FE and iO for Turing Machines from Minimal Assumptions

Agrawal, Shweta; Maitra, Monosij

doi:10.1007/978-3-030-03810-6_18

Shweta Agrawal¹⁵ &
Monosij Maitra¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11240))

Included in the following conference series:

Theory of Cryptography Conference

910 Accesses
15 Citations

Abstract

We construct Indistinguishability Obfuscation ($\mathsf {iO}$) and Functional Encryption ($\mathsf {FE}$) schemes in the Turing machine model from the minimal assumption of compact $\mathsf {FE}$ for circuits ($\mathsf {CktFE}$). Our constructions overcome the barrier of sub-exponential loss incurred by all prior work. Our contributions are:

1.
We construct $\mathsf {iO}$ in the Turing machine model from the same assumptions as required in the circuit model, namely, sub-exponentially secure $\mathsf {FE}$ for circuits. The previous best constructions [6, 41] require sub-exponentially secure $\mathsf {iO}$ for circuits, which in turn requires sub-exponentially secure $\mathsf {FE}$ for circuits [5, 15].
2.
We provide a new construction of single input $\mathsf {FE}$ for Turing machines with unbounded length inputs and optimal parameters from polynomially secure, compact $\mathsf {FE}$ for circuits. The previously best known construction by Ananth and Sahai [7] relies on $\mathsf {iO}$ for circuits, or equivalently, sub-exponentially secure $\mathsf {FE}$ for circuits.
3.
We provide a new construction of multi-input $\mathsf {FE}$ for Turing machines. Our construction supports a fixed number of encryptors (say k), who may each encrypt a string $\mathbf {x}_i$ of unbounded length. We rely on sub-exponentially secure $\mathsf {FE}$ for circuits, while the only previous construction [10] relies on a strong knowledge type assumption, namely, public coin differing inputs obfuscation.

Our techniques are new and from first principles, and avoid usage of sophisticated $\mathsf {iO}$ specific machinery such as positional accumulators and splittable signatures that were used by all relevant prior work [6, 7, 41].

You have full access to this open access chapter, Download conference paper PDF

Obfuscation from Polynomial Hardness: Beyond Decomposable Obfuscation

Indistinguishability Obfuscation for Turing Machines: Constant Overhead and Amortization

Indistinguishability Obfuscation with Non-trivial Efficiency

1 Introduction

The notion of indistinguishability obfuscation ($\mathsf {iO}$) [11] seeks to garble programs such that the obfuscations of any two functionally equivalent programs are indistinguishable. While non-obvious at first what such a guarantee is good for, $\mathsf {iO}$ has emerged as a surprisingly powerful notion in cryptography, leading to many advanced cryptographic applications that were previously out of reach [12, 14, 22,23,24, 26, 27, 41, 44, 46, 50].

Functional encryption ($\mathsf {FE}$) [16, 48, 49] is a generalization of public key encryption that enables fine grained access control on encrypted data. In $\mathsf {FE}$, a secret key corresponds to a function f and ciphertexts correspond to strings from the domain of f. Given a function key $\mathsf {SK}_f$ and a ciphertext $\mathsf {CT}_\mathbf {x}$, the decryptor learns $f(\mathbf {x})$ and nothing else.

While an important primitive in its own right, $\mathsf {FE}$ has also been shown to imply $\mathsf {iO}$, albeit with sub-exponential loss [5, 15]. Over the last few years, both primitives have received significant attention, with a rich body of work that attempts to support more general models of computation [4, 12, 20,21,22, 25, 41], rely on weaker assumptions [8, 13, 19, 30, 37,38,39,40, 42, 43, 45], achieve stronger security [3, 19] and greater efficiency [6].

In this work, we make further progress towards the goal of basing $\mathsf {iO}$ and $\mathsf {FE}$ on minimal assumptions, in the Turing machine model of computation. This question has been studied extensively [4, 6, 7, 12, 20,21,22, 25, 34, 41] – we refer the reader to [6, 7] for a detailed discussion. Below, we summarize the state of art:

1.
$\mathsf {iO}$ for Turing Machines with unbounded memory and bounded inputs are constructed in the works of Koppula et al. and Ananth et al. [6, 41]. Both works rely on the existence of sub-exponentially secure $\mathsf {iO}$ for circuits along with other standard assumptions. We note that $\mathsf {FE}$ for circuits implies $\mathsf {iO}$ with sub-exponential loss, so when relying on $\mathsf {FE}$ for circuits, these works incur double sub-exponential loss.
2.
For single input $\mathsf {FE}$ for Turing machines that accept unbounded length inputs and place no restriction on the description size or space complexity of the machine, the state of art is the work of Ananth and Sahai [7], which relies on the existence of $\mathsf {iO}$ for circuits.
3.
For multi-input $\mathsf {FE}$ in the Turing machine model, the only known construction is [10], which relies on the existence of public coin differing inputs obfuscation (${\mathsf {diO}}$).

