Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Introduction to Indistinguishability/Ideal Obfu...

SoraSuegami
October 13, 2024
Technology
0
300

Introduction to Indistinguishability/Ideal Obfuscation (iO)

An introduction to indistinguishability/ideal Obfuscation (iO) at Progcrypto camp.

SoraSuegami

October 13, 2024
Tweet

More Decks by SoraSuegami

See All by SoraSuegami
Ethcon Korea 2023 "ZK Email: On-chain verification of emails using ZKP"
sorasuegami
1
1.6k
ICBC2023 "Contract Wallet Using Emails"
sorasuegami
1
520
Theory and Applications of Zero-Knowledge Proof - Part 2: Formal protocol of Plonk and its applications.
sorasuegami
1
230
Theory and Applications of Zero-Knowledge Proof - Part 1: Introduction
sorasuegami
1
540

Other Decks in Technology

See All in Technology
SSMRunbook作成の勘所_20241120
koichiotomo
3
160
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
140
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
690
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
0
200
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
1.3k
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.7k
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
CDCL による厳密解法を採用した MILP ソルバー
imai448
3
140
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870

Featured

See All Featured
Automating Front-end Workflow
addyosmani
1366
200k
Writing Fast Ruby
sferik
627
61k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Adopting Sorbet at Scale
ufuk
73
9.1k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Practical Orchestrator
shlominoach
186
10k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
130
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Done Done
chrislema
181
16k

Transcript

  1. Introduction to Indistinguishability/Ideal Obfuscation (iO) Sora Suegami

  2. Issues of Multi Party Computation (MPC) While MPC, including fully

    homomorphic encryption (FHE), is a practical method for private computation, it relies on the following two assumptions: • Online Assumption: 
 Some parties holding some secrets or private inputs must remain online until MPC terminates. 
 • Threshold Assumption: 
 When one group of parties, called committee, holds secrets used during MPC for all users, more than a threshold number of the committee parties must be honest and online.

  3. Online & Threshold Assumptions is not ideal The threshold indicates

    a trade of between safety and liveness, 
 but online assumption requires both. t 4BGFUZ /PQSJWBUFEBUBJTNBMJDJPVTMZSFWFBMFEEVSJOH.1$ -JWFOFTT .1$ FWFOUVBMMZTVDDFFET t = n t = 1 5SBEFP ff CFUXFFO TBGFUZBOEMJWFOFTT

  4. Obfuscation fixes this. User’s Machine Any user can evaluate a

    private (unknown) program hardcoding some secrets on arbitrary input non-interactively, without learning more information than ! s x P(x, s)

  5. Obfuscation fixes this. User’s Machine 0CGVTDBUFE QSPHSBNGPS  XJUITFDSFUT P

    s Any user can evaluate a private (unknown) program hardcoding some secrets on arbitrary input non-interactively, without learning more information than ! s x P(x, s)

  6. Obfuscation fixes this. User’s Machine 0CGVTDBUFE QSPHSBNGPS  XJUITFDSFUT P

    s Input x Any user can evaluate a private (unknown) program hardcoding some secrets on arbitrary input non-interactively, without learning more information than ! s x P(x, s)

  7. Obfuscation fixes this. User’s Machine 0CGVTDBUFE QSPHSBNGPS  XJUITFDSFUT P

    s Input x Output 
 P(x, s) Any user can evaluate a private (unknown) program hardcoding some secrets on arbitrary input non-interactively, without learning more information than ! s x P(x, s)

  8. What is Obfuscation based on Cryptographic Assumptions? $JSDVJU C

  9. $JSDVJU C 0CGVTDBUFE $JSDVJU 0CG(C) 0CGVTDBUJPO $PNQJMFS What is Obfuscation

    based on Cryptographic Assumptions?

