Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Introduction to Indistinguishability/Ideal Obfu...

SoraSuegami
October 13, 2024
Technology
0
110

Introduction to Indistinguishability/Ideal Obfuscation (iO)

An introduction to indistinguishability/ideal Obfuscation (iO) at Progcrypto camp.

SoraSuegami

October 13, 2024
Tweet

More Decks by SoraSuegami

See All by SoraSuegami
Ethcon Korea 2023 "ZK Email: On-chain verification of emails using ZKP"
sorasuegami
1
1.6k
ICBC2023 "Contract Wallet Using Emails"
sorasuegami
1
490
Theory and Applications of Zero-Knowledge Proof - Part 2: Formal protocol of Plonk and its applications.
sorasuegami
1
230
Theory and Applications of Zero-Knowledge Proof - Part 1: Introduction
sorasuegami
1
530

Other Decks in Technology

See All in Technology
AIとともに歩んだライブラリアップデートの道のり/ vue-fes-japan-2024-link-and-motivation
lmi
2
2.3k
VueとViteで作るUIコンポーネントライブラリ ~デザインシステムとプロダクトの理想的な分離を目指して~ / 20241019_cloudsign_VueFesJapan2024_1
bengo4com
8
4.8k
パートナー企業のテクニカルサポートエンジニアとして気になる、より良い AWS サポートの利活用について
kazzpapa3
1
300
Deep dive into Nuxt Server Components
wattanx
1
1.4k
MobileActOsaka_241018.pdf
akaitadaaki
0
120
生成AIの活用パターンと継続的評価
asei
5
360
カメラ単体で物体の3次元 座標を扱う方法
kenmatsu4
1
190
KMPプロジェクトでマニュアルDIを使う選択
rmakiyama
0
100
ゼロからはじめる生成AI〜AWS認定とハンズオンで学ぶ初心者の道〜
kenichinakamura
0
140
LeSS Yoake 2024 スポンサーセッション
riki_hiraoka
0
210
プログラミング写経のすすめ
natsutan
0
180
データ分析基盤のためにS3を深堀りする~アーキテクチャ設計の考え方のヒントに~
nrinetcom
PRO
1
790

Featured

See All Featured
No one is an island. Learnings from fostering a developers community.
thoeni
19
2.9k
Rails Girls Zürich Keynote
gr2m
93
13k
Ruby is Unlike a Banana
tanoku
96
11k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
130k
Done Done
chrislema
181
16k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
26
4.1k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
4.9k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
106
48k
BBQ
matthewcrist
85
9.2k
Why Our Code Smells
bkeepers
PRO
334
57k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k

Transcript

  1. Introduction to Indistinguishability/Ideal Obfuscation (iO) Sora Suegami

  2. Issues of Multi Party Computation (MPC) While MPC, including fully

    homomorphic encryption (FHE), is a practical method for private computation, it relies on the following two assumptions: • Online Assumption: 
 Some parties holding some secrets or private inputs must remain online until MPC terminates. 
 • Threshold Assumption: 
 When one group of parties, called committee, holds secrets used during MPC for all users, more than a threshold number of the committee parties must be honest and online.

  3. Online & Threshold Assumptions is not ideal The threshold indicates

    a trade of between safety and liveness, 
 but online assumption requires both. t 4BGFUZ /PQSJWBUFEBUBJTNBMJDJPVTMZSFWFBMFEEVSJOH.1$ -JWFOFTT .1$ FWFOUVBMMZTVDDFFET t = n t = 1 5SBEFP ff CFUXFFO TBGFUZBOEMJWFOFTT

  4. Obfuscation fixes this. User’s Machine Any user can evaluate a

    private (unknown) program hardcoding some secrets on arbitrary input non-interactively, without learning more information than ! s x P(x, s)

  5. Obfuscation fixes this. User’s Machine 0CGVTDBUFE QSPHSBNGPS  XJUITFDSFUT P

    s Any user can evaluate a private (unknown) program hardcoding some secrets on arbitrary input non-interactively, without learning more information than ! s x P(x, s)

