Obfuscating Compute-And-Compare Programs Under LWE

58th Annual IEEE Symposium on Foundations of Computer Science

Obfuscating Compute-and-Compare Programs under LWE

Daniel Wichs Giorgos Zirdelis Northeastern University Northeastern University [email protected] [email protected]

Abstract—We show how to obfuscate a large and expres- that the obfuscated program can be simulated given black- sive class of programs, which we call compute-and-compare box access to the program’s functionality. Unfortunately, programs, under the learning-with-errors (LWE) assumption. they showed that general purpose VBB obfuscation is un- Each such program CC[f,y] is parametrized by an arbitrary polynomial-time computable function f along with a target achievable. This leaves open two possibilities: (1) achieving value y and we define CC[f,y](x) to output 1 if f(x)=y weaker security notions of obfuscation for general programs, and 0 otherwise. In other words, the program performs an and (2) achieving virtual black box obfuscation for restricted arbitrary computation f and then compares its output against classes of programs. y a target . Our obfuscator satisfies distributional virtual-black- Along the first direction, Barak et al. proposed a weaker box security, which guarantees that the obfuscated program does not reveal any partial information about the function f security notion called indistinguishability obfuscation (iO) or the target value y, as long as they are chosen from some which guarantees that the obfuscations of two functionally distribution where y has sufficient pseudo-entropy given f. equivalent programs are indistinguishable. In a breakthrough We also extend our result to multi-bit compute-and-compare result, Garg, Gentry, Halevi, Raykova, Sahai and Waters MBCC[f,y,z](x) z programs which output a message if [GGH+13b] showed how to iO-obfuscate all polynomial- f(x)=y. Compute-and-compare programs are powerful enough to size circuits using multi-linear maps [GGH13a]. Since then, capture many interesting obfuscation tasks as special cases. there has been much follow-up work on various construc- This includes obfuscating conjunctions, and therefore we im- tions and cryptanalysis of multi-linear maps, constructions prove on the prior work of Brakerski et al. (ITCS ’16) which and cryptanalysis of iO using multi-linear maps, and various constructed a conjunction obfuscator under a non-standard applications of iO. At this point, we have heuristic candidate “entropic” ring-LWE assumption, while here we obfuscate a significantly broader class of programs under standard constructions of iO which we do not know how to attack, LWE. We show that our obfuscator has several interesting but we lack a high degree of confidence in their security applications. For example, we can take any encryption scheme and don’t have a good understanding of the underlying and publish an obfuscated plaintext equality tester that allows computational problems on which such schemes are based. users to check whether a ciphertext decrypts to some target It remains a major open problem to construct iO under value y; as long as y has sufficient pseudo-entropy this will not harm semantic security. We can also use our obfuscator standard well-studied assumptions. to generically upgrade attribute-based encryption to predicate Along the second direction, several interesting but highly encryption with one-sided attribute-hiding security, and to restricted classes of programs have been shown to be upgrade witness encryption to indistinguishability obfuscation virtual black-box obfuscatable. This includes constructions which is secure for all “null circuits”. Furthermore, we of (multi-bit) point function obfuscators [Can97], [Wee05], show that our obfuscator gives new circular-security counter- examples for public-key bit encryption and for unbounded [CD08], [Zha16] in the random oracle model or under length key cycles. various (semi-)standard assumptions, hyperplane obfuscators Our result uses the graph-induced multi-linear maps of assuming strong DDH [CRV10], and very recently conjunc- Gentry, Gorbunov and Halevi (TCC ’15), but only in a carefully tion obfuscators, first using multi-linear maps [BR13] and restricted manner which is provably secure under LWE. Our later a variant of Ring LWE called “entropic Ring LWE” technique is inspired by ideas introduced in a recent work of Goyal, Koppula and Waters (EUROCRYPT ’17) in a seemingly [BVWW16]. It remains an open problem to understand unrelated context. which classes of programs can we even hope to VBB obfuscate to avoid the impossibility results of Barak et al. In summary, prior to this work, we did not know how I. INTRODUCTION to achieve any meaningful definition of obfuscation for any The goal of program obfuscation [Had00], [BGI+01], expressive class of programs under any standard assumption. [GGH+13b] is to encode a program in a way that pre- serves its functionality while hiding everything else about A. Our Results its code and its internal operation. Barak et al. [BGI+01] In this work, we show how to obfuscate a large and proposed a strong security definition for obfuscation, called expressive class of programs which we call compute-and- virtual black-box (VBB) security, which (roughly) guarantees compare programs, achieving a strong notion of security

0272-5428/17 $31.00 © 2017 IEEE 600 DOI 10.1109/FOCS.2017.61 called distributional virtual black box (D-VBB), under the any input on which it does not output 0? However, the point learning with errors (LWE) assumption. This is the first such is that there may be some users with additional information result that allows us obfuscate complex programs under a about y (for whom it does not have much pseudo-entropy) standard assumption. and who may therefore be able to find inputs on which A compute-and-compare program CC[f,y] is parameter- the program outputs 1. In other words, the correctness of ized by a function f : {0, 1}in →{0, 1}out , represented obfuscation is meaningful for users for whom y does not as a circuit or a Turing Machine, along with a target value have much pseudo-entropy (but for such users we do not y ∈{0, 1}out and we define CC[f,y](x)=1if f(x)=y get any meaningful security), while security is meaningful and CC[f,y](x)=0otherwise. In other words, the program for users for whom y has sufficient pseudo-entropy (but for performs an arbitrary computation f and then compares such users correctness is not very meaningful since they + the output against a target y. The D-VBB definition of will always get a 0 output). The work of [BBC 14] shows security says that an obfuscation of CC[f,y] hides all partial that one cannot have (D-)VBB obfuscation for all evasive information about the function f and the target value y as functions (with auxiliary input) and our work is the first to long as they are chosen from some distribution where y has identify a large sub-class of evasive functions for which it sufficient min-entropy or (HILL) pseudo-entropy given f.1 is possible. We show that this type of obfuscation is already We can relax this to only requiring that y is computationally powerful and has several interesting applications. unpredictable given f, but in that case we also need an additional mild assumption that there exist pseudo-random B. Applications generators for unpredictable sources which holds e.g, in the Obfuscation for compute-and-compare programs is al- random oracle model or assuming the existence of extremely ready sufficiently powerful and expressive to capture many lossy functions (ELFs) [Zha16]. All our results hold in the interesting obfuscation tasks and gives rise to new applica- presence of auxiliary input, as long as y remains sufficiently tions as well as a simple and modular way to recover several unpredictable even given f and the auxiliary input. prior results. We also extend our result to multi-bit compute-and- CONJUNCTIONS AND AFFINE TESTERS. We can think of compare programs MBCC[f,y,z](x) which output a mes- conjunctions as a restricted special case of compute-and- sage z if f(x)=y and otherwise output ⊥. In this case compare programs CC[f,y] where the function f(x) simply we ensure that the obfuscated program does not reveal outputs some subset of the bits of x. Therefore our result anything about f,y,z as long as they are chosen from some improves on the work of [BVWW16] which constructed an distribution where y has sufficient pseudo-entropy (or is obfuscator for conjunctions under a non-standard entropic computationally unpredictable) even given f,z. Ring-LWE assumption, whereas here we get a conjunction When the function f is represented as a Turing Machine obfuscator under standard LWE as a special case of our with some fixed run-time t, our obfuscator is succinct result. Moreover, our obfuscator also achieves a stronger meaning that the run-time of our obfuscator and the size notion of security for a broader class of distributions than of the obfuscated program only have a poly-logarithmic the previous constructions. dependence on t. To get this we need to further rely As another special case which generalizes conjunctions, on true (non-leveled) fully homomorphic encryption (FHE) we can obfuscate arbitrary affine testers which are parame- which requires a circular security assumption. Assuming terized by a matrix A and a vector y and test whether an only leveled FHE, which we have under standard LWE, we input x satisfies Ax =? y, where security is guaranteed as get a weakly succinct scheme where the run-time of the long as y has sufficient pseudo-entropy given A. obfuscator depends polynomially on log t, d, where d is the SECURE SKETCHES. We also show that our obfuscator depth of the circuit computing f. allows us to convert any secure sketch [DORS08] into OBFUSCATING EVASIVE PROGRAMS. We note that a (computational) private secure sketch [DS05]. A secure compute-and-compare programs CC[f,y] where y has sketch SS(y) of a string y allows us to recover y given any pseudo-entropy given f are an example of evasive pro- string x which is close to y (e.g., in hamming distance) grams, meaning that for any input x chosen a-priori, with without revealing all the entropy in y. However, the sketch overwhelming probability the program outputs 0. When may reveal various sensitive partial information about y. obfuscating evasive programs, D-VBB security ensures that We show how to convert any secure sketch into a private one cannot find an input on which it evaluates to anything one, which does not reveal any partial information, by other than 0. This may seem strange at first; what is the obfuscating a program that has SS(y) inside it. point of creating the obfuscated program and ensuring that PLAINTEXT EQUALITY TESTER. Using our obfuscator, we it functions correctly on all inputs if users cannot even find can take an arbitrary encryption scheme and obfuscate a CC 1The HILL pseudo-entropy must be at least λε, where λ is the security plaintext equality tester [Decsk,y] which has a hard- parameter and ε>0 is an arbitrary constant. coded secret key sk and a target plaintext value y and tests

