Secure Obfuscation in a Weak Multilinear Map Model
 46 Citations
 1.2k Downloads
Abstract
All known candidate indistinguishability obfuscation (iO) schemes rely on candidate multilinear maps. Until recently, the strongest proofs of security available for iO candidates were in a generic model that only allows “honest” use of the multilinear map. Most notably, in this model the zerotest procedure only reveals whether an encoded element is 0, and nothing more.
However, this model is inadequate: there have been several attacks on multilinear maps that exploit extra information revealed by the zerotest procedure. In particular, Miles, Sahai and Zhandry (Crypto’16) recently gave a polynomialtime attack on several iO candidates when instantiated with the multilinear maps of Garg, Gentry, and Halevi (Eurocrypt’13), and also proposed a new “weak multilinear map model” that captures all known polynomialtime attacks on GGH13.
In this work, we give a new iO candidate which can be seen as a small modification or generalization of the original candidate of Garg, Gentry, Halevi, Raykova, Sahai, and Waters (FOCS’13). We prove its security in the weak multilinear map model, thus giving the first iO candidate that is provably secure against all known polynomialtime attacks on GGH13. The proof of security relies on a new assumption about the hardness of computing annihilating polynomials, and we show that this assumption is implied by the existence of pseudorandom functions in NC\(^1\).
Keywords
Multilinear Maps Obfuscator Polynomial Time Attack Zero Test Zerotesting Procedure1 Introduction
Candidates for multilinear maps [GGH13a, CLT13, GGH15, CLT15, Hal15], also called graded encoding schemes, have formed the substrate for achieving the important goal of generalpurpose indistinguishability obfuscation (iO) [BGI+01, BGI+12]. Several iO candidates have appeared in the literature starting with the work of [GGH+13b]. However, all known proofs of security for candidate obfuscation schemes have relied on assumptions that are justified only in a generic multilinear group model, where, informally speaking, the adversary is limited to using the multilinear map only in an honest manner. Most notably, this model allows the adversary to submit encodings for a zero test, and in the model the adversary only learns whether the encoding is an encoding of zero or not, and nothing more.
Unfortunately this last aspect of the modeling of multilinear maps has proven extremely elusive to achieve in multilinear map candidates: zero testing seems to reveal quite a bit more than just whether an encoded element is zero or not. Indeed, all candidate constructions of multilinear maps have been shown to suffer from “zeroizing” attacks [GGH13a, CHL+15, BWZ14, CGH+15, HJ15, BGH+15, Hal15, CLR15, MF15, MSZ16a] that show how to exploit the additional information leaked by zero testing to attack various schemes constructed on top of multilinear maps. In particular, a work by Miles, Sahai, and Zhandry [MSZ16a] gave the first polynomialtime attack on several candidate constructions of iO [BR14, BGK+14, PST14, AGIS14, MSW14, BMSZ16] when those constructions are instantiated using the original multilinear map candidate due to Garg, Gentry, and Halevi [GGH13a]. Thus, these attacks show that our modeling of multilinear map candidates is insufficient, even as a heuristic for arguing security.
The work of Badrinarayanan et al. [BMSZ16] explicitly addressed the question of whether a weaker model of security of multilinear maps can suffice for proving the security of iO. In particular, such a model of weak multilinear maps must take into account known attacks on the candidate multilinear map — that is, all known polynomialtime attacks must be allowable in the model. While there are several longstanding iO candidates that are not known to be broken (see, e.g., [AJN+16, Appendix A]), until recently there has not been any model for justifying their security. The work of [BMSZ16] gave the first such positive result, and showed that in one such weak multilinear map model, obfuscation for evasive functions can be proven secure with only minor modifications to existing iO candidates. [MSZ16a] posited another, more specific, weak multilinear map model that captured all known polynomialtime attacks in the context of the GGH13 multilinear map candidate. However, that work did not answer the question of whether one can construct an iO candidate for general programs that is provably secure in this model.
Our Contribution. In this work we answer this question in the affirmative, showing a new construction of an iO candidate, which can be seen as a small modification or generalization of the original iO candidate of [GGH+13b], and we prove its security in the weak multilinear map model of [MSZ16a].
We prove the security of our candidate under a new assumption about the hardness of computing annihilating polynomials (cf. Definition 4), and we show that this assumption is implied by the existence of pseudorandom functions (PRF) in NC\(^1\). Interestingly, if our assumption is true because a PRF exists and can be computed by a matrix branching program of size t(n), then our construction will only depend on this size bound t(n), and not on any other details of the PRF! Indeed, our construction will just need to be padded to have size at least roughly t(n), and no modification will be necessary at all if the program being obfuscated is already larger than t(n).
Philosophically, this is reminiscent of the recent work on timelock puzzles of [BGJ+15], where their construction of a puzzle needs to be padded to have the size of some program that computes a long nonparallelizable computation. Technically, however, our methods appear to be completely unrelated.
We now give an overview of the GGH13 multilinear map candidate. Following that, we describe an objective that is common to all known polynomialtime attacks on the GGH13 multilinear map, and use this to explain the weak multilinear map model of [MSZ16a]. We then present some starting intuition followed by an outline of the proof that our new candidate is secure against all known polynomialtime attacks on GGH13 (including [MSZ16a]).
1.1 Overview of GGH13
For GGH13 [GGH13a] with k levels of multilinearity, the plaintext space is a quotient ring \(R_g=R/gR\) where R is the ring of integers in a number field and \(g\in R\) is a “small element” in that ring. The space of encodings is \(R_q=R/qR\) where q is a “big integer”. An instance of the scheme relies on two secret elements, the generator g itself and a uniformly random denominator \(z\in R_q\). A small plaintext element \(\alpha \) is encoded “at level one” as \(u=[e/z]_q\) where e is a “small element” in the coset of \(\alpha \), that is \(e=\alpha + gr\) for some small \(r\in R\).
Addition/subtraction of encodings at the same level is just addition in \(R_q\), and it results in an encoding of the sum at the same level, so long as the numerators do not wrap around modulo q. Similarly multiplication of elements at levels \(i,i'\) is a multiplication in \(R_q\), and as long as the numerators do not wrap around modulo q the result is an encoding of the product at level \(i+i'\).
The scheme also includes a “zerotest parameter” in order to enable testing for zero at level k. Noting that a levelk encoding of zero is of the form \(u=[gr/z^k]_q\), the zerotest parameter is an element of the form \({\mathbf {p}_{\mathrm {zt}}} =[hz^k/g]_q\) for a “somewhat small element” \(h\in R\). This lets us eliminate the \(z^k\) in the denominator and the g in the numerator by computing \([{\mathbf {p}_{\mathrm {zt}}} \cdot u]_q = h\cdot r\), which is much smaller than q because both h, r are small. If u is an encoding of a nonzero \(\alpha \), however, then multiplying by \({\mathbf {p}_{\mathrm {zt}}} \) leaves a term of \([h\alpha /g]_q\) which is not small. Testing for zero therefore consists of multiplying by the zerotest parameter modulo q and checking if the result is much smaller than q.
Note that above we describe the “symmetric” setting for multilinear maps where there is only one z, and its powers occur in the denominators of encodings. More generally, there is an “asymmetric” setting where there are multiple \(z_i\).
1.2 Overview of the Model
To motivate our model (which is essentially that of [MSZ16a] with some clarifications), we note that all known polynomialtime attacks [GGH13a, HJ15, MSZ16a] on the GGH13 graded encoding scheme share a common property. As mentioned above, these attacks work by using information leaked during zero testing. More precisely, these attacks compute a set of toplevel 0encodings via algebraic manipulations on some set of initial encodings, then apply the zero test to each top level encoding, and then perform an algebraic computation on the results of the zero testing to obtain an element in the ideal \(\langle g \rangle \). In particular, the latter computation is agnostic to the particular value of g and to the randomization values r chosen for each initial encoding.
After obtaining a set of elements from \(\langle g \rangle \), the prior attacks then use these in various different ways to mount attacks on different cryptographic constructions built on top of GGH13. However, those details are not important to us. In our model (as suggested in [MSZ16a]), if the adversary succeeds in just generating an element in the ideal \(\langle g \rangle \), we will say that the adversary has won.