  6. Obfuscation fixes this. User’s Machine 0CGVTDBUFE QSPHSBNGPS  XJUITFDSFUT P

    s Input x Any user can evaluate a private (unknown) program hardcoding some secrets on arbitrary input non-interactively, without learning more information than ! s x P(x, s)

  7. Obfuscation fixes this. User’s Machine 0CGVTDBUFE QSPHSBNGPS  XJUITFDSFUT P

    s Input x Output 
 P(x, s) Any user can evaluate a private (unknown) program hardcoding some secrets on arbitrary input non-interactively, without learning more information than ! s x P(x, s)

  8. What is Obfuscation based on Cryptographic Assumptions? $JSDVJU C

  9. $JSDVJU C 0CGVTDBUFE $JSDVJU 0CG(C) 0CGVTDBUJPO $PNQJMFS What is Obfuscation

    based on Cryptographic Assumptions?

  10. What is Obfuscation based on Cryptographic Assumptions? $JSDVJU C 0CGVTDBUFE

    $JSDVJU 0CG(C) 0CGVTDBUJPO $PNQJMFS *OQVUx 0VUQVU C(x) *OQVUx 0VUQVU 0CG(C)(x) = =

  11. 0CGVTDBUFE $JSDVJU 0CG(C) "OBMZ[JOHʜ )BSEDPEFE QSJWBUFEBUB  4FDSFU BMHPSJUIN *OGPSNBM

    TVQQPTFBOBEWFSTBSZDBOFYUSBDUOPOUSJWJBMJOGPSNBUJPO JOUIFDJSDVJUGSPNUIFPCGVTDBUFEDJSDVJU  
 XFDBODPOTUSVDUBOBEWFSTBSZUIBUCSFBLTIBSEQSPCMFNTJO DSZQUPHSBQIZ What is Obfuscation based on Cryptographic Assumptions?

  12. 0CGVTDBUFE $JSDVJU 0CG(C) "OBMZ[JOHʜ )BSEDPEFE QSJWBUFEBUB  4FDSFU BMHPSJUIN *OGPSNBM

    TVQQPTFBOBEWFSTBSZDBOFYUSBDUOPOUSJWJBMJOGPSNBUJPO JOUIFDJSDVJUGSPNUIFPCGVTDBUFEDJSDVJU 
 XFDBODPOTUSVDUBOBEWFSTBSZUIBUCSFBLTIBSEQSPCMFNTJO DSZQUPHSBQIZ What is Obfuscation based on Cryptographic Assumptions?

  13. Indistinguishability Obfuscation (iO) 0CGVTDBUJPOTPGUXPDJSDVJUTXJUIUIFTBNFGVODUJPOBMJUZ  JF JOQVUPVUQVUSFMBUJPO BSFJOEJTUJOHVJTIBCMF $JSDVJU C0

    $JSDVJU C1 ≠ C0 (x) = C1 (x) 0CGVTDBUFE $JSDVJU 0CG(C0 ) 0CGVTDBUFE $JSDVJU 0CG(C1 ) ⇒ ≈

  14. &WFOJG DPOUBJOTTPNFIBSEDPEFEQSJWBUFEBUB  JGXFDBONBLFBDJSDVJU XJUIPVUUIFQSJWBUFEBUB UIBUIBTUIFTBNFPVUQVUBTUIBUPG GPSBMMJOQVU UIBUBOBEWFSTBSZDBOQSPWJEF  UIFPCGVTDBUJPOPG

    EPFTOPUSFWFBMJOGPSNBUJPOBCPVU UIFIBSEDPEFEQSJWBUFEBUBCFDBVTFJUJT JOEJTUJOHVJTIBCMFGSPNUIFPCGVTDBUJPOPG  C0 C1 C0 C0 C1 Indistinguishability Obfuscation (iO)

  15. &WFOJG DPOUBJOTTPNFIBSEDPEFEQSJWBUFEBUB  JGXFDBONBLFBDJSDVJU XJUIPVUUIFQSJWBUFEBUBUIBU IBTUIFTBNFPVUQVUBTUIBUPG GPSBMMJOQVUUIBUBO BEWFSTBSZDBOQSPWJEF  UIFPCGVTDBUJPOPG