Our Results. We construct Indistinguishability Obfuscation ($\mathsf {iO}$) and Functional Encryption ($\mathsf {FE}$) schemes in the Turing machine model from the minimal assumption of compact $\mathsf {FE}$ for circuits ($\mathsf {CktFE}$). Our constructions overcome the barrier of sub-exponential loss incurred by all prior work. Our contributions are:

1.
We construct $\mathsf {iO}$ for Turing machines with bounded inputs and unbounded memory from the same assumptions as required by $\mathsf {iO}$ for circuits, namely, sub-exponentially secure $\mathsf {FE}$ for circuits. The previous best constructions [6, 41] require sub-exponentially secure $\mathsf {iO}$ for circuits, which in turn requires sub-exponentially secure $\mathsf {FE}$ for circuits [5, 15], resulting in double sub-exponential loss.
2.
We provide a new construction of single input $\mathsf {FE}$ for Turing machines with unbounded inputs, achieving optimal parameters from polynomially secure, compact $\mathsf {FE}$ for circuits. The previously best known construction by Ananth and Sahai [7] relies on $\mathsf {iO}$ for circuits, or equivalently, sub-exponentially secure $\mathsf {FE}$ for circuits. We note that $\mathsf {iO}$ for circuits implies decomposable compact $\mathsf {FE}$ for circuits [27] (please see the full version [1]), so our construction also implies $\mathsf {FE}$ for TMs from $\mathsf {iO}$ for circuits.
3.
We provide a new construction of multi-input $\mathsf {FE}$ for Turing machines. Our construction supports a fixed number of encryptors (say k), who may each encrypt a string $\mathbf {x}_i$ of unbounded length. We rely on sub-exponentially secure $\mathsf {FE}$ for circuits, while the only previous construction [10] relies on a strong knowledge type assumption, namely, public coin differing inputs obfuscation. The arity k supported by our scheme depends on the underlying multi-input $\mathsf {CktFE}$ scheme, for instance using [40], we can support $k = \mathsf{polylog}(\lambda )$.

Our constructions make use of $\mathsf {FE}$ for circuits that satisfy a mild property called decomposablity, which in turn can be constructed generically from $\mathsf {FE}$ for circuits (please see Appendix A). Decomposable $\mathsf {FE}$, analogously to decomposable randomized encodings [9], roughly posits that a long string be encrypted bit by bit using shared randomness across bits. This property is already satisfied by all known constructions of $\mathsf {CktFE}$ in the literature to the best of our knowledge.

Our techniques are new and from first principles, and avoid usage of sophisticated $\mathsf {iO}$ specific machinery such as positional accumulators and splittable signatures that were used by all prior work [6, 7, 41]. Our work leverages the security notion of distributional indistinguishability ($\mathsf {DI}$) for $\mathsf {CktFE}$ which was first considered by [31], who provided a construction for single input FE satisfying DI security assuming the existence of $\mathsf {iO}$. We strengthen this result by constructing $\mathsf {DI}$ secure $\mathsf {CktFE}$ from standard $\mathsf {CktFE}$. Please see Fig. 1 for an overview of our results.

Additional Prior Work. Since $\mathsf {iO}$ is considered an inherently sub-exponential assumption and much stronger than the polynomial assumption of compact $\mathsf {FE}$, replacing $\mathsf {iO}$ by $\mathsf {FE}$ in cryptographic constructions has already been studied extensively, for instance in the context of $\mathsf{PPAD}$ hardness [28], multi-input $\mathsf {FE}$ for circuits [19, 40] as well as trapdoor one-way permutations and universal samplers [29]. We note that aside from reliance on weaker, better understood assumptions, avoiding sub-exponential loss results in significantly more efficient schemes. We refer the reader to [29] for a detailed discussion.

Distributional indistinguishability was also considered in the context of output compressing randomized encodings [44]; indeed, this work implies that achieving $\mathsf {DI}$ security for FE for Turing machines with long outputs is impossible in the plain model. We note that our construction sidesteps this lower bound by considering Turing machines with a single output bit.

$\mathsf {iO}$ for TMs with unbounded memory has been constructed by [6, 41] as discussed above, other prior works were limited to bounded space constraints. We note that [6] additionally achieve constant overhead in the size of the obfuscated program as well as amortization, which we do not consider in this work. We also note that the work of [10] achieve ${\mathsf {miFE}}$ for TMs where the number of encrypting parties can be arbitrary, whereas we only support a-priori fixed, bounded number of parties.

The approach of using decomposable $\mathsf {FE}$ for circuits to construct $\mathsf {FE}$ for deterministic finite automata (DFA) in the single key setting was suggested by [2]. In this work we develop and significantly generalize their ideas. In particular, we handle the unbounded key setting in $\mathsf {FE}$ for $\mathsf {TM}$s which necessitates dealing with the much more complex indistinguishability style definition, for which we develop new proof techniques which use a novel “sliding trapdoor” approach and leverage distributional indistinguishability. In contrast, since [2] use simulation security for single key $\mathsf {FE}$, their proof must not contend with any of these challenges. Please see below for details.

