfectly simulate them. Finally, it sends all the components, together with the LHE evaluation key and ciphertext. The adversary sends a bit b0. If b0 = 1, the reduction algorithm guesses that G = S · F + E for some matrices S, E drawn from the noise distribution. If b0 = 0, then the reduction algorithm guesses that G is random.

If G is an LWE sample, then B simulates Game (4, j∗, 0), else it simu-

∗ A A lates Game (4, j , 1). The advantage of B is p(4,j∗,0) − p(4,j∗,1).

229 Claim 3.6. Assuming the LWE with short secrets assumption (Assumption 3.2)

∗ A A For all j ∈ [0,L − 1], for all PPT adversaries A, |p(4,j∗,1) − p(4,j∗,2)| ≤ negl(λ)

∗ (i,1) (1) Proof. In Game (4, j , 1), the challenger computes ML−j∗ as I5 ⊗ SL−j∗ · (i,1) (i,1) ∗ DL−j∗ + EL−j∗ . In Game (4, j , 2), this matrix is chosen uniformly at random. This proof is identical to the previous proof.

∗ A A Claim 3.7. For all j ∈ [0,L − 1], for all A, |p(4,j∗,2) − p(4,j∗,3)| ≤ negl(λ).

Proof. The proof of this claim relies on the preimage well-distributedness property of lattice trapdoor sampler (TrapGen, SamplePre) (Deﬁnition 3.1). Note

(i,b) that the only diﬀerence between these two games is with regard to CL−j∗ . In Game (4, j∗, 2) these matrices are computed using the SamplePre algorithm.

∗ (i,b) In Game (4, j , 3), they’re chosen from the noise distribution χ. Since ML−j∗ is chosen uniformly at random, we can use the preimage well-distributedness property to argue that the two games are statistically indistinguishable.

Claim 3.8. Assuming the LHE scheme is IND-CPA secure, for all PPT ad-

A A versaries A, |p4,L,0 − p5 | ≤ negl(λ).

A A Proof. The only diﬀerence between p4,L,0 and p5 is that the LHE ciphertext is an encryption of P in one case, and an encryption of 0|P | in the other. Note that in both games, the LHE secret key is only used for computing the ciphertext (it is not used by the branching programs BP(i)). Suppose there

230 exists an adversary A that can distinguish between these two games. Then we can construct a reduction algorithm B that breaks the IND-CPA security of the LHE scheme.

The reduction algorithms receives P, msg from the adversary A, and sends P, 0|P | to the LHE challenger. It receives an evaluation key ek and

(i) a ciphertext ct. It then chooses the matrix components B0 uniformly at (i,b) random, and the components {Cj }i,j,b from the noise distribution. Finally, it sends ek, ct and the matrix components to the adversary. The adversary sends a bit b0. If b0 = 1, then the reduction algorithm guesses that ct is an encryption of P , else it guesses that ct is an encryption of 0|P |. Note that the

A A advantage of B in the IND-CPA game is |p(4,L,0) − p5 |.

3.4.2 On the Need for a Pseudo Random Generator

An interesting question is whether the application of a Pseudo Ran- dom Generator is actually necessary for the security of our construction. A natural alternative construction would be to use the same overall struc-

ture with the modiﬁcation that the circuit Q computes Q(ct1,..., ct`out ) =

LHE.Dec(lhe.sk, ct1) || · · · || LHE.Dec(lhe.sk, ct`out ). In particular, Q just performs an LHE decryption and does not compute a pairwise independent hash and pseudo random generator to the result. In this case we set β = α instead of β = PRG(h(α)).

While we do not rule out that such a construction might work, there appear to be some inherent tensions in setting parameters to prove such a

231 system secure. Let’s return to the proof of the scheme as it is. A critical proof step is to move from Game 2 to Game 3 where in Game 2 it chooses the B(i) , B(i) values such that L,acc(i) L,rej(i)

( n×m X (i) X (i) 0 if msg = 0. B + B = L,rej(i) L,acc(i) √ n×(m−n) q · In || 0 if msg = 1. i : βi=0 i : βi=1 Whereas in Game 3 all are chosen uniformly at random. By our choice of parameters we have that `PRG n · m · log q. Therefore, with high probability, there will be many strings w such that P B(i) = 0. It follows that i : wi=0 L,wi (in the case where the message bit is 0) programming the matrices so that on a random β P B(i) = 0 is statistically close to just choosing them i : βi=0 L,βi uniformly at random.

Now if we instead use the alternative construction we have that there are òut pairs of matrices instead at the last level instead of `PRG. In our construction òut < ìn since the input HE ciphertext must be big enough to encrypt α. And ìn < log q due to the noise accumulation in our construction.

So we have that `out log q and the statistical argument we used earlier for going from Game 2 to Game 3 no longer holds. We might instead consider a computational argument for moving between these games where the LWE assumption with binary secrets is a natural candidate. Unfortunately, known conversions [152, 441] between standard LWE and binary LWE require the LWE challenge vector to increase by a factor of log q which would again violate our parameter constraints.

Another interesting question is whether the pairwise independent hash

232 function could be removed from our construction where the circuit Q would go straight from decrypting the HE ciphertext to evaluating a pseudorandom generator. Currently, the pairwise indepdent hash function is in place to as- sure semi-statistical correctness of Definition 3.15. Consider a pseudorandom generator PRG that always ignored its first input bit. Furthermore consider a program P , input x, lock value α such that P (x) =α ˜, whereα ˜ is a bitstring that equals α at all bit positions except the first. Then the triple P , input x, lock value α would violate semi-statistical correctness under the construction where the pairwise independent hash function is removed.

3.5 Predicate Encryption: Achieving 1-Sided Security

Below we first give a formal description of our transformation for the case of a key-policy ABE (KP-ABE) system where the decryption algorithms are of a bounded depth and size. We follow (in this section) by enumerating different forms of Attribute-Based Encryption and informally discussing how our transformation could be adapted to each case. We finally sketch a deriva- tive application where we can encrypt to an arbitrarily formed public key and hide from everyone except the receiver which public key we encrypted to.

3.5.1 Key-Policy ABE with Bounded Decryption Depth and Size

In this section, we construct a PE scheme which achieves 1-sided security from any KP-ABE scheme and a lockable obfuscator. Our construction inherits the attribute space and predicate class of the underlying KP-ABE

233 scheme.

Outline. The central idea is to hide the ciphertext inside an obfuscated circuit. During encryption, instead of encrypting the message m (using the underlying encryption algorithm), the encryptor chooses a lock value α for obfuscation and encrypts the lock value α under the input attribute x to get ciphertext ctα. Next, it obfuscates (under the same lock value α) the decryption circuit of the underlying ABE scheme with the ciphertext ctα (encrypting lock value) hardwired. Now, output of this obfuscated circuit Pe would be set to be the actual message m and the obfuscated circuit Pe will be the ﬁnal ciphertext. Observe that given any valid secret key skC (such that C(x) = 1), one could simply evaluate the obfuscated circuit using the secret key and its output would guaranteed to be message m by correctness of the underlying decryption and evaluation algorithms. At a high level, this hides the attribute x because if the adversary can not decrypt the ciphertext ctα containing the lock value α (i.e, it does not know the secret key for the corresponding attribute), then it has not no information about the lock value α. Therefore, by the obfuscation security, we can guarantee that the circuit Pe (i.e., challenge ciphertext) could be simulated instead. Below we describe our construction PE = (Setup, Enc, KeyGen, Dec) for attribute spaces {X } , predicate classes λ λ∈N {C } and 1-bit messages. λ λ∈N

234 Background: Attribute Based Encryption and Weak Attribute Hid- ing Predicate Encryption A key-policy attribute based encryption (KP- ABE) scheme ABE, for set of attribute spaces X = {X } , predicate classes λ λ∈N C = {C } and message spaces M = {M } , consists of four polytime λ λ∈N λ λ∈N algorithms (Setup, Enc, KeyGen, Dec) with the following syntax:

λ • Setup(1 , Xλ, Cλ, Mλ) → (pp, msk). The setup algorithm takes as input

the security parameter λ and a description of attribute space Xλ, predi-

cate class Cλ and message space Mλ, and outputs the public parameters pp and the master secret key msk.

• Enc(pp, x, m) → ct. The encryption algorithm takes as input public

parameters pp, an attribute x ∈ Xλ and a message m ∈ Mλ. It outputs a ciphertext ct.

• KeyGen(msk,C) → skC . The key generation algorithm takes as input

master secret key msk and a predicate C ∈ Cλ. It outputs a secret key

skC .

• Dec(skC , ct) → m or ⊥. The decryption algorithm takes as input a secret

key skC and a ciphertext ct. It outputs either a message m ∈ Mλ or a special symbol ⊥.

A key-policy attribute based encryption scheme is said to be correct

λ if for all λ ∈ N,(pp, msk) ← Setup(1 , Xλ, Cλ, Mλ), for all x ∈ Xλ, C ∈ Cλ,

235 m ∈ Mλ, skC ← KeyGen(msk,C), ct ← Enc(pp, x, m), the following holds

C(x) = 1 ⇒ Pr [Dec(skC , ct) = m] ≥ 1 − negl1(λ),

C(x) = 0 ⇒ Pr [Dec(skC , ct) = ⊥] ≥ 1 − negl2(λ),

where negl1(·), negl2(·) are negligible functions, and the probabilities are taken over the random coins used during key generation and encryption procedures.

Security. The standard notion of security for a KP-ABE scheme is that of full or adaptive security. It is formally deﬁned as follows.

Deﬁnition 3.17. A key-policy attribute based encryption scheme ABE = (Setup, Enc, KeyGen, Dec) is said to be fully secure if for every stateful PPT adversary A, there exists a negligible function negl(·), such that the following holds:

 λ  (pp, msk) ← Setup(1 , Xλ, Cλ, Mλ) KeyGen(msk,·) KeyGen(msk,·) 1 Pr A (ct) = b : ((m0, m1), x) ← A (pp)  − ≤ negl(λ) 2 b ← {0, 1}; ct ← Enc(pp, x, mb) where every predicate query C, made by adversary A to the KeyGen(msk, ·) oracle, must satisfy the condition that C(x) = 0.

Predicate Encryption

A predicate encryption (PE) scheme PE, for set of attribute spaces X = {X } , predicate classes C = {C } and message spaces M = {M } , λ λ∈N λ λ∈N λ λ∈N consists of four polytime algorithms (Setup, Enc, KeyGen, Dec). They have the same syntax and correctness condition as that of a KP-ABE scheme.

236 The standard notion of security for a PE scheme is that of full attribute hiding (or 2-sided security). A weaker notion of security is of 1-sided security which is captured by the following indistinguishability based definition (one could alternatively define a simulation based definition as in [328]).

Deﬁnition 3.18 (1-Sided Security). A predicate encryption scheme PE = (Setup, Enc, KeyGen, Dec) is said to be 1-sided secure if for every stateful PPT adversary A, there exists a negligible function negl(·), such that the following holds:

 λ  (pp, msk) ← Setup(1 , Xλ, Cλ, Mλ) KeyGen(msk,·) KeyGen(msk,·) 1 Pr A (ct) = b : ((m0, x0), (m1, x1)) ← A (pp)  − ≤ negl(λ) 2 b ← {0, 1}; ct ← Enc(pp, xb, mb) where every predicate query C, made by adversary A to the KeyGen(msk, ·) oracle, must satisfy the condition that C(x0) = C(x1) = 0.

Deﬁnition 3.19 (SIM-1-Sided Security). A predicate encryption scheme PE = (Setup, Enc, KeyGen, Dec) is said to be SIM-1-sided secure if there exists a simulator Sim such that for every stateful PPT adversary A, the following holds:

 λ   (pp, msk) ← Setup(1 , Xλ, Cλ, Mλ)  AKeyGen(msk,·)(ct): (m, x) ← AKeyGen(msk,·)(pp)  ct ← Enc(pp, x, m) 

≈c  λ   (pp, msk) ← Setup(1 , Xλ, Cλ, Mλ)  AKeyGen(msk,·)(ct): (m, x) ← AKeyGen(msk,·)(pp)  ct ← Sim(1λ, pp, 1|x|, 1|m|)  where every predicate query C, made by adversary A to the KeyGen(msk, ·) oracle, must satisfy the condition that C(x) = 0.

237 Construction. Let ABE = (ABE.Setup, ABE.Enc, ABE.KeyGen, ABE.Dec) be a key-policy attribute based encryption scheme for set of attribute spaces {X } , predicate classes {C } and message spaces {M } with de- λ λ∈N λ λ∈N λ λ∈N cryption circuit of depth d(λ) and secret key space {0, 1}`(λ). Also, let O =

(Obf, Eval) be a lockable obfuscator for circuit class C`,k,d (i.e., the class of depth d(λ) circuits with `(λ) bit input and k(λ) bit output). For simplic-

k(λ) ity, assume that Mλ = {0, 1} . Below we describe our construction. For notational convenience, let ` = `(λ), k = k(λ) and d = d(λ).

λ • Setup(1 , Xλ, Cλ) → (pp, msk). The setup algorithm runs ABE.Setup to generate public parameters and master secret key as (pp, msk) ←

λ k ABE.Setup(1 , Xλ, Cλ, 1 ).

• Enc(pp, x, m) → ct. The encryption algorithm chooses a random string

k α ← {0, 1} and encrypts it as ctα ← ABE.Enc(pp, x, α). Next, it ob-

fuscates the decryption circuit with message m and lock α as Pe ←

λ Obf(1 , ABE.Dec(·, ctα), m, α). Finally, it outputs the ciphertext as ct =

Pe.

• KeyGen(msk,C) → skC . The key generation algorithm runs ABE.KeyGen

to generate the secret key as skC ← ABE.KeyGen(msk,C).

• Dec(skC , ct) → m or ⊥ . Let ct = Pe. The decryption algorithm evaluates

the obfuscated program on input skC , and outputs Eval(P,e skC ).

Remark 3.5.1 (Preservation of Algorithms and Retroactive Application). We would like to point out that the above transformation preserves the original

238 ABE setup and key generation algorithms as well as the private key structure. This could allow some ﬂexibility in encryption. If the user encrypting data feels that hiding the attributes is important, he can apply our transformation. If not, he can default to the original scheme. Also, it allows for one-sided predicate encryption to be retroactively applied to an ABE scheme that has already published its public parameters and distributed its keys. Of course, only newly generated ciphertexts generated with using the transformation would have the attributes hidden.

Correctness. For all λ ∈ N, message m ∈ {0, 1}, attribute x ∈ Xλ, public λ parameters and master secret key (pp, msk) ← ABE.Setup(1 , Xλ, Cλ, Mλ), the ciphertext corresponding to message m under attribute x in our scheme is

k an obfuscated circuit Pe, where α ← {0, 1} , ctα ← ABE.Enc(pp, x, α) and

λ Pe ← Obf(1 , ABE.Dec(·, ctα), m, α).

For any predicate C ∈ Cλ, the corresponding secret key in our scheme is simply skC ← ABE.KeyGen(msk,C). Consider the following two cases:

1. C(x) = 1 : We know that if C(x) = 1, then with all but negligible

probability ABE.Dec(skC , ctα) = α. This follows from correctness of the ABE scheme. Next, using correctness of obfuscation, we can conclude

that Eval(P,e skC ) = m as ABE.Dec(skC , ctα) = α. Therefore, if C(x) = 1,

then Pr[Dec(skC , ct = Pe) = m] ≥ 1 − negl(λ).

2. C(x) = 0 : Similarly, we know that if C(x) = 0, then with all but negli-

239 gible probability ABE.Dec(skC , ctα) = ⊥. Also by correctness of obfusca-

tion, we can conclude that if ABE.Dec(skC , ctα) 6= α, then Pr[Eval(P,e skC ) = ⊥] ≥ 1 − negl(λ). Since ⊥ 6= α, therefore combining these two facts we

0 know that if C(x) = 0, then Pr[Dec(skC , ct = Pe) = ⊥] ≥ 1 − negl (λ) for some negligible function negl0(·).

Therefore, PE satisﬁes the predicate encryption correctness condition.

Security. We will now show that the scheme described above achieves 1- sided security as per Deﬁnition 3.18. Formally, we prove the following.

Theorem 3.4. If ABE = (ABE.Setup, ABE.Enc, ABE.KeyGen, ABE.Dec) is a fully secure attribute based encryption for set of attribute spaces {X } , pred- λ λ∈N icate classes {C } and message spaces {M } satisfying Deﬁnition 3.17, λ λ∈N λ λ∈N and O = (Obf, Eval) is a lockable obfuscator for 1-bit messages and circuit class

{C`,k,d}λ satisfying Deﬁnition 3.16, then PE is a secure predicate encryption scheme satisfying 1-sided security as per Deﬁnition 3.18 for 1-bit messages and same attribute space and predicate class as the ABE scheme.

Our proof proceeds via a sequence of hybrid games. Each game is played between the challenger and attacker A. Let A be any PPT adversary that wins the 1-sided security game with non-negligible advantage. We argue that such an adversary must break security of at least one underlying primitive. The ﬁrst game corresponds to the 1-sided security game as described in Deﬁnition 3.18.

240 In the ﬁnal game, the challenge ciphertext is simulated and does not contain any information about the challenge messages.

We will ﬁrst deﬁne the sequence of hybrid games, and then show that they are computationally indistinguishable.

Game 1: In this game, the challenge ciphertext ct is honestly generated, i.e. by ﬁrst choosing a uniformly random lock α, then encrypting it under attribute x to get ciphertext ctα and ﬁnally obfuscating the decryption circuit with lock α and message mb.

1. Setup Phase. The challenger sets up by generating public parameters

λ k and master secret key as (pp, msk) ← ABE.Setup(1 , Xλ, Cλ, 1 ). It sends pp to A.

2. Pre-Challenge Query Phase. A queries the challenger on polynomi-

ally many predicate circuits Ci to receive the corresponding secret keys

as skCi ← ABE.KeyGen(msk,Ci).

3. Challenge. Next, A sends the challenge messages and attributes ((m0, x0), (m1, x1))

to the challenger such that Ci(x0) = Ci(x1) = 0 for all queried predicates. The challenger chooses a random bit b ← {0, 1} and a uniformly random lock string α ← {0, 1}k. It computes ciphertext ct as

ct ← ABE.Enc(pp, xb, α). It also generates obfuscated program Pe as

λ Pe ← Obf(1 , ABE.Dec(·, ct), mb, α), and sends Pe to A.

241 4. Post-Challenge Query Phase. A queries the challenger on polynomi-

ally many predicate circuits Ci as before. The challenger handles these as in pre-challenge query phase.

5. Guess. A outputs it guess b0 and wins if b = b0.

Game 2: This is same as Game 1, except the challenger computes ciphertext ct as an encryption of an all zero string instead of α.

3. Challenge. Next, A sends the challenge messages and attributes ((m0, x0), (m1, x1))

k ct ← ABE.Enc(pp, xb, 0 ). It also generates obfuscated program Pe as

λ Pe ← Obf(1 , ABE.Dec(·, ct), mb, α), and sends Pe to A.

Game 3: This is same as Game 2, except the challenger does not choose the lock α anymore and it simulates the obfuscated program Pe instead of generating it honestly as an obfuscation of the ABE decryption circuit.

3. Challenge. Next, A sends the challenge messages and attributes ((m0, x0), (m1, x1))

to the challenger such that Ci(x0) = Ci(x1) = 0 for all queried predicates. The challenger chooses a random bit b ← {0, 1}. It generates obfuscated

program Pe as Pe ← O.Sim(1λ, 1s, 1) (where s = |ABE.Dec(·, ct)|), and sends Pe to A.

242 i 0 Let advA = |Pr[b = b] − 1/2| denote the advantage of adversary A in 3 guessing the bit b in Game i. First, note that advA = 0. In other words, A’s advantage in Game 3 is 0. This is because the challenge ciphertext Pe does not contain any information about bit b.

To complete the proof, we establish via a sequence of lemmas that no PPT adversary A can distinguish between each adjacent game with non-

i i+1 negligible probability. We show via a sequence of lemmas that |advA − advA | is negligible for all i = 1, 2. Below we discuss our lemmas in detail.

Lemma 3.2. If ABE = (ABE.Setup, ABE.Enc, ABE.KeyGen, ABE.Dec) is a

1 fully secure attribute based encryption, then for all PPT adversaries A, |advA − 2 advA| is negligible in the security parameter λ.

1 2 Proof. Suppose there exists an adversary A such that |advA − advA| is non- negligible. We construct an algorithm B that can distinguish encryptions of lock α and an all zeros string, therefore break security of the ABE scheme.

The ABE challenger generates a key pair (pp, msk) and sends pp to B. B simply forwards the public parameters pp to adversary A. A queries the reduction algorithm B on polynomially many predicates Ci for corresponding secret keys. B forwards each predicate query Ci to the ABE challenger and

receives back secret key skCi , which it then sends to A as its response. Next, A sends the challenge message-attribute pairs ((m0, x0), (m1, x1)) to B such that

Ci(x0) = Ci(x1) = 0 for all queried predicates. B chooses a random string

k k α ← {0, 1} and bit b ← {0, 1}, and sends t0 = α and t1 = 0 as its challenge

243 messages and xb as the challenge attribute to the ABE challenger. The ABE challenger chooses a random bit β ← {0, 1}, computes the challenge ciphertext

∗ ∗ ∗ ct ← ABE.Enc(pp, xb, tβ) and sends ct to B. After receiving ct from the challenger, B runs Step 3 as in Game 1. That is, B generates obfuscated

λ ∗ program Pe as Pe ← Obf(1 , ABE.Dec(·, ct ), mb, α), and sends Pe to A. Next, A makes more key queries and B answers them as before by forwarding those to ABE challenger. Finally, A outputs its guess b0. If b = b0, then B sends 0 as its guess (i.e., α was encrypted), otherwise it sends 1 as its guess (i.e., 0k was encrypted) to the ABE challenger.

Note that if the ABE challenger encrypted α (i.e., β = 0), then B perfectly simulates Game 1 for adversary A. Otherwise it simulates Game 2

1 2 for A. As a result, if |advA − advA| is non-negligible, then B breaks the ABE scheme’s security with non-negligible advantage.

Lemma 3.3. If O = (Obf, Eval) is a secure lockable obfuscator, then for all

2 3 PPT adversaries A, |advA − advA| is negligible in the security parameter λ.

2 3 Proof. Suppose there exists an adversary A such that |advA − advA| is non- negligible. We construct an algorithm B that can distinguish an obfuscation of the ABE decryption circuit with a random lock from a simulated obfuscated program, therefore break security of the obfuscation scheme.

B samples an ABE key pair (pp, msk) and sends pp to adversary A.

A queries the reduction algorithm B on polynomially many predicates Ci for

corresponding secret keys. B answers each query with secret key skCi , with

244 skCi ← ABE.KeyGen(msk,Ci). Next, A sends the challenge message-attribute pairs ((m0, x0), (m1, x1)) to B such that Ci(x0) = Ci(x1) = 0 for all queried predicates. B chooses a random bit b ← {0, 1} and computes ciphertext ct

k as ct ← ABE.Enc(pp, xb, 0 ). B sends the ABE.Dec(·, ct) circuit along with message mb to the obfuscation challenger, and receives an obfuscated program

Pe. B ﬁnally sends Pe to A as the challenge ciphertext. Next, A makes more key queries and B answers them as before. Finally, A outputs its guess b0. If b = b0, then B sends 0 as its guess (i.e., ABE decryption circuit was obfuscated), otherwise it sends 1 as its guess (i.e., program Pe was simulated) as its guess to the obfuscation challenger.

Note that if the obfuscation challenger obfuscated ABE.Dec(·, ct) for some lock α, then B perfectly simulates Game 2 for adversary A. Otherwise

2 3 it simulates Game 3 for A. As a result, if |advA − advA| is non-negligible, then B breaks the obfuscation scheme’s security with non-negligible advantage.

3.5.2 Generalizing to Other Types

We now brieﬂy discuss other forms of Attribute-Based Encryption and informally describe how our transformation could be adapted to them.

Key-Policy ABE with Unbounded Decryption Depth. The above construction above applies to ABE systems where there is a system wide bound on the depth of the decryption circuit and bounded key size. This can account for both for ABE schemes where there is already such a bound in place such

245 as circuit ABE schemes from LWE or be applied to ABE schemes where no such bound is in place, but one is created for purposes of the transformation. The advantage of this is that the only added assumption is the Learning with Error from lockable obfuscation.

However, in many cases we will want to use systems that don’t have such a bound. For example, most key-policy ABE systems that support keys as arbitrary boolean formulas could have decryption circuits of arbitrary depth. Note that bilinear group ABE systems are the only ones that currently support dual system encryption and adaptive security using only polynomial-hardness assumptions [525, 408, 407].

To accommodate this we modify the transformation by adding an extra FHE layer as follows. The encryption algorithm starts as before by choosing a random lock value α and encrypting the lock value under attribute string x using ABE encryption algorithm. However, it next creates a fresh FHE public-private key pair and encrypts the ABE ciphertext under the FHE public key. Next, it creates a lockable obfuscation that is created with lock value α, the message we want to encrypt and a program that takes as input an FHE ciphertext and decrypts using the FHE secret key. The ciphertext consists of the FHE public key, ciphertext and (lockable) obfuscated program. To decrypt simply use the fully homomorphic decryption algorithm to decrypt the ABE ciphertext inside the FHE ciphertext and then submit the resulting ciphertext as input to the obfuscated program.

The security argument is almost the same as before. In the ﬁrst step

246 ABE security is used to change the ciphertext encrypting α to encrypt the all 0’s string. Next the obfuscated program is changed to a simulated program which looses knowledge of the FHE secret key. Then we can ﬁnally change the FHE ciphertext encrypting the ABE ciphertext to encrypt the all 0’s string.

Such a technique will be applicable to many forms of key-policy Attribute- Based encryption including those that use dual system encryption for adaptive security [525, 407], ABE for boolean formulas [336] and ABE for deterministic ﬁnite automata [526, 47].

Unbounded Size, but Bounded Depth. An in-between variant of our ﬁrst transformation and the methods described above would be to accommodate ABE systems that inherently have decryption circuits that have bounded depth, but not bounded size. A prototypical example is an ABE for circuits scheme from LWE [327, 121]. In this case we can do the same construction as above, except use a leveled homomorphic encryption scheme where the level is chosen to match the maximum ABE circuit decryption depth. The advantage of this approach is that realizations of leveled homomorphic encryption are known from the LWE assumption [155, 148].