Our model captures the type of attack described above as follows. Like the standard ideal graded encoding model, our model \({\mathcal {M}}\) is an oracle that maintains a table mapping generic representations called “handles” to encodings of elements \(a_i \in \mathbb {Z}_p \simeq R/\langle g \rangle \). However, rather than just storing each value \(a_i\) (along with its level), we store the formal \(\mathbb {Z}_p\)polynomial \(a_i + g \cdot r_i\), where g is a formal variable common to all encodings and \(r_i\) is a “fresh” formal variable chosen for each \(a_i\). Then, an adversary may use the handles to perform any set of levelrespecting algebraic computations on the initial set of encodings. The result of any such computation is an encoding f which is represented as a \(\mathbb {Z}_p\)polynomial in the variables g and \(\{r_i\}\).
When the adversary submits a handle to a toplevel encoding f for zerotesting, \({\mathcal {M}}\) checks whether f’s constant term is 0 (which corresponds to a 0encoding in the standard ideal model). If so, \({\mathcal {M}}\) returns a handle to the formal polynomial f / g (corresponding to the result of the GGH13 zerotesting procedure), and otherwise \({\mathcal {M}}\) responds “not zero.”
Finally, the adversary may submit a postzerotest polynomial Q of degree at most \(2^{o(\lambda )}\), where throughout the paper \(\lambda \) is the security parameter. \({\mathcal {M}}\) checks whether Q, when evaluated on the set of zerotested encodings \(\{f/g\}\) the adversary has created, produces a nonzero polynomial in which every monomial is divisible by g; i.e., it checks whether Q produces a nonzero polynomial that is zero mod g. If so, \({\mathcal {M}}\) outputs “WIN”, indicating that the adversary’s attack was successful. Note that any such Q is an annihilating polynomial (Definition 4) for the set \(\{f/g \mod g\}\).
On the Degree Bound. The bound deg\((Q) \le 2^{o(\lambda )}\) for efficient adversaries may seem somewhat artificial. Indeed, arithmetic circuits of size \(\mathsf {poly}(\lambda )\) can have arbitrary exponential degree.
However, using the GGH13 graded encoding scheme, such highdegree polynomials appear difficult to compute in the nonidealized setting. This is because, in all known polynomialtime attacks on GGH13, the postzerotest computations cannot be performed modulo the GGH13 parameter q while maintaining the correctness of the attack. Indeed, there is no modulus M known with respect to which the computations can be performed while still maintaining correctness of attacks, unless the modulus M is so large that working modulo M results in computations that are identical to the computations over \(\mathbb {Z}\).
Let us explore the intuition behind why this seems to be the case. Let d be the dimension of the ring R over \(\mathbb {Z}\). Recall that the goal of the attacker in our model is to recover an element of the ideal \(\langle g \rangle \). In order to safely work modulo M, it needs to be the case that \(M \mathbb {Z}^d\) is a sublattice of the ideal lattice \(\langle g \rangle \). But g is a secret parameter of the GGH13 scheme. Until the adversary finds out something about g, it cannot be sure that any modulus M it chooses will be safe (and indeed if the computation overflows with respect to M, almost certainly any information relevant to g will be lost). But the only way we know to learn anything about g is to find an element in \(\langle g \rangle \), which was the goal of the attack to begin with.
Therefore, multiplication of two elements potentially doubles the size of the elements, and an element of exponential degree will likely have exponential size. It seems difficult even to perform postzerotest computations of superpolynomial degree.
At a technical level, we need to restrict to degree \(2^{o(\lambda )}\) due to our use of the SchwartzZippel lemma, which ceases to give useful bounds when Q has larger degree.
1.3 Intuition: Obfuscation Using an Explicit NC\(^1\) PRF
To build intuition, we first describe a construction assuming an explicit PRF in NC\(^1\). Later we will show that simply the existence of an NC\(^1\) PRF (in fact, a more general assumption that is implied by the existence of such PRF) suffices for our purpose.
1.4 Overview of the Security Proof
The proof of security follows the argument presented above, up to the point of showing that a “successful” postzerotest polynomial Q must in particular annihilate the polynomials \(\{f_{x_j}^{(1)}\}_{j \in [m]}\). Unlike in the hardwiredPRF construction however, each \(f_{x_j}^{(1)}\) now does not contain an explicit PRF output. Still, each can be viewed a polynomial in the entries of the original branching program A, the randomization values chosen by the obfuscator (including the \(B_{i,b}\) matrices), and the randomization values \(r_i\) in the GGH13 encodings.
Our main assumption (Assumption 1) states that annihilating a polysize subset of \(\{e_x\}_{x\in {{\{0,1\}}}^n}\) is not possible. We observe in Theorem 2 that, in particular, this assumption is implied by the existence of PRF in NC\(^1\). However, we believe the above assumption to be quite plausible independent of the fact that a PRF in NC\(^1\) would imply its validity.
1.5 Extensions
SingleInput vs DualInput Branching Programs. Our obfuscator, following Barak et al. [BGK+14], uses dualinput branching programs, which allows us to prove VBB security in the weak multilinear map model. The obfuscator of [BGK+14] can also be modified to use singleinput branching programs, though then only iO security is proved in the plain generic model. Unfortunately, we are unable to prove iO security for a singleinput variant of our construction. The problem is that a postzerotest encoding can now consist of elements coming from exponentially many inputs. This means that an annihilating polynomial Q may annihilate an exponential set of “generic BP evaluation polynomials.” This prevents us from embedding Assumption 1 into the security proof.
However, if the input domain of the obfuscated program is polynomialsized instead of exponential, then there are only a polynomial number of possible BP evaluation polynomials. Thus, we are able to embed Assumption 1. Therefore, in the case of polynomialsized domain, the single input version of our obfuscator achieves iO security.
Order Revealing Encryption. Our techniques can also be applied to the orderrevealing encryption scheme of [BLR+15]. Orderrevealing encryption is a symmetric encryption scheme that lets one publicly compare the order of plaintexts, but no information beyond the order of the plaintexts is revealed.
In the scheme of [BLR+15], ciphertexts are generated by encoding branching program matrices analagous to how they are encoded in obfuscation — Kilian randomize and multiply by a random scalar. The branching program arises from the state transition matrices of the finite automata for comparing two integers.
We note that their scheme was shown to be insecure in the weak multilinear map model by [MSZ16a]. To protect against these attacks, we similarly extend the branching program matrices into a block diagonal matrix with the new block being a random matrix, before applying Kilian randomization.
Security readily follows from our analysis, using a “baseB” version of Assumption 1, where B is the number of ciphertexts the adversary sees. That is, we can consider a version of our assumption where the matrix branching programs have inputs that are represented base B, and each layer of the branching program reads a single digit, selecting one of B matrices for that layer. Such a baseB assumption follows from the standard binary version of Assumption 1 by decomposing each digit into \(\log B\) bits.
Model Variations. In Sect. 5, we consider a variant of our model that more closely reflects the GGH13 encodings. Here, the \(r_i\) used to encode are no longer treated as formal variables, but are instead treated as actual ring elements sampled from some distribution. In GGH13, the distribution on \(r_i\) depends on the ring element \(a_i\) — in our model, we therefore allow the \(r_i\) to have arbitrary correlations with the \(a_i\), as long as the conditional minentropy of \(r_i\) given \(a_i\) is high. This minentropy requirement is satisfied by GGH13 encodings. We note that switching to \(r_i\) being ring elements makes the adversary’s winning condition easier, as there are now fewer constraints on the postzerotest polynomial Q.
We show that, with a small modification to the proof, our obfuscator is also secure in this variant model. If the \(r_i\) were uniformly random in some fixed subset of the ring, the SchwartzZippel lemma would suffice for adapting our original security proof to this setting. However, as we allow the \(r_i\) to be nonuniform and potentially come from different distributions, we need a new variant of the SchwartzZippel lemma for more general distributions. We prove this variant, which may be of independent interest, in Lemma 2.