Our Techniques. We describe an overview of our constructions, starting with single input $\mathsf {FE}$, generalizing to multi-input $\mathsf {FE}$ and then building $\mathsf {iO}$. All our constructions support the Turing machine model of computation. Our constructions rely on a single input FE scheme for circuits, denoted by $\mathsf {CktFE}$, which satisfies decomposability. In Appendix A, we show that decomposable FE for circuits is implied by FE for circuits. Intuitively, decomposability means that the ciphertext $\mathsf {CT}_\mathbf {x}$ for a multi-bit message $\mathbf {x}$ be decomposable into multiple ciphertext components $\mathsf {CT}_i$ for $i \in |\mathbf {x}|$, one for each bit $x_i$ of the message. Moreover, the ciphertext components encoding individual bits of a single input are tied together by common randomness, that is $\mathsf {CT}_i = {\mathcal {E}}(\mathsf {PK}, r, x_i)$ where $\mathcal {E}$ is an encoding function and r is common randomness used for all $i \in |\mathbf {x}|$^{Footnote 1}. The notion of decomposability has been widely studied and used in the context of randomized encodings, which may be seen as a special case of functional encryption; please see [9] as an example.

Single Input. $\mathsf {TMFE}$. Recall that a Turing machine at any time step reads a symbol, state pair and produces a new symbol which is written to the work tape, a new state and a left or right head movement. By assuming the Turing machine is oblivious, the head movements of the TM may be fixed; thus, at any given time step when a work tape cell is read, we can compute the next time step when the same work tape cell will be accessed. This reduces the output at any time step t to a symbol, state pair, where the state is read in the next time step $t+1$ and the symbol is read at a future (fixed) time step $t'>t$.

Our construction uses two $\mathsf {CktFE}$ schemes, $\mathsf {1\mathsf {FE}}_1$ and $\mathsf {1\mathsf {FE}}_2$, where $\mathsf {1\mathsf {FE}}_2$ is decomposable. Intuitively, $\mathsf {1\mathsf {FE}}_1$ is used by the encryptor to encode the unbounded length input, while $\mathsf {1\mathsf {FE}}_2$ is used to mimic the computation of the Turing machine, as we describe next. The ciphertext of $\mathsf {1\mathsf {FE}}_2$ is divided into two parts, encoding input components $(t, \sigma )$ and q respectively. Here, t is the current time step in the computation and $\sigma , q$ are the current work-tape symbol and state respectively. We maintain the invariant that at any time step t in the computation, both components of the ciphertext have been computed using common randomness derived from $\mathsf{PRF}_\mathsf {K}((t\Vert \mathsf{salt}))$, where $\mathsf{salt}$ is an input chosen by the key generator and the PRF key $\mathsf {K}$ is chosen by the encryptor.

Now, to mimic the TM computation, we provide a function key for the $\mathsf {Next}$ functionality, that stores the transition table, receives as input the current (symbol, state) pair, computes the symbol to be written on the work tape and the next state using the transition table, derives the randomness using the PRF for the appropriate time step and outputs the encodings of the new (symbol, state) pair. In more detail, say the encryptor provides encodings of each input symbol $x_i$, for $i \in [|\mathbf {x}|]$, in addition to an encoding for the first (fixed) state $\mathsf {q}_{\mathsf {st}}$, where the encodings of $(1, x_1)$ and $\mathsf {q}_{\mathsf {st}}$ share the same randomness so that they may be concatenated to yield a complete ciphertext for $(1, x_1, \mathsf {q}_{\mathsf {st}})$. Now, the function key may read input $(1, x_1, \mathsf {q}_{\mathsf {st}})$, lookup the transition table and produce an encryption of the next state $q_2$ and the symbol to be written $x'_2$. The randomness used to encrypt $q_2$ is derived using a PRF as described above, and is the same as the randomness used by the encryptor to encode $(2, x_2)$. Hence, the two ciphertext components encoding $(2, x_2)$ and $q_2$ may be concatenated to yield a complete $\mathsf {1\mathsf {FE}}_2$ ciphertext which may be again decrypted using the function key.

Now consider how to support writing on tape. Say the symbol $x'_2$ will be read at future fixed time step $t'$. Then the function key encodes the tuple $(t',x'_2)$ using randomness $\mathsf{PRF}_\mathsf {K}((t'\Vert \mathsf{salt}))$. The state for time step $t'$, say $q'$ is computed at time step $t'-1$, also using randomness $\mathsf{PRF}_\mathsf {K}((t'\Vert \mathsf{salt}))$. Thus, encodings of $(t',x'_2)$ and $q'$ may be joined together to yield a complete $\mathsf {1\mathsf {FE}}_2$ ciphertext which may be decrypted to propagate the computation.