Ciphertext Policy Attribute-Based Encryption. An alternate form of Attribute-Based Encryption is ciphertext-policy ABE. In this setting the semantics associated with the keys and ciphertexts get ﬂipped. Here a function f is associated with a ciphertext and an attribute string x with a private key. A

247 user with a private key for x should be able to decrypt a ciphertext associated with f if and only if f(x) = 1. In the setting of one-sided predicate encryption we want to hide the function descriptor f associated with the ciphertext from all those users who cannot decrypt it. Using universal circuits (or formulas) one can build [335] a ciphertext policy-ABE schemes from key-policy ABE scheme, however, this only works for circuits of aprori bounded size.

Using a variant of our approach from Section 3.5.1 we can handle all ABE schemes that have ciphertexts of bounded size. If we add a layer of fully homomorphic encryption the bounded size restriction goes away and we can handle additional schemes including those that are in the multi-authority setting [199, 200, 409] or have ciphertext functions associated with deterministic ﬁnitie automatas [526, 47].

3.5.3 Encrypting to a Hidden Public Key

Our ﬁnal application of this section is that using lockable encryption one can create a ciphertext that encrypts to a public key, but hides the identity of the public key from anyone who does not have the secret key. Such functionality was considered previously, see for example [529, 76, 4] and the references therein. However, in previous cases the hiding would only be among all public keys that shared some common parameter such as all using the same elliptic curve group. Suppose instead that we wanted to encrypt in a way that it is not clear whether it was to someone with a 4096 bit RSA key, a 2048 bit RSA key or using an ECC key.

248 To do this the encryption algorithm first creates a ciphertext ct that encrypts a randomly chosen lock value α using encryption under the recipients public key cryptosystem. Then the encryption algorithm creates a program P that takes as input a decryption circuit description and applies it to the ciphertext ct. The final ciphertext is a lockable obfuscation of this program P under the lock α and the message to be transmitted. The decryption circuit description and program size should be padded to a include all decryption circuits of a chosen class. To attempt to decrypt such a ciphertext, one must first translate their secret key and decryption algorithm into a decryption circuit and then input this circuit description into the obfuscated program.

3.6 Separating IND-CPA security and Circular Secu- rity

A group of n public keys and ciphertexts is said to form a key cycle [166] if the ith ciphertext encrypts the (i + 1)th secret key. A system is said to be n-circular secure if key cycles of length n are indistinguishable from the case where the ciphertexts consists of encryptions to the all zeros message. Achiev- ing circular security is very desirable in some cases. For instance, a leveled homoromorphic encryption scheme that is circular secure implies the existence of a fully homomorphic encryption scheme via Gentry’s [297] bootstrapping technique. As long as the levels of the homomorphic decryption circuit ﬁt within the levels given by evaluation.

There have been several recent works that have shown that circular se-

249 curity, unfortunately, does not come for free. In particular, there exists IND- CPA schemes (in various contexts) that are not circular secure. Achieving such results initially depended on the existence of indistinguishability obfuscation. Subsequent works showed how in some scenarios one could make the desirable trade of assuming learning with errors instead of indistinguishability obfuscation. However, each of these constructions required the introduction of specialized LWE oriented techniques. Here we show that these separation results can instead be achieved by lockable obfuscation. The insight is simply that the original results used iO on programs that were “lockable obfuscation compatible” to begin with. So all we need to do is make very minor tweaks to the programs and then essentially copy the results. (We work things out fully below for completeness.)

The beneﬁts are two fold. First, we are able to achieve some separation results that were not previously known under standard assumptions. And second, the solutions provided via lockable obfuscation are simpler to describe and understand in comparison to direct number theoretic constructions. Of course, direct constructions will likely be more practically eﬃcient, although the importance of this is not clear in the setting of separation results. We now overview our three solutions along with the preceding work in each case. We present our results using the language of cycle testers as introduced by Bishop, Hohenberger and Waters [99].

250 Cycle testers of length n. Acar et al. [8] using the SXDH assumption in bilinear groups provided an IND-CPA scheme that was not two circular secure. Subsequently, Koppula, Ramchen and Waters [395] showed separation results for any n cycle length assuming indistinguishability obfuscation. (Concurrently, Marcedone and Orlandi [430] did this from VBB.) After these works Bishop, Hohenberger and Waters [99] gave a cycle tester under the LWE assumption for n = 2. Finally, Koppula and Waters [396] and Alamati and Peikert [24] gave cycle testers for any a priori bounded length under the learning with errors and ring learning with errors problem.9 Below we will provide a translation of the KRW n cycle testers.

Cycle tester for bit encryption schemes. The above separation results do not apply for when the underlying encryption scheme encrypts single bit messages. Rothblum [491] ﬁrst showed a separation for bit encryption cycles of length one using a high degree and non-noisy multilinear multilinear paper. Koppula, Ramchen and Waters [395] (in a diﬀerent solution from above) showed the separation using indistinguishability obfuscation. Very recently, Goyal, Koppula and Waters [332] gave a bit encryption cycle tester secure under the Learning with Errors assumption. Their cycle tester, however, only worked for secret key encryption while the others were public key. Below we provide a translation of the KRW bit encryption cycle tester.

9In their ring LWE solution Alamati and Peikert [24] built testers for any cycle length that could depend on the security parameter. In their LWE solution the cycle length had to be constant.

251 Cycle testers of unbounded length. Returning to the case of encryption schemes with multi-bit messages Goyal, Koppula and Waters [331] recently provided a cycle tester that had no apriori bound on cycle length. Their solution requires both indistinguishability obfuscation and leveled (bootstrappable) homomorphic encryption. We show how we can swap out indistinguishability obfuscation for lockable obfuscation.

3.6.1 Separating IND-CPA Security from n-Circular Security

In this section, we construct a key cycle tester Γ = (Setup, KeyGen, Enc, Test) from any public key encryption scheme and a lockable obfuscator.

Let E = (Setup, Enc, Dec) be a public key encryption scheme for message space {0, 1}2k(λ) with decryption circuit of depth d(λ), secret key space {0, 1}k(λ) and ciphertext space {0, 1}`(λ). Also, let O = (Obf, Eval) be a lockable obfuscator for 1-bit messages and circuit class Cn·`,k,n·d (i.e., the class of depth n · d(λ) circuits with n · `(λ) bit input and k(λ) bit output). Below we describe our construction. For notational convenience, let k = k(λ).

• Setup(1λ, 1n) : The setup algorithm outputs public parameters as pp = (λ, n).

• KeyGen(pp) : Let pp = (λ, n). The key generation algorithm runs Setup to obtain a public-secret key pair as (pk, sk) ← Setup(1λ). It also chooses a string α uniformly at random as α ← {0, 1}k.

Next, consider the program Progsk described in Figure 3.3. It obfuscates

252 program Progsk with message 1 and lock α as Pe ← Obf(1λ, Progsk, 1, α). Finally, it outputs the key pair as pk = (pk, Pe), sk = (sk, α).

• Enc(pk, m) : Let pk = (pk, Pe). The encryption algorithm computes ciphertext as ct ← Enc(pk, m).

• Test(pk, ct) : Let pk = (pk1,..., pkn) and pk1 = (pk1, Pe1). The test-

ing algorithm evaluates the obfuscated program Pe1 on input ct as b =

Eval(Pe1, ct). If b = ⊥, it outputs 0. Otherwise, it outputs b.

• Dec(sk, ct) : Let sk = (sk, α). The decryption algorithm outputs Dec(sk, ct).10

λ Correctness. For all λ, n ∈ N, public-secret key pairs (pki, ski) ← Setup(1 ) k and strings αi ← {0, 1} (for i ≤ n), a key cycle of length n consists of a sequence of n ciphertexts ct = (ct1,..., ctn), where each ciphertext cti is computed as cti ← Enc pki, (sk(i mod n)+1, α(i mod n)+1) . Also, the program Pe1

λ (which is part of public key pk1) is computed as Pe1 ← Obf(1 , Progsk1, 1, α1).

Let cte = (ctf1,..., ctfn) be encryption of zero strings, where each cipher- 2k text ctfi is computed as ctfi ← Enc(pki, 0 ). For correctness of Test algorithm, we want to argue that it’s advantage in distinguishing a sequence of encryptions of secret keys from encryptions of zeros is non-negligible.

10We would like to point out that cycle tester framework does not contain a decryption algorithm. However, since it is naturally available in our scheme, therefore we also specify it.

253 First, note that Progsk1(ct) = α1 (by construction). Therefore, by correctness of obfuscation Eval(Pe1, ct) = 1. Similarly, Progsk1(cte ) 6= α1 (with all but negligible probability) as α1 is chosen uniformly at random and Progsk1 is independent of string α1. This suggests that Pr[Eval(Pe1, cte ) = ⊥] ≥ 1 − negl(λ).

Therefore, we can conclude that Γ satisﬁes cycle tester correctness condition as it can distinguish key cycles and all zero encryption with non- negligible probability.

Security. We will now show that the scheme described above achieves IND- CPA security as per Deﬁnition 3.4. Formally, we prove the following.

Theorem 3.5. If E = (Setup, Enc, Dec) is an IND-CPA secure public key encryption scheme for message space {0, 1}2k(λ), secret key space {0, 1}k(λ) and ciphertext space {0, 1}`(λ) satisfying Definition 3.4, and O = (Obf, Eval) is a lockable obfuscator for 1-bit messages and circuit class Cn·`,k,d satisfying Definition 3.16, then Γ is a secure cycle tester scheme satisfying IND-CPA security as per Definition 3.4.

Proof. Our proof proceeds via a sequence of hybrid games. Let A be any PPT adversary that wins the IND-CPA security game against Γ with non-negligible advantage. We argue that such an adversary must break security of at least one underlying primitive.

254 We will ﬁrst deﬁne the sequence of hybrid games, and then show that they are computationally indistinguishable.

Game 1: This game is the original IND-CPA security game described in Deﬁnition 3.4.

1. The challenger generates a public-secret key pair as (pk, sk) ← Setup(1λ). It uniformly samples α ← {0, 1}k, and computes the obfuscation of pro-

gram Progsk (described in Figure 3.3) as Pe ← Obf(1λ, Progsk, 1, α). It sends the public key pk = (pk, Pe) to A.

2. A receives pk from the challenger, and computes messages m0, m1. It

sends (m0, m1) as its challenge messages to the challenger.

∗ 3. The challenger chooses bit b ← {0, 1}, computes ct ← Enc(pk, mb), and sends ct∗ to A.

4. A receives challenge ciphertext ct∗ from the challenger, and outputs its guess b0.

5. A wins if it guesses correctly, that is if b = b0.

Game 2: This game is same as Game 1, except the challenger does not choose the lock α anymore and it simulates the obfuscated program Pe instead of generating it honestly as an obfuscation of program Progsk.

255 1. The challenger generates a public-secret key pair as (pk, sk) ← Setup(1λ).

It computes the obfuscated program Pe as Pe ← O.Sim(1λ, 1s, 1), where s = |Progsk|. It sends the public key pk = (pk, Pe) to A.

We now establish via a sequence of lemmas that the adversary’s advan-

i 0 tage between Game 1 and 2 is negligible. Let advA = |Pr[b = b] − 1/2| denote the advantage of adversary A in guessing the bit b in Game i. We show via

1 2 2 a sequence of lemmas that |advA − advA| and advA are negligible. Below we discuss our lemmas in detail.

Lemma 3.4. If O = (Obf, Eval) is a secure lockable obfuscator, then for all

1 2 PPT adversaries A, |advA − advA| is negligible in the security parameter λ.

1 2 Proof. Suppose there exists an adversary A such that |advA − advA| is non- negligible. We construct an algorithm B that can distinguish an obfuscation of program Progsk with a random lock from a simulated obfuscated program, therefore break security of the obfuscation scheme.

B runs step 1 as in Game 1, except it does not compute obfuscated program Pe. Concretely, B chooses a key pair (pk, sk) ← Setup(1λ). B sends the program Progsk along with message 1 to the obfuscation challenger, and receives an obfuscated program Pe. It sets the public key as pk = (pk, Pe) and sends pk to A. It executes steps 2-5 as in Game 1. If the attacker wins (i.e. b0 = b), then B guesses ‘0’ to indicate that Pe was an obfuscation of Progsk; otherwise, it guesses ‘1’ to indicate that it was simulated.

256 Note that if the obfuscation challenger obfuscated Progsk for some lock α, then B perfectly simulates Game 1 for adversary A. Otherwise it simulates

1 2 Game 2 for A. As a result, if |advA − advA| is non-negligible, then B breaks the obfuscation scheme’s security with non-negligible advantage.

Lemma 3.5. If E = (Setup, Enc, Dec) is an IND-CPA secure public key

2 encryption scheme, then for all PPT adversaries A, advA is negligible in the security parameter λ.

2 Proof. Suppose there exists an adversary A such that advA is non-negligible. We construct an algorithm B that can break security of the PKE scheme E.

B receives public key pk from E challenger. It runs step 1 as described in Game 2 with the exception that it uses pk generated by E challenger instead of running the setup algorithm. During challenge phase, B forwards the challenge messages (m0, m1) it receives from A to E challenger as its challenge messages and receives ct∗ as the challenge ciphertext, which it then forwards to A. Finally, B outputs the same guess as A.

We observe that if A wins (i.e. b0 = b), then B also wins because it

2 exactly simulates the view of Game 2 for A. Therefore if advA is non-negligible, B must also have non-negligible advantage against E challenger.

257 3.6.2 Separating IND-CPA Security from 1-Circular Security for Bit Encryption

In this section, we construct a key cycle tester Γ = (Setup, KeyGen, Enc, Test) for 1-bit messages from any public key bit encryption scheme and a lockable obfuscator.

Let E = (Setup, Enc, Dec) be a public key bit encryption scheme with secret key space {0, 1}`1(λ), ciphertext space {0, 1}`2(λ) and decryption circuit of depth d(λ). Also, let O = (Obf, Eval) be a lockable obfuscator for 1-bit

messages and circuit class C(`1+k)·`2,k,d (i.e., the class of depth d(λ) circuits with

(`1(λ) + k(λ)) · `2(λ) bit input and k(λ) bit output). Below we describe our construction. For notational convenience, let k = k(λ), `1 = `1(λ), `2 = `2(λ) and n = k(λ) + `1(λ).

• Setup(1λ) : The setup algorithm runs Setup to obtain a public-secret key pair as (pk, sk) ← Setup(1λ). It also chooses a string α uniformly at random as α ← {0, 1}k.

Next, consider the program BPsk described in Figure 3.4. It obfuscates λ program BPsk with message 1 and lock α as Pe ← Obf(1 , BPsk, 1, α). Finally, it outputs the key pair as pk = (pk, Pe), sk = (sk, α).

• Enc(pk, m) : Let pk = (pk, Pe). The encryption algorithm computes ciphertext as ct ← Enc(pk, m).

• Test(pk, ct) : Let pk = (pk, Pe). The testing algorithm evaluates the

258 obfuscated program Pe on input ct as b = Eval(P,e ct). If b = ⊥, it outputs 0. Otherwise, it outputs b.

• Dec(sk, ct) : Let sk = (sk, α). The decryption algorithm outputs Dec(sk, ct).

Correctness. For every λ, public-secret key pair (pk, sk) ← Setup(1λ) and string α ← {0, 1}k, a key cycle consists of a sequence of n ciphertexts ct = (ct1,..., ctn), where each ciphertext cti is computed as cti ← Enc pk, ski ,

th sk = (skt, α) and ski is i bit of sk. Also, the program Pe (which is part of

λ public key pk) is computed as Pe ← Obf(1 , BPsk, 1, α).

Let cte = (ctf1,..., ctfn) be encryptions of zero, where each ciphertext ctfi is computed as ctfi ← Enc(pk, 0). For correctness of Test algorithm, we want to argue that it’s advantage in distinguishing a sequence of encryptions of secret key bits from encryptions of zeros is non-negligible.

k First, note that BPsk(ct) = α and BPsk(cte ) = 0 (by construction).

Therefore, by correctness of obfuscation Eval(P,e ct) = 1. Also, BPsk(cte ) 6= α (with all but negligible probability) as α is chosen uniformly at random. This suggests that Pr[Eval(P,e cte ) = ⊥] ≥ 1 − negl(λ).

Therefore, we can conclude that Γ satisﬁes bit encryption cycle tester correctness condition as it can distinguish a key cycle and all zero encryption with non-negligible probability.

259 Security. We will now show that the scheme described above achieves IND- CPA security as per Deﬁnition 3.4. Formally, we prove the following.

Theorem 3.6. If E = (Setup, Enc, Dec) is an IND-CPA secure public key bit encryption scheme with secret key space {0, 1}`1(λ) and ciphertext space

{0, 1}`2(λ) satisfying Deﬁnition 3.4, and O = (Obf, Eval) is a lockable obfuscator

for 1-bit messages and circuit class C(`1+k)·`2,k,d satisfying Deﬁnition 3.16, then Γ is a secure bit encryption cycle tester scheme satisfying IND-CPA security as per Deﬁnition 3.4.

The proof of this theorem is identical to proof of Theorem 3.5. There- fore, we only sketch the sequence of hybrid games.

Game 1: This game is the original IND-CPA security game described in Deﬁnition 3.4.

1. The challenger generates a public-secret key pair as (pk, sk) ← Setup(1λ). It uniformly samples α ← {0, 1}k, and computes the obfuscation of pro-

λ gram BPsk (described in Figure 3.4) as Pe ← Obf(1 , BPsk, 1, α). It sends the public key pk = (pk, Pe) to A.

260 2. Next, the challenger chooses bit b ← {0, 1}, computes ct∗ ← Enc(pk, b), and sends ct∗ to A.

3. A receives challenge ciphertext ct∗ from the challenger, and outputs its guess b0. A wins if it guesses correctly, that is if b = b0.

1. The challenger generates a public-secret key pair as (pk, sk) ← Setup(1λ).

It computes the obfuscated program Pe as Pe ← O.Sim(1λ, 1s, 1), where

s = |BPsk|. It sends the public key pk = (pk, Pe) to A.

3.6.3 Creating an Unbounded Public Key Cycle Tester

In this section, we construct a cycle tester Γ = (Setup, KeyGen, Enc, Test) for unbounded length key cycles from any bootstrappable (leveled) homomorphic encryption scheme and a lockable obfuscator.

Let LHE = (LHE.Setup, LHE.Enc, LHE.Eval, LHE.Dec) be a bootstrappable homomorphic bit encryption scheme for message space {0, 1}`(λ) with decryption circuit of depth d(λ), ciphertexts of length `ct(λ) and secret keys of length s(λ). Also, let O = (Obf, Eval) be a lockable obfuscator for 1-bit

261 messages and circuit class C`ct,k,d (i.e., the class of depth d(λ) circuits with

`ct(λ) bit input and k(λ) bit output). Below we describe our construction.

For notational convenience, let k = k(λ), s = s(λ), d = d(λ), `ct = `ct(λ) and ` = `(λ).

• Setup(1λ) : The setup algorithm runs LHE.Setup to obtain a public-secret key pair as (lhe.pk, lhe.sk, lhe.ek) ← LHE.Setup(1λ, 1d). It also chooses a string α uniformly at random as α ← {0, 1}k.

Next, consider the program UPlhe.sk described in Figure 3.5. It obfuscates

λ program UPlhe.sk with message 1 and lock α as Pe ← Obf(1 , UPlhe.sk, 1, α). Finally, it outputs the key pair as pk = (lhe.pk, lhe.ek, Pe), sk = (lhe.sk, α).

• Enc(pk, m) : Let pk = (lhe.pk, lhe.ek, Pe). The encryption algorithm computes ciphertext as ct ← LHE.Enc(lhe.pk, m).

n • Test(1 , pk, ct) : Let pk = (pk1,..., pkn), ct = (ct1,..., ctn) and pki =

(lhe.pki, lhe.eki, Pei) (for all i ≤ n). Also, let circuit Cct be a circuit which takes as input s+k bits and decrypts ciphertext ct using the ﬁrst s bits of

s k the input, i.e. Cct(x || y) = LHE.Dec(x, ct) where x ∈ {0, 1} , y ∈ {0, 1} . The tester algorithm runs as follows.

0 0 First, it sets ctn = ctn. For i = n−1 to i = 1, it computes ciphertexts cti

0 as ct = LHE.Eval(lhe.ek ,C 0 , ct ). Next, it evaluates the obfuscated i i cti+1 i 0 0 program Pe1 on input ct1 as b = Eval(Pe1, ct1). Finally, it outputs b.

262 • Dec(sk, ct) : Let sk = (lhe.sk, α). The decryption algorithm outputs LHE.Dec(lhe.sk, ct).

Correctness. For all λ, n ∈ N, LHE key pairs (lhe.pki, lhe.ski, lhe.eki) ← λ d k LHE.Setup(1 , 1 ) and strings αi ← {0, 1} (for i ≤ n), a key cycle of length n consists of a sequence of n ciphertexts ct = (ct1,..., ctn), where each ciphertext cti is computed as cti ← Enc lhe.pki, (lhe.sk(i mod n)+1, α(i mod n)+1) .

Also, the program Pe1 (which is part of public key pk1) is computed as Pe1 ←

λ Obf(1 , UPlhe.sk1 , 1, α1).

Let cte = (ctf1,..., ctfn) be encryption of zero strings, where each cipher- s+k text ctfi is computed as ctfi ← Enc(pki, 0 ). For correctness of Test algorithm, we want to argue that it’s advantage in distinguishing a sequence of encryptions of secret keys from encryptions of zeros is non-negligible.

0 First, note that LHE.Dec(lhe.skn, ctn) = (sk1, α1). Therefore, ctn−1 =

0 LHE.Eval(lhe.ekn−1,Cctn , ctn−1) is an encryption of (sk1, α1) under key lhe.pkn−1, 0 where ctn = ctn. Therefore, the top-down iterative LHE evaluation during test-

0 ing would ﬁnally result in ciphertext ct1 that will be an encryption of (sk1, α1) under key lhe.pk1. We could prove this by an inductive argument over cycle length n. The base case n = 1 follows directly from the construction. The inductive hypothesis would be that the test algorithm successfully reduces a length k key cycle to a length 1 key cycle. The induction step can be proven by ﬁrst reducing a length k key cycle to a length k −1 key cycle (which follows

263 from the correctness of the LHE scheme) and then applying the hypothesis.

0 Finally, the test algorithm evaluates the obfuscated program Pe1 on ct1 which is encryption of (sk1, α1) under key lhe.pk1. Therefore, by correctness of ob-

0 fuscation scheme Eval(Pe1, ct1) = 1. In other words, we can claim that the test algorithm always outputs 1 in this case (i.e., with probability 1).

0 Similarly, UPlhe.sk1 (cte 1) 6= α1 (with all but negligible probability) as α1 is chosen uniformly at random and neither UPlhe.sk1 nor any of the ciphertexts 0 cti depends on the string α1. This suggests that Pr[Eval(Pe1, cte 1) = ⊥] ≥ 1 − negl(λ).

Therefore, we can conclude that Γ satisﬁes cycle tester correctness condition as it can distinguish key cycles and all zero encryption with non- negligible probability.

The IND-CPA proof of this scheme is identical to the proof of Theo- rem 3.5.

3.7 Uninstantiability of the Fujisaki-Okamoto and Re- lated Transformations

We now move to our second set of separation results where we use lockable obfuscation to show random oracle uninstantiability [183] for a certain family of transformations. These include: the Bellare et al. [79] transformation from an IND-CPA scheme to an injective trapdoor function, the well known Fujisaki-Okamoto [278, 279] transformations from IND-CPA and the deterministic encryption construction of Bellare, Boldyreva and O’Neill [77].

264 All of the constructions follow a similar paradigm where they encrypt a string x under random coins determined from H(x). (How the string x is construed varies somewhat between the schemes.) The works above show that if H is presented as an oracle access to a random function, the transformation results in a secure scheme under the relevant deﬁnition.

An important question is what can be said about the security of these transformations when H is instantiated by a concrete hash function. Assuming indistinguishability obfuscation Brzuska, Farshim and Mittelbach [162] provide negative results on the instantiability of these transformations. In particular assuming iO for circuits they provide encryption schemes that are IND-CPA secure, but where the transformation is insecure when instantiated with any hash function up to an apriori bounded size. Furthermore, if one assumes iO for Turing Machines with unbouded input, the result holds for hash functions of any size.11 The main idea of BFM is to create an encryption scheme that includes an obfuscated program which can be used to break security when the description of H is known.

Here we show that such results can be achieved from lockable obfuscation and thus the Learning with Errors assumption. More speciﬁcally, the uninstantiability results for apriori size bounded hash functions follows from lockable obfuscation and the unrestricted results follow from lockable obfua- cation combined with fully homomorphic encryption. The main insight into

11We note that constructing Turing Machine iO for unbounded length inputs from standard iO remains an open problem.

265 the result is simply that the program breaking in BFM falls within a pattern that matches lockable obfuscation. Once this connection is made the technical argument follows readily. In addition, we again see that for iO programs that match the pattern of lockable obfuscation, fully homomorphic encryption can serve to give the “Turing Machine version” of such programs.

Below we give a proof of uninstantiability for an IND-CPA encryption scheme for the second Fujisaki-Okamoto [279] transformation. We do so in the unrestricted size case using lockable obfuscation along with fully homomorphic encryption. We believe uninstantiability results for the other schemes mentioned above follow in a very similar manner.

3.7.1 The Fujisaki-Okamoto Transformation

The Fujisaki-Okamoto (FO) transformation is a technique to convert an IND-CPA secure public key encryption scheme into an IND-CCA secure public key encryption scheme.12 The transformation relies on a public key encryption scheme, a symmetric encryption scheme and two hash functions (which are modeled as two independent random oracles).

Let PKE = (PKE.Setup, PKE.Enc, PKE.Dec) be a public key encryption scheme, SKE = (SKE.Setup, SKE.Enc, SKE.Dec) be a (deterministic) symmetric encryption scheme, and H1,H2 be two hash functions. As per FO transforma-

12The FO transformation only requires the starting PKE scheme to satisfy one-way security, which is a slightly weaker notion than IND-CPA.

266 tion, an encryption of message m under randomness r is computed as

PKE.Enc(pke.pk, r; H1(m || r)), SKE.Enc(ske.sk = H2(r), m).

H,He More formally, the FO transformed scheme FOPKE,SKE = (Setup, Enc, Dec) is described as follows.