Organization. In Sect. 2 we formally define our model. In Sect. 3 we give the details of our obfuscator, and in Sect. 4 we give the proof of security and discuss our assumption. In Sect. 5, we prove security in the alternative model discussed above.
2 The Model
In this section, we define our model for weak graded encoding schemes. The model is inspired by [CGH+15, Appendix A], and is essentially the same as the model given in [MSZ16a] except for some details that we clarify here.
Recall that in a graded encoding scheme, there is a universe set \(\mathbb {U}\), and a value a can be encoded at a level \(S \subseteq \mathbb {U}\), denoted by \([a]_S\). Addition, subtraction, and multiplication of encodings are defined provided that the levels satisfy certain restrictions, as follows.

For any \(S \subseteq \mathbb {U}\): \([a_1]_S \pm [a_2]_S := [a_1 \pm a_2]_S\).

For any \(S_1,S_2 \subseteq \mathbb {U}\) such that \(S_1 \cap S_2 = \emptyset \): \([a_1]_{S_1} \cdot [a_2]_{S_2} := [a_1 \cdot a_2]_{S_1 \cup S_2}\).
Further, an encoding \([a]_\mathbb {U}\) at level \(\mathbb {U}\) can be zerotested, which checks whether \(a = 0\).
In the standard ideal graded encoding model, a stateful oracle maintains a table that maps encodings to generic representations called handles. Each handle explicitly specifies the encoding’s level, but is independent of the encoding’s value. All parties have access to these handles, and can generate new handles by querying the oracle with arithmetic operations that satisfy the above restrictions. In addition, all parties may perform a zerotest query on any handle whose level is \(\mathbb {U}\), which returns a bit indicating whether the corresponding value is 0.
Our model also implements these features, but adds new features to more closely capture the power that an adversary has in the nonidealized setting. The most important new feature is that a successful zero test returns a handle to a ring element that can further be manipulated, as opposed to just returning a bit.
We now formally describe the interfaces implemented by the oracle \({\mathcal {M}}\) that defines our model. For concreteness, we define \({\mathcal {M}}\) to explicitly work over the GGH13 ring \({\mathcal {R}}= \mathbb {Z}[X]/(X^\eta +1)\) and the field \(\mathbb {Z}_p \simeq {\mathcal {R}}/\langle g \rangle \) for an appropriate \(g \in {\mathcal {R}}\).
Initialize Parameters. The first step in interacting with \({\mathcal {M}}\) is to initialize it with the security parameter \(\lambda \in \mathbb {N}\). (Jumping ahead, this will be done by the obfuscator.) \({\mathcal {M}}\) defines the ring \({\mathcal {R}}= \mathbb {Z}[X]/(X^\eta +1)\), where \(\eta = \eta (\lambda )\) is chosen as in [GGH13a]. Then, \({\mathcal {M}}\) chooses \(g \in {\mathcal {R}}\) according to the distribution in [GGH13a], and outputs the prime \(p := {\mathcal {R}}/\langle g \rangle  > 2^{\lambda }\). After initializing these parameters, \({\mathcal {M}}\) discards the value of g, and treats g as a formal variable in all subsequent steps.
Initialize Elements. After the parameters have been initialized, \({\mathcal {M}}\) is given a universe set \(\mathbb {U}\) and a set of initial elements \(\left\{ [a_i]_{S_i} \right\} _i\) where \(a_i \in \mathbb {Z}_p\) and \(S_i \subseteq \mathbb {U}\) for each i. For each initial element \([a_i]_{S_i}\), \({\mathcal {M}}\) defines the formal polynomial \(f_i := a_i + g \cdot z_i\) over \(\mathbb {Z}_p\). Here g is a formal variable that is common to all \(f_i\), while \(z_i\) is a “fresh” formal variable^{2} chosen for each \(f_i\). Then \({\mathcal {M}}\) generates a handle \(h_i\) (whose representation explicitly specifies \(S_i\) but is independent of \(a_i\)), and stores the mapping “\(h_i \rightarrow (f_i,S_i)\)” in a table that we call the prezerotest table. Finally, \({\mathcal {M}}\) outputs the set of handles \(\{h_i\}_i\).
Note that storing the formal polynomial \(f_i\) strictly generalizes the standard ideal model which just stores the value \(a_i\). This is because \(a_i\) can always be recovered as the constant term of \(f_i\), and this holds even for subsequent polynomials that are generated from the initial set via the algebraic operations defined next.
The above two initialization interfaces are each executed once, in the order listed; any attempt to execute them out of order or more than once will fail. \({\mathcal {M}}\) also implements the following algebraic interfaces.
Prezerotest Arithmetic. Given two input handles \(h_1,h_2\) and an operation \(\circ \in \{+,,\cdot \}\), \({\mathcal {M}}\) first locates the corresponding polynomials \(f_1, f_2\) and level sets \(S_1,S_2\) in the prezerotest table. If \(h_1\) and \(h_2\) do not both appear in this table, the call to \({\mathcal {M}}\) fails. If the expression is undefined (i.e., \(S_1 \ne S_2\) for \(\circ \in \{+,\}\), or \(S_1 \cap S_2\ne \emptyset \) for \(\circ \in \{\cdot \}\)), the call fails. Otherwise, \({\mathcal {M}}\) computes the formal polynomial \(f := f_1 \circ f_2\) and the level set \(S := S_1 \cup S_2\), generates a new handle h, and stores the mapping “\(h \rightarrow (f,S)\)” in the prezerotest table. Finally, \({\mathcal {M}}\) outputs h.
ZeroTesting. Given an input handle \(h\), \({\mathcal {M}}\) first locates the corresponding polynomial f and level set S in the prezerotest table. If \(h\) does not appear in this table, or if \(S \ne \mathbb {U}\), the call to \({\mathcal {M}}\) fails. If f’s constant term is nonzero (recall that this term is an element of \(\mathbb {Z}_p\)), \({\mathcal {M}}\) outputs the string “nonzero”. If instead f’s constant term is 0, note that f must be divisible by the formal variable g, i.e. g appears in each of f’s monomials. \({\mathcal {M}}\) computes the formal polynomial \(f' := f/g\) over \(\mathbb {Z}_p\), generates a new handle \(h'\), and stores the mapping “\(h' \rightarrow f'\)” in a table that we call the postzerotest table. Finally, \({\mathcal {M}}\) outputs \(h'\).
Postzerotest Arithmetic. Given a set of input handles \(h'_1,\ldots ,h'_m\) and an mvariate polynomial Q over \(\mathbb {Z}\) (represented as an arithmetic circuit), \({\mathcal {M}}\) first locates the corresponding polynomials \(f'_1,\ldots ,f'_m\) in the postzerotest table. If any \(h'_i\) does not appear in this table, the call to \({\mathcal {M}}\) fails. Otherwise, \({\mathcal {M}}\) checks whether \(Q(f'_1,\ldots ,f'_m)\) is nonzero as a polynomial over \(\mathbb {Z}_p\) which is zero modulo the variable g. In other words, \({\mathcal {M}}\) checks that \(Q(f'_1,\ldots ,f'_m)\) contains at least one monomial whose coefficient is not zero modulo p, and that g appears in all such nonzero monomials.^{3} If this check passes, \({\mathcal {M}}\) outputs “WIN”, otherwise it outputs \(\perp \).
Definition 1
A (possibly randomized) adversary interacting with the model \({\mathcal {M}}\) is efficient if it runs in time \(\mathsf {poly}(\lambda )\), and if each Q submitted in a postzerotest query has degree \(2^{o(\lambda )}\). Such an adversary wins if it ever submits a postzerotest query that causes \({\mathcal {M}}\) to output “WIN”.
3 The Obfuscator
We now describe our obfuscator \({\mathcal {O}}\). \({\mathcal {O}}\) is instantiated with two parameters, \(t=t(n,\lambda )\) and \(s=s(n,\lambda )\), that correspond to those in Assumption 1.
 1.
It is forward nonshortcutting, defined below.
 2.