601 whether a given ciphertext ct decrypts to Decsk(ct)=y.Or, (multi-linear maps or obfuscation) [Rot13], [KRW15]. The more generally, we can evaluate an arbitrary polynomial- very recent work of Goyal, Koppula and Waters [GKW17b] time function g on the plaintext and test if g(Decsk(ct)) = y provided such a counter-example for symmetric-key bit- by obfuscating CC[g ◦Decsk,y]. As long as the target y has encryption under LWE. Using our obfuscator, we get a sufficient pseudo-entropy, our obfuscated plaintext equality simple and modular counter-example for public-key bit- tester can be simulated without knowing sk and therefore encryption under LWE. will not harm the semantic security of the encryption Secondly, it gives us a simple construction of a scheme. The idea of obfuscating a plaintext-equality tester public-key bit-encryption scheme which is semanti- is implicitly behind several of our other applications, and cally secure but not circular secure for key cycles we envision that more applications should follow. of any unbounded polynomial length . That is, we ATTRIBUTE BASED ENCRYPTION TO ONE-SIDED PREDI- construct a single scheme such that, given a cycle Encpk (sk2), Encpk (sk3),...,Encpk (sk ), Encpk (sk1) of CATE ENCRYPTION. We show that our obfuscator allows 1 2 −1 us to generically upgrade attribute-based encryption (ABE) any arbitrary polynomial length , we can completely re- into predicate encryption (PE) with one-sided attribute- cover all of the secret keys. Previously, we had such results hiding security, meaning that the attribute is hidden from for bounded-length cycles under LWE [AP16], [KW16] or any user who is not qualified to decrypt. Although the recent unbounded-length cycles under iO [GKW17a]. Using our work of Gorbunov, Vaikuntanathan and Wee [GVW15] con- obfuscator, we get a result for unbounded-length cycles structed such predicate encryption for all circuits under LWE under LWE. Furthermore, our scheme does not require any by cleverly leveraging a prior construction of attribute-based common public parameters. encryption [BGG+14] under LWE, it was a fairly intricate Thirdly, we consider a compiler proposed by Black, non-generic construction with a subtle analysis, while our Rogaway, and Shrimpton [BRS03] which transforms any transformation is simple and generic. For example, it shows semantically secure scheme into a circular secure (and that any future advances in attribute-based encryption (e.g., even Key-Dependent Message secure) one in the random- getting rid of the dependence on circuit depth in encryption oracle model. We show that this compiler fails in the efficiency and ciphertext size) will directly translate to standard model: under the LWE assumption, there exists a predicate encryption as well. semantically secure scheme such that, when we apply the transformation of [BRS03] and replace the random oracle WITNESS ENCRYPTION TO NULL IO. A witness encryption with any hash function, the resulting scheme fails to be scheme [GGSW13] allows us to use any NP statement x circular secure. as a public-key to encrypt a message m. Any user who knows the corresponding witness w for x will be able C. Concurrent and Independent Work of [GKW17c] to decrypt m, but if x is a false statement then m is The concurrent and independent work of Goyal, Koppula computationally hidden. We show that our obfuscator for and Waters [GKW17c] achieves essentially the same results compute-and-compare programs allows us to convert any as this work modulo small differences in presentation and witness encryption (WE) into an obfuscation scheme that focus. They define a notion of “lockable obfuscation” which has correctness for all circuits and guarantees that we cannot (in our language) is an obfuscation scheme for multi-bit distinguish the obfuscations of any two null circuits C, C MBCC compute and compare programs [f,y,z] where y is such that C(x)=C (x)=0for all inputs x. We call this uniformly random and independent of f,z. While we allow notion null iO or niO. We previously knew that iO implies for more general distributions, where y only has pseudo- niO which in turn implies WE, but we did not know anything entropy/unpredictability given f,z, this can be achieved about the reverse directions. Our result shows that under generically from lockable obfuscation using a pseudorandom the LWE assumptions, WE implies niO. It remains as a generator that works with any high pseudo-entropy seed. fascinating open problem whether niO implies full iO. Indeed, the main constructions in both works are essentially CIRCULAR SECURITY COUNTER-EXAMPLES. Finally, we identical. Both works also present applications of this type show that our obfuscator gives us new counter-examples to of obfuscation to one-sided predicate encryption, null iO, various circular security problems. and circular security counter-examples. Our work also shows Firstly, it gives us a simple construction of a public-key applications to private secure sketches and to other obfusca- bit-encryption scheme which is semantically secure but is tion tasks such as obfuscating conjunctions and affine spaces not circular secure: given ciphertexts encrypting the secret while the work of [GKW17c] gives new results showing the key one bit at a time, we can completely recover the secret uninstatiability of random oracle schemes. key. This means that, under the LWE assumption, semantic security does not generically imply circular security for D. Our Techniques all public-key bit-encryption schemes. Previously, we only Our result relies on the graph induced multilinear maps had such counter-examples under non-standard assumptions of Gentry, Gorbunov and Halevi [GGH15]. In the original