λ • Setup(1 ) → (pk, sk). It chooses two hash functions H1,H2 as H1 ←

Hλ,H2 ← He λ. It also samples a public-secret key pair (pke.pk, pke.sk) for PKE scheme as (pke.pk, pke.sk) ← PKE.Setup(1λ). It outputs the public-

secret keys as pk = (pke.pk,H1,H2) and sk = (pke.pk,H1,H2, pke.sk).

• Enc(pk, m; r) → ct. Let pk = (pke.pk,H1,H2). It computes ciphertext

ct1, ct2 as ct1 = PKE.Enc(pke.pk, r; H1(m || r)) and ct2 = SKE.Enc(H2(r), m).

It outputs the ciphertext as ct = (ct1, ct2).

• Dec(sk, ct) → m or ⊥ . Let sk = (pke.pk,H1,H2, pke.sk) and ct =

(ct1, ct2). It decrypts ct1 as r = PKE.Dec(pke.sk, ct1). Next, it de-

crypts ct2 as m = SKE.Dec(H2(r), ct2). Finally, it checks if ct1 =

PKE.Enc(pke.pk, r; H1(m || r)). If the check succeeds it outputs m, otherwise it outputs ⊥.

In this work, we show that FO transform is uninstantiable in the standard model. Concretely, we prove the following.

Theorem 3.7. If FHE = (FHE.Setup, FHE.Enc, FHE.Dec, FHE.Eval) is a fully homomorphic encryption scheme satisfying Deﬁnition 3.4, and O = (Obf, Eval)

267 is a lockable obfuscator for circuit class {C } satisfying Deﬁnition 3.16, `·`,`,de λ then there exists a public key encryption scheme PKE = (PKE.Setup, PKE.Enc, PKE.Dec) such that for every hash function family H = {H } and H = λ λ∈N e n o He λ , symmetric key encryption scheme SKE = (SKE.Setup, SKE.Enc, λ∈N H,He 13 SKE.Dec), the corresponding FO transformed scheme FOPKE,SKE is not secure.

We prove the above theorem by constructing such a public key encryption scheme PKE = (Setup, Enc, Dec). Consider a public key encryption scheme PKE = (PKE.Setup, PKE.Enc, PKE.Dec) for `-bit messages, a fully homomorphic encryption scheme FHE = (FHE.Setup, FHE.Enc, FHE.Dec, FHE.Eval) for 1-bit messages with decryption circuit of depth d(λ) and ciphertext space {0, 1}`e(λ), and a lockable obfuscator scheme for `-bit messages. Below we describe our construction. For ease of exposition, assume that the FHE setup, FHE encryption, PKE encryption and lockable obfuscator also take ` bits of randomness as inputs.

• Setup(1λ) → (pk, sk). It generates a PKE key pair as (pk, sk) ← PKE.Setup(1λ), and sets public-secret key pair as (pk, sk) = (pk, sk).

• Enc(pk, m; r) → ct. Let pk = pk and r = r0 || r1 || r2 || r3 || r4, where each

ri is ` bits long. It samples an FHE key pair (fhe.pk, fhe.sk, fhe.ek) =

λ FHE.Setup(1 ; r0) and computes ciphertext ct1 as ct1 = PKE.Enc(pk, m; r1).

13 H,He The FO transformed scheme FOPKE,SKE does not even achieve IND-CPA security.

268 14 It encrypts message m under FHE public key as ct2 = FHE.Enc(fhe.pk, m; r2).

It also obfuscates program Progfhe.sk with message m, lock r4 and ran-

λ domness r3 as Pe = Obf(1 , Progfhe.sk, m, r4; r3). Finally, it outputs the

ciphertext as ct = (fhe.ek, ct1, ct2, Pe).

• Dec(sk, ct) → m. Let ct = (fhe.ek, ct1, ct2, Pe). It decrypts ct1 as m =

PKE.Dec(sk, ct1) and outputs m.

First, we prove that the above scheme is IND-CPA secure.

Theorem 3.8. If FHE = (FHE.Setup, FHE.Enc, FHE.Dec, FHE.Eval) is a fully homomorphic encryption scheme satisfying Definition 3.4, O = (Obf, Eval) is a lockable obfuscator for circuit class {C } satisfying Definition 3.16, and `·`,`,de λ PKE = (PKE.Setup, PKE.Enc, PKE.Dec) is a public key encryption scheme for `-bit messages satisfying Definition 3.4, then the scheme PKE = (Setup, Enc, Dec) is IND-CPA secure.

Proof. Our proof proceeds via a sequence of hybrid games. Let A be any PPT adversary that wins the IND-CPA security game against PKE with non- negligible advantage. We argue that such an adversary must break security of at least one underlying primitive.

We will ﬁrst deﬁne the sequence of hybrid games, and then show that they are computationally indistinguishable.

14Note that FHE scheme is a bit encryption scheme, therefore it encrypts one bit at a time. However, we overload the notation and use FHE.Enc to encrypt multi-bit messages as well. So, ct2 is a sequence of ` FHE ciphertexts.

269 Game 1: This game is the original IND-CPA security game described in Deﬁnition 3.4.

1. The challenger generates a public-secret key pair as (pk, sk) ← PKE.Setup(1λ). It sends the public key pk = pk to A.

2. A receives pk from the challenger, and computes messages m0, m1. It

sends (m0, m1) as its challenge messages to the challenger.

3. The challenger chooses bit b ← {0, 1}. It samples an FHE key pair

λ (fhe.pk, fhe.sk, fhe.ek) ← FHE.Setup(1 ) and computes ciphertexts ct1, ct2

as ct1 ← PKE.Enc(pk, mb), ct2 ← FHE.Enc(fhe.pk, mb). It chooses a random ` bit string r and obfuscates program Progfhe.sk with message m

λ and lock r as Pe ← Obf(1 , Progfhe.sk, mb, r). Finally, it outputs the

ciphertext as ct = (fhe.ek, ct1, ct2, Pe). Finally, it sends ct to A.

4. A receives challenge ciphertext ct from the challenger, and outputs its guess b0.

5. A wins if it guesses correctly, that is if b = b0.

Game 2: This game is same as Game 1, except the challenger does not choose the lock r anymore and it simulates the obfuscated program Pe instead of generating it honestly.

1. The challenger chooses bit b ← {0, 1}. It samples an FHE key pair

λ (fhe.pk, fhe.sk, fhe.ek) ← FHE.Setup(1 ) and computes ciphertexts ct1, ct2

270 as ct1 ← PKE.Enc(pk, mb), ct2 ← FHE.Enc(fhe.pk, mb). It computes the

obfuscated program Pe as Pe ← O.Sim(1λ, 1s, 1`), where s = |Progfhe.sk|.

Finally, it outputs the ciphertext as ct = (fhe.ek, ct1, ct2, Pe). Finally, it sends ct to A.

Game 3: This game is same as Game 2, except the challenger computes ct2 as encryption of all zeros string.

1. The challenger chooses bit b ← {0, 1}. It samples an FHE key pair

λ (fhe.pk, fhe.sk, fhe.ek) ← FHE.Setup(1 ) and computes ciphertexts ct1, ct2

` as ct1 ← PKE.Enc(pk, mb), ct2 ← FHE.Enc(fhe.pk, 0 ). It computes the

obfuscated program Pe as Pe ← O.Sim(1λ, 1s, 1`), where s = |Progfhe.sk|.

Finally, it outputs the ciphertext as ct = (fhe.ek, ct1, ct2, Pe). Finally, it sends ct to A.

We now establish via a sequence of claims that the adversary’s advan-

i 0 tage between any two consecutive games is negligible. Let advA = |Pr[b = b] − 1/2| denote the advantage of adversary A in guessing the bit b in Game i. We show

i i+1 3 via a sequence of lemmas that |advA − advA | (for i = 1, 2) and advA are negligible. Below we discuss our lemmas in detail.

Lemma 3.6. If O = (Obf, Eval) is a secure lockable obfuscator, then for all

1 2 PPT adversaries A, |advA − advA| is negligible in the security parameter λ.

1 2 Proof. Suppose there exists an adversary A such that |advA − advA| is non- negligible. We construct an algorithm B that can distinguish an obfuscation of

271 program Progfhe.sk with a random lock from a simulated obfuscated program, therefore break security of the obfuscation scheme.

B runs step 1 as in Game 1, i.e. it samples a PKE public-secret key pair

(pk, sk) and sends pk to A. Next, it receives two challenge messages (m0, m1) from A. B chooses a FHE key pair (fhe.pk, fhe.sk, fhe.ek) ← FHE.Setup(1λ) and random bit b. B sends the program Progfhe.sk along with message mb to the obfuscation challenger, and receives an obfuscated program Pe. It encrypts message mb as ct1 ← PKE.Enc(pk, mb), ct2 ← FHE.Enc(fhe.pk, mb). Finally, it sends the challenge ciphertext ct = (fhe.ek, ct1, ct2, Pe) to A. Next, B receives A’s guess b0. If the attacker wins (i.e. b0 = b), then B guesses ‘0’ to indicate that Pe was an obfuscation of Progfhe.sk; otherwise, it guesses ‘1’ to indicate that it was simulated.

Note that if the obfuscation challenger obfuscated Progfhe.sk for some lock r, then B perfectly simulates Game 1 for adversary A. Otherwise it

1 2 simulates Game 2 for A. As a result, if |advA − advA| is non-negligible, then B breaks the obfuscation scheme’s security with non-negligible advantage.

Lemma 3.7. If FHE = (FHE.Setup, FHE.Enc, FHE.Dec, FHE.Eval) is a fully

2 homomorphic encryption scheme, then for all PPT adversaries A, |advA − 3 advA| is negligible in the security parameter λ.

2 3 Proof. Suppose there exists an adversary A such that |advA − advA| is non- negligible. We construct an algorithm B that can distinguish encryption of message mb and an all zeros string, therefore break security of the FHE scheme.

272 B receives an FHE key pair (fhe.pk, fhe.ek) from the challenger. B runs step 1 as in Game 1, i.e. it samples a PKE public-secret key pair (pk, sk) and sends pk to A. Next, it receives two challenge messages (m0, m1) from

A. B computes the obfuscated program Pe as Pe ← O.Sim(1λ, 1s, 1`), where s = |Progfhe.sk|. It chooses a random bit b and encrypts message mb as

` ct1 ← PKE.Enc(pk, mb). It sends (mb, 0 ) to the FHE challenger as its challenge

∗ ∗ messages. B receives ct from the challenger and sets ct2 = ct . Finally, it sends the challenge ciphertext ct = (fhe.ek, ct1, ct2, Pe) to A. Next, B receives A’s guess b0. If the attacker wins (i.e. b0 = b), then B sends 0 as its guess (i.e.,

` mb was encrypted), otherwise it sends 1 (i.e., 0 was encrypted) as its guess to the FHE challenger.

Note that if the FHE challenger encrypted mb, then B perfectly simulates Game 2 for adversary A. Otherwise it simulates Game 3 for A. Therefore,

2 3 if |advA − advA| is non-negligible, then B breaks the FHE scheme’s security with non-negligible advantage.

Lemma 3.8. If PKE = (PKE.Setup, PKE.Enc, PKE.Dec) is an IND-CPA se-

3 cure public key encryption scheme, then for all PPT adversaries A, advA is negligible in the security parameter λ.

3 Proof. Suppose there exists an adversary A such that advA is non-negligible. We construct an algorithm B that can break security of the PKE scheme PKE.

B receives public key pk from the PKE challenger. It sends pk to A.

Next, it receives two challenge messages (m0, m1) from A. B chooses a FHE

273 key pair (fhe.pk, fhe.sk, fhe.ek) ← FHE.Setup(1λ). It computes the obfuscated program Pe as Pe ← O.Sim(1λ, 1s, 1`), where s = |Progfhe.sk|. It also computes

` ciphertext ct2 as ct2 ← FHE.Enc(fhe.pk, 0 ). It sends (m0, m1) to the PKE challenger as its challenge messages. B receives ct∗ from the challenger and

∗ sets ct1 = ct . Finally, it sends the challenge ciphertext ct = (fhe.ek, ct1, ct2, Pe) to A. Next, B receives A’s guess b0. Finally, B outputs the same guess as A.

We observe that if A wins (i.e. b0 = b), then B also wins because it

3 exactly simulates the view of Game 3 for A. Therefore if advA is non-negligible, B must also have non-negligible advantage against PKE challenger.

This concludes the proof of IND-CPA security of PKE.

Uninstantiability of FO Transformation. Now, we show that for every n o hash function family H = {H } and H = H , symmetric key en- λ λ∈N e e λ λ∈N cryption scheme SKE = (SKE.Setup, SKE.Enc, SKE.Dec), the FO transformed

H,He scheme FOPKE,SKE is not IND-CPA secure. Below we describe an attacker A.

1. The challenger chooses two hash functions H1,H2 as H1 ← Hλ,H2 ←

He λ. It samples a public-secret key pair (pk, sk) for PKE scheme PKE as (pk, sk) ← PKE.Setup(1λ). It sends the public key pk and hash function

descriptions H1,H2 to adversary A.

2. A chooses two `-bit messages m0, m1(6= m0) uniformly at random and sends them as its challenge messages.

274 3. The challenger chooses a random bit b and an `-bit string s ← {0, 1}`.

It computes r = H1(mb || s). Let r = r0 || r1 || r2 || r3 || r4, whereeach ri is ` bits long.

λ It samples an FHE key pair (fhe.pk, fhe.sk, fhe.ek) = FHE.Setup(1 ; r0)

and computes ciphertext ct1 as ct1 = PKE.Enc(pk, s; r1). It also encrypts

s under FHE public key as ct2 = FHE.Enc(fhe.pk, s; r2). It obfuscates

program Progfhe.sk with message s, lock r4 and randomness r3 as Pe =

λ Obf(1 , Progfhe.sk, s, r4; r3). This corresponds to the PKE part of the

ciphertext, i.e. ctPKE = (fhe.ek, ct1, ct2, Pe).

Next, it encrypts message mb using SKE scheme as ctSKE = SKE.Enc(H2(s), mb).

Finally, it sends ct = (ctPKE, ctSKE) as the challenge ciphertext to A.

4. A receives the ciphertext ct = ((fhe.ek, ct1, ct2, Pe), ctSKE) from the chal-

lenger. It ﬁrst homomorphically evaluates the hash function H2 on ct2

and then decrypts the resulting string to decrypt ciphertext ctSKE. Con-

0 cretely, it computes ct = FHE.Eval(fhe.ek, SKE.Dec(H2(·), ctSKE), ct2).

0 Next, it homomorphically evaluates hash function H1 on ct , ct2 as cte = 0 FHE.Eval(fhe.ek,H1(·), (ct , ct2)). Let cte = cte 1,..., cte 5`.

It evaluates program Pe on ciphertexts cte 4`+1,..., cte 5` as t = Eval(P,e (cte 4`+1,..., cte 5`)).

It decrypts ciphertext ctSKE as m = SKE.Dec(H2(t), ctSKE). If m = m0

or m = m1, then it guesses accordingly. Otherwise, it guesses randomly.

We claim that A always guesses b correctly. In other words, A wins with non-negligible advantage.

275 First, note that (by correctness of FHE evaluation) ciphertext ct0 encrypts challenge message mb as H2(s) is the SKE secret key used for encrypting mb.

Similarly, ciphertext cte is an encryption of string r = H1(mb || s). Therefore, ciphertexts cte 4`+1,..., cte 5` are encryptions of each bit of r4. Since Progfhe.sk(cte 4`+1,..., cte 5`) = r4. thus, by correctness of obfuscation, we know that Eval(P,e (cte 4`+1,..., cte 5`)) = s. In other words, t = s. Finally, by correctness of SKE scheme, we can conclude that SKE.Dec(H2(t), ctSKE) = mb. Therefore, A always guesses correctly.

We would like to point out that A learns the challenge message com-

H,He pletely, therefore we could also prove that scheme FOPKE,SKE is not even one- way secure.

3.8 Indistinguishability Obfuscation for Rejecting Pro- grams

We now consider a new notition of obfucation that we call indistinguishability obfuscation for rejecting programs and show how to construct it from lockable obfuscation and witness encryption for circuit satisﬁability.

Obfuscators that meet this notion will be deﬁned over boolean circuits. Like indistinguishability obfuscation our obfuscator will take in any (not necessarily rejecting) boolean circuit C in a class and output an obfuscated program that is functionally equivalent to C. However, the security guarantees given by such an obfuscator are limited to “rejecting” programs. Informally, they state that no PPT adversary can distinguish between circuits C0 and C1 as long as for all inputs x C0(x) = C1(x) = 0. In contrast, standard indistinguishability

276 obfuscation security allows C0,C1 to have arbitrary (both 0 and 1) outputs as long as they are functionally equivalent.

Our construction is simple and follows along the same conceptual lines as our techniques for attribute hiding from Section 3.5. Recall, that in a witness encryption scheme for circuit satisﬁability the encryption operation will take as input a circuit description C as well as a message msg. The message will be computationally hidden as long as there is no satisfying assignment to C. I.e. for all x we have C(x) = 0. However, there is nothing in the deﬁnition of witness encryption that guarantees the hiding of the description of the circuit C itself.

To obfuscate a circuit C one first chooses a random lock value α and creates a witness encryption of the message α under circuit C to get a (sub) ciphertext ct. Then we can create a lockable obfuscation of the following program. The program on input x will first check if C(x) = 0, and if so it outputs 0òut . Otherwise, it runs the witness encryption decryption algorithm with x as the witness that C is satisfiable. It is easy to veryify correctness. On any input x where C(x) = 0 the lockable program will reject and we can output 0. On the other hand if C(x) = 1 the internal decryption will result in the lock value α and a message will be output. The security argument follows readily and is given below.

While the idea of indistinguishability for rejecting programs might at ﬁrst seem limiting for creating applications, it is important to remember that the actual obfuscator can be correctly used on programs that are not nec-

277 essarily rejecting. The restriction on rejecting programs is needed only in proof steps that invoke the security of the obfuscator and other outside primitives might be used to make other proof steps work. For example, Garg et al. [290] show how to use witness encryption and unique signatures to give an Identity-Based Encryption scheme. But one where the identity one encrypts to is revealed. If we replace the witness encryption scheme, with an indistinguishability obfuscator for rejecting programs, we get an anonoymous IBE scheme [3]. 15

3.8.1 Deﬁning Indistinguishability Obfuscation for Rejecting Pro- grams

We will now deﬁne the notion of rejecting indistinguishability obfuscator (riO). The syntax and correctness properties are similar to that of standard indistinguishability obfuscation. The obfuscator is a compiler which takes as input a circuit, and outputs an obfuscated progam which has identical functionality as the input program. For security, we require that if two circuits reject all inputs, then their obfuscations are computationally indistinguishable.

Syntax Let {Cλ}λ be a circuit family, where each circuit in Cλ has domain

Dλ and co-domain Rλ. A rejecting indistinguishability obfuscator consists of a compiler riO.Obf and an evaluator riO.Eval with the following syntax.

15This resulting construction (perhaps not so surprisingly) is actually very close to what one get if one ﬁrst constructed an IBE scheme from witness encryption using [290] and then applied our techniques from Section 3.5 to hide the identity. If one uses obfuscation for rejecting programs roles these two parts into one.

278 • riO.Obf(1λ,C) : The obfuscator takes as input a security parameter λ ˜ and a circuit C ∈ Cλ. It outputs an obfuscated program C.

• riO.Eval(C,˜ x) : The evaluation algorithm takes as input an obfuscated ˜ program C and an input x ∈ Dλ. It output y ∈ Rλ ∪ {⊥}.

Correctness Here, we will be considering perfect correctness, which requires that the obfuscated program has identical functionality as the input program. Formally, an obfuscator riO = (riO.Obf, riO.Eval) is said to be correct if for all security parameters λ, circuits C ∈ Cλ and inputs x ∈ Dλ,

riO.Eval riO.Obf 1λ,C , x = C(x).

Security We will now deﬁne the security notion for rejecting indistinguishability obfuscator . This notion guarantees that if two programs reject all inputs, then their obfuscations are computationally indistinguishable.

Deﬁnition 3.20. An obfuscation scheme riO = (riO.Obf, riO.Eval) for circuit class {Cλ}λ is said to be a secure rejecting indistinguishability obfuscator if for all PPT adversaries A = (A0, A1), there exists a negligible function negl(·) such that the following function (of λ) is bounded by negl(·):

 λ  (C0,C1, st) ← A0(1 ),

 ˜ Cb ∈ Cλ  1 Pr A1(Cb, st) = b ∧ (∀x, C0(x) = C1(x) = 0) :  −  b ← {0, 1},  2 ˜ λ Cb ← riO.Obf(1 ,Cb)

279 3.8.2 Witness Encryption

In this section, we will deﬁne the notion of witness encryption, ﬁrst introduced by [290]. A witness encryption scheme for an NP language L consists of an encryption algorithm and a decryption algorithm. Using the encryption algorithm, one can encrypt any message for an NP statement x to compute a ciphertext ct. If there exists a witness w proving that x ∈ L, then one can use w to decrypt the ciphertext ct. The security guarantee states that if x∈ / L, then encryption of message m0 for statement x is indistinguishable from encryption of message m1 for statement x. We will now give a formal description of the syntax, correctness and security requirements.

Syntax Let L be an NP language with witness relation R(·, ·) (that is, x ∈ L iﬀ there exists a witness w such that R(x, w) = 1). Let n = n(|x|) be a polynomial denoting the length of witness for statement x. A witness encryption scheme WE for language L and message space M consists of the following algorithms.

• WE.Enc(1λ, x, m): The encryption algorithm takes as input security parameter λ, statement x and message m ∈ M, and outputs a ciphertext ct.

• WE.Dec(ct, w): The decryption algorithm takes as input a ciphertext ct, witness w and outputs y ∈ M ∪ {⊥}.

280 Correctness For simplicity, we will deﬁne perfect correctness.

Deﬁnition 3.21. A witness encryption scheme (WE.Enc, WE.Dec) for language L and message space M is said to be (perfectly) correct if, for all security parameters λ, statements x ∈ L, witnesses w s.t. R(x, w) = 1 and messages m ∈ M, WE.Dec(WE.Enc(1λ, x, m), w) = m.

Security We will be using the adaptive soundness security deﬁnition from the work of Bellare and Hoang [80].

Deﬁnition 3.22. A witness encryption scheme WE = (WE.Enc, WE.Dec) for language L and message space M is said to be secure if for all security parameters λ, PPT adversaries A = (A0, A1),

λ (x, m0, m1, st) ← A0(1 ) 1 Pr x∈ / L ∧ A1(ct, st) = b : λ ≤ + negl(λ). b ← {0, 1}, ct ← WE.Enc(1 , x, mb) 2

3.8.3 Construction of Rejecting Indistinguishability Obfuscator from Witness Encrytion

We will show how to construct rejecting indistinguishability obfuscator from witness encryption and lockable obfuscation. Let C = {Cλ}λ be a family of circuits, where each circuit in Cλ has depth d(λ), takes n(λ) bit inputs, outputs a single bit. First, we need to deﬁne an NP relation for our witness encryption scheme. The NP language for our witness encryption scheme will be CIRCUIT-SAT = {C ∈ C : ∃ w s.t. C(w) = 1}. The set of witnesses for any

281 C ∈ CIRCUIT-SAT is {w : C(w) = 1}. The tools required for constructing riO for C are as follows:

- A witness encryption scheme WE = (WE.Enc, WE.Dec) with message

`out space {0, 1} for NP relation CIRCUIT-SAT. Let `ct denote the size of the ciphertext. Further, we will assume a canonical family of circuits

λ λ λ {CWE.Dec}λ where CWE.Dec(ct, w) = WE.Dec(ct, w). The circuit CWE.Dec

has depth dWE.Dec(λ), takes `ct(λ) + n(λ) bit inputs, and outputs `out(λ) bits.

- An lockable obfuscation scheme (Obf, Eval) with message space {0, 1} for

circuit class Cn,`out,d+dWE.Dec .

We will now describe the obfuscation and evaluation algorithms.

• riO.Obf(1λ,C): The obfuscation algorithm ﬁrst chooses a uniformly ran-

dom string α ← {0, 1}`out . Next, it computes a WE ciphertext ct ←

λ 16 WE.Enc(1 , C, α). Let Qct,C (·) be the circuit deﬁned in Figure 3.7. The ˜ λ obfuscator then computes an lockable obfuscation C ← Obf(1 ,Qct,C , 1, α). The ﬁnal obfuscation is C˜.

• riO.Eval(C,˜ x): The evaluation algorithm ﬁrst computes y = Eval(C,˜ x). If y = 1, the riO evaluator outputs 1, else it outputs 0.

16By circuit C, we represent the statement that ∃ w such that C(w) = 1.

282 Correctness We need to show that the obfuscated program has identical functionality as the original (input) program. Fix any security parameter λ,

n circuit C ∈ Cλ and input x ∈ {0, 1} . Let α be the random string chosen during obfuscation, ct ← WE.Enc(1λ, C, α) and C˜ ← Obf(1λ, 1, α).

`out ˜ If C(x) = 0, then Qct,C (x) = 0 . As a result, Eval(C, x) = ⊥ with all but negligible probability over the coins chosen during lockable obfuscation (assuming the semi-statistical correctness of lockable obfuscation scheme). Hence, riO.Eval(C,˜ x) = 0 with all but negligible probability.

If C(x) = 1, then Qct,C (w) = α (assuming perfect correctness of the witness encryption scheme), and hence riO.Eval(C,˜ x) = Eval(C,˜ x) = 1 (assuming correctness of lockable obfuscation scheme).

3.8.3.1 Security

We will prove security by deﬁning a sequence of computationally indistinguishable hybrids, and ﬁnally showing that in the last hybrid, the adversary has zero advantage. At a high level, our proof works as follows. Recall that the adversary must output two programs that reject all inputs. As a result, if we encrypt a string α to either of these programs using the witness encryption scheme, then α is computationally hidden. Hence, we can replace α with the all-zeroes string. Having done this, we can now use the security of our lockable obfuscation scheme to simulate the obfuscated program.

We will now formally deﬁne the hybrid experiments.

283 Hybrid H0 : This corresponds to the real experiment.

1. The challenger receives as input two circuits C0,C1 such that both circuits output 0 on all inputs.

2. The challenger chooses a uniformly random string α ← {0, 1}`out and b ← {0, 1}.

λ 3. It then computes ct ← WE.Enc(1 ,Cb, α).