  10. What is Obfuscation based on Cryptographic Assumptions? $JSDVJU C 0CGVTDBUFE

    $JSDVJU 0CG(C) 0CGVTDBUJPO $PNQJMFS *OQVUx 0VUQVU C(x) *OQVUx 0VUQVU 0CG(C)(x) = =

  11. 0CGVTDBUFE $JSDVJU 0CG(C) "OBMZ[JOHʜ )BSEDPEFE QSJWBUFEBUB  4FDSFU BMHPSJUIN *OGPSNBM

    TVQQPTFBOBEWFSTBSZDBOFYUSBDUOPOUSJWJBMJOGPSNBUJPO JOUIFDJSDVJUGSPNUIFPCGVTDBUFEDJSDVJU  
 XFDBODPOTUSVDUBOBEWFSTBSZUIBUCSFBLTIBSEQSPCMFNTJO DSZQUPHSBQIZ What is Obfuscation based on Cryptographic Assumptions?

  12. 0CGVTDBUFE $JSDVJU 0CG(C) "OBMZ[JOHʜ )BSEDPEFE QSJWBUFEBUB  4FDSFU BMHPSJUIN *OGPSNBM

    TVQQPTFBOBEWFSTBSZDBOFYUSBDUOPOUSJWJBMJOGPSNBUJPO JOUIFDJSDVJUGSPNUIFPCGVTDBUFEDJSDVJU 
 XFDBODPOTUSVDUBOBEWFSTBSZUIBUCSFBLTIBSEQSPCMFNTJO DSZQUPHSBQIZ What is Obfuscation based on Cryptographic Assumptions?

  13. Indistinguishability Obfuscation (iO) 0CGVTDBUJPOTPGUXPDJSDVJUTXJUIUIFTBNFGVODUJPOBMJUZ  JF JOQVUPVUQVUSFMBUJPO BSFJOEJTUJOHVJTIBCMF $JSDVJU C0

    $JSDVJU C1 ≠ C0 (x) = C1 (x) 0CGVTDBUFE $JSDVJU 0CG(C0 ) 0CGVTDBUFE $JSDVJU 0CG(C1 ) ⇒ ≈

  14. &WFOJG DPOUBJOTTPNFIBSEDPEFEQSJWBUFEBUB  JGXFDBONBLFBDJSDVJU XJUIPVUUIFQSJWBUFEBUB UIBUIBTUIFTBNFPVUQVUBTUIBUPG GPSBMMJOQVU UIBUBOBEWFSTBSZDBOQSPWJEF  UIFPCGVTDBUJPOPG

    EPFTOPUSFWFBMJOGPSNBUJPOBCPVU UIFIBSEDPEFEQSJWBUFEBUBCFDBVTFJUJT JOEJTUJOHVJTIBCMFGSPNUIFPCGVTDBUJPOPG  C0 C1 C0 C0 C1 Indistinguishability Obfuscation (iO)

  15. &WFOJG DPOUBJOTTPNFIBSEDPEFEQSJWBUFEBUB  JGXFDBONBLFBDJSDVJU XJUIPVUUIFQSJWBUFEBUBUIBU IBTUIFTBNFPVUQVUBTUIBUPG GPSBMMJOQVUUIBUBO BEWFSTBSZDBOQSPWJEF  UIFPCGVTDBUJPOPG

    EPFTOPUSFWFBMJOGPSNBUJPO BCPVUUIFIBSEDPEFEQSJWBUFEBUBCFDBVTFJUJT JOEJTUJOHVJTIBCMFGSPNUIFPCGVTDBUJPOPG  C0 C1 C0 C0 C1 Indistinguishability Obfuscation (iO)

  16. Ideal Obfuscation under Pseudorandom Oracle Model [JLL+23] 6OGPSUVOBUFMZ BOZTDIFNFTJODMVEJOHJ0DBOOPUFOTVSFUIBUBOBEWFSTBSZ DBOOPUMFBSONPSFJOGPSNBUJPOUIBOUIFDJSDVJUPVUQVUJOQMBJONPEFM