    EPFTOPUSFWFBMJOGPSNBUJPO BCPVUUIFIBSEDPEFEQSJWBUFEBUBCFDBVTFJUJT JOEJTUJOHVJTIBCMFGSPNUIFPCGVTDBUJPOPG  C0 C1 C0 C0 C1 Indistinguishability Obfuscation (iO)

  16. Ideal Obfuscation under Pseudorandom Oracle Model [JLL+23] 6OGPSUVOBUFMZ BOZTDIFNFTJODMVEJOHJ0DBOOPUFOTVSFUIBUBOBEWFSTBSZ DBOOPUMFBSONPSFJOGPSNBUJPOUIBOUIFDJSDVJUPVUQVUJOQMBJONPEFM

    <#(* >5IFTFDVSJUZPGJ0JTUIFCFTUQPTTJCMFPCGVTDBUJPO<(3> )PXFWFS CZNPEFMJOHBIBTIGVODUJPOBTBQTFVEPSBOEPNPSBDMF 1S0  TJNJMBSUPSBOEPNPSBDMFCVUEJ ff FSFOUGSPNJU XFDBODPOTUSVDUBOJEFBM PCGVTDBUJPOUIBUSFWFBMTOPJOGPSNBUJPOFYDFQUGPSUIFPVUQVU<+-- >

  17. 6OGPSUVOBUFMZ BOZTDIFNFTJODMVEJOHJ0DBOOPUFOTVSFUIBUBOBEWFSTBSZ DBOOPUMFBSONPSFJOGPSNBUJPOUIBOUIFDJSDVJUPVUQVUJOQMBJONPEFM <#(* >5IFTFDVSJUZPGJ0JTUIFCFTUQPTTJCMFPCGVTDBUJPO<(3> )PXFWFS CZNPEFMJOHBIBTIGVODUJPOBTBQTFVEPSBOEPNPSBDMF 1S0  TJNJMBSUPSBOEPNPSBDMFCVUEJ

    ff FSFOUGSPNJU XFDBODPOTUSVDUBOJEFBM PCGVTDBUJPOUIBUSFWFBMTOPJOGPSNBUJPOFYDFQUGPSUIFPVUQVU<+-- > Ideal Obfuscation under Pseudorandom Oracle Model [JLL+23]

  18. Bootstrapping iO using verifiable FHE [GGH+13] We actually need iO

    only for ZKP verification + FHE decryption, which is represented by a shallow (NC1) circuit! • FHE.Enc(C( ⋅ , s)) • iOsk Obfuscation

  19. Bootstrapping iO using verifiable FHE [GGH+13] We actually need iO

    only for ZKP verification + FHE decryption, which is represented by a shallow (NC1) circuit! • FHE.Enc(C( ⋅ , s)) • iOsk Obfuscation iOsk(π, FHE.Enc(y)) 1. Verify the proof to assert that the given is a correct output of for some . 
 2. Output π FHE.Enc(y) FHE.Eval(C(x, s)) x FHE.Dec(sk, FHE.Enc(y))

  20. Bootstrapping iO using verifiable FHE [GGH+13] We actually need iO

    only for ZKP verification + FHE decryption, which is represented by a shallow (NC1) circuit! • Obfuscate( ) executed by an obfuscator: 1. Sample FHE secret and public keys . 2. Encrypt under . 3. Generate , which hardcodes . 4. Output 
 C, s (sk, pk) C( ⋅ , s) pk iOsk sk iO = (FHE.Enc(C( ⋅ , s)), iOsk)

  21. Bootstrapping iO using verifiable FHE [GGH+13] We actually need iO

    only for ZKP verification + FHE decryption, which is represented by a shallow (NC1) circuit! • Obfuscate( ) executed by an obfuscator: 1. Sample FHE secret and public keys . 2. Encrypt under . 3. Generate , which hardcodes . 4. Output 
 C, s (sk, pk) C( ⋅ , s) pk iOsk sk iO = (FHE.Enc(C( ⋅ , s)), iOsk) • Eval( ) executed by an evaluator: 
 1. Compute 2. Generate a ZKP proof for 3. Evaluate , outputting . 
 iO, x FHE.Enc(y) := FHE.Eval(C(x, s)) π FHE.Enc(y) iOsk(π, FHE.Enc(y)) y = C(x, s)