For each \(i \in [m]: {\textsf {inp}}(i)_1 \ne {\textsf {inp}}(i)_2\).
 3.
For each pair \(j \ne k \in [n]\), there exists \(i \in [m]\) such that \({\textsf {inp}}(i) \in \{(j,k),(k,j)\}\).
Definition 2
Step 0: Initialize Model. \({\mathcal {O}}\) first sends the security parameter \(\lambda \) to the model \({\mathcal {M}}\), and receives back a prime p.
Step 1: Pad BP. \({\mathcal {O}}\)’s first modification to BP is to pad it with identity matrices (if necessary) so that it contains a set of t layers \(i_1< \ldots < i_t\) such that \(({\textsf {inp}}(i_1)_1,\ldots ,{\textsf {inp}}(i_t)_1)\) cycles t / n times through [n]. This choice of \({\textsf {inp}}\) is specifically to allow a branching program of the form in Assumption 1 to be transformed into one with input selection function \({\textsf {inp}}(\cdot )_1\). We use \(\ell \le t + m\) to denote the length of the padded branching program.
Step 4: Encode. Finally, \({\mathcal {O}}\) initializes \({\mathcal {M}}\) with the elements of the \(\widehat{A}\) matrices. To do this, it uses the level structure in [BGK+14] constructed from socalled straddling sets. We defer the details to Appendix A, but we remark that this level structure has the property that each “honest evaluation” \(\widehat{BP}(x) = \widehat{A_0} \times \prod _i \widehat{A_{i,x(i)}} \times \widehat{A_{\ell +1}}\) results in an encoding at level \(\mathbb {U}\). This, in combination with the zerotest procedure, allows the obfuscated program to be evaluated.
The final branching program \(\widehat{BP} = {\mathcal {O}}(BP)\) has length \(\ell \) (satisfying \(t \le \ell \le m+t\)) and width \(w+s\). In the proof of Theorem 3, we will use the fact that any branching program of the form in Assumption 1 can be transformed (by padding with identity matrices) into one with length \(\ell \) whose input selection function is the same as \({\textsf {inp}}(\cdot )_1\).
Definition 3
\({\mathcal {O}}\) is secure in the model \({\mathcal {M}}\) of Sect. 2 if, for every BP matching \({\mathcal {O}}\)’s input specification and every efficient adversary \({\mathcal {A}}\) interacting with \({\mathcal {M}}\), \(\Pr [{\mathcal {A}}\) wins\(] < \mathsf {negl}(\lambda )\) when \({\mathcal {M}}\) is initialized by \({\mathcal {O}}(BP)\). (Here the probability is over the randomness of \({\mathcal {O}}\) and \({\mathcal {A}}\).)
4 Security of Our Obfuscator
We first state two definitions, and then state the assumption under which we will prove security. After that, we prove our security theorem.
Definition 4
Let \(f_1,\ldots ,f_m\) be a set of polynomials over some common set of variables. Then an mvariate polynomial Q annihilates \(\{f_i\}_{i\in [m]}\) if \(Q(f_1,\ldots ,f_m)\) is zero as a formal polynomial.
Definition 5
A matrix branching program BP is Lbounded for \(L \in \mathbb {N}\) if every intermediate value computed when evaluating BP on any input is at most L. In particular all of BP’s outputs and matrix entries are \(\le L\).
Our assumption essentially states that no efficiently computable polynomial can annihilate every branching program’s evaluation polynomials on some efficiently computable set of inputs. (The assumption is parameterized by the length t and width s of the branching program.) In the assumption, we implicitly use a more general notion of how a branching program computes a function than was used in the previous section. Namely, the function computed can have range \([2^\lambda ]\) (rather than \({{\{0,1\}}}\)) by taking the output to be the value resulting from multiplying the appropriate vectors and matrices (rather than a bit indicating whether this value is 0).
Assumption 1
The (t, s)branching program unannihilatability (BPUA) assumption. Let \(t = \mathsf {poly}(n,\lambda )\) and \(s = \mathsf {poly}(n,\lambda )\) be parameters. Let \({\mathcal {A}}\) denote a PPT that, on input \((1^n,1^\lambda )\), outputs a \(\mathsf {poly}(\lambda )\)size set \({\mathcal {X}}\subseteq {{\{0,1\}}}^n\) and a \(\mathsf {poly}(\lambda )\)size, \(2^{o(\lambda )}\)degree polynomial Q over \(\mathbb {Z}\).
We observe that Assumption 1 is in particular implied by the existence of PRF in NC\(^1\) secure against P/poly (with t, s related to the size of such PRF).
Theorem 2

is computable by a lengtht/n, widths, \(2^\lambda \)bounded matrix branching program \(BP_k\), and

is secure against nonuniform, polynomialtime adversaries (i.e. secure against P/poly)
Note that we take \(BP_k\)’s matrix entries to be computed as a function of the PRF key k.
Proof
\({\mathcal {A}}'\) simply runs \({\mathcal {A}}\) to get Q and \({\mathcal {X}}\), and computes \(d := Q(O(x)_{x \in {\mathcal {X}}})\ (\bmod \ p)\). Note that \({\mathcal {A}}'\) runs in time \(\mathsf {poly}(\lambda )\) because Q and p both have this size. If O implements \(BP_k\), then \(d = 0\) with probability \(\ge 1/\mathsf {poly}(\lambda )\). To see this, note that \(BP_k\) can be transformed (by padding with identity matrices) into an equivalent branching program of the form in Assumption 1 due to the input selection function there.
On the other hand, if O implements a random function, then since \(p > 2^\lambda \) and deg\((Q) = 2^{o(\lambda )}\), \(d = 0\) with probability \(< \mathsf {negl}(\lambda )\) by the SchwartzZippel lemma.
For further discussion on our assumption, including the plausibility of PRF necessary for Theorem 2, see Sect. 4.2.
4.1 Our Main Theorem
Theorem 3
Let \({\mathcal {O}}\) be the obfuscator from Sect. 3 with parameters t and s. If the (t, s)BPUA assumption holds, \({\mathcal {O}}\) is secure in the model \({\mathcal {M}}\) of Sect. 2.
We note that this theorem also implies that \({\mathcal {O}}\) achieves VBB security in the model from Sect. 2. To see this, first note that the initialization, prezerotest arithmetic, and zerotest interfaces can be simulated with error \(\mathsf {negl}(\lambda )\) exactly as in the proof of [BMSZ16, Theorem 5.1]. Further, a simulator can simply respond to every postzerotest query with \(\perp \), and the additional error introduced by this is bounded by \(\mathsf {negl}(\lambda )\) due to Theorem 3.
Proof
Fix a PPT adversary \({\mathcal {A}}\) and assume for contradiction that, with probability \(\epsilon \ge 1/\mathsf {poly}(\lambda )\), \({\mathcal {A}}\) obtains a set of valid postzerotest handles \(h'_1,\ldots ,h'_m\) and constructs a size\(\mathsf {poly}(\lambda )\), degree\(2^{o(\lambda )}\), mvariate polynomial Q over \(\mathbb {Z}\) such that the postzerotest query \((Q,h'_1,\ldots ,h'_m)\) causes \({\mathcal {M}}\) to output “WIN”. By the definition of \({\mathcal {M}}\), each handle \(h'_j\) must then correspond to a polynomial \(f'_j\) such that \(f_j := g \cdot f'_j\) is a level\(\mathbb {U}\) polynomial in \({\mathcal {M}}\)’s prezerotest table with constant term 0.
Recall that \({\mathcal {M}}\) is initialized with the set of \(\mathbb {Z}_p\) values \(\{a_i\}_i\) from the branching program \(\widehat{BP}\) created by \({\mathcal {O}}(BP)\), and that for each such value \({\mathcal {M}}\) stores a polynomial \(a_i + g \cdot z_i\) with formal variables \(g,z_i\). Thus each \(f_j\) is a \(\mathbb {Z}_p\)polynomial with variables \(g,\{z_i\}_i\). In the following, we use \(\overline{f_j}\) to denote the polynomial over the set of \({\mathcal {M}}\)’s initial elements such that \(\overline{f_j}(\{a_i + g \cdot z_i\}_i) = f_j\).