    <#(* >5IFTFDVSJUZPGJ0JTUIFCFTUQPTTJCMFPCGVTDBUJPO<(3> )PXFWFS CZNPEFMJOHBIBTIGVODUJPOBTBQTFVEPSBOEPNPSBDMF 1S0  TJNJMBSUPSBOEPNPSBDMFCVUEJ ff FSFOUGSPNJU XFDBODPOTUSVDUBOJEFBM PCGVTDBUJPOUIBUSFWFBMTOPJOGPSNBUJPOFYDFQUGPSUIFPVUQVU<+-- >

  17. 6OGPSUVOBUFMZ BOZTDIFNFTJODMVEJOHJ0DBOOPUFOTVSFUIBUBOBEWFSTBSZ DBOOPUMFBSONPSFJOGPSNBUJPOUIBOUIFDJSDVJUPVUQVUJOQMBJONPEFM <#(* >5IFTFDVSJUZPGJ0JTUIFCFTUQPTTJCMFPCGVTDBUJPO<(3> )PXFWFS CZNPEFMJOHBIBTIGVODUJPOBTBQTFVEPSBOEPNPSBDMF 1S0  TJNJMBSUPSBOEPNPSBDMFCVUEJ

    ff FSFOUGSPNJU XFDBODPOTUSVDUBOJEFBM PCGVTDBUJPOUIBUSFWFBMTOPJOGPSNBUJPOFYDFQUGPSUIFPVUQVU<+-- > Ideal Obfuscation under Pseudorandom Oracle Model [JLL+23]

  18. Bootstrapping iO using verifiable FHE [GGH+13] We actually need iO

    only for ZKP verification + FHE decryption, which is represented by a shallow (NC1) circuit! • FHE.Enc(C( ⋅ , s)) • iOsk Obfuscation

  19. Bootstrapping iO using verifiable FHE [GGH+13] We actually need iO

    only for ZKP verification + FHE decryption, which is represented by a shallow (NC1) circuit! • FHE.Enc(C( ⋅ , s)) • iOsk Obfuscation iOsk(π, FHE.Enc(y)) 1. Verify the proof to assert that the given is a correct output of for some . 
 2. Output π FHE.Enc(y) FHE.Eval(C(x, s)) x FHE.Dec(sk, FHE.Enc(y))

  20. Bootstrapping iO using verifiable FHE [GGH+13] We actually need iO

    only for ZKP verification + FHE decryption, which is represented by a shallow (NC1) circuit! • Obfuscate( ) executed by an obfuscator: 1. Sample FHE secret and public keys . 2. Encrypt under . 3. Generate , which hardcodes . 4. Output 
 C, s (sk, pk) C( ⋅ , s) pk iOsk sk iO = (FHE.Enc(C( ⋅ , s)), iOsk)

  21. Bootstrapping iO using verifiable FHE [GGH+13] We actually need iO

    only for ZKP verification + FHE decryption, which is represented by a shallow (NC1) circuit! • Obfuscate( ) executed by an obfuscator: 1. Sample FHE secret and public keys . 2. Encrypt under . 3. Generate , which hardcodes . 4. Output 
 C, s (sk, pk) C( ⋅ , s) pk iOsk sk iO = (FHE.Enc(C( ⋅ , s)), iOsk) • Eval( ) executed by an evaluator: 
 1. Compute 2. Generate a ZKP proof for 3. Evaluate , outputting . 
 iO, x FHE.Enc(y) := FHE.Eval(C(x, s)) π FHE.Enc(y) iOsk(π, FHE.Enc(y)) y = C(x, s)

  22. How to construct iO 8FMMTUVEJFE$SZQUPHSBQIJD"TTVNQUJPOT 
 -FBSOJOH1BSJUZXJUI/PJTFBTTVNQUJPO 
  1TFVEP3BOEPN(FOFSBUPSJO/$