  22. How to construct iO 8FMMTUVEJFE$SZQUPHSBQIJD"TTVNQUJPOT 
 -FBSOJOH1BSJUZXJUI/PJTFBTTVNQUJPO 
  1TFVEP3BOEPN(FOFSBUPSJO/$

    DPOTUBOUEFQUIDJSDVJU   %FDJTJPO-JOFBSBTTVNQUJPOPOCJMJOFBSHSPVQT 1VCMJD,FZ'VODUJPOBM&ODSZQUJPOXIPTFFODSZQUJPOUJNFJTTVCMVOBS JOUIFTJ[FPGUIFDJSDVJUPVUQVUTJ[F [JLS22]

  23. How to construct iO 8FMMTUVEJFE$SZQUPHSBQIJD"TTVNQUJPOT 
 -FBSOJOH1BSJUZXJUI/PJTFBTTVNQUJPO 
  1TFVEP3BOEPN(FOFSBUPSJO/$

    DPOTUBOUEFQUIDJSDVJU   %FDJTJPO-JOFBSBTTVNQUJPOPOCJMJOFBSHSPVQT [JLS22] [BV18] + PrO model [JLL+23] *OEJTUJOHVJTIBCJMJUZ0CGVTDBUJPO *EFBM0CGVTDBUJPO 1VCMJD,FZ'VODUJPOBM&ODSZQUJPOXIPTFFODSZQUJPOUJNFJTTVCMVOBS JOUIFTJ[FPGUIFDJSDVJUPVUQVUTJ[F

  24. How to construct iO 8FMMTUVEJFE$SZQUPHSBQIJD"TTVNQUJPOT 
 -FBSOJOH1BSJUZXJUI/PJTFBTTVNQUJPO 
  1TFVEP3BOEPN(FOFSBUPSJO/$

    DPOTUBOUEFQUIDJSDVJU   %FDJTJPO-JOFBSBTTVNQUJPOPOCJMJOFBSHSPVQT [JLS22] [BV18] + PrO model [JLL+23] *OEJTUJOHVJTIBCJMJUZ0CGVTDBUJPO *EFBM0CGVTDBUJPO 1VCMJD,FZ'VODUJPOBM&ODSZQUJPOXIPTFFODSZQUJPOUJNFJTTVCMVOBS JOUIFTJ[FPGUIFDJSDVJUPVUQVUTJ[F

  25. Public-Key Functional Encryption 4FUVQ .BTUFS 
 TFDSFULFZ msk &OD ek

    .FTTBHF m $JQIFSUFYU ct ,FZ(FO msk $JSDVJU C 'VODUJPOBM 
 TFDSFULFZ fskC %FD ct fskC 0VUQVU C(m) 1SJWBUF0QFSBUJPO &ODSZQUJPO 
 LFZ ek 1VCMJD0QFSBUJPO

  26. Public-Key Functional Encryption 1,'&WT')& 1,'& ')& 0VUQVU 1MBJOUFYU $JQIFSUFYU $JSDVJUUIBUDBO

    CFFWBMVBUFE -JNJUFECZB USVTUFEQBSUZ 'SFF $JSDVJUJT 1SJWBUF1VCMJD 1VCMJD $BOCF1SJWBUF

  27. iO from Public-Key Functional Encryption 1,'&JTBMNPTUJ0TJODFJUBMMPXTOPOJOUFSBDUJWFFWBMVBUJPOPGUIF TQFDJ fi DDJSDVJUPOQSJWBUFJOQVUT

  28. iO from Public-Key Functional Encryption 1,'&JTBMNPTUJ0TJODFJUBMMPXTOPOJOUFSBDUJWFFWBMVBUJPOPGUIF TQFDJ fi DDJSDVJUPOQSJWBUFJOQVUT )PXFWFS