A detail brushed away by the above description is that the encryptor, given input $\mathbf {x}$, cannot compute randomness generated by a PRF which has input a value $\mathsf{salt}$ chosen by the key generator. This is handled by making use of an additional scheme $\mathsf {1\mathsf {FE}}_1$, which re-encrypts ciphertexts provided by the encryptor via a $\mathsf {ReRand}$ functionality, using the requisite randomness. Note that we support inputs of unbounded length by leveraging the fact that $\mathsf {CktFE}$ schemes $\mathsf {1\mathsf {FE}}_1,\mathsf {1\mathsf {FE}}_2$ support encryption of unbounded number of inputs, even if each must be of bounded length. Thus, the encryptor provides an unbounded number of $\mathsf {1\mathsf {FE}}_1$ ciphertexts which are rerandomized and translated to ciphertexts under $\mathsf {1\mathsf {FE}}_2$ using the $\mathsf {ReRand}$ function key provided by the key generator.

Encoding the PRF key. The above informal description hides an important detail – for the function key to produce ciphertext components using a PRF, it must have the key of the PRF, chosen by the encryptor^{Footnote 2}, passed to it as input. Thus the ciphertext must additionally encode the PRF key along with inputs (t, x, q). However, the ciphertext is constructed using randomness derived from the same PRF- resulting in circularity. We resolve this difficulty by using constrained PRFs [17, 18, 36], and having a ciphertext encode a PRF key that only allows computation of randomness for time steps of the future; this does not compromise its own security. For this constraint family, we provide a construction of cPRFs from standard assumptions. We believe this construction and the method of its application may be useful elsewhere^{Footnote 3}.

More formally, our construction makes use of constrained, delegatable PRF for the function family $f_t :\{0,1\}^{2 \cdot \lambda } \rightarrow \{0,1\}$ defined as follows.

$$\begin{aligned} f_t(x\Vert z)&= 1 \;\;\;if \;\; x \ge t\\&=0 \;\;\; otherwise \end{aligned}$$

We denote the constrained PRF key $\mathsf {K}_{f_t}$ by $\mathsf {K}_t$ for brevity. By the delegation property of constrained PRFs, we have that if $t'\ge t$ then $\mathsf {K}_{t'}$ can be derived from $\mathsf {K}_{t}$. The proof requires the PRF to be punctured at a fixed point in each hybrid, we provide a construction of delegatable punctured PRF in the full version of the paper [1].

Proof Overview. While the above description of single input $\mathsf {TMFE}$ is natural and intuitive, the proof of indistinguishability based security is quite subtle and requires new techniques as we discuss next. For ease of exposition, we describe the proof overview for the case where the adversary makes a single key request corresponding to some TM M. We must argue that the challenge ciphertext, which is a sequence of $\mathsf {1\mathsf {FE}}_1$ ciphertexts, together with $\mathsf {ReRand}$ and $\mathsf {Next}$ keys corresponding to a TM M, do not distinguish the bit b.

As discussed above, the $\mathsf {1\mathsf {FE}}_1$ ciphertexts are decrypted using the $\mathsf {ReRand}$ key to produce a sequence of $\mathsf {1\mathsf {FE}}_2$ ciphertexts, each corresponding to a time step in the TM execution (when the encoded symbol is read), which are in turn decrypted by $\mathsf {Next}$ keys to compute new $\mathsf {1\mathsf {FE}}_2$ ciphertexts for future time steps. We may view the $\mathsf {1\mathsf {FE}}_2$ ciphertexts as forming a chain, with each link of the chain corresponding to a single step of the TM computation, and each ciphertext producing (via decryption) a new ciphertext for the next time step, finally yielding the output when the TM halts (after T steps, say). Intuitively, since the output of the TM does not distinguish the bit b by admissibility of the $\mathsf{TMFE}$ adversary, we may argue by security of $\mathsf {1\mathsf {FE}}_2$ that the ciphertext at the penultimate step $T-1$ also does not distinguish b, which implies that the ciphertext at step $T-2$ hides b and so on, ultimately yielding indistinguishability of the entire chain, and hence of the $\mathsf {1\mathsf {FE}}_1$ challenge ciphertext.

Formalizing this intuitive argument is quite tricky. A natural approach would be to consider a sequence of hybrids, one corresponding to each link in the chain, and switch the $\mathsf {1\mathsf {FE}}_2$ ciphertexts one by one starting from the end of the chain. While intuitive, this idea is misleading – note that a naive implementation of this idea would lead to a chain which is “broken”: namely, its first links correspond to $b=0$, and last links to $b=1$. Since the ciphertext at a given step is decrypted to compute the ciphertext at the next step, a ciphertext corresponding to $b=0$ cannot in general output a ciphertext for $b=1$.

A standard approach to deal with this difficulty is to embed a “trapdoor” mode within the functionality [3, 5, 19] which lets us“hardwire” the ciphertexts that must be output by decryption directly in the key, allowing decryption to yield an inconsistent chain. However, this approach also fails in our case, since the length of the chain is unbounded and there isn’t sufficient space in the key to incorporate all its values.