˜ λ ˜ 4. Finally, it computes C ← Obf(1 ,Qct,Cb , 1, α) and sends C to the adversary. The adversary outputs a bit b0 and wins if b = b0.

Hybrid H1 : This hybrid is similar to the previous one, except that the challenger encrypts 0`out instead of α.

λ `out 3. It then computes ct ← WE.Enc(1 ,Cb, 0 ).

Hybrid H2 : In this hybrid experiment, the challenger uses the simulator for the lockable obfuscation scheme to output the ﬁnal obfuscation. Let Sim be

the simulator for the lockable obfuscation scheme. Let s = |Qct,C0 | = |Qct,C1 |.

4. Finally, it computes C˜ ← Sim(1λ, 1s) and sends C˜ to the adversary. The adversary outputs a bit b0 and wins if b = b0.

i Let advA denote the advantage of adversary A in hybrid Hi.

284 Claim 3.9. Assuming the witness encryption scheme WE is secure, for any

0 1 PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. Suppose, on the contrary, there exists a PPT adversary A such that

0 1 |advA − advA| = . We will use A to construct a reduction algorithm B that breaks the security of WE.

The adversary ﬁrst sends two circuits C0,C1. The reduction algorithm

`out `out chooses a string α ← {0, 1} , b ← {0, 1} and sends Cb, α, 0 to the witness encryption challenger. It receives a ciphertext ct. It then computes C˜ ←

λ ˜ Obf(1 ,Qct,C , 1, α) and sends C to the adversary. The adversary sends its guess b0. If b = b0, the reduction algorithm guesses that α was encrypted, else it guesses that 0`out was encrypted.

Claim 3.10. Assuming the security of lockable obfuscation scheme, for any

1 2 PPT adversary A, |advA − advA| ≤ negl(λ).

Proof. Suppose, on the contrary, there exists a PPT adversary A such that

0 1 |advA − advA| = . We will use A to construct a reduction algorithm B that breaks the security of the lockable obfuscation scheme.

The adversary sends two circuits C0,C1. The reduction algorithm ﬁrst

`out chooses b ← {0, 1} and computes an encryption of 0 for Cb; that is, it

λ `out computes ct ← WE.Enc(1 ,Cb, 0 ). It then sends circuit Qct,Cb and message 1 to the lockable obfuscator challenger, and receives an obfuscated program C˜

285 which it forwards to A. If A guesses correctly, then B guesses that C˜ is an honestly computed obfuscation, else it guesses that C˜ is simulated.

2 Claim 3.11. For any adversary A, |advA| = 0.

Proof. This follows directly from the deﬁnition of hybrid H2. Note that the

challenger only requires the size of Qct,Cb , and this is independent of b since ˜ |C0| = |C1|. As a result, the ﬁnal obfuscated program C contains no information about the bit b.

3.9 Upgrading Broadcast Encryption to Anonymous Broad- cast Encryption

The notion of broadcast encryption was ﬁrst formally discussed in [266]. In a broadcast encryption scheme, we have a set of N users. There is a common public key for all the N users, and each user has a private decryption key. Using the encryption algorithm, one can encrypt a message for any subset of users. Suppose message m is encrypted for set S. Then any person in set S must be able to recover m using the decryption key, and if person i is not in the set S, then person i should not learn the message m. For eﬃciency/succinctness, we require that the size of the ciphertext be at most |S| + poly(λ), where λ is the security parameter.

While hiding the message might suﬃce for certain applications, one might be interested in the case where even the set S is hidden. This is referred

286 to as anonymous/recipient-private broadcast encryption, introduced by [71]. In this work, we will consider a weaker notion which we call one-sided anonymous broadcast encryption. Here, if a message is encrypted for a set S, then for any user i∈ / S, both the message and the set S will be hidden.

In this section, we will ﬁrst deﬁne the notions of broadcast encryption and one-sided anonymous broadcast encryption, and then show how to transform any broadcast encryption scheme to a one-sided anonymous broadcast encryption scheme.

3.9.1 Preliminaries

We will ﬁrst introduce the syntax, correctness and security properties of broadcast encryption. A broadcast encryption scheme BE with message space M consists of the following algorithms.

• Setup(1λ,N): The setup algorithm takes as input the security parameter λ and a bound N on the total number of users. It outputs a pubic key

pk and N decryption keys sk1,..., skN .

• Enc(pk, m ∈ M,S ⊆ [N]): The encryption algorithm takes as input the public key pk, a message m ∈ M and a subset S ⊆ [N] . It outputs a ciphertext ct.

• Dec(sk, ct): The decryption algorithm takes as input a secret key sk and a ciphertext ct, and outputs y ∈ M ∪ {⊥}.

287 Correctness We require that for all security parameters λ and bound N on total number of users, for all sets S ⊆ [N], messages m ∈ M,(pk, {sk1,..., skN }) ←

λ N Setup(1 , 1 ) and ct ← Encrypt(pk, m, S), if i ∈ S, then Dec(ski, ct) = m.

Succinctness For succinctness, we require that for all λ, N,(pk, {sk1,..., skN }) ← Setup(1λ,N), messages m ∈ M and S ⊆ [N], if ct ← Enc(pk, m, S) then |ct| ≤ poly(λ) + |S|.

3.9.1.1 Security

We will now present two diﬀerent notions of security. The ﬁrst one only hides the message encrypted, while the second notion requires that the set of users associated with a ciphertext is also hidden.

Deﬁnition 3.23. Let BE = (Setup, Enc, Dec) be a broadcast encryption scheme. Consider the following security game between a challenger and an adversary A.

λ N • Setup Phase The challenger chooses (pk, (sk1,..., skN )) ← Setup(1 , 1 ) and sends pk to A.

• Pre-Challenge Query Phase In this phase, the adversary queries for

secret keys. It sends an index i ∈ [N], and receives the secret key ski.

• Challenge Phase The adversary sends two challenge messages m0, m1

and a set S. The challenger chooses b ← {0, 1}, computes ct ← Enc(pk, mb,S) and sends ct to the challenger.

288 • Post-Challenge Query Phase This is similar to the pre-challenge query phase. In this phase, the adversary sends an index i ∈ [N], and

receives the secret key ski.

• Guess The adversary ﬁnally sends its guess b0. Let Q be the set of indices queried by A. The adversary wins if b = b0 and Q ∩ S = φ.

The scheme is said to be secure if for all security parameters λ and all PPT adversaries A, the advantage of A in the above security game is at most negligible.

Deﬁnition 3.24 (One-sided anonymous broadcast encryption). Let BE = (Setup, Enc, Dec) be a broadcast encryption scheme. Consider the following security game between a challenger and an adversary A.

λ N • Setup Phase The challenger chooses (pk, (sk1,..., skN )) ← Setup(1 , 1 ) and sends pk to A.

• Pre-Challenge Query Phase In this phase, the adversary queries for

secret keys. It sends an index i ∈ [N], and receives the secret key ski.

• Challenge Phase The adversary sends two challenge messages m0, m1

and two sets S0,S1. The challenger chooses b ← {0, 1}, computes ct ←

Enc(pk, mb,Sb) and sends ct to the challenger.

• Post-Challenge Query Phase This is similar to the pre-challenge query phase. In this phase, the adversary sends an index i ∈ [N], and

receives the secret key ski.

289 • Guess The adversary ﬁnally sends its guess b0. Let Q be the set of

0 indices queried by A. The adversary wins if b = b and Q∩(S0 ∪S1) = φ.

The scheme is said to be secure if for all security parameters λ and all PPT adversaries A, the advantage of A in the above security game is at most negligible.

3.9.2 Upgrading Broadcast Encryption to One-Sided Anonymous Broadcast Encryption

In this section, we will show how to upgrade any broadcast encryption scheme to achieve one-sided anonymity. Let BE = (BE.Setup, BE.Enc, BE.Dec)

∗ be a broadcast encryption scheme with message space {0, 1} . Let `ct(λ) denote the length of ciphertext corresponding to message m ∈ {0, 1}λ. Our scheme with one-sided anonymity aBE = (aBE.Setup, aBE.Enc, aBE.Dec) uses the following cryptographic primitives:

- PRF F with keyspace K, input space {0, 1}λ and output space {0, 1}. Let

dF denote depth of circuit evaluating F (·, ·).

- Leveled homomorphic encryption scheme LHE = (LHE.Setup, LHE.Enc, LHE.Dec, LHE.Eval) with decryption circuit having depth bounded by

dLHE(·).

- Lockable obfuscation scheme (Obf, Eval)

The scheme can be described as follows.

290 λ N • aBE.Setup(1 , 1 ): The setup algorithm computes (pk, {sk1,..., skN }) ←

λ N BE.Setup(1 , 1 ) and outputs pk as the public key and {sk1,..., skN } as the secret keys.

• aBE.Enc(pk, m, S): The encryption algorithm ﬁrst chooses a random string α ← {0, 1}λ and computes ct0 ← BE.Enc(pk, α, S). Next, it

chooses a PRF key K ← K and LHE keys (lhe.pk, lhe.sk) ← LHE.Setup(1λ, 1dF ).

It computes mask = (F (K, 1),F (K, 2),...,F (K, `ct)) and sets ct1 =

0 ct ⊕ mask. Let ct2 ← LHE.Enc(lhe.pk,K). Finally, let CLHE.Dec be the LHE decryption circuit with lhe.sk hardwired. The encryption al-

gorithm computes P ← Obf(CLHE.Dec, α, m). The ﬁnal ciphertext is

ct = (ct1, ct2,P, lhe.pk).

• aBE.Dec(sk, ct = (ct1, ct2,P, lhe.pk)): The decryption algorithm ﬁrst computes an LHE evaluation using the encryption of PRF key. Consider

a circuit CF that takes as input a PRF key K and outputs (F (K, 1),

F (K, 2), ..., F (K, `ct)). The decryption algorithm performs LHE eval-

uation on ct2 with CF . It computes cte 2 = LHE.Eval(ct2,CF ). Next, let

Cct1⊕ denote the function that has ct1 hardwired, takes input y and out-

puts ct1⊕y. The decryption algorithm computes cte 1 = LHE.Eval(cte 2,Cct1⊕).

Next, consider the circuit CBE.Dec = BE.Dec(sk, ·) which has a secret key

sk hardwired. Let cte = LHE.Eval(cte 1,CBE.Dec). Finally, the decryption algorithm outputs y = Eval(P, cte ).

291 Correctness Fix any security parameter λ, N ∈ N, message m ∈ {0, 1}λ λ and set S ⊆ [N]. Let (pk, {sk1,..., skN }) ← aBE.Setup(1 ,N) be the public/secret keys. The encryption algorithm chooses α ← {0, 1}λ, K ← K,

λ dF 0 (lhe.pk, lhe.sk) ← LHE.Setup(1 , 1 ) and sets ct ← BE.Enc(pk, α, S), ct2 =

LHE.Enc(lhe.pk,K). Finally, it computes P ← Obf(CLHE.Dec, α, m).

The decryption algorithm ﬁrst computes cte 2 = LHE.Eval(ct2,CF ). Note that cte 2 is an LHE encryption of mask = (F (K, 1),...,F (K, `ct)). Next, the decryption algorithm computes cte 1 = LHE.Eval(cte 2,Cct1⊕). By construction, it follows that BE.Dec(sk, LHE.Dec(lhe.sk, cte 1)) = α. Therefore, cte =

LHE.Eval(cte 1,CBE.Dec) is an LHE encryption of α. As a result, the obfuscated program P , when evaluated with input cte , outputs m.

Efficiency The ciphertext in our anonymous broadcast encryption scheme consists of three components. The first component ct1 has size `ct(λ) = poly1(λ) + N. This follows from the efficiency of the underlying broadcast encryption scheme. Next, the second component is an LHE encryption of

PRF key K, and therefore its size is bounded by poly2(λ), independent of N. Finally, the last component is an obfuscation of LHE decryption circuit. This also depends only on the security parameter, and is independent of N. As a result, the ciphertext output by our anonymous broadcast encryption scheme has size poly(λ) + N.

292 3.9.2.1 Security

In this section, we will show that the scheme described above satisfies the one-sided anonymity definition (see Definition 3.24). We will prove security via a sequence of hybrid experiments H0,H1, where H0 corresponds to the original security game.

Hybrid H0

λ N • Setup Phase The challenger chooses (pk, (sk1,..., skN )) ← BE.Setup(1 , 1 ) and sends pk to A.

• Pre-Challenge Query Phase In this phase, the adversary queries for

secret keys. It sends an index i ∈ [N], and receives the secret key ski.

• Challenge Phase The adversary sends two challenge messages m0, m1

and two sets S0,S1. The challenger chooses b ← {0, 1}.

λ 0 1. It chooses α ← {0, 1} and computes ct ← BE.Enc(pk, α, Sb).

2. Next it chooses a PRF key K and sets mask = (F (K, 1),F (K, 2),...,

0 F (K, `ct)), ct1 = ct ⊕ mask.

3. It then chooses LHE keys (lhe.pk, lhe.sk) ← LHE.Setup(1λ, 1dF ) and

sets ct2 ← LHE.Enc(lhe.pk,K).

4. Finally, let CLHE.Dec be the LHE decryption circuit with lhe.sk hard-

wired. The challenger computes P ← Obf(CLHE.Dec, α, mb) and out-

puts (ct1, ct2,P ).

293 • Post-Challenge Query Phase This is similar to the pre-challenge query phase. In this phase, the adversary sends an index i ∈ [N], and

receives the secret key ski.

• Guess The adversary ﬁnally sends its guess b0. Let Q be the set of

0 indices queried by A. The adversary wins if b = b and Q∩(S0 ∪S1) = φ.

Hybrid H1 This hybrid is identical to the previous one, except that the challenger computes a broadcast encryption of 0 instead of the lock α.

λ 0 1. It chooses α ← {0, 1} and computes ct ← BE.Enc(pk, 0,Sb).

Hybrid H2 In this hybrid experiment, the challenger simulates the obfuscated program. Instead of computing P ← obf(CLHE.Dec, α, mb), it computes

P ← Sim(1|CLHE.Dec|, 1|mb|).

4. Finally, let CLHE.Dec be the LHE decryption circuit with lhe.sk hard-

wired. The challenger computes P ← Sim(1|CLHE.Dec|, 1|mb|) and outputs

(ct1, ct2,P ).

Hybrid H3 In this hybrid experiment, the challenger replaces the LHE encryption of PRF key K with encryption of 0.

3. It then chooses LHE keys (lhe.pk, lhe.sk) ← LHE.Setup(1λ, 1dF ) and sets

ct2 ← LHE.Enc(lhe.pk, 0).

294 Hybrid H4 This experiment is similar to the previous one, except that the challenger sets ct1 to be a uniformly random string.

`ct 2. Next it chooses ct1 ← {0, 1} .

i Analysis For any PPT adversary A, let advA denote the advantage of A in the hybrid experiment Hi.

Claim 3.12. Assuming BE is a secure broadcast encryption scheme, for any

0 1 PPT adversary A, advA − advA ≤ negl(λ).

Proof. The only diﬀerence between these two hybrids is with regard to the

0 ciphertext component ct . In hybrid H0, the challenger computes a broadcast encryption of α, while in H1, it computes an encryption of 0. Also, note that the adversary’s queries lie outside the set S0 ∪ S1. Suppose there exists

0 1 an adversary A such that advA − advA = . We will use A to construct a reduction algorithm B that breaks the security of BE.

The reduction algorithm B ﬁrst receives the public key from the challenger, which it then forwards to the adversary. Next, it receives secret key queries from the adversary, which it forwards to the challenger. For each key query i, the challenger sends ski to B, and the reduction algorithm forwards it to A. Next, the adversary sends two challenge messages m0, m1 together with sets S0,S1. The reduction algorithm ﬁrst chooses a bit b ← {0, 1}. It then sends mb, 0 as the challenge messages, and Sb as the challenge set. The challenger sends back the challenge ciphertext ct0. The reduction algorithm

295 then chooses a PRF key K, LHE keys (lhe.pk, lhe.sk) ← LHE.Setup(1λ, 1dF ),

0 sets ct1 = ct ⊕ (F (K, 1),...,F (K, `ct)), ct2 ← LHE.Enc(lhe.pk,K) and P ←

Obf(CLHE.Dec, α, mb). It sends (ct1, ct2,P ) to A. Next, the adversary sends post-challenge queries which are handled similar to the pre-challenge ones. Fi- nally, if the adversary’s guess is correct, the reduction algorithm guesses that

0 0 ct is encryption of 0, else it guesses that ct is encryption of mb.

Depending on whether the challenger sends an encryption of mb or 0, the reduction algorithm simulates either hybrid experiment H0 or H1.

Claim 3.13. Assuming (Obf, Eval) is a secure lockable obfuscation scheme,

1 2 for any PPT adversary A, advA − advA ≤ negl(λ).

Proof. Suppose, on the contrary, there exists a PPT adversary A such that

1 2 advA − advA = for some non-negligible function . We will use A to build a reduction algorithm B that breaks the security of lockable obfuscation scheme.

The reduction algorithm ﬁrst chooses the public/secret keys of broadcast encryption scheme and sends the public key to A. Next, it handles the queries of the adversary using the secret keys. In the challenge phase, the adversary sends m0, m1 and subsets S0,S1. The reduction algorithm chooses

0 b ← {0, 1} and computes ct ← BE.Enc(pk, 0,Sb). It chooses PRF key K,

0 LHE keys (lhe.pk, lhe.sk) and sets ct1 = ct ⊕ (F (K, 1),...,F (K, `ct)) and ct2 ← LHE.Enc(lhe.pk, K). Next, it sends CLHE.Dec and message mb to the challenger and receives an obfuscated program P . It sends (ct1, ct2,P ) to A. The adversary ﬁnally sends its guess. If the guess is correct, the reduction

296 algorithm guesses that P is a simulated obfuscation, else it guesses that P is an honestly computed obfuscation.

Note that the lock used by the obfuscator is not used anywhere else in hybrids H1 and H2. As a result, the simulator can correctly simulate either

H1 or H2 depending on whether P is simulated or not.

Claim 3.14. Assuming LHE is a secure leveled homomorphic encryption scheme,

2 3 for any PPT adversary A, advA − advA ≤ negl(λ).

Proof. The only diﬀerence between these two hybrids is that in one case, the challenge ciphertext has an LHE encryption of the PRF key K, while in the other case, it is replaced by an encryption of 0. Suppose there exists an adversary that can distinguish between the two hybrids with advantage . We will use this adversary to break the INDCPA security of LHE.

0 b ← {0, 1} and computes ct ← BE.Enc(pk, 0,Sb). It chooses PRF key K, LHE

0 keys (lhe.pk, lhe.sk) and sets ct1 = ct ⊕ (F (K, 1),...,F (K, `ct)).

Next, the reduction algorithm sends K, 0 to the challenger. It receives an LHE public key lhe.pk and ciphertext ct2 from the challenger. Next, it

|CLHE.Dec| |mb| computes P ← Sim(1 , 1 ) and sends (ct1, ct2,P, lhe.pk) to A. The adversary ﬁnally sends its guess. If the guess is correct, the reduction algorithm

297 guesses that ct2 is an encryption of 0, else it guesses that it is an encryption of K.

Note that since the obfuscated program P is simulated, the reduction algorithm does not require the LHE secret key.

Claim 3.15. Assuming F is a secure pseudorandom function, for any adver-

3 4 sary A, advA − advA ≤ negl(λ).

Proof. The only diﬀerence between these two hybrids is that in one case, mask = (F (K, 1),...,F (K, `ct)), while in the other case, mask is uniformly random. Note that the PRF key is not required anywhere else in the security game (in particular, recall that ct2 is an encryption of 0). As a result, it follows directly from the security of PRF F that no PPT adversary can distinguish between these two hybrids with advantage greater than negl(λ).

4 Claim 3.16. For an adversary A, advA = 0.

Proof. In hybrid H4, the ciphertext component ct1 is a uniformly random string, ct2 is an LHE encryption of 0 and P is a simulated program which is independent of the bit b chosen by challenger. As a result, any adversary A has zero advantage in this experiment.

298 Comp-Gen (i) n (i) o (i) (i) (a) Let BP = σj,b : [5] → [5] , acc ∈ [5], rej ∈ [5] j∈[L],b∈{0,1} for all i ≤ `PRG.

(b) First, for each i ≤ `PRG, j ∈ [0,L − 1], it chooses a matrix of dimensions 5n × m along with its trapdoors (independently) as (i) (i) 5n m (i) (Bj ,Tj ) ← TrapGen(1 , 1 , q). The matrix Bj can be parsed as follows  (i) Bj,1 (i)  .  Bj =  .   (i) Bj,5

(i) n×m (i) where matrices Bj,k ∈ Zq for k ≤ 5. The matrix Bj,k corresponds to state k at level j of branching program BP(i).

(i) (c) For the top level, it chooses top level matrices BL,k for each i ≤ `PRG, k ≤ 5, uniformly at random, subject to the following constraint:

X (i) X (i) B + B = 0n×m if msg = 0. L,rej(i) L,acc(i) i : βi=0 i : βi=1

X (i) X (i) √ h i B + B = q · I || 0n×(m−n) if msg = 1. L,rej(i) L,acc(i) n i : βi=0 i : βi=1

(d) For each level level ∈ [1,L], do the following:

(0) (1) n×n (i,0) (i,1) 5n×m i. Choose matrices Slevel, Slevel ← χ and Elevel , Elevel ← χ (0) (1) for i ≤ `PRG. If either Slevel or Slevel has determinant zero, then set it to be In. (i,b) ii. For b ∈ {0, 1}, set matrix Dlevel as a permutation of the matrix (i) (i) blocks of Blevel according to the permutation σlevel,b(·). More formally, for i ≤ `PRG, set   B(i) level,σ(i) (1)  level,b  (i,b)  .  D =  .  . level    (i)  B (i) level,σlevel,b(5)

(i,b) (b) (i,b) (i,b) iii. Set Mlevel = I5 ⊗ Slevel · Dlevel + Elevel for i ≤ `PRG. (i,b) (i) (i) (i,b) iv. Compute Clevel ← SamplePre299 (Blevel−1,Tlevel−1, σ, Mlevel)

n (i) o (i,0) (i,1) (e) Output B0,1 , {(Clevel , Clevel )}i≤`PRG,level≤L . i Figure 3.1: Routine Comp-Gen Comp-Eval Input: Input string z, Components n (i) o (i,0) (i,1) B0,1 , {(Clevel , Clevel )}i≤`PRG,level≤L . i Output: y ∈ {0, 1, ⊥}.

(a) For each i ∈ [1, `PRG], do the following

(i) (i) i. Set M = B0,1. ii. For j = 1 to L, do the following (i) (i) (i,0) (i) - If zinp(j) = 0, set M = M · Cj . Else, set M = (i) (i,1) M · Cj .

P (i) h (1) (2)i (1) (b) Compute M = i M . Let M = M || M where M ∈ Zqn × n (i.e. a square matrix). Next, do the following

- If kMk∞ ≤ Bd, output 0.

(2) - Otherwise, if M ≤ Bd and kMk∞ ∈ √ √ ∞ q − Bd, ( q + 1) · Bd, output 1. - Else output ⊥.

Figure 3.2: Routine Comp-Eval

Program Progsk

Constants: Secret key sk. Inputs: Ciphertexts ct1,..., ctn.

1. Let sk1 = sk. For i = 1 to n:

(a) Decrypt cti as (sk(i mod n)+1, α(i mod n)+1) = Dec(ski, cti).

2. If any decryption step fails, output ⊥. Otherwise, output α1. Figure 3.3: n-Cycle Tester

300 Program BPsk

Constants: Secret key sk. Inputs: Ciphertexts ct1,..., ctn.

1. For i = 1 to k:

(a) Decrypt cti+`1 as αi = Dec(sk, cti+`1 ). 2. If any decryption step fails, output ⊥. Otherwise, output α = α1 || · · · || αk.

Figure 3.4: Bit Encryption 1-Cycle Tester

Program UPlhe.sk

Constants: Secret key lhe.sk. Inputs: Ciphertext ct.

1. Decrypt ct as (sk0, α) = LHE.Dec(lhe.sk, ct). Output α.

Figure 3.5: Tester for Unbounded Length Key Cycles Program Progfhe.sk

Constants: Secret key fhe.sk. Inputs: Ciphertexts ct1,..., ct`.

1. Decrypt cti as αi = FHE.Dec(fhe.sk, cti). 2. If any decryption step fails, output ⊥. Otherwise, output α1 || · · · || α`.

Figure 3.6: FO

Program Qct,C

Constants: Ciphertext ct, circuit C. Inputs: String w ∈ {0, 1}n.

1. If C(w) = 0, output 0`out .

2. Else output WE.Dec(ct, w).

Figure 3.7: Program Qct,C

301 Index

Abstract, v Acknowledgments, iv

Bibliography, 389

Indistinguishability Obfuscation for Turing Machines, 13, 22 Introduction, 1

Lockable Obfuscation, 16 Lockable Obfuscation , 183

302 Bibliography

[1] 104th United States Congress. Health Insurance Portability and Ac- countability A (HIPPA), 1996. http://aspe.hhs.gov/admnsimp/pl104191.htm; Last access: August 16, 2004.

[2] Martin Abadi and Phillip Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). J. Cryptology, 15(2):103–127, 2002.

[3] Michel Abdalla, Mihir Bellare, Dario Catalano, Eike Kiltz, Tadayoshi Kohno, Tanja Lange, John Malone-Lee, Gregory Neven, Pascal Paillier, and Haixia Shi. Searchable encryption revisited: Consistency properties, relation to anonymous ibe, and extensions. In Annual International Cryptology Conference, 2005.

[4] Michel Abdalla, Mihir Bellare, and Gregory Neven. Robust encryption. Cryptology ePrint Archive, Report 2008/440, 2008.

[5] Michel Abdalla, Dario Catalano, and Dario Fiore. Veriﬁable random functions: Relations to identity-based key encapsulation and new constructions. J. Cryptol., 27(3):544–593, July 2014.

[6] Michel Abdalla, Chanathip Namprempre, and Gregory Neven. On the (im)possibility of blind message authentication codes. In CT-RSA ’06,

303 volume 3860 of LNCS, pages 262–279, 2006.

[7] Masayuki Abe. A secure three-move blind signature scheme for polynomially many signatures. In EUROCRYPT ’01, volume 2045 of LNCS, pages 136–151, 2001.

[8] Tolga Acar, Mira Belenkiy, Mihir Bellare, and David Cash. Crypto- graphic agility and its relation to circular encryption. In EUROCRYPT ’10, volume 6110 of LNCS, pages 403–422. Springer, 2010.