    1,'&JTOPUJ0CFDBVTFBGVODUJPOBMTFDSFULFZEPFTOPU IJEFJOGPSNBUJPOJOTJEFUIFDJSDVJU

  29. iO from Public-Key Functional Encryption 1,'&JTBMNPTUJ0TJODFJUBMMPXTOPOJOUFSBDUJWFFWBMVBUJPOPGUIF TQFDJ fi DDJSDVJUPOQSJWBUFJOQVUT )PXFWFS

    1,'&JTOPUJ0CFDBVTFBGVODUJPOBMTFDSFULFZEPFTOPU IJEFJOGPSNBUJPOJOTJEFUIFDJSDVJU %VSJOHUIFFWBMVBUJPOPGC(x, s) 1,'& BSFQVCMJD  JTQSJWBUF C, s x J0 BSFQSJWBUF  JTQVCMJD C, s x

  30. Constructing iO by Recursive use of PKFE [BV18] ,FZ*EFBBEEJOHFBDICJUPGUIFFWBMVBUPS`TJOQVU UPUIF

    1,'&FODSZQUJPOPG QSPWJEFECZUIFPCGVTDBUPS x (C, s)

  31. Constructing iO by Recursive use of PKFE [BV18] ,FZ*EFBBEEJOHFBDICJUPGUIFFWBMVBUPS`TJOQVU UPUIF

    1,'&FODSZQUJPOPG QSPWJEFECZUIFPCGVTDBUPS x (C, s) 5IFFWBMVBUPSDBO fi OBMMZPCUBJOFODSZQUJPOPG  BMMPXJOH1,'&EFDSZQUJPOUPPVUQVU  (C, s, x) C(x, s)

  32. Constructing iO by Recursive use of PKFE [BV18] ,FZ*EFBBEEJOHFBDICJUPGUIFFWBMVBUPS`TJOQVU UPUIF

    1,'&FODSZQUJPOPG QSPWJEFECZUIFPCGVTDBUPS x (C, s) 5IFFWBMVBUPSDBO fi OBMMZPCUBJOFODSZQUJPOPG  BMMPXJOH1,'&EFDSZQUJPOUPPVUQVU  (C, s, x) C(x, s) 3FDVSTJWF&ODSZQUJPO$JSDVJU   Di (C, s, x1 x2 …xi−1 ) := '&&OD(pk, (C, s, x1 x2 …xi−1 0)) || '&&OD(pk, (C, s, x1 x2 …xi−1 1))

  33. Constructing iO by Recursive use of PKFE [BV18] ,FZ*EFBBEEJOHFBDICJUPGUIFFWBMVBUPS`TJOQVU UPUIF

    1,'&FODSZQUJPOPG QSPWJEFECZUIFPCGVTDBUPS x (C, s) 5IFFWBMVBUPSDBO fi OBMMZPCUBJOFODSZQUJPOPG  BMMPXJOH1,'&EFDSZQUJPOUPPVUQVU  (C, s, x) C(x, s) 3FDVSTJWF&ODSZQUJPO$JSDVJU Di (C, s, x1 x2 …xi−1 ) := '&&OD(pk, (C, s, x1 x2 …xi−1 0))||'&&OD(pk, (C, s, x1 x2 …xi−1 1)) 5IFJUIEFDSZQUJPOPG1,'&PVUQVUTUIF1,'& FODSZQUJPOTGPS BOE (C, s, x1 x2 …xi−1 0) (C, s, x1 x2 …xi−1 1)

  34. Constructing iO by Recursive use of PKFE [BV18] The image

    is taken from [BV18]

  35. Requirements to PKFE for iO construction [BV18] 'PSUIFPVUQVUTJ[F UIFDPNQVUBUJPOBMDPNQMFYJUZPGUIF FODSZQUJPOBMHPSJUINJODSFBTFTJOPSEFS

     m 𝒪 (mα) *OPSEFSGPSUIFDPNQVUBUJPOBMDPNQMFYJUZUPDPOWFSHF BGUFS SFDVSTJPOT  NVTUCFMFTTUIBO 
 TVCMJOFBSF ff i DJFODZ  n α

  36. PKFE in Three Steps [JLS22]  3FQSFTFOUBQSPDFTTUPHFOFSBUFBHBSCMFEDJSDVJUGPSBDJSDVJU BOEJUT HBSCMFEJOQVUTGPSJOQVUT JOBDPOTUBOUEFHSFFNVMUJWBSJBUFQPMZOPNJBM