Our Approach: “Sliding” Trapdoors. We deal with this difficulty by designing a novel “sliding-window” trapdoor approach which lets us hardwire the decryption chain“piece by piece”. In more detail, we start with the last two time steps $(T, T-1)$, program the key to produce the output corresponding to $b=1$ for time step T and $b=0$ for $T-1$, then transition to a world where the output corresponds to $b=1$ for both T and $T-1$. At this point, the hardwiring of the output for time step T is redundant, since the ciphertext output by the decryption process at time step $T-1$ automatically computes the output coresponding to $b=1$ at time step T. Thus, we may now slide the trapdoor to program to the next pair $(T-1, T-2)$, switching the decryption output at time step $T-2$ to $b=1$ and so on, until the entire chain corresponds to $b=1$.

Intuitively, we are “programming” the decryption only for outputs at both ends of the“broken link”, so that preceding links are generated using $b=0$ and subsequent links are generated using $b=1$. We leverage the fact that the chain links corresponding to future time-steps are encoded implicitly in a given time step – hence if we manage to hide the chain inconsistency at a certain position i, this implies that the remainder of the chain is constructed using the bit encoded at step i. Formalizing this argument requires a great deal of care, as we must keep track of the “target” time steps corresponding to the two ends of the broken link that are being programmed, the time steps at which the symbol and state ciphertexts are generated to be“consumed” at the target time-steps, the particular values that must be encoded in the symbol, state fields in both cases as well as the key that is being handled at a given time in the proof. For more details, please see Sect. 3.3.

Generalising to Multi-input FE for Turing Machines. For the k party setting, a natural idea is to have each party encrypt its own input $\mathbf {x}_i$, and use a k input $\mathsf {CktFE}$ scheme $\mathsf {k}\mathsf {FE}$ [19, 40], to “aggregate” these into the“input” ciphertext $\mathsf {CT}(\mathbf {x})$ for one long input $\mathbf {x}= (\mathbf {x}_1\Vert \mathbf {x}_2\Vert \ldots \Vert \mathbf {x}_k)$, under a different $\mathsf {CktFE}$ scheme $\mathsf {1\mathsf {FE}}$. Note that the length of $\mathbf {x}$ is unknown hence it may not be encoded “all at once” but must be encoded bit by bit as in the previous scheme. Now, by additionally providing the $\mathsf {1\mathsf {FE}}$ ciphertext encoding the start state of the Turing machine $\mathsf {CT}(\mathsf {q}_{\mathsf {st}})$, and a function key to compute the transition table of the TM as in the previous scheme, we may proceed with the computation exactly as before.

Formalizing this idea must contend with several hurdles. In the multi-input setting, the $i^{th}$ encryptor may encode multiple inputs and functionality permits “mix and match” of ciphertexts in the sense that any input encoded by party i may be combined with any input encoded by parties $j \in [k],\; j \ne i$. Therefore, if each of k parties encodes T ciphertexts, there are $T^k$ valid input combinations that the TM may execute on. However, when the TM is executing on any input combination, we must ensure that it cannot mix and match symbol, state pairs across different input combinations. Moreover, an encryption for a symbol, state pair produced by some machine $M_i$ should not be decryptable by any machine $M_j$ for $j \ne i$. These issues are handled by careful design of the aggregate functionality to ensure that an execution thread of any input combination by any machine is separate from any other. The proof extends naturally from the single input case. Please see Sect. 4 for details.

Distributional Indistinguishability. As discussed above, our constructions rely on the security notion of distributional indistinguishability (DI) for functional encryption for circuits [31]. Intuitively, this notion says that if the outputs produced by a circuit on two input distributions are merely indistinguishable (as against exactly equal), then the ciphertexts encoding those inputs must also be indistinguishable. In the full version [1] we give a construction of DI secure single input FE from standard FE.

Indistinguishability Obfuscation. Constructing $\mathsf {iO}$ for $\mathsf {TM}$s given ${\mathsf {miFE}}$ for $\mathsf {TM}$ is straightforward, and adapts the ${\mathsf {miFE}}$ to $\mathsf {iO}$ circuit compiler by [33] to the $\mathsf {TM}$ setting. As in the circuit case, an ${\mathsf {miFE}}$ for $\mathsf {TM}$ that supports two ciphertext queries and single key query suffices for this transformation. Please see Sect. 5 for details. Since our security proof for ${\mathsf {miFE}}$ for $\mathsf {TM}$ is tight, this compiler yields $\mathsf {iO}$ for $\mathsf {TM}$ from sub-exponentially secure $\mathsf {FE}$ for circuits rather than sub-exponentially secure $\mathsf {iO}$ for circuits.

Organization of the Paper. Definitions and preliminaries are provided in Sect. 2 as well as the full version [1]. In Sect. 3, we provide our construction for single input FE for Turing machines. In Sect. 4, we provide our construction for multi-input FE for Turing machines for any fixed arity k and in Sect. 5 we describe our $\mathsf {iO}$ for $\mathsf {TM}$s for bounded inputs.