602 C ∈ Zm×m work [GGH15], such maps were used in a heuristic manner sampling a matrix q such that to construct iO and various other applications, but there ⎡ ⎤ ⎡ ⎤ was no attempt to define or prove any stand-alone security A1 S · A1 + E1 ⎣ ⎦ ⎣ ⎦ properties of such maps. The subsequent work of [CLLT16] ... C = ... A S · A E came up with attacks on various uses of such multilinear w w + w maps, showing that some of the applications in [GGH15] are insecure. However, a series of works also showed that certain This can be done the same way as in the⎡ single-edge⎤ A1 highly restricted uses of these multilinear maps are actually case given the trapdoor for the matrix B = ⎣ ...⎦ with provably secure under the LWE assumption. In particular, Aw the works of [BVWW16], [KW16], [AP16], [GKW17b], dimensions (n · w) × m. The resulting encoding C satisfies [CC17] all either implicitly or explicitly rely on various A C ≈ SA ∈ j j for all j [w] and therefore is an encoding provably secure properties of the [GGH15] multilinear map. of S along each one of the edges A → A separately. Following [BVWW16] we refer to a restricted version of j j the [GGH15] scheme as a directed encoding. ENCODING BRANCHING PROGRAMS. As a building block, we define the notion of “encoding” a permutation branching Our particular use of directed encodings is inspired by program P . This encoding is not an obfuscation scheme yet, the recent work of Goyal, Koppula and Waters [GKW17b] since it does not allow us to evaluate the encoded program which studied the seemingly unrelated problem of circular and learn the output. However, it’s a useful first step toward security counterexamples for symmetric-key bit-encryption. obfuscation. As one of the components of their solution, they described a We think of a boolean permutation branching program clever way of encoding branching programs. We essentially P of input size in, length L and width w, as a graph use this encoding as the core component of our obfuscation containing (L +1)· w vertices that are grouped into (L +1) construction. The work of [GKW17b] did not explicitly levels of w vertices each; we denote these vertices by (i, j) define or analyze any security properties of their encoding for i ∈{1,...,L +1},j ∈{0,...,w − 1}. Each level and did not draw a connection to obfuscation. Indeed, as we i ≤ L is associated with two permutations πi,0,πi,1 over will elaborate later, there are major differences between the {0,...,w − 1}. For each vertex (i, j) at level i ≤ L we security properties of the encoding that they implicitly used use the permutations to define two outgoing edges labeled in the context of their construction and the ones that we with 0 and 1 that respectively go to vertices (i +1,πi,0(j)) rely on in our work. We show how to use this encoding to and (i +1,πi,1(j)) at level i +1. To evaluate the branching get a “basic obfuscation scheme” for compute-and-compare program P on an input x =(x1,...,x ) ∈{0, 1} in we CC in program [f,y] where f is a branching program and y start at the vertex (1, 0) and at each level i ∈ [L] we follow has very high pseudo-entropy. We then come up with generic the edge labeled with the bit x(i mod in). At the final level transformations to go from branching programs to circuits L +1, we end up at a vertex (L +1,b) where b ∈{0, 1} or Turing Machines and to reduce the requirements on the is the output of the program P (x). See Figure I-D for an 1 pseudo-entropy of y to get our final result. example. By Barrington’s theorem [Bar89], any NC circuit can be converted into a branching program with constant- DIRECTED ENCODINGS. A directed encoding scheme con- width w =5and polynomial-length.2 A ∈ Zn×m tains public keys i q . We define an encoding of To encode a branching program, we associate a public S ∈ Zn×n A → A a “small” secret q along the edge i j as key A with each vertex (i, j) of the branching program. C ∈ Zm×m A C SA E i,j a “small” matrix q such that i = j + For each level i ∈ [L] we pick two random secrets where E ∈ Zn×m is some “small” noise. For simplicity, q Si,0, Si,1 and create two encodings Ci,0, Ci,1 where Ci,b we will just write AiC ≈ SAj where the ≈ hides “small” encodes Si,b simultaneously along the w edges {Ai,0 → noise. Creating such an encoding requires knowing a trap- A A → A } i+1,π (0) ,..., i,w−1 i+1,π (w−1) that are door for the public key A . i,b i,b i labeled with the bit b. For any input x ∈{0, 1}in we Given an encoding C1 of a secret S1 along an edge A1 → can then “evaluate” the encoded branching program on D A · L C A2 and an encoding C2 of a secret S2 along an edge A2 → x to get: := 1,0 =1 i,x( mod ) satisfying i i in A C ·C S ·S 3, the value 1 2 is an encoding of 1 2 along the edge D ≈ L S · A =1 i,x( mod ) L+1,P (x). Note that this A1 → A3 with slightly larger noise. More generally, given i i in C S A → A “evaluation” does not allow us to recover the output P (x), encodings i of secrets i along edges i i+1, the C∗ L C S∗ L S value = i=1 i is an encoding of = i=1 i along ∗ ∗ 2We depart from the usual definition of branching programs by insisting the edge A1 → A +1 meaning that A1C ≈ S A +1. L L that the input-bits are accessed in a fixed order where step i reads bit S i mod in. However, this is without loss of generality since any branching We can also encode a secret along multiple edges program that reads the input in an arbitrary order can be converted into one {A → A A → A } 1 1 ,..., w w simultaneously by of this form at the expense of increasing the length by a factor of in.

603 start output 0 This gives us our basic obfuscation scheme but several

(1,0) (2,0) (3,0) (4,0) issues remain. Firstly, it only works for functions f which can be represented by polynomial length branching programs output 1 rather than all polynomial size circuits or polynomial time (1,1) (2,1) (3,1) (4,1) Turing Machines. Secondly, in order to set the parameters in a way that balances correctness and security, we would (1,2) (2,2) (3,2) (4,2) need y to have “very large” pseudo-entropy which depends Input bit: ݔଵ ݔଶ ݔଵ polynomially on the length of the branching program L Figure 1. Example of a branching program of length L =3, width and the security parameter λ. Ideally, we would like to ε w =3, and input size in =2. Solid edges are labeled with 1 and the only require that y has some non-trivial pseudo-entropy λ dashed edges with 0. For example, on input x =10(i.e., x1 =1,x2 =0) or, better yet, just that it is computationally unpredictable the program evaluates to 0. (Technically the above simple example is not a legal branching program since there are inputs on which it does no evaluate given f. We show how to solve these problems via generic to 0 or 1, but it is useful to illustrate the concept.) transformations described below. RELATION TO [GKW17B]. The above technique for encoding branching programs follows closely from ideas but only gives us an LWE sample with respect to the matrix developed by Goyal, Koppula and Waters [GKW17b] in A L+1,P (x) which depends on the output. the completely unrelated context of constructing circular- We can also encode a branching program P with out- security counter-examples for bit-encryption. The technique bit output, by thinking of it as a sequence of boolean there is used as part of a larger scheme and is not analyzed (1) ( ) branching programs P =(P ,...,P out ) for each output modularly. However, implicitly, their work relies on entirely bit, where all the programs have a common length L, width different properties of the encoding compared to our work. w, and access pattern in which the i’th level reads the In [GKW17b], the branching-programs being encoded are input bit (i mod in). We essentially encode each boolean public and there is no requirement that the scheme hides program P (k) separately as described above with fresh and ( ) them in any way. Instead, that work relies on hiding the cor- A k (k) independent public keys i,j but we use the same secrets respondence between the components C of the encoded S S i,b i,0, i,1 across all programs. This allows us to evaluate the branching programs and the input bits b that they correspond entire sequence of encoded programs on some input x and to. Their scheme gives out various such components at D(k) ≈ S∗·A(k) derive a sequence of LWE samples +1 (k)( ) different times and if a user collects ones corresponding L ,P x S∗ L S to an input x on which f(x)=y this can be efﬁciently with a common secret = =1 i,x( mod ) . In other i i in checked. In our work, we make the correspondence between words, for each output bit k we get an LWE sample with (k) ∗ (k) the components C and the bits b public, in order to the secret S and one of two possible matrices A i,b L+1,0 allow the user to evaluate the encoded program on arbitrary A(k) or L+1,1 depending on the value of that bit. We show inputs, but rely on hiding the actual branching program being that under the LWE assumption the above encoding is encoded. “semantically secure”, meaning that it completely hides the program P . UPGRADING FUNCTIONALITY AND SECURITY. Our basic obfuscation scheme for compute-and-compare programs FROM ENCODING TO OBFUSCATION. We use the CC[f,y] only works for functions f represented by branch- above idea to obfuscate the compute-and-compare program ing programs of some polynomial length L and values y with CC { }in →{ }out [f,y] where the function f : 0, 1 0, 1 can very large pseudo-entropy that exceeds some polynomial be computed via a polynomial-size branching program P = (1) ( ) bound in the security parameter λ and the branching program out ∈{ } out (P ,...,P ) and the target value is y 0, 1 . length L. We show a series of generic transformations to To do so, we simply encode the program P as described upgrade the functionality and security of our scheme. A(k) above, but instead of choosing all of the public keys i,j Firstly, we can reduce the requirement on the pseudo- randomly we choose the keys at the last level L+1 to satisfy entropy of y to only exceeding some small threshold λε out (k) =1 A +1 = 0.Ify has sufﬁciently large (pseudo- k L ,yk for some constant ε>0. We do so by applying a pseudo- )entropy given f than, by the leftover hash lemma, this is random generator (PRG) G and using our obfuscator on the statistically close to choosing the public keys at random and program CC[G ◦ f,G(y)]. We need an injective PRG in 1 therefore, by the semantic security of the encoding scheme NC that takes as input any seed y with pseudo-entropy λε for branching programs, the obfuscation does not reveal any and outputs an arbitrarily large number of pseudo-random partial information about f or y. To evaluate the obfuscated bits. Luckily, we have such PRGs under LWE. program on x, we evaluate the sequence of encoded branch- Secondly, we can “bootstrap” our obfuscator for branch- (k) ∗ (k) ing programs to get LWE samples D ≈ S ·A ( ) L+1,P k (x) ing programs into one for circuits or Turing Machines out D(k) ≈ 0 and check if k=1 . by using a (leveled) fully homomorphic encryption (FHE)