    
  $POWFSUUIFQPMZOPNJBMJOUPBEFHSFFQPMZOPNJBMTVDIUIBU UIF EFHSFFGPSQSJWBUFBOEQVCMJDJOQVUTBSFUXPBOEDPOTUBOU SFTQFDUJWFMZ  BOE UIFSVOOJOHUJNFUPFODPEFUIFPSJHJOBMWBSJBCMFTUPQSJWBUFBOE QVCMJDJOQVUTJTTVCMJOFBSXJUISFTQFDUUPUIFPVUQVUTJ[F   6TF1,'&GPSEFHSFFQPMZOPNJBMT DBMMFEQBSUJBMMZIJEJOHGVODUJPOBM FODSZQUJPO 1)'&  C x m

  37. PKFE in Three Steps [JLS22]  3FQSFTFOUBQSPDFTTUPHFOFSBUFBHBSCMFEDJSDVJUGPSBDJSDVJU BOEJUT HBSCMFEJOQVUTGPSJOQVUT JOBDPOTUBOUEFHSFFNVMUJWBSJBUFQPMZOPNJBM

    
  $POWFSUUIFQPMZOPNJBMJOUPBEFHSFFQPMZOPNJBMTVDIUIBU UIF EFHSFFGPSQSJWBUFBOEQVCMJDJOQVUTBSFUXPBOEDPOTUBOU SFTQFDUJWFMZ  BOE UIFSVOOJOHUJNFUPFODPEFUIFPSJHJOBMWBSJBCMFTUPQSJWBUFBOE QVCMJDJOQVUTJTTVCMJOFBSXJUISFTQFDUUPUIFPVUQVUTJ[F   6TF1,'&GPSEFHSFFQPMZOPNJBMT DBMMFEQBSUJBMMZIJEJOHGVODUJPOBM FODSZQUJPO 1)'&  C x m

  38. PKFE in Three Steps [JLS22] 6TF1,'&GPSEFHSFFQPMZOPNJBMT HBSCMFEDJSDVJUHFOFSBUJPO Encryption Process: 


    1. Encode input and random seeds into private and public inputs . 2. Encrypt under the public key for PHFE, denoted by . 3. Output . 
 x r (SI, PI) (SI, PI) ctPHFE ctPHFE

  39. PKFE in Three Steps [JLS22] 6TF1,'&GPSEFHSFFQPMZOPNJBMT HBSCMFEDJSDVJUHFOFSBUJPO Decryption Process: 


    1. Decrypt the given , outputting a garbled circuit and its garbled inputs. 2. Evaluate the garbled circuit on the garbled inputs, outputting 
 ctPHFE C(x) Encryption Process: 
 1. Encode input and random seeds into private and public inputs . 2. Encrypt under the public key for PHFE, denoted by . 3. Output . 
 x r (SI, PI) (SI, PI) ctPHFE ctPHFE

  40. PKFE in Three Steps [JLS22]  3FQSFTFOUBQSPDFTTUPHFOFSBUFBHBSCMFEDJSDVJUGPSBDJSDVJU BOEJUT HBSCMFEJOQVUTGPSJOQVUT JOBDPOTUBOUEFHSFFNVMUJWBSJBUFQPMZOPNJBM

    
  $POWFSUUIFQPMZOPNJBMJOUPBEFHSFFQPMZOPNJBMTVDIUIBU UIF EFHSFFGPSQSJWBUFBOEQVCMJDJOQVUTBSFUXPBOEDPOTUBOU SFTQFDUJWFMZ  BOE UIFSVOOJOHUJNFUPFODPEFUIFPSJHJOBMWBSJBCMFTUPQSJWBUFBOE QVCMJDJOQVUTJTTVCMJOFBSXJUISFTQFDUUPUIFPVUQVUTJ[F   6TF1,'&GPSEFHSFFQPMZOPNJBMT DBMMFEQBSUJBMMZIJEJOHGVODUJPOBM FODSZQUJPO 1)'&  C x m