2 Preliminaries

In this section, we define some notation and preliminaries that we require.

Notation. We begin by defining the notation that we will use throughout the paper. We use bold letters to denote vectors and the notation [a, b] to denote the set of integers $\{k\in \mathbb {N}~|~a\le k\le b\}$. We use [n] to denote the set [1, n]. Concatenation is denoted by the symbol $\Vert $.

We say a function f(n) is negligible if it is $O(n^{-c})$ for all $c > 0$, and we use ${{\mathrm{negl}}}(n)$ to denote a negligible function of n. We say f(n) is polynomial if it is $O(n^c)$ for some $c > 0$, and we use ${{\mathrm{poly}}}(n)$ to denote a polynomial function of n. We use the abbreviation $\mathsf {PPT}$ for probabilistic polynomial-time. We say an event occurs with overwhelming probability if its probability is $1 - {{\mathrm{negl}}}(n)$. The function $\log x$ is the base 2 logarithm of x.

2.1 Definitions: FE for Circuits

In this section, we define functional encryption for circuits, in both the single and multi-input setting.

Single Input Functional Encryption for Circuits. Let $\mathcal{X}= \{\mathcal{X}_\lambda \}_{\lambda \in \mathbb {N}}$ and $\mathcal{Y}= \{\mathcal{Y}_\lambda \}_{\lambda \in \mathbb {N}}$ denote ensembles where each $\mathcal{X}_{\lambda }$ and $\mathcal{Y}_{\lambda }$ is a finite set. Let $\mathcal {F}= \big \{\mathcal {F}_\lambda \big \}_{\lambda \in \mathbb {N}}$ denote an ensemble where each $\mathcal {F}_{\lambda }$ is a finite collection of circuits, and each circuit $f \in \mathcal {F}_{\lambda }$ takes as input a string $\mathbf {x}\in \mathcal{X}_{\lambda }$ and outputs $f(\mathbf {x}) \in \mathcal{Y}_\lambda $.

A functional encryption scheme $\mathsf {CktFE}$ for $\mathcal {F}$ consists of four algorithms

$\mathsf {CktFE}=(\mathsf {CktFE.Setup}, \mathsf {CktFE.Keygen},$ $\mathsf {CktFE.Enc}, \mathsf {CktFE.Dec})$ defined as follows.

$\mathsf {CktFE.Setup}(1^\lambda )$ is a $\mathsf {PPT}$ algorithm that takes as input the unary representation of the security parameter and outputs the master public and secret keys $(\mathsf {PK}, \mathsf {MSK})$. Sometimes, the $\mathsf {CktFE.Setup}$ algorithm may also accept as input a parameter $1^\ell $, denoting the length of the input. In this case, the input lives in domain $\mathcal{X}^\ell $.
$\mathsf {CktFE.Keygen}(\mathsf {MSK}, f)$ is a $\mathsf {PPT}$ algorithm that takes as input the master secret key $\mathsf {MSK}$ and a circuit $f \in \mathcal {F}_{\lambda }$ and outputs a corresponding secret key $\mathsf {SK}_f$.
$\mathsf {CktFE.Enc}(\mathsf {PK}, \mathbf {x})$ is a $\mathsf {PPT}$ algorithm that takes as input the master public key $\mathsf {PK}$ and an input message $\mathbf {x}\in \mathcal{X}_\lambda $ and outputs a ciphertext $\mathsf {CT}$.
$\mathsf {CktFE.Dec}(\mathsf {SK}_f, \mathsf {CT}_\mathbf {x})$ is an (a deterministic) algorithm that takes as input the secret key $\mathsf {SK}_f$ and a ciphertext $\mathsf {CT}_\mathbf {x}$ and outputs $f(\mathbf {x})$.

Definition 1

(Correctness). A functional encryption scheme $\mathsf {CktFE}$ is correct if for all $\lambda \in \mathbb {N}$, all $f \in \mathcal {F}_\lambda $ and all $x \in \mathcal{X}_\lambda $,

$$ \Pr \Bigg [\begin{array}{ll}(\mathsf {PK},\mathsf {MSK}) \leftarrow \mathsf {CktFE.Setup}(1^\lambda ); \\ \mathsf {CktFE.Dec}\Big (\mathsf {CktFE.Keygen}(\mathsf {MSK},f), \mathsf {CktFE.Enc}(\mathsf {PK},\mathbf {x})\Big ) \ne f(\mathbf {x}) \end{array}\Bigg ] = {{\mathrm{negl}}}(\lambda ) $$

where the probability is taken over the coins of $\mathsf {CktFE.Setup}$, $\mathsf {CktFE.Keygen}$, and $\mathsf {CktFE.Enc}$.