604 1 scheme with decryption in NC , which is known to exist x we can then evaluate P˜0(x) and if it outputs 0 we output under LWE. A similar type of bootstrapping was used to ⊥. Otherwise we can recover each bit zi of z by setting convert iO for branching programs into iO for circuits in zi := P˜i(x). Security of the multi-bit obfuscator follows [GGH+13b], although in our scenario we can get away from the security of the single-bit one and the security of with an even simpler variant of this trick. To obfuscate the PRG. the program CC[f,y] where f is an arbitrary circuit or Turing Machine, we first encrypt f via the FHE scheme II. ORGANIZATION and make the ciphertext ct ← Encpk(f) public. We then Due to space limitations, this proceedings version of our obfuscate the program CC[Decsk,y] which is essentially a paper only presents our “basic obfuscator” for compute-and- “plaintext-equality tester” that checks if an input ciphertext compare programs CC[f,y] where f is a polynomial-length 1 decrypts to y. Since Decsk is in NC , we can rely on branching program and y has very high pseudo-entropy our basic obfuscation construction for branching programs exceeding some polynomial threshold α(λ, L) in the security to accomplish this. To evaluate the obfuscated program on parameter λ and the branching program length L. In the full an input x we first perform a homomorphic computation version of the paper [WZ17] we show how to reduce the re- ∗ ε over ct to derive a ciphertext ct = Encpk(f(x)) and then quirements on the pseudo-entropy of y to only exceed λ for run the obfuscated plaintext-equality tester on ct∗. To argue an arbitrary ε>0 or (under additional assumptions) to only security, notice that when y has sufficient pseudo-entropy require that y is computationally unpredictable. Furthermore, given f then the obfuscated program CC[Decsk,y] can be we allow f to be an arbitrary circuit or Turing Machine. simulated without knowledge of sk and therefore it hides Lastly, in the full version we present several applications of sk,y. We can then rely on the semantic security of the obfuscation for compute and compare programs as described encryption scheme to also argue that the ciphertext ct also in the introduction. hides f. If the function f is represented as a Turing Machine III. NOTATION AND PRELIMINARIES then our obfuscator is succinct since it only encrypts f but ≥ Z doesn’t need to run it at obfuscation time. Summarizing, For any integer q 2,welet q denote the ring of Z the above approach generically transforms a compute-and- integers modulo q. We represent elements of q as integers compare obfuscator for branching programs into one for in the range (−q/2,q/2] and define the absolute value |x| ∈ Z circuits and Turing Machines. of x q by taking its representative in this range. For c ∈ Zn ||c|| ≤ a vector q we write ∞ β if each entry ci in Thirdly, we can reduce the requirement on the distribution n×m c satisfies |ci|≤β. Similarly, for a matrix C ∈ Z of y even further and only insist that it is computationally q we write ||C||∞ ≤ β if each entry ci,j in C satisfies unpredictable given f (for example, f may include a one- |ci,j|≤β. We say that a distribution χ over Zq is β-bounded way permutation of y in its description so that y has no if Pr[|x|≤β : x ← χ]=1. By default, all vectors are pseudo-entropy given f but still remains computationally assumed to be row vectors. unpredictable). To do so, we use the same trick as previously by taking a PRG G and obfuscating the program Lemma 1 ([Ajt99], [GPV08], [MP12]). There exist PPT al- CC[G ◦ f,G(y)], but now we need an injective PRG that gorithms TrapGen, SamPre, Sam with the following syntax: converts any computationally unpredictable source y into • (B, td) ← TrapGen(1k, 1m,q) samples a matrix B ∈ a long pseudo-random output (but we no longer need the Zk×m with a trapdoor td. 1 q PRG to be in NC ). Such PRGs exist in the random • C ← Sam(1m,q) samples a “small” matrix C ∈ Zm×m oracle model or assuming the existence of extremely lossy q . × • C ← B B B B ∈ Zk m functions (ELFs) [Zha16], which in turn exists assuming SamPre( , ) gets , q along with exponential security of the DDH in elliptic curve groups. a trapdoor td for B and samples a “small” matrix C ∈ Zm×m such that BC B. Lastly, we construct an obfuscator for multi-bit compute- q = ≥ ≥ ∗ and-compare programs MBCC[f,y,z](x) which output Given integers k √1,q 2 there exists some m = ≥ ∗ a message z if f(x)=y and otherwise output ⊥. O(k log q), γ = O(k log q) such that for all m m We again rely on a PRG G and interpret G(y) as out- we have: B ← k m B ∈ Zk×m putting a series of blocks G0(y),G1(y) ...,G (y) where 1) For any ( , td) TrapGen(1 , 1 ,q), q , msg C ← B B BC B msg := |z| and each block is sufficiently large. To ob- SamPre( , , td) we have = and fuscate MBCC[f,y,z] we instead obfuscate a series of ||C||∞ ≤ γ (with probability 1). 0 CC 0 ◦ 2) We have the statistical indistinguishability requirement single-bit compute-and-compare programs P = [G s CC ◦ CC ◦ B ≈ B f,G0(y)],P1 = [G1 f,u1],...,Pmsg = [Gmsg B ← k m B ←$ Zk×m f,umsg ] where we set ui := Gi(y) if zi =1and where ( , td) TrapGen(1 , 1 ,q), q . 3) We have the statistical indistinguishability requirement ui := Gi(y) (denoting the bit-wise complement) if zi =0. s ˜ ˜ B C ≈ B C Let (P0,...,Pmsg ) be the obfuscated programs. On input ( , td, ) ( , td, )