    DPOTUBOUEFQUIDJSDVJU   %FDJTJPO-JOFBSBTTVNQUJPOPOCJMJOFBSHSPVQT 1VCMJD,FZ'VODUJPOBM&ODSZQUJPOXIPTFFODSZQUJPOUJNFJTTVCMVOBS JOUIFTJ[FPGUIFDJSDVJUPVUQVUTJ[F [JLS22]

  23. How to construct iO 8FMMTUVEJFE$SZQUPHSBQIJD"TTVNQUJPOT 
 -FBSOJOH1BSJUZXJUI/PJTFBTTVNQUJPO 
  1TFVEP3BOEPN(FOFSBUPSJO/$

    DPOTUBOUEFQUIDJSDVJU   %FDJTJPO-JOFBSBTTVNQUJPOPOCJMJOFBSHSPVQT [JLS22] [BV18] + PrO model [JLL+23] *OEJTUJOHVJTIBCJMJUZ0CGVTDBUJPO *EFBM0CGVTDBUJPO 1VCMJD,FZ'VODUJPOBM&ODSZQUJPOXIPTFFODSZQUJPOUJNFJTTVCMVOBS JOUIFTJ[FPGUIFDJSDVJUPVUQVUTJ[F

  24. How to construct iO 8FMMTUVEJFE$SZQUPHSBQIJD"TTVNQUJPOT 
 -FBSOJOH1BSJUZXJUI/PJTFBTTVNQUJPO 
  1TFVEP3BOEPN(FOFSBUPSJO/$

    DPOTUBOUEFQUIDJSDVJU   %FDJTJPO-JOFBSBTTVNQUJPOPOCJMJOFBSHSPVQT [JLS22] [BV18] + PrO model [JLL+23] *OEJTUJOHVJTIBCJMJUZ0CGVTDBUJPO *EFBM0CGVTDBUJPO 1VCMJD,FZ'VODUJPOBM&ODSZQUJPOXIPTFFODSZQUJPOUJNFJTTVCMVOBS JOUIFTJ[FPGUIFDJSDVJUPVUQVUTJ[F

  25. Public-Key Functional Encryption 4FUVQ .BTUFS 
 TFDSFULFZ msk &OD ek

    .FTTBHF m $JQIFSUFYU ct ,FZ(FO msk $JSDVJU C 'VODUJPOBM 
 TFDSFULFZ fskC %FD ct fskC 0VUQVU C(m) 1SJWBUF0QFSBUJPO &ODSZQUJPO 
 LFZ ek 1VCMJD0QFSBUJPO

  26. Public-Key Functional Encryption 1,'&WT')& 1,'& ')& 0VUQVU 1MBJOUFYU $JQIFSUFYU $JSDVJUUIBUDBO

    CFFWBMVBUFE -JNJUFECZB USVTUFEQBSUZ 'SFF $JSDVJUJT 1SJWBUF1VCMJD 1VCMJD $BOCF1SJWBUF

  27. iO from Public-Key Functional Encryption 1,'&JTBMNPTUJ0TJODFJUBMMPXTOPOJOUFSBDUJWFFWBMVBUJPOPGUIF TQFDJ fi DDJSDVJUPOQSJWBUFJOQVUT

  28. iO from Public-Key Functional Encryption 1,'&JTBMNPTUJ0TJODFJUBMMPXTOPOJOUFSBDUJWFFWBMVBUJPOPGUIF TQFDJ fi DDJSDVJUPOQSJWBUFJOQVUT )PXFWFS

    1,'&JTOPUJ0CFDBVTFBGVODUJPOBMTFDSFULFZEPFTOPU IJEFJOGPSNBUJPOJOTJEFUIFDJSDVJU

  29. iO from Public-Key Functional Encryption 1,'&JTBMNPTUJ0TJODFJUBMMPXTOPOJOUFSBDUJWFFWBMVBUJPOPGUIF TQFDJ fi DDJSDVJUPOQSJWBUFJOQVUT )PXFWFS