Decomposing \(\overline{f_j}\). For any input x, let \(\overline{f_x}\) denote the matrix product polynomial that corresponds to evaluating \(\widehat{BP}(x)\), and note that \(\overline{f_x}(\{a_i\}_i) = 0\ (\mathrm {mod}\ p) \Leftrightarrow \widehat{BP}(x) = 0 \Leftrightarrow BP(x) = 0\). The results of [BGK+14, BMSZ16] (summarized in Lemma 1 following this proof) show that, with probability \(1\mathsf {negl}(\lambda )\) over the randomness of \({\mathcal {O}}\), for each \(j \in [m]\) there is a \(\mathsf {poly}(\lambda )\)size set \({\mathcal {X}}_j\) such that: (1) \(\overline{f_j}\) is a linear combination of the polynomials \(\{\overline{f_x}\}_{x \in {\mathcal {X}}_j}\), and (2) \(BP(x) = 0\) for every \(x \in {\mathcal {X}}_j\). (Note that the conditions of the lemma are satisfied, as we can assume wlog that the postzerotest query we are analyzing is the first to which \({\mathcal {M}}\) has responded with “WIN”.)
The set \({\mathcal {X}}_j\) and the coefficients in the linear combination depend only on the structure of \(\overline{f_j}\), and not on \({\mathcal {O}}\)’s randomness. So, more precisely, Lemma 1 says that if \(\overline{f_j}\) is not a linear combination of \(\{\overline{f_x}\}_{x \in {\mathcal {X}}_j}\) for some \({\mathcal {X}}_j\) that satisfies \(\bigwedge _{x \in {\mathcal {X}}_j} (BP(x) = 0)\), then \(f_j = \overline{f_j}(\{a_i + g \cdot z_i\}_i)\) has constant term 0 with probability \(< \mathsf {negl}(\lambda )\) over the randomness of \({\mathcal {O}}\). Thus, we condition on the event that each \(\overline{f_j}\) is decomposable in this way, which has probability \(1\mathsf {negl}(\lambda )\).
We now analyze the structure of the \(f_x^{(1)}\) to show that such a \(Q'\) violates the (t, s)BPUA assumption, which will complete the proof.

\(Q'\) annihilates \(\left\{ f_x^{(1)} \right\} _{x\in {\mathcal {X}}}\) when considered as polynomials in variables Z, R, B, and \(\alpha \) (i.e. when only the A matrices are taken to be \(\mathbb {Z}_p\)values), or

it does not, but with probability \(\epsilon \ge 1/\mathsf {poly}(\lambda )\) over the distribution on R, B, and \(\alpha \), \(Q'\) annihilates the set \(\left\{ f_x^{(1)} \right\} _{x\in {\mathcal {X}}}\) when considered as polynomials in variables Z.
Here and throughout the remainder of the proof, we use the phrase “variables Z” to refer to the set of all variables arising from the Z matrices, and similarly for R, B, and \(\alpha \).
We now show that the first case contradicts the (t, s)BPUA assumption, while the second case is ruled out by the SchwartzZippel lemma.
Case 1: \(Q'\) annihilates \(\left\{ f_x^{(1)} \right\} _{x\in {\mathcal {X}}}\) as polynomials in variables Z, R, B, and \(\alpha \). Because we can write \(f_x^{(1)} = d_x + \alpha _0 \cdot d'_x\), where \(d_x\) does not contain the variable \(\alpha _0\), if \(Q'\) annihilates \(\left\{ f_x^{(1)} \right\} _{x\in {\mathcal {X}}}\) as polynomials in variables Z, R, B, and \(\alpha \), it must also annihilate \(\{d_x\}_{x\in {\mathcal {X}}}\).
However, this contradicts the (t, s)BPUA assumption: by construction of \({\textsf {inp}}\) and \(\ell \) in Sect. 3, any branching program of the form in Assumption 1 can be embedded into the B matrices, and thus there is an efficiently computable distribution on degree\(2^{o(\lambda )}\) polynomials that annihilates all such branching programs with probability \({\ge }1/\mathsf {poly}(\lambda )\).
Case 2: \(\Pr _{R,B,\alpha } \left[ Q' \text{ annihilates } \left\{ f_x^{(1)} \right\} _{x\in {\mathcal {X}}} \text{ as } \text{ polynomials } \text{ in } \text{ variables } Z\right] \ge 1/\mathsf {poly}(\lambda )\). If Case 1 does not hold, then \(Q'(\lbrace f_x^{(1)}\rbrace _{x\in {\mathcal {X}}})\) must contain some nonzero monomial. View this monomial as being over the variables g and Z, whose coefficient is a nonzero polynomial \(\gamma \) of degree \(2^{o(\lambda )}\) in variables R, B, and \(\alpha \). (The degree bound on \(\gamma \) comes from the fact that \(Q'\) has degree \(2^{o(\lambda )}\) and each \(f_x^{(1)}\) has degree \(\mathsf {poly}(\lambda )\).)
If Case 2 holds, we must have \(\Pr _{R,B,\alpha } \left[ \gamma (R,B,\alpha ) = 0\right] \ge 1/\mathsf {poly}(\lambda )\). However, this contradicts the SchwartzZippel lemma, because we are working over the field \(\mathbb {Z}_p\) with \(p > 2^\lambda \), and the distribution on the variables \(R,B,\alpha \) is \(2^{\varOmega (\lambda )}\)close to each being uniform and independent. Indeed, the distributions on the B variables are uniform over \(\mathbb {Z}_p\), the distributions on the \(\alpha \) variables are uniform over \(\mathbb {Z}_p {\setminus } \{0\}\), and the distributions on the R variables are uniform over \(\mathbb {Z}_p\) conditioned on each matrix \(R_i\) being nonsingular.
We now prove the lemma that was used in the proof of Theorem 3. We will need the following result from [BMSZ16]. Recall that \(\overline{f_x}\) denotes the matrix product polynomial that corresponds to evaluating \(\widehat{BP}(x)\).
Theorem 4
([BMSZ16]). Fix \(x \in {{\{0,1\}}}^n\), and consider the following matrices from Sect. 3: \(A'_i := A'_{i,x(i)}\), \(\widehat{A}_i := \widehat{A}_{i,x(i)}\), and \(R_i\). Consider also a polynomial f in the entries of the \(\widehat{A}\) matrices in which each monomial contains at most one variable from each \(\widehat{A_i}\). Let \(f'\) be the polynomial derived from f after making the substitution \(\widehat{A_i} = R^{adj}_{i1} \times A'_i \times R_i\), and suppose that \(f'\) is identically 0 as a polynomial over the \(R_i\).
Then either f is identically zero as a polynomial over its formal variables (namely the \(\widehat{A_i}\)), or else f is a constant multiple of the matrix product polynomial \(\overline{f_x} = \widehat{A_0}\times \cdots \times \widehat{A_{\ell +1}}\).
We remark that the proof of this theorem requires that the \(A'\) matrices form a nonshortcutting branching program (see Definition 2), and that for us this is implied by the distribution on the B matrices and the fact that A is forward nonshortcutting.
Lemma 1
Let BP be any forwardnonshortcutting branching program, and let the model \({\mathcal {M}}\) from Sect. 2 be initialized by the obfuscator \({\mathcal {O}}(BP)\) with parameters t, s as described in Sect. 3.
Let \({\mathcal {A}}\) be an efficient adversary interacting with \({\mathcal {M}}\), and let \(\{h_j\}_{j\in [m]}\) be the set of all handles \({\mathcal {A}}\) has received that map to a level\(\mathbb {U}\) polynomial with constant term 0 in \({\mathcal {M}}\)’s prezerotest table; denote these polynomials by \(\{f_j\}_{j\in [m]}\). Assume that \({\mathcal {A}}\) has not received “WIN” in response to any postzerotest query.