605 where (B, td) ← TrapGen(1k, 1m,q), C ← where the probability is over the choice of P˜ ← Obf(1λ,P). m B ←$ Zk×m C ← B B Sam(1 ,q), q , SamPre( , , td). In the full version, we give two definitions of security All statistical distances are negligible in k and therefore also called distributional VBB and distributional indistinguisha- in the security parameter λ when k = λΩ(1). bility and show that they are equivalent. Here we only define the latter notion. LEARNING WITH ERRORS (LWE). The learning with errors Definition 2 (Distributional Indistinguishability). Let D be a (LWE) assumption was introduced by Regev in [Reg05]. We class of distribution ensembles D = {D } ∈N that sample define several variants. λ λ (P, aux) ← Dλ with P ∈P. An obfuscator Obf for the Definition 1 ([Reg05]). Let n, q be integers and χ a distribution class D over a family of program P, satis- probability distribution over Zq, all parameterized by the fies distributional indistinguishability if there exists a (non- security parameter λ. The (n, q, χ)-LWE assumption says uniform) PPT simulator Sim, such that for every distribution that for all polynomial m the following distributions are ensemble D = {Dλ}∈D, we have computationally indistinguishable c λ ≈ λ c (Obf(1 ,P), aux) (Sim(1 ,P.params), aux), (A, sA + e) ≈ (A, u) where (P, aux) ← Dλ. $ $ $ where A ← Zn×m, s ← Zn, e ← χm, u ← Zm. q q q A. Defining Compute-and-Compare Obfuscation The work of [ACPS09] showed that the (n, q, χ)-LWE Given a program f : {0, 1}in →{0, 1}out along with assumption above also implies security when the secret is a target value y ∈{0, 1} out , we define the compute-and- chosen from the error distribution χ: compare program: c A sA e ≈ A u ( , + ) ( , ) 1 if f(x)=y CC[f,y](x)= A ←$ Zn×m s ←$ n e ← m u ←$ Zm 0 otherwise where q , χ , χ , q . Via a simple hybrid argument, we also get security when S is a We assume that programs CC[f,y] have some canonical matrix rather than a vector: description that makes it it easy to recover the components c f,y from CC[f,y]. (A, SA + E) ≈ (A, U) (1) We define three distinct classes of compute-and-compare A ←$ Zn×m S ←$ n×n E ← n×m U ←$ Zn×m programs depending on whether f is represented as a where q , χ , χ , q . The above variant of (n, q, χ)-LWE is the one we will rely branching program, a circuit, or a Turing Machine. BP on in this work. BRANCHING PROGRAMS. We define the class PCC of + The works of [Reg05], [Pei09], [BLP 13] show that the compute-and-compare programs CC[f,y] where f is a LWE assumption is as hard as (quantum) solving GapSVP permutation branching program (see Section V-C for a and SIVP under various parameter regimes. In particular, formal definition). In this case we define CC[f,y].params = we will assume for any polynomial p = p(λ) there ex- (1L, 1in , 1out ) where L denotes the length of the branching ists some polynomial dimension n = n(λ), a modulus program f. O(1) q = q(λ)=2λ , and a distribution χ = χ(λ) which CIRC CIRCUITS. We define the class P to consist of · p CC is β = β(λ) bounded such that q>(λ β) and the programs CC[f,y] where f is represented as a circuit. (n, q, χ)-LWE assumption holds. Furthermore we can ensure | | We define CC f in out where | | H ≥ [f,y].params =(1 , 1 , 1 ) f that ∞(χ) ω(log λ). We refer to the above as the denotes the circuit size. LWE assumption when we don’t specify parameters. This PTM is known to be as hard as solving GapSVP and (quantum) TURING MACHINES. Lastly we define the class CC of CC SIVP with sub-exponential approximation factors, which is compute-and-compare programs [f,y] where the func- believed to be hard. tion f is given as a Turing Machine with some fixed run- time t. The main advantage of considering Turing Machines IV. OBFUSCATION DEFINITIONS instead of circuits is that the run-time of the obfuscator ˜ ← λ CC Consider a family of programs P and let Obf be a PPT P Obf(1 , [f,y]) and the size of the obfuscated ˜ algorithm, which takes as input a program P ∈P, a security program P can be sub-linear in the run-time t. When parameter λ ∈ N, and outputs a program P˜ ← Obf(1λ,P). we consider an obfuscator for Turing Machines, we also ˜ An obfuscator is required to be functionality preserving, require that the run-time of the obfuscated program P , which is itself a Turing Machine, is poly(λ, t). We define meaning there is some negligible function ν(λ) such that | | CC f in out | | for all programs P ∈P with input size n we have [f,y].params =(1 , 1 , 1 ,t) where f denotes the Turing Machine description size and t denotes the run- n Pr[∀x ∈{0, 1} : P (x)=P˜(x)] ≥ 1 − ν(λ), time.

606 We will consider distribution ensembles D over compute- B. Directed Encodings { } and-compare programs where each distribution D = Dλ A A ∈ Zn×m Definition 3 (Directed Encoding). Let i, j q .A in D is polynomial-time samplable. We define the following S ∈ Zn×n directed encoding of a secret q with respect to an classes of distributions: A → A C ∈ Zm×m edge i j and noise level β is a value q such UNPREDICTABLE. The class of unpredictable distribu- that AiC = SAj +E where ||S||∞, ||C||∞, ||E||∞ ≤ β.We β tions DUNP consists of ensembles D = {Dλ} over define the set of all such encodings E (S) as Ai→Aj (CC[f,y], aux) such that y is computationally unpredictable {C A C SA E ||S|| ||C|| ||E|| ≤ } given (f,aux). : i = j + and ∞, ∞, ∞ β . α-PSEUDO-ENTROPY. For a function α(λ), the class of α- It’s easy to see that the above definition implies that for any β1 β2 pseudo-entropy distributions D PE consists of ensembles C ∈E S C ∈E S C C ∈ α- 1 A1→A2 ( 1), 2 A2→A3 ( 2) we have 1 2 { } CC ← 2mβ1β2 D = Dλ such that ( [f,y], aux) Dλ satisfies EA →A (S1S2). H | ≥ 1 3 HILL(y (f,aux)) α(λ). For a two-argument func- In particular, we get the following claim: D tion α(λ, L), we define α-PE analogously but require Claim 1. If C ∈Eβ (S ) for i ∈ [L] then HHILL(y | (f,aux)) ≥ α(λ, L) where L is the length of i Ai→Ai+1 i −1 β(2mβ)L the branching program f. (C1C2 ···C ) ∈E (S1S2 ···S ). L A1→AL+1 L V. BASIC OBFUSCATION CONSTRUCTION DIRECTED ENCODING SCHEME. Nextweshowhowto In this section, we construct our “basic obfuscator” create directed encodings. We construct a directed en- CC for compute-and-compare programs [f,y] where f is coding scheme that lets us create an encoding C of a polynomial-length branching program and y has very a secret S with respect to w separate edges {A0 → high pseudo-entropy exceeding some polynomial threshold A A → A } 0 ,..., w−1 w−1 simultaneously. We define α(λ, L) in the security parameter λ and the branching the algorithms (DE.TrapGen, DE.Encode): program length L. • (B, tdB) ← DE.TrapGen(): Output (B, tdB) ← In particular, we will prove the following theorem. · TrapGen(1w n, 1m,q) where TrapGen(1k, 1m,q) is de- B ∈ Zw·n×m Theorem 1. Under the LWE assumption, there exists some fined in Lemma 1. We parse q as polynomial α = α(λ, L) in the security parameter λ ⎡ ⎤ A and branching program length L, for which there is an 0 B ⎣ ⎦ obfuscator for compute-and-compare branching programs = ... BP Aw−1 PCC which satisfies distributional indistinguishability for × the class of α-pseudo-entropy distributions Dα PE. A ∈ Zn m - with i q . A. Parameters • C ← DE.Encode(B → B , S, tdB): Parse ⎡ ⎤ ⎡ ⎤ Throughout this section we rely on the following param- A0 A0 eters: B = ⎣ ... ⎦ , B = ⎣ ... ⎦ . • A A q: an LWE modulus w−1 w−1 • n, m: matrix dimensions Set • χ: a distribution over Z ⎡ ⎤ q • β: the distribution χ is β-bounded S · A0 + E0 H I ⊗ S · B E ⎣ ⎦ • w: branching program width; for concreteness we can := ( w ) + = ... S · A E set w =5 w−1 + w−1 ⎡ ⎤ The above parameters are chosen in a way that depends on E0 the security parameter λ and the branching program length where E = ⎣ ... ⎦ ← χw·n×m. Output C ← L to ensure that the following conditions hold: Ew−1 L ω(1) 1) The modulus satisfies q>(4mβ) λ . SamPre(B, H, tdB) where the SamPre algorithm is 2) The distribution χ has super-logarithmic entropy, defined in Lemma 1. H ∞(χ) >ω(log λ). We prove two properties for the above directed encoding 3) In Lemma 1, if we set k = n√· w then the values ∗ scheme. One is a correctness property, saying that the value m = O(k log q) and γ = O(k log q) specified by C S ∗ sampled above is indeed an encoding of along each of the lemma satisfy m ≥ m and β ≥ γ. A → A the w edges j j. The second is a security property, 4) The (n, q, χ)-LWE assumption holds. saying that if we encode the same secret S many times with The general LWE assumption we discussed in the prelimi- B → B respect to different sets of edges k k then this can be naries allows us to choose the above parameters as a function B B simulated without knowing either k or k. of λ, L so that the above conditions are satisfied.