[9] Pedro Adao, Gergei Bana, Jonathan Herzog, and Andre Scedrov. Sound- ness of formal encryption in the presence of key-cycles. In ESORICS ’05, volume 3679 of LNCS, pages 374–396, 2005.

[10] Pedro Ad˜ao,Gergei Bana, Jonathan Herzog, and Andre Scedrov. Sound- ness and completeness of formal encryption: The cases of key cycles and partial information leakage. Journal of Computer Security, 17(5):737– 797, 2009.

[11] Ben Adida, Susan Hohenberger, and Ronald L. Rivest. Ad-hoc group signatures from hijacked keypairs. In DIMACS Workshop on Theft in E-Commerce (preliminary version), April 2005.

[12] A. Adya, W. Bolosky, M. Castro, R. Chaiken, G. Cermak, J. Douceur, J. Howell, J. Lorch, M. Theimer, and R. Wattenhofer. Farsite: feder- ated, available, and reliable storage for an incompletely trusted environ- ment. SIGOPS Oper. Syst. Rev., 36(SI):1–14, 2002.

304 [13] Divesh Aggarwal, Daniel Dadush, Oded Regev, and Noah Stephens- Davidowitz. Solving the shortest vector problem in 2n time using discrete gaussian sampling: Extended abstract. In Proceedings of the Forty-seventh Annual ACM Symposium on Theory of Computing, STOC ’15, pages 733–742, New York, NY, USA, 2015. ACM.

[14] Shweta Agrawal, Dan Boneh, and Xavier Boyen. Eﬃcient lattice (H)IBE in the standard model. In Advances in Cryptology - EUROCRYPT, pages 553–572, 2010.

[15] Shweta Agrawal, Dan Boneh, and Xavier Boyen. Eﬃcient lattice (h)ibe in the standard model. In Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT’10, pages 553–572, Berlin, Heidelberg, 2010. Springer- Verlag.

[16] Shweta Agrawal, Dan Boneh, and Xavier Boyen. Lattice basis delegation in ﬁxed dimension and shorter-ciphertext hierarchical ibe. In Proceedings of the 30th annual conference on Advances in cryptology, CRYPTO’10, pages 98–115, Berlin, Heidelberg, 2010. Springer-Verlag.

[17] Shweta Agrawal, David Mandell Freeman, and Vinod Vaikuntanathan. Functional encryption for inner product predicates from learning with errors. In Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security, ASI- ACRYPT’11, 2011.

305 [18] Shweta Agrawal, Craig Gentry, Shai Halevi, and Amit Sahai. Discrete gaussian leftover hash lemma over inﬁnite domains. Cryptology ePrint Archive, Report 2012/714, 2012.

[19] Shweta Agrawal, Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Functional encryption: New perspectives and lower bounds. Cryptology ePrint Archive, Report 2012/468, 2012.

[20] Alfred V. Aho, editor. Proceedings of the 19th Annual ACM Symposium on Theory of Computing, 1987, New York, New York, USA. ACM, 1987.

[21] Mikl´osAjtai. Generating hard instances of the short basis problem. In Automata, Languages and Programming, 26th International Colloquium, ICALP’99, Prague, Czech Republic, July 11-15, 1999, Proceedings, pages 1–9, 1999.

[22] Mikl´osAjtai, Ravi Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proceedings of the Thirty-third Annual ACM Symposium on Theory of Computing, STOC ’01, pages 601–610, New York, NY, USA, 2001. ACM.

[23] Adi Akavia, Shaﬁ Goldwasser, and Vinod Vaikuntanathan. Simultane- ous hardcore bits and cryptography against memory attacks. In TCC ’09, volume 5444 of LNCS, pages 474–495, 2009.

[24] Navid Alamati and Chris Peikert. Three’s compromised too: Circular insecurity for any cycle length from (ring-)lwe. In Advances in Cryp-

306 tology - CRYPTO 2016 - 36th Annual International Cryptology Confer- ence, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part II, pages 659–680, 2016.

[25] Martin R. Albrecht, Pooya Farshim, Dennis Hofheinz, Enrique Larraia, and Kenneth G. Paterson. Multilinear maps from obfuscation. In Theory of Cryptography - 13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10-13, 2016, Proceedings, Part I, pages 446– 473, 2016.

[26] Jacob Alperin-Sheriﬀ and Chris Peikert. Circular and KDM security for identity-based encryption. In Public Key Cryptography, pages 334–352, 2012.

[27] Jacob Alperin-Sheriﬀ and Chris Peikert. Circular and KDM security for identity-based encryption. In Public Key Cryptography - PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, May 21-23, 2012. Proceedings, pages 334–352, 2012.

[28] Jo¨elAlwen and Chris Peikert. Generating shorter bases for hard random lattices. In 26th International Symposium on Theoretical Aspects of Computer Science, STACS 2009, February 26-28, 2009, Freiburg, Ger- many, Proceedings, pages 75–86, 2009.

[29] Jee Hea An, Yevgeniy Dodis, and Tal Rabin. On the security of joint

307 signature and encryption. In Proceedings of Eurocrypt ’02, volume 2332 of Lecture Notes in Computer Science, pages 83–107, 2002.

[30] Prabhanjan Ananth, Dan Boneh, Sanjam Garg, Amit Sahai, and Mark Zhandry. Diﬀering-inputs obfuscation and applications. IACR Cryp- tology ePrint Archive, 2013:689, 2013.

[31] Prabhanjan Ananth, Zvika Brakerski, Gil Segev, and Vinod Vaikun- tanathan. From selective to adaptive security in functional encryption. In Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part II, pages 657–677, 2015.

[32] Prabhanjan Ananth, Yu-Chi Chen, Kai-Min Chung, Huijia Lin, and Wei- Kai Lin. Delegating RAM computations with adaptive soundness and privacy. In Theory of Cryptography - 14th International Conference, TCC 2016-B, Beijing, China, October 31 - November 3, 2016, Proceed- ings, Part II, pages 3–30, 2016.

[33] Prabhanjan Ananth and Abhishek Jain. Indistinguishability obfuscation from compact functional encryption. In Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, pages 308–326, 2015.

[34] Prabhanjan Ananth, Abhishek Jain, and Amit Sahai. Achieving compactness generically: Indistinguishability obfuscation from non-compact functional encryption. IACR Cryptology ePrint Archive, 2015.

308 [35] Prabhanjan Ananth, Abhishek Jain, and Amit Sahai. Patchable indistinguishability obfuscation: iO for evolving software. In Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International Confer- ence on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part III, pages 127–155, 2017.

[36] Prabhanjan Ananth and Amit Sahai. Functional encryption for turing machines. In Proceedings, Part I, of the 13th International Conference on Theory of Cryptography - Volume 9562, TCC 2016-A, pages 125–153, New York, NY, USA, 2016. Springer-Verlag New York, Inc.

[37] Prabhanjan Ananth and Amit Sahai. Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps. In EUROCRYPT, 2016.

[38] Prabhanjan Vijendra Ananth and Amit Sahai. Functional encryption for turing machines. In Theory of Cryptography - 13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10-13, 2016, Pro- ceedings, Part I, pages 125–153, 2016.

[39] Daniel Apon, Nico D¨ottling,Sanjam Garg, and Pratyay Mukherjee. Cryptanalysis of indistinguishability obfuscations of circuits over ggh13. Cryptology ePrint Archive, Report 2016/1003, 2016.

[40] Benny Applebaum. Key-dependent message security: Generic ampliﬁ- cation and completeness. In Advances in Cryptology - EUROCRYPT

309 2011 - 30th Annual International Conference on the Theory and Appli- cations of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings, pages 527–546, 2011.

[41] Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In CRYPTO, pages 595–618, 2009.

[42] Benny Applebaum, Yuval Ishai, and Eyal Kushilevitz. Computationally private randomizing polynomials and their applications. Computational Complexity, 15(2):115–162, 2006.

[43] Benny Applebaum, Yuval Ishai, and Eyal Kushilevitz. Computationally private randomizing polynomials and their applications. Computational Complexity, 15(2):115–162, 2006.

[44] Benny Applebaum, Yuval Ishai, and Eyal Kushilevitz. On pseudorandom generators with linear stretch in nc0. Comput. Complex., 17(1):38– 69, April 2008.

[45] Giuseppe Ateniese, Jan Camenisch, and Breno de Medeiros. Untrace- able RFID tags via insubvertible encryption. In CCS ’05, pages 92–101, 2005.

[46] Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger. Improved Proxy Re-encryption Schemes with Applications to Secure Dis- tributed Storage. In the 12th Annual Network and Distributed Sys-

310 tem Security Symposium, pages 29–43, 2005. Full version available at http://eprint.iacr.org/2005/028.

[47] Nuttapong Attrapadung. Dual system encryption via doubly selective security: Framework, fully secure functional encryption for regular languages, and more. In Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, pages 557–577, 2014.

[48] Nuttapong Attrapadung, Yang Cui, Goichiro Hanaoka, Hideki Imai, Kanta Matsuura, Peng Yang, and Rui Zhang. Relations among notions of security for identity based encryption schemes. Cryptology ePrint Archive, Report 2005/258, 2005. http://eprint.iacr.org/.

[49] M. Backes, B. Pﬁtzmann, and A. Scedrov. Key-dependent message security under active attacks -BRSIM/UC-soundness of Dolev-Yao-style encryption with key cycles. J.of Comp.Security, 16(5):497–530, 2008.

[50] Saikrishna Badrinarayanan, Eric Miles, Amit Sahai, and Mark Zhandry. Post-zeroizing obfuscation: New mathematical tools, and the case of evasive circuits. In Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceed- ings, Part II, 2016.

311 [51] Joonsang Baek, Ron Steinfeld, and Yuliang Zheng. Formal proofs for the security of signcryption. In Proceedings of Public Key Cryptography ’02, volume 2274 of LNCS, pages 80–98, 2002.

[52] Joonsang Baek and Yuliang Zheng. Identity-based threshold decryption, 2003. Cryptology ePrint Archive, Report 2003/164, available at http://eprint.iacr.org/2003/164, to appear in the Proceedings of PKC 2004.

[53] Dirk Balfanz, Glenn Durfee, Narendar Shankar, Diana Smetters, Jessica Staddon, and Hao-Chi Wong. Secret handshakes from pairing-based key agreements. In Proceedings of the 2003 IEEE Symposium on Security and Privacy (SP ’03), page 180, Washington, DC, USA, 2003. IEEE Computer Society.

[54] Dirk Balfanz, Glenn Durfee, Narendar Shankar, Diana Smetters, Jessica Staddon, and Hao-Chi Wong. Secret handshakes from pairing-based key agreements. In SP ’03: Proceedings of the 2003 IEEE Symposium on Security and Privacy, page 180, Washington, DC, USA, 2003. IEEE Computer Society.

[55] Lucas Ballard, Matthew Green, Breno de Medeiros, and Fabian Monrose. Correlation-resistant storage. Technical Report TR-SP-BGMM-050705, Johns Hopkins University, CS Dept, 2005. http://spar.isi.jhu.edu/

~mgreen/correlation.pdf.

312 [56] Lucas Ballard, Matthew Green, Breno de Medeiros, and Fabian Mon- rose. Correlation-resistant storage from keyword searchable encryption. Cryptology ePrint Archive, Report 2005/417, 2005.

[57] Abhishek Banerjee, Chris Peikert, and Alon Rosen. Pseudorandom functions and lattices. In Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Pro- ceedings, pages 719–737, 2012.

[58] Boaz Barak, Nir Bitansky, Ran Canetti, Yael Tauman Kalai, Omer Paneth, and Amit Sahai. Obfuscation for evasive functions. In Theory of Cryptography - 11th Theory of Cryptography Conference, TCC 2014, San Diego, CA, USA, February 24-26, 2014. Proceedings, pages 26–51, 2014.

[59] Boaz Barak, Zvika Brakerski, Ilan Komargodski, and Pravesh K. Kothari. Limits on low-degree pseudorandom generators (or: Sum-of-squares meets program obfuscation). In Advances in Cryptology - EUROCRYPT 2018 - 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018 Proceedings, Part II, pages 649–679, 2018.

[60] Boaz Barak, Sanjam Garg, Yael Tauman Kalai, Omer Paneth, and Amit Sahai. Protecting obfuscation against algebraic attacks. In Advances

313 in Cryptology - EUROCRYPT 2014 - 33rd Annual International Con- ference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, 2014.

[61] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan, and Ke Yang. On the (im)possibility of obfuscating programs. In CRYPTO, pages 1–18, 2001.

[62] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan, and Ke Yang. On the (im)possibility of obfuscating programs. J. ACM, 59(2):6, 2012.

[63] Boaz Barak, Iftach Haitner, Dennis Hofheinz, and Yuval Ishai. Bounded key-dependent message security. In Advances in Cryptology - EURO- CRYPT, pages 423–444, 2010.

[64] Boaz Barak, Shien Jin Ong, and Salil Vadhan. Derandomization in cryptography. SIAM J. Comput., 37(2):380–400, May 2007.

[65] Boaz Barak, Shien Jin Ong, and Salil P. Vadhan. Derandomization in cryptography. In CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 299–315, 2003.

[66] Niko Bari´cand Birgit Pﬁtzmann. Collision-free accumulators and fail- stop signature schemes without trees. In EUROCRYPT ’97, volume 1233 of LNCS, pages 480–494, 1997.

314 [67] Paulo S. L. M. Barreto and Michael Naehrig. Pairing-friendly elliptic curves of prime order. In Selected Areas in Cryptography, 12th Interna- tional Workshop (SAC 2005), pages 319–331, 2005.

[68] Paulo S.L.M. Barreto. The Pairing Based Crypto Lounge, 2004. http://planeta.terra.com.br/informatica/paulobarreto/pblounge.html, last accessed on June 4, 2004.

[69] Paulo S.L.M. Barreto, Hae Yong Kim, Ben Lynn, and Michael Scott. Eﬃcient algorithms for pairing-based cryptosystems. In Proceedings of Crypto ’02, volume 2442 of LNCS, pages 354–368, 2002.

[70] D A Barrington. Bounded-width polynomial-size branching programs recognize exactly those languages in nc1. In Proceedings of the eigh- teenth annual ACM symposium on Theory of computing, STOC ’86, 1986.

[71] Adam Barth, Dan Boneh, and Brent Waters. Privacy in encrypted content distribution using private broadcast encryption. In Financial Cryp- tography and Data Security, 10th International Conference, FC 2006, Anguilla, British West Indies, February 27-March 2, 2006, Revised Se- lected Papers, pages 52–64, 2006.

[72] James Bartusek, Jiaxin Guan, Fermi Ma, and Mark Zhandry. Pre- venting zeroizing attacks on GGH15. IACR Cryptology ePrint Archive, 2018:511, 2018.

315 [73] Amos Beimel. Secret-sharing schemes: A survey. In IWCC, pages 11–46, 2011.

[74] Mira Belenkiy, Melissa Chase, Markulf Kohlweiss, and Anna Lysyan- skaya. Compact e-cash and simulatable vrfs revisited. In Proceedings of the 3rd International Conference Palo Alto on Pairing-Based Cryptog- raphy, Pairing ’09, pages 114–131, Berlin, Heidelberg, 2009. Springer- Verlag.

[75] Mira Belenkiy, Melissa Chase, Markulf Kolweiss, and Anna Lysyanskaya. Non-interactive anonymous credentials. In TCC ’08, volume 4948 of LNCS, pages 356–374, 2008.

[76] Mihir Bellare, Alexandra Boldyreva, Anand Desai, and David Pointcheval. Key-privacy in public-key encryption. In International Conference on the Theory and Application of Cryptology and Information Security, pages 566–582. Springer, 2001.

[77] Mihir Bellare, Alexandra Boldyreva, and Adam ONeill. Deterministic and eﬃciently searchable encryption. In Annual International Cryptol- ogy Conference, 2007.

[78] Mihir Bellare, Alexandra Boldyreva, and Adriana Palacio. An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In EUROCRYPT, pages 171–188, 2004.

316 [79] Mihir Bellare, Shai Halevi, Amit Sahai, and Salil Vadhan. Many-to-one trapdoor functions and their relation to public-key cryptosystems. In Annual International Cryptology Conference, 1998.

[80] Mihir Bellare and Viet Tung Hoang. Adaptive witness encryption and asymmetric password-based cryptography. In Public-Key Cryptography - PKC 2015 - 18th IACR International Conference on Practice and The- ory in Public-Key Cryptography, Gaithersburg, MD, USA, March 30 - April 1, 2015, Proceedings, pages 308–331, 2015.

[81] Mihir Bellare, Viet Tung Hoang, and Sriram Keelveedhi. Instantiating random oracles via uces. IACR Cryptology ePrint Archive, 2013:424, 2013.

[82] Mihir Bellare, Viet Tung Hoang, and Phillip Rogaway. Foundations of garbled circuits. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS ’12, pages 784–796, 2012.

[83] Mihir Bellare and Silvio Micali. Non-interactive oblivious transfer and applications. In CRYPTO ’89, volume 435 of LNCS, pages 547–557, 1989.

[84] Mihir Bellare and Chanathip Namprempre. Authenticated Encryp- tion: relations among notions and analysis of the generic composition paradigm. In ASIACRYPT ’00, volume 1976 of LNCS, pages 531–545. Springer, 2000.

317 [85] Mihir Bellare and Chanathip Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. J. Cryptology, 21(4):469–491, 2008.

[86] Mihir Bellare, Chanathip Namprempre, and Gregory Neven. Unre- stricted aggregate signatures. In ICALP, pages 411–422, 2007.

[87] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The Power of RSA Inversion Oracles and the Security of Chaum’s RSA-Based Blind Signature Scheme. In Financial Cryptogra- phy, volume 2339 of LNCS, pages 319–338, 2001.

[88] Mihir Bellare and Philip Rogaway. Optimal asymmetric encryption padding — how to encrypt with rsa. In EUROCRYPT ’94, pages 92– 111, 1994.

[89] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing eﬃcient protocols. In ACM Conference on Com- puter and Communications Security, pages 62–73, 1993.

[90] Mihir Bellare and Phillip Rogaway. The exact security of digital signatures - how to sign with rsa and rabin. In EUROCRYPT, pages 399–416, 1996.

[91] Mihir Bellare, Igors Stepanovs, and Brent Waters. New negative results on diﬀering-inputs obfuscation. In Advances in Cryptology - EURO- CRYPT 2016 - 35th Annual International Conference on the Theory

318 and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part II, pages 792–821, 2016.

[92] Mihir Bellare, Igors Stepanovs, and Brent Waters. New negative results on diﬀering-inputs obfuscation. In Proceedings of the 35th Annual International Conference on Advances in Cryptology — EUROCRYPT 2016 - Volume 9666, pages 792–821, 2016.

[93] Mihir Bellare and Moti Yung. Certifying cryptographic tools: The case of trapdoor permutations. In ErnestF. Brickell, editor, Advances in Cryptology CRYPTO 92, volume 740 of Lecture Notes in Computer Science, pages 442–460. Springer Berlin Heidelberg, 1993.

[94] Mihir Bellare and Moti Yung. Certifying permutations: Noninterac- tive zero-knowledge based on any trapdoor permutation. Journal of Cryptology, 9(3):149–166, 1996.

[95] Michael Ben-Or, Oded Goldreich, Shaﬁ Goldwasser, Johan H˚astad,Joe Kilian, Silvio Micali, and Phillip Rogaway. Everything provable is provable in zero-knowledge. In CRYPTO, pages 37–56, 1988.

[96] Josh Cohen Benaloh and Michael de Mare. One-way accumulators: A decentralized alternative to digital sinatures (extended abstract). In Advances in Cryptology - EUROCRYPT ’93, Workshop on the Theory and Application of of Cryptographic Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings, pages 274–285, 1993.

319 [97] Karyn Benson, Hovav Shacham, and Brent Waters. The k-BDH As- sumption Family: Bilinear Map Cryptography from Progressively Weaker Assumptions. In Topics in Cryptology - CT-RSA, pages 310–325, 2013.

[98] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In IEEE Symposium on Security and Pri- vacy, pages 321–334, 2007.

[99] Allison Bishop, Susan Hohenberger, and Brent Waters. New circular security counterexamples from decision linear and learning with errors. In Advances in Cryptology - ASIACRYPT 2015 - 21st International Con- ference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29 - December 3, 2015, Proceedings, Part II, pages 776–800, 2015.

[100] Nir Bitansky, Sanjam Garg, Huijia Lin, Rafael Pass, and Sidharth Telang. Succinct randomized encodings and their applications. In Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Comput- ing, STOC 2015, Portland, OR, USA, June 14-17, 2015, pages 439–448, 2015.

[101] Nir Bitansky, Sanjam Garg, Huijia Lin, Rafael Pass, and Sidharth Telang. Succinct randomized encodings and their applications. In Proceedings of the Forty-seventh Annual ACM Symposium on Theory of Computing, STOC ’15, pages 439–448, New York, NY, USA, 2015. ACM.

320 [102] Nir Bitansky, Shaﬁ Goldwasser, Abhishek Jain, Omer Paneth, Vinod Vaikuntanathan, and Brent Waters. Time-lock puzzles from randomized encodings. In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, ITCS ’16, pages 345–356, New York, NY, USA, 2016. ACM.

[103] Nir Bitansky and Omer Paneth. Zaps and non-interactive witness indistinguishability from indistinguishability obfuscation. In Theory of Cryptography, pages 401–427. Springer Berlin Heidelberg, 2015.

[104] Nir Bitansky and Vinod Vaikuntanathan. Indistinguishability obfuscation from functional encryption. In IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, Berkeley, CA, USA, 17-20 October, 2015, pages 171–190, 2015.

[105] John Black, Phillip Rogaway, and Thomas Shrimpton. Encryption- scheme security in the presence of key-dependent messages. In Selected Areas in Cryptography, 9th Annual International Workshop, SAC 2002, St. John’s, Newfoundland, Canada, August 15-16, 2002. Revised Pa- pers, pages 62–75, 2002.

[106] Matt Blaze. A cryptographic ﬁle system for UNIX. In ACM Conference on Computer and Communications Security, pages 9–16, 1993.

[107] Matt Blaze, G. Bleumer, and M. Strauss. Divertible protocols and atomic proxy cryptography. In Proceedings of Eurocrypt ’98, volume 1403, pages 127–144, 1998.

321 [108] Manuel Blum, Paul Feldman, and Silvio Micali. Non-interactive zero- knowledge and its applications. In STOC, pages 103–112, 1988.

[109] Alexandra Boldyreva. Threshold, Multisignature and Blind Signature Schemes Based on the Gap-Diﬃe-Hellman-Group Signature Scheme. In PKC ’03, volume 2139 of LNCS, pages 31–46, 2003.

[110] Alexandra Boldyreva, A. Palacio, and B. Warinschi. Secure proxy signature schemes for delegation of signing rights, 2003. Cryptology ePrint Archive, Report 2003/96, available at http://eprint.iacr.org/2003/96.

[111] Dan Boneh and Xavier Boyen. Eﬃcient selective-ID secure Identity- Based Encryption without random oracles. In EUROCRYPT ’04, volume 3027 of LNCS, pages 223–238, 2004.

[112] Dan Boneh and Xavier Boyen. Secure identity based encryption without random oracles. In Proceedings of Crypto ’04 (to appear), 2004.

[113] Dan Boneh and Xavier Boyen. Secure identity based encryption without random oracles. In CRYPTO, pages 443–459, 2004.

[114] Dan Boneh and Xavier Boyen. Short signatures without random oracles. In EUROCRYPT ’04, volume 3027 of LNCS, pages 382–400, 2004.

[115] Dan Boneh and Xavier Boyen. Short signatures without random oracles. IACR Cryptology ePrint Archive, 2004:171, 2004.

322 [116] Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical identity based encryption with constant size ciphertext. In EUROCRYPT 2005, volume 3494 of LNCS of Lecture Notes in Computer Science, pages 440–456. Springer, 2005.

[117] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO ’04, volume 3152 of LNCS, pages 45–55, 2004.

[118] Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, and Giuseppe Persiano. Public key encryption with keyword search. In EUROCRYPT ’04, volume 3027 of LNCS, pages 506–522, 2004.

[119] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil Pairing. In Proceedings of the 21st Annual International Cryp- tology Conference on Advances in Cryptology, CRYPTO ’01, 2001.

[120] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil Pairing. SIAM Journal of Computing, 32(3):586–615, 2003.

[121] Dan Boneh, Craig Gentry, Sergey Gorbunov, Shai Halevi, Valeria Niko- laenko, Gil Segev, Vinod Vaikuntanathan, and Dhinakaran Vinayaga- murthy. Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In Advances in Cryptology - EURO- CRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, pages 533–556, 2014.

323 [122] Dan Boneh, Craig Gentry, Ben Lynn, and Hovav Shacham. Aggregate and veriﬁably encrypted signatures. In Proceedings of Eurocrypt ’03, volume 2656 of LNCS, pages 416–432, 2003.

[123] Dan Boneh, Craig Gentry, and Brent Waters. Collusion resistant broadcast encryption with short ciphertexts and private keys. In CRYPTO, pages 258–275, 2005.

[124] Dan Boneh, Eu-Jin Goh, and Toshihiko Matsuo. Proposal for P1363.3 Proxy Re-encryption. http://grouper.ieee.org/groups/1363/IBC/ submissions/NTTDataProposal-for-P1363.3-2006-09-01.pdf.

[125] Dan Boneh, Eu-Jin Goh, and Kobbi Nissim. Evaluating 2-DNF formulas on ciphertexts. In TCC ’05, volume 3378 of LNCS, pages 325—341. Springer, 2005.

[126] Dan Boneh, Shai Halevi, Michael Hamburg, and Rafail Ostrovsky. Circular- Secure Encryption from Decision Diﬃe-Hellman. In CRYPTO ’08, volume 5157 of LNCS, pages 108–125, 2008.

[127] Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the Weil Pairing. In ASIACRYPT ’01, volume 2248 of LNCS, pages 514–532, 2001.

[128] Dan Boneh, Amit Sahai, and Brent Waters. Fully collusion resistant traitor tracing with short ciphertexts and private keys. In Advances in

324 Cryptology – EUROCRYPT ’06, volume 4004 of LNCS, pages 573–592, 2006.

[129] Dan Boneh, Amit Sahai, and Brent Waters. Fully collusion resistant traitor tracing with short ciphertexts and private keys. In EURO- CRYPT, pages 573–592, 2006.