    1,'&JTOPUJ0CFDBVTFBGVODUJPOBMTFDSFULFZEPFTOPU IJEFJOGPSNBUJPOJOTJEFUIFDJSDVJU %VSJOHUIFFWBMVBUJPOPGC(x, s) 1,'& BSFQVCMJD  JTQSJWBUF C, s x J0 BSFQSJWBUF  JTQVCMJD C, s x

  30. Constructing iO by Recursive use of PKFE [BV18] ,FZ*EFBBEEJOHFBDICJUPGUIFFWBMVBUPS`TJOQVU UPUIF

    1,'&FODSZQUJPOPG QSPWJEFECZUIFPCGVTDBUPS x (C, s)

  31. Constructing iO by Recursive use of PKFE [BV18] ,FZ*EFBBEEJOHFBDICJUPGUIFFWBMVBUPS`TJOQVU UPUIF

    1,'&FODSZQUJPOPG QSPWJEFECZUIFPCGVTDBUPS x (C, s) 5IFFWBMVBUPSDBO fi OBMMZPCUBJOFODSZQUJPOPG  BMMPXJOH1,'&EFDSZQUJPOUPPVUQVU  (C, s, x) C(x, s)

  32. Constructing iO by Recursive use of PKFE [BV18] ,FZ*EFBBEEJOHFBDICJUPGUIFFWBMVBUPS`TJOQVU UPUIF

    1,'&FODSZQUJPOPG QSPWJEFECZUIFPCGVTDBUPS x (C, s) 5IFFWBMVBUPSDBO fi OBMMZPCUBJOFODSZQUJPOPG  BMMPXJOH1,'&EFDSZQUJPOUPPVUQVU  (C, s, x) C(x, s) 3FDVSTJWF&ODSZQUJPO$JSDVJU   Di (C, s, x1 x2 …xi−1 ) := '&&OD(pk, (C, s, x1 x2 …xi−1 0)) || '&&OD(pk, (C, s, x1 x2 …xi−1 1))

  33. Constructing iO by Recursive use of PKFE [BV18] ,FZ*EFBBEEJOHFBDICJUPGUIFFWBMVBUPS`TJOQVU UPUIF

    1,'&FODSZQUJPOPG QSPWJEFECZUIFPCGVTDBUPS x (C, s) 5IFFWBMVBUPSDBO fi OBMMZPCUBJOFODSZQUJPOPG  BMMPXJOH1,'&EFDSZQUJPOUPPVUQVU  (C, s, x) C(x, s) 3FDVSTJWF&ODSZQUJPO$JSDVJU Di (C, s, x1 x2 …xi−1 ) := '&&OD(pk, (C, s, x1 x2 …xi−1 0))||'&&OD(pk, (C, s, x1 x2 …xi−1 1)) 5IFJUIEFDSZQUJPOPG1,'&PVUQVUTUIF1,'& FODSZQUJPOTGPS BOE (C, s, x1 x2 …xi−1 0) (C, s, x1 x2 …xi−1 1)

  34. Constructing iO by Recursive use of PKFE [BV18] The image

    is taken from [BV18]

  35. Requirements to PKFE for iO construction [BV18] 'PSUIFPVUQVUTJ[F UIFDPNQVUBUJPOBMDPNQMFYJUZPGUIF FODSZQUJPOBMHPSJUINJODSFBTFTJOPSEFS

     m 𝒪 (mα) *OPSEFSGPSUIFDPNQVUBUJPOBMDPNQMFYJUZUPDPOWFSHF BGUFS SFDVSTJPOT  NVTUCFMFTTUIBO 
 TVCMJOFBSF ff i DJFODZ  n α

  36. PKFE in Three Steps [JLS22]  3FQSFTFOUBQSPDFTTUPHFOFSBUFBHBSCMFEDJSDVJUGPSBDJSDVJU BOEJUT HBSCMFEJOQVUTGPSJOQVUT JOBDPOTUBOUEFHSFFNVMUJWBSJBUFQPMZOPNJBM