Then with probability \(1\mathsf {negl}(\lambda )\) over the randomness of \({\mathcal {O}}\), there exist \(\mathsf {poly}(\lambda )\)size sets \({\mathcal {X}}_1,\ldots ,{\mathcal {X}}_m\) such that: (1) for each \(j \in [m]\), \(f_j\) is a linear combination of the polynomials \(\{\overline{f_x}\}_{x\in {\mathcal {X}}_j}\), and (2) for each \(j \in [m]\) and each \(x \in {\mathcal {X}}_j\), \(BP(x) = 0\).
Proof
The proof follows the analysis of [BMSZ16, Theorem 5.1], which builds on [BGK+14]. We assume that the lemma’s conclusion holds for \(f_1,\ldots ,f_{m1}\), and prove that it holds for \(f_m\) with probability \(1\mathsf {negl}(\lambda )\). This inductively implies the lemma.
Notice that \(f_m\) has constant term 0 iff \(\overline{f_m}(\{a_i\}_i) = 0\). Then following the [BGK+14, Sect. 6] analysis, the independence of the \(\alpha _{i,b_1,b_2}\) randomization variables along with the fact that \(\overline{f_m}(\{a_i\}_i) = 0\) implies \(\Pr [\exists x \in {\mathcal {X}}_m: f_{m,x}(\{a_i\}_i) \ne 0] < \mathsf {negl}(\lambda )\), where the probability is over \({\mathcal {O}}\)’s randomness. Assume for the remainder that \(f_{m,x}(\{a_i\}_i) = 0\) for all \(x \in {\mathcal {X}}_m\), which occurs with probability \(1\mathsf {negl}(\lambda )\).
Consider the moment just before \({\mathcal {A}}\) submits the handle \(h_m\) (corresponding to \(f_m\)) for zerotesting. At this point, since we assume the lemma’s conclusion holds for \(f_1,\ldots ,f_{m1}\) and that \({\mathcal {A}}\) has never received “WIN” in response to any postzerotest query, \({\mathcal {A}}\)’s view can be completely derived from the set \(\{ BP(x)\ \ x \in \bigcup _{j \in [m1]} {\mathcal {X}}_j \}\). In particular, \({\mathcal {A}}\)’s view is independent of the randomness generated by \({\mathcal {O}}\).
Now fix some \(x\in {\mathcal {X}}_m\). The values \(\{a_i\}_i\) are generated by \({\mathcal {O}}\) from the original branching program BP by choosing the randomization matrices R and the other randomization values \(\alpha ,B\), and performing the computation described in Sect. 3. We can thus view \(f_{m,x}\) as a polynomial \(f'_{m,x}\) over the R variables whose coefficients are polynomials in the variables \(\alpha ,B\). Then because \(f_{m,x}\) only has variables from matrices corresponding to input x and is not identically zero, Theorem 4 implies that either \(f_{m,x}\) is a constant multiple of \(\overline{f_x}\), or else \(f'_{m,x}\) is not the identically zero polynomial.
Because we assume \(f_{m,x}(\{a_i\}_i) = 0\) for the particular sample of \(\{a_i\}_i\) generated by \({\mathcal {O}}\), if \(f'_{m,x}\) is not identically zero, then one of two things must have occurred. Either every coefficient of \(f'_{m,x}\) became 0 after the choice of \(\alpha ,B\), or some choice of \(\alpha ,B\) yields a fixed \(\mathbb {Z}_p\)polynomial that evaluated to 0 on the choice of the R matrices. However, both of these events have probability \(1\mathsf {negl}(\lambda )\) by the SchwartzZippel lemma. Thus, since \({\mathcal {A}}\)’s view (and in particular \(f'_{m,x}\)) is independent of \({\mathcal {O}}\)’s randomness, we conclude that with probability \(1\mathsf {negl}(\lambda )\), \(f_{m,x}\) is a constant multiple of \(\overline{f_x}\).
Finally, note that if \(f_{m,x}\) is a (nonzero) constant multiple of \(\overline{f_x}\) and if \(f_{m,x}(\{a_i\}_i) = 0\), then \(\overline{f_x}(\{a_i\}_i) = 0\), which is equivalent to \(BP(x) = 0\).
4.2 Further Discussion of Our Assumption
We first note that PRFs such as those in the statement of Theorem 2 can be constructed from any boolean NC\(^1\) PRF, provided \(s \ge 5\lambda \) and t is a sufficiently large polynomial. The idea is to take \(\lambda \) copies of a width5, lengtht boolean PRF (constructed via [Bar86]), scale the ith copy by \(2^i\) for \(i = 0,\ldots ,\lambda 1\), and put them into a blockdiagonal BP of width \(5\lambda \) with appropriate bookend vectors to sum the scaled copies.
We note that for complicated programs whose length is already larger than t, the overhead for protecting against zeroizing attacks is mainly due to increasing the width by s. The multiplicative overhead is thus \((w+s)^2/w^2\) where w is the original width of the branching program. Thus, for many applications, it is likely best to minimize s, potentially at the expense of a slightly larger t. Next, we describe how to modify the above idea to obtain a branching program of constant width.
Varying the Assumption Strength. We also note that, based on whether we wish t, s to be polynomial, logarithmic, or constant, we can obtain assumptions of varying strength. For example, we can have the following.
Assumption 5
(The \(\mathsf {poly}/\mathsf {poly}\) BPUA Assumption). There exist polynomials t, s such that the (t, s)BPUA assumption holds.
Assumption 6
(The \(\mathsf {poly}/\mathsf {const}\) BPUA Assumption). There exists polynomial t and constant s such that the (t, s)BPUA assumption holds.
Assumption 7
(The \(\mathsf {polylog}/\mathsf {const}\) BPUA Assumption). There exists polylogarithmic t and constant s such that the (t, s)BPUA assumption holds.
We can thus get a tradeoff between efficiency and assumption strength  stronger assumptions (those with smaller s and t) very naturally correspond to more efficient obfuscators.
Dual Input Assumptions. We could have similarly made dualinput versions of the above assumptions. However, we observe that the single input and dual input variants are equivalent, up to constant factors in t and s.
In particular, any single input branching program of length t and width s can be turned into a dual input program of length t/2 and width s by premultiplying branching program matrices. That is, set \(A'_{i,b_0,b_1}=A_{2i1,b_0}\cdot A_{2i,b_1}\) and \({\textsf {inp}}_b(i)={\textsf {inp}}(2ib)\).
5 Security in an Alternative Model
In this section, we define a second model for weak multilinear maps, and we show that the proof of Theorem 3 can be modified to give security in this model as well. The main difference as compared to the model in Sect. 2 is that this model no longer treats the \(z_i\) as formal variables, but instead considers \(z_i\) sampled in some fashion by the encoding procedure.
We now formally describe the interfaces implemented by the oracle \({\mathcal {M}}\) that defines our model. For concreteness, we define \({\mathcal {M}}\) to explicitly work over the GGH13 ring \({\mathcal {R}}= \mathbb {Z}[X]/(X^\eta +1)\) and the field \(\mathbb {Z}_p \simeq {\mathcal {R}}/\langle g \rangle \) for an appropriate \(g \in {\mathcal {R}}\).
\({\mathcal {M}}\) is parameterized by a family of distributions \(\{D_{p,\{a_i\}_{i\in [n]}}\}\) for prime p and sets of integers \(\{a_i\}_{i\in [n]}\subseteq \mathbb {Z}_p\) of size n. Each \(D_{p,\{a_i\}_{i\in [n]}}\) is a product distribution \(D_1\times \cdots \times D_n\) where the \(D_i\) are distributions over \(\mathbb {Z}_p\).
Initialize Parameters. This is identical to the model of Sect. 2. The first step in interacting with \({\mathcal {M}}\) is to initialize it with the security parameter \(\lambda \in \mathbb {N}\). (Jumping ahead, this will be done by the obfuscator.) \({\mathcal {M}}\) defines the ring \({\mathcal {R}}= \mathbb {Z}[X]/(X^\eta +1)\), where \(\eta = \eta (\lambda )\) is chosen as in [GGH13a]. Then, \({\mathcal {M}}\) chooses \(g \in {\mathcal {R}}\) according to the distribution in [GGH13a], and outputs the prime \(p := {\mathcal {R}}/\langle g \rangle  > 2^{\lambda }\). After initializing these parameters, \({\mathcal {M}}\) discards the value of g, and treats g as a formal variable in all subsequent steps.
