Indistinguishability Obfuscation from Trilinear Maps and Block-Wise Local PRGs
Abstract
We consider the question of finding the lowest degree L for which L-linear maps suffice to obtain IO. The current state of the art (Lin, EUROCRYPT ’16, CRYPTO ’17; Lin and Vaikuntanathan, FOCS ’16; Ananth and Sahai, EUROCRYPT ’17) is that L-linear maps (under suitable security assumptions) suffice for IO, assuming the existence of pseudorandom generators (PRGs) with output locality L. However, these works cannot answer the question of whether \(L < 5\) suffices, as no polynomial-stretch PRG with locality lower than 5 exists.

A construction of a general-purpose indistinguishability obfuscator from L-linear maps and a subexponentially-secure PRG with block-wise locality L and polynomial stretch.

A construction of general-purpose functional encryption from L-linear maps and any slightly super-polynomially secure PRG with block-wise locality L and polynomial stretch.
All our constructions are based on the SXDH assumption on L-linear maps and subexponential Learning With Errors (LWE) assumption, and follow by instantiating our new generic bootstrapping theorems with Lin’s recently proposed FE scheme (CRYPTO ’17). Inherited from Lin’s work, our security proof requires algebraic multilinear maps (Boneh and Silverberg, Contemporary Mathematics), whereas security when using noisy multilinear maps is based on a family of more complex assumptions that hold in the generic model.
Our candidate PRGs with block-wise locality are based on Goldreich’s local functions, and we show that the security of instantiations with block-wise locality \(L \ge 3\) is backed by similar validation as constructions with (conventional) locality 5. We further complement this with hardness amplification techniques that further weaken the pseudorandomness requirements.
1 Introduction
Indistinguishability obfuscation (IO), first defined in the seminal work of Barak et al. [16], aims to obfuscate functionally equivalent programs into indistinguishable ones while preserving functionality. IO is an extraordinarily powerful object that has been shown to enable a large set of new cryptographic applications. All existing IO constructions [4, 5, 10, 15, 24, 36, 39, 41, 45, 52, 53, 56, 63, 65] rely on multilinear maps or graded encodings. In particular, the power of an L-linear map – first made explicit by Boneh and Silverberg [23] – stems from the fact that it essentially allows one to evaluate degree-L polynomials on secret encoded values, and to test whether the output of such polynomials is zero or not.
The case \(L = 2\) corresponds to bilinear maps, which can be efficiently instantiated from elliptic curves. In contrast, the instantiation of L-linear maps with \(L \ge 3\) has turned out to be a far more challenging problem. Garg et al. [38] proposed in particular noisy (i.e., approximate) versions of L-linear maps for \(L \ge 3\), and gave the first candidate construction. Unfortunately, vulnerabilities [6, 27, 28, 31, 59] were later demonstrated against this and subsequent candidates [32, 33, 44, 51]. Of course, this does not mean that the resulting constructions are insecure. In fact, this has motivated the search for IO constructions which withstand all existing attacks [41].
IO from Low-Degree Multilinear Maps. This paper addresses the problem of finding the smallest L such that degree-L multilinear maps are sufficient for constructing IO. This fits within the more general goal of ultimately assessing whether bilinear maps are sufficient. While first-generation IO constructions all required polynomial-degree multilinear maps, a series of recent works [4, 52, 53, 56] reduced the required degree to \(L = 5\), assuming the existence of PRGs with output locality 5 and subexponential LWE, and under suitable assumptions on the 5-linear maps. However, these works left open the question of whether multilinear maps with degree \(L < 5\) are sufficient.
Further reducing the degree is important. On the one hand, if IO can be achieved from bilinear maps, this is going to take us one step closer. On the other hand, even if bilinear maps would not suffice, it is potentially easier to find secure algebraic instantiations for low degree multilinear maps. Moreover, we want to understand the precise power these maps would enable.
Our Contributions, in a Nutshell. This paper presents a new paradigm for IO constructions which admits instantiations with L-linear maps for \(L \ge 3\), provided the SXDH assumption holds for the L-linear map. While this falls short of achieving IO from bilinear maps, our result shifts the focus on the fact that the gap between two and three-linear maps is a seemingly fundamental barrier to be overcome. In particular, under the assumptions needed for our construction to be secure, this shows that building three-linear maps is as difficult as getting full-blown IO.
We fundamentally rely on the recent line of works on building IO from constant-degree multilinear maps [4, 52, 53, 56], which all rely on so-called local pseudorandom generators (PRGs) – a PRG with locality L has every output bit depend on L input bits. It is known that if PRGs with locality L and polynomial stretch exist, then IO can be constructed from L-linear maps [4, 53]. Unfortunately, we do not even have locality-4 (polynomial stretch) PRGs [34, 60], and candidate PRGs only exist starting from locality 5 [47, 60, 61]. To circumvent the lower bound on PRG locality, we propose a new, relaxed, notion of locality, called block-wise locality. We build upon Lin’s [53] recent IO construction, but show that in order to obtain IO from L-linear maps, it suffices to use PRGs with block-wise locality L. As we will discuss below, such PRGs can exist for L as low as three.
Block-Wise Locality and IO. We say that a PRG mapping \(n\times \ell \) input bits to m output bits has block-wise locality L and block-size \(\ell \), if when viewing its input (i.e., the seed) as a matrix of \(n\times \ell \) bits, every output bit depends on at most L columns in the matrix (as opposed to L input bits), as depicted in Fig. 1. Observe that the actual locality of such PRGs can go up to \(L\times \ell \), yet, it has the special structure that all these input bits come from merely L input columns. This special structure is the key feature that allows for replacing local PRGs with block-wise local PRGs, in the following applications.

Application I: If there exists a subexponentially-secure PRG with block-wise locality L, and any block-size Open image in new window , then we can construct general-purpose IO from L-linear maps.

Application II: If the block-wise local PRG is only slightly super-polynomially secure, we can still build special-purpose IO for circuits with super-logarithmic length inputs, which implies full-fledged Functional Encryption (FE), from L-linear maps.
Concurrently, we investigate the existence of block-wise local PRGs. In particular, we propose candidates following the common paradigm for candidate local PRGs [7, 12, 34, 60, 61], which are variants of Goldreich’s functions [46]. We simply replace every PRG input bit with a column of \(\ell \) input bits. Such a block-wise local PRG is parameterized by a bipartite expander graph and a predicate (or potentially a set of predicates) over \(L \times \ell \) input bits. We discuss the security of these candidates, against known attacks, in relation to the choice of graph and predicate. Furthermore, aiming at weakening the assumption on our candidates, we present two hardness amplification techniques that amplify respectively the weaker next-bit-unpredictability property and pseudo-min-entropy generation property to different levels of pseudorandomness guarantees.
Instantiating the Underlying Multilinear Maps. We note that the results of this paper, per se, are merely new bootstrapping theorems, which do not rely, by themselves, on multilinear maps. More specifically, we show how to bootstrap a FE scheme for computing degree-L polynomials to an IO scheme, using a PRG with block-wise locality L, and then rely on Lin’s [53] FE construction. Some remarks on instantiations of the underlying multilinear maps are in order.
Concretely, the FE scheme from [53] relies on algebraic L-linear maps, for which to date no candidate for \(L \ge 3\) is known to exist. The alternative approach would be to instantiate them with existing noisy multilinear-map candidates. As discussed in [53, Sect. 2.6], the existing proof would however fail in this case, in addition to the SXDH assumption itself being false on existing noisy multilinear-map candidates. Still, a proof for ideal multilinear maps would be valid, but it is not known whether (1) existing cryptanalytic attacks can be adapted to break a construction, or (2) whether a proof in a weak ideal model as in [41] is possible.
Background on Previous Versions of This Work. In a previous version of this paper, we incorrectly claimed that our approach can be extended to bilinear maps. Two subsequent works, one by Barak et al. [14], the other by Lombardi and Vaikuntanathan [57], have presented attacks against PRGs with block-wise locality two. Strictly speaking, these results leave a narrow window of expansion factors open where block-wise PRGs could exist, but we are not aware whether our approach could be modified to use such low-stretch PRGs, or whether the attacks can be extended. We discuss these results more in detail further below in Sect. 1.3.
In contrast, attacks for \(L \ge 3\) appear out of reach, as our assumption is implied by that made by recent works in the area of local PRGs and PRFs, c.f. e.g. the pseudorandomness assumptions from the recent work by Applebaum and Raykov [13], and in fact, our amplification results show that even less needs to be achieved by the local function.
1.1 Block-Wise Locality
A \((n\times \ell , m)\)-PRG maps \(n\times \ell \) input bits to m output bits. As introduced above, a PRG has block-wise locality L and block-size \(\ell \), if when viewing the input as a \(n\times \ell \) matrix, every output bit depends on input bits in at most L columns. Such a function is fully specified by the input-output dependency graph G describing which input columns each output bit depends on, and the set of predicates \(\{P_j\}_{j \in [m]}\) that each output bit is evaluated through.
In all our applications, we consider block-wise local PRGs with sufficiently large polynomial input- and output-lengths, n and m (in the security parameter \(\lambda \)) and logarithmic block-size \(\ell = O(\log (\lambda ))\). In this setting, a PRG has polynomial-stretch if \(m = n^{1+\alpha }\) for some positive constant \(\alpha > 0\). For convenience, below we assume such parameters are fixed in our discussion.
When compared with traditional local PRGs (which can be thought as the special case with block size \(\ell = 1\)), the advantage of block-wise local PRGs is that while they will still permit instantiations with L-linear maps in our applications, their output bits depend on \(L \times \ell \) input bits, and hence we can use more complex, say logarithmic-degree, predicates. For this reason, known lower bounds on the locality of PRGs do not apply to block-wise locality, even when \(L < 5\), when the block size satisfies \(\ell = \varOmega (\log (\lambda ))\). Effectively, such PRGs can be seen as operating on input symbols with polynomial alphabet size. Moreover, the lower bounds in [34, 60] show that for conventional locality, PRGs with polynomial stretch require \(L \ge 5\), but they crucially rely on the fact that any locality-4 predicate is correlated with two of its input bits to rule out the existence of locality-4 PRGs. In contrast, a PRG with block-wise locality L can use predicates that depend on \(L\log \lambda \) input bits; setting the predicate to be uncorrelated with any subset of \(\log \lambda \) input bits circumvents the lower bound argument in [34, 60].
Block-Wise Local PRGs via Local PRGs. Every function with block-wise locality L and block size \(\ell \) is a function with locality \(L\ell \). Therefore, the rich literature on the security of Goldreich’s local functions (see Applebaum’s survey [8]) provides guidelines on how to choose candidate block-wise local PRGs, more specifically, the dependency graph G and predicates \(\{P_j\}\). In particular, the graph G should be (k, c)-expanding, i.e., every subset of \(k' \le k\) output bits depends on at least \(c\times k'\) input columns, for appropriately large k and c. We show that for \(L \ge 3\), a large \(1-o(1)\) fraction of graphs G is \((n^{1-\eta }, (1-\eta )L)\)-expanding. This in turn means that we can think of this as an instance of Goldreich’s function with locality \(L\ell \) built from a graph which is \((n^{1-\eta }, (1-\eta )L\ell )\)-expanding, thus taking us back to the classical setting studied in the literature.
Using this analogy, we can show for example that for block-wise locality 3 and block size 2, for most graphs G, the resulting function withstands all linear attacks with subexponential bias \(\epsilon \) when using the predicate outputting \(x_1^0 \oplus x_2^0 \oplus x_3^0 \oplus (x_1^1 \wedge x_2^1)\) on input three columns \((x_1^0, x_1^1), (x_2^0, x_2^1), (x_3^0, x_3^1)\). This is a criterion that has been adopted so far to validate PRG security of local functions.
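The block-wise locality 3, block size 2 function with the predicate above, written out as an added example (not code from the paper). The seed layout, the function names and the toy sizes n = 16, m = 40 are assumptions; the checks show which input bits the predicate actually uses, that it stays balanced when any two columns are fixed, and that each output bit reacts only to the columns named by its hyperedge.

```python
import itertools
import random

L, ELL = 3, 2  # block-wise locality and block size of the passage's example
BLOCKS = list(itertools.product((0, 1), repeat=ELL))  # all values of one column


def predicate(cols):
    """x1^0 XOR x2^0 XOR x3^0 XOR (x1^1 AND x2^1) on three 2-bit columns."""
    (a0, a1), (b0, b1), (c0, _unused) = cols
    return a0 ^ b0 ^ c0 ^ (a1 & b1)


def evaluate(seed, graph):
    """seed: n columns of ELL bits; graph: m hyperedges, each L column indices."""
    return [predicate(tuple(seed[i] for i in edge)) for edge in graph]


def influential_bits():
    """(column, row) positions of the predicate input whose flip can change it."""
    found = set()
    for cols in itertools.product(BLOCKS, repeat=L):
        for c, r in itertools.product(range(L), range(ELL)):
            flipped = [list(col) for col in cols]
            flipped[c][r] ^= 1
            if predicate(tuple(map(tuple, flipped))) != predicate(cols):
                found.add((c, r))
    return found


def max_conditional_bias(fixed):
    """Largest |Pr[P = 1] - 1/2| over all assignments to the columns in `fixed`."""
    free = [c for c in range(L) if c not in fixed]
    worst = 0.0
    for fixed_vals in itertools.product(BLOCKS, repeat=len(fixed)):
        ones = 0
        for free_vals in itertools.product(BLOCKS, repeat=len(free)):
            cols = [None] * L
            for c, v in zip(fixed, fixed_vals):
                cols[c] = v
            for c, v in zip(free, free_vals):
                cols[c] = v
            ones += predicate(tuple(cols))
        worst = max(worst, abs(ones / len(BLOCKS) ** len(free) - 0.5))
    return worst


def respects_block_locality(seed, graph):
    """Flip every seed bit; an output may change only if its edge names that column."""
    base = evaluate(seed, graph)
    for i, r in itertools.product(range(len(seed)), range(ELL)):
        col = list(seed[i])
        col[r] ^= 1
        mutated = list(seed)
        mutated[i] = tuple(col)
        out = evaluate(mutated, graph)
        if any(out[j] != base[j] and i not in graph[j] for j in range(len(graph))):
            return False
    return True


def toy_instance(n=16, m=40, rng_seed=1):
    """Constructed toy seed and random hypergraph (sizes are illustrative only)."""
    rng = random.Random(rng_seed)
    graph = [tuple(rng.randrange(n) for _ in range(L)) for _ in range(m)]
    seed = [tuple(rng.randrange(2) for _ in range(ELL)) for _ in range(n)]
    return seed, graph


if __name__ == "__main__":
    seed, graph = toy_instance()
    print("output bits:", "".join(map(str, evaluate(seed, graph))))
    print("influential (column, row) positions:", sorted(influential_bits()))
    print("bias with columns 0 and 2 fixed:", max_conditional_bias((0, 2)))
    print("block-wise locality respected:", respects_block_locality(seed, graph))
```

The predicate reads five of its six input bits, so its conventional locality is 5 while its block-wise locality is 3.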
Moving even one step further, Applebaum and Raykov [13] recently postulated the following (even stronger) pseudorandomness assumption on functions with logarithmic locality:
Assumption 1
(Informal). For locality \(D = O(\log \lambda )\), and arbitrary polynomial output length \(m = n^{1 + \alpha }\), there exists a suitable predicate, \(P'\), such that, for any dependency graph \(G'\) that is \((n^{1-\eta }, (1-\eta )D)\)-expanding for some \(0< \eta < 1/2\), the locality-D function specified by \(P'\) and \(G'\) is \(2^{-n^{1-\eta }}\)-pseudorandom against \(2^{n^{1-\eta }}\)-time distinguishers.
In our setting, for block-wise locality \(L \ge 3\) and block-size \(\log \lambda \), we show that when choosing the dependency graph G at random, the obtained block-wise local function can be thought as a function with locality \(D = L\log \lambda \) satisfying the properties specified by the Applebaum-Raykov assumption, with \(1-o(1)\) probability. In particular, such functions withstand myopic inversion attacks (cf. e.g. [30]). In fact, our applications only need pseudorandomness to hold for output length \(m = n^{1+\alpha }\) for some arbitrarily small constant \(\alpha > 0\), and against polynomial time attackers, thus a much weaker requirement than what is guaranteed by the Applebaum-Raykov assumption.
For the case \(L = 2\), the assumption that a block-wise local PRG exists is not backed by any of the past results, and indeed, recent works (following up on an earlier version of this paper) show that block-wise local PRGs with sufficient stretch do not exist. We discuss this further below in Sect. 1.3.

Amplification Technique I: produces a PRG construction with quasi-polynomial indistinguishability-gap (to polynomial-time distinguishers), from any unpredictable generator satisfying just polynomial next-bit unpredictability (i.e., the probability of predicting any output bit given previous output bits is at most Open image in new window , albeit for predictors in quasi-polynomial time). Though such PRGs are not strong enough for constructing IO, it suffices for constructing FE from L-linear maps; see the next section.

Amplification Technique II: produces a PRG construction with subexponential indistinguishability-gap, from certain special pseudo-min-entropy generator whose output has sufficiently-high pseudo-min-entropy.
1.2 From Block-Wise Locality to IO and FE
We now move to an overview of our constructions from block-wise local PRGs.
IO from Subexponentially Secure Block-Wise-Local PRGs. Recent IO constructions from low-degree multilinear maps [4, 53, 56] follow a common two-step approach: They first implement appropriate FE schemes, and then transform them into an IO scheme; we refer to the second step as the (FE-to-IO) bootstrapping step. In more detail, they use locality-L PRGs in the bootstrapping step in order to start with FE schemes that support only computation of degree-L polynomials; they then show that such FE schemes can be constructed from L-linear maps. In this work, following the blueprint and technique in [53], we show how to replace the use of local PRGs with block-wise local PRGs within the bootstrapping step.
Theorem 1

Public-key fully-selectively-secure (collusion-resistant) FE for degree-L polynomials whose encryption time is linear in the input length (i.e., \({\mathrm {poly}}(\lambda )N\)); or with a secret-key FE scheme with the same properties, assuming additionally the subexponential hardness of LWE with subexponential modulus-to-noise ratio.

a PRG with block-wise locality L, block-size \(\log \lambda \), and \(n^{1+\alpha }\)-stretch for some positive constant \(\alpha \).
The type of secret-key FE schemes for degree-L polynomials needed above was constructed by Lin [53] assuming the SXDH assumption on L-linear maps.
Theorem 2
[53]. Let L be any positive integer. Assuming the SXDH assumption on asymmetric L-linear maps, there is a construction of secret-key fully-selectively-secure (collusion-resistant) FE schemes for degree-L polynomials whose encryption time is linear in the input length (i.e., \({\mathrm {poly}}(\lambda )N\)). Moreover, the security reduction has a polynomial security loss.
Therefore, combining our new bootstrapping theorem with Lin’s FE construction, we obtain IO from the subexponential SXDH assumption on L-linear maps, subexponentially-secure PRG with block-wise locality L, and subexponential LWE.
The Power of Super-Polynomially Secure Block-Wise Local PRGs. While constructing full-fledged IO for all polynomial-sized programs requires block-wise local PRGs with subexponential security, we ask what can be built from PRGs with weaker (slightly) super-polynomial security. In particular, such PRGs can be obtained using the aforementioned amplification technique I, from an unpredictable generator satisfying just polynomial next-bit unpredictability. To this end, we first give a parameterized version of Theorem 1 showing that if the PRG and L-linear maps are \((2^{-{\mathrm {i}\ell }}\mathrm {negl})\)-secure, then we can build IO schemes for circuits with \({\mathrm {i}\ell }\)-bit inputs.
Theorem 3
(Parameterized version of Theorem 1). Let L be any positive integer. Then, there is a construction of IO for the class of polynomial-sized circuits with \({\mathrm {i}\ell }\)-bit inputs from the same primitives as in Theorem 1, and if FE and PRG are \((2^{-({\mathrm {i}\ell }+{\kappa })}\mathrm {negl})\)-secure, the resulting IO scheme is \((2^{-{\kappa }}\mathrm {negl})\)-secure.

Type 1: Applications where IO is used to obfuscate a circuit with short inputs. For instance, for building FHE without relying on circular security [25], and constructing succinct randomized encoding for bounded space Turing machines [17]. In these applications, IO is used to obfuscate a circuit that receives as input an index from an arbitrary polynomial range.

Type 2: Applications where the input length of the obfuscated circuit is determined by the security parameter of some other primitive. Then, by assuming exponential security of the other primitive, the input length can be made poly-logarithmic. For instance, as observed in [18, 50], in the construction of public key encryption from one-way functions via IO, if assuming exponentially secure one-way functions, then IO for circuits with \(\omega (\log \lambda )\)-bit inputs suffices for the application.
We further show that IO for circuits with super-logarithmic length inputs implies full-fledged functional encryption.
Theorem 4
(Functional Encryption from \(\omega (\log \lambda )\)-Input IO). Let \({\mathrm {i}\ell }\) be any super-logarithmic polynomial, that is, \({\mathrm {i}\ell }= \omega (\log \lambda )\). Assume IO for the class of polynomial-sized circuits with \({\mathrm {i}\ell }\)-bit inputs and public key encryption, both with \((2^{-{\mathrm {i}\ell }}\mathrm {negl})\)-security. Then, there exists collusion resistant (compact) public-key functional encryption for \({\mathsf {P/poly}}\), satisfying adaptive-security.
Combining the above two theorems, we immediately have that the existence of a PRG with block-wise locality L and L-linear maps, both with slightly super-polynomial security (and assuming subexponential LWE), implies the existence of full-fledged functional encryption, and all its applications, including, for instance, non-interactive key exchange (NIKE) for unbounded users [43], trapdoor permutations [43], PPAD hardness [19, 42], publicly-verifiable delegation schemes in the CRS model [62], and secure traitor tracing scheme [22, 29, 39], which further implies hardness results in differential privacy [37, 64].
1.3 Subsequent Works
Two recent works by Lombardi and Vaikuntanathan (LV) [57], and Barak, Brakerski, Komargodski, and Kothari (BBKK) [14] essentially rule out the existence of PRGs with block-wise locality \(L = 2\), except for a very narrow window of expansion, as we explain next.
The LV Attack. The LV attack considers generators whose output bits are evaluated using the same predicate P, and whose dependency graph G is chosen at random. LV show that for any predicate P and a \(1-o(1)\) fraction of the graphs, the output can be efficiently distinguished from random, if its length reaches Open image in new window , where recall that \(\ell \) is the block size. Their attack relies on two important ingredients. The first ingredient consists of techniques for refuting random L-CSPs over large q-ary alphabets, which corresponds to PRGs with block-wise locality-L and block-size \(\ell = \log q\). Allen, O’Donnell, and Witmer [1] presented an efficient algorithm for this, which succeeds when the number of constraints is roughly Open image in new window , where \(\varepsilon \) controls the “quality” of refutation. The second ingredient is a novel structural lemma showing that any locality-2 balanced predicate P over alphabet \(\mathbb {Z}_q\) must be \((1/2 + O(1)/\sqrt{q})\)-correlated with a locality-2 predicate Q over the constant-sized alphabet \(\mathbb {Z}_{16}\). Roughly speaking, to distinguish the output of a PRG with predicate P, they apply the refutation technique on CSPs w.r.t. the predicate Q correlated with P. This allows them to rule out PRGs with output length as short as Open image in new window .
The BBKK Attack. BBKK considered the more general case where the generators use an arbitrary set of predicates \(\{P_j\}\) and arbitrary dependency graph G. They show that PRGs with block-wise locality 2 and output length Open image in new window do not exist. The bound on the output length can be improved to Open image in new window for the case where G is randomly chosen, and so is the predicate (in particular, the predicate is the same for all output bits). In fact, they proved a more general lower bound: There is no PRG whose outputs are evaluated using polynomials of degree at most d involving at most s monomials, and of output length \(\tilde{O}(s n^{\lceil d/2\rceil })\). Note that every block-wise locality L PRG can be written as such a generator, with \(n 2^{\ell }\) input bits, and using polynomials of degree L and at most \(2^{L\ell }\) monomials. Their result is based on semidefinite programming and in particular the sum of squares (SOS) hierarchy.
LV and BBKK essentially rule out the existence of PRGs with block-wise locality 2, except for the corner case where the generator can use a set of different predicates \(\{P_j\}\), a specific or random graph, and the output length is \(\tilde{O}(n 2^{(1+\varepsilon )\ell })\), for some \(0< \varepsilon < 1\). However, it is unclear to us whether PRGs with such small expansion are sufficient for constructing IO, or whether the attacks can be extended to cover this case.
Outline of This Paper
Section 2 discusses candidate constructions of block-wise local PRGs. Section 3 discusses our bootstrapping method using block-wise local PRGs. Finally, in Sect. 4, we discuss constructions of functional-encryption schemes.
Further, the paper employs standard notation and terminology on functional encryption and IO. We refer the reader to the full version for the complete formalism [55].
2 Block-Wise Local PRGs
In this section, we introduce the notion of a block-wise local PRG. We start with formal definitions, in Sect. 2.1, which we refer to throughout the rest of the paper. Then, the remaining subsections will discuss a graph-based framework for block-wise local functions, and discuss candidates.
2.1 Pseudorandom Generators, Locality, and Block-Wise Locality
We review the notion of a PRG family, and its locality.
Definition 1
 Syntax:

For every \(\lambda \in \mathbb {N} \), every \(\mathrm {PRG}\) in the support of \(\mathbf{PRG}_\lambda \) defines a function mapping \(n(\lambda )\) bits to \(m(\lambda )\) bits.
 Efficiency:

There is a uniform Turing machine M satisfying that for every \(\lambda \in \mathbb {N} \), every \(\mathrm {PRG}\) in the support of \(\mathbf{PRG}_\lambda \), and every \(x \in \{0,1\}^{n(\lambda )}\), \(M(\mathrm {PRG}, x) = \mathrm {PRG}(x)\).
 \(\mu \)-Indistinguishability:
 The following ensembles are \(\mu \)-indistinguishable
Definition 2
(Block-Wise Locality of PRGs). Let n, m, L, and \(\ell \) be polynomials. We say that a family of \((n(\lambda )\ell (\lambda ),m(\lambda ))\)-PRGs has block-wise locality-\((L(\lambda ),\ell (\lambda ))\) if for every \(\lambda \) and every \(\mathrm {PRG}\) in the support of \(\mathbf{PRG}_\lambda \), inputs of \(\mathrm {PRG}\) are viewed as \(n(\lambda )\times \ell (\lambda )\) matrices of bits, and every output bit of \(\mathrm {PRG}\) depends on input bits contained in at most \(L(\lambda )\) columns.
2.2 Graph-Based Block-Wise Local Functions
In this section, we discuss candidate PRGs with block-wise locality d, where d can be as small as two. Here, we start with the notational framework and then move on to discussing concrete assumptions on them in Sect. 2.3.
Goldreich’s Function. We will consider local functions based on Goldreich’s construction [46], which have been the subject of extensive study (cf. e.g. Applebaum’s survey [8]).
Recall first that an [n, m, d]-hypergraph is a collection \(G = (S_1, \ldots , S_m)\) where the hyperedges \(S_i\) are elements of \([n]^d\), i.e., \(S_i = (i_1, \ldots , i_d)\), where \(i_j \in [n]\) (note that we allow for potential repetitions, merely for notational convenience). We use hypergraphs to build functions as follows.
Definition 3
Functions with Block-Wise Locality. We want to extend the notation used above to consider the case where an edge of G does not solely give a pointer to individual bits to be injected in the computation, but rather, to “chunks” consisting of \(\ell \)-bit strings, and the predicate is applied to the concatenation of these bits. The resulting function clearly then satisfies block-wise locality d with block size \(\ell \).
Definition 4
Expansion Properties. In general, we will want to instantiate our framework with functions where the base graph G is a good expander graph. Recall the following.
Definition 5
\(G = (S_1, \ldots , S_m)\) is a (k, c)-expander (or, equivalently, is (k, c)-expanding) if for all sets \(J\,\subseteq \,[m]\) with \(|J| \le k\), we have \(|\bigcup _{j \in J} S_j| \ge c\cdot |J|\).
Ideally, we will want in fact \(\overline{G}\) to be a good expander (in order to resort to a large body of analyses for such functions). This will follow by making the base graph a good expander. In particular, the following simple fact stems from the observation that when going from G to \(\overline{G}\), we have \(|\overline{S}_j| = \ell |S_j|\), and hence the (relative) expansion factors of G and \(\overline{G}\) are identical.
Lemma 1
Let G be an [n, m, d]-hypergraph which is \((k, (1-\gamma )d)\)-expanding. Then, for any block-size \(\ell \), the resulting \([n \cdot \ell , m, d\ell ]\)-hypergraph \(\overline{G}\) is \((k, (1-\gamma ) d\ell )\)-expanding.
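Definition 5 and Lemma 1 checked exhaustively on toy hypergraphs, as an added example (not code from the paper). The bit layout of \(\overline{G}\) (column i becomes bit positions i·ℓ … i·ℓ+ℓ−1), the function names and the toy sizes are assumptions; the search enumerates every set J with |J| ≤ k, so it is only feasible for small m and k.

```python
import itertools
import random
from fractions import Fraction


def random_hypergraph(n, m, d, rng_seed):
    """Random [n, m, d]-hypergraph; repetitions inside an edge are allowed."""
    rng = random.Random(rng_seed)
    return [tuple(rng.randrange(n) for _ in range(d)) for _ in range(m)]


def blow_up(graph, ell):
    """G-bar: each column index i is replaced by its ell bit positions (assumed layout)."""
    return [tuple(i * ell + r for i in edge for r in range(ell)) for edge in graph]


def expansion(graph, k):
    """min over non-empty J with |J| <= k of |union of S_j, j in J| / |J|."""
    best = None
    for size in range(1, k + 1):
        for J in itertools.combinations(range(len(graph)), size):
            covered = set().union(*(graph[j] for j in J))
            ratio = Fraction(len(covered), size)
            if best is None or ratio < best:
                best = ratio
    return best


def is_expander(graph, k, c):
    """Definition 5: every J with |J| <= k touches at least c * |J| inputs."""
    return expansion(graph, k) >= c


def lemma1_holds(graph, ell, k):
    """Lemma 1: the expansion factor of G-bar is exactly ell times that of G."""
    return expansion(blow_up(graph, ell), k) == ell * expansion(graph, k)


# Constructed two-edge example: the edges share columns 0 and 1, so the pair
# covers 4 columns and the expansion factor for k = 2 drops from 3 to 2.
TINY = [(0, 1, 2), (0, 1, 3)]

if __name__ == "__main__":
    print("tiny G, k=2:", expansion(TINY, 2))
    print("tiny G-bar (ell=4), k=2:", expansion(blow_up(TINY, 4), 2))
    G = random_hypergraph(n=12, m=16, d=3, rng_seed=7)
    print("random G, k=3:", expansion(G, 3), "Lemma 1 holds:", lemma1_holds(G, 5, 3))
```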
In general, if we have high degree (say \(O(\log \lambda )\)), we can prove the existence (at least probabilistically) of very good expanders with expansion rate very close to the degree. Unfortunately, our construction of \(\overline{G}\) imposes some structure, and the actual expansion factor is dictated by the graph G with much lower degree d. The following lemma establishes the existence of good expander graphs, which we summarize below in a corollary with more useful parameters. While the proof of the lemma is folklore (we take notational inspiration from the one in [9]), we give it for completeness in the full version [55].
Lemma 2
(Strong expansion lemma). Let \(d \ge 2\), and let \(\gamma \in (0,1)\) and \(\beta \in (0, 1/2)\) be such that \(d \gamma = 1 + \beta \). Further, let \(1 \le \varDelta \le n^{\beta }/\log (n)\). Then, there exists a constant \(\alpha > 0\) such that a random \([n,m=\varDelta n, d]\)-hypergraph G is a \((k = \alpha n/\varDelta ^{1/\beta }, d(1 - \gamma ))\)-expander with probability \(1 - o(1)\).
Corollary 1
For every \(\gamma \) and d such that \(1< \gamma d < 1.5\), and every \(\eta \in (0,1)\), there exists a \([n, n^{1 + \zeta }, d]\)-hypergraph (for some \(\zeta > 0\)) which is a \((n^{1 - \eta }, (1 - \gamma )d)\)-expander.
2.3 Pseudorandom and Unpredictability Generators
We are interested in the question of finding [n, m, d]-hypergraphs for \(m = n^{1 + \alpha }\) and a constant \(d \ge 2\) such that \(\mathrm {GF}_{G, P, \ell }\) is a good PRG, for \(\ell = O(\log \lambda )\). We consider a parameterized assumption on such functions (in terms of unpredictability), and discuss it briefly. Below, we are then going to show how strong indistinguishability follows from (potentially) weaker versions of this assumption.
Unpredictability Generator and Assumptions. Let \(\mathbf {UG} = \{{\mathbf {UG}}_{\lambda }\}_{\lambda \in \mathbb {N}}\) be a function ensemble, where \(\mathbf {UG}_{\lambda }\) is a distribution on functions from \(n(\lambda )\) to \(m(\lambda )\) bits, for some polynomial functions m and n.
Definition 6
Note that by a standard argument, being a \((s, \delta )\)-UG implies being a (family of) \((s, O(m \cdot \delta ))\)-PRGs. We now consider the following assumption, which parametrizes the fact that \(\mathrm {GF}_{G, P,\ell }\) is a good PRG.
Definition 7
(\(\mathsf {BLUG}\) assumption). Let \(n, \ell ,s : \mathbb {N}\rightarrow \mathbb {N}\), and let \(d \ge 2\) and \(\alpha > 0\) be constants. Also, let \(\delta : \mathbb {N}\rightarrow [0,1]\). Then, the \((d, \ell )\)-\(\mathsf {BLUG}(n, \alpha , s, \delta )\) assumption is the assumption that there exists a family \(G = \{G_{\lambda }\}_{\lambda \in \mathbb {N}}\) of \([n(\lambda ), n(\lambda )^{1 + \alpha }, d]\)-hypergraphs, and a family \(P = \{P_{\lambda }\}_{\lambda \in \mathbb {N}}\) of predicates on \((d(\lambda ) \times \ell (\lambda ))\)-bit strings such that \(\mathbf {GF}^{G, P, \ell }\) is an \((s, \delta )\)-UG.
We are being a bit informal here, in the sense that obviously we would like \(\mathbf {GF}^{G, P, \ell }\) to additionally be efficiently computable in a uniform sense. Our candidates will not have this property, as we are only able to infer the existence of suitable G’s probabilistically. There are two ways of thinking about the resulting ensemble: Either non-uniformly – the graph \(G_{\lambda }\) is given as advice for security parameter \(\lambda \) – but usually we actually show that a \(1 - o(1)\) fraction of the \([n, n^{1 + \alpha }, d]\)-hypergraphs are good choices. In that case, we replace G with \(\mathbf {G}\) where \(\mathbf {G}_{\lambda }\) chooses a random \([n(\lambda ), n(\lambda )^{1 + \alpha }, d(\lambda )]\)-hypergraph G, which is bad with vanishing probability o(1). This is of course not good enough, yet the problem can often be bypassed in an application-dependent way, by considering the fact that the end scheme using \(\mathbf {GF}^{\mathbf {G}, P, \ell }\) will also be insecure with probability o(1). One can then consider \(\omega (1)\) instances of this scheme, each using an independent instance from \(\mathbf {GF}^{\mathbf {G},P,\ell }\), and then combine them with a combiner, if it exists.
Our constructions below require \((d, O(\log (\lambda )))\)-\(\mathsf {BLUG}(n, \alpha , {\mathrm {poly}}(\lambda ), 2^{-\omega (\log \lambda )})\) to be true for some \(n(\lambda ) = {\mathrm {poly}}(\lambda )\) and \(\alpha > 0\). For stronger results, we are going to replace \(2^{-\omega (\log \lambda )}\) with \(2^{-\lambda ^{\epsilon }}\) for some \(\epsilon > 0\). Below, we will discuss whether this assumption can be implied by (qualitatively) weaker properties. We will show in particular that \((d, O(\log ^{1 - \varepsilon }(\lambda )))\)-\(\mathsf {BLUG}(n, \alpha , 2^{\omega (\log \lambda )}, 1/\lambda ^{\varOmega (1)})\) implies \((d, O(\log (\lambda )))\)-\(\mathsf {BLUG}(n, \alpha , {\mathrm {poly}}(\lambda ), 2^{-\omega (\log \lambda )})\).
Here, we briefly discuss what can be expected to start with.
The case \(d \ge 3\). For the case \(d \ge 3\), a good candidate to study is the case where \(\ell = O(\log (\lambda ))\) and \(G = \{G_{\lambda }\}_{\lambda \in \mathbb {N}}\) is such that \(G_{\lambda }\) is an \([n(\lambda ), n(\lambda )^{1 + \alpha }, d]\)-hypergraph which is a good \((n^{1 - \gamma }, (1 - \gamma )d)\)-expander where \(\gamma < \frac{1}{2}\), which exists (for some suitable \(\alpha > 0\)) by Corollary 1. The corresponding \(\overline{G}_{\lambda }\) are then in turn also \((n^{1 - \gamma }, (1 - \gamma )d \ell )\)-expanders by Lemma 1.
Applebaum and Raykov [13] recently justified the assumption that for suitable predicates P, the function family \(\mathbf {GF}^{\overline{\mathcal {G}}, P}\) is one-way and a PRG against adversaries running in time \(2^{n^{1 - \gamma }}\), which cannot succeed with probability larger than \(2^{-n^{1 - \gamma }}\). In the same paper, they also give a decision-to-search reduction for such functions, which however applies only for degrees where we can accommodate some \(\gamma \) with \(3 \gamma < 1\). In particular, such functions withstand existing attacks, such as myopic inversion attacks [30]. Also, the degree of P can be high, e.g., \(O(\log (\lambda ))\), and this prevents a number of attacks exploiting weakness of the predicate [21, 34].
Also, as we show in the next section, it is possible to adopt the techniques from [9] to show that we can get good \(\epsilon \)-biased generators (for a subexponential \(\epsilon \)) with block-wise locality (3, 2). This has been the main technique in validating PRG assumptions on graph-based local functions [9, 60, 61].
The special case \(d = 2\). The case \(d = 2\) is particularly important, as it does allow instantiations from bilinear maps in our applications. Note that algebraic attacks are mitigated here: in contrast to the case of plain locality, i.e., \(\ell = 1\), we can set \(\ell = O(\log \lambda )\) and achieve sufficiently high algebraic degree of the predicate P. Unfortunately, this is not sufficient to prove pseudorandomness, as shown by recent attacks [14, 57], which we have discussed above in Sect. 1.3.
2.4 Block-Wise Local Small-Bias Generators
Several works [9, 12, 34, 60] have focused on studying weaker properties achieved by local generators. In particular, a standard statement towards validating their security is that of showing that they meet the definition of being a small-bias generator.
Definition 8. We say \(\mathrm {SB}: \{0,1\}^n \rightarrow \{0,1\}^m\) is an \(\epsilon \)-small-biased generator if \(\max _{J \subseteq [n], J \ne \emptyset } \bigl | \Pr [x \mathop {\leftarrow }\limits ^{\$}\{0,1\}^n \;:\; \bigoplus _{j \in J} \mathrm {SB}_j(x) = 1] - \tfrac{1}{2} \bigr | \le \epsilon \), where \(\mathrm {SB}_j(x)\) denotes the j-th bit of \(\mathrm {SB}(x)\).
Lemma 3. For all \(\delta > 0\) and \(\alpha < \frac{1 - \delta }{4}\), for a fraction of \(1 - o(1)\) of all \([n, n^{1 + \alpha }, 3]\)-hypergraphs G, and Q as defined above, \(\mathrm {GF}_{G, Q, 2}\) is an \(\left( e^{-\frac{n^{\delta }}{4}}\right) \)-biased generator.
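Definition 8 can be checked exhaustively on toy parameters. The following is an added example, not code from the paper: it computes the exact \(\epsilon \) of a small graph-based block-wise local function by taking a Walsh-Hadamard transform of its output histogram, with the linear tests J ranging over the output bits. The hypergraph, the predicate and all function names are constructed for illustration; the output is shorter than the seed, so this shows only the bias computation, not stretch.

```python
import itertools
from fractions import Fraction

# Constructed toy instance: 4 seed blocks of 2 bits, 4 hyperedges of 3 blocks each.
TOY_EDGES = [(0, 1, 2), (1, 2, 3), (0, 2, 3), (0, 1, 3)]

def toy_predicate(x):
    """Constructed predicate on 3 blocks x 2 bits (not the paper's Q)."""
    return (x[0] ^ x[2] ^ x[4]) ^ (x[1] & x[3]) ^ (x[3] & x[5])

def goldreich_output(seed_blocks, edges, predicate):
    """Output bit i is the predicate applied to the seed blocks in hyperedge i."""
    return [predicate([bit for v in edge for bit in seed_blocks[v]]) for edge in edges]

def output_histogram(n_blocks, ell, edges, predicate):
    """Count how often each m-bit output occurs over all 2^(n_blocks*ell) seeds."""
    hist = [0] * (1 << len(edges))
    for bits in itertools.product((0, 1), repeat=n_blocks * ell):
        blocks = [bits[i * ell:(i + 1) * ell] for i in range(n_blocks)]
        y = goldreich_output(blocks, edges, predicate)
        hist[sum(b << j for j, b in enumerate(y))] += 1
    return hist

def max_bias(hist):
    """Exact epsilon of Definition 8, all linear tests at once via Walsh-Hadamard."""
    w = list(hist)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    total = w[0]  # number of seeds
    # w[J] = #(parity over J is 0) - #(parity over J is 1),
    # hence |Pr[parity = 1] - 1/2| = |w[J]| / (2 * total).
    return max(Fraction(abs(v), 2 * total) for v in w[1:])

def max_bias_naive(hist):
    """Same quantity by enumerating every non-empty test J (cross-check)."""
    m = len(hist).bit_length() - 1
    total = sum(hist)
    best = Fraction(0)
    for J in range(1, 1 << m):
        ones = sum(c for y, c in enumerate(hist) if bin(y & J).count("1") % 2)
        best = max(best, abs(Fraction(ones, total) - Fraction(1, 2)))
    return best

if __name__ == "__main__":
    hist = output_histogram(4, 2, TOY_EDGES, toy_predicate)
    print("toy instance bias:", max_bias(hist))
    # A repeated hyperedge makes two output bits equal, so their XOR is constant.
    dup = output_histogram(4, 2, [(0, 1, 2), (0, 1, 2)], toy_predicate)
    print("repeated hyperedge bias:", max_bias(dup))
```

The repeated-hyperedge case illustrates why the lemma is stated for a \(1 - o(1)\) fraction of hypergraphs rather than for all of them.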
2.5 Hardness Amplification via the XOR Construction
In this paper, we rely on the assumption that \(\mathbf {GF}^{G,P,\ell }\) is a good PRG for an appropriate family G of expanders. However, we want to add additional justification to our assumptions. Here, in particular, we discuss how weak unpredictability for graph-based block-wise local functions can be amplified to super-polynomially small unpredictability generically. This means in particular that block-wise local PRGs have strong self-amplifying properties, and that for any G and P, in order to invalidate our assumption, we need to find an attack which succeeds in predicting the next bit with large (i.e., polynomial) advantage over \(\frac{1}{2}\). For otherwise, the lack of such an attack would imply that for the same G and (a related) \(P'\) and \(\ell '\), \(\mathbf {GF}^{G, P', \ell '}\) is a strong PRG.
To this end, we use a simple construction xoring the outputs of generators, which has already been studied to amplify PRG security [35, 58]. Our analysis resembles the one from [35], but is given for completeness. Also, a more general construction, with xoring replaced by a general extractor, was considered by Applebaum [7]. The use of xor, however, is instrumental to preserve block-wise locality. The main drawback of this construction is that it can at best ensure \(2^{-\varOmega (\log ^{1+\theta } \lambda )}\) distinguishing gap for some \(\theta \in (0, 1]\) while retaining block size \(\ell = O(\log \lambda )\). In the full version [55], we explain a different approach which relies on a different assumption and potentially guarantees \(2^{-\lambda ^{\varOmega (1)}}\) distinguishing gap.
Theorem 5
Corollary 2. For any \(\beta > 0\), \(d \ge 2\), and \(\theta \in (0,1]\), if the \((d, O(\log ^{1 - \theta }(\lambda )))\)-\(\mathsf {BLUG}(n, \beta , 2^{\log ^3(\lambda )}, 1/\lambda ^{\varOmega (1)})\) assumption holds, then the assumption \((d, O(\log (\lambda )))\)-\(\mathsf {BLUG}(n, \beta , {\mathrm {poly}}(\lambda ), 2^{-\varOmega (\log ^{1 + \theta }(\lambda ))})\) also holds true.
3 IO from Block-Wise Locality-\((L, \log \lambda )\) PRG and L-Linear Maps
In this section, we prove the following bootstrapping theorem.
Theorem 6

A family of \((n(\lambda )\times \log \lambda , n(\lambda )^{1+\varepsilon })\)-PRGs with block-wise locality \((L,\log \lambda )\).

A public-key FE for degree-L polynomials in \(\mathcal {R}\), with linear efficiency and \({\mathsf {Full\text{-}Sel}}\)-security; or a secret-key FE with the same properties, assuming additionally LWE with subexponential modulus-to-noise ratio.
The IO scheme is \((2^{{\kappa }(\lambda )}\mathrm {negl}(\lambda ))\)-secure, if the PRG and FE schemes are \((2^{{\mathrm {i}\ell }(\lambda )+{\kappa }(\lambda )}\mathrm {negl}(\lambda ))\)-secure, and LWE is \((2^{{\mathrm {i}\ell }(\lambda )+{\kappa }(\lambda )}\mathrm {negl}(\lambda ))\)-hard.
Theorem 6 follows the same approach as Lin's recent bootstrapping theorem [53], but modifies it in two ways. First, it uses block-wise local PRGs to replace local PRGs. Second, it makes explicit the relation between the security level (more precisely, the maximal distinguishing gap) of the underlying PRG and FE, and the input length and security level of the resulting IO: if the underlying primitives are \(2^{{\mathrm {i}\ell }+{\kappa }}\mathrm {negl}\)-secure, then the resulting IO scheme is for \({\mathrm {i}\ell }\)-bit-input circuits and has \(2^{{\kappa }}\mathrm {negl}\)-security. Such relations are implicit in previous works, and not as tight as shown here.
Overview of Proof of Theorem 6. To show the theorem, similar to previous works [53, 56], we take two steps:
Step 1. Construct single-key public-key (or secret-key) FE schemes \(\mathbf{CFE}= \{{\mathbf{CFE}}^{N,D,S}\}\) for \({\mathsf {P/poly}}\), with \((1-\varepsilon )\)-sublinear compactness and \(2^{{\mathrm {i}\ell }+{\kappa }}\mathrm {negl}\)-\({\mathsf {Full\text{-}Sel}}\)-security, starting from a public-key (or secret-key) FE for degree-L polynomials in \(\mathcal {R}\), with linear efficiency and \({\mathsf {Full\text{-}Sel}}\)-security.
Previously, the work of [56] showed how to achieve this transformation from locality-L PRGs and FE for computing degree-\((3L+2)\) polynomials. Following that, the two recent works of [4, 53] used a preprocessing technique to relax the requirement on the underlying FE to supporting only degree-L polynomials. In this work, we extend their preprocessing technique even further, in order to relax the requirement on the underlying PRGs from having locality L to having block-wise locality \((L, \log \lambda )\). We describe this step in full detail in Sect. 3.1.
In the case that the obtained FE scheme \(\mathbf{CFE}\) is a secret-key one, we invoke the result of [18] to transform it into a public-key FE scheme with the same properties, assuming LWE with subexponential modulus-to-noise ratio.
Since our transformation from FE for low-degree computations to weakly-compact FE for \({\mathsf {P/poly}}\) in Sect. 3.1 incurs only a polynomial security loss, and so does the transformation of [18], the resulting weakly-compact FE has essentially the same level of security as that of the underlying primitives.
Step 2. Apply an FE-to-IO transformation to obtain \({\mathrm {i}\ell }\)-bit-input IO for \({\mathsf {P/poly}}\), with \(2^{{\kappa }}\mathrm {negl}\)-security.
The literature already offers three FE-to-IO transformations [2, 20, 54] that start from a public-key FE scheme \(\mathbf{CFE}=\{{\mathbf{CFE}}^{N,D,S}\}\) as described above w.r.t. any positive constant \(\varepsilon \). In this work, we reduce the security loss incurred in the transformation so as to start with \(2^{{\mathrm {i}\ell }+{\kappa }}\mathrm {negl}\)-secure FE (as opposed to \(2^{O({\mathrm {i}\ell }^2)+{\kappa }}\mathrm {negl}\)-secure or \(2^{O(\log \lambda ) {\mathrm {i}\ell }+{\kappa }}\mathrm {negl}\)-secure FE as in previous works). To do so, we present a new FE-to-IO transformation inspired by that of [54] and present a tight analysis. We describe this step in the full version [55].
3.1 Step 1: Constructing Weakly-Compact FE
Proposition 1

A family of \((n(\lambda )\times \log \lambda , n(\lambda )^{1+\varepsilon })\)-PRGs with block-wise locality \((L,\log \lambda )\).

Public-key FE for degree-L polynomials in \(\mathcal {R}\), with linear efficiency and \({\mathsf {Full\text{-}Sel}}\)-security; or secret-key FE with the same properties, assuming additionally LWE with subexponential modulus-to-noise ratio.
The weakly-compact FE is \((2^{{\bar{\kappa }}(\lambda )}\mathrm {negl}(\lambda ))\)-\({\mathsf {Full\text{-}Sel}}\)-secure, if the underlying PRG and FE are \((2^{{\bar{\kappa }}(\lambda )}\mathrm {negl}(\lambda ))\)-secure and LWE is \((2^{{\bar{\kappa }}(\lambda )}\mathrm {negl}(\lambda ))\)-hard.
It was shown in [53] that 1-key weakly-compact FE for \({\mathsf {P/poly}}\) can be constructed from locality-L PRG and (unbounded collusion) FE for degree-L polynomials. Their construction of weakly-compact FE follows the blueprint of previous works [52, 56], which uses FE for low-degree polynomials to compute a randomized encoding of a computation in \({\mathsf {P/poly}}\), with pseudorandomness generated through a local PRG. The locality of RE and PRG ensures that their composition can be computed in low degree. However, the straightforward composition of RE and PRG leads to a computation with degree \(3L+2\). The key idea in [53] and the concurrent work of [4] is that part of the RE computation can already be done at encryption time: by asking the encryptor to preprocess the inputs (of the computation in \({\mathsf {P/poly}}\)) and the seeds of the PRG, and to encrypt the preprocessed values, the composition of RE and PRG can be computed in just degree L from the preprocessed values at decryption time. This is called the preprocessing technique. We take this technique one step further: by also performing part of the PRG computation at encryption time, we can replace local PRG with block-wise local PRG (with appropriate parameters) at "no cost".
Below, we first briefly review the blueprint of [56], then describe the preprocessing idea of [53] and how to use it to accommodate PRG with block-wise locality.
The General Blueprint of [56]. To construct 1-key weakly-compact FE for \({\mathsf {P/poly}}\), Lin and Vaikuntanathan [56] (LV) first observed that, using the Trojan Method [26], it suffices to construct 1-key weakly-compact FE for \(\mathsf {NC}^1\) functions with some fixed depth \(D(\lambda ) = O(\log \lambda )\); denote this class of functions as \(\mathsf {NC}^1_D\).

\({\mathsf {Full\text{-}Sel}}\)-secure (collusion-resistant) FE schemes for degree-\((3L+2)\) polynomials in some \(\mathcal {R}\), \(\{\mathbf{FE}^{N'} = (\mathsf{FE.Setup}, \mathsf{FE.KeyGen},\mathsf{FE.Enc},\mathsf{FE.Dec})\}\), with linear efficiency.

An \((n, n^{1+\alpha })\)-pseudorandom generator \(\mathrm {PRG}\) with locality L, for a sufficiently large polynomial input length \(n = n(\lambda )\) and any positive constant \(\alpha \).

The AIK randomized encoding scheme in \(\mathsf {NC}^0\) [11]; denote the encoding algorithm as \(\mathsf {AIK}(f, {{\mathbf {x}}}\, ; \ {{\mathbf {r}}})\).
 1. The length of the input \(({{\mathbf {x}}}, {{\mathbf {s}}}, {{\mathbf {s}}}', 0)\) encrypted using \(\mathbf{FE}\) is \(N + 2\varGamma + 1 = N + S(\lambda )^{1/(1+\alpha )}{\mathrm {poly}}(\lambda )\).
 2. \(\mathbf{FE}\) has linear efficiency.
When \(\mathrm {PRG}\) has locality L, the straightforward way of computing a degree-3 monomial \({{\mathbf {r}}}[i]_{i_1} {{\mathbf {r}}}[i]_{i_2} {{\mathbf {r}}}[i]_{i_3}\) from the seed \({{\mathbf {s}}}\) requires degree 3L. The works of [4, 53] showed how to reduce the degree to just L. First, they use a different way to compute each \({{\mathbf {r}}}[i]\). View the seed \({{\mathbf {s}}}\) as a \(Q \times \varGamma '\) matrix with \(Q = Q(\lambda ) = {\mathrm {poly}}(\lambda )\) rows and \(\varGamma ' = S^{1/(1+\alpha )}\) columns; apply PRG on each row of \({{\mathbf {s}}}\) to expand the seed matrix into a \(Q \times S\) matrix \({{\mathbf {r}}}\) of pseudorandom bits. That is, denote the \(q^\mathrm{th}\) row of \({{\mathbf {s}}}\) and \({{\mathbf {r}}}\) as \({{\mathbf {s}}}_q\) and \({{\mathbf {r}}}_q\); then \({{\mathbf {r}}}_q = \mathrm {PRG}({{\mathbf {s}}}_q)\). Finally, set the random tape for computing the \(i^\mathrm{th}\) AIK encoding to be the \(i^\mathrm{th}\) column \({{\mathbf {r}}}[i]\) of \({{\mathbf {r}}}\).
Furthermore, the size of each set \(\mathsf{Mnml}^{\le 3}({{\mathbf {s}}}[\gamma ])\) is bounded by \((Q+1)^{3} = {\mathrm {poly}}(\lambda )\), and thus the size of their union for all \(\gamma \) is bounded by \(\varGamma '{\mathrm {poly}}(\lambda ) = S^{1/(1+\alpha )}{\mathrm {poly}}(\lambda )\), which is only a polynomial factor (in \(\lambda \)) larger than the original seed \({{\mathbf {s}}}\) itself. Therefore the encryptor can afford to precompute all these monomials and encrypt them, without compromising the weak compactness of the resulting FE scheme for \(\mathsf {NC}^1_D\).
This Work: Handling Block-Wise Local PRG. Our new observation is that the above technique naturally extends to accommodate block-wise local PRGs. Consider a family of \((n(\lambda ) \times \log \lambda , n(\lambda )^{1+\alpha })\)-PRGs with block-wise locality \((L, \log \lambda )\). As before, we think of the seed of such PRGs as a vector \({{\mathbf {t}}}\) of length n, where every element \(t_i\) is a block of \(\log \lambda \) bits, and each output bit \(\mathrm {PRG}[i]({{\mathbf {t}}})\) depends on at most L blocks.
Correspondingly, think of the seed matrix \({{\mathbf {s}}}\) described above as consisting of \(Q \times \varGamma '\) blocks of \(\log \lambda \) bits. When \({{\mathbf {r}}}[i]\) is computed using block-wise local PRGs, the degree-3 monomial \({{\mathbf {r}}}[i]_{i_1}{{\mathbf {r}}}[i]_{i_2}{{\mathbf {r}}}[i]_{i_3}\) in Eq. (2) now depends on a set of blocks \(\{{s_{i_t, \gamma _s}}\}_{t \in [3], s \in [L]}\). Though the actual locality of the PRG is \(L \log \lambda \), due to its special structure, we can still preprocess the seed \({{\mathbf {s}}}\) to enable computing any degree-3 monomial over \({{\mathbf {r}}}[i]\) for any i using degree L, in the following two steps.
 1. Precompute all multilinear monomials over bits in each block \(s_{q, \gamma }\) in \({{\mathbf {s}}}\). More precisely, precompute \(\mathsf{Mnml}(s_{q, \gamma })\) for all \(q \in [Q]\) and \(\gamma \in [\varGamma ']\). Note that each set \(\mathsf{Mnml}(s_{q, \gamma })\) has exactly size \(\lambda \).
$$\begin{aligned} \text{ Define } \qquad \mathsf{Mnml}(A) := \{{a_{i_1}a_{i_2}\cdots a_{i_{q}} \ | \ q \le |A| \ \text{ and } \forall j, k \ a_{i_j}\ne a_{i_k} \in A}\}. \end{aligned}$$
 2. For every column \(\gamma \in [\varGamma ']\), take the union of monomials over blocks in column \(\gamma \), that is, \(\cup _{q} \mathsf{Mnml}(s_{q, \gamma })\). Then, precompute all degree-\(\le 3\) monomials over this union, that is, \(\mathsf{Mnml}^{\le 3}(\cup _{q} \mathsf{Mnml}(s_{q,\gamma }))\), for each \(\gamma \). Observe that from \(\{{\mathsf{Mnml}^{\le 3}(\cup _q \mathsf{Mnml}(s_{q, \gamma }))}\}_{\gamma \in [\varGamma ']}\), one can again compute any degree-3 monomial in \({{\mathbf {r}}}[i]\) for any i in just degree L.
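The two preprocessing steps can be checked on toy parameters. The following is an added example, not code from the paper: it builds the per-column tables \(\mathsf{Mnml}^{\le 3}(\cup _q \mathsf{Mnml}(s_{q,\gamma }))\) and evaluates a product of three PRG output bits as a sum of terms that each multiply exactly L table entries. The parameters (block size 2 in place of \(\log \lambda \), L = 3, a 4 x 5 seed matrix), the predicate, the use of integer arithmetic in place of \(\mathcal {R}\), and all function names are assumptions made for illustration.

```python
import itertools
import random

ELL, L = 2, 3      # toy block size (stands in for log lambda) and block-wise locality
Q, GAMMA = 4, 5    # toy seed matrix: Q rows and GAMMA columns of ELL-bit blocks

def predicate(x):
    """Constructed toy predicate on L*ELL = 6 bits (not one of the paper's candidates)."""
    return (x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4] ^ x[5]) ^ (x[1] & x[3] & x[5])

def multilinear_coeffs(f, nbits):
    """Integer c[S] with f(x) = sum_S c[S] * prod_{i in S} x_i on all 0/1 inputs."""
    c = [f([(m >> i) & 1 for i in range(nbits)]) for m in range(1 << nbits)]
    for i in range(nbits):
        for m in range(1 << nbits):
            if (m >> i) & 1:
                c[m] -= c[m ^ (1 << i)]
    return c

def raw_degree(coeffs):
    """Degree of the predicate as a polynomial in the individual seed bits."""
    return max(bin(m).count("1") for m, c in enumerate(coeffs) if c)

def mnml(block):
    """Mnml(block): the product of every subset of the block's bits, by subset mask."""
    out = [1] * (1 << len(block))
    for mask in range(1, len(out)):
        low = mask & -mask
        out[mask] = out[mask ^ low] * block[low.bit_length() - 1]
    return out

def preprocess(seed):
    """Steps 1 and 2: per column, every product of three entries of U_q Mnml(s[q][g])."""
    tables = []
    for g in range(GAMMA):
        union = {(q, a): v for q in range(Q) for a, v in enumerate(mnml(seed[q][g]))}
        tables.append({k: union[k[0]] * union[k[1]] * union[k[2]]
                       for k in itertools.product(union, repeat=3)})
    return tables

def sub(mask, b):
    """Part of a monomial mask that falls into the b-th block of the hyperedge."""
    return (mask >> (b * ELL)) & ((1 << ELL) - 1)

def direct_bit(seed, q, edge):
    """Output bit of row q: the predicate applied to that row's blocks in the hyperedge."""
    return predicate([bit for g in edge for bit in seed[q][g]])

def triple_product_degree_L(tables, coeffs, rows, edge):
    """Product of three rows' output bits; every term multiplies exactly L table entries."""
    nz = [(m, c) for m, c in enumerate(coeffs) if c]
    total = 0
    for (m1, c1), (m2, c2), (m3, c3) in itertools.product(nz, repeat=3):
        term = c1 * c2 * c3
        for b, g in enumerate(edge):
            key = ((rows[0], sub(m1, b)), (rows[1], sub(m2, b)), (rows[2], sub(m3, b)))
            term *= tables[g][key]
            if term == 0:
                break
        total += term
    return total

def demo(seed_value=1, rows=(0, 2, 3)):
    """Return (direct product, degree-L evaluation) for one random seed and hyperedge."""
    rng = random.Random(seed_value)
    seed = [[[rng.randrange(2) for _ in range(ELL)] for _ in range(GAMMA)]
            for _ in range(Q)]
    edge = tuple(rng.sample(range(GAMMA), L))
    coeffs = multilinear_coeffs(predicate, L * ELL)
    want = 1
    for q in rows:
        want *= direct_bit(seed, q, edge)
    return want, triple_product_degree_L(preprocess(seed), coeffs, rows, edge)

if __name__ == "__main__":
    print("degree in raw seed bits:", raw_degree(multilinear_coeffs(predicate, L * ELL)))
    print("direct vs. degree-L evaluation:", demo())
```

In the toy instance the predicate has degree 6 in the raw seed bits, so the product of three outputs has degree up to 18 there, while every term above is a product of L = 3 preprocessed values.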
4 FE from \(\omega (\log \lambda )\)-Bit-Input IO for \({\mathsf {P/poly}}\)
Our proof generically transforms any 1-key (public-key) FE scheme for any circuit class \(\mathcal{C} \) into a collusion-resistant (public-key) FE scheme for the same circuit class, using IO for circuits with \(\omega (\log \lambda )\)-bit inputs. The encryption time of the resulting FE schemes is polynomial in the encryption time of the original schemes, and hence if the original scheme is (non-)compact, so is the resulting FE scheme. The transformation also preserves the same type of security, namely \({\mathsf {Full\text{-}Sel}}\)- or \({\mathsf {Adap}}\)-security, and incurs a \(2^{\omega (\log \lambda )}\) security loss.
More precisely, we prove the following below in Sect. 4.1.
Proposition 2

The encryption time of \(\mathbf{CRFE}\) is polynomial in the encryption time of \(\mathbf{OFE}\).

If \({i\mathcal {O}}\) is \(2^{({\mathrm {i}\ell }(\lambda ) + {\tau }(\lambda ))}\mathrm {negl}(\lambda )\)-secure and \(\mathbf{OFE}\) is \(2^{({\mathrm {i}\ell }(\lambda ) + {\tau }(\lambda ))}\mathrm {negl}(\lambda )\)-(\({\mathsf {Adap}}\) or \({\mathsf {Full\text{-}Sel}}\))-secure, then \(\mathbf{CRFE}\) is \(2^{{\tau }(\lambda )}\mathrm {negl}(\lambda )\)-(\({\mathsf {Adap}}\) or \({\mathsf {Full\text{-}Sel}}\))-secure.
It is known that adaptively-secure 1-key non-compact public-key FE for \({\mathsf {P/poly}}\) can be constructed from just public-key encryption [48].
Theorem 7 (1-Key \({\mathsf {Adap}}\)-Secure Public-Key FE for \({\mathsf {P/poly}}\) [48]). Let \(\mu \) be any function from \(\mathbb {N} \) to [0, 1]. Assuming public-key encryption with \(\mu (\lambda )\mathrm {negl}(\lambda )\)-security, there exist \(\mu (\lambda )\mathrm {negl}(\lambda )\)-\({\mathsf {Adap}}\)-secure 1-key non-compact public-key FE schemes for \({\mathsf {P/poly}}\).
Now, applying the transformation of Proposition 2 to the \(\mu \mathrm {negl}\)-\({\mathsf {Adap}}\)-secure 1-key FE schemes for \({\mathsf {P/poly}}\) with \(\mu = 2^{({\mathrm {i}\ell }+{\tau })}\) yields \(2^{{\tau }}\mathrm {negl}\)-\({\mathsf {Adap}}\)-secure collusion-resistant (non-compact public-key) FE for \({\mathsf {P/poly}}\). Finally, note that it follows from [3] that collusion-resistant non-compact FE schemes imply collusion-resistant compact FE schemes with the same level of security, which yields Theorem 4.
4.1 From 1-Key to Collusion-Resistant FE, Generically

An \({\mathrm {i}\ell }\)-bit-input indistinguishability obfuscator \({i\mathcal {O}}\) for \({\mathsf {P/poly}}\).

A 1-key FE scheme \(\mathbf{OFE}= (\mathsf{OFE.Setup}, \mathsf{OFE.KeyGen}, \mathsf{OFE.Enc}, \mathsf{OFE.Dec})\) for \(\mathcal{C} \).

A puncturable PRF scheme \(\mathsf{PPRF}= (\mathsf {PRF{.}Gen},\mathsf {PRF{.}Punc},{\mathsf {F}})\).

Setup: Generate a superpolynomial number, \(M = 2^{{\mathrm {i}\ell }(\lambda )} = 2^{\omega (\lambda )}\), of \(\mathbf{OFE}\) instances with master keys \(\{{({\mathsf {OMPK}}_i, {\mathsf {OMSK}}_i)\mathop {\leftarrow }\limits ^{\$}\mathsf{OFE.Setup}(1^\lambda )}\}_{i \in [M]}\).

Key Generation: To generate a key for a function f, sample an index at random \(i_f \mathop {\leftarrow }\limits ^{\$}[M]\) and generate a secret key using the \(i_f^\mathrm{th}\) master secret key \({\mathsf {OSK}}_{i_f} \mathop {\leftarrow }\limits ^{\$}\mathsf{OFE.KeyGen}({\mathsf {OMSK}}_{i_f}, f)\). Since there are at most a polynomial number of secret keys ever generated, the probability that every \(\mathbf{OFE}\) instance is used to generate at most one secret key is overwhelming.

Encryption: To encrypt any input x, simply encrypt the input x under all master public keys, \(\{{\mathsf{OCT}_i \mathop {\leftarrow }\limits ^{\$}\mathsf{OFE.Enc}({\mathsf {OMPK}}_i, x)}\}_{i \in [M]}\). Given the set of ciphertexts, one can compute the output f(x) of any function f for which a secret key \({\mathsf {OSK}}_{i_f}\) has been generated, by decrypting the appropriate ciphertext \(\mathsf{OCT}_{i_f}\) using the secret key \({\mathsf {OSK}}_{i_f}\).
Of course, the only problem with this FE scheme is that its setup and encryption algorithms run in super-polynomial time. To address this, we follow the previously adopted idea (e.g. [17, 25]) of using IO to "compress" these super-polynomially many \(\mathbf{OFE}\) instances into "polynomial size". More precisely, instead of having the setup algorithm publish all M master public keys, let it generate an obfuscated circuit that on input \(i \in [M]\) outputs the \(i^\mathrm{th}\) master public key. Similarly, instead of having the encryption algorithm publish M ciphertexts, let it generate an obfuscated circuit that on input \(i \in [M]\) outputs the \(i^\mathrm{th}\) ciphertext under the \(i^\mathrm{th}\) master public key. Since the inputs to the obfuscated circuits are indexes from the range [M], which can be represented in \({\mathrm {i}\ell }\) bits, it suffices to use \({\mathrm {i}\ell }\)-bit-input IO. Furthermore, for "compression" to be possible, all M master public and secret keys, as well as all M ciphertexts, need to be sampled using pseudorandomness generated by puncturable PRFs. The resulting obfuscated circuits have polynomial size, since generating individual master public keys and ciphertexts using pseudorandomness is efficient, and hence the new FE scheme becomes efficient. Finally, the security of the new FE scheme follows from the common "one-input-at-a-time" argument, which incurs a \(2^{i} = 2^{{\mathrm {i}\ell }}\) security loss. We formally describe the collusion-resistant FE scheme \(\mathbf{CRFE}\) for \(\mathcal{C} \) in Fig. 4.
Footnotes
 1. The notion could be blockwise to the cases where predicates are drawn by a distribution, and possibly differ from each output bit. We are going to dispense with such extensions, which are straightforward but easily lead to notational overhead.
Notes
Acknowledgements
The authors thank Benny Applebaum and Vinod Vaikuntanathan for many helpful discussions and insights.
Huijia Lin was supported in part by NSF grants CNS1528178, CNS1514526, and CNS1652849 (CAREER). Stefano Tessaro was supported in part by NSF grants CNS1423566, CNS1528178, CNS1553758 (CAREER), and IIS152804.
References
 1.Allen, S.R., O’Donnell, R., Witmer, D.: How to refute a random CSP. In: 56th FOCS, Berkeley, CA, USA, pp. 689–708, 17–20 October 2015Google Scholar
 2.Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 308–326. Springer, Heidelberg (2015). doi: 10.1007/9783662479896_15 CrossRefGoogle Scholar
 3.Ananth, P., Jain, A., Sahai, A.: Achieving compactness generically: indistinguishability obfuscation from noncompact functional encryption. IACR Cryptology ePrint Archive, vol. 2015, p. 730 (2015)Google Scholar
 4.Ananth, P., Sahai, A.: Projective arithmetic functional encryption and indistinguishability obfuscation from degree5 multilinear maps. Cryptology ePrint Archive, Report 2016/1097 (2016). http://eprint.iacr.org/2016/1097
 5.Ananth, P.V., Gupta, D., Ishai, Y., Sahai, A.: Optimizing obfuscation: avoiding Barrington’s theorem. In: ACM CCS 2014, Scottsdale, AZ, USA, pp. 646–658, 3–7 November 2014Google Scholar
 6.Apon, D., Döttling, N., Garg, S., Mukherjee, P.: Cryptanalysis of indistinguishability obfuscations of circuits over GGH13. In: ICALP 2017. LNCS, vol. 80. Springer, Heidelberg (2017)Google Scholar
 7.Applebaum, B.: Pseudorandom generators with long stretch and low locality from random local oneway functions. In: 44th ACM STOC, New York, NY, USA, pp. 805–816, 19–22 May 2012Google Scholar
 8.Applebaum, B.: The cryptographic hardness of random local functions – survey. Cryptology ePrint Archive, Report 2015/165 (2015). http://eprint.iacr.org/2015/165
 9.Applebaum, B., Bogdanov, A., Rosen, A.: A dichotomy for local smallbias generators. J. Cryptol. 29, 577–596 (2016)MathSciNetCrossRefzbMATHGoogle Scholar
 10.Applebaum, B., Brakerski, Z.: Obfuscating circuits via compositeorder graded encoding. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 528–556. Springer, Heidelberg (2015). doi: 10.1007/9783662464977_21 CrossRefGoogle Scholar
 11.Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC\(^{\text{0}}\). In: FOCS, pp. 166–175 (2004)Google Scholar
 12.Applebaum, B., Lovett, S.: Algebraic attacks against random local functions and their countermeasures. In: 48th ACM STOC, Cambridge, MA, USA, pp. 1087–1100, 18–21 June 2016Google Scholar
 13.Applebaum, B., Raykov, P.: Fast pseudorandom functions based on expander graphs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 27–56. Springer, Heidelberg (2016). doi: 10.1007/9783662536414_2 CrossRefGoogle Scholar
 14.Barak, B., Brakerski, Z., Komargodski, I., Kothari, P.K.: Limits on lowdegree pseudorandom generators (or: sumofsquares meets program obfuscation). Cryptology ePrint Archive, Report 2017/312 (2017). http://eprint.iacr.org/2017/312
 15.Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014). doi: 10.1007/9783642552205_13 CrossRefGoogle Scholar
 16.Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). doi: 10.1007/3540446478_1 CrossRefGoogle Scholar
 17.Bitansky, N., Garg, S., Lin, H., Pass, R., Telang, S.: Succinct randomized encodings and their applications. In: Proceedings of 47th Annual ACM on Symposium on Theory of Computing, STOC 2015, 14–17 June 2015, Portland, OR, USA, pp. 439–448 (2015)Google Scholar
 18.Bitansky, N., Nishimaki, R., Passelègue, A., Wichs, D.: From cryptomania to obfustopia through secretkey functional encryption. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 391–418. Springer, Heidelberg (2016). doi: 10.1007/9783662536445_15 CrossRefGoogle Scholar
 19.Bitansky, N., Paneth, O., Rosen, A.: On the cryptographic hardness of finding a nash equilibrium. In: Guruswami [49], pp. 1480–1498 (2015)Google Scholar
 20.Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation from functional encryption. In: IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, 17–20 October 2015, Berkeley, CA, USA, pp. 171–190 (2015)Google Scholar
 21.Bogdanov, A., Qiao, Y.: On the security of Goldreich’s oneway function. Comput. Complex. 21(1), 83–127 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 22.Boneh, D., Sahai, A., Waters, B.: Fully collusion resistant traitor tracing with short ciphertexts and private keys. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 573–592. Springer, Heidelberg (2006). doi: 10.1007/11761679_34 CrossRefGoogle Scholar
 23.Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324, 71–90 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
 24.Brakerski, Z., Rothblum, G.N.: Virtual blackbox obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 1–25. Springer, Heidelberg (2014). doi: 10.1007/9783642542428_1 CrossRefGoogle Scholar
 25.Canetti, R., Lin, H., Tessaro, S., Vaikuntanathan, V.: Obfuscation of probabilistic circuits and applications. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 468–497. Springer, Heidelberg (2015). doi: 10.1007/9783662464977_19 CrossRefGoogle Scholar
 26.Caro, A., Iovino, V., Jain, A., O’Neill, A., Paneth, O., Persiano, G.: On the achievability of simulationbased security for functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 519–535. Springer, Heidelberg (2013). doi: 10.1007/9783642400841_29 CrossRefGoogle Scholar
 27.Chen, Y., Gentry, C., Halevi, S.: Cryptanalyses of candidate branching program obfuscators. In: Coron, J.S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 278–307. Springer, Cham (2017). doi: 10.1007/9783319566177_10 CrossRefGoogle Scholar
 28.Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). doi: 10.1007/9783662468005_1 Google Scholar
 29.Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 257–270. Springer, Heidelberg (1994). doi: 10.1007/3540486585_25 Google Scholar
 30.Cook, J., Etesami, O., Miller, R., Trevisan, L.: Goldreich’s oneway function candidate and myopic backtracking algorithms. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 521–538. Springer, Heidelberg (2009). doi: 10.1007/9783642004575_31 CrossRefGoogle Scholar
 31.Coron, J.S., et al.: Zeroizing without lowlevel zeroes: new MMAP attacks and their limitations. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 247–266. Springer, Heidelberg (2015). doi: 10.1007/9783662479896_12 CrossRefGoogle Scholar
32. Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_26
33. Coron, J.-S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 267–286. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-47989-6_13
34. Cryan, M., Miltersen, P.B.: On pseudorandom generators in NC\(^0\). In: Sgall, J., Pultr, A., Kolman, P. (eds.) MFCS 2001. LNCS, vol. 2136, pp. 272–284. Springer, Heidelberg (2001). doi: 10.1007/3-540-44683-4_24
35. Dodis, Y., Impagliazzo, R., Jaiswal, R., Kabanets, V.: Security amplification for interactive cryptographic primitives. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 128–145. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-00457-5_9
36. Döttling, N., Garg, S., Gupta, D., Miao, P., Mukherjee, P.: Obfuscation from low noise multilinear maps. Cryptology ePrint Archive, Report 2016/599 (2016). http://eprint.iacr.org/2016/599
37. Dwork, C., Naor, M., Reingold, O., Rothblum, G.N., Vadhan, S.P.: On the complexity of differentially private data release: efficient algorithms and hardness results. In: 41st ACM STOC, Bethesda, MD, USA, pp. 381–390, 31 May–2 June 2009
38. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38348-9_1
39. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, 26–29 October 2013, Berkeley, CA, USA, pp. 40–49 (2013)
40. Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Functional encryption without obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 480–511. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49099-0_18
41. Garg, S., Miles, E., Mukherjee, P., Sahai, A., Srinivasan, A., Zhandry, M.: Secure obfuscation in a weak multilinear map model. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 241–268. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53644-5_10
42. Garg, S., Pandey, O., Srinivasan, A.: Revisiting the cryptographic hardness of finding a Nash equilibrium. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 579–604. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53008-5_20
43. Garg, S., Pandey, O., Srinivasan, A., Zhandry, M.: Breaking the subexponential barrier in obfustopia. Cryptology ePrint Archive, Report 2016/102 (2016). http://eprint.iacr.org/2016/102
44. Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46497-7_20
45. Gentry, C., Lewko, A.B., Sahai, A., Waters, B.: Indistinguishability obfuscation from the multilinear subgroup elimination assumption. In: Guruswami [49], pp. 151–170 (2015)
46. Goldreich, O.: Candidate one-way functions based on expander graphs. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 7, no. 90 (2000)
47. Goldreich, O.: Foundations of Cryptography – Basic Tools. Cambridge University Press, Cambridge (2001)
48. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multiparty computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_11
49. Guruswami, V. (ed.) IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, Berkeley, CA, USA, 17–20 October 2015. IEEE Computer Society (2015)
50. Komargodski, I., Segev, G.: From minicrypt to obfustopia via private-key functional encryption. Cryptology ePrint Archive, Report 2017/080 (2017). http://eprint.iacr.org/2017/080
51. Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-55220-5_14
52. Lin, H.: Indistinguishability obfuscation from constant-degree graded encoding schemes. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 28–57. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49890-3_2
53. Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: CRYPTO 2017. LNCS. Springer, Heidelberg (2017)
54. Lin, H., Pass, R., Seth, K., Telang, S.: Output-compressing randomized encodings and applications. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 96–124. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49096-9_5
55. Lin, H., Tessaro, S.: Indistinguishability obfuscation from trilinear maps and blockwise local PRGs. Cryptology ePrint Archive, Report 2017/250 (2017). http://eprint.iacr.org/2017/250
56. Lin, H., Vaikuntanathan, V.: Indistinguishability obfuscation from DDH-like assumptions on constant-degree graded encodings. In: IEEE 57th Annual Symposium on Foundations of Computer Science, FOCS 2016, New Brunswick, NJ, USA, 9–11 October 2016
57. Lombardi, A., Vaikuntanathan, V.: On the nonexistence of blockwise 2-local PRGs with applications to indistinguishability obfuscation. Cryptology ePrint Archive, Report 2017/301 (2017). http://eprint.iacr.org/2017/301
58. Maurer, U., Tessaro, S.: A hardcore lemma for computational indistinguishability: security amplification for arbitrarily weak PRGs with optimal stretch. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 237–254. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-11799-2_15
59. Miles, E., Sahai, A., Zhandry, M.: Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 629–658. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53008-5_22
60. Mossel, E., Shpilka, A., Trevisan, L.: On ε-biased generators in NC\(^0\). In: 44th FOCS, Cambridge, MA, USA, pp. 136–145, 11–14 October 2003
61. O’Donnell, R., Witmer, D.: Goldreich’s PRG: evidence for near-optimal polynomial stretch. In: IEEE 29th Conference on Computational Complexity, CCC 2014, 11–13 June 2014, Vancouver, BC, Canada, pp. 1–12 (2014)
62. Parno, B., Raykova, M., Vaikuntanathan, V.: How to delegate and verify in public: verifiable computation from attribute-based encryption. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 422–439. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-28914-9_24
63. Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semantically-secure multilinear encodings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 500–517. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-44371-2_28
64. Ullman, J.: Answering \(n^{2+o(1)}\) counting queries with differential privacy is hard. In: 45th ACM STOC, Palo Alto, CA, USA, pp. 361–370, 1–4 June 2013
65. Zimmerman, J.: How to obfuscate programs directly. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 439–467. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46803-6_15