1 Introduction

The goal of program obfuscation is to “scramble” a computer program, hiding its implementation details (making it hard to “reverse-engineer”), while preserving the functionality (i.e., input/output behavior) of the program. In recent years, the notion of indistinguishability obfuscation (iO) [BGI+01, GGH+13b] has emerged as the central notion of obfuscation. Roughly speaking, this notion requires that obfuscations \(\mathbf{iO } (C_1)\), \(\mathbf{iO } (C_2)\) of any two functionally equivalent circuits \(C_1\) and \(C_2\) (i.e., whose outputs agree on all inputs) from some class \({\mathcal C}\) (of circuits of some bounded size) are computationally indistinguishable.

On the one hand, this notion of obfuscation is strong enough for a plethora of amazing applications (see e.g., [SW14, BCP14, BZ14, GGHR14, BGL+15, CHJV14, KLW14]); on the other hand, it may plausibly exist [GGH+13b, BGK+13, PST14, GLSW14], whereas stronger notions of obfuscation have run into strong impossibility results, even in idealized models (see e.g., [BGI+01, GK05, CKP15, PS15, MMN15, LPST15]).

However, despite all this amazing progress, to date, all candidate constructions of \(\mathbf{iO } \) rely on candidate constructions of multi-linear maps [GGH13a, CLT13, GGH15, CLT15], all of which have non-trivial attacks [CHL+15, MF15], and it is not clear to what extent the security of the obfuscators that rely on them is affected.

Can Inefficient iO be Useful? Let us emphasize that for all known applications of \(\mathbf{iO } \), it is important that the obfuscator is efficient—namely, polynomial-time. Indeed, as already observed by [BGI+01], a “trivial” inefficient iO with running time \({{\mathrm{poly}}}(|C|,\lambda ) \cdot 2^n\), where C is the circuit to be obfuscated, \(\lambda \) is the security parameter, and n is the input length of C, exists unconditionally: simply output the function table of C (i.e., the output of C on all possible inputs). Recall that, in contrast, for “standard” (efficient) iO, the running time and size of the obfuscator are required to be \({{\mathrm{poly}}}(|C|,\lambda )\)—namely, polylogarithmic in the size of the truth table of C.

In this paper, we consider \(\mathbf{iO } \) with just a slightly “non-trivial” notion of efficiency: the running-time of the obfuscator may still be “trivial” (namely, \({{\mathrm{poly}}}(|C|,\lambda ) \cdot 2^{n}\)), but we now require that the obfuscated code is just slightly smaller than the truth table of C (namely \({{\mathrm{poly}}}(|C|,\lambda ) \cdot 2^{n(1-\epsilon )}\), where \(\epsilon >0\)); we refer to this notion as iO with exponential efficiency, or simply exponentially-efficient iO (XiO). The main question investigated in this paper is the following:

Can iO with just slightly non-trivial efficiency be useful for applications?

Main Theorem. Perhaps surprisingly, we show that in the regime of subexponential security, under the LWE assumption, \(\mathbf{XiO } \) for \(\mathsf {P/poly} \) implies (standard) \(\mathbf{iO } \) for \(\mathsf {P/poly} \).

Theorem 1

Assume subexponential security of the LWE assumption, and the existence of subexponentially secure \(\mathbf{XiO } \) for \(\mathsf{P^{\log }/poly}\). Then there exists subexponentially secure \(\mathbf{iO } \) for \(\mathsf {P/poly} \).

Let us remark that in the proof of Theorem 1, we only employ the \(\mathbf{XiO } \) on circuits that take inputs of length \(O(\log \lambda )\) (it would be surprising if we didn’t, since our aim is to achieve an obfuscator with polynomial efficiency). As a consequence, the proof of Theorem 1 also shows that (under the subexponential LWE assumption), subexponentially secure \(\mathbf{XiO } \) for circuits with such “short” inputs (i.e., inputs of length \(O(\log \lambda )\))—we refer to this class of circuits as \(\mathsf{P^{\log }/poly}\)—implies \(\mathbf{iO } \) for all polynomial-size circuits (with “long” inputs). We remark that in [BGL+15], the authors (implicitly) considered a notion of “short-input” \(\mathbf{iO } \) (as opposed to XiO) and demonstrated that for some (but far from all) applications of \(\mathbf{iO } \), this weaker notion actually suffices. Our results show that in the regime of subexponential security, “short-input” iO (and in fact, even \(\mathbf{XiO } \)) implies standard iO (and thus suffices for all applications of \(\mathbf{iO } \)).

Techniques. Our starting point is the recent beautiful works by Ananth and Jain [AJ15] and Bitansky and Vaikuntanathan [BV15], which show that the existence of subexponentially-secure functional encryption with sublinearly compact ciphertexts (a.k.a. sublinear compact FE) for \(\mathsf {P/poly} \) implies \(\mathbf{iO } \) for \(\mathsf {P/poly} \). Roughly speaking, a (single-key) functional encryption scheme is a public-key encryption scheme for which it is possible to release a (single) functional secret-key \(sk_C\) (for a circuit C of some a-priori bounded size S) such that knowledge of \(sk_C\) enables efficiently computing C(m) given any encryption of the message m (but nothing more); sublinear compactness means that the encryption time is sublinear in the upper bound S on the circuit-size. We recently demonstrated in [LPST15] that assuming subexponential LWE, it in fact suffices to start off with an FE satisfying an even weaker notion of compactness—which we refer to as weak sublinear compactness—which simply requires that the size of the ciphertext (but not the encryption time) is sublinear in the circuit-size.

Our main technical contribution will be showing that \(\mathbf{XiO } \) for \(\mathsf{P^{\log }/poly}\) implies weakly sublinear compact FE for \(\mathsf {P/poly} \), which by the above-mentioned result implies our main theorem.

Theorem 2

Assume the LWE assumption (resp. subexponential security of the LWE assumption) holds, and the existence of \(\mathbf{XiO } \) for \(\mathsf{P^{\log }/poly}\) (resp. subexponentially-secure \(\mathbf{XiO } \) for \(\mathsf{P^{\log }/poly}\)). Then there exists weakly sublinear compact FE for \(\mathsf {P/poly} \) (resp. subexponentially-secure weakly sublinear compact FE for \(\mathsf {P/poly} \)).

Note that Theorem 2 is interesting in its own right as it applies also in the regime of polynomial security.

The proof of Theorem 2 proceeds as follows. Following a proof template from [AJ15] (we discuss this result in more detail below), we start off with the result of Goldwasser et al. [GKP+13] which shows that under the LWE assumption, there exists a functional encryption scheme for boolean functions (i.e., functions with 1-bit outputs) in \(\mathsf {NC} ^1\) that has logarithmic compactness. Combined with the bootstrapping result of [ABSV14], this can be used to construct a functional encryption scheme for boolean functions in \(\mathsf {P/poly} \) that still has logarithmic compactness. We next show how to use \(\mathbf{XiO } \) for \(\mathsf{P^{\log }/poly}\) to extend any such compact FE scheme for boolean functions to one that handles arbitrary polynomial-sized circuits (with potentially long outputs). ([AJ15] provided a similar transformation assuming, so-called, compact randomized encoding (for Turing machines) instead of \(\mathbf{XiO } \).)

We now turn to describe our transformation from “single-bit compact FE” to “multi-bit weakly sublinear compact FE”. As an initial approach, instead of simply encrypting a message m, encrypt the sequence \((m; 1), (m; 2), \ldots , (m;\ell )\), where \(\ell \) is the maximum output length of the class of functions we want to be able to evaluate. Then, instead of simply releasing a functional secret key for a circuit C, release a secret key for the function \(C'(m;i) = C_i(m)\), where \(C_i(m)\) denotes the ith output bit of C(m). This approach clearly enables evaluating circuits with multi-bit outputs; but the encryption scheme is no longer (even weakly) compact! The length of the ciphertext grows linearly with the number of output bits. To retain compactness (or at least weakly sublinear compactness), we have the encryption algorithm release an obfuscation of a program \(\varPi \) that generates all the \(\ell \) encryptions—more precisely, given an index i, it applies a PRF (with a hard-coded seed) to the index i to generate randomness \(r_i\) and then outputs an encryption of \((m; i)\). As long as the obfuscation size is “just-slightly-compressing”, the functional encryption will have weak sublinear compactness; furthermore, the program we obfuscate only needs to take inputs of length \(O(\log \lambda )\). Thus, it suffices to assume the obfuscator satisfies \(\mathbf{XiO } \) for \(\mathsf{P^{\log }/poly}\).

To prove security of the construction, we use the “one-input-at-a-time” technique from [BCP14, GLW14, PST14, GLSW14, CLTV15], and the punctured program technique of Sahai and Waters [SW14]; the crucial point that enables us to keep the obfuscation small is that the output of the program \(\varPi \) on different inputs uses independent randomness (since they are independent encryptions) and thus in the hybrid arguments it suffices to puncture the PRF on a single point.

Let us end this section by briefly comparing our transformation to the above-mentioned transformation by Ananth and Jain [AJ15]; [AJ15] shows how to use, so-called, “compact randomized encoding” to transform single-bit compact FE for \(\mathsf {NC} ^1\) into multi-bit compact FE for \(\mathsf {NC} ^1\). As we explain in more detail in Remark 3, compact randomized encoding can be viewed as a special case of \(\mathbf{XiO } \) for the class of Turing machines (as opposed to circuits) with short input. Turing machine obfuscation is a significantly more challenging task than circuit obfuscation. We provide a brief description of their transformation in Appendix A and explain why the transformation fails when using \(\mathbf{XiO } \) (for circuits).

2 Preliminaries

Let \(\mathcal {N} \) denote the set of positive integers, and [n] denote the set \( \left\{ {1, 2, \ldots , n} \right\} \). We denote by PPT probabilistic polynomial time Turing machines, and by nuPPT non-uniform probabilistic polynomial time Turing machines. The term negligible is used for denoting functions that are (asymptotically) smaller than one over any polynomial. More precisely, a function \(\nu (\cdot )\) from non-negative integers to reals is called negligible if for every constant \(c>0\) and all sufficiently large n, it holds that \(\nu (n)<n^{-c}\). For any algorithm A and input x we denote by \(\mathsf{outlen}_A(x)\), the output length of A when run with input x.

Definition 1

We denote by \(\mathsf{P^{\log }/poly}\) the class of circuits \(\{\mathcal {C} _\lambda \}\) where \(\mathcal {C} _\lambda \) are \({{\mathrm{poly}}}(\lambda )\)-size circuits that have input length \(c\log {\lambda }\) for some constant c.

2.1 Puncturable PRF

Puncturable PRFs, defined by Sahai and Waters [SW14], are PRFs for which a key can be given out that allows evaluation of the PRF on all inputs, except for a designated polynomial-size set of inputs.

Definition 2

(Puncturable PRF [SW14]). A puncturable pseudo-random function \(\mathsf{F}\) is given by a triple of efficient algorithms \((\mathsf{F}.\mathsf{Key}\), \(\mathsf{F}.\mathsf{Punc}\), \(\mathsf{F}.\mathsf {Eval})\), and a pair of computable functions \(n(\cdot )\) and \(m(\cdot )\), satisfying the following conditions:

  • Functionality preserved under puncturing: For every polynomial size set \(S\subseteq \{0,1\}^{n(\lambda )}\) and for every \(x \in \{0,1\}^{n(\lambda )}\backslash S\), we have that:

    $$\begin{aligned} {\text {Pr}}[K \leftarrow \mathsf{F}.\mathsf{Key}(1^\lambda ), K_S = \mathsf{F}.\mathsf{Punc}(K,S) \ : \ \mathsf{F}.\mathsf {Eval}(K,x) = \mathsf{F}.\mathsf {Eval}(K_S,x)] = 1 \end{aligned}$$
  • Pseudorandom at punctured points: For every polynomial size set \(S\subseteq \{0,1\}^{n(\lambda )}\) and for every nuPPT adversary A we have that:

    $$\begin{aligned} |{\text {Pr}}[A(K_S, \mathsf{F}.\mathsf {Eval}(K,S)) = 1] - {\text {Pr}}[A(K_S, U_{m(\lambda )\cdot |S|}) = 1]|= {{\mathrm{negl}}}(\lambda ) \end{aligned}$$

    where \(K \leftarrow \mathsf{F}.\mathsf{Key}(1^\lambda )\) and \(K_S = \mathsf{F}.\mathsf{Punc}(K,S)\), and \(\mathsf{F}.\mathsf {Eval}(K, S)\) denotes the concatenation of \(\mathsf{F}.\mathsf {Eval}(K, x_1), \dots , \mathsf{F}.\mathsf {Eval}(K, x_k)\) where \(S = \{x_1, \ldots , x_k\}\) is the enumeration of the elements of S in lexicographic order; \(U_\ell \) denotes the uniform distribution over \(\ell \) bits.

The GGM tree-based construction of PRFs [GGM86] from one-way functions is easily seen to yield puncturable PRFs, as recently observed by [BW13, BGI14, KPTZ13]. Furthermore, it is easy to see that if the PRG underlying the GGM construction is sub-exponentially hard (and this can in turn be built from sub-exponentially hard OWFs), then the resulting puncturable PRF is sub-exponentially pseudorandom.
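As an added illustration (not code from the paper), the following Python sketch implements the GGM tree PRF together with puncturing at a single point, which is the form of puncturing the proof of Theorem 6 relies on (the PRF is punctured only at the index \(j^*\) being switched). SHA-256 is used here as a stand-in for the length-doubling PRG purely for concreteness; the input length is a small constructed value, and all function and class names are this example's own. The punctured key consists of the n sibling nodes hanging off the root-to-leaf path of the punctured point \(x^*\): every other leaf lies under exactly one of those siblings (so functionality is preserved, Definition 2's first condition), while every node on the path itself, the only material from which \(\mathsf{F}(K, x^*)\) is derived, is withheld.

```python
"""GGM tree PRF with single-point puncturing (added illustration, not the paper's code).

The PRG is instantiated with SHA-256 for illustration only; the GGM argument
holds for any length-doubling PRG.  Names and parameters are this example's own.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional

N_BITS = 8  # input length n(lambda); a small constructed value for the example


def _prg_half(seed: bytes, bit: int) -> bytes:
    # One half of a length-doubling PRG: G(seed) = G_0(seed) || G_1(seed).
    return hashlib.sha256(bytes([bit]) + seed).digest()


def _bits(x: int, n: int) -> List[int]:
    # Most-significant bit first, so bit d selects the child at tree depth d.
    return [(x >> (n - 1 - d)) & 1 for d in range(n)]


def key_gen() -> bytes:
    """F.Key(1^lambda): a fresh root seed."""
    return os.urandom(32)


def eval_full(key: bytes, x: int, n: int = N_BITS) -> bytes:
    """F.Eval(K, x): walk the GGM tree from the root along the bits of x."""
    node = key
    for b in _bits(x, n):
        node = _prg_half(node, b)
    return node


@dataclass(frozen=True)
class PuncturedKey:
    punctured_point: int
    n: int
    siblings: tuple  # siblings[d] = seed of the subtree for prefix x*[:d] + (1 - x*[d])


def puncture(key: bytes, x_star: int, n: int = N_BITS) -> PuncturedKey:
    """F.Punc(K, {x*}): release the n sibling nodes along the path to x*.

    Every leaf other than x* lies under exactly one of these siblings, so the
    punctured key evaluates F everywhere except at x*.  The seeds on the path
    itself (which determine F(K, x*)) are never released.
    """
    node = key
    siblings = []
    for b in _bits(x_star, n):
        siblings.append(_prg_half(node, 1 - b))  # off-path child: released
        node = _prg_half(node, b)                # on-path child: withheld
    return PuncturedKey(x_star, n, tuple(siblings))


def eval_punctured(pk: PuncturedKey, y: int) -> Optional[bytes]:
    """F.Eval(K_S, y): None at the punctured point, F(K, y) everywhere else."""
    if y == pk.punctured_point:
        return None
    ybits = _bits(y, pk.n)
    sbits = _bits(pk.punctured_point, pk.n)
    # First depth at which y leaves the punctured path; the sibling stored
    # there is the root of the subtree containing y.
    d = next(i for i in range(pk.n) if ybits[i] != sbits[i])
    node = pk.siblings[d]
    for b in ybits[d + 1:]:
        node = _prg_half(node, b)
    return node


def check_functionality_preserved(key: bytes, x_star: int, n: int = N_BITS) -> bool:
    """Definition 2, first condition, checked exhaustively over {0,1}^n."""
    pk = puncture(key, x_star, n)
    agree_elsewhere = all(
        eval_punctured(pk, y) == eval_full(key, y, n)
        for y in range(2 ** n) if y != x_star
    )
    return agree_elsewhere and eval_punctured(pk, x_star) is None


if __name__ == "__main__":
    K = key_gen()
    print("functionality preserved:", check_functionality_preserved(K, 37))
    print("punctured key size (nodes):", len(puncture(K, 37).siblings))
```

The punctured key has exactly n nodes regardless of how many leaves the tree has, which is the efficiency point exploited in the hybrid argument: puncturing at one index costs \(O(\log \lambda )\) hash values, so the padded circuit \(G''\) stays the same size as \(G\).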

2.2 Functional Encryption

We recall the definition of public-key functional encryption (FE) with selective indistinguishability based security [BSW12, O’N10]. We note that in this work, we only need the security of the functional encryption scheme to hold with respect to statically chosen challenge messages and functions. We further consider FE schemes that only produce a single functional secret key for each public key.

Definition 3

(Functional Encryption [O’N10, BSW12]). A public key functional encryption scheme for a class of circuits \(\{\mathcal {C} _\lambda \}\) is a tuple of PPT algorithms \((\mathsf{FE.Setup}, \mathsf{FE.KeyGen}, \mathsf{FE.Enc}, \mathsf{FE.Dec})\) that behave as follows:

  • \((msk, pk) \leftarrow \mathsf{FE.Setup}(1^\lambda )\): \(\mathsf{FE.Setup}\) takes as input the security parameter \(\lambda \) and outputs the master secret key msk and public key pk.

  • \(sk_C \leftarrow \mathsf{FE.KeyGen}(msk, C)\): \(\mathsf{FE.KeyGen}\) takes as input the master secret key and a circuit \(C \in \mathcal {C} _\lambda \) and outputs the functional secret key \(sk_C\).

  • \(c \leftarrow \mathsf{FE.Enc}(pk,m)\): \(\mathsf{FE.Enc}\) takes as input the public key and message \(m \in \{0,1\}^*\) and outputs the ciphertext c.

  • \(y \leftarrow \mathsf{FE.Dec}(sk_C, c)\): \(\mathsf{FE.Dec}\) takes as input the functional secret key and ciphertext and outputs \(y \in \{0,1\}^*\).

We require the following conditions to hold:

  • Correctness: For every \(\lambda \in \mathbb {N}\), \(C \in \mathcal {C} _\lambda \) with input length n and message \(m \in \{0,1\}^n\), we have that

    $$\begin{aligned} {\text {Pr}}\left[ \begin{array}{r} (pk,msk) \leftarrow \mathsf{FE.Setup}(1^\lambda )\\ sk_C \leftarrow \mathsf{FE.KeyGen}(msk,C)\\ c \leftarrow \mathsf{FE.Enc}(pk,m)\\ \end{array} :C(m) = \mathsf{FE.Dec}(sk_C,c) \right] = 1 \end{aligned}$$
  • Selective Security: For every nuPPT A there exists a negligible function \(\mu \) such that for every \(\lambda \in \mathbb {N}\), every circuit \(C \in \mathcal {C} _\lambda \) with input length n and pair of messages \(m_0, m_1 \in \{0,1\}^n\) such that \(C(m_0) = C(m_1)\) we have that \(|{\text {Pr}}[A(\mathcal {D} _0)= 1] - {\text {Pr}}[A(\mathcal {D} _1)= 1]| \le \mu (\lambda )\) where

    $$\begin{aligned} \mathcal {D} _b = Pr \left[ \begin{array}{r} (pk,msk) \leftarrow \mathsf{FE.Setup}(1^\lambda )\\ sk_C \leftarrow \mathsf{FE.KeyGen}(msk,C)\\ c_b \leftarrow \mathsf{FE.Enc}(pk,m_b)\\ \end{array} :(pk,sk_C,c_b)\right] \end{aligned}$$

    We say the scheme has sub-exponential security if there exists a constant \(\epsilon \) such that for every \(\lambda \), every \(2^{\lambda ^\epsilon }\)-size adversary A, \(|{\text {Pr}}[A(\mathcal {D} _0) = 1] - {\text {Pr}}[A(\mathcal {D} _1)=1]| \le 1/2^{\lambda ^\epsilon }\) where \(\mathcal {D} _b\) is defined above.

We recall the definition of compactness and succinctness for functional encryption schemes, as defined in [BV15, AJ15].

Definition 4

(Compact Functional Encryption [BV15, AJ15]). We say a functional encryption scheme for a class of circuits \(\{\mathcal {C} _\lambda \}\) is compact if for every \(\lambda \in \mathbb {N}\), \(pk \leftarrow \mathsf{FE.Setup}(1^ \lambda )\) and \(m \in \{0,1\}^*\) we have that

$$\begin{aligned} \mathsf{Time}(\mathsf{FE.Enc}(pk,m)) = {{\mathrm{poly}}}(\lambda , |m|, \log {s}) \end{aligned}$$

where \(s = \max _{C \in \mathcal {C} _\lambda }|C|\). We say the scheme has sub-linear compactness if the running time of \(\mathsf{FE.Enc}\) is bounded as

$$\begin{aligned} \mathsf{Time}(\mathsf{FE.Enc}(pk,m)) = {{\mathrm{poly}}}(\lambda ,|m|) \cdot s^{1-\epsilon } \end{aligned}$$

where \(\epsilon > 0\).

Definition 5

(Succinct Functional Encryption). A compact functional encryption scheme for a class of circuits that output only a single bit is called a succinct functional encryption scheme.

Theorem 3

([GKP+13]). Assuming (sub-exponentially secure) LWE, there exists a (sub-exponentially secure) succinct functional encryption scheme for \(\mathsf {NC} ^1\).

We note that [GKP+13] do not explicitly consider sub-exponentially secure succinct functional encryption, but their construction satisfies it (assuming sub-exponentially secure LWE). Additionally, we have the following bootstrapping theorem:

Theorem 4

([GHRW14, ABSV14, AJ15]). Assuming the existence of symmetric-key encryption with decryption in \(\mathsf {NC} ^1\) (resp. sub-exponentially secure) and succinct functional encryption for \(\mathsf {NC} ^1\) (resp. sub-exponentially secure), there exists succinct functional encryption for \(\mathsf {P/poly} \) (resp. sub-exponentially secure).

Following [LPST15], we here also consider a weaker compactness notion, where only the ciphertext size (but not the encryption time) is sublinear in the output length of the function being evaluated.

Definition 6

(Weakly Sublinear Compact Functional Encryption [LPST15]). We say a functional encryption scheme for a class of circuits \(\{\mathcal {C} _\lambda \}\) is weakly sublinear compact if there exists \(\epsilon > 0\) such that for every \(\lambda \in \mathbb {N}\), \(pk \leftarrow \mathsf{FE.Setup}(1^\lambda )\) and \(m \in \{0,1\}^*\) we have that

$$\begin{aligned} \mathsf{Time}_\mathsf{FE.Enc}(pk,m)&= {{\mathrm{poly}}}(\lambda , |m|, s)\\ \mathsf{outlen}_\mathsf{FE.Enc}(pk,m)&= s^{1-\epsilon } \cdot {{\mathrm{poly}}}(\lambda , |m|) \end{aligned}$$

where \(s = \max _{C \in \mathcal {C} _\lambda }|C|\).

2.3 Indistinguishability Obfuscation

We recall the notion of indistinguishability obfuscation (iO).

Definition 7

(Indistinguishability Obfuscator [BGI+01, GGH+13b]). A PPT machine \(\mathsf{iO} \) is an indistinguishability obfuscator (also referred to as iO) for a circuit class \(\{\mathcal {C}_\lambda \}_{\lambda \in \mathcal {N}}\) if the following conditions are satisfied:

  • Functionality: for all security parameters \(\lambda \in \mathbb {N}\), for all \(C \in \mathcal {C}_\lambda \), for all inputs x, we have that

    $$\begin{aligned} {\text {Pr}}[C' \leftarrow \mathsf{iO} (C)\ : \ C'(x)=C(x)] = 1. \end{aligned}$$
  • Indistinguishability: for any polysize distinguisher \(\mathcal {D} \), there exists a negligible function \(\mu \) such that the following holds: For all security parameters \(\lambda \in \mathbb {N}\), for all pairs of circuits \(C_0, C_1 \in \mathcal {C}_\lambda \) of the same size, we have that if \(C_0(x) = C_1(x)\) for all inputs x, then

    $$\begin{aligned} \Big | {\text {Pr}}\big [\mathcal {D} (\mathsf{iO} (C_0))= 1\big ] - {\text {Pr}}\big [\mathcal {D} (\mathsf{iO} (C_1))= 1\big ] \Big | \le \mu (\lambda ). \end{aligned}$$

    We say the scheme has sub-exponential security if there exists a constant \(\epsilon \) such that for every \(\lambda \), every \(2^{\lambda ^\epsilon }\)-size adversary \(\mathcal {D} \), \(|{\text {Pr}}[\mathcal {D} (\mathsf{iO} (C_0)) = 1] - {\text {Pr}}[\mathcal {D} (\mathsf{iO} (C_1))=1]| \le 1/2^{\lambda ^\epsilon }\).

The recent beautiful results of Ananth and Jain [AJ15] and Bitansky and Vaikuntanathan [BV15] show that subexponentially secure sublinear compact functional encryption schemes imply \(\mathbf{iO } \) for \(\mathsf {P/poly} \). In an earlier work [LPST15], we demonstrated that (if we additionally assume subexponential LWE), it suffices to start off with just a weakly sublinear compact functional encryption scheme (recall that in such a scheme only the length of the ciphertext needs to be sublinear, but the encryption time may be polynomial).

Theorem 5

([LPST15]). Assume the existence of sub-exponentially secure LWE. If there exists a weakly sublinear compact functional encryption scheme for \(\mathsf {P/poly} \) with sub-exponential security, then there exists a sub-exponentially secure indistinguishability obfuscator for \(\mathsf {P/poly} \).

3 Exponentially-Efficient iO (XiO)

In this section, we define our new notion of exponentially-efficient indistinguishability obfuscation (XiO), which allows the obfuscator to have running time as long as a brute-force canonicalizer that outputs the entire truth table of the function, but requires the obfuscated program to be slightly smaller in size than a brute-force canonicalization.

Definition 8

(Exponentially-Efficient Indistinguishability Obfuscation (XiO)). A machine \(\mathsf{XiO} \) is an exponentially-efficient indistinguishability obfuscator (also referred to as XiO) for a circuit class \(\{\mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\) if it satisfies the same functionality and indistinguishability property of indistinguishability obfuscators as in Definition 7 and the following efficiency requirement.

  • Non-trivial Efficiency. There exists a constant \(\epsilon > 0\) such that for any security parameter \(\lambda \in \mathbb {N}\), circuit \(C \in \mathcal {C}_\lambda \) with input length n and \(C' \in \mathsf{XiO} (1^\lambda ,C)\), we have that

    $$\begin{aligned} \mathsf{Time}_\mathsf{XiO} (1^\lambda , C)&= {{\mathrm{poly}}}(\lambda , |C|, 2^n)\\ \mathsf{outlen}_\mathsf{XiO} (1^\lambda , C)&= {{\mathrm{poly}}}(\lambda , |C|) \cdot 2^{n(1-\epsilon )}\\ \end{aligned}$$

Remark 1

(Circuits with logarithmic input length). Note that if we want the obfuscation to be efficient (i.e., polynomial-time in \(\lambda \) and the size of the circuit to be obfuscated), then the above definition is only meaningful when the class of circuits \(\mathcal {C} _\lambda \) has input length \(O(\log {\lambda })\). Our results in this paper hold assuming XiO for \(\mathsf{P^{\log }/poly}\).

Remark 2

(XiO in the preprocessing model and comparison with Compact Functional Encryption). We can consider further a relaxation of the running-time requirement of the obfuscator. The obfuscator may first perform a long “pre-processing” step (without having seen the program to be obfuscated), taking time \({{\mathrm{poly}}}(\lambda ,s, 2^n)\) (where s is the size bound on circuits to be obfuscated), and outputting a (potentially long) pre-processing public-key \(O_{pk}\). The actual obfuscation then takes \(O_{pk}\), and the circuit C as inputs, runs in time \({{\mathrm{poly}}}(\lambda ,s,2^n)\) and outputs an obfuscated program of size \({{\mathrm{poly}}}(\lambda , s) \cdot 2^{n(1-\epsilon )}\), and then the evaluation of the obfuscated program may finally also access the public-key \(O_{pk}\). All our results also apply to this relaxed notion of XiO.

Additionally, we note that weakly sublinear compact FE directly implies this notion as follows: the pre-processing public key \(O_{pk}\) (generated in the pre-processing step) consists of the public key pk for the FE and the functional secret key \(sk_{FT}\) corresponding to a function table generator program that takes as input a circuit and outputs its function table; the obfuscation of a circuit C is an encryption of the circuit C (w.r.t. the FE public key pk), and evaluation of the obfuscated code uses the functional secret key \(sk_{FT}\) inside \(O_{pk}\) to compute the function table of C and selects the appropriate output. Sub-linear compactness of the functional encryption scheme implies the obfuscator has exponential efficiency.

Remark 3

(Comparison with Compact Randomized Encoding for Turing machines). [AJ15] and [LPST15] study a notion of compact randomized encodings [IK02, AIK04]. Roughly speaking, a randomized encoding (RE) is a method for encoding a Turing Machine \(\varPi \), an input x and a running-time bound T, into a randomized encoding \(\widehat{\varPi (x)}\) from which \(\varPi (x)\) can be efficiently decoded; furthermore, the encoding does not leak anything more about \(\varPi \) and x than what can be (inefficiently) deduced from just the output \(\varPi (x)\) (truncated at T steps). A randomized encoding is compact (resp. sublinearly compact) if the encoding time is poly-logarithmic (resp. sublinear) in T (and polynomial in the size of \(\varPi \) and x). We note that sublinear compact RE directly implies XiO as follows: to obfuscate a circuit C, compute an encoding \(\widehat{FT_C}\) of the function table generator Turing machine \(FT_C\) that has the circuit C hardcoded (i.e., \(FT_C\) takes no inputs and simply computes the function table of C); evaluation of the obfuscation on an input i simply decodes the encoding \(\widehat{FT_C}\) and picks out the ith output. Sublinear compactness of the RE implies that the obfuscator is exponentially-efficient. In fact, this obfuscator has a stronger efficiency guarantee than XiO: the running time of the obfuscator is \({{\mathrm{poly}}}(\lambda , |C|)\cdot 2^{n(1-\epsilon )}\), whereas XiO allows for a longer running time.

In fact, the above methods extend to show that (sublinearly) compact RE implies a notion of \(\mathbf{XiO } \) for Turing machines. We note that Turing machine obfuscation is a significantly harder task than circuit obfuscation (indeed, all known constructions of Turing machine obfuscators first go through circuit obfuscation). We also point out that whereas (subexponentially-secure) iO for circuits is known to imply iO for Turing machines [BGL+15, CHJV14, KLW14], these techniques do not apply in the regime of programs with short input (and thus do not seem amenable in the regime of inefficient \(\mathbf{iO } \) either).

4 iO from XiO

In this section, we show how to achieve “standard” (polynomially-efficient) iO from XiO.

4.1 Weakly Sublinear Compact FE from Succinct FE and XiO

We first give our construction of weakly sublinear compact FE from succinct FE and XiO for circuits with input-size \(O(\log (\lambda ))\). At a high level, our idea is to have the ciphertext for the FE scheme be an \(\mathbf{XiO } \) of a circuit that, on input i, generates a succinct FE encryption of \((m, i)\). The secret key corresponding to C consists of a single key for the succinct FE scheme that, given a ciphertext encrypting \((m, i)\), computes the ith output bit of C(m).

Let \({\mathsf {F}}\) be a puncturable pseudorandom function, \(\mathsf{XiO} \) be an exponentially-efficient indistinguishability obfuscator for \(\mathsf{P^{\log }/poly}\) and \(\mathsf{sFE}\) be a succinct functional encryption scheme (resp. with sub-exponential security) for an appropriate class of circuits \(\{\mathcal {C} '_\lambda \}\) that includes \(C'\) defined below. We define a compact functional encryption scheme \(\mathsf{FE}\) for a class of poly-size circuits \(\{\mathcal {C} _\lambda \}\) as follows:

  • \((msk,pk) \leftarrow \mathsf{FE.Setup}(1^\lambda )\): \(\mathsf{FE.Setup}\) is identical to \(\mathsf{sFE.Setup}\) and has the same output.

  • \(c \leftarrow \mathsf{FE.Enc}(pk,m)\): \(\mathsf{FE.Enc}\) samples a puncturable PRF key \(K \leftarrow \mathsf{F}.\mathsf{Key}(1^\lambda )\) and outputs \(\varPi \leftarrow \mathsf{XiO} (1^\lambda ,G[pk,K, m])\), where \(G[pk, K, m]\) is a circuit with input length \(n = \log {s}\), where \(s = {\max _{C \in \mathcal {C} _\lambda }\mathsf{outlen}(C)}\), defined as follows:

    $$\begin{aligned} G[pk, K, m](i) = \mathsf{sFE.Enc}(pk,(m,i);\mathsf{F}.\mathsf {Eval}(K,i)) \end{aligned}$$

    G is padded to be the same size as circuits \(G'\) and \(G''\) that we will define later in the security proof. All circuits G, \(G'\), and \(G''\) will ultimately have size bounded by \(S= {{\mathrm{poly}}}(\lambda , |m|, \log {s})\) where \(s = \max _{C \in \mathcal {C} _\lambda }|C|\), and are padded to size \(S\).

  • \(sk_C \leftarrow \mathsf{FE.KeyGen}(msk,C)\): \(\mathsf{FE.KeyGen}\) outputs \(\mathsf{sFE.KeyGen}(msk,C')\), where \(C'\) on input \((m, i)\) outputs the \(i^{th}\) bit of C(m), or outputs \(\bot \) if i is greater than the output length of C.

  • \(y \leftarrow \mathsf{FE.Dec}(sk_C, \varPi )\): \(\mathsf{FE.Dec}\) runs \(c_i \leftarrow \varPi (i)\) and \(y_i \leftarrow \mathsf{sFE.Dec}(sk_C,c_i)\) for every i and outputs \(y_1,\dots , y_{2^n}\).

Let \(\{\mathcal {C} _\lambda '\}\) be a class of circuits that includes \(C'\) as defined above for every \(C \in \mathcal {C} _\lambda \).

Theorem 6

Assuming \({\mathsf {F}}\) is a puncturable pseudorandom function (resp. with subexponential security), \(\mathsf{XiO} \) is an exponentially efficient indistinguishability obfuscator for \(\mathsf{P^{\log }/poly}\) (resp. with subexponential security) and \(\mathsf{sFE}\) is a succinct functional encryption scheme for \(\{\mathcal {C} '_\lambda \}\) (resp. with subexponential security), we have that \(\mathsf{FE}\) as defined above is a functional encryption scheme for \(\{\mathcal {C} _{\lambda }\}\) with weakly sub-linear compactness (resp. and with subexponential security).

Proof

We first show weak sublinear compactness of \(\mathsf{FE}\). Consider any \(\lambda \), \(C \in \mathcal {C} _\lambda \), message m, \(pk \in \mathsf{FE.Setup}(1^\lambda )\) and puncturable PRF key \(K \in \mathsf{F}.\mathsf{Key}(1^\lambda )\). \(\mathsf{Time}(\mathsf{FE.Enc}(pk,m))\) is the time \(\mathsf{XiO} \) takes to obfuscate the circuit \(G[pk, K, m]\), which is of size \(S= {{\mathrm{poly}}}(\lambda , |m|, \log {s})\) where \(s = \max _{C \in \mathcal {C} _\lambda }|C|\). Hence we have that

$$\begin{aligned}&\qquad \mathsf{Time}_\mathsf{XiO} (1^\lambda , G[pk,K, m]) = {{\mathrm{poly}}}(\lambda , |m|, \log {s}, 2^n) \le {{\mathrm{poly}}}(\lambda , |m|, s)\\&\mathsf{outlen}_\mathsf{XiO} (1^\lambda , G[pk,K,m]) = {{\mathrm{poly}}}(\lambda , |m|, \log {s}) \cdot 2^{n(1-\epsilon )} \le {{\mathrm{poly}}}(\lambda , |m|) \cdot s^{1-\epsilon '} \end{aligned}$$

where \(\epsilon '\) is a constant with \(0 < \epsilon ' < \epsilon \).

Next we show the selective security of \(\mathsf{FE}\). We proceed by using the “one-input-at-a-time” technique from [BCP14, GLW14, PST14, GLSW14, CLTV15]. More precisely, we proceed by a hybrid argument where in each hybrid distribution, the circuit being obfuscated, on input i, produces ciphertexts of \(m_1\) when i is less than a “threshold”, and ciphertexts of \(m_0\) otherwise. Indistinguishability of neighboring hybrids is shown using the “punctured programming” technique of [SW14], as was done in [CLTV15] for constructing iO for probabilistic functions. (This technique is also used extensively in other applications of iO, e.g., [BGL+15, CHJV14, KLW14] and more.)

Assume for contradiction there exists a nuPPT A and polynomial p such that for sufficiently large \(\lambda \), circuit \(C \in \mathcal {C} _\lambda \) and messages \(m_0,m_1\) such that \(C(m_0) = C(m_1)\), A distinguishes \(\mathcal {D} _0\) and \(\mathcal {D} _1\) with advantage \(1/p(\lambda )\), where

$$\begin{aligned} \mathcal {D} _{b} = \left( \begin{array}{l} (msk,pk) \leftarrow \mathsf{FE.Setup}(1^\lambda )\\ K \leftarrow \mathsf{F}.\mathsf{Key}(1^\lambda )\\ sk_C \leftarrow \mathsf{FE.KeyGen}(msk,C)\\ \end{array} :pk, sk_C, \mathsf{XiO} (G[pk,K,m_b]) \right) \end{aligned}$$

For \(j \in \{0, 1, \dots , \ell \}\), we define the \(j^{th}\) hybrid distribution \(H_j\) as follows:

$$\begin{aligned} H_{j} = \left( \begin{array}{l} (msk,pk) \leftarrow \mathsf{FE.Setup}(1^\lambda )\\ K \leftarrow \mathsf{F}.\mathsf{Key}(1^\lambda )\\ sk_C \leftarrow \mathsf{FE.KeyGen}(msk,C)\\ \end{array} :pk, sk_C, \mathsf{XiO} (G'[pk,K,j,m_0,m_1]) \right) \end{aligned}$$

where the circuit \(G'[pk,K,j,m_0,m_1]\) is defined as follows:

$$ G'[pk,K,j,m_0,m_1] (i) = \left\{ \begin{array}{ll} \mathsf{sFE.Enc}(pk,(m_0,i);{\mathsf {F}}(K,i)) &{} \text{ if } i > j \\ \mathsf{sFE.Enc}(pk,(m_1,i);{\mathsf {F}}(K,i)) &{} \text{ if } i \le j \end{array} \right. $$

We also require \(G'\) to be padded to be of the same size \(S\) as \(G[pk,K,m]\).

We consider the hybrid sequence \(\mathcal {D} _{0}, H_0, H_1, \dots , H_{\ell }, \mathcal {D} _1\). By a hybrid argument, there exists a pair of neighboring hybrids in this sequence such that A distinguishes the pair with probability \(\frac{1}{p(\lambda )\cdot (\ell + 2)} = \frac{1}{{{\mathrm{poly}}}(\lambda )}\). We show a contradiction by proving that each pair of neighboring hybrids is computationally indistinguishable.

We first note that \(\mathcal {D} _0\) is indistinguishable from \(H_0\). This follows by observing that \(G'[pk,K,0,m_0,m_1]\) is functionally identical to \(G[pk,K,m_0]\), and applying the security of \(\mathsf{XiO} \). The same argument also shows that \(H_{\ell }\) is indistinguishable from \(\mathcal {D} _1\).

Next, we show that \(H_{j^*}\) and \(H_{j^*+1}\) are indistinguishable for each \(j^* \in \{0, \dots , \ell - 1\}\). Define the hybrid distribution \(H'_0\), which is identical to \(H_{j^*}\) except that \(\mathsf{XiO} \) obfuscates a different circuit \(G''[pk,K_{j^*},j^*,m_0,m_1,c]\), where \(K_{j^*} \leftarrow \mathsf{F}.\mathsf{Punc}(K,j^*)\) is the key K punctured at \(j^*\) and \(c \leftarrow \mathsf{sFE.Enc}(pk,(m_0,j^*); R)\) is computed using uniformly sampled randomness R. On input i, \(G''\) behaves exactly as \(G'\) except when \(i = j^*\), where it outputs the hardcoded ciphertext c. By the “punctured programming” technique of Sahai-Waters [SW14], which relies on the security of the obfuscator \(\mathsf{XiO} \) and of the puncturable PRF \({\mathsf {F}}\), it follows that for sufficiently large \(\lambda \), A distinguishes between \(H_{j^*}\) and \(H'_0\) with negligible probability.

The punctured programming technique itself works in two hybrid steps:

  • First, the circuit \(G'\) is replaced with the circuit \(G''[pk,K_{j^*},j^*,m_0,m_1,c]\) where the hardwired ciphertext is \(c = \mathsf{sFE.Enc}(pk,(m_0,j^*);{\mathsf {F}}(K,j^*))\), i.e., the same ciphertext that \(G'\) previously computed on input \(j^*\). Since this does not change the functionality of the circuit, indistinguishability follows from the security of \(\mathsf{XiO} \).

  • Second, the hardcoded ciphertext is modified to be generated from truly random R instead of \({\mathsf {F}}(K,j^*)\); since the obfuscated circuit only contains the punctured key \(K_{j^*}\), indistinguishability follows from the security of the puncturable PRF.

Next, we define hybrid distribution \(H'_1\) which is identical to \(H'_0\) except that the hardcoded ciphertext c is generated as \(\mathsf{sFE.Enc}(pk,(m_1,j^*); R)\) for uniformly sampled randomness R. Since \(C(m_0)\) is identical to \(C(m_1)\), from the security of \(\mathsf{sFE}\), A distinguishes \(H'_0\) and \(H'_1\) with negligible probability.

Finally, note that \(H'_1\) and \(H_{j^*+1}\) differ in the same way \(H'_0\) and \(H_{j^*}\) do, and are hence indistinguishable by a similar argument. Hence A distinguishes \(H_{j^*}\) and \(H_{j^*+1}\) with negligible probability and we have a contradiction. This completes the proof.
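The following Python program is an added illustration of the hybrid structure above (the circuits \(G\), \(G'\) and \(G''\), and the chain \(H_{j} \rightarrow H'_0 \rightarrow H'_1 \rightarrow H_{j+1}\)); it is not code from the paper. It tabulates each circuit on its whole input domain, which is exactly what makes the XiO setting "exponentially efficient", and checks on which inputs neighbouring hybrids differ. All names are ours. The puncturable PRF is a toy GGM-style tree built from HMAC-SHA256, \(\mathsf{sFE.Enc}\) is replaced by a hash-based stand-in that only models "same randomness gives the same ciphertext", and the domain and messages are constructed sample values. With \(G'\) exactly as defined on the page (\(m_1\) for \(i \le j\), \(m_0\) for \(i > j\)), \(H_j\) and \(H_{j+1}\) differ on the single input \(j+1\), so that is the point the example punctures and where the ciphertext c is hardwired.

```python
import hashlib
import hmac
import os

# ---- Toy GGM-style puncturable PRF (constructed for illustration) ----------

def _prg(seed: bytes, bit: int) -> bytes:
    """Length-doubling PRG, one half per bit; modelled with HMAC-SHA256 (toy)."""
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()

def _bits(x: int, n: int) -> list:
    """n-bit big-endian expansion of x: the root-to-leaf path in the GGM tree."""
    return [(x >> (n - 1 - k)) & 1 for k in range(n)]

def ggm_eval(key: bytes, x: int, n: int) -> bytes:
    """F(K, x): walk from the root seed K along the bits of x."""
    seed = key
    for b in _bits(x, n):
        seed = _prg(seed, b)
    return seed

def ggm_puncture(key: bytes, xstar: int, n: int) -> dict:
    """K{x*}: the sibling seed at every level of the path to x*.
    These suffice to evaluate F(K, .) on every point except x*."""
    siblings, seed = {}, key
    for depth, b in enumerate(_bits(xstar, n)):
        siblings[depth] = _prg(seed, 1 - b)
        seed = _prg(seed, b)
    return {"xstar": xstar, "n": n, "siblings": siblings}

def ggm_eval_punctured(pkey: dict, x: int) -> bytes:
    """Evaluate with K{x*}: start from the sibling at the first bit where x leaves the x* path."""
    n, xstar = pkey["n"], pkey["xstar"]
    if x == xstar:
        raise ValueError("F(K, x*) is not computable from the punctured key")
    xb, sb = _bits(x, n), _bits(xstar, n)
    depth = next(d for d in range(n) if xb[d] != sb[d])
    seed = pkey["siblings"][depth]
    for b in xb[depth + 1:]:
        seed = _prg(seed, b)
    return seed

# ---- Stand-in for sFE.Enc and the circuits G, G', G'' ----------------------

def sfe_enc(pk: bytes, m: bytes, i: int, r: bytes) -> bytes:
    """Placeholder for sFE.Enc(pk, (m, i); r). NOT an FE scheme: it only models
    the property the hybrids rely on, same (pk, m, i, r) -> same ciphertext."""
    return hashlib.sha256(b"|".join([pk, m, i.to_bytes(4, "big"), r])).digest()

def circuit_G(pk, K, m, n, ell):
    """G[pk, K, m], the circuit XiO obfuscates in D_b, tabulated on inputs 1..ell."""
    return {i: sfe_enc(pk, m, i, ggm_eval(K, i, n)) for i in range(1, ell + 1)}

def circuit_Gp(pk, K, j, m0, m1, n, ell):
    """G'[pk, K, j, m0, m1] as on the page: m1 for i <= j, m0 for i > j."""
    return {i: sfe_enc(pk, m1 if i <= j else m0, i, ggm_eval(K, i, n))
            for i in range(1, ell + 1)}

def circuit_Gpp(pk, Kp, j, m0, m1, c, ell):
    """G''[pk, K{i*}, j, m0, m1, c]: as G'[.., j, ..] off the punctured point i*,
    where the hardwired ciphertext c is output instead. Only the punctured key is
    available, so F(K, i*) never has to be computed inside the circuit."""
    istar = Kp["xstar"]
    return {i: c if i == istar else
            sfe_enc(pk, m1 if i <= j else m0, i, ggm_eval_punctured(Kp, i))
            for i in range(1, ell + 1)}

def differing_inputs(t1: dict, t2: dict) -> list:
    """Inputs on which two tabulated circuits disagree (functional difference)."""
    return sorted(i for i in t1 if t1[i] != t2[i])

def hybrid_chain(pk, K, j, m0, m1, n, ell):
    """Circuit tables along H_j -> (hardwire) -> H'_0 -> H'_1 -> (un-hardwire) -> H_{j+1}.
    With the page's G', H_j and H_{j+1} differ only on i* = j + 1, so we puncture there."""
    istar = j + 1
    Kp = ggm_puncture(K, istar, n)
    R = os.urandom(32)                                            # fresh randomness for H'_0, H'_1
    c_prf_m0 = sfe_enc(pk, m0, istar, ggm_eval(K, istar, n))     # step 1: same ciphertext G' computed
    c_R_m0 = sfe_enc(pk, m0, istar, R)                            # step 2: PRF output replaced by R
    c_R_m1 = sfe_enc(pk, m1, istar, R)                            # H'_1: m0 -> m1 (sFE security)
    c_prf_m1 = sfe_enc(pk, m1, istar, ggm_eval(K, istar, n))     # reverse step 2 towards H_{j+1}
    return [
        circuit_Gp(pk, K, j, m0, m1, n, ell),              # H_j
        circuit_Gpp(pk, Kp, j, m0, m1, c_prf_m0, ell),     # functionally identical to H_j's circuit
        circuit_Gpp(pk, Kp, j, m0, m1, c_R_m0, ell),       # H'_0
        circuit_Gpp(pk, Kp, j, m0, m1, c_R_m1, ell),       # H'_1
        circuit_Gpp(pk, Kp, j, m0, m1, c_prf_m1, ell),     # functionally identical to H_{j+1}'s circuit
        circuit_Gp(pk, K, j + 1, m0, m1, n, ell),          # H_{j+1}
    ]

if __name__ == "__main__":
    n, ell = 4, 15                                   # 4-bit PRF domain, inputs 1..15 (constructed)
    pk, K = b"toy-pk", os.urandom(32)
    m0, m1 = b"message-0", b"message-1"
    assert circuit_Gp(pk, K, 0, m0, m1, n, ell) == circuit_G(pk, K, m0, n, ell)     # D_0 vs H_0
    assert circuit_Gp(pk, K, ell, m0, m1, n, ell) == circuit_G(pk, K, m1, n, ell)   # H_ell vs D_1
    chain = hybrid_chain(pk, K, 5, m0, m1, n, ell)
    print([differing_inputs(a, b) for a, b in zip(chain, chain[1:])])
```

Running the script prints `[[], [6], [6], [6], []]`: the two transitions at the ends change no output (these are the steps justified by \(\mathsf{XiO} \) security alone), while the three middle transitions change the output on exactly the punctured input, which is where the puncturable-PRF and \(\mathsf{sFE}\) security arguments are applied. The table size \(2^n\) is also the reason an obfuscator running in time \({{\mathrm{poly}}}(2^n)\) is acceptable here.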

We note that the proof above is described in terms of computational indistinguishability, but it can also be used to show that \(\mathsf{FE}\) is subexponentially secure, provided that both \(\mathsf{XiO} \) and \(\mathsf{sFE}\) are subexponentially secure.

4.2 Putting Pieces Together

Theorem 7

Assuming sub-exponentially hard LWE, if there exists a subexponentially secure exponentially efficient indistinguishability obfuscator for \(\mathsf{P^{\log }/poly}\) then there exists an indistinguishability obfuscator for \(\mathsf {P/poly} \) with subexponential security.

Proof

By Theorems 3 and 4, assuming subexponentially secure LWE, there exists a succinct functional encryption scheme for \(\mathsf {P/poly} \) that is subexponentially secure. Combining this with a subexponentially secure exponentially efficient indistinguishability obfuscator for \(\mathsf{P^{\log }/poly}\), by Theorem 6, we get weakly sublinear compact functional encryption for \(\mathsf {P/poly} \) with sub-exponential selective security. Together with Theorem 5, this gives us \(\mathbf{iO } \) for \(\mathsf {P/poly} \).

Remark 4

(XiO for \(\mathsf {NC} ^1\) suffices). We remark that it in fact suffices to assume \(\mathbf{XiO } \) for only \(\mathsf {NC} ^1\) (instead of \(\mathsf {P/poly} \)) if we rely on the existence of puncturable PRFs in \(\mathsf {NC} ^1\). Indeed, if the encryption algorithm of the succinct FE scheme and the puncturable PRF are both in \(\mathsf {NC} ^1\), then in our construction it suffices to obfuscate \(\mathsf {NC} ^1\) circuits (we also need to verify that the “merged” circuit used in the hybrid argument is in \(\mathsf {NC} ^1\), which directly follows). By the result of [AIK04], assuming the existence of pseudorandom generators in \(\mathsf {NC} ^1\), we can assume without loss of generality that the succinct FE scheme we rely on also has encryption in \(\mathsf {NC} ^1\) (in fact even \(\mathsf {NC} ^0\), but this will not be useful to us): the encryption algorithm of the new succinct FE scheme computes the “randomized encoding” of the original encryption function.