    
  $POWFSUUIFQPMZOPNJBMJOUPBEFHSFFQPMZOPNJBMTVDIUIBU UIF EFHSFFGPSQSJWBUFBOEQVCMJDJOQVUTBSFUXPBOEDPOTUBOU SFTQFDUJWFMZ  BOE UIFSVOOJOHUJNFUPFODPEFUIFPSJHJOBMWBSJBCMFTUPQSJWBUFBOE QVCMJDJOQVUTJTTVCMJOFBSXJUISFTQFDUUPUIFPVUQVUTJ[F   6TF1,'&GPSEFHSFFQPMZOPNJBMT DBMMFEQBSUJBMMZIJEJOHGVODUJPOBM FODSZQUJPO 1)'&  C x m

  37. PKFE in Three Steps [JLS22]  3FQSFTFOUBQSPDFTTUPHFOFSBUFBHBSCMFEDJSDVJUGPSBDJSDVJU BOEJUT HBSCMFEJOQVUTGPSJOQVUT JOBDPOTUBOUEFHSFFNVMUJWBSJBUFQPMZOPNJBM

    
  $POWFSUUIFQPMZOPNJBMJOUPBEFHSFFQPMZOPNJBMTVDIUIBU UIF EFHSFFGPSQSJWBUFBOEQVCMJDJOQVUTBSFUXPBOEDPOTUBOU SFTQFDUJWFMZ  BOE UIFSVOOJOHUJNFUPFODPEFUIFPSJHJOBMWBSJBCMFTUPQSJWBUFBOE QVCMJDJOQVUTJTTVCMJOFBSXJUISFTQFDUUPUIFPVUQVUTJ[F   6TF1,'&GPSEFHSFFQPMZOPNJBMT DBMMFEQBSUJBMMZIJEJOHGVODUJPOBM FODSZQUJPO 1)'&  C x m

  38. PKFE in Three Steps [JLS22] 6TF1,'&GPSEFHSFFQPMZOPNJBMT HBSCMFEDJSDVJUHFOFSBUJPO Encryption Process: 


    1. Encode input and random seeds into private and public inputs . 2. Encrypt under the public key for PHFE, denoted by . 3. Output . 
 x r (SI, PI) (SI, PI) ctPHFE ctPHFE

  39. PKFE in Three Steps [JLS22] 6TF1,'&GPSEFHSFFQPMZOPNJBMT HBSCMFEDJSDVJUHFOFSBUJPO Decryption Process: 


    1. Decrypt the given , outputting a garbled circuit and its garbled inputs. 2. Evaluate the garbled circuit on the garbled inputs, outputting 
 ctPHFE C(x) Encryption Process: 
 1. Encode input and random seeds into private and public inputs . 2. Encrypt under the public key for PHFE, denoted by . 3. Output . 
 x r (SI, PI) (SI, PI) ctPHFE ctPHFE

  40. PKFE in Three Steps [JLS22]  3FQSFTFOUBQSPDFTTUPHFOFSBUFBHBSCMFEDJSDVJUGPSBDJSDVJU BOEJUT HBSCMFEJOQVUTGPSJOQVUT JOBDPOTUBOUEFHSFFNVMUJWBSJBUFQPMZOPNJBM

    
  $POWFSUUIFQPMZOPNJBMJOUPBEFHSFFQPMZOPNJBMTVDIUIBU UIF EFHSFFGPSQSJWBUFBOEQVCMJDJOQVUTBSFUXPBOEDPOTUBOU SFTQFDUJWFMZ  BOE UIFSVOOJOHUJNFUPFODPEFUIFPSJHJOBMWBSJBCMFTUPQSJWBUFBOE QVCMJDJOQVUTJTTVCMJOFBSXJUISFTQFDUUPUIFPVUQVUTJ[F   6TF1,'&GPSEFHSFFQPMZOPNJBMT DBMMFEQBSUJBMMZIJEJOHGVODUJPOBM FODSZQUJPO 1)'&  C x m