[130] Dan Boneh, Amit Sahai, and Brent Waters. Functional encryption: deﬁnitions and challenges. In Proceedings of the 8th conference on The- ory of cryptography, TCC’11, pages 253–273, Berlin, Heidelberg, 2011. Springer-Verlag.

[131] Dan Boneh, Hovav Shacham, and Ben Lynn. Short signatures from the Weil pairing. In Proceedings of Asiacrypt ’01, volume 2248, pages 514–532, 2001.

[132] Dan Boneh and Alice Silverberg. Applications of multilinear forms to cryptography. IACR Cryptology ePrint Archive, 2002:80, 2002.

[133] Dan Boneh and Alice Silverberg. Applications of Multilinear Forms to Cryptography. Contemporary Mathematics, 324:71–90, 2003.

[134] Dan Boneh and Brent Waters. A fully collusion resistant broadcast, trace, and revoke system. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, Ioctober 30 - November 3, 2006, pages 211–220, 2006.

325 [135] Dan Boneh and Brent Waters. Conjunctive, subset, and range queries on encrypted data. In Proceedings of the 4th conference on Theory of cryptography, TCC’07, pages 535–554, Berlin, Heidelberg, 2007. Springer- Verlag.

[136] Dan Boneh and Brent Waters. Constrained pseudorandom functions and their applications. In Kazue Sako and Palash Sarkar, editors, Ad- vances in Cryptology - ASIACRYPT 2013, volume 8270 of Lecture Notes in Computer Science, pages 280–300. Springer Berlin Heidelberg, 2013.

[137] Dan Boneh, David J. Wu, and Joe Zimmerman. Immunizing multilinear maps against zeroizing attacks. Cryptology ePrint Archive, Report 2014/930, 2014.

[138] Dan Boneh and Mark Zhandry. Multiparty key exchange, eﬃcient traitor tracing, and more from indistinguishability obfuscation. In Ad- vances in Cryptology - CRYPTO 2014 - 34th Annual Cryptology Confer- ence, Santa Barbara, CA, USA, August 17-21, 2014, Proceedings, Part I, pages 480–499, 2014.

[139] Allan Borodin, Danny Dolev, Faith E. Fich, and Wolfgang J. Paul. Bounds for width two branching programs. SIAM J. Comput., 15(2):549– 560, 1986.

[140] Fabrice Boudot. Eﬃcient proofs that a committed number lies in an interval. In EUROCRYPT ’00, volume 1807 of LNCS, pages 431–444, 2000.

326 [141] Xavier Boyen. A tapestry of identity-based encryption: practical frame- works compared. IJACT, 1(1):3–21, 2008.

[142] Xavier Boyen and Brent Waters. Anonymous hierarchical identity-based encryption (without random oracles). In CRYPTO ’06, volume 4117 of LNCS, pages 290–307, 2006.

[143] Xavier Boyen and Brent Waters. Full-domain subgroup hiding and constant-size group signatures. In PKC ’07, volume 4450 of LNCS, pages 1–15. Springer, 2007.

[144] Elette Boyle, Kai-Min Chung, and Rafael Pass. On extractability obfuscation. In Theory of Cryptography - 11th Theory of Cryptography Conference, TCC 2014, San Diego, CA, USA, February 24-26, 2014. Proceedings, pages 52–73, 2014.

[145] Elette Boyle, Shaﬁ Goldwasser, and Ioana Ivan. Functional signatures and pseudorandom functions. In Hugo Krawczyk, editor, Public-Key Cryptography PKC 2014, volume 8383 of Lecture Notes in Computer Science, pages 501–519. Springer Berlin Heidelberg, 2014.

[146] Zvika Brakerski. Fully homomorphic encryption without modulus switching from classical gapsvp. In CRYPTO, pages 868–886, 2012.

[147] Zvika Brakerski, Craig Gentry, Shai Halevi, Tancr`edeLepoint, Amit Sahai, and Mehdi Tibouchi. Cryptanalysis of the quadratic zero-testing of GGH. IACR Cryptology ePrint Archive, 2015.

327 [148] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (leveled) fully homomorphic encryption without bootstrapping. In ITCS, 2012.

[149] Zvika Brakerski and Shaﬁ Goldwasser. Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: Quadratic residuosity strikes back). IACR Cryptology ePrint Archive, 2010:226, 2010.

[150] Zvika Brakerski, Shaﬁ Goldwasser, and Yael Tauman Kalai. Black-box circular-secure encryption beyond aﬃne functions. In Theory of Cryp- tography - 8th Theory of Cryptography Conference, TCC 2011, Provi- dence, RI, USA, March 28-30, 2011. Proceedings, pages 201–218, 2011.

[151] Zvika Brakerski, Adeline Langlois, Chris Peikert, Oded Regev, and Damien Stehl´e. Classical hardness of learning with errors. In Symposium on Theory of Computing Conference, STOC’13, Palo Alto, CA, USA, June 1-4, 2013, pages 575–584, 2013.

[152] Zvika Brakerski, Adeline Langlois, Chris Peikert, Oded Regev, and Damien Stehl´e. Classical hardness of learning with errors. In Symposium on Theory of Computing Conference, STOC’13, Palo Alto, CA, USA, June 1-4, 2013, pages 575–584, 2013.

[153] Zvika Brakerski and Guy N Rothblum. Virtual black-box obfuscation for all circuits via generic graded encoding. In Theory of Cryptography Conference, 2014.

328 [154] Zvika Brakerski and Vinod Vaikuntanathan. Eﬃcient fully homomorphic encryption from (standard) LWE. In IEEE 52nd Annual Sympo- sium on Foundations of Computer Science, FOCS 2011, Palm Springs, CA, USA, October 22-25, 2011, pages 97–106, 2011.

[155] Zvika Brakerski and Vinod Vaikuntanathan. Eﬃcient fully homomorphic encryption from (standard) lwe. In FOCS, pages 97–106, 2011.

[156] Zvika Brakerski and Vinod Vaikuntanathan. Fully homomorphic encryption from ring-lwe and security for key dependent messages. In CRYPTO, 2011.

[157] Zvika Brakerski and Vinod Vaikuntanathan. Circuit-abe from LWE: unbounded attributes and semi-adaptive security. IACR Cryptology ePrint Archive, 2016.

[158] Zvika Brakerski, Vinod Vaikuntanathan, Hoeteck Wee, and Daniel Wichs. Obfuscating conjunctions under entropic ring lwe. In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, 2016.

[159] Stefan Brands. Rapid demonstration of linear relations connected by boolean operators. In EUROCRYPT ’97, volume 1233 of LNCS, pages 318–333, 1997.

[160] Gilles Brassard, Claude Cr´epeau, and Jean-Marc Robert. All-or-nothing

329 disclosure of secrets. In CRYPTO ’86, volume 263 of LNCS, pages 234– 238, 1986.

[161] E. Bresson, D. Catalano, and D. Pointcheval. A simple public-key cryptosystem. In Proceedings of Asiacrypt ’03, volume 2894 of LNCS, pages 37–54, 2003.

[162] Christina Brzuska, Pooya Farshim, and Arno Mittelbach. Random- oracle uninstantiability from indistinguishability obfuscation. In Theory of Cryptography - 12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23-25, 2015, Proceedings, Part II, 2015.

[163] Jan Camenisch, Nishanth Chandran, and Victor Shoup. A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In EUROCRYPT ’09, volume 5479 of LNCS, pages 351–368, 2009.

[164] Jan Camenisch, Maria Dubovitskaya, and Gregory Neven. Oblivious transfer with access control. In CCS ’09, pages 131–140, New York, NY, USA, 2009. ACM.

[165] Jan Camenisch, Maciej Koprowski, and Bogdan Warinschi. Eﬃcient blind signatures without random oracles. In SCN ’04, volume 3352 of LNCS, pages 134–148, 2004.

[166] Jan Camenisch and Anna Lysyanskaya. An eﬃcient system for non- transferable anonymous credentials with optional anonymity revocation.

330 IACR Cryptology ePrint Archive, 2001:19, 2001.

[167] Jan Camenisch and Anna Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. In CRYPTO ’04, volume 3152 of LNCS, pages 56–72. Springer, 2004.

[168] Jan Camenisch and Markus Michels. Proving in zero-knowledge that a number n is the product of two safe primes. In EUROCRYPT ’99, volume 1592 of LNCS, pages 107–122, 1999.

[169] Jan Camenisch, Gregory Neven, and abhi shelat. Simulatable adaptive oblivious transfer. In EUROCRYPT ’07, volume 4515 of LNCS, pages 573–590, 2007.

[170] Jan Camenisch and M. Stadler. Eﬃcient group signature schemes for large groups. In CRYPTO ’97, volume 1296 of LNCS, pages 410–424, 1997.

[171] Jan Leonhard Camenisch. Group Signature Schemes and Payment Sys- tems Based on the Discrete Logarithm Problem. PhD thesis, ETH Z¨urich, 1998.

[172] Jan Leonhard Camenisch, Jean-Marc Piveteau, and Markus A. Stadler. Blind signatures based on the discrete logarithm problem. In EURO- CRYPT ’94, volume 950 of LNCS, pages 428–432. Springer, 1994.

331 [173] R. Canetti, Y. Dodis, R. Pass, and S. Walﬁsh. Universally composable security with pre-existing setup. In TCC ’07, volume 4392 of LNCS, pages 61–85, 2007.

[174] Ran Canetti. Towards realizing random oracles: Hash functions that hide all partial information. In Advances in Cryptology - CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21, 1997, Proceedings, pages 455–469, 1997.

[175] Ran Canetti. Universally Composable Security: A new paradigm for cryptographic protocols. In FOCS ’01, page 136. IEEE Computer Society, 2001. http://eprint.iacr.org/2000/067.

[176] Ran Canetti. Universally composable security: Towards the bare bones of trust. In Asiacrypt ’07, volume 4833 of LNCS, pages 88–112, 2007.

[177] Ran Canetti and Yilei Chen. Constraint-hiding constrained prfs for nc1 from lwe. In EUROCRYPT, 2017.

[178] Ran Canetti, Yilei Chen, Justin Holmgren, and Mariana Raykova. Adap- tive succinct garbled RAM or: How to delegate your database. In Theory of Cryptography - 14th International Conference, TCC 2016-B, Beijing, China, October 31 - November 3, 2016, Proceedings, Part II, pages 61–90, 2016.

[179] Ran Canetti and Ronny Ramzi Dakdouk. Obfuscating point functions with multibit output. In Advances in Cryptology - EUROCRYPT 2008,

332 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13-17, 2008. Pro- ceedings, pages 489–508, 2008.

[180] Ran Canetti, Cynthia Dwork, Moni Naor, and Rafail Ostrovsky. Deni- able encryption. In CRYPTO, pages 90–104, 1997.

[181] Ran Canetti, Uri Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In Proc. of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pages 639–648, 1996.

[182] Ran Canetti and Marc Fischlin. Universally composable commitments. In CRYPTO ’01, volume 2139 of LNCS, pages 19–40. Springer, 2001.

[183] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited (preliminary version). In STOC, pages 209–218, 1998.

[184] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited. J. of the ACM, 51(4):557–594, 2004.

[185] Ran Canetti, Shai Halevi, and Jonathan Katz. A forward-secure public- key encryption scheme. In EUROCRYPT ’03, volume 3027 of LNCS, pages 255–271, 2003.

[186] Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-ciphertext security from Identity Based Encryption. In EUROCRYPT ’04, volume 3027 of LNCS, pages 207–222, 2004.

333 [187] Ran Canetti, Shai Halevi, and Jonathan Katz. A forward-secure public- key encryption scheme. J. Cryptology, 20(3):265–294, 2007.

[188] Ran Canetti and Justin Holmgren. Fully succinct garbled ram. In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, ITCS ’16, pages 169–178, New York, NY, USA, 2016. ACM.

[189] Ran Canetti, Justin Holmgren, Abhishek Jain, and Vinod Vaikuntanathan. Succinct garbling and indistinguishability obfuscation for RAM programs. In Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, June 14-17, 2015, pages 429–437, 2015.

[190] Ran Canetti, Justin Holmgren, Abhishek Jain, and Vinod Vaikuntanathan. Succinct garbling and indistinguishability obfuscation for ram programs. In Proceedings of the Forty-seventh Annual ACM Symposium on Theory of Computing, STOC ’15, pages 429–437, New York, NY, USA, 2015. ACM.

[191] Ran Canetti, Hugo Krawczyk, and Jesper B. Nielsen. Relaxing chosen- ciphertext security. In CRYPTO ’03, volume 2729 of LNCS, pages 565–582. Springer, 2003.

[192] Ran Canetti, Huijia Lin, Stefano Tessaro, and Vinod Vaikuntanathan. Obfuscation of probabilistic circuits and applications. In Theory of

334 Cryptography - 12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23-25, 2015, Proceedings, Part II, pages 468– 497, 2015.

[193] Ran Canetti, Yehuda Lindell, Rafail Ostrovsky, and Amit Sahai. Uni- versally composable two-party and multi-party secure computation. In STOC ’02, pages 494–503. ACM Press, 2002.

[194] Ran Canetti and Tal Rabin. Universal composition with joint state. In CRYPTO ’03, volume 2729 of LNCS, pages 265–281. Springer, 2003.

[195] Ran Canetti, Guy N. Rothblum, and Mayank Varia. Obfuscation of hyperplane membership. In Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9- 11, 2010. Proceedings, pages 72–89, 2010.

[196] Angelo De Caro, Vincenzo Iovino Abhishek Jain, Adam O’Neill, Omer Paneth, and Giuseppe Persiano. On the achievability of simulation- based security for functional encryption. In CRYPTO, 2013.

[197] David Cash, Matthew Green, and Susan Hohenberger. New deﬁnitions and separations for circular security. In Public Key Cryptography - PKC, pages 540–557, 2012.

[198] Agnes Chan, Yair Frankel, and Yiannis Tsiounis. Easy come – easy go divisible cash. In EUROCRYPT ’98, volume 1403 of LNCS, pages 561–575, 1998.

335 [199] Melissa Chase. Multi-authority attribute based encryption. In TCC, pages 515–534, 2007.

[200] Melissa Chase and Sherman S. M. Chow. Improving privacy and security in multi-authority attribute-based encryption. In ACM Conference on Computer and Communications Security, pages 121–130, 2009.

[201] Melissa Chase and Anna Lysyanskaya. Simulatable vrfs with applications to multi-theorem nizk. In Proceedings of the 27th Annual Interna- tional Cryptology Conference on Advances in Cryptology, CRYPTO’07, pages 303–322, Berlin, Heidelberg, 2007. Springer-Verlag.

[202] Sanjit Chatterjee and Palash Sarkar. Trading time for space: Towards an eﬃcient IBE scheme with short(er) public parameters in the standard model. In ICISC 2005, volume 3935 of LNCS, pages 424–440, 2005.

[203] Sanjit Chatterjee and Palash Sarkar. HIBE with Short Public Param- eters without Random Oracle. In ASIACRYPT ’06, volume 4284 of LNCS, pages 145–160, 2006.

[204] David Chaum. Blind signatures for untraceable payments. In CRYPTO ’82, pages 199–203. Plenum Press, 1982.

[205] David Chaum and Torben Pryds Pedersen. Wallet databases with ob- servers. In CRYPTO ’92, volume 740 of LNCS, pages 89–105, 1992.

336 [206] Jie Chen, Hoon Wei Lim, San Ling, Huaxiong Wang, and Hoeteck Wee. Shorter ibe and signatures via asymmetric pairings. In Pairing-Based Cryptography–Pairing 2012, pages 122–140. Springer, 2013.

[207] Jie Chen and Hoeteck Wee. Semi-adaptive attribute-based encryption and improved delegation for boolean formula. In Security and Cryptog- raphy for Networks - 9th International Conference, SCN 2014, Amalﬁ, Italy, September 3-5, 2014. Proceedings, pages 277–297, 2014.

[208] L. Chen, Z. Cheng, and Nigel Smart. Identity-based key agreement protocols from pairings. International Journal of Information Security, 6:213–241, August 2007.

[209] Jung Hee Cheon. Security analysis of the strong diﬃe-hellman problem. In EUROCRYPT ’06, volume 4004 of LNCS, pages 1–11, 2006.

[210] Jung Hee Cheon, Pierre-Alain Fouque, Changmin Lee, Brice Minaud, and Hansol Ryu. Cryptanalysis of the new clt multilinear map over the integers. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2016.

[211] Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol Ryu, and Damien Stehl´e. Cryptanalysis of the multilinear map over the integers. In Advances in Cryptology - EUROCRYPT 2015 - 34th Annual Interna- tional Conference on the Theory and Applications of Cryptographic Tech- niques, Soﬁa, Bulgaria, April 26-30, 2015, Proceedings, Part I, pages 3–12, 2015.

337 [212] Jung Hee Cheon, Jinhyuck Jeong, and Changmin Lee. An algorithm for ntru problems and cryptanalysis of the ggh multilinear map without a low-level encoding of zero. LMS Journal of Computation and Mathematics, 2016.

[213] Jung Hee Cheon and Dong Hoon Lee. Diﬃe-Hellman problems and bilinear maps. Cryptology ePrint Archive: Report 2002/117, 2001.

[214] Fangguo Zhang Chih-Yin Lin, T.-C. Wu. Proxy signature and proxy multi-signature from bilinear pairings. In Proceedings of the 2003 Inter- national Conference on Informatics, Cybernetics and Systems, 2003.

[215] Seung Geol Choi, Jonathan Katz, Hoeteck Wee, and Hong-Sheng Zhou. Eﬃcient, adaptively secure, and composable oblivious transfer with a single, global crs. In Public-Key Cryptography–PKC 2013, pages 73–88. Springer, 2013.

[216] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, pages 257–270, 1994.

[217] Cheng-Kang Chu and Wen-Guey Tzeng. Eﬃcient k-out-of-n oblivious transfer schemes with adaptive and non-adaptive queries. In PKC ’05, volume 3386 of LNCS, pages 172–183, 2005.

[218] Mathieu Ciet, Tanja Lange, Francesco Sica, and Jean-Jacques Quisquater. Improved algorithms for eﬃcient arithmetic on elliptic curves using fast

338 endomorphisms. In Proceedings of Eurocrypt ’03, volume 2656 of LNCS, pages 388–400, 2003.

[219] Cliﬀord Cocks. An identity based encryption scheme based on Quadratic Residues. In Cryptography and Coding, IMA International Conference, volume 2260 of LNCS, pages 360–363, 2001.

[220] Cliﬀord Cocks. An identity based encryption scheme based on quadratic residues. In IMA Int. Conf., pages 360–363, 2001.

[221] Debra L. Cook and Angelos D. Keromytis. Conversion and proxy functions for symmetric key ciphers. In proceedings of the IEEE Interna- tional Conference on Information Technology: Coding and Computing (ITCC), 2005. To appear.

[222] Stephen A. Cook and H. James Hoover. A depth-universal circuit. SIAM Journal on Computing, 14(4):833–839, 1985.

[223] Jean-S´ebastienCoron, Craig Gentry, Shai Halevi, Tancr`edeLepoint, He- manta K. Maji, Eric Miles, Mariana Raykova, Amit Sahai, and Mehdi Tibouchi. Zeroizing without low-level zeroes: New MMAP attacks and their limitations. In Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16- 20, 2015, Proceedings, Part I, 2015.

[224] Jean-S´ebastienCoron, Moon Sung Lee, Tancr`edeLepoint, and Mehdi Tibouchi. Cryptanalysis of GGH15 multilinear maps. In Advances

339 in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part II, 2016.

[225] Jean-S´ebastienCoron, Moon Sung Lee, Tancr`edeLepoint, and Mehdi Tibouchi. Zeroizing attacks on indistinguishability obfuscation over CLT13. In Public-Key Cryptography - PKC 2017 - 20th IACR Interna- tional Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, March 28-31, 2017, Proceedings, Part I, 2017.

[226] Jean-S´ebastienCoron, Tancr`edeLepoint, and Mehdi Tibouchi. Prac- tical multilinear maps over the integers. In Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part I, pages 476–493, 2013.

[227] Jean-Sebastien Coron, Tancrede Lepoint, and Mehdi Tibouchi. Crypt- analysis of two candidate ﬁxes of multilinear maps over the integers. Cryptology ePrint Archive, Report 2014/975, 2014.

[228] Jean-S´ebastienCoron, Tancr`edeLepoint, and Mehdi Tibouchi. New multilinear maps over the integers. In Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, 2015.

[229] Jean-S´ebastienCoron, Avradip Mandal, David Naccache, and Mehdi

340 Tibouchi. Fully homomorphic encryption over the integers with shorter public keys. In CRYPTO, pages 487–504, 2011.

[230] Scott Coull, Matthew Green, and Susan Hohenberger. Controlling access to an oblivious database using stateful anonymous credentials. In Public Key Cryptography, volume 5443 of LNCS, pages 501–520, 2009.

[231] Ronald Cramer, Ivan Damg˚ard,and Berry Schoenmakers. Proofs of partial knowledge and simpliﬁed design of witness hiding protocols. In CRYPTO ’94, volume 839 of LNCS, pages 174–187, 1994.

[232] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO ’98, pages 13–25, London, UK, 1998. Springer.

[233] Ronald Cramer and Victor Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In Pro- ceedings of Eurocrypt ’02, volume 2332 of Lecture Notes in Computer Science, pages 45–64, 2002.

[234] Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput., 33(1):167–226, January 2004.

[235] Yang Cui, Eiichiro Fujisaki, Goichiro Hanaoka, Hideki Imai, and Rui Zhang. Formal security treatments for IBE-to-signature transformation:

341 Relations among security notions. Cryptology ePrint Archive, Report 2007/030, 2007. http://eprint.iacr.org/.

[236] Ivan Damg˚ard,Masahiro Mambo, and Eiji Okamoto. Further study on the transformability of digital signatures and the blind decryption. In SCIS ’97-33B, 1997.

[237] Pratish Datta, Ratna Dutta, and Sourav Mukhopadhyay. Constrained pseudorandom functions for unconstrained inputs revisited: Achieving veriﬁability and key delegation. In Proceedings, Part II, of the 20th IACR International Conference on Public-Key Cryptography — PKC 2017 - Volume 10175, pages 463–493, New York, NY, USA, 2017. Springer- Verlag New York, Inc.

[238] Alfredo De Santis, Giovanni Di Crescenzo, and Giuseppe Persiano. Nec- essary and suﬃcient assumptions for non-iterative zero-knowledge proofs of knowledge for all NP relations. In ICALP ’00, volume 1853 of LNCS, pages 451–462, 2000.

[239] Apoorvaa Deshpande, Venkata Koppula, and Brent Waters. Con- strained pseudorandom functions for unconstrained inputs. In Proceed- ings, Part II, of the 35th Annual International Conference on Advances in Cryptology — EUROCRYPT 2016 - Volume 9666, pages 124–153, New York, NY, USA, 2016. Springer-Verlag New York, Inc.

[240] Whitﬁeld Diﬃe and Martin E. Hellman. Multiuser cryptographic techniques. In AFIPS National Computer Conference, pages 109–112, 1976.

342 [241] Whitﬁeld Diﬃe and Martin E. Hellman. New directions in cryptography, 1976.

[242] Yan Zong Ding, Danny Harnik, Alon Rosen, and Ronen Shaltiel. Constant- round oblivious transfer in the bounded storage model. In TCC ’04, volume 2951 of LNCS, pages 446–472, 2004.

[243] Yevgeniy Dodis. Eﬃcient construction of (distributed) veriﬁable random functions. In YvoG. Desmedt, editor, Public Key Cryptography PKC 2003, volume 2567 of Lecture Notes in Computer Science, pages 1–17. Springer Berlin Heidelberg, 2002.

[244] Yevgeniy Dodis, Matthew K. Franklin, Jonathan Katz, Atsuko Miyaji, and Moti Yung. Intrusion-resilient public-key encryption. In Proceed- ings of CT-RSA ’03, volume 2612 of LNCS, pages 19–32, 2003.

[245] Yevgeniy Dodis, Matthew K. Franklin, Jonathan Katz, Atsuko Miyaji, and Moti Yung. A generic construction for intrusion-resilient public-key encryption. In Proceedings of CT-RSA ’04, volume 2964 of LNCS, pages 81–98, 2004.

[246] Yevgeniy Dodis, Shai Halevi, and Tal Rabin. A cryptographic solution to a game theoretic problem. In CRYPTO ’00, volume 1880 of LNCS, pages 112–130. Springer, 2000.

[247] Yevgeniy Dodis and Anca Ivan. Proxy cryptography revisited. In

343 Proceedings of the Tenth Network and Distributed System Security Sym- posium, February 2003.

[248] Yevgeniy Dodis, Yael Tauman Kalai, and Shachar Lovett. On cryptography with auxiliary input. In STOC ’09, pages 621–630, 2009.

[249] Yevgeniy Dodis, Jonathan Katz, Shouhuai Xu, and Moti Yung. Key- insulated public key cryptosystems. In Proceedings of Eurocrypt ’02, volume 2332 of Lecture Notes in Computer Science, pages 65–82, 2002.

[250] Yevgeniy Dodis, Roberto Oliveira, and Krzysztof Pietrzak. On the generic insecurity of the full domain hash. In CRYPTO, pages 449–466, 2005.

[251] Yevgeniy Dodis, Rafail Ostrovsky, Leonid Reyzin, and Adam D. Smith. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM J. Comput., 38(1):97–139, 2008.

[252] Yevgeniy Dodis, Leonid Reyzin, and Adam D. Smith. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In Advances in Cryptology - EUROCRYPT 2004, International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2-6, 2004, Proceedings, pages 523–540, 2004.

[253] Yevgeniy Dodis and Adam D. Smith. Correcting errors without leaking partial information. In Proceedings of the 37th Annual ACM Symposium

344 on Theory of Computing, Baltimore, MD, USA, May 22-24, 2005, pages 654–663, 2005.

[254] Yevgeniy Dodis and Aleksandr Yampolskiy. A veriﬁable random function with short proofs and keys. In Proceedings of the 8th Interna- tional Conference on Theory and Practice in Public Key Cryptography, PKC’05, pages 416–431, Berlin, Heidelberg, 2005. Springer-Verlag.

[255] Danny Dolev, Cynthia Dwork, and Moni Naor. Nonmalleable cryptography. SIAM J. Computing, 30(2):391–437, 2000.

[256] Markus D¨urmuth and David Mandell Freeman. Deniable encryption with negligible detection probability: An interactive construction. In EUROCRYPT, pages 610–626, 2011.