Definition 2

(Compactness [5]). A functional encryption scheme for circuits is said to be compact if for any input message $\mathbf {x}$, the running time of the encryption algorithm is polynomial in the security parameter and the size of $\mathbf {x}$. In particular, it does not depend on the circuit description size or the output length of any function f supported by the scheme.

A weaker version of compactness, known as succinct or semi-compact FE, allows the run time of the encryption algorithm to depend on the output length of the functions. Equivalently, a semi-compact FE scheme is simply a compact FE scheme when we restrict our attention to functions with single-bit outputs.

Distributional Indistinguishability for Circuit FE. In this section we define the notion of distributional indistinguishability for functional encryption for circuits. The notion was first defined by [31, Sect. 3.4] in the context of reusable garbled circuits, i.e. single key functional encryption but may be generalized to the multi-key setting in a straightforward way. Intuitively, this notion says that if the outputs produced by a circuit on two input distributions are indistinguishable, then the ciphertexts encoding those inputs must also be indistinguishable.

Definition 3

A functional encryption scheme $\mathcal F$ for a circuit family $\mathcal G$ is secure in the distributional indistinguishability game, if for all $\mathsf {PPT}$ adversaries $\mathcal {A}$, the advantage of $\mathcal {A}$ in the following experiment is negligible in the security parameter $\lambda $:

1.
Public Key: Challenger returns $\mathsf {PK}$ to the adversary.
2.
Pre-Challenge Key Queries: $\mathcal {A}$ may adaptively request keys for any circuits $g_i \in \mathcal {G}$. In response, $\mathcal {A}$ is given the corresponding keys $\mathsf {SK}_{g_i}$. This step may be repeated any polynomial number of times by the attacker.
3.
Challenge Declaration: $\mathcal {A}(1^\lambda ,\mathsf {PK})$ outputs two ensembles of challenge distributions $\big (D_0(\lambda ), D_1(\lambda )\big )$^{Footnote 4} to the challenger, subject to the restriction that for any $\mathbf {x}_0 \leftarrow D_0, \mathbf {x}_1 \leftarrow D_1$, it holds that $g_i(\mathbf {x}_0) {\ {\mathop {\approx }\limits ^{c}}\ }g_i(\mathbf {x}_1)$ for all i.
4.
Challenge CT: $\mathcal {A}$ requests the challenge ciphertext, to which challenger chooses a random bit b, samples $\mathbf {x}_b \leftarrow D_b$ and returns the ciphertext $\mathsf {CT}_{\mathbf {x}_b}$.
5.
Key Queries: The adversary may continue to request keys for additional functions $g_i$, subject to the same restriction that for any $\mathbf {x}_0 \leftarrow D_0, \mathbf {x}_1 \leftarrow D_1$, it holds that $g_i(\mathbf {x}_0) {\ {\mathop {\approx }\limits ^{c}}\ }g_i(\mathbf {x}_1)$ for all i.
6.
$\mathcal {A}$ outputs a bit $b'$, and succeeds if $b' = b$.

The advantage of $\mathcal {A}$ is the absolute value of the difference between its success probability and 1/2. In the selective game, the adversary is required to declare the challenge distributions in the very first step, without seeing the public key.

Comparison with Standard Indistinguishability. We note that the standard indistinguishably game is implied by the above by restricting the adversary to choose distributions $D_0, D_1$ above to simply be two messages $\mathbf {x}_0, \mathbf {x}_1$ with probability 1 and requesting keys that satisfy $g_i(\mathbf {x}_0) = g_i(\mathbf {x}_1)$ for all i, which is a special case of $g_i(\mathbf {x}_0) {\ {\mathop {\approx }\limits ^{c}}\ }g_i(\mathbf {x}_1)$.

Decomposable Functional Encryption for Circuits. In this section, we recall the notion of decomposable functional encryption ($\mathsf{DFE}$) defined by [2]. Decomposable functional encryption is analogous to the notion of decomposable randomized encodings [9]. Intuitively, decomposability requires that the public key $\mathsf {PK}$ and the ciphertext $\mathsf {CT}_\mathbf {x}$ of a functional encryption scheme be decomposable into components $\mathsf {PK}_i$ and $\mathsf {CT}_i$ for $i \in [|\mathbf {x}|]$, where $\mathsf {CT}_i$ depends on a single deterministic bit $x_i$ and the public key component $\mathsf {PK}_i$. In addition, the ciphertext may contain components that are independent of the message and depend only on the randomness.