  41. Learning Parity with Noise (LPN) Assumption The image is taken

    from [JLS21]

  42. Deg 2.5 Polynomials with LPN [JLS22] 4VCMJOFBSTJ[FE1VCMJDBOE1SJWBUF*OQVUTVTJOH-1/ The images are

    taken from [JLS22]

  43. Deg 2.5 Polynomials with LPN [JLS22] 4VCMJOFBSTJ[FE1VCMJDBOE1SJWBUF*OQVUTVTJOH-1/ 5PDPNQVUFBEFHSFF QPMZOPNJBM d

    h(Y) The images are taken from [JLS22]

  44. Deg 2.5 Polynomials with LPN [JLS22] Observation: since error is

    sparse, the following is also sparse: e Corr Corr = {hj (x′  ) − hj (x′  + e)}j∈[m]

  45. Deg 2.5 Polynomials with LPN [JLS22] Observation: since error is

    sparse, the following is also sparse: e Corr Corr = {hj (x′  ) − hj (x′  + e)}j∈[m] The matrix of has at most non-zeros for with overwhelming probability, i.e., the rank is at most . Corr m1−ϵ ϵ > 0 m1−ϵ

  46. Deg 2.5 Polynomials with LPN [JLS22] Observation: since error is

    sparse, the following is also sparse: e Corr Corr = {hj (x′  ) − hj (x′  + e)}j∈[m] The matrix of has at most non-zeros for with overwhelming probability, i.e., the rank is at most . Corr m1−ϵ ϵ > 0 m1−ϵ , where the sizes of is sublinear, i.e., Corr = UV |U, V| 𝒪 (m1−ϵ)

  47. Deg 2.5 Polynomials with LPN [JLS22] 4VCMJOFBSTJ[FE1VCMJDBOE1SJWBUF*OQVUTVTJOH-1/ SI = (s⊗

    d 2 , U, V) PI = (A, b = sA + e + x′  ) 1. The degree is 2.5 2. the sizes of is sublinear, i.e., |U, V| 𝒪 (m1−ϵ)

  48. 3FGFSFODFT • [SW14] Sahai, A., & Waters, B. (2014, May).

    How to use indistinguishability obfuscation: deniable encryption, and more. In Proceedings of the forty-sixth annual ACM symposium on Theory of computing (pp. 475-484). • [JLL+23] Jain, A., Lin, H., Luo, J., & Wichs, D. (2023, August). The pseudorandom oracle model and ideal obfuscation. In Annual International Cryptology Conference (pp. 233-262). Cham: Springer Nature Switzerland. • [BGI+01] Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., & Yang, K. (2001, August). On the (im) possibility of obfuscating programs. In Annual international cryptology conference (pp. 1-18). Berlin, Heidelberg: Springer Berlin Heidelberg. • [GR07] Goldwasser, S., & Rothblum, G. N. (2007). On best-possible obfuscation. In Theory of Cryptography: 4th Theory of Cryptography Conference, TCC 2007, Amsterdam, The Netherlands, February 21-24, 2007. Proceedings 4 (pp. 194-213). Springer Berlin Heidelberg. • [JLS22] Jain, A., Lin, H., & Sahai, A. (2022, May). Indistinguishability obfuscation from LPN over F p, DLIN, and PRGs in NC 0. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp. 670-699). Cham: Springer International Publishing. • [GGH+13] Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., & Waters, B. (2016). Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM Journal on Computing, 45(3), 882-929. • [BV18] Bitansky, N., & Vaikuntanathan, V. (2018). Indistinguishability obfuscation from functional encryption. Journal of the ACM (JACM), 65(6), 1-37. • [JLS21] Jain, A., Lin, H., & Sahai, A. (2021, June). Indistinguishability obfuscation from well-founded assumptions. In Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing (pp. 60-73).