Initialize Elements. After the parameters have been initialized, \({\mathcal {M}}\) is given a universe set \(\mathbb {U}\) and a set of initial elements \(\left\{ [a_i]_{S_i} \right\} _i\) where \(a_i \in \mathbb {Z}_p\) and \(S_i \subseteq \mathbb {U}\) for each i. \({\mathcal {M}}\) then samples a set of ring elements \(\{z_i\}\) from \(D_{p,\{a_i\}}\).
\({\mathcal {M}}\) defines the formal polynomial \(f_i := a_i + g \cdot z_i\) over \(\mathbb {Z}_p\). Here g is a formal variable that is common to all \(f_i\). Then \({\mathcal {M}}\) generates a handle \(h_i\) (whose representation explicitly specifies \(S_i\) but is independent of \(a_i\)), and stores the mapping “\(h_i \rightarrow (f_i,S_i)\)” in a table that we call the prezerotest table. Finally, \({\mathcal {M}}\) outputs the set of handles \(\{h_i\}_i\).
The above two initialization interfaces are each executed once, in the order listed; any attempt to execute them out of order or more than once will fail. The only difference with the model in Sect. 2 is that the \(z_i\) are no longer formal variables, but are now actual ring elements.
\({\mathcal {M}}\) also implements the following algebraic interfaces.
Prezerotest Arithmetic. Given two input handles \(h_1,h_2\) and an operation \(\circ \in \{+,,\cdot \}\), \({\mathcal {M}}\) first locates the corresponding polynomials \(f_1, f_2\) and level sets \(S_1,S_2\) in the prezerotest table. If \(h_1\) and \(h_2\) do not both appear in this table, the call to \({\mathcal {M}}\) fails. If the expression is undefined (i.e., \(S_1 \ne S_2\) for \(\circ \in \{+,\}\), or \(S_1 \cap S_2\ne \emptyset \) for \(\circ \in \{\cdot \}\)), the call fails. Otherwise, \({\mathcal {M}}\) computes the formal polynomial \(f := f_1 \circ f_2\) and the level set \(S := S_1 \cup S_2\), generates a new handle h, and stores the mapping “\(h \rightarrow (f,S)\)” in the prezerotest table. Finally, \({\mathcal {M}}\) outputs h.
ZeroTesting. Given an input handle \(h\), \({\mathcal {M}}\) first locates the corresponding polynomial f and level set S in the prezerotest table. If \(h\) does not appear in this table, or if \(S \ne \mathbb {U}\), the call to \({\mathcal {M}}\) fails. If f’s constant term is nonzero (recall that this term is an element of \(\mathbb {Z}_p\)), \({\mathcal {M}}\) outputs the string “nonzero”. If instead f’s constant term is 0, note that f must be divisible by the formal variable g, i.e. g appears in each of f’s monomials. \({\mathcal {M}}\) computes the formal polynomial \(f' := f/g\) over \(\mathbb {Z}_p\), generates a new handle \(h'\), and stores the mapping “\(h' \rightarrow f'\)” in a table that we call the postzerotest table. Finally, \({\mathcal {M}}\) outputs \(h'\).
Postzerotest Arithmetic. Given a set of input handles \(h'_1,\ldots ,h'_m\) and an mvariate polynomial Q over \(\mathbb {Z}\) (represented as an arithmetic circuit), \({\mathcal {M}}\) first locates the corresponding polynomials \(f'_1,\ldots ,f'_m\) in the postzerotest table. If any \(h'_i\) does not appear in this table, the call to \({\mathcal {M}}\) fails. Otherwise, \({\mathcal {M}}\) checks whether \(Q(f'_1,\ldots ,f'_m)\) is nonzero as a polynomial over \(\mathbb {Z}_p\) which is zero modulo the variable g. In other words, \({\mathcal {M}}\) checks that the constant term of \(Q(f'_1,\ldots ,f'_m)\) is 0, but that some other coefficient is nonzero. If this check passes, \({\mathcal {M}}\) outputs “WIN”, otherwise it outputs \(\perp \).
Definition 6
A (possibly randomized) adversary interacting with the model \({\mathcal {M}}\) is efficient if it runs in time \(\mathsf {poly}(\lambda )\), and if each Q submitted in a postzerotest query has degree \(2^{o(\lambda )}\). Such an adversary wins if it ever submits a postzerotest query that causes \({\mathcal {M}}\) to output “WIN”.
Definition 7
Let \(O=\{O_p\}\) be a (family of) distributions over initial elements \(\left\{ [a_i]_{S_i} \right\} _{i\in [n]}\). Consider model \({\mathcal {M}}\) parameterized by distribution family \(\{D_{p,\{a_i\}_{i\in [n]}}\}\). \({\mathcal {M}}\) satisfies the unpredictability probability relative to O if the following holds. For each \(i\in [n]\), the expected guessing probability of \(z_i\) drawn from \(D_{p,\{a_i\}_{i\in [n]}}\) (where the expectation is over the choice of \(\{a_i\}_{i\in [n]}\)) is at most \(2^{\varOmega (\lambda )}\).
The above definition captures the fact that in GGH13 encodings, the \(z_i\) elements are chosen with minentropy at least \(\varOmega (\lambda )\), yielding a guessing probability of \(2^{\varOmega (\lambda )}\). This holds even in the “low noise” variants, due to the large dimensional space that the \(z_i\) are drawn from. As required by GGH13, our definition allows the \(z_i\) to depend on \(a_i\); however we allow for an even more general condition where the \(z_i\) can depend on all of the \(\{a_j\}\). Moreover, we only require the guessing probability to be small on average.
5.1 A New Variant of the SchwartzZippel Lemma
We now prove a generalization of the SchwartzZippel lemma, which will allow us to prove security in the alternative model described above. The standard SchwartzZippel lemma applies to variables chosen independently and uniformly from some (possibly restricted) set. Here, we instead allow the variables to be chosen from arbitrary distributions with sufficient minentropy, and we even allow some correlations among the variables.
Lemma 2
Proof

\(P_{X_1,\dots ,X_{n1}}\) is identically zero. Let \(e_0\) be the probability of this event. Let \(e_{\ne 0}=1e_0\) be the probability that \(P_{X_1,\dots ,X_{n1}}\) is not identically zero

\(P_{X_1,\dots ,X_{n1}}\) is not identically zero, and \(X_n\) is a root of \(P_{X_1,\dots ,X_{n1}}\).
Let \(q_0\) be the expectation of \(p_n(X_1,\dots ,X_{n1})\) conditioned on \(P_{X_1,\dots ,X_{n1}}\) being identically 0, and let \(q_{\ne 0}\) be the expectation conditioned on \(P_{X_1,\dots ,X_{n1}}\) not being identically 0. Note that \(p_n = e_0 q_0+e_{\ne 0} q_{\ne 0}\). Also, not that \(q_0,q_{\ne 0}\ge 0\). Therefore, \(e_{\ne 0} q_{\ne 0} \le p_n\).
The coefficient of \(x_n^{d_n}\) in \(P_{X_1,\dots ,X_{n1}}\) is a polynomial of total degree at most \(dd_n\) in \(X_1,\dots ,X_{n1}\). If \(d_n=d\), the coefficient is actually a constant and must be nonzero (with probability 1). In the case \(d_n < d\), we can apply the inductive hypothesis to bound the probability that this coefficient is 0 by \((dd_n) p_{\max }\). Thus, in either case, the probability \(e_0\) that \(P_{X_1,\dots ,X_{n1}}\) is identically 0 is at most \((dd_n) p_{\max }\).