607 Claim 2 (Correctness). For every S with ||S||∞ ≤ β, for allow the program to read the input in an arbitrary order. B ← B ∈ Zw·n×m all ( , tdB) DE.TrapGen(), all q and all However, we can easily convert any arbitrary branching C ← DE.Encode(B → B , S, tdB) it holds that: program into one that reads its input in the above fixed β order by blowing up the length of the branching program ∀j ∈{0,...,w− 1} : C ∈EA →A (S) j j by a factor of at most . ⎡ ⎤ ⎡ ⎤ in NC1 A0 A0 By Barrington’s theorem [Bar89], any circuit can where B = ⎣ ... ⎦ , B = ⎣ ... ⎦ . be converted into a branching program with constant-width A A w =5and polynomial-length. In particular, any circuit with w−1 w−1 input-size in and depth d can be computed by a branching Claim 3 (Security). Let = (λ) be any polynomial on d program of length in · 4 , where the factor of in comes the security parameter. Under the (n, q, χ)-LWE assumption, from our insistence on having a fixed access pattern to the there exists an efficiently samplable distribution DE.Sam() input. such that the following two distributions are computationally We also consider a branching program P with - indistinguishable: out bit output to consist of separate boolean branching c out (k) B B C B ∈[ ] ≈ B B C B ∈[ ] (2) programs P = P for each output bit, where ( k, k, k, td k )k ( k, k, k, td k )k k∈[out] all the programs have a common length L, width w, and S ← n×n ∈ where χ and for all k []: access pattern in which the i’th level reads the input bit λ $ w·n×m (i mod ). To evaluate P (x) we separately evaluate each (Bk, tdB ) ← DE.TrapGen(1 ), B ← Z , in k k q (k) C ← B → B S C ← of the programs P (x) to get each output bit. k DE.Encode( k k, , tdBk ), k DE.Sam(). ENCODING BPS. We first show how to encode a permu- The proofs of these claims appear in the full version of (k) tation branching program P = P ∈[ ] with out-bit this paper [WZ17]. k out output. This is not an obfuscation scheme yet since it does C. Obfuscating Compute-and-Compare Branching Pro- not allow us to evaluate the encoded program and learn the grams output. Instead, when we encode the program, we specify A(k) A(k) ∈ We now use the directed encoding scheme to construct two matrices 0 , 1 for each output bit k [out]. When and obfuscator for compute-and-compare branching pro- we evaluate the encoded branching program on some input x D(k) ≈ S∗A(k) grams. First, we formally define our notion of branching we will get LWE tuples P (k)(x) with respect to ( ) programs. Then we define an encoding scheme for branching S∗ A k some common secret and matrices P (k)(x) that depend programs. Lastly, we show how to turn this encoding scheme on the output P (x). into an obfuscator. We define the algorithms (BP.Encode, BP.Eval) as fol- BRANCHING PROGRAMS (BPS). A boolean permutation lows. branching program P of input size in, length L and width (k) (k) BP.Encode P, (A , A ) ∈[ ] : Takes as input w, is described by a sequence of 2L permutations 0 1 k out A(k) A(k) ∈ Zn×m 0 , 1 q and a branching program P = πi,b : {0,...,w− 1}→{0,...,w− 1} (k) P with in-bit input, out-bit output and length k∈[out] for i ∈ [L],b∈{0, 1}. (k) (k) L. Parse P =(πi,b )i∈[L],b∈{0,1}. Given a program P =(πi,b)i∈[L],b∈{0,1} we can evaluate (k) in ∈ ∈ B ← P (x) on an arbitrary input x ∈{0, 1} . We do by defining –Fork [out] and i [L] sample ( i , tdB(k) ) ⎡ ⎤ i the start state v1 =0. Then in a sequence of steps i = A(k) i,0 +1 (k) ⎢ ⎥ 1,...,Lwe define vi = πi,x(i mod ) (vi). In other words, B ⎣ ⎦ in DE.TrapGen() with i = ... . in each step i we read the bit in position (i mod in) of x A(k) i,w−1 and this determines which of the two permutations πi,0,πi,1 ( ) –For k ∈ [ ] sample the matrix B k = to apply to the current state vi. We define the final state ⎡ ⎤ out L+1 A(k) vL+1 to be the output of the program. A valid branching L+1,0 ⎢ ⎥ (k) (k) (k) +1 ∈{ } ⎣ ⎦ A A A program ensures that vL 0, 1 for all inputs x. ... by setting L+1,0 := 0 , L+1,1 := Note that we assume a fixed ordering in which the input A(k) L+1,w−1 bits are accessed, where the i’th step reads the input bit (k) (k) $ n×m A1 and sampling A ← Z for j ∈ (i mod ).3 This departs from standard definitions that L+1,j q in {2,...,w− 1}. ∈ ∈{ } S ← n×n 3Any other fixed access pattern where the i’th step read the ti’th input bit –Fori [L], b 0, 1 , sample i,b χ . t ∈ [ ] (k) would work equally well as long as the locations i in are fixed/public –Fori ∈ [L], b ∈{0, 1}, k ∈ [out] sample: C ← t = i,b and the same for all branching programs. We restrict ourselves to i B(k) → (k) B(k) S (i mod in) for simplicity. DE.Encode( i πi,b ( i+1), i,b, tdB(k) ), where i

608 ⎡ ⎤ A(k) Our construction of an obfuscator Obf(1λ, CC[f,y]) for ⎢ i,π(0) ⎥ B(k) ⎣ ⎦ compute-and-compare branching programs is defined as (abusing notation) we define π( i )= ... . A(k) follows. Let f be a BP with input size in, output size out, i,π(w−1) length L and width w. – Finally, output the sequence P = • ∈ ∈{ } (k) (k) For all k [out],b 0, 1 , except for (k, b)= A C (k) (k) × 1,0, i,b . A A ← Zn m i∈[L],b∈{0,1} ∈[ ] (out,yout ), sample 0 , 1 q . k out ( ) −1 ( ) • A out − out A k Set y := =1 yk . ∈{ }in out k BP.Eval(P,x). To evaluate P on input x 0, 1 , the (k) (k) • Set f ← BP.Encode f,(A , A ) ∈[ ] . evaluation algorithm for all k ∈ [] computes 0 1 k out • ˜ ∈{ }in L Create a program P [f] that takes as input x 0, 1 D(k) A(k) · C(k) and does the following: := 1,0 i,x( mod ) i in ( ) =1 D k i – Compute ∈[ ] = BP.Eval(f,x). Let k out D(k) D∗ = out D(k). and outputs the sequence k∈[ ]. k=1 out ∗ L−1 We now analyze a correctness and a security property that – If ||D ||∞ ≤ out ·β ·(2mβ) then output 1 and the above scheme satisfies. The correctness property says otherwise output 0. that when we evaluate the encoded program P on x we Output P˜[f]. (k) ∗ (k) get LWE samples D ≈ S A ( ) with respect to some P k (x) We now show that our obfuscator satisfies correctness and common secret S∗. The security property says that the above security. encoding completely hides the branching program P (and in (k) particular the choice of permutation πi,b ) being encoded. Claim 6 (Correctness). There exists a negligible function ν(λ)=negl(λ) such that for all branching programs f with Claim 4 (Correctness). For every branching program P = out (k) input size in and output size out and for all y ∈{0, 1} P with in-bit input and out-bit output, for all k∈[out] ( ) ( ) we have A k A k ∈{ }in choices of ( 0 , 1 )k∈[out], and for all x 0, 1 the following holds. For ∀ ∈{ }in ˜ CC ≥ − Pr x 0, 1 : P (x)= [f,y](x) 1 ν(λ), ← A(k) A(k) P BP.Encode P, ( 0 , 1 )k∈[out] where the probability is over P˜ ← Obf(1λ, CC[f,y]). ( ) D k = BP.Eval(P,x) k∈[out] Claim 7 (Security). Let α(λ, L)=n·m·log(q)+ω(log λ)= S∗ ∈ Zn×n E(k) ∈ Zn×m D(k) poly(λ, L). Then there exists a PPT simulator Sim, such that there exist q , q such that = ( ) for every distribution ensemble D = {D }∈D −PE over S∗ · A k E(k) ||E(k)|| ≤ L−1 λ α (k)( ) + and ∞ β(2mβ) . BP P x PCC the following two distributions are indistinguishable