[257] Markus D¨urmuth and David Mandell Freeman. Deniable encryption with negligible detection probability: An interactive construction. IACR Cryptology ePrint Archive, 2011:66, 2011.

[258] Ratna Dutta, Rana Barua, and Palash Sarkar. Pairing-Based Cryptog- raphy : A Survey. Cryptology ePrint Archive, Report 2004/064, 2004. http://eprint.iacr.org/.

[259] Cynthia Dwork and Moni Naor. Zaps and their applications. In FOCS, pages 283–293, 2000.

[260] Taher El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In CRYPTO ’84, pages 10–18, 1984.

345 [261] Alex Escala, Gottfried Herold, Eike Kiltz, Carla Rfols, and Jorge Vil- lar. An algebraic framework for diﬃe-hellman assumptions. In Ran Canetti and JuanA. Garay, editors, Advances in Cryptology CRYPTO 2013, volume 8043 of Lecture Notes in Computer Science, pages 129–147. Springer Berlin Heidelberg, 2013.

[262] Shimon Even, Oded Goldreich, and Abraham Lempel. A randomized protocol for signing contracts. In CRYPTO ’82, pages 205–210, 1982.

[263] Uriel Feige, Dror Lapidot, and Adi Shamir. Multiple non-interactive zero knowledge proofs under general assumptions. SIAM Journal of Computing, 29(1):1–28, 1999.

[264] Uriel Feige and Adi Shamir. Witness indistinguishable and witness hiding protocols. In STOC, pages 416–426, 1990.

[265] Ai fen Sui, Sherman S. M. Chow, Lucas C. K. Hui, S. M. Yiu, K. P. Chow, W. W. Tsang, C. F. Chong, K. H. Pun, and H. W. Chan. Separable and anonymous identity-based key issuing. In ICPADS ’05, pages 275–279, 2005.

[266] Amos Fiat and Moni Naor. Broadcast encryption. In Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’93, pages 480–491, 1994.

[267] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identiﬁcation and signature problems. In CRYPTO ’86, volume 263

346 of LNCS, pages 186–194, 1986.

[268] Matthew K. Franklin, editor. Advances in Cryptology - CRYPTO 2004, 24th Annual International CryptologyConference, Santa Barbara, Cali- fornia, USA, August 15-19, 2004, Proceedings, volume 3152 of Lecture Notes in Computer Science. Springer, 2004.

[269] Michael J. Freedman, Yuval Ishai, Benny Pinkas, and Omer Reingold. Keyword search and oblivious pseudorandom functions. In TCC ’05, volume 3378 of LNCS, Cambridge, MA, February 2005. Springer.

[270] David Mandell Freeman. Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In Advances in Cryptology– EUROCRYPT 2010, pages 44–61. Springer, 2010.

[271] David Mandell Freeman. Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In Proceedings of the 29th Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT’10, pages 44–61, Berlin, Hei- delberg, 2010. Springer-Verlag.

[272] Eduarda SV Freire, Dennis Hofheinz, Kenneth G Paterson, and Christoph Striecks. Programmable hash functions in the multilinear setting. In Advances in Cryptology–CRYPTO 2013, pages 513–530. Springer, 2013.

[273] Kevin Fu. Group sharing and random access in cryptographic storage ﬁle systems. Master’s thesis, Massachusetts Institute of Technology,

347 May 1999.

[274] Kevin Fu. Integrity and access control in untrusted content distribution networks. PhD thesis, Massachusetts Institute of Technology, Manuscript.

[275] Kevin Fu, M. Frans Kaashoek, and David Mazi`eres. Fast and secure distributed read-only ﬁle system. ACM Trans. Comput. Systems, 20(1):1– 24, 2002.

[276] Georg Fuchsbauer, David Pointcheval, and Damien Vergnaud. Anony- mously transferable constant-size e-tickets, 2009.

[277] Eiichiro Fujisaki and Tatsuaki Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In CRYPTO ’97, volume 1294 of LNCS, pages 16–30, 1997.

[278] Eiichiro Fujisaki and Tatsuaki Okamoto. How to enhance the security of public-key encryption at minimum cost. In International Workshop on Public Key Cryptography, pages 53–68. Springer, 1999.

[279] Eiichiro Fujisaki and Tatsuaki Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In CRYPTO ’99, volume 1666 of LNCS, pages 537–554. Springer, 1999.

[280] S.D. Galbraith, K.G. Paterson, and N.P. Smart. Pairings for cryptog- raphers. Cryptology ePrint Archive, Report 2006/165, 2006. http: //eprint.iacr.org/2006/165.

348 [281] S.D. Galbraith, K.G. Paterson, and N.P. Smart. Pairings for cryptog- raphers. Cryptology ePrint Archive, Report 2006/165, 2006. http: //eprint.iacr.org/.

[282] Steven D. Galbraith. Supersingular curves in cryptography. In ASI- ACRYPT ’01, volume 2248 of LNCS, pages 495–513, 2001.

[283] Steven D. Galbraith, Keith Harrison, and David Soldera. Implementing the tate pairing. In Proceedings of the Algorithmic Number Theory Symposium, volume 2369 of LNCS, pages 324–337, 2002.

[284] David Galindo and Ichiro Hasuo. Security notions for identity based encryption. Cryptology ePrint Archive, Report 2005/253, 2005. http: //eprint.iacr.org/2005/253.pdf.

[285] Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate multilinear maps from ideal lattices. In EUROCRYPT, 2013.

[286] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sa- hai, and Brent Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. In FOCS, 2013.

[287] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sa- hai, and Brent Waters. Candidate indstinguishability obfuscation and functional encryption for all circuits. In FOCS, 2013.

[288] Sanjam Garg, Craig Gentry, Shai Halevi, Amit Sahai, and Brent Wa- ters. Attribute-based encryption for circuits from multilinear maps.

349 Cryptology ePrint Archive, Report 2013/128, 2013. http://eprint. iacr.org/.

[289] Sanjam Garg, Craig Gentry, Shai Halevi, and Daniel Wichs. On the implausibility of diﬀering-inputs obfuscation and extractable witness encryption with auxiliary input. In Advances in Cryptology - CRYPTO 2014 - 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2014, Proceedings, Part I, pages 518–535, 2014.

[290] Sanjam Garg, Craig Gentry, Amit Sahai, and Brent Waters. Witness encryption and its applications. In STOC, 2013.

[291] Sanjam Garg, Abishek Kumarasubramanian, Amit Sahai, and Brent Waters. Building eﬃcient fully collusion-resilient traitor tracing and revocation schemes. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS ’10, pages 121–130, New York, NY, USA, 2010. ACM.

[292] Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan, and Mark Zhandry. Secure obfuscation in a weak multilinear map model. In Theory of Cryptography Conference, pages 241–268. Springer, 2016.

[293] Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova. Quadratic span programs and succinct NIZKs without PCPs. In EU- ROCRYPT, 2013.

350 [294] Craig Gentry. Practical identity-based encryption without random oracles. In EUROCRYPT ’06, volume 4004 of LNCS, pages 445–464, 2006.

[295] Craig Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, 2009. crypto.stanford.edu/craig.

[296] Craig Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st Annual ACM Symposium on Theory of Comput- ing, STOC 2009, Bethesda, MD, USA, May 31 - June 2, 2009, pages 169–178, 2009.

[297] Craig Gentry. Fully homomorphic encryption using ideal lattices. In STOC, 2009.

[298] Craig Gentry, Sergey Gorbunov, and Shai Halevi. Graph-induced multilinear maps from lattices. In TCC, 2015.

[299] Craig Gentry and Shai Halevi. Hierarchical identity based encryption with polynomially many levels. In Theory of Cryptography, 6th The- ory of Cryptography Conference, TCC 2009, San Francisco, CA, USA, March 15-17, 2009. Proceedings, pages 437–456, 2009.

[300] Craig Gentry, Allison B. Lewko, and Brent Waters. Witness encryption from instance independent assumptions. In Advances in Cryptology - CRYPTO 2014 - 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2014, Proceedings, Part I, pages 426–443, 2014.

351 [301] Craig Gentry, Allison Bishop Lewko, Amit Sahai, and Brent Waters. In- distinguishability obfuscation from the multilinear subgroup elimination assumption. In IEEE 56th Annual Symposium on Foundations of Com- puter Science, FOCS 2015, Berkeley, CA, USA, 17-20 October, 2015, pages 151–170, 2015.

[302] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC, pages 197–206, 2008.

[303] Craig Gentry, Amit Sahai, and Brent Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In CRYPTO, 2013.

[304] Craig Gentry and Alice Silverberg. Hierarchical ID-Based cryptography. In Proceedings of Asiacrypt ’02, volume 2501 of Lecture Notes in Computer Science, pages 548–566. Springer, 2002.

[305] Michael Gerbush, Allison Lewko, Adam ONeill, and Brent Waters. Dual form signatures: An approach for proving security from static assumptions. In Xiaoyun Wang and Kazue Sako, editors, Advances in Cryp- tology ASIACRYPT 2012, volume 7658 of Lecture Notes in Computer Science, pages 25–42. Springer Berlin Heidelberg, 2012.

[306] Yitchak Gertner and Amir Herzberg. Committing encryption and publicly-veriﬁable signcryption. Cryptology ePrint Archive, Report 2003/254, 2003. http://eprint.iacr.org/.

352 [307] E. Ghadaﬁ, N.P. Smart, and B. Warinschi. Groth-Sahai proofs revisited, 2009. Cryptology ePrint Archive: Report 2009/599.

[308] Eu-Jin Goh, Hovav Shacham, Nagendra Modadugu, and Dan Boneh. SiRiUS: Securing remote untrusted storage. In Proceedings of the Tenth Network and Distributed System Security Symposium, pages 131–145, February 2003.

[309] O. Goldreich. Foundations of Cryptography. Cambridge University Press, 2001.

[310] Oded Goldreich, Shaﬁ Goldwasser, and Silvio Micali. How to construct random functions (extended abstract). In FOCS, pages 464–479, 1984.

[311] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or a completeness theorem for protocols with honest ma- jority. In STOC ’87, pages 218–229, 1987.

[312] Oded Goldreich, Birgit Pﬁtzmann, and Ronald L. Rivest. Self-Delegation with Controlled Propagation – or – What If You Lose Your Laptop. In Proceedings of Crypto ’98, volume 1462, pages 153–168, 1998.

[313] S. Goldwasser and S. Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984.

[314] S. Goldwasser, S. Micali, and C. Rackoﬀ. The knowledge complexity of interactive proof systems. SIAM J. Comput., 18(1):186–208, February 1989.

353 [315] Shaﬁ Goldwasser, editor. Advances in Cryptology - CRYPTO ’88, 8th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21-25, 1988, Proceedings, volume 403 of Lecture Notes in Computer Science. Springer, 1990.

[316] Shaﬁ Goldwasser, Yael Kalai, Raluca Ada Popa, Vinod Vaikuntanathan, , and Nickolai Zeldovich. How to run turing machines on encrypted data. In CRYPTO, 2013.

[317] Shaﬁ Goldwasser, Yael Kalai, Raluca Ada Popa, Vinod Vaikuntanathan, and Nickolai Zeldovich. Reusable garbled circuits and succinct functional encryption. In Proceedings of the Forty-ﬁfth Annual ACM Sym- posium on Theory of Computing, STOC ’13, pages 555–564, 2013.

[318] Shaﬁ Goldwasser, Yael Kalai, Raluca Ada Popa, Vinod Vaikuntanathan, and Nickolai Zeldovich. Succinct functional encryption and applications: Reusable garbled circuits and beyond. In STOC, 2013.

[319] Shaﬁ Goldwasser and Yael Tauman Kalai. On the (In)security of the Fiat-Shamir Paradigm. In FOCS ’03, page 102, 2003.

[320] Shaﬁ Goldwasser and Yael Tauman Kalai. On the impossibility of obfuscation with auxiliary input. In Foundations of Computer Science, 2005. FOCS 2005. 46th Annual IEEE Symposium on, pages 553–562. IEEE, 2005.

354 [321] Shaﬁ Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, 1984.

[322] Shaﬁ Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput., 17(2):281–308, 1988.

[323] Shaﬁ Goldwasser and Rafail Ostrovsky. Invariant signatures and non- interactive zero-knowledge proofs are equivalent (extended abstract). In Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’92, pages 228–245, London, UK, UK, 1993. Springer-Verlag.

[324] Shaﬁ Goldwasser and Guy N. Rothblum. On best-possible obfuscation. In Proceedings of the 4th conference on Theory of cryptography, TCC’07, pages 194–213, 2007.

[325] Philippe Golle, Markus Jakobsson, Ari Juels, and Paul F. Syverson. Universal Re-encryption for Mixnets. In Proceedings of CT-RSA ’04, volume 2964 of LNCS, pages 163–178, 2004.

[326] Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Functional encryption with bounded collusions via multi-party computation. In CRYPTO, 2012.

[327] Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Attribute- based encryption for circuits. In STOC, 2013.

355 [328] Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Predicate encryption for circuits from lwe. In Annual Cryptology Conference, 2015.

[329] Rishab Goyal, Venkata Koppula, and Brent Waters. Lockable obfuscation. In 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2017, Berkeley, CA, USA, October 15-17, 2017, pages 612–621, 2017.

[330] Rishab Goyal, Venkata Koppula, and Brent Waters. Lockable obfuscation. In 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2017, Berkeley, CA, USA, October 15-17, 2017, pages 612–621, 2017.

[331] Rishab Goyal, Venkata Koppula, and Brent Waters. Separating IND- CPA and circular security for unbounded length key cycles. In Public- Key Cryptography - PKC 2017 - 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, March 28-31, 2017, Proceedings, Part I, 2017.

[332] Rishab Goyal, Venkata Koppula, and Brent Waters. Separating se- mantic and circular security for symmetric-key bit encryption from the learning with errors assumption. In EUROCRYPT, 2017.

[333] Vipul Goyal. Reducing trust in the PKG in identity based cryptosystems. In CRYPTO ’07, volume 4622 of LNCS, pages 430–447, 2007.

356 [334] Vipul Goyal, Yuval Ishai, Amit Sahai, Ramarathnam Venkatesan, and Akshay Wadia. Founding cryptography on tamper-proof hardware to- kens. In TCC, pages 308–326, 2010.

[335] Vipul Goyal, Abhishek Jain, Omkant Pandey, and Amit Sahai. Bounded ciphertext policy attribute based encryption. In Automata, Languages and Programming, 35th International Colloquium, ICALP 2008, Reyk- javik, Iceland, July 7-11, 2008, Proceedings, Part II - Track B: Logic, Semantics, and Theory of Programming & Track C: Security and Cryp- tography Foundations, 2008.

[336] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute- based encryption for ﬁne-grained access control of encrypted data. In Proceedings of the 13th ACM conference on Computer and communications security, CCS ’06, 2006.

[337] Matthew Green and Susan Hohenberger. Blind identity-based encryption and simulatable oblivious transfer. In ASIACRYPT ’07, volume 4833 of LNCS, pages 265–282, 2007.

[338] Matthew Green and Susan Hohenberger. Universally composable adaptive oblivious transfer. In ASIACRYPT, volume 5350, pages 179–197, 2008.

[339] Matthew Green and Susan Hohenberger. Universally composable adaptive oblivious transfer. Cryptology ePrint Archive, Report 2008/163, 2008. Full version available at http://eprint.iacr.org/.

357 [340] Matthew Green and Susan Hohenberger. Adaptive oblivious transfer from a simple assumption. Available at http://eprint.iacr.org, 2009.

[341] Jens Groth. Simulation-sound NIZK proofs for a practical language and constant size group signatures. In ASIACRYPT, volume 4284, pages 444–459, 2006.

[342] Jens Groth. Short pairing-based non-interactive zero-knowledge arguments. In ASIACRYPT, 2010.

[343] Jens Groth, Rafail Ostrovsky, and Amit Sahai. Perfect non-interactive zero knowledge for NP. In EUROCRYPT ’06, volume 4004 of LNCS, pages 339–358. Springer, 2006.

[344] Jens Groth and Amit Sahai. Eﬃcient non-interactive proof systems for bilinear groups. In EUROCRYPT ’08, volume 4965 of LNCS, pages 415–432, 2008.

[345] Iftach Haitner. Semi-honest to malicious oblivious transfer - the black- box way. In TCC, pages 412–426, 2008.

[346] Iftach Haitner and Thomas Holenstein. On the (im)possibility of key dependent encryption. In Theory of Cryptography, 6th Theory of Cryp- tography Conference, TCC 2009, San Francisco, CA, USA, March 15-17, 2009. Proceedings, pages 202–219, 2009.

[347] Shai Halevi, editor. Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA,

358 August 16-20, 2009. Proceedings, volume 5677 of Lecture Notes in Com- puter Science. Springer, 2009.

[348] Shai Halevi. Graded encoding, variations on a scheme. Cryptology ePrint Archive, Report 2015/866, 2015.

[349] Shai Halevi and Hugo Krawczyk. Security under key-dependent inputs. In ACM CCS ’07, pages 466–475, 2007.

[350] Christian Hanser and Daniel Slamanig. Structure-preserving signatures on equivalence classes and their application to anonymous credentials. In Advances in Cryptology–ASIACRYPT 2014, pages 491–511. Springer, 2014.

[351] Danny Harnik, Yuval Ishai, and Eyal Kushilevitz. How many oblivious transfers are needed for secure multiparty computation? In Alfred Menezes, editor, Advances in Cryptology - CRYPTO 2007, volume 4622 of Lecture Notes in Computer Science, pages 284–302. Springer, 2007.

[352] Anthony Harrington and Christian Jensen. Cryptographic access control in a distributed ﬁle system. In Proceedings of 8th ACM Symposium on Access Control Models and Technologies (SACMAT 2003), Villa Gal- lia, Como, Italy, June 2003. ACM.

[353] Johan H˚astad,Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom generator from any one-way function. SIAM J. Com- put., 28(4):1364–1396, 1999.

359 [354] Gottfried Herold, Julia Hesse, Dennis Hofheinz, Carla Rafols, and Andy Rupp. Polynomial spaces: A new framework for composite-to-prime- order transformations. In Advances in Cryptology–CRYPTO 2014, pages 261–279. Springer, 2014.

[355] Dennis Hofheinz and Tibor Jager. Veriﬁable random functions from standard assumptions. In Theory of Cryptography - 13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10-13, 2016, Pro- ceedings, Part I, pages 336–362, 2016.

[356] Dennis Hofheinz and Eike Kiltz. Secure hybrid encryption from weak- ened key encapsulation. In Advances in Cryptology - CRYPTO, pages 553–571, 2007.

[357] Dennis Hofheinz and Eike Kiltz. Programmable hash functions and their applications. J. Cryptology, 25(3):484–527, 2012.

[358] Dennis Hofheinz and Dominique Unruh. Towards key-dependent message security in the standard model. In EUROCRYPT ’08, volume 4965 of LNCS, pages 108–126, 2008.

[359] Susan Hohenberger, Guy N. Rothblum, abhi shelat, and Vinod Vaikun- tanathan. Securely obfuscating re-encryption. In TCC ’07, volume 4392 of LNCS, pages 233–252, 2007.

[360] Susan Hohenberger, Amit Sahai, and Brent Waters. Full domain hash from (leveled) multilinear maps and identity-based aggregate signatures.

360 In CRYPTO, 2013.

[361] Susan Hohenberger, Amit Sahai, and Brent Waters. Replacing a random oracle: Full domain hash from indistinguishability obfuscation. In Advances in Cryptology–EUROCRYPT 2014, pages 201–220. Springer, 2014.

[362] Susan Hohenberger and Brent Waters. Constructing veriﬁable random functions with large input spaces. In Advances in Cryptology– EUROCRYPT 2010, pages 656–672. Springer, 2010.

[363] Jeremy Horwitz and Ben Lynn. Toward hierarchical identity-based encryption. In Proceedings of Eurocrypt ’02, volume 2332 of Lecture Notes in Computer Science, pages 466–481, London, UK, 2002. Springer- Verlag.

[364] Yupu Hu and Huiwen Jia. Cryptanalysis of ggh map. In Annual In- ternational Conference on the Theory and Applications of Cryptographic Techniques, 2016.

[365] Pavel Hubacek and Daniel Wichs. On the communication complexity of secure function evaluation with long output. Cryptology ePrint Archive, Report 2014/669, 2014. http://eprint.iacr.org/.

[366] Yuval Ishai. Personal communication, 2013.

[367] Yuval Ishai and Eyal Kushilevitz. Randomizing polynomials: A new representation with applications to round-eﬃcient secure computation.

361 In 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, 12-14 November 2000, Redondo Beach, California, USA, pages 294–304, 2000.

[368] Yuval Ishai, Omkant Pandey, and Amit Sahai. Public-Coin Diﬀering- Inputs Obfuscation and Its Applications. Manuscript, 2014.

[369] Yuval Ishai, Omkant Pandey, and Amit Sahai. Public-coin diﬀering- inputs obfuscation and its applications. In Theory of Cryptography - 12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23-25, 2015, Proceedings, Part II, pages 668–697, 2015.

[370] Yuval Ishai and Hoeteck Wee. Partial garbling schemes and their applications. In Automata, Languages, and Programming - 41st International Colloquium, ICALP 2014, Copenhagen, Denmark, July 8-11, 2014, Pro- ceedings, Part I, pages 650–662, 2014.

[371] Tibor Jager. Veriﬁable random functions from weaker assumptions. In Yevgeniy Dodis and JesperBuus Nielsen, editors, Theory of Cryptogra- phy, volume 9015 of Lecture Notes in Computer Science, pages 121–143. Springer Berlin Heidelberg, 2015.

[372] Markus Jakobsson. On quorum controlled asymmetric proxy re-encryption. In Proceedings of Public Key Cryptography, pages 112–121, 1999.

[373] Stanislaw Jarecki and Xiaomin Liu. Eﬃcient oblivious pseudorandom function with applications to adaptive ot and secure computation of set

362 intersection. In TCC ’09, volume 5444 of LNCS, pages 577–594, 2009.

[374] Stanislaw Jarecki and Vitaly Shmatikov. Handcuﬃng big brother: an abuse-resilient transaction escrow scheme. In Advances in Cryptology - EUROCRYPT 2004, International Conference on the Theory and Appli- cations of Cryptographic Techniques, Interlaken, Switzerland, May 2-6, 2004, Proceedings, volume 3027 of Lecture Notes in Computer Science, pages 590–608. Springer, 2004.

[375] Antoine Joux. A one-round protocol for tripartite Diﬃe-Hellman. In Proceedings of ANTS-IV conference, Lecture Notes in Computer Sci- ence., volume 1838, pages 385–394, 2000.

[376] Ari Juels, Michael Luby, and Rafail Ostrovsky. Security of blind digital signatures (extended abstract). In CRYPTO ’97, volume 1294 of LNCS, pages 150–164, 1997.

[377] Charanjit S Jutla and Arnab Roy. Shorter quasi-adaptive nizk proofs for linear subspaces. In Advances in Cryptology-ASIACRYPT 2013, pages 1–20. Springer, 2013.

[378] SaqibA. Kakvi, Eike Kiltz, and Alexander May. Certifying rsa. In Xiaoyun Wang and Kazue Sako, editors, Advances in Cryptology ASI- ACRYPT 2012, volume 7658 of Lecture Notes in Computer Science, pages 404–414. Springer Berlin Heidelberg, 2012.

363 [379] Yael Tauman Kalai. Smooth projective hashing and two-message oblivious transfer. In EUROCRYPT ’05, volume 3494 of LNCS, pages 78–95, 2005.

[380] Yael Tauman Kalai, Ran Raz, and Ron D. Rothblum. How to delegate computations: the power of no-signaling proofs. In Symposium on The- ory of Computing, STOC 2014, New York, NY, USA, May 31 - June 03, 2014, pages 485–494, 2014.

[381] B. Kaliski and J. Staddon. Pkcs #1: Rsa cryptography speciﬁcations version 2.0, 1998.

[382] M. Kallahalla, E. Riedel, R. Swaminathan, Q. Wang, and K. Fu. Plutus – scalable secure ﬁle sharing on untrusted storage. In Proceedings of the Second USENIX Conference on File and Storage Technologies, March 2003.

[383] Ravi Kannan. Improved algorithms for integer programming and related lattice problems. In Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing, STOC ’83, pages 193–206, New York, NY, USA, 1983. ACM.

[384] Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptogra- phy. Chapman & Hall/CRC, 2008.

[385] Jonathan Katz, Amit Sahai, and Brent Waters. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In

364 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology, EURO- CRYPT’08, 2008.

[386] Aggelos Kiayias, Stavros Papadopoulos, Nikos Triandopoulos, and Thomas Zacharias. Delegatable pseudorandom functions and applications. In 2013 ACM SIGSAC Conference on Computer and Communications Se- curity, CCS’13, Berlin, Germany, November 4-8, 2013, pages 669–684, 2013.

[387] Aggelos Kiayias, Stavros Papadopoulos, Nikos Triandopoulos, and Thomas Zacharias. Delegatable pseudorandom functions and applications. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS ’13, pages 669–684, New York, NY, USA, 2013. ACM.

[388] Joe Kilian. Founding cryptography on oblivious transfer. In STOC ’88, pages 20–31, 1988.

[389] Joe Kilian. Founding cryptography on oblivious transfer. In Simon [516], pages 20–31.

[390] Eike Kiltz. Chosen-ciphertext security from tag-based encryption. In TCC ’06, volume 3876 of LNCS, pages 581–600. Springer, 2006.

[391] Venkata Koppula, Allison Bishop Lewko, and Brent Waters. Indis- tinguishability obfuscation for turing machines with unbounded mem-

365 ory. Cryptology ePrint Archive, Report 2014/925, 2014. https: //eprint.iacr.org/2014/925.

[392] Venkata Koppula, Allison Bishop Lewko, and Brent Waters. Indistin- guishability obfuscation for turing machines with unbounded memory. In Proceedings of the Forty-Seventh Annual ACM on Symposium on The- ory of Computing, STOC 2015, Portland, OR, USA, June 14-17, 2015, pages 419–428, 2015.

[393] Venkata Koppula, Allison Bishop Lewko, and Brent Waters. Indistin- guishability obfuscation for turing machines with unbounded memory. In Proceedings of the Forty-seventh Annual ACM Symposium on Theory of Computing, STOC ’15, pages 419–428, New York, NY, USA, 2015. ACM.