We now bound the probability that \(P_{X_1,\dots ,X_{n1}}\) is not identically zero, and \(X_n\) is a root of \(P_{X_1,\dots ,X_{n1}}\). Since \(P_{X_1,\dots ,X_{n1}}\) is not identically 0 and has degree at most \(d_n\), there are at most \(d_n\) roots. Thus, the probability that \(X_n\) is a root is at most \(d_n p_n(X_1,\dots ,X_{n1})\). Taking the expectation conditioned on \(P_{X_1,\dots ,X_{n1}}\) being not identically 0, we get a bound of \(d_n q_{\ne 0}\) on the probability that \(P=0\) conditioned on \(P_{X_1,\dots ,X_{n1}}\) being identically 0. The joint probability is therefore at most \(e_{\ne 0} d_n q_{\ne 0}\le d_n p_n\le d_n p_{\max }\).
Putting everything together, the probability that \(P=0\) is at most \((dd_n) p_{\max } + d_n p_{\max }=d p_{\max }\).
5.2 Security in the Alternative Model
Security in the alternative model is given by the following theorem. We note that, analagously to Sect. 4, this theorem also implies that \({\mathcal {O}}\) achieves VBB security in the alternative model.
Theorem 8
Let \({\mathcal {O}}\) be the obfuscator from Sect. 3 with parameters t and s. Let \({\mathcal {M}}\) be the model defined above, parameterized by some distribution family \(\{D_{p,\{a_i\}_{i\in [n]}}\}\). If the (t, s)BPUA assumption holds, and if \({\mathcal {M}}\) satisfies the unpredictability property relative to the elements outputted by \({\mathcal {O}}\), then \({\mathcal {O}}\) is secure in the model \({\mathcal {M}}\).
The proof of Theorem 8 follows the proof of Theorem 3 almost exactly, with the only difference being that, when analyzing Case 2, we apply Lemma 2 instead of the standard SchwartzZippel lemma. We omit further details.
Footnotes
 1.
For simplicity we abuse notations of branching programs, in that it outputs a ring element instead of a bit. It is straightforward to embed multiple branching programs into one to achieve this effect.
 2.
Here and for the remainder of the paper, we use \(z_i\) rather than \(r_i\) to denote the randomization values in GGH13 encodings, to avoid conflicting with the random matrices R chosen by the obfuscator. We will not need to work with the GGH13 level denominators, which were previously denoted by \(z_i\).
 3.
Note that this corresponds to finding a nontrivial element in the ideal \(\langle g \rangle \).
 4.
 5.
References
 [AGIS14]Ananth, P., Gupta, D., Ishai, Y., Sahai, A.: Optimizing obfuscation: avoiding Barrington’s theorem. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 646–658 (2014)Google Scholar
 [AJN+16]Ananth, P., Jain, A., Naor, M., Sahai, A., Yogev, E.: Universal constructions and robust combiners for indistinguishability obfuscation and witness encryption. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 491–520. Springer, Heidelberg (2016). doi: 10.1007/9783662530085_17 CrossRefGoogle Scholar
 [App14]Applebaum, B.: Bootstrapping obfuscators via fast pseudorandom functions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 162–172. Springer, Heidelberg (2014). doi: 10.1007/9783662456088_9 Google Scholar
 [Bar86]Mix Barrington, D.A.: Boundedwidth polynomialsize branching programs recognize exactly those languages in NC1. In: STOC (1986)Google Scholar
 [BGH+15]Brakerski, Z., Gentry, C., Halevi, S., Lepoint, T., Sahai, A., Tibouchi, M.: Cryptanalysis of the quadratic zerotesting of GGH. Cryptology ePrint Archive, Report 2015/845 (2015). http://eprint.iacr.org/
 [BGI+01]Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). doi: 10.1007/3540446478_1 CrossRefGoogle Scholar
 [BGI+12]Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 [BGJ+15]Bitansky, N., Goldwasser, S., Jain, A., Paneth, O., Vaikuntanathan, V., Waters, B.: Timelock puzzles from randomized encodings. Cryptology ePrint Archive, Report 2015/514 (2015). http://eprint.iacr.org/
 [BGK+14]Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014). doi: 10.1007/9783642552205_13 CrossRefGoogle Scholar
 [BLR+15]Boneh, D., Lewi, K., Raykova, M., Sahai, A., Zhandry, M., Zimmerman, J.: Semantically secure orderrevealing encryption: multiinput functional encryption without obfuscation. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 563–594. Springer, Heidelberg (2015). doi: 10.1007/9783662468036_19 Google Scholar
 [BMSZ16]Badrinarayanan, S., Miles, E., Sahai, A., Zhandry, M.: Postzeroizing obfuscation: new mathematical tools, and the case of evasive circuits. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 764–791. Springer, Heidelberg (2016). doi: 10.1007/9783662498965_27 CrossRefGoogle Scholar
 [BR14]Brakerski, Z., Rothblum, G.N.: Virtual blackbox obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 1–25. Springer, Heidelberg (2014). doi: 10.1007/9783642542428_1 CrossRefGoogle Scholar
 [BWZ14]Boneh, D., Wu, D.J., Zimmerman, J.: Immunizing multilinear maps against zeroizing attacks. Cryptology ePrint Archive, Report 2014/930 (2014). http://eprint.iacr.org/
 [CGH+15]Coron, J.S., et al.: Zeroizing without lowlevel zeroes: new MMAP attacks and their limitations. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 247–266. Springer, Heidelberg (2015). doi: 10.1007/9783662479896_12 CrossRefGoogle Scholar
 [CHL+15]Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). doi: 10.1007/9783662468005_1 Google Scholar
 [Cle88]Cleve, R.: Computing algebraic formulas with a constant number of registers. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC 1988, pp. 254–257. ACM, New York (1988)Google Scholar
 [CLR15]Cheon, J.H., Lee, C., Ryu, H.: Cryptanalysis of the new CLT multilinear maps. Cryptology ePrint Archive, Report 2015/934 (2015). http://eprint.iacr.org/
 [CLT13]Coron, J.S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013). doi: 10.1007/9783642400414_26 CrossRefGoogle Scholar
 [CLT15]Coron, J.S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 267–286. Springer, Heidelberg (2015). doi: 10.1007/9783662479896_13 CrossRefGoogle Scholar
 [GGH13a]Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). doi: 10.1007/9783642383489_1 CrossRefGoogle Scholar
 [GGH+13b]Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)Google Scholar
 [GGH15]Gentry, C., Gorbunov, S., Halevi, S.: Graphinduced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). doi: 10.1007/9783662464977_20 CrossRefGoogle Scholar
 [GMS16]Garg, S., Mukherjee, P., Srinivasan, A.: Obfuscation without the vulnerabilities of multilinear maps. Cryptology ePrint Archive, Report 2016/390 (2016). http://eprint.iacr.org/
 [Hal15]Halevi, S.: Graded encoding, variations on a scheme. IACR Cryptology ePrint Archive, 2015:866 (2015)Google Scholar
 [HJ15]Hu, Y., Jia, H.: Cryptanalysis of GGH map. IACR Cryptology ePrint Archive, 2015:301 (2015)Google Scholar
 [Kil88]Kilian, J.: Founding cryptography on oblivious transfer. In: STOC, pp. 20–31 (1988)Google Scholar
 [MF15]Minaud, B., Fouque, P.A.: Cryptanalysis of the new multilinear map over the integers. Cryptology ePrint Archive, Report 2015/941 (2015). http://eprint.iacr.org/
 [MSW14]Miles, E., Sahai, A., Weiss, M.: Protecting obfuscation against arithmetic attacks. IACR Cryptology ePrint Archive, 2014:878 (2014)Google Scholar
 [MSZ16a]Miles, E., Sahai, A., Zhandry, M.: Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 629–658. Springer, Heidelberg (2016). doi: 10.1007/9783662530085_22 CrossRefGoogle Scholar
 [MSZ16b]Miles, E., Sahai, A., Zhandry, M.: Secure obfuscation in a weak multilinear map model: a simple construction secure against all known attacks. Cryptology ePrint Archive, Report 2016/588 (2016). http://eprint.iacr.org/2016/588
 [PST14]Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semanticallysecure multilinear encodings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 500–517. Springer, Heidelberg (2014). doi: 10.1007/9783662443712_28 CrossRefGoogle Scholar