Claim 5 (Security). Under the (n, q, χ)-LWE assumption, c λ λ L in out there exists a PPT simulator Sim, such that for all ensembles (Obf(1 , CC[f,y]), aux) ≈ (Sim(1 , (1 , 1 , 1 )), aux) of permutation branching programs P of length L input CC ← size in and output-size out (all parameterized by λ), the where ( [f,y], aux) Dλ. following two distributions are indistinguishable The proofs of the above claims appear in the full version ( ) ( ) A k A k of this paper [WZ17]. The combination of Claim 6 and BP.Encode P, ( 0 , 1 )k∈[out] c Claim 7 proves Theorem 1. ≈ Sim(1λ, (1L, 1in , 1out )) A(k) A(k) ←$ Zn×m where 0 , 1 q . REFERENCES The proofs of the above claims appear in the full version [ACPS09] Benny Applebaum, David Cash, Chris Peikert, and of this paper [WZ17]. Amit Sahai. Fast cryptographic primitives and OBFUSCATING BPS. Finally, we are ready to construct circular-secure encryption based on hard learning an obfuscator for compute-and-compare programs CC[f,y] problems. In Shai Halevi, editor, Advances in Cryp- tology – CRYPTO 2009, volume 5677 of Lecture { }in →{ }out where f : 0, 1 0, 1 is a permutation branching Notes in Computer Science, pages 595–618, Santa program of length L. To do so, we simply use the BP Barbara, CA, USA, August 16–20, 2009. Springer, encoding scheme to encode f but we choose the matrices Heidelberg, Germany. ( ) ( ) ( ) A k A k out A k 0 0 , 1 to satisfy k=1 yk = . Then, to evaluate the obfuscated program on x, we evaluate the encoded program [Ajt99] Miklos´ Ajtai. Generating hard instances of the short D(k) out D(k) ≈ 0 basis problem. In ICALP, pages 1–9, 1999. to get matrices and check that k=1 .

609 [AP16] Navid Alamati and Chris Peikert. Three’s com- [BVWW16] Zvika Brakerski, Vinod Vaikuntanathan, Hoeteck promised too: Circular insecurity for any cycle Wee, and Daniel Wichs. Obfuscating conjunctions length from (ring-)LWE. In Matthew Robshaw and under entropic ring LWE. In Madhu Sudan, editor, Jonathan Katz, editors, Advances in Cryptology – ITCS 2016: 7th Innovations in Theoretical Computer CRYPTO 2016, Part II, volume 9815 of Lecture Notes Science, pages 147–156, Cambridge, MA, USA, Jan- in Computer Science, pages 659–680, Santa Barbara, uary 14–16, 2016. Association for Computing Ma- CA, USA, August 14–18, 2016. Springer, Heidelberg, chinery. Germany. [Can97] Ran Canetti. Towards realizing random oracles: [Bar89] David A. Mix Barrington. Bounded-width Hash functions that hide all partial information. In polynomial-size branching programs recognize Burton S. Kaliski Jr., editor, Advances in Cryptology 1 exactly those languages in nc . J. Comput. Syst. – CRYPTO’97, volume 1294 of Lecture Notes in Sci., 38(1):150–164, 1989. Computer Science, pages 455–469, Santa Barbara, + CA, USA, August 17–21, 1997. Springer, Heidelberg, [BBC 14] Boaz Barak, Nir Bitansky, Ran Canetti, Yael Tauman Germany. Kalai, Omer Paneth, and Amit Sahai. Obfuscation for evasive functions. In Yehuda Lindell, editor, [CC17] Ran Canetti and Yilei Chen. Constraint-hiding con- TCC 2014: 11th Theory of Cryptography Conference, strained PRFs for NC1 from LWE. In Jean-Sebastien´ volume 8349 of Lecture Notes in Computer Science, Coron and Jesper Buus Nielsen, editors, Advances pages 26–51, San Diego, CA, USA, February 24–26, in Cryptology – EUROCRYPT 2017, Part I, volume 2014. Springer, Heidelberg, Germany. 10210 of Lecture Notes in Computer Science, pages + 446–476, Paris, France, May 8–12, 2017. Springer, [BGG 14] Dan Boneh, Craig Gentry, Sergey Gorbunov, Shai Heidelberg, Germany. Halevi, Valeria Nikolaenko, Gil Segev, Vinod Vaikun- tanathan, and Dhinakaran Vinayagamurthy. Fully [CD08] Ran Canetti and Ronny Ramzi Dakdouk. Obfus- key-homomorphic encryption, arithmetic circuit ABE cating point functions with multibit output. In and compact garbled circuits. In Phong Q. Nguyen Nigel P. Smart, editor, Advances in Cryptology – and Elisabeth Oswald, editors, Advances in Cryp- EUROCRYPT 2008, volume 4965 of Lecture Notes in tology – EUROCRYPT 2014, volume 8441 of Lec- Computer Science, pages 489–508, Istanbul, Turkey, ture Notes in Computer Science, pages 533–556, April 13–17, 2008. Springer, Heidelberg, Germany. Copenhagen, Denmark, May 11–15, 2014. Springer, Heidelberg, Germany. [CLLT16] Jean-Sebastien´ Coron, Moon Sung Lee, Tancrede` Lepoint, and Mehdi Tibouchi. Cryptanalysis of + [BGI 01] Boaz Barak, Oded Goldreich, Russell Impagliazzo, GGH15 multilinear maps. In Matthew Robshaw and Steven Rudich, Amit Sahai, Salil P. Vadhan, and Jonathan Katz, editors, Advances in Cryptology – Ke Yang. On the (im)possibility of obfuscating pro- CRYPTO 2016, Part II, volume 9815 of Lecture Notes grams. In Joe Kilian, editor, Advances in Cryptology in Computer Science, pages 607–628, Santa Barbara, – CRYPTO 2001, volume 2139 of Lecture Notes CA, USA, August 14–18, 2016. Springer, Heidelberg, in Computer Science, pages 1–18, Santa Barbara, Germany. CA, USA, August 19–23, 2001. Springer, Heidelberg, Germany. [CRV10] Ran Canetti, Guy N. Rothblum, and Mayank Varia.