[394] Venkata Koppula, Kim Ramchen, and Brent Waters. Separations in circular security for arbitrary length key cycles. IACR Cryptology ePrint Archive, 2013:683, 2013.

[395] Venkata Koppula, Kim Ramchen, and Brent Waters. Separations in circular security for arbitrary length key cycles. In Theory of Cryptography Conference (TCC), 2015.

[396] Venkata Koppula and Brent Waters. Circular security counterexamples for arbitrary length cycles from LWE. In CRYPTO, 2016.

366 [397] Fabien Laguillaumie, Pascal Paillier, and Damien Vergnau. Universally convertible directed signature. In ASIACRYPT ’05, volume 3788 of LNCS, pages 682–701, 2005.

[398] Peeter Laud. Encryption cycles and two views of cryptography. In NORDSEC 2002 - Proceedings of the 7th Nordic Workshop on Secure IT Systems (Karlstad University Studies 2002:31, pages 85–100, 2002.

[399] Peeter Laud and Ricardo Corin. Sound computational interpretation of formal encryption with composed keys. In ICISC, volume 2971, pages 55–66, 2003.

[400] Jung-San Lee and Chin-Chen Chang. Choosing t-out-of-N secrets by oblivious transfer. Cybercrime and Cybersecurity, pages 67–84, 2006.

[401] H.W. Lenstra, A.K. Lenstra, and L. Lovsz. Factoring polynomials with rational coeﬃcients. Mathematische Annalen, 261:515–534, 1982.

[402] Allison Lewko. Tools for simulating features of composite order bilinear groups in the prime order setting. In Advances in Cryptology– EUROCRYPT 2012, pages 318–335. Springer, 2012.

[403] Allison Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In Proceedings of EuroCrypt, 2010.

367 [404] Allison Lewko and Brent Waters. Decentralizing attribute-based encryption. In Proceedings of EuroCrypt, 2011.

[405] Allison Lewko and Brent Waters. Why proving hibe systems secure is diﬃcult. Cryptology ePrint Archive, Report 2013/068, 2013. http: //eprint.iacr.org/.

[406] Allison B Lewko and Sarah Meiklejohn. A proﬁtable sub-prime loan: Obtaining the advantages of composite-order in prime-order bilinear groups. IACR Cryptology ePrint Archive, 2013:300, 2013.

[407] Allison B. Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In EURO- CRYPT, pages 62–91, 2010.

[408] Allison B. Lewko and Brent Waters. New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9-11, 2010. Proceedings, pages 455–479, 2010.

[409] Allison B. Lewko and Brent Waters. Decentralizing attribute-based encryption. In EUROCRYPT, pages 568–588, 2011.

[410] Allison B. Lewko and Brent Waters. New proof methods for attribute- based encryption: Achieving full security through selective techniques.

368 In Advances in Cryptology - CRYPTO 2012 - 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings, pages 180–198, 2012.

[411] Jinyuan Li, Maxwell N. Krohn, David Mazi`eres,and Dennis Shasha. Secure untrusted data repository (SUNDR). In Proceedings of the 6th Symposium on Operating Systems Design and Implementation, pages 91–106, San Francisco, CA, December 2004.

[412] Benoit Libert, Marc Joye, Moti Yung, and Thomas Peters. Concise multi-challenge cca-secure encryption and signatures with almost tight security. In Advances in Cryptology–ASIACRYPT 2014, pages 1–21. Springer, 2014.

[413] Huijia Lin. Indistinguishability obfuscation from constant-degree graded encoding schemes. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2016.

[414] Huijia Lin. Indistinguishability obfuscation from ddh on 5-linear maps and locality-5 prgs. Cryptology ePrint Archive, Report 2016/1096, 2016.

[415] Huijia Lin. Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 prgs. In Advances in Cryptology - CRYPTO 2017 - 37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20-24, 2017, Proceedings, Part I, pages 599–629, 2017.

369 [416] Huijia Lin and Stefano Tessaro. Indistinguishability obfuscation from trilinear maps and block-wise local prgs. In Advances in Cryptology - CRYPTO 2017 - 37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20-24, 2017, Proceedings, Part I, pages 630–660, 2017.

[417] Huijia Lin and Vinod Vaikuntanathan. Indistinguishability obfuscation from ddh-like assumptions on constant-degree graded encodings. In Foundations of Computer Science (FOCS), 2016 IEEE 57th Annual Symposium on, 2016.

[418] Yehuda Lindell. Eﬃcient fully-simulatable oblivious transfer. In CT- RSA ’08 (to appear), 2008. Available at http://eprint.iacr.org/ 2008/035.

[419] Moses Liskov. Updatable zero-knowledge databases. In Advances in Cryptology proceedings of ASIACRYPT 05, 2005.

[420] Alex Lombardi and Vinod Vaikuntanathan. Limits on the locality of pseudorandom generators and applications to indistinguishability obfuscation. In Theory of Cryptography - 15th International Conference, TCC 2017, Baltimore, MD, USA, November 12-15, 2017, Proceedings, Part I, pages 119–137, 2017.

[421] Adriana L´opez-Alt, Eran Tromer, and Vinod Vaikuntanathan. On-the- ﬂy multiparty computation on the cloud via multikey fully homomorphic encryption. In STOC, pages 1219–1234, 2012.

370 [422] Anna Lysyanskaya. Unique signatures and veriﬁable random functions from the dh-ddh separation. In Proceedings of the 22Nd Annual Inter- national Cryptology Conference on Advances in Cryptology, CRYPTO ’02, pages 597–612, London, UK, UK, 2002. Springer-Verlag.

[423] Anna Lysyanskaya, Ronald L. Rivest, Amit Sahai, and Stefan Wolf. Pseudonym systems. In SAC ’99: Proceedings of the 6th Annual Inter- national Workshop on Selected Areas in Cryptography, pages 184–199. Springer, 1999.

[424] Fermi Ma and Mark Zhandry. New multilinear maps from CLT13 with provable security against zeroizing attacks. IACR Cryptology ePrint Archive, 2017:946, 2017.

[425] Philip D. MacKenzie, Michael K. Reiter, and Ke Yang. Alternatives to non-malleability: Deﬁnitions, constructions, and applications (extended abstract). In TCC ’04, volume 2951 of LNCS, pages 171–190. Springer, 2004.

[426] Tal Malkin, Isamu Teranishi, and Moti Yung. Eﬃcient circuit-size independent public key encryption with KDM security. In Advances in Cryp- tology - EUROCRYPT 2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Es- tonia, May 15-19, 2011. Proceedings, pages 507–526, 2011.

[427] M. Mambo, K. Usuda, and E. Okamoto. Proxy signatures: delegation

371 of the power to sign messages. IEICE Trans. Fundamentals, E79-A(9), 1996.

[428] Masahiro Mambo and Eiji Okamoto. Proxy Cryptosystems: Delegation of the Power to Decrypt Ciphertexts. IEICE Trans. Fund. Electronics Communications and Computer Science, E80-A/1:54–63, 1997.

[429] Masahiro Mambo, Kouichi Sakurai, and Eiji Okamoto. How to utilize the transformability of digital signatures for solving the oracle problem. In ASIACRYPT ’96, pages 322–333, London, UK, 1996. Springer- Verlag.

[430] Antonio Marcedone and Claudio Orlandi. Obfuscation ⇒ (IND-CPA security !⇒ circular security). In Security and Cryptography for Networks - 9th International Conference, SCN 2014, Amalﬁ, Italy, September 3-5, 2014. Proceedings, pages 77–90, 2014.

[431] Antonio Marcedone and Claudio Orlandi. Obfuscation ⇒ (IND-CPA security !⇒ circular security). In Security and Cryptography for Networks - 9th International Conference, SCN 2014, Amalﬁ, Italy, September 3-5, 2014. Proceedings, pages 77–90, 2014.

[432] Noel McCullagh and Paulo S. L. M. Barreto. A new two-party identity- based authenticated key agreement. In CT-RSA ’04, volume 3376, pages 262–274, 2004.

372 [433] Sarah Meiklejohn and Hovav Shacham. New trapdoor projection maps for composite-order bilinear groups. IACR Cryptology ePrint Archive, 2013:657, 2013.

[434] Sarah Meiklejohn, Hovav Shacham, and David Mandell Freeman. Limi- tations on transformations from composite-order to prime-order groups: The case of round-optimal blind signatures. In Advances in Cryptology- ASIACRYPT 2010, pages 519–538. Springer, 2010.

[435] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Hand- book of Applied Cryptography. CRC Press, 1996.

[436] Silvio Micali. Fair public key cryptosystems. In CRYPTO ’92, pages 113–138, 1993.

[437] Silvio Micali, Michael Rabin, and Salil Vadhan. Veriﬁable random functions. In In Proc. 40th IEEE Symposium on Foundations of Computer Science (FOCS, pages 120–130. IEEE, 1999.

[438] Silvio Micali and Leonid Reyzin. Soundness in the public-key model. In Joe Kilian, editor, Advances in Cryptology CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 542–565. Springer Berlin Heidelberg, 2001.

[439] Silvio Micali and Ronald L. Rivest. Micropayments revisited. In Pro- ceedings of the The Cryptographer’s Track at the RSA Conference on

373 Topics in Cryptology, CT-RSA ’02, pages 149–163, London, UK, UK, 2002. Springer-Verlag.

[440] Daniele Micciancio and Chris Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Pro- ceedings, pages 700–718, 2012.

[441] Daniele Micciancio and Chris Peikert. Hardness of SIS and LWE with small parameters. In Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part I, pages 21–39, 2013.

[442] Daniele Micciancio and Oded Regev. Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput., 37(1):267–302, April 2007.

[443] Daniele Micciancio and Panagiotis Voulgaris. A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations. In Proceedings of the Forty-second ACM Symposium on Theory of Computing, STOC ’10, pages 351–358, New York, NY, USA, 2010. ACM.

[444] Eric Miles, Amit Sahai, and Mark Zhandry. Annihilation attacks for multilinear maps: Cryptanalysis of indistinguishability obfuscation over ggh13. In Annual Cryptology Conference, 2016.

374 [445] Atsuko Miyaji, Masaki Nakabayashi, and Shunzou Takano. New ex- plicit conditions of elliptic curve traces for FR-reduction. TIEICE: IEICE Transactions on Communications/Electronics/Information and Systems, E84-A(5):1234–1243, 2001.

[446] Shingo Miyazaki and Kouichi Sakurai. A more eﬃcient untraceable e-cash system with partially blind signatures based on the discrete logarithm problem. In Financial Cryptography ’98, volume 1465 of LNCS, pages 296–308, 1998.

[447] Steven Myers and Abhi Shelat. Bit encryption is complete. In FOCS, pages 607–616, 2009.

[448] David Naccache. Secure and practical identity-based encryption. Cryp- tology ePrint Archive, Report 2005/369, 2005. http://eprint.iacr. org/.

[449] Moni Naor. Bit commitment using pseudorandomness. J. Cryptology, 4(2):151–158, 1991.

[450] Moni Naor and Benny Pinkas. Oblivious transfer and polynomial evaluation. In STOC ’99, pages 245—254, 1999.

[451] Moni Naor and Benny Pinkas. Oblivious transfer with adaptive queries. In CRYPTO ’99, volume 1666 of LNCS, pages 573–590, 1999.

[452] Moni Naor and Benny Pinkas. Eﬃcient oblivious transfer protocols. In SODA ’01, pages 448–457, 2001.

375 [453] Moni Naor and Omer Reingold. Number-theoretic constructions of eﬃ- cient pseudo-random functions. J. ACM, 51(2):231–262, 2004.

[454] Moni Naor and Gil Segev. Public-key cryptosystems resilient to key leakage. In CRYPTO ’09, volume 5677 of LNCS, pages 18–35, 2009.

[455] Moni Naor and Gil Segev. Public-key cryptosystems resilient to key leakage. SIAM J. Comput., 41(4):772–814, 2012.

[456] Moni Naor and Moti Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In STOC ’90, pages 427–437, 1990.

[457] Wakaha Ogata and Kaoru Kurosawa. Oblivious keyword search. Special issue on coding and cryptography Special issue on coding and cryptography Journal of Complexity, 20(2-3):356–371, 2004.

[458] Tatsuaki Okamoto. Eﬃcient blind and partially blind signatures without random oracles. In Theory of Cryptography (TCC), volume 3876 of LNCS, pages 80–99, 2006.

[459] Tatsuaki Okamoto and Katsuyuki Takashima. Fully secure functional encryption with general relations from the decisional linear assumption. In CRYPTO, pages 191–208, 2010.

[460] Adam O’Neill. Deﬁnitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556, 2010.

376 [461] Adam O’Neill. Deﬁnitional issues in functional encryption. IACR Cryptology ePrint Archive, 2010:556, 2010.

[462] Rafail Ostrovsky, Amit Sahai, and Brent Waters. Attribute-based encryption with non-monotonic access structures. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2007.

[463] D. Page, N.P. Smart, and F. Vercauteren. A comparison of MNT curves and supersingular curves. Cryptology ePrint Archive, Report 2004/165, 2004. http://eprint.iacr.org/2004/165.pdf.

[464] Pascal Paillier. Public key cryptosystems based on composite degree residuosity classes. In Proceedings of Eurocrypt ’99, volume 1592 of LNCS, pages 223–238, 1999.

[465] Omer Paneth and Amit Sahai. On the equivalence of obfuscation and multilinear maps. Cryptology ePrint Archive, Report 2015/791, 2015. http://eprint.iacr.org/.

[466] Bryan Parno, Mariana Raykova, and Vinod Vaikuntanathan. How to delegate and verify in public: Veriﬁable computation from attribute- based encryption. In TCC, pages 422–439, 2012.

[467] Rafael Pass, Karn Seth, and Sidharth Telang. Indistinguishability obfuscation from semantically-secure multilinear encodings. In International Cryptology Conference, 2014.

377 [468] Torben Pryds Pedersen. Non-interactive and information-theoretic secure veriﬁable secret sharing. In CRYPTO ’92, volume 576 of LNCS, pages 129–140, 1992.

[469] Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31 - June 2, 2009, pages 333–342, 2009.

[470] Chris Peikert. A decade of lattice cryptography. Cryptology ePrint Archive, Report 2015/939, 2015. http://eprint.iacr.org/.

[471] Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for eﬃcient and composable oblivious transfer. In CRYPTO ’08, volume 5157, pages 554–571, 2008.

[472] Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for eﬃcient and composable oblivious transfer. In CRYPTO ’08 (to appear), 2008. http://eprint.iacr.org/2007/348.pdf.

[473] Radia Perlman and Charlie Kaufman. PDM: A new strong password- based protocol. In Proceedings of the 10th USENIX Security Sympo- sium, August 2001.

[474] Nicholas Pippenger and Michael J. Fischer. Relations among complexity measures. J. ACM, 26(2):361–381, 1979.

378 [475] David Pointcheval and Jacques Stern. Provably secure blind signature schemes. In ASIACRYPT ’96, volume 1163 of LNCS, pages 252–265, 1996.

[476] David Pointcheval and Jacques Stern. New blind signatures equivalent to factorization (extended abstract). In CCS ’97, pages 92–99, New York, NY, USA, 1997. ACM Press.

[477] David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3):361–396, 2000.

[478] Guillaume Poupard and Jacques Stern. Short proofs of knowledge for factoring. In PKC ’00: Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptography, volume 1751 of LNCS, pages 147–166. Springer-Verlag, 2000.

[479] Michael Rabin. How to exchange secrets by oblivious transfer. Techni- cal Report TR-81, Aiken Computation Laboratory, Harvard University, 1981.

[480] Charles Rackoﬀ and Daniel R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In CRYPTO ’91, volume 576 of LNCS, pages 433–444, 1991.

[481] Perlman Radia. The ephemerizer: Making data disappear. Journal of Information System Security, 1(1):51–68, 2005.

379 [482] David Reed and Liba Svobodova. Swallow: A distributed data storage system for a local network. In A. West and P. Janson, editors, Local Networks for Computer Communications, pages 355–373. North-Holland Publishing Company, Amsterdam, 1981.

[483] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22-24, 2005, pages 84–93, 2005.

[484] Alfredo Rial, Markulf Kohlweiss, and Bart Preneel. Universally composable adaptive priced oblivious transfer. In Pairing 2009, volume 5671 of LNCS, pages 231–247, 2009.

[485] Ron Rivest, Leonard Adleman, and Michael L. Dertouzos. On data banks and privacy homomorphisms. In Foundations of Secure Compu- tation, pages 169–180, 1978.

[486] Ronald L. Rivest. Can We Eliminate Certiﬁcate Revocation Lists? In Proceedings of Financial Cryptography ’98, volume 1465, pages 178–183, 1998.

[487] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2):120–126, 1978.

380 [488] Phillip Rogaway and Thomas Shrimpton. A provable-security treatment of the key-wrap problem. In EUROCRYPT, pages 373–390, 2006.

[489] M. Rosenblum and J. Ousterhout. The design and implementation of a log-structured ﬁle system. In Proceedings of the 13th ACM Symposium on Operating Systems Principles (SOSP), pages 1–15, Paciﬁc Grove, CA, October 1991. ACM.

[490] Ron Rothblum. On the circular security of bit-encryption. In Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Tokyo, Japan, March 3-6, 2013. Proceedings, pages 579–598, 2013.

[491] Ron Rothblum. On the circular security of bit-encryption. In Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Tokyo, Japan, March 3-6, 2013. Proceedings, pages 579–598, 2013.

[492] Steven Rudich. Unpublished, 1989.

[493] Ahmad-Reza Sadeghi and Michael Steiner. Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Diﬀerence. In Pro- ceedings of Eurocrypt ’01, volume 2045, pages 244–262, 2001.

[494] Amit Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In FOCS ’99, pages 543–553, 1999.

[495] Amit Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In FOCS, pages 543–553, 1999.

381 [496] Amit Sahai and Hakan Seyalioglu. Worry-free encryption: functional encryption with public keys. In Proceedings of the 17th ACM conference on Computer and communications security, CCS ’10, pages 463–472, New York, NY, USA, 2010. ACM.

[497] Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In EUROCRYPT, pages 457–473, 2005.

[498] Amit Sahai and Brent Waters. Slides on functional encryption. Pow-

erPoint presentation, 2008. http://www.cs.utexas.edu/~bwaters/ presentations/files/functional.ppt.

[499] Amit Sahai and Brent Waters. Attribute-based encryption for circuits from multilinear maps. Cryptology ePrint Archive, Report 2012/592, 2012.

[500] Amit Sahai and Brent Waters. How to use indistinguishability obfuscation: Deniable encryption, and more. In Proceedings of the 46th Annual ACM Symposium on Theory of Computing, STOC ’14, pages 475–484, New York, NY, USA, 2014. ACM.

[501] Amit Sahai and Brent Waters. How to use indistinguishability obfuscation: deniable encryption, and more. In Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31 - June 03, 2014, pages 475–484, 2014.

382 [502] Kouichi Sakurai and Yoshinori Yamane. Blind decoding, blind un- deniable signatures, and their applications to privacy protection. In Proceedings of the First International Workshop on Information Hiding, pages 257–264, London, UK, 1996. Springer-Verlag.

[503] Tomas Sander, Adam Young, and Moti Yung. Non-interactive cryp- tocomputing for nc1. In FOCS ’99, page 554, Washington, DC, USA, 1999. IEEE Computer Society.

[504] C. P. Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci., 53(2-3):201–224, August 1987.

[505] Claus-Peter Schnorr. Eﬃcient signature generation by smart cards. Journal of Cryptography, 4:161–174, 1991.

[506] Claus-Peter Schnorr. Eﬃcient signature generation for smart cards. Journal of Cryptology, 4(3):239–252, 1991.

[507] Claus-Peter Schnorr and Markus Jakobsson. Security of Signed ElGa- mal Encryption. In ASIACRYPT ’00, volume 1976 of LNCS, pages 72–89, 2000.

[508] Michael Scott. MIRACL library. Indigo Software. http://indigo.ie/Simmscott/#download.

[509] Mike Scott. Authenticated id-based key exchange and remote log-in with simple token and pin number, 2002. Available at http://eprint. iacr.org/2002/164.

383 [510] Hovav Shacham. A cramer-shoup encryption scheme from the linear assumption and from progressively weaker linear variants. IACR Cryp- tology ePrint Archive, 2007:74, 2007.

[511] Hovav Shacham. A cramer-shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074, 2007. http://eprint.iacr.org/.

[512] Adi Shamir. On the generation of cryptographically strong pseudorandom sequences. ACM Trans. Comput. Syst., 1(1):38–44, 1983.

[513] Adi Shamir. Identity-based cryptosystems and signature schemes. In CRYPTO ’84, volume 196 of LNCS, pages 47–53, 1984.

[514] Adi Shamir. Identity-based cryptosystems and signature schemes. In Proceedings of CRYPTO 84 on Advances in cryptology, pages 47–53, New York, NY, USA, 1985. Springer-Verlag New York, Inc.

[515] Victor Shoup. Lower bounds for discrete logarithms and related problems. In EUROCRYPT ’97, volume 1233 of LNCS, pages 256–266. Springer, 1997.

[516] Janos Simon, editor. Proceedings of the 20th Annual ACM Symposium on Theory of Computing, May 2-4, 1988, Chicago, Illinois, USA. ACM, 1988.

[517] Dawn Xiaoding Song, David Wagner, and Adrian Perrig. Practical techniques for searches on encrypted data. In Security and Privacy,

384 2000. S&P 2000. Proceedings. 2000 IEEE Symposium on, pages 44–55. IEEE, 2000.

[518] Damien Stehl´eand Ron Steinfeld. Making ntru as secure as worst-case problems over ideal lattices. In EUROCRYPT, pages 27–47, 2011.

[519] Vanessa Teague. Selecting correlated random actions. In Financial Cryptography ’04, volume 3110 of LNCS, pages 181–195. Springer, 2004.

[520] Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. Fully homomorphic encryption over the integers. In EUROCRYPT, pages 24–43, 2010.

[521] Eric R. Verheul. Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. J. Cryptology, 17:277–296, 2004.

[522] Voltage Security, Inc. http://www.voltage.com.

[523] Brent Waters. Eﬃcient Identity-Based Encryption without random oracles. In EUROCRYPT ’05, volume 3494 of LNCS, pages 114–127, 2005.

[524] Brent Waters. Eﬃcient identity-based encryption without random oracles. In EUROCRYPT, pages 114–127, 2005.

[525] Brent Waters. Dual system encryption: Realizing fully secure ibe and hibe under simple assumptions. In CRYPTO, pages 619–636, 2009.

385 [526] Brent Waters. Functional encryption for regular languages. In CRYPTO, 2012.

[527] Brent Waters. A punctured programming approach to adaptively secure functional encryption. In Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part II, pages 678–697, 2015.

[528] Brent R. Waters, Dirk Balfanz, Glenn Durfee, and D. K. Smetters. Building an encrypted and searchable audit log. In NDSS’04, 2004.

[529] Brent R Waters, Edward W Felten, and Amit Sahai. Receiver anonymity via incomparable public keys. In Proceedings of the 10th ACM conference on Computer and communications security, 2003.

[530] Hoeteck Wee. On obfuscating point functions. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22-24, 2005, pages 523–532, 2005.

[531] Hoeteck Wee. Dual system encryption via predicate encodings. In Theory of Cryptography - 11th Theory of Cryptography Conference, TCC 2014, San Diego, CA, USA, February 24-26, 2014. Proceedings, pages 616–637, 2014.

[532] Daniel Wichs and Giorgos Zirdelis. Obfuscating compute-and-compare programs under lwe. Cryptology ePrint Archive, Report 2017/276, 2017.

386 [533] Takashi Yamakawa, Shota Yamada, Goichiro Hanaoka, and Noboru Ku- nihiro. Self-bilinear map on unknown order groups from indistinguishability obfuscation and its applications. In JuanA. Garay and Rosario Gennaro, editors, Advances in Cryptology CRYPTO 2014, volume 8617 of Lecture Notes in Computer Science, pages 90–107. Springer Berlin Heidelberg, 2014.

[534] Peng Yang, Takashi Kitagawa, Goichiro Hanaoka, Rui Zhang, Kanta Matsuura, and Hideki Imai. Applying Fujisaki-Okamoto to Identity- Based Encryption. In Applied Algebra, Algebraic Algorithms and Error- Correcting Codes, 16th International Symposium (AAECC-16), volume 3857 of Lecture Notes in Computer Science, pages 183–192. Springer, 2006.

[535] Andrew Yao. How to generate and exchange secrets. In FOCS, pages 162–167, 1986.

[536] Andrew Chi-Chih Yao. Theory and applications of trapdoor functions (extended abstract). In 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 3-5 November 1982, pages 80–91, 1982.

[537] Danfeng Yao, Nelly Fazio, Yevgeniy Dodis, and Anna Lysyanskaya. ID- based encryption for complex hierarchies with applications to forward security and broadcast encryption. In CCS ’04: Proceedings of the

387 11th ACM conference on Computer and communications security, pages 354–363, New York, NY, USA, 2004. ACM Press.

[538] Fangguo Zhang and Kwangjo Kim. Eﬃcient ID-based blind signature and proxy signature from bilinear pairings. In Proceedings of the Eighth ACISP Conference, volume 2727, pages 312–323, 2003.

[539] Fangguo Zhang, R. Safavi-Naini, and Chih-Yin Lin. New proxy signature, proxy blind signature and proxy ring signature schemes from bilinear pairing, 2003. Cryptology ePrint Archive, Report 2003/104, available at http://eprint.iacr.org/2003/104.

[540] Fangguo Zhang, Reihaneh Safavi-Naini, and Willy Susilo. An eﬃcient signature scheme from bilinear pairings and its applications. In Proceed- ings of Public Key Cryptography ’04, volume 2947 of LNCS, pages 277– 290, 2004. Full version of the paper available at http://www.uow.edu.au/Simfangguo/PKC04.pdf.

[541] Yuliang Zheng. Signcryption and its applications in eﬃcient public key solutions. In Proceedings of ISW ’97, volume 1396 of LNCS, pages 291–312, 1997.

[542] Lidong Zhou, Michael A. Marsh, Fred B. Schneider, and Anna Redz. Distributed blinding for ElGamal re-encryption. Technical Report 2004– 1924, Cornell Computer Science Department, 2004.

[543] Joe Zimmerman. How to obfuscate programs directly. In Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Confer-

388 ence on the Theory and Applications of Cryptographic Techniques, Soﬁa, Bulgaria, April 26-30, 2015, Proceedings, Part II, pages 439–467, 2015.

389