Indistinguishability Obfuscation from SXDH on 5-Linear Maps and Locality-5 PRGs
Abstract
Two recent works [Lin, EUROCRYPT 2016, Lin and Vaikuntanathan, FOCS 2016] showed how to construct Indistinguishability Obfuscation (IO) from constant-degree multilinear maps. However, the concrete degrees of multilinear maps used in their constructions exceed 30. In this work, we reduce the degree of multilinear maps needed to 5, by giving a new construction of IO from asymmetric L-linear maps and a pseudorandom generator (PRG) with output locality L and polynomial stretch. When plugging in a candidate PRG with locality 5 (e.g., [Goldreich, ECCC 2010, Mossel, Shpilka, and Trevisan, FOCS 2013, O’Donnell and Witmer, CCC 2014]), we obtain a construction of IO from 5-linear maps.
Our construction improves the state of the art on two other fronts: First, it relies on “classical” multilinear maps, instead of their powerful generalization, graded encodings. Second, it comes with a security reduction to (i) the SXDH assumption on algebraic multilinear maps [Boneh and Silverberg, Contemporary Mathematics, Rothblum, TCC 2013], (ii) the security of the PRG, and (iii) LWE, all with subexponential hardness. The SXDH assumption is weaker and/or simpler than the assumptions on multilinear maps underlying previous IO constructions. When noisy multilinear maps [Garg et al., EUROCRYPT 2013] are used instead, security is based on a family of more complex assumptions that hold in the generic model.
Keywords
Pseudorandom Generator (PRG), Multilinear Maps, Graded Encoding, Security Reduction, Inner-product Encryption (IPE)
1 Introduction
Indistinguishability obfuscation, defined first in the seminal work of Barak et al. [11], aims to transform programs into “unintelligible” ones while preserving functionality. IO is an extraordinarily powerful object and has been used as a central tool for obtaining a plethora of new cryptographic constructions, solutions to long-standing open problems, and techniques enabling new cryptographic goals.
Unfortunately, so far, the existence of IO remains uncertain. Most known candidate IO schemes [5, 7, 10, 17, 25, 27, 30, 33, 46, 49, 53] are built from the so-called graded encoding schemes [26], a framework of complex algebraic structures that, in essence, enables evaluating polynomial-degree polynomials on secret encoded values and revealing whether the output is zero or not. The security of most IO candidates is either analyzed in the ideal model or based on strong uber assumptions [49], with only one exception [33]. On the front of instantiating graded encodings from concrete mathematical objects, the state of affairs is even more worrisome: Vulnerabilities have been demonstrated in all instantiations proposed so far [21, 22, 26, 31, 39]. Of course, this does not mean that the resulting IO constructions are insecure. In fact, this has motivated the search for IO constructions that withstand all existing attacks [29].
The trajectory of recent developments points towards the holy grail of “building IO from bilinear maps”. In this work, we make new strides in this direction: We give a new construction of IO from asymmetric L-linear maps and a PRG with output locality L (i.e., every output bit depends on at most L input bits). When plugging in a candidate PRG with locality 5 from the literature [34, 47, 48], we obtain a construction of IO from 5-linear maps. This gets the degree of multilinear maps needed for IO much closer to the dream version of 2. In comparison, previous IO constructions [41, 44] rely on multilinear maps with degree at least 30. On the other hand, no PRGs with locality 4 exist [23, 47]. Thus, our approach hits a barrier and cannot base IO on multilinear maps with degree \(L \le 4\). This barrier is common to recent IO constructions [41, 44] and suggests that we need new techniques circumventing the lower bound on the locality of PRGs.
In addition to reducing the degree of multilinear maps, our IO construction improves the state of the art on two other fronts. First, our construction uses the classical asymmetric multilinear maps introduced in [15, 50], which are direct generalizations of bilinear pairing groups to higher degree. Previous constructions rely on graded encodings, which are enhanced versions of multilinear maps with more powerful functionalities (such as supporting complex label structures). Second, the security of our IO scheme is based on the subexponential SXDH assumption on L-linear maps, the subexponential security of PRGs, and subexponential LWE. The SXDH assumption on multilinear maps is much simpler and/or weaker than the assumptions on graded encodings underlying previous IO constructions, for instance, the joint-SXDH assumption in [44] and the multilinear subgroup elimination assumption in [33].
1.1 Our Results
We start with defining the SXDH assumption on multilinear maps and then describe our results.
SXDH on Multilinear Maps. Asymmetric multilinear pairing groups introduced in [15, 50] generalize asymmetric bilinear pairing maps to a collection of source groups \(G_1, \cdots , G_D\), whose elements can be paired to produce elements in a target group \(G_T\) via a multilinear map \(e(g_1^{a_1}, \cdots , g_D^{a_D}) = g^{a_1\cdots a_D}_{T}\). The degree (a.k.a. multilinearity) of the multilinear map is the number of elements that can be paired together, which equals the number of source groups D. We say that the multilinear pairing groups have prime order if all source groups and the target group have the same prime order, and composite order if all groups have the same composite order. In this work, we consider constant-degree multilinear pairing groups, and in particular 5-linear pairing groups, with either prime or composite order. We omit specifying the order of groups below.
Multilinear Maps vs. Graded Encodings. The interface of (asymmetric) multilinear pairing groups is much simpler than that of graded encoding schemes introduced by [26]. First, graded encoding schemes support graded multiplication over a collection of groups \(\{ {G_l} \}\): Graded multiplication can pair elements of two groups \(G_{l_1}, G_{l_2}\), indexed by two labels \(l_1, l_2\), to produce an element in the group \(G_{l_1 + l_2}\), indexed by label \(l_1+l_2\).^{1} In particular, the output element in \(G_{l_1+l_2}\) can be further paired with elements in other groups to produce elements in group \(G_{l_1 + l_2 + l_3 + \cdots }\) and so on. In contrast, a multilinear map allows only “one-shot” multiplication, where the output element belongs to the target group \(G_T\) and cannot be paired anymore. Second, graded encoding schemes support the notion of “pairable groups” in the sense that only elements from groups \(G_{l_1}, G_{l_2}\) that satisfy a “pairable” relation can be paired.^{2}
The support for graded multiplication between pairable groups provides powerful capabilities. In essence, GES allows one to “engineer” the labels of a set of group elements \(\{ {g^{a_i}_{l_i}} \}\), so that only polynomials of certain specific forms can be evaluated on the values in the exponent. In contrast, the simple interface of multilinear maps does not provide such capabilities.
SXDH vs. Joint-SXDH. Lin and Vaikuntanathan introduced the joint-SXDH assumption on graded encoding schemes, and showed that IO for \(\mathsf {P/poly} \) can be based on subexponential joint-SXDH and PRG in \(\mathsf {NC} ^0\). Their joint-SXDH assumption strengthens the SXDH assumption as follows: It considers the joint distribution of elements \((g_l^a, g_l^b, g_l^{ab})_{l \in S}\) in a set S of groups. The intuition is that as long as no pair of groups \(G_{l_1}, G_{l_2}\) in the set S is pairable, in the same spirit as SXDH, the distribution is possibly indistinguishable from the joint distribution of elements \((g_l^a, g_l^b, g_l^{r})_{l \in S}\) in the same set of groups.^{3} The joint-SXDH assumption is more complex and potentially stronger than the SXDH assumption.
Our Main Result: IO from SXDH on L-Linear Maps and Locality-L PRGs
Theorem 1
(Main Theorem). Let L be any positive integer. Assume the subexponential hardness of LWE with subexponential modulus-to-noise ratio. Then, IO for \(\mathsf {P/poly} \) is implied by the subexponential SXDH assumption on L-linear pairing groups, and the existence of a subexponentially secure locality-L PRG with polynomial \(n^{1+\varepsilon }\)-stretch for some \(\varepsilon > 0\).
We note that the subexponential hardness of SXDH and PRG required by our theorem is weaker than the standard notion of subexponential hardness of decisional problems, in the sense that we only require the distinguishing gap to be subexponentially small against polynomial-time adversaries, as opposed to subexponential-time adversaries.
Our result establishes a direct and tight connection between the degree D of multilinear maps needed for constructing IO and the locality L of PRGs—they are the same, \(D = L\)—assuming subexponential LWE. In comparison, the previous state of the art [44] requires the degree of the multilinear map to be much larger, namely \(D > 6L\). Thus, when plugging in a PRG of locality 5, their construction requires at least 30-linear maps, whereas our construction relies on 5-linear maps.
Step 1: Bootstrapping IO from Locality-L PRG and Degree-L FE. We follow the same two-step approach as all previous IO constructions: First, construct IO for \(\mathsf {P/poly} \) from some simpler primitives—call this the bootstrapping step—and then instantiate the primitives needed, using graded encodings or multilinear maps. In the literature, previous bootstrapping theorems have shown that general-purpose IO can be built from one of the following: (i) IO for \(\mathsf {NC} ^1\) [27], or (ii) subexponentially secure FE for \(\mathsf {NC} ^1\) [2, 3, 13, 14], or (iii) subexponentially secure IO for constant-degree computations and PRG in \(\mathsf {NC} ^0\) [41], or (iv) subexponentially secure FE for \(\mathsf {NC} ^0\) and PRG in \(\mathsf {NC} ^0\) [44].^{4}
In this work, we strengthen the bootstrapping theorem of [44], and show how to build IO from PRGs with locality L and FE for computing degree-L polynomials in some ring \(\mathcal {R}\) (which eventually corresponds to the exponent space of the multilinear maps used for instantiating the FE).
Theorem 2
(Bootstrapping Theorem). Let L be any positive integer. Assume the subexponential hardness of LWE with subexponential modulus-to-noise ratio. IO for \(\mathsf {P/poly} \) is implied by the existence of subexponentially secure (collusion-resistant) secret-key FE schemes for computing degree-L polynomials in some ring \(\mathcal {R}\) with linear efficiency, and a subexponentially secure locality-L PRG with \(n^{1+\varepsilon }\)-stretch for some \(\varepsilon >0\).
(In the case that the FE schemes are public-key, the assumption of subexponential LWE is not needed.)
Above, the linear efficiency of FE schemes means that encryption time is linear in the input length \(N(\lambda )\), that is, \(\mathsf{Time}_{\mathsf{FE.Enc}} = N(\lambda )\mathrm {poly}(\lambda )\). In fact, we only need the FE scheme to achieve the weaker functionality of revealing whether the output of a degree-L polynomial is zero in \(\mathcal {R}\). Below, we refer to such FE schemes as degree-L FE in \(\mathcal {R}\) with linear efficiency.
In comparison, with a locality-L PRG, the bootstrapping theorem in [44] needs to start with FE for computing polynomials of the higher degree \(3L+2\). We here reduce the degree of FE to exactly L, by proposing a new preprocessing idea: At a very high level, we let the encryptor preprocess the input to be encrypted so as to perform part of the degree-\((3L+2)\) computation, and encrypt the processed values, so that later the decryptor only needs to perform a degree-L computation, and hence degree-L FE suffices. An overview of our bootstrapping step is given in Sect. 2.1.
Step 2: Degree-Preserving Construction of FE. Next, we construct degree-L FE based on the SXDH assumption on L-linear maps.
Theorem 3
Let D be any positive integer and \(\mathcal {R}\) any ring. Assuming SXDH on D-linear maps over ring \(\mathcal {R}\), there exist secret-key FE schemes for degree-D polynomials in \(\mathcal {R}\), with linear efficiency.
This new FE scheme is our main technical contribution. Previous constructions of FE for \(\mathsf {NC} ^1\) either rely on IO for \(\mathsf {NC} ^1\) or on high-degree multilinear maps [27, 28], whose degree is polynomial in the circuit size of the computations. In [44], Lin and Vaikuntanathan constructed FE for \(\mathsf {NC} ^0\) from constant-degree graded encodings. Their construction, however, is not degree-preserving: To compute \(\mathsf {NC} ^0\) functions that can be evaluated in degree D, they require degree-2D graded encodings. Our FE construction is the first one that supports degree-D computations using only degree-D multilinear maps.
It turns out that removing a factor of 2 in the degree requires completely new techniques for constructing FE. The reason is that the factor-of-2 increase in degree allows the FE construction in [44] to evaluate, instead of a degree-D computation directly, an arithmetic randomized encoding of the computation. The benefit is that they can rely on the security of the randomized encoding to argue the security of FE. In our case, since the degree is exactly D, we cannot afford to “embed” any cryptographic primitives in the FE construction, and must come up with ways of encoding inputs and intermediate computation values using multilinear maps that directly guarantee security. For this reason, our construction shares a similar flavor with constructions of inner product encryption based on bilinear maps. See Sects. 2.2 and 2.3 for an overview of our degree-preserving FE construction.
Additional Contributions. Along the way of designing our degree-preserving FE construction, we also construct the following primitives that are of independent interest.
Simple Function-Hiding IPE Schemes from SXDH on Bilinear Maps. Without using the heavy hammers of multilinear maps or IO, the state-of-the-art collusion-resistant FE schemes can only compute inner products; these are called Inner Product Encryption (IPE). In the literature, Abdalla et al. (ABDP) [1] came up with a public-key IPE scheme based on one of a variety of assumptions, such as DDH, Paillier, and LWE.
Bishop et al. [12] (BJK) constructed the first secret-key IPE scheme based on the SXDH assumption over asymmetric bilinear pairing groups. Their scheme achieves a stronger security notion, called weak function-hiding, and is improved by [24] to achieve full function hiding. Lin and Vaikuntanathan [44] further showed that any weakly function-hiding IPE scheme can be generically transformed into a function-hiding IPE scheme. Here, (weak) function hiding requires the FE scheme to hide both inputs and functions (revealing only outputs), and is much harder to achieve than standard security that hides only inputs.
While the ABDP public-key IPE scheme is simple, the secret-key (weak) function-hiding IPE schemes [12, 24] are much more complex. In this work, we give a simple construction of weak function-hiding IPE from SXDH on bilinear maps, which can then be transformed to function-hiding IPE using [44]. Our IPE scheme is built from the ABDP public-key IPE scheme in a modular way, and inherits its efficiency and simplicity: Ciphertexts and secret keys of length-N vectors consist of \((N+2)\) group elements, and the construction and security proof of our scheme fit within 2 pages (reducing to the security of the ABDP IPE scheme). In addition, the new scheme satisfies certain special properties that are important for our construction of degree-L FE schemes, which are not satisfied by previous IPE schemes [12, 24]. See Sect. 2.5 for an overview of our simple function-hiding IPE.
Algebraic vs. Noisy Multilinear Maps. Our results and proofs are described w.r.t. algebraic multilinear maps. However, finding algebraic multilinear maps with degree above 2 is still a major open problem. Can our IO and FE schemes be instantiated with known noisy multilinear map candidates [21, 22, 26, 31, 39]? The answer is nuanced: The constructions can be instantiated as-is with noisy multilinear maps and correctness holds, but the security proof fails, for (1) the SXDH assumption does not hold on known candidates, and (2) the current security reduction relies on the homomorphic scalar multiplication functionality, which is not supported by known candidates. (The latter is shared with all previous reductions that base security on a laconic and instance-independent assumption [33, 44].) Nevertheless, the security proof of the degree-L FE scheme (the only component that relies on multilinear maps) can be adapted into a proof in the degree-5 ideal multilinear map model without homomorphic scalar multiplication. Security in the ideal model does not imply security against known cryptanalytic attacks [6, 16, 18, 19, 20, 26, 32, 46]. It is unclear whether these instantiations are secure against them—we have no concrete attacks nor formal arguments that validate their security against known attacks, such as a security proof in the weak multilinear map model [29]. See Sect. 2.6 for a more detailed discussion.
1.2 Concurrent and Independent Work
In a concurrent work, Ananth and Sahai [4] (AS) showed a similar result. Both works convey the same high-level message that “IO can be constructed from 5-linear maps and locality-5 PRG, assuming subexponential LWE”. But the concrete theorem statements differ. First, while our construction relies on classical 5-linear maps, the AS construction uses degree-5 set-based graded encodings, which, as discussed above, are more powerful. Second, a main contribution of this paper is basing the security of IO on the SXDH assumption, which is laconic and instance-independent. In comparison, the AS construction is proven secure based on two assumptions on graded encodings that are tailored to their construction and justified in the ideal model, and the security of their FE scheme follows immediately from the assumptions. In terms of techniques, both works follow the paradigm of the IO construction in [44]. The two works propose different notions of FE for low-degree polynomials, and use completely different methods to construct them.
1.3 Subsequent Works
Given that locality-4 PRGs do not exist [47], the approach (in this and recent works [4, 44]) of using local PRGs to reduce the degree of multilinear maps used in IO constructions hits a barrier at degree 5. In a subsequent work, Lin and Tessaro [43] overcame this barrier and further reduced the degree of multilinear maps needed to 3. More specifically, they showed that, assuming subexponential LWE, IO can be based on the SXDH assumption on L-linear maps and PRGs with a new notion of blockwise locality L. Roughly speaking, a PRG has blockwise locality L if every output bit depends on at most L input blocks, each containing up to \(\log \lambda \) bits. Their result crucially relies on our IO construction, with the modification of replacing locality-L PRGs with blockwise-locality-L PRGs in the first bootstrapping step (the rest of the construction, such as the low-degree FE scheme, is kept the same). They further initiated the study of blockwise local PRGs based on Goldreich’s local functions and their (in)security. In particular, they showed that the security of candidates with blockwise locality \(L \ge 3\) is backed by similar validation as candidates with (conventional) locality 5. Soon after their work, two exciting cryptanalytic works [9, 45] showed that, unfortunately, (polynomial-stretch) PRGs with blockwise locality 2 do not exist.
Summarizing the new stateoftheart: Assuming subexponential LWE, there is a construction of IO from trilinear maps and PRGs with blockwise locality 3—we are one degree away from the dream statement of “building IO from bilinear maps”.
Organization. Next, we proceed to give an overview of our FE and IO constructions and their security proofs. Due to the lack of space, we leave the formal description of constructions and proofs to the full version [42]. In Sect. 2.6, we discuss in more detail issues related to instantiating our schemes with noisy multilinear maps.
2 Overview
In this work, scalars are written in normal font, such as a, b, and vectors are written in boldface, such as \({{\mathbf {v}}}, {{\mathbf {w}}}\).
2.1 Bootstrapping

Step 1. First, construct subexponentially secure single-key FE schemes \(\mathbf{CFE}\) for \(\mathsf {NC} ^1\) that are weakly compact, meaning that encryption time scales polynomially in the security parameter \(\lambda \) and the input length N, but only sublinearly in the maximal size S of the circuits for which secret keys are generated. More precisely, an FE scheme is said to be \((1-\varepsilon )\)-weakly-compact if its encryption time is \(\mathrm {poly}(\lambda ,N)S^{1-\varepsilon }\).

Step 2. If the FE schemes obtained from Step 1 are public-key schemes, invoke the result of [2, 14] that any public-key (single-key) weakly-compact FE schemes (for any \(\varepsilon > 0\)) imply IO for \(\mathsf {P/poly} \).
Otherwise, if the FE schemes obtained are secret-key schemes, then invoke the recent result of [13] that any secret-key weakly-compact FE schemes also imply IO for \(\mathsf {P/poly} \), assuming additionally subexponential LWE.
The challenging task is constructing (public-key or secret-key) weakly-compact FE schemes for \(\mathsf {NC} ^1\) from simpler primitives. In [44] (LV), they constructed such schemes from (public-key or secret-key, respectively) collusion-resistant FE schemes for \(\mathsf {NC} ^0\) with linear efficiency, assuming the existence of a polynomial-stretch PRG in \(\mathsf {NC} ^0\). We observe that in their construction, if the PRG has locality L, the \(\mathsf {NC} ^0\)-FE scheme is used to compute polynomials with low degree \(3L+2\). In this work, we show that the degree of the FE schemes (i.e., the degree of the polynomials supported) can be reduced to L. Below, we start by reviewing the LV construction of weakly-compact FE for \(\mathsf {NC} ^1\), and then modify their construction to reduce the degree of the underlying FE scheme. (In the exposition below, we do not differentiate public-key vs. secret-key schemes, since they are handled in the same way.)
The LV Weakly-Compact FE for \(\mathsf {NC} ^1\). To construct weakly-compact FE schemes for \(\mathsf {NC} ^1\) from FE schemes for \(\mathsf {NC} ^0\), LV uses Randomized Encodings (RE) [8, 37] to represent every \(\mathsf {NC} ^1\) function \(f({{\mathbf {x}}})\) as a simpler \(\mathsf {NC} ^0\) randomized function \(\hat{f} ({{\mathbf {x}}}; \ {{\mathbf {r}}})\). Then, to enable computing \(f({{\mathbf {x}}})\), it suffices to publish a secret key for \(\hat{f} \in \mathsf {NC} ^0\), and a ciphertext of \(({{\mathbf {x}}}, {{\mathbf {r}}})\), which can be done using the \(\mathsf {NC} ^0\)-FE scheme. But the resulting ciphertext is not compact, since the randomness \({{\mathbf {r}}}\) for computing the randomized encoding is at least of length \(S(\lambda )\mathrm {poly}(\lambda )\), where \(S(\lambda )\) is the size of the circuit computing f. The key idea of LV is using a polynomial-stretch PRG \(\mathbf{PRG}\!:\{0,1\}^{n}\rightarrow \{0,1\}^{n^{1+\alpha }}\) in \(\mathsf {NC} ^0\) to generate pseudorandomness for the RE, that is, computing instead \(g({{\mathbf {x}}}, {{\mathbf {s}}}) = \hat{f} ({{\mathbf {x}}}; \mathbf{PRG}({{\mathbf {s}}}))\). Now the input of the function becomes \(({{\mathbf {x}}}, {{\mathbf {s}}})\), whose length is sublinear in \(S(\lambda )\) thanks to the fact that the PRG has polynomial stretch. Since the \(\mathsf {NC} ^0\)-FE scheme has linear efficiency, the ciphertext size is also sublinear in \(S(\lambda )\). In addition, the function g can still be computed in \(\mathsf {NC} ^0\).
Observe that if g can be computed by a degree-D polynomial in some ring \(\mathcal {R}\), then one can instantiate the LV construction with degree-D FE schemes in \(\mathcal {R}\). The question is: how large is the degree D? Plug in the randomized encoding scheme by Applebaum et al. [8], whose encodings \(\hat{f} ({{\mathbf {x}}}; {{\mathbf {r}}})\) are computable in \(\mathsf {NC} ^0_4\) and have degree 1 in \({{\mathbf {x}}}\) and degree 3 in \({{\mathbf {r}}}\). Then, the degree of g is determined by the degree \(D_{\mathrm {PRG}}\) of the PRG (i.e., the minimal degree of polynomials that compute the PRG in \(\mathcal {R}\)), namely, \(D = 3 D_{\mathrm {PRG}} + 1\). As the degree of the PRG is upper bounded by its locality, \(D_{\mathrm {PRG}} \le L\), the degree of g is bounded by \(3L+1\). For the security proof to work out, the actual functions used in the LV construction are more complicated and have degree \(3L+2\). For simplicity of this overview, it is convenient to ignore this issue, as it does not affect understanding the main ideas.

– A (collusion-resistant) FE scheme for degree-\((3D+2)\) polynomials \(\{\mathbf{FE}= (\mathsf{FE.Setup}, \mathsf{FE.KeyGen},\mathsf{FE.Enc},\mathsf{FE.Dec})\}\) in some ring \(\mathcal {R}\) with linear efficiency.

– A pseudorandom generator \(\mathbf{PRG}\) with \(n^{1+\alpha }\)-stretch for any \(\alpha > 0\) that is computable in degree D in ring \(\mathcal {R}\).

– A weak PRF \({\mathsf {F}}\) in \(\mathsf {NC} ^1\).

– A specific randomized encoding scheme, which is the composition of Yao’s garbling scheme [51, 52] and the AIK randomized encoding scheme in \(\mathsf {NC} ^0\) [8]. Denote by \(\hat{C}_x = \mathsf {Yao}(C, {{\mathbf {x}}};\ {{\mathbf {r}}})\) Yao’s garbling algorithm that compiles a circuit C and an input \({{\mathbf {x}}}\) into a garbled circuit \(\hat{C}_x\), and by \(\varPi = \mathsf {AIK}(f, {{\mathbf {x}}}\ ; \ {{\mathbf {r}}})\) the AIK encoding algorithm.
We refer the reader to [44] for the correctness and security of the scheme, and to our full version [42] for the analysis of compactness and degree.
Relying on Degree-L FE. To reduce the degree of the polynomials computed using the low-degree FE, our key idea is preprocessing the input \(({{\mathbf {x}}}, {{\mathbf {s}}})\), so that part of the computation of the function g is already done at encryption time. To illustrate the idea, recall that g is linear in \({{\mathbf {x}}}\). Thus, if one precomputes \({{\mathbf {x}}}\,\otimes \,{{\mathbf {s}}}\) (where \({{\mathbf {x}}}\,\otimes \,{{\mathbf {s}}}\) is the tensor product of \({{\mathbf {x}}}\) and \({{\mathbf {s}}}\)), then g can be computed with one degree less. More specifically, there exists another function \(g'\) that takes input \(({{\mathbf {x}}}, {{\mathbf {s}}}, {{\mathbf {x}}}\,\otimes \,{{\mathbf {s}}})\) and computes \(g({{\mathbf {x}}}, {{\mathbf {s}}})\) in degree 3L, by replacing every monomial of the form \(x_i s_{i_1}s_{i_2}\cdots \) with \((x_is_{i_1})\ s_{i_2} \cdots \), where \(x_is_{i_1}\) is taken directly from \({{\mathbf {x}}}\,\otimes \,{{\mathbf {s}}}\). Therefore, we can modify the LV construction to encrypt \(({{\mathbf {x}}}, {{\mathbf {s}}}, {{\mathbf {x}}}\,\otimes \,{{\mathbf {s}}})\), whose length is still sublinear in \(S(\lambda )\), and generate keys for functions \(g'\) that have degree 3L.
Finally, we need to make sure that the total number of such degree-\(\le 3\) monomials is sublinear in \(S(\lambda )\), so that encryption remains weakly-compact. Note that, for each \(\gamma \in [{{\mathbf {s}}}_q]\), the number of degree-\(\le 3\) monomials over the \(\gamma ^\mathrm{th}\) bits in these Q seeds is bounded by \((Q+1)^3 = \mathrm {poly}(\lambda )\). Moreover, the length of each seed \(s_q\) is still sublinear in \(S(\lambda )\). Thus, the total number of monomials to be precomputed is sublinear in \(S(\lambda )\).
2.2 Quadratic Secret-Key FE
Before proceeding to constructing degree-D FE schemes from SXDH on degree-D MMaps, we describe a self-contained construction of FE for quadratic polynomials from SXDH on bilinear maps. The degree-D scheme is a generalization of the quadratic scheme.
We start by reviewing the tool, Inner Product Encryption (IPE), for constructing quadratic FE. A (public-key or secret-key) IPE scheme allows one to encode vectors \({\mathbf {y}}\) and \({\mathbf {x}}\) in a ring \(\mathcal {R} \), in a function key \(\mathsf {iSK}({{\mathbf {y}}})\) and a ciphertext \(\mathsf{iCT}({{\mathbf {x}}})\) respectively, and decryption evaluates the inner product \(\left\langle {{\mathbf {y}}, {\mathbf {x}}} \right\rangle \). In this work (like in [44]), we use specific IPEs that compute the inner product in the exponent, which, in particular, allows the decryptor to test whether the inner product is zero, or whether it falls into any polynomial-sized range.^{5}
Given IPE schemes, it is trivial to implement FE for quadratic polynomials, or quadratic FE schemes for short: Simply write a quadratic function f as a linear function over quadratic monomials, \(f(x) = \Sigma _{i,j} c_{i,j} x_ix_j = \left\langle {{\mathbf {c}}, {\mathbf {x}} \otimes {\mathbf {x}}} \right\rangle \). Then, generate an IPE secret key \(\mathsf {iSK}({{\mathbf {c}}})\), and an IPE ciphertext \(\mathsf {iCT}({{\mathbf {x}}}\otimes {{\mathbf {x}}})\), from which the function output can be computed. However, such a scheme has encryption time quadratic in the input length \(N = |{{\mathbf {x}}}|\). The key challenge is improving the encryption time to be linear in the input length under standard assumptions (e.g., bilinear maps).
In this work, we do so based on SXDH on bilinear maps, where the exponent space \(\mathcal {R}\) of the bilinear map is the ring in which quadratic polynomials are evaluated. At a high level, our key idea is “compressing” the encryption time of the above trivial quadratic FE scheme from quadratic to linear, by publishing some “compressed information” of linear size at encryption time, which can be expanded to an IPE ciphertext of \({{\mathbf {x}}}\,\otimes \,{{\mathbf {x}}}\) at decryption time. To make this idea work, we will use, as our basis, the public-key IPE scheme by Abdalla et al. (ABDP) [1] based on the DDH assumption; we briefly review their scheme.
The ABDP Public-Key IPE Scheme. The ABDP scheme \(\mathbf{IPE}\) resembles El Gamal encryption and is quite simple. Let G be a cyclic group of order p with generator g, in which DDH holds. A master secret key of the ABDP scheme is a random vector \({{\mathbf {s}}}= (s_1, \cdots , s_N)\), and its corresponding public key is \(\mathsf {iMPK}= g^{s_1}, \cdots , g^{s_N}\). A ciphertext encrypting a vector \({{\mathbf {x}}}= x_1, \cdots , x_N\) looks like \(\mathsf{iCT}= g^{r}, \ g^{rs_1 + x_1},\ \cdots ,\ g^{rs_N + x_N}\), where r is the random scalar “shared” for encrypting every coordinate. It is easy to see that it follows from DDH that this encryption is semantically secure.
To turn the above scheme into an IPE, observe that given a vector \({{\mathbf {y}}}\in \mathbb {Z}_p^N\), and in addition the inner product \(\left\langle {{{\mathbf {y}}}, {{\mathbf {s}}}} \right\rangle \) in the clear, one can homomorphically compute the inner product in the exponent to obtain \(g^{r\left\langle {{{\mathbf {s}}}, {{\mathbf {y}}}} \right\rangle + \left\langle {{{\mathbf {x}}}, {{\mathbf {y}}}} \right\rangle } / g^{r \left\langle {{{\mathbf {y}}},{{\mathbf {s}}}} \right\rangle } = g^{\left\langle {{{\mathbf {x}}}, {{\mathbf {y}}}} \right\rangle }\), which reveals whether the inner product \(\left\langle {{{\mathbf {x}}}, {{\mathbf {y}}}} \right\rangle \) is zero or not. Therefore, the ABDP scheme sets the secret key to be \(\mathsf {iSK}= (\left\langle {{{\mathbf {s}}}, {{\mathbf {y}}}} \right\rangle , {{\mathbf {y}}})\).
The first difficulty with “compressing” a ciphertext \(\mathsf{iCT}({{\mathbf {x}}}\,\otimes \,{{\mathbf {x}}})\) is that it contains information about the master secret key \({{\mathbf {s}}}\) of quadratic length, which is truly random and cannot be “compressed”.
Our idea is replacing the truly random secret key \({{\mathbf {s}}}\) with the tensor product of two length-N vectors, \({{\mathbf {s}}}^1\,\otimes \,{{\mathbf {s}}}^2\), so that the new ciphertext depends only on information of linear size, namely \((r, {{\mathbf {s}}}^1, {{\mathbf {s}}}^2, {{\mathbf {x}}})\). The reason that we use the tensor product \({{\mathbf {s}}}^1 \,\otimes \, {{\mathbf {s}}}^2\) as the secret key is that, under DDH, the encodings \(\{ g^{s^1_i s^2_j} \}_{i,j \in [N]}\) of \({{\mathbf {s}}}^1 \,\otimes \, {{\mathbf {s}}}^2\) are indistinguishable from encodings of \(N^2\) truly random elements, and hence there is hope that \({{\mathbf {s}}}^1 \,\otimes \, {{\mathbf {s}}}^2\) is “as good as” a truly random master secret key. As we will see later, this hope is true, though only through a complicated security proof.
Suppose that we have a (secret-key) IPE scheme \({\mathbf{cIPE}}\) that is function hiding (defined shortly) from bilinear maps, and has a certain canonical form: In particular, its ciphertexts and secret keys encode the input and function vectors in different source groups \(G_1, G_2\) of the bilinear map, and decryption simply uses the pairing to produce an encoding of the output inner product in the target group \(G_3\). (Unfortunately, off-the-shelf function-hiding IPEs [12, 24, 44] do not have the canonical form, and we discuss how to construct such a scheme later.)
In summary, we now have the first version of our quadratic FE schemes.
 Version 1 of Our Secret Key Quadratic FE scheme \(\mathbf{qFE}\)

– Setup: A master secret key \(\mathsf{msk}\) consists of two random vectors \({{\mathbf {s}}}^1, {{\mathbf {s}}}^2\) of length N.
 – Key Generation: A secret key \(\mathsf {SK}({{\mathbf {c}}})\) of a function \(f_{{\mathbf {c}}}({{\mathbf {x}}}) = \left\langle {{{\mathbf {c}}}, {{\mathbf {x}}}\,\otimes \, {{\mathbf {x}}}} \right\rangle \) consists of $$\begin{aligned} \mathsf {SK}({{\mathbf {c}}}) = \left( \ \left\langle {{{\mathbf {s}}}^1 \,\otimes \, {{\mathbf {s}}}^2, {{\mathbf {c}}}} \right\rangle , \ {{\mathbf {c}}}\ \right) . \end{aligned}$$
 – Encryption: Sample a random scalar. A ciphertext \(\mathsf{CT}({{\mathbf {x}}})\) of input vector \({{\mathbf {x}}}\) contains the following, where \(\{ {\mathsf {cSK}_j,\ \mathsf{cCT}_i} \}\) are generated using a freshly sampled master secret key \(\mathsf {cMSK}\) of a canonical function hiding IPE \({\mathbf{cIPE}}\).
 – Decryption: For every \((i, j) \in [N]^2\), decrypt \(\mathsf{cCT}_i\) using \(\mathsf {cSK}_j\) to obtain \(\mathsf{iCT}[i,j]\). Homomorphically compute \(\varLambda _1\) and \(\varLambda _2 = \left\langle {\{ {\mathsf{iCT}[i,j]} \} ,\ {{\mathbf {c}}}} \right\rangle \). Homomorphically add \(\varLambda _1 + \varLambda _2\) to produce an encoding of the output \(f_{{\mathbf {c}}}({{\mathbf {x}}})\).

Next, we move to describing ideas for the security proof. As we develop the proof ideas, we will need to make several modifications to the above scheme.
Selective IND-Security of Our Quadratic FE Scheme. We want to show that ciphertexts of \(\mathbf{qFE}\) of one set of inputs \(\{ {{\mathbf {u}}_i} \}\) are indistinguishable from those of another \(\{ {{{\mathbf {v}}}_i} \}\), as long as all the secret keys published are associated with functions \(\{ {f_{{{\mathbf {c}}}_j}} \}\) that do not separate these inputs, that is, \(f_{{{\mathbf {c}}}_j}({\mathbf {u}}_i) = f_{{{\mathbf {c}}}_j}({{\mathbf {v}}}_i)\) for all i, j. For simplicity of this overview, we restrict our attention to the simpler case where only a single ciphertext and many secret keys are published. The security proof for the general case with many ciphertexts follows from a hybrid argument where the encrypted vectors are switched one by one from \({\mathbf {u}}_i\) to \({{\mathbf {v}}}_i\), and the indistinguishability of each step is proven using the same ideas as in the single-ciphertext case.
Naturally, we want to reduce the security of \(\mathbf{qFE}\) to the security of the ABDP IPE scheme \(\mathbf{IPE}\) and the function hiding of \({\mathbf{cIPE}}\). Our intuition is that given a ciphertext \(\mathsf{CT}({{\mathbf {x}}})\) for \({{\mathbf {x}}}= {\mathbf {u}}\) or \({{\mathbf {v}}}\), the security of \({\mathbf{cIPE}}\) ensures that the N ciphertexts and secret keys \(\{ {\mathsf{cCT}_i} \}, \{ {\mathsf {cSK}_j} \}\) contained in ciphertext \(\mathsf{CT}({{\mathbf {x}}})\) reveal only the output encodings \(\{ {\mathsf{iCT}[i,j]} \}\) and nothing else. Then, the security of the ABDP scheme ensures that the derived ciphertext \(\mathsf{iCT}\) encrypting either \({\mathbf {u}}\,\otimes \, {\mathbf {u}}\) or \({{\mathbf {v}}}\,\otimes \, {{\mathbf {v}}}\) is indistinguishable, in the presence of secret keys for vectors \(\{ {{{\mathbf {c}}}_j} \}\) that do not separate them. This intuition would go through if the two building blocks \({\mathbf{cIPE}}\) and \(\mathbf{IPE}\) provided very strong security guarantees: namely, first, \({\mathbf{cIPE}}\) has simulation security, so that its ciphertexts and secret keys \(\{ {\mathsf{cCT}_i} \}, \{ {\mathsf {cSK}_j} \}\) can be simulated from the set of output encodings \(\{ {\mathsf{iCT}[i,j]} \}\), and second, the ABDP scheme is secure even when the master secret key is generated as a tensor product \({{\mathbf {s}}}^1 \,\otimes \, {{\mathbf {s}}}^2\) as opposed to being truly random. Unfortunately, our building blocks do not provide such strong security guarantees, which leads to the following challenges.

Challenge 1—Relying only on indistinguishability-based function hiding of \({\mathbf{cIPE}}\) . The simulation security of \({\mathbf{cIPE}}\) essentially allows one to easily reduce the security of \(\mathbf{qFE}\) to that of \(\mathbf{IPE}\). With only indistinguishability-based security of \({\mathbf{cIPE}}\), the reduction to the security of \(\mathbf{IPE}\) becomes significantly harder. Typically, one builds a black-box security reduction that receives from its challenger \(\mathbf{IPE}\) secret keys and a ciphertext, in this case \(\{ {\mathsf {SK}_j} \}, \mathsf{iCT}\), and embeds them in the view of the adversary attacking the \(\mathbf{qFE}\) scheme. However, the ciphertext \(\mathsf{CT}\) of \(\mathbf{qFE}\) has only linear size, but \(\mathsf{iCT}\) has quadratic size—there is not enough space for embedding.^{6}
To resolve this problem, our idea is to embed \(\mathsf{iCT}\) “piecemeal”. Observe that the ABDP scheme encrypts its input vector element by element using different master secret key elements and a shared random scalar. Thus, we can flexibly view its ciphertext \(\mathsf{iCT}\) either as a single ciphertext, or as a list of many ciphertexts encrypting a list of vectors of shorter length. In particular, we will “cut” the ciphertext into N pieces, each of length N and indexed by \(i \in [N]\). Since the \(i^\mathrm{th}\) ciphertext-piece can be viewed as an \(\mathbf{IPE}\) ciphertext of the vector \(x_i{{\mathbf {x}}}\), generated with master secret key \(s^1_i{{\mathbf {s}}}^2\) and shared random scalar r, our idea is to gradually switch the values of \(x_i{{\mathbf {x}}}\) from \(u_i{\mathbf {u}}\) to \(v_i{{\mathbf {v}}}\) piece by piece in N steps. In each step, we first apply the function hiding of \({\mathbf{cIPE}}\) to move to a hybrid distribution where the challenge-piece \(\mathsf{iCT}[i, \star ]\) is directly hardwired in the \(\mathbf{qFE}\) ciphertext; since \(|\mathsf{iCT}[i, \star ]| = N\), there is enough space for it. Then, we rely on the indistinguishability security of \(\mathbf{IPE}\) to argue that switching the plaintext-piece underlying \(\mathsf{iCT}[i, \star ]\) from \(u_i {\mathbf {u}}\) to \(v_i {{\mathbf {v}}}\) is indistinguishable.
Challenge 2—Relying on the security of the ABDP scheme under correlated randomness. Arguing the indistinguishability of switching the vectors underlying each ciphertext-piece \(\mathsf{iCT}[i, \star ]\) from \(u_i{\mathbf {u}}\) to \(v_i{{\mathbf {v}}}\) turns out to be tricky. First, an astute reader might have already noticed the problem that changing pieces in the tensor product would affect the function output, which is noticeable. For example, after switching the first plaintext-piece to \(v_1{{\mathbf {v}}}\), the function output changes: \(\left\langle {{{\mathbf {c}}}_j, {\mathbf {u}}\,\otimes \, {\mathbf {u}}} \right\rangle \ne \left\langle {{{\mathbf {c}}}_j, v_1{{\mathbf {v}}} \Vert {\mathbf {u}}_{\ge 1}\,\otimes \, {\mathbf {u}}} \right\rangle \). To resolve this problem, we modify the scheme to build in an offset value \(\varDelta _j\) in every secret key \(\mathsf {SK}_j\) to ensure that the function output remains the same throughout all steps.
Second, the challenge ciphertext-piece is generated with master secret key \(s^1_i{{\mathbf {s}}}^2\), which is not truly random, since the vector \({{\mathbf {s}}}^2\) is also used for generating the master secret keys \(s_{k}^1{{\mathbf {s}}}^2\) of the other ciphertext-pieces, for \(k \ne i\). We overcome this by relying on the SXDH assumption to argue that encodings of \(s^1_i{{\mathbf {s}}}^2\), given encodings of \(s^1_i\) and \({{\mathbf {s}}}^2\), are indistinguishable from encodings of random elements, and hence as good as a truly random master secret key. A similar idea was used in [44].
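The ABDP scheme, the tensor-product master secret key of Version 1, and the piecemeal view of \(\mathsf{iCT}\) described above, checked in code as an added example (not code from the paper). The group is a constructed toy subgroup of \(\mathbb {Z}_{1019}^*\) of prime order 509, chosen so that discrete logarithms can be brute-forced and offering no security; the \({\mathbf{cIPE}}\) layer, which needs a bilinear map, is not modelled, so the code works directly with the derived \(\mathbf{IPE}\) ciphertext of \({{\mathbf {x}}}\,\otimes \,{{\mathbf {x}}}\).

```python
"""Toy model of the ABDP IPE scheme and of the tensor-product master secret
key behind qFE Version 1.  Added example, not the paper's code.  The group
parameters are constructed toy values (no security) that only check the algebra."""
import secrets

P = 1019  # constructed safe prime, P = 2*Q + 1
Q = 509   # prime order of the subgroup generated by G; all exponents live in Z_Q
G = 4     # generator of that subgroup (4 = 2^2 is a quadratic residue mod P)


def enc(e):
    """Encoding of a scalar e 'in the exponent': g^e."""
    return pow(G, e % Q, P)


def dlog(h):
    """Recover e from h = g^e by exhaustive search (feasible only because Q is tiny)."""
    for e in range(Q):
        if enc(e) == h:
            return e
    raise ValueError("element is not in the subgroup generated by G")


def abdp_setup(n):
    """Master secret key s in Z_Q^n and public key iMPK = (g^{s_1}, ..., g^{s_n})."""
    s = [secrets.randbelow(Q) for _ in range(n)]
    return s, [enc(si) for si in s]


def abdp_keygen(s, y):
    """iSK = (<s, y>, y): the inner product with the master key is given in the clear."""
    return sum(si * yi for si, yi in zip(s, y)) % Q, list(y)


def abdp_encrypt(mpk, x, r=None):
    """iCT = (g^r, g^{r s_1 + x_1}, ..., g^{r s_n + x_n}); one scalar r shared by all coordinates."""
    if r is None:
        r = secrets.randbelow(Q)
    return enc(r), [pow(g_si, r, P) * enc(xi) % P for g_si, xi in zip(mpk, x)]


def abdp_decrypt(isk, ict):
    """Homomorphically form g^{<x,y>} = prod_i ct_i^{y_i} / (g^r)^{<s,y>}, then return <x,y> mod Q."""
    sy, y = isk
    g_r, cts = ict
    num = 1
    for ct_i, yi in zip(cts, y):
        num = num * pow(ct_i, yi % Q, P) % P
    return dlog(num * pow(pow(g_r, sy, P), -1, P) % P)


def tensor(a, b):
    """a (x) b over Z_Q, row-major: entry (i, j) sits at index i*len(b) + j."""
    return [ai * bj % Q for ai in a for bj in b]


def qfe_setup(n):
    """qFE Version 1 master secret key: two random length-n vectors s^1, s^2."""
    return ([secrets.randbelow(Q) for _ in range(n)],
            [secrets.randbelow(Q) for _ in range(n)])


def qfe_keygen(msk, c):
    """SK(c) = (<s^1 (x) s^2, c>, c), i.e. an ABDP key for c under master key s^1 (x) s^2."""
    s1, s2 = msk
    return abdp_keygen(tensor(s1, s2), c)


def qfe_derived_ciphertext(msk, x, r):
    """The ABDP ciphertext iCT of x (x) x under master key s^1 (x) s^2 with scalar r.
    In qFE the decryptor derives it from the cIPE layer; here it is formed directly."""
    s1, s2 = msk
    return abdp_encrypt([enc(e) for e in tensor(s1, s2)], tensor(x, x), r)


def qfe_decrypt(sk, ict):
    """Lambda_2 = <iCT, c> in the exponent, cancelled by Lambda_1 = -r<s^1 (x) s^2, c>, gives <c, x (x) x>."""
    return abdp_decrypt(sk, ict)


def ciphertext_piece(ict, i, n):
    """iCT[i, *]: the n entries whose first index is i, together with the shared g^r."""
    g_r, cts = ict
    return g_r, cts[i * n:(i + 1) * n]


def piece_is_abdp_ciphertext(msk, x, r, i):
    """Piecemeal view: iCT[i, *] is an ABDP ciphertext of x_i * x under master key
    s^1_i * s^2, generated with the same shared scalar r."""
    s1, s2 = msk
    n = len(x)
    piece = ciphertext_piece(qfe_derived_ciphertext(msk, x, r), i, n)
    mpk_i = [enc(s1[i] * s2_j) for s2_j in s2]
    return piece == abdp_encrypt(mpk_i, [x[i] * xj % Q for xj in x], r)


if __name__ == "__main__":
    s, mpk = abdp_setup(3)
    print(abdp_decrypt(abdp_keygen(s, [2, 0, 1]), abdp_encrypt(mpk, [1, 2, 3])))  # 5
    msk = qfe_setup(3)
    x, c = [1, 2, 3], [1, 0, 0, 0, 1, 0, 0, 0, 1]  # <c, x (x) x> = 1 + 4 + 9 = 14
    r = secrets.randbelow(Q)
    print(qfe_decrypt(qfe_keygen(msk, c), qfe_derived_ciphertext(msk, x, r)))  # 14
    print(all(piece_is_abdp_ciphertext(msk, x, r, i) for i in range(3)))  # True
```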
Next, we discuss in more detail how to overcome these two challenges.
 1. In \(H_\rho ^b\), the \(\rho ^\mathrm{th}\) ciphertext-piece \(\mathsf{iCT}[\rho , \star ]\) is embedded in the \(\mathbf{qFE}\) ciphertext \(\mathsf{CT}\),
 2. The derived \(\mathbf{IPE}\) ciphertext \(\mathsf{iCT}\) encrypts the following “hybrid” vectors.
 Version 2 of Our Secret Key Quadratic FE scheme \(\mathbf{qFE}\)
 – Encryption: A ciphertext \(\mathsf{CT}({{\mathbf {x}}})\) consists of the following, where \(\{ {\mathsf{cCT}_i} \}\) and \(\{ {\mathsf {cSK}_j} \}\) encode vectors \(\varvec{\chi }^d_i\) like before, but now padded with 3 zeros.

We refer to the first 4 elements in the \({{\mathbf {X}}}\)’s as the first slot, which holds two vectors of length 2, and the last element as the second slot. In the honest executions, these vectors \(\{ {{{\mathbf {X}}}^d_i} \}\) are set to either \((\varvec{\mu }^d \Vert \mathbf {0}, 0)\) if \({\mathbf {u}}\) is encrypted, or \((\varvec{\nu }^d \Vert \mathbf {0}, 0)\) if \({{\mathbf {v}}}\) is encrypted, with \(\varvec{\mu }\) and \(\varvec{\nu }\) defined as \(\varvec{\chi }\) in Eq. 1 but replacing \(x_i\) with \(u_i\) or \(v_i\) respectively.
In the case \(i = \rho \), \(\mathsf{iCT}[\rho ,\star ]\) encodes exactly the values hardwired in the last slot, which as argued above encrypts \(u_\rho {\mathbf {u}}\) in \(H_\rho ^0\) and \(v_\rho {{\mathbf {v}}}\) in \(H_\rho ^1\), as desired. In the case \(i < \rho \), the derived ciphertext-piece \(\mathsf{iCT}[i, \star ]\) encodes the values \(\{ {\left\langle {\varvec{\nu }^1_i, \varvec{\nu }^2_j} \right\rangle } \}_j\), corresponding to encrypting \(v_i {{\mathbf {v}}}\); and similarly, when \(i > \rho \), the ciphertext-piece \(\mathsf{iCT}[i, \star ]\) encrypts \(u_i{\mathbf {u}}\), as desired. Therefore, all desiderata above are satisfied.
Now, to show the security of \(\mathbf{qFE}\), it suffices to argue that every pair of neighboring hybrids is indistinguishable. Note that the only difference between different hybrids lies in the values of the \({{\mathbf {X}}}\) vectors encoded in the ciphertexts and secret keys of \({\mathbf{cIPE}}\). Observe first that in hybrids \(H_\rho ^1\) and \(H^0_{\rho +1}\), every pair of vectors \(({{\mathbf {X}}}^1_i, {{\mathbf {X}}}^2_j)\) produces the same inner products, and hence the indistinguishability of \(H_\rho ^1\) and \(H^0_{\rho +1}\) follows immediately from the function hiding property of \({\mathbf{cIPE}}\). This is, however, not the case in hybrids \(H^0_\rho \) and \(H^1_\rho \), where for the special index \(\rho \), the challenge ciphertext-piece changes from encrypting \(u_\rho {\mathbf {u}}\) to \(v_\rho {{\mathbf {v}}}\). Next, we show how to reduce the indistinguishability of \(H_\rho ^0\) and \(H_\rho ^1\) to the security of the ABDP IPE scheme, which turns out to be quite tricky.
This means the hybrids are clearly distinguishable. To fix this, we modify our \(\mathbf{qFE}\) scheme to build in an offset value \(\varDelta \) in its secret keys, which will be added to the decryption output. In the honest execution, the offsets are set to zero, whereas in hybrid \(H^b_\rho \), they are set to \(\varDelta ^b_j(\rho )\) in each secret key \(\mathsf {SK}_j\), so that the above inner products become equal once \(\varDelta ^0_j(\rho )\) is added on the left hand side and \(\varDelta ^1_j(\rho )\) on the right hand side. Clearly, both whether the offset values \(\varDelta \) are used at all (set to non-zero) and their values must be hidden; we do so by encoding them using \({\mathbf{cIPE}}\), as described below.
 Version 3 of Our Secret Key Quadratic FE schemes \(\mathbf{qFE}\)

– Setup: A master secret key \(\mathsf{msk}= ({{\mathbf {s}}}^1, {{\mathbf {s}}}^2, \mathsf {cMSK}')\) contains additionally a master secret key \(\mathsf {cMSK}'\) of \({\mathbf{cIPE}}\).
 – Key Generation: In the secret key \(\mathsf {SK}({{\mathbf {c}}})\), the inner product \(\left\langle {{{\mathbf {s}}}^1 \,\otimes \, {{\mathbf {s}}}^2, {{\mathbf {c}}}} \right\rangle \) is now encoded, together with an offset value \(\varDelta \), using \(\mathsf {cMSK}'\) of \({\mathbf{cIPE}}\):
 – Encryption: In the ciphertext \(\mathsf{CT}({{\mathbf {x}}})\), the random scalar r is now encrypted, with an additional 0, using \(\mathsf {cMSK}'\) of \({\mathbf{cIPE}}\):

– Decryption: Decryption proceeds as before, except that now the encoding \(\varLambda _1\) is obtained by decrypting \(\mathsf{cCT}'\) using \(\mathsf {cSK}'\), which yields an encoding of the inner product together with the offset \(\varDelta \), as desired.

With the new offset value in the secret keys, we can now fix our hybrids so that the function outputs always stay the same.
Now \(H_\rho ^0\) and \(H_\rho ^1\) have the same function outputs. But, to formally reduce their indistinguishability to the security of \(\mathbf{IPE}\), we need a way to incorporate the offsets \(\varDelta \)’s into the challenge \(\mathbf{IPE}\) ciphertexts. We do so by viewing the \(\varDelta _j\)’s as an extension of the plaintext. More specifically, we implicitly switch from encrypting \({\mathbf {U}} = u_\rho {\mathbf {u}}\Vert \varDelta ^0_1(\rho )\Vert \cdots \Vert \varDelta _L^0(\rho )\) to \({\mathbf {V}} = v_\rho {{\mathbf {v}}}\Vert \varDelta _1^1(\rho )\Vert \cdots \Vert \varDelta _L^1(\rho )\) using master secret key \({\mathbf {S}} = s_\rho ^1{{\mathbf {s}}}^2 \Vert t_1 \Vert \cdots \Vert t_L\), in the presence of secret keys for vectors \({{\mathbf {Y}}}_j = \{ {{{\mathbf {c}}}_j[\rho ,\star ]\Vert e_j} \}_j\), where L is the total number of keys, the \(t_j\)’s are implicitly sampled secret key elements, and \(e_j\) is the unit vector of length L with a single one at index j. Observe that from such ciphertexts and secret keys, one can extract the challenge ciphertext-piece \(\mathsf{iCT}[\rho , \star ]\) encrypting \(u_\rho {\mathbf {u}}\) or \(v_\rho {{\mathbf {v}}}\), and obtain an encoding of \(r\left\langle {{{\mathbf {s}}}^1 \,\otimes \, {{\mathbf {s}}}^2, {{\mathbf {c}}}} \right\rangle + \varDelta _j^b(\rho )\) embedded in each secret key \(\mathsf {cSK}'_j\)—these are the only parts in which hybrids \(H_\rho ^0\) and \(H_\rho ^1\) differ. Given that \(\left\langle {{\mathbf {U}}, {{\mathbf {Y}}}_j} \right\rangle = \left\langle {{\mathbf {V}}, {{\mathbf {Y}}}_j} \right\rangle \) for every j, we are almost done: apply the security of \(\mathbf{IPE}\) to argue that \(H_\rho ^0\) and \(H_\rho ^1\) are indistinguishable, except that we must overcome one last hurdle—the master secret key for encrypting \(u_i{\mathbf {u}}\) or \(v_i{{\mathbf {v}}}\) is not truly random.
Pseudorandomness from SXDH. The master secret key of the challenge ciphertext-piece is \(s_\rho ^1{{\mathbf {s}}}^2\). It is not truly random since \({{\mathbf {s}}}^2\) is also used for generating the master secret keys of the other ciphertext-pieces. But, observe that both the challenge ciphertext-piece and \({{\mathbf {s}}}^2\) are embedded in the secret keys \(\{ {\mathsf {cSK}_j} \}\), and hence encoded in the same bilinear map source group. Furthermore, thanks to the fact that in \(H_\rho ^b\), the \(\rho ^\mathrm{th}\) ciphertext \(\mathsf{cCT}_\rho \) encrypts the vector \((\mathbf {0}\Vert \mathbf {0}, 1)\), the key element \(s^1_\rho \) does not appear in the other source group. Therefore, we can apply the SXDH assumption to argue that encodings of \(s_\rho ^1{{\mathbf {s}}}^2\) are indistinguishable from those of a truly random vector \({{\mathbf {w}}}\)—in other words, the master secret key \(s_\rho ^1{{\mathbf {s}}}^2\) is pseudorandom inside encodings. Therefore, the security of \(\mathbf{IPE}\) applies, and we conclude that hybrids \(H_\rho ^0\) and \(H_\rho ^1\) are indistinguishable.
2.3 Degree-D Secret-Key FE
where \(\mathsf{iCT}[I]\) encrypts the \(I^\mathrm{th}\) degree-D monomial \(\prod _{d \in [D]}x_{I_d}\), using the \(I^\mathrm{th}\) key element \(\prod _{d \in [D]}s^d_{I_d}\).
To show security of \(\mathbf{dFE}\), we again switch the degree-D monomials encrypted in the \(\mathbf{IPE}\) ciphertext \(\mathsf{iCT}\) piecemeal. In each step, we can still only embed a size-N ciphertext-piece; naturally we embed \(\mathsf{iCT}[\rho , \star ]\) for a prefix \(\rho \in [N]^{D-1}\) of length \(D-1\). Thus, the \(N^D\) encrypted monomials are changed piece by piece in \(N^{D-1}\) steps, where in the \(\rho ^\mathrm{th}\) step, all monomials with index I smaller than \(\rho \) (i.e., \(I_{\le D-1} < \rho \)) have already been switched to \(\prod _{d \in [D]}v_{I_d}\), monomials with index I larger than \(\rho \) (i.e., \(I_{\le D-1}> \rho \)) remain \(\prod _{d \in [D]} u_{I_d}\), and monomials with index I that agrees with \(\rho \) (i.e., \(I_{\le D-1} = \rho \)) are being switched from \(\prod _{d \in [D]} u_{I_d}\) in \(H_\rho ^0\) to \(\prod _{d \in [D]} v_{I_d}\) in \(H_\rho ^1\).
Creating a sequence of hybrids that carry out these steps is more complex than in the degree 2 case. First, we need more space in the ciphertext to make sure that the right monomials are encrypted for every index I; thus, the vectors \({{\mathbf {X}}}\)’s are padded to length \(2D-1\). Second, it becomes significantly harder to argue that the key elements \((\prod _{d \in [D-1]}s^d_{\rho _d}) {{\mathbf {s}}}^{\le D}\) are pseudorandom, as the shares \(s^d_i\) are encoded in different MMap source groups, and unlike the degree 2 case, we cannot eliminate the appearance of all shares \(\{ {s^d_{\rho _d}} \}\), since they are also used for generating the master secret keys of other ciphertext-pieces (whereas in the degree 2 case, \(s^1_\rho \) is only used for generating \(s^1_\rho {{\mathbf {s}}}^2\)). To resolve this, we apply the SXDH assumption iteratively to gradually replace every partial product \(\prod _{d \in [d^\star ]} s^d_{\rho _d}\) with an independent and random element \(w^d_\rho \), so that the master secret keys for other ciphertext-pieces are generated using independent w elements.
2.4 Construction of HIPE
We construct function hiding HIPE schemes by induction in the degree D.

For the base case of \(D = 2\), function hiding degree-2 HIPE is identical to function hiding IPE, for which we give a new construction, discussed shortly in the next subsection.

For the induction step, we show that for any \(D \ge 2\), if there exists a function hiding degree-D HIPE scheme, denoted \({\mathbf{dIPE}}\), from SXDH on degree-D MMap, then there exists a function-hiding degree-\((D+1)\) HIPE scheme, denoted \({\mathbf{hIPE}}\), from SXDH on degree-\((D+1)\) MMap. Our induction keeps the invariant that both \({\mathbf{dIPE}}\) and \({\mathbf{hIPE}}\) have canonical form.
In the induction step, we construct the degree-\((D+1)\) scheme \({\mathbf{hIPE}}\) by combining the degree-D scheme \({\mathbf{dIPE}}\) with a special purpose IPE scheme \({\mathbf{sIPE}}\). Denote by \((\mathsf{hCT}^1, \cdots , \mathsf{hCT}^D)\) and \(\mathsf {hSK}\) the ciphertexts and secret key of \({\mathbf{hIPE}}\), by \((\mathsf{dCT}^1, \cdots , \mathsf{dCT}^{D-1})\) and \({\mathsf {dSK}}\) those of \({\mathbf{dIPE}}\), and by \(\mathsf{sCT}\) and \(\mathsf {sSK}\) those of \({\mathbf{sIPE}}\).
 1. First, for every l, decrypt the tuple \((\mathsf{dCT}_l^1, \cdots , \mathsf{dCT}_l^{D-1}, {\mathsf {dSK}}_l)\) using the decryption algorithm of \({\mathbf{dIPE}}\) to obtain \(\mathsf{sCT}_l\); put them together to get a ciphertext \(\mathsf{sCT}\) of \({{\mathbf {x}}}^{\le D}\).
 2. Then, decrypt the obtained ciphertext \(\mathsf{sCT}\) using the decryption algorithm of \({\mathbf{sIPE}}\) and the secret key \(\mathsf {hSK}= \mathsf {sSK}\) of \({{\mathbf {x}}}^{D+1}\) to obtain an encoding of the final inner product y, as illustrated below.
Having distinct randomness is still not enough for applying the security of \({\mathbf{sIPE}}\), which requires independently and uniformly sampled randomness. We will rely on the SXDH assumption to argue that they are indeed pseudorandom. The security analysis of the above scheme turns out to be quite complicated, and in fact for security to hold, the scheme needs to further pad the vectors \(\varvec{\chi }_l^d\) with zeros, serving as redundant space for hardwiring information in different hybrids in the security proof.
2.5 Simple Function Hiding IPE
As described above, our construction of degree-D FE crucially relies on a canonical function hiding IPE. However, known secret-key IPE schemes [12, 24, 44] do not have the canonical form; in particular, their decryption does not produce an encoding of the output inner product, but rather an encoding of the inner product masked by a scalar \(\theta \), together with an encoding that depends on \(\theta \), where the scalar \(\theta \) is determined by the randomness used in key generation and encryption. In this work, we give a construction of a canonical function hiding IPE. Our construction is extremely simple and may be of independent interest. We now summarize the idea of the construction in one paragraph.
Lin and Vaikuntanathan [44] give a simple transformation from IPE with weak function hiding to IPE with full function hiding. Our construction starts from the ABDP public key IPE scheme, whose secret key for a vector \({{\mathbf {y}}}\) reveals \({{\mathbf {y}}}\) and its inner product with the master secret key \(\left\langle {{{\mathbf {s}}}, {{\mathbf {y}}}} \right\rangle \) in the clear. To achieve weak function hiding, we need to hide \({{\mathbf {y}}}\). Our idea is to simply encrypt the secret key as an input vector using the ABDP scheme itself, with an independently sampled master secret key \({{\mathbf {s}}}'\) of length \(N+1\), which yields the new secret key \(\mathsf {iSK}'\). Recall that decryption of the ABDP scheme simply computes (homomorphically) the inner product between its secret key and ciphertext. Now that the original secret key is encrypted, we correspondingly encode the original ciphertext in a secret key using \({{\mathbf {s}}}'\), which gives the new ciphertext \(\mathsf{iCT}'\). Computing the “inner product” of \(\mathsf{iCT}'\) and \(\mathsf {iSK}'\) using the pairing simultaneously decrypts both “layers” of ABDP encryption, and produces exactly an encoding of the output inner product.
We have described the ideas underlying our FE and IO constructions; due to lack of space, we refer the reader to the full version [42] for their formal description and proofs. With a better view of the constructions and security proofs, we next revisit the topic of instantiating our schemes with known noisy multilinear map candidates in more detail.
2.6 On Instantiation with Noisy Multilinear Maps
As mentioned in the introduction, when replacing algebraic multilinear maps with noisy ones [21, 22, 26, 31, 39], the constructions work as-is, but not the security proofs. Nevertheless, the security proof can be modified into an ideal model proof, or a proof based on a family of more complex assumptions.
 1. The SXDH assumption does not hold on known noisy MMap candidates. Roughly speaking, a noisy multilinear map scheme can encode a ring element a and a label l with some noise. Let L be a set of labels that correspond to the set of source groups in algebraic MMaps. Translating the SXDH assumption to the noisy setting would require, for every label \(l \in L\), the distribution of randomly sampled encodings of a, b, ab with label l to be indistinguishable from that of a, b, r, for random ring elements a, b, r, even when low-level encodings of 1 with each label \(l \in L\) are published. Unfortunately, given these encodings of 1, known noisy MMap candidates can be completely broken.
 2. The security reduction uses the homomorphic scalar multiplication functionality of algebraic MMaps, which is not supported by current candidates.
The reason that encodings of 1 are needed in the assumption and homomorphic scalar multiplication is needed for the reduction is as follows. The security of the FE scheme is based on the SXDH assumption, via a security reduction that turns FE attackers into SXDH distinguishers. To do so, given a challenge sampled according to (one of the two distributions specified in) the SXDH assumption, our reduction internally simulates the view of the attacker in the FE security game, and appropriately embeds the challenge into the view. Since the challenge is “laconic”, containing only a constant number of encodings, to concoct the attacker’s view the reduction needs to (i) generate new encodings and (ii) randomize some encodings in the challenge for embedding. It does so using encodings of 1 in the challenge and homomorphic scalar multiplication. It seems (to us) that any reduction to a laconic and/or instance-independent assumption (i.e., one that is independent of the scheme and the attacker) necessarily needs the capabilities of generating and randomizing encodings. This is indeed the case for previous such reductions [33, 44], and they also require homomorphic scalar multiplication. Designing a reduction that does not rely on homomorphic scalar multiplication, or relies only on homomorphic scalar multiplication with small scalars, is an interesting open question.
Security Proofs to Non-laconic Assumptions, and in the Ideal MMap Model. The above problems can be eliminated if we give up on having a security reduction to a laconic and instance-independent assumption. In particular, our security proof presents a sequence of hybrids that gradually “morph” from one honest execution of the FE scheme to another (where the attacker receives secret keys and ciphertexts of different functions and inputs as specified in the security definition of FE). Each pair of neighboring hybrids defines an indistinguishability assumption that simply states that the attacker’s views in these two hybrids are indistinguishable, and the security of FE can be based on such a family of non-laconic and instance-dependent assumptions, without using encodings of 1 and homomorphic scalar multiplication. Such a security proof is non-trivial since the assumptions only require indistinguishability of distributions that are almost identical modulo the difference induced by switching a single DDH tuple to a random tuple. Moreover, since these assumptions hold in the ideal model, such a proof also gives a proof in the degree-5 ideal multilinear map model.
Instantiating the Construction with Noisy Multilinear Maps. We can instantiate our FE scheme with noisy MMaps, and correctness holds. The above-discussed issues w.r.t. the security proof do not appear when instantiating the construction. This is because the secret keys and ciphertexts of our FE scheme do not contain any low-level encodings of 0 or 1; in fact, they contain only encodings of large randomized elements, and its algorithms do not rely on homomorphic scalar multiplication. We note, however, that decryption may generate top-level encodings of 0 or 1 for correctness. It is unclear (to us) whether these instantiations are secure against known cryptanalytic attacks. We do not know whether known attacks can be adapted to break their security, nor do we have formal arguments that validate their security against known attacks. Obtaining a concrete attack or giving some formal proof, such as a security proof in the weak MMap model [29], are interesting open problems.
Footnotes
 1. The operation is according to some well-defined addition operation over the labels; for example, if labels are integers, \(+\) is integer addition, and if labels are sets, \(+\) is set union.
 2. For instance, if labels are sets, then two groups are pairable if their label-sets \(l_1, l_2\) are disjoint.
 3. Note that in both distributions, the same exponents a, b, r are used in all groups in S.
 4.
 5. Such IPEs should be contrasted with functional encryption for testing the orthogonality of two vectors (see, e.g., [38, 40] and many others), which reveals only whether the inner product is zero and nothing else. In particular, they do not compute the inner product in the exponent in a way that allows for further computation, which is needed for our quadratic FE construction.
 6. A non-black-box security reduction may get around this difficulty, but it is unclear how one can design a non-black-box reduction here.
Notes
Acknowledgements
The author thanks Benny Applebaum, Nir Bitansky, Stefano Tessaro, and Vinod Vaikuntanathan for many helpful and insightful discussions.
References
 1. Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_33
 2. Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 308–326. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_15
 3. Ananth, P., Jain, A., Sahai, A.: Achieving compactness generically: indistinguishability obfuscation from non-compact functional encryption. IACR Cryptology ePrint Archive, vol. 2015, p. 730 (2015)
 4. Ananth, P., Sahai, A.: Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 152–181. Springer, Cham (2017). doi:10.1007/978-3-319-56620-7_6
 5. Ananth, P.V., Gupta, D., Ishai, Y., Sahai, A.: Optimizing obfuscation: avoiding Barrington’s theorem. In: ACM CCS 2014, Scottsdale, AZ, USA, pp. 646–658, 3–7 November 2014
 6. Apon, D., Döttling, N., Garg, S., Mukherjee, P.: Cryptanalysis of indistinguishability obfuscations of circuits over GGH 2013. In: ICALP 2017. LNCS. Springer, Heidelberg (2017)
 7. Applebaum, B., Brakerski, Z.: Obfuscating circuits via composite-order graded encoding. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 528–556. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46497-7_21
 8. Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC\(^{0}\). In: FOCS, pp. 166–175 (2004)
 9. Barak, B., Brakerski, Z., Komargodski, I., Kothari, P.K.: Limits on low-degree pseudorandom generators (or: sum-of-squares meets program obfuscation). Cryptology ePrint Archive, Report 2017/312 (2017). http://eprint.iacr.org/2017/312
 10. Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_13
 11. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_1
 12. Bishop, A., Jain, A., Kowalczyk, L.: Function-hiding inner product encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 470–491. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_20
 13. Bitansky, N., Nishimaki, R., Passelègue, A., Wichs, D.: From cryptomania to obfustopia through secret-key functional encryption. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 391–418. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53644-5_15
 14. Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation from functional encryption. In: IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, 17–20 October 2015, Berkeley, CA, USA, pp. 171–190 (2015)
 15. Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324, 71–90 (2002)
 16. Boneh, D., Wu, D.J., Zimmerman, J.: Immunizing multilinear maps against zeroizing attacks. Cryptology ePrint Archive, Report 2014/930 (2014). http://eprint.iacr.org/2014/930
 17. Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 1–25. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54242-8_1
 18. Chen, Y., Gentry, C., Halevi, S.: Cryptanalyses of candidate branching program obfuscators. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 278–307. Springer, Cham (2017). doi:10.1007/978-3-319-56617-7_10
 19. Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_1
 20. Coron, J.-S., et al.: Zeroizing without low-level zeroes: new MMAP attacks and their limitations. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 247–266. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_12
 21. Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_26
 22. Coron, J.-S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 267–286. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_13
 23. Cryan, M., Miltersen, P.B.: On pseudorandom generators in NC\(^{0}\). In: Sgall, J., Pultr, A., Kolman, P. (eds.) MFCS 2001. LNCS, vol. 2136, pp. 272–284. Springer, Heidelberg (2001). doi:10.1007/3-540-44683-4_24
 24. Datta, P., Dutta, R., Mukhopadhyay, S.: Functional encryption for inner product with full function privacy. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 164–195. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49384-7_7
 24.Datta, P., Dutta, R., Mukhopadhyay, S.: Functional encryption for inner product with full function privacy. In: Cheng, C.M., Chung, K.M., Persiano, G., Yang, B.Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 164–195. Springer, Heidelberg (2016). doi: 10.1007/9783662493847_7 CrossRefGoogle Scholar
 25.Döttling, N., Garg, S., Gupta, D., Miao, P., Mukherjee, P.: Obfuscation from low noise multilinear maps. Cryptology ePrint Archive, Report 2016/599 (2016). http://eprint.iacr.org/2016/599
 26.Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). doi: 10.1007/9783642383489_1 CrossRefGoogle Scholar
 27.Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, 26–29 October 2013, Berkeley, CA, USA, pp. 40–49 (2013)Google Scholar
 28.Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Functional encryption without obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 480–511. Springer, Heidelberg (2016). doi: 10.1007/9783662490990_18 CrossRefGoogle Scholar
 29.Garg, S., Miles, E., Mukherjee, P., Sahai, A., Srinivasan, A., Zhandry, M.: Secure obfuscation in a weak multilinear map model. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 241–268. Springer, Heidelberg (2016). doi: 10.1007/9783662536445_10 CrossRefGoogle Scholar
 30.Garg, S., Mukherjee, P., Srinivasan, A.: Obfuscation without the vulnerabilities of multilinear maps. IACR Cryptology ePrint Archive, vol. 2016, p. 390 (2016)Google Scholar
 31.Gentry, C., Gorbunov, S., Halevi, S.: Graphinduced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). doi: 10.1007/9783662464977_20 CrossRefGoogle Scholar
 32.Gentry, C., Halevi, S., Maji, H.K., Sahai, A.: Zeroizing without zeroes: cryptanalyzing multilinear maps without encodings of zero. Cryptology ePrint Archive, Report 2014/929 (2014). http://eprint.iacr.org/2014/929
 33.Gentry, C., Lewko, A.B., Sahai, A., Waters, B.: Indistinguishability obfuscation from the multilinear subgroup elimination assumption. In: Guruswami [36], pp. 151–170 (2015)Google Scholar
 34.Goldreich, O.: Candidate oneway functions based on expander graphs. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 7, no. 90 (2000)Google Scholar
 35.Goldwasser, S., et al.: Multiinput functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014). doi: 10.1007/9783642552205_32 CrossRefGoogle Scholar
 36.Guruswami, V. (ed.) IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, 17–20 October 2015. IEEE Computer Society, Berkeley (2015)Google Scholar
 37.Ishai, Y., Kushilevitz, E.: Perfect constantround secure computation via perfect randomizing polynomials. In: Widmayer, P., Eidenbenz, S., Triguero, F., Morales, R., Conejo, R., Hennessy, M. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 244–256. Springer, Heidelberg (2002). doi: 10.1007/3540454659_22 CrossRefGoogle Scholar
 38.Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). doi: 10.1007/9783540789673_9 CrossRefGoogle Scholar
 39.Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014). doi: 10.1007/9783642552205_14 CrossRefGoogle Scholar
 40.Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attributebased encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). doi: 10.1007/9783642131905_4 CrossRefGoogle Scholar
 41.Lin, H.: Indistinguishability obfuscation from constantdegree graded encoding schemes. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 28–57. Springer, Heidelberg (2016). doi: 10.1007/9783662498903_2 CrossRefGoogle Scholar
 42.Lin, H.: Indistinguishability obfuscation from DDH on 5linear maps and locality5 PRGs. Cryptology ePrint Archive, Report 2016/1096 (2016). http://eprint.iacr.org/2016/1096
 43.Lin, H., Tessaro, S.: Indistinguishability obfuscation from trilinear maps and blockwise local PRGs. In: CRYPTO 2017 (2017, to appear)Google Scholar
 44.Lin, H., Vaikuntanathan, V.: Indistinguishability obfuscation from DDHlike assumptions on constantdegree graded encodings. In: IEEE 57th Annual Symposium on Foundations of Computer Science, FOCS 2016, New Brunswick, NJ, USA, 9–11 October 2016Google Scholar
 45.Lombardi, A., Vaikuntanathan, V.: On the nonexistence of blockwise 2local PRGs with applications to indistinguishability obfuscation. Cryptology ePrint Archive, Report 2017/301 (2017). http://eprint.iacr.org/2017/301
 46.Miles, E., Sahai, A., Zhandry, M.: Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13. IACR Cryptology ePrint Archive, vol. 2016, p. 147 (2016)Google Scholar
 47.Mossel, E., Shpilka, A., Trevisan, L.: On ebiased generators in NC0. In: 44th Symposium on Foundations of Computer Science (FOCS 2003), 11–14 October 2003, Cambridge, MA, USA, Proceedings, pp. 136–145 (2003)Google Scholar
 48.O’Donnell, R., Witmer, D.: Goldreich’s PRG: evidence for nearoptimal polynomial stretch. In: IEEE 29th Conference on Computational Complexity, CCC 2014, Vancouver, BC, Canada, 11–13 June 2014, pp. 1–12 (2014)Google Scholar
 49.Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semanticallysecure multilinear encodings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 500–517. Springer, Heidelberg (2014). doi: 10.1007/9783662443712_28 CrossRefGoogle Scholar
 50.Rothblum, R.D.: On the circular security of bitencryption. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 579–598. Springer, Heidelberg (2013). doi: 10.1007/9783642365942_32 CrossRefGoogle Scholar
 51.Yao, A.C.: Protocols for secure computations (extended abstract). In: 23rd Annual Symposium on Foundations of Computer Science, 3–5 November 1982, Chicago, Illinois, USA, pp. 160–164 (1982)Google Scholar
 52.Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167 (1986)Google Scholar
 53.Zimmerman, J.: How to obfuscate programs directly. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 439–467. Springer, Heidelberg (2015). doi: 10.1007/9783662468036_15 Google Scholar