+ Obfuscation of hyperplane membership. In Daniele [BLP 13] Zvika Brakerski, Adeline Langlois, Chris Peikert, Micciancio, editor, TCC 2010: 7th Theory of Cryp- Oded Regev, and Damien Stehle.´ Classical hard- tography Conference, volume 5978 of Lecture Notes ness of learning with errors. In Dan Boneh, Tim in Computer Science, pages 72–89, Zurich, Switzer- Roughgarden, and Joan Feigenbaum, editors, 45th land, February 9–11, 2010. Springer, Heidelberg, Annual ACM Symposium on Theory of Computing, Germany. pages 575–584, Palo Alto, CA, USA, June 1–4, 2013. ACM Press. [DORS08] Yevgeniy Dodis, Rafail Ostrovsky, Leonid Reyzin, and Adam D. Smith. Fuzzy extractors: How to [BR13] Zvika Brakerski and Guy N. Rothblum. Obfuscating generate strong keys from biometrics and other noisy conjunctions. In Ran Canetti and Juan A. Garay, data. SIAM J. Comput., 38(1):97–139, 2008. editors, Advances in Cryptology – CRYPTO 2013, Part II, volume 8043 of Lecture Notes in Computer [DS05] Yevgeniy Dodis and Adam Smith. Correcting errors Science, pages 416–434, Santa Barbara, CA, USA, without leaking partial information. In Harold N. August 18–22, 2013. Springer, Heidelberg, Germany. Gabow and Ronald Fagin, editors, 37th Annual ACM Symposium on Theory of Computing, pages 654–663, [BRS03] John Black, Phillip Rogaway, and Thomas Shrimp- Baltimore, MA, USA, May 22–24, 2005. ACM Press. ton. Encryption-scheme security in the presence of key-dependent messages. In Kaisa Nyberg and [GGH13a] Sanjam Garg, Craig Gentry, and Shai Halevi. Candi- Howard M. Heys, editors, SAC 2002: 9th Annual date multilinear maps from ideal lattices. In Thomas International Workshop on Selected Areas in Cryp- Johansson and Phong Q. Nguyen, editors, Advances tography, volume 2595 of Lecture Notes in Computer in Cryptology – EUROCRYPT 2013, volume 7881 Science, pages 62–75, St. John’s, Newfoundland, of Lecture Notes in Computer Science, pages 1– Canada, August 15–16, 2003. Springer, Heidelberg, 17, Athens, Greece, May 26–30, 2013. Springer, Germany. Heidelberg, Germany.

610 [GGH+13b] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana [KRW15] Venkata Koppula, Kim Ramchen, and Brent Waters. Raykova, Amit Sahai, and Brent Waters. Candi- Separations in circular security for arbitrary length date indistinguishability obfuscation and functional key cycles. In Yevgeniy Dodis and Jesper Buus encryption for all circuits. In 54th Annual Symposium Nielsen, editors, TCC 2015: 12th Theory of Cryptog- on Foundations of Computer Science, pages 40–49, raphy Conference, Part II, volume 9015 of Lecture Berkeley, CA, USA, October 26–29, 2013. IEEE Notes in Computer Science, pages 378–400, Warsaw, Computer Society Press. Poland, March 23–25, 2015. Springer, Heidelberg, Germany. [GGH15] Craig Gentry, Sergey Gorbunov, and Shai Halevi. Graph-induced multilinear maps from lattices. In [KW16] Venkata Koppula and Brent Waters. Circular se- Yevgeniy Dodis and Jesper Buus Nielsen, editors, curity separations for arbitrary length cycles from TCC 2015: 12th Theory of Cryptography Conference, LWE. In Matthew Robshaw and Jonathan Katz, Part II, volume 9015 of Lecture Notes in Computer editors, Advances in Cryptology – CRYPTO 2016, Science, pages 498–527, Warsaw, Poland, March 23– Part II, volume 9815 of Lecture Notes in Computer 25, 2015. Springer, Heidelberg, Germany. Science, pages 681–700, Santa Barbara, CA, USA, August 14–18, 2016. Springer, Heidelberg, Germany. [GGSW13] Sanjam Garg, Craig Gentry, Amit Sahai, and Brent Waters. Witness encryption and its applications. In [MP12] Daniele Micciancio and Chris Peikert. Trapdoors for Dan Boneh, Tim Roughgarden, and Joan Feigen- lattices: Simpler, tighter, faster, smaller. In EURO- baum, editors, 45th Annual ACM Symposium on CRYPT, pages 700–718, 2012. Theory of Computing, pages 467–476, Palo Alto, CA, USA, June 1–4, 2013. ACM Press. [Pei09] Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended ab- [GKW17a] Rishab Goyal, Venkata Koppula, and Brent Waters. stract. In Michael Mitzenmacher, editor, 41st Annual Separating IND-CPA and circular security for un- ACM Symposium on Theory of Computing, pages bounded length key cycles. In Serge Fehr, editor, 333–342, Bethesda, MD, USA, May 31 – June 2, PKC 2017: 20th International Conference on Theory 2009. ACM Press. and Practice of Public Key Cryptography, Part I, volume 10174 of Lecture Notes in Computer Sci- [Reg05] Oded Regev. On lattices, learning with errors, ran- ence, pages 232–246, Amsterdam, The Netherlands, dom linear codes, and cryptography. In Harold N. March 28–31, 2017. Springer, Heidelberg, Germany. Gabow and Ronald Fagin, editors, 37th Annual ACM Symposium on Theory of Computing, pages 84–93, [GKW17b] Rishab Goyal, Venkata Koppula, and Brent Wa- Baltimore, MA, USA, May 22–24, 2005. ACM Press. ters. Separating semantic and circular security for symmetric-key bit encryption from the learning with [Rot13] Ron Rothblum. On the circular security of bit- errors assumption. In Jean-Sebastien´ Coron and encryption. In Amit Sahai, editor, TCC 2013: 10th Jesper Buus Nielsen, editors, Advances in Cryptology Theory of Cryptography Conference, volume 7785 of – EUROCRYPT 2017, Part II, volume 10211 of Lecture Notes in Computer Science, pages 579–598, Lecture Notes in Computer Science, pages 528–557, Tokyo, Japan, March 3–6, 2013. Springer, Heidel- Paris, France, May 8–12, 2017. Springer, Heidelberg, berg, Germany. Germany. [Wee05] Hoeteck Wee. On obfuscating point functions. In [GKW17c] Rishab Goyal, Venkata Koppula, and Brent Waters. Harold N. Gabow and Ronald Fagin, editors, 37th lockable obfuscation. Cryptology ePrint Archive, Re- Annual ACM Symposium on Theory of Computing, port 2017/274, 2017. http://eprint.iacr.org/2017/274. pages 523–532, Baltimore, MA, USA, May 22–24, 2005. ACM Press. [GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikun- tanathan. Trapdoors for hard lattices and new cryp- [WZ17] Daniel Wichs and Giorgos Zirdelis. Obfuscating tographic constructions. In STOC, pages 197–206, compute-and-compare programs under lwe. Cryptol- 2008. ogy ePrint Archive, Report 2017/276, 2017. http: //eprint.iacr.org/2017/276. [GVW15] Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Predicate encryption for circuits [Zha16] Mark Zhandry. The magic of ELFs. In Matthew from LWE. In Rosario Gennaro and Matthew Robshaw and Jonathan Katz, editors, Advances in J. B. Robshaw, editors, Advances in Cryptology – Cryptology – CRYPTO 2016, Part I, volume 9814 CRYPTO 2015, Part II, volume 9216 of Lecture of Lecture Notes in Computer Science, pages 479– Notes in Computer Science, pages 503–523, Santa 508, Santa Barbara, CA, USA, August 14–18, 2016. Barbara, CA, USA, August 16–20, 2015. Springer, Springer, Heidelberg, Germany. Heidelberg, Germany.

[Had00] Satoshi Hada. Zero-knowledge and code obfuscation. In Tatsuaki Okamoto, editor, Advances in Cryptology – ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 443–457, Kyoto, Japan, December 3–7, 2000. Springer, Heidelberg, Germany.

611