Formally, let $\mathbf {x}\in \{0,1\}^k$. A functional encryption scheme is said to be decomposable if there exists a deterministic function $\mathcal {E}: \mathcal {P}\times \{0,1\} \times \mathcal {R}_1 \times \mathcal {R}_2 \rightarrow \mathcal {C}$ such that:

1.
The public key may be interpreted as $\mathsf {PK}= (\mathsf {PK}_1,\ldots , \mathsf {PK}_k, \mathsf {PK}_{\mathsf{indpt}})$ where $\mathsf {PK}_i \in \mathcal {P}$ for $i\in [k]$. The component $\mathsf {PK}_\mathsf{indpt}\in \mathcal {P}^j$ for some $j \in \mathbb {N}$.
2.
The ciphertext may be interpreted as $\mathsf {CT}_\mathbf {x}= (\mathsf {CT}_1,\ldots , \mathsf {CT}_k, \mathsf {CT}_\mathsf{indpt})$, where
$$\mathsf {CT}_i =\mathcal {E}\;(\mathsf {PK}_i,x_i, r, \hat{r}_i)\;\forall i \in [k]\;\; \text { and }\;\;\; \mathsf {CT}_\mathsf{indpt}= \mathcal {E}\;(\mathsf {PK}_\mathsf{indpt}, r, \hat{r})$$
Here $r \in \mathcal {R}_1$ is common randomness used by all components of the encryption. Apart from the common randomness r, each $\mathsf {CT}_i$ may additionally make use of independent randomness $\hat{r}_i \in \mathcal {R}_2$.

We note that if a scheme is decomposable “bit by bit”, i.e. into k components for inputs of size k, it is also decomposable into components corresponding to any partition of the interval [k]. Thus, we may decompose the public key and ciphertext into any $i \le k$ components of length $k_i$ each, such that $\sum k_i =k$. We will sometimes use $\bar{\mathcal {E}}(\mathbf {y})$ to denote the tuple of function values obtained by applying $\mathcal {E}$ to each component of a vector, i.e. $\bar{\mathcal {E}}(\mathsf {PK},\mathbf {y},r) \triangleq \Big (\mathcal {E}(\mathsf {PK}_1, y_1, r, \hat{r}_1),\ldots ,\mathcal {E}(\mathsf {PK}_k, y_k, r, \hat{r}_k)\Big )$, where $|\mathbf {y}|=k$. We assume that given the security parameter, the spaces $\mathcal {P},\;\mathcal {R}_1,\;\mathcal {R}_2,\;\mathcal {C}$ are fixed, and the length of the message $|\mathbf {x}|$ can be any polynomial.

Multi-input Functional Encryption for Circuits. We define the notion of private-key t-input functional encryption for circuits here. Our definition follows that of [40].

Let $\forall i\in [t], \mathcal{X}_i = \{(\mathcal{X}_i)\}_{\lambda \in \mathbb {N}}$ and $\mathcal{Y}= \{\mathcal{Y}_\lambda \}_{\lambda \in \mathbb {N}}$ be ensembles of finite sets, and let $\mathcal{F}= \{\mathcal{F}_\lambda \}_{\lambda \in \mathbb {N}}$ be an ensemble of finite t-ary function families. For each $\lambda \in \mathbb {N}$, each function $f\in \mathcal{F}_\lambda $ takes as input t strings, $\mathbf {x}_1\in (\mathcal{X}_1)_\lambda , \ldots , \mathbf {x}_t\in (\mathcal{X}_t)_\lambda $, and outputs a value $f(\mathbf {x}_1,\ldots ,\mathbf {x}_t)\in \mathcal{Y}_\lambda $.

A private-key t-input functional encryption scheme $t\text {-}\mathsf {CktFE}$ for $\mathcal{F}$ consists of four algorithms $t\text {-}\mathsf {CktFE}= \left( t\text {-}\mathsf {CktFE}\mathsf {.Setup},t\text {-}\mathsf {CktFE}\mathsf {.Keygen}, \right. $ $\left. t\text {-}\mathsf {CktFE}\mathsf {.Enc},t\text {-}\mathsf {CktFE}\mathsf {.Dec}\right) $ defined as follows.

$t\text {-}\mathsf {CktFE}\mathsf {.Setup}(1^\lambda )$ is a $\mathsf {PPT}$ algorithm that takes as input the unary representation of the security parameter and outputs the master secret key $\mathsf {MSK}$.
$t\text {-}\mathsf {CktFE}\mathsf {.Keygen}(\mathsf {MSK}, f)$ is a $\mathsf {PPT}$ algorithm that takes as input the master secret key $\mathsf {MSK}$ and a circuit $f \in \mathcal {F}_{\lambda }$ and outputs a corresponding secret key $\mathsf {SK}_f$.
$t\text {-}\mathsf {CktFE}\mathsf {.Enc}(\mathsf {MSK}, \mathbf {m}, \mathsf{ind})$ is a $\mathsf {PPT}$ algorithm that takes as input the master secret key $\mathsf {MSK}$, an input message $\mathbf {m}= \mathbf {x}_i \in (\mathcal{X}_i)_\lambda $ if $\mathsf{ind}=i, i\in [t]$, and outputs a ciphertext $\mathsf {CT}_\mathsf{ind}$.
$t\text {-}\mathsf {CktFE}\mathsf {.Dec}(\mathsf {SK}_f, (\mathsf {CT}_{1},\ldots ,\mathsf {CT}_{t}))$ is an (a deterministic) algorithm that takes as input the secret