  41. Learning Parity with Noise (LPN) Assumption The image is taken

    from [JLS21]

  42. Deg 2.5 Polynomials with LPN [JLS22] 4VCMJOFBSTJ[FE1VCMJDBOE1SJWBUF*OQVUTVTJOH-1/ The images are

    taken from [JLS22]

  43. Deg 2.5 Polynomials with LPN [JLS22] 4VCMJOFBSTJ[FE1VCMJDBOE1SJWBUF*OQVUTVTJOH-1/ 5PDPNQVUFBEFHSFF QPMZOPNJBM d

    h(Y) The images are taken from [JLS22]

  44. Deg 2.5 Polynomials with LPN [JLS22] Observation: since error is

    sparse, the following is also sparse: e Corr Corr = {hj (x′  ) − hj (x′  + e)}j∈[m]

  45. Deg 2.5 Polynomials with LPN [JLS22] Observation: since error is

    sparse, the following is also sparse: e Corr Corr = {hj (x′  ) − hj (x′  + e)}j∈[m] The matrix of has at most non-zeros for with overwhelming probability, i.e., the rank is at most . Corr m1−ϵ ϵ > 0 m1−ϵ

  46. Deg 2.5 Polynomials with LPN [JLS22] Observation: since error is

    sparse, the following is also sparse: e Corr Corr = {hj (x′  ) − hj (x′  + e)}j∈[m] The matrix of has at most non-zeros for with overwhelming probability, i.e., the rank is at most . Corr m1−ϵ ϵ > 0 m1−ϵ , where the sizes of is sublinear, i.e., Corr = UV |U, V| 𝒪 (m1−ϵ)

  47. Deg 2.5 Polynomials with LPN [JLS22] 4VCMJOFBSTJ[FE1VCMJDBOE1SJWBUF*OQVUTVTJOH-1/ SI = (s⊗

    d 2 , U, V) PI = (A, b = sA + e + x′  ) 1. The degree is 2.5 2. the sizes of is sublinear, i.e., |U, V| 𝒪 (m1−ϵ)

  48. 3FGFSFODFT • [SW14] Sahai, A., & Waters, B. (2014, May).

    How to use indistinguishability obfuscation: deniable encryption, and more. In Proceedings of the forty-sixth annual ACM symposium on Theory of computing (pp. 475-484). • [JLL+23] Jain, A., Lin, H., Luo, J., & Wichs, D. (2023, August). The pseudorandom oracle model and ideal obfuscation. In Annual International Cryptology Conference (pp. 233-262). Cham: Springer Nature Switzerland. • [BGI+01] Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., & Yang, K. (2001, August). On the (im) possibility of obfuscating programs. In Annual international cryptology conference (pp. 1-18). Berlin, Heidelberg: Springer Berlin Heidelberg. • [GR07] Goldwasser, S., & Rothblum, G. N. (2007). On best-possible obfuscation. In Theory of Cryptography: 4th Theory of Cryptography Conference, TCC 2007, Amsterdam, The Netherlands, February 21-24, 2007. Proceedings 4 (pp. 194-213). Springer Berlin Heidelberg. • [JLS22] Jain, A., Lin, H., & Sahai, A. (2022, May). Indistinguishability obfuscation from LPN over F p, DLIN, and PRGs in NC 0. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp. 670-699). Cham: Springer International Publishing. • [GGH+13] Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., & Waters, B. (2016). Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM Journal on Computing, 45(3), 882-929. • [BV18] Bitansky, N., & Vaikuntanathan, V. (2018). Indistinguishability obfuscation from functional encryption. Journal of the ACM (JACM), 65(6), 1-37. • [JLS21] Jain, A., Lin, H., & Sahai, A. (2021, June). Indistinguishability obfuscation from well-founded assumptions. In Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing (pp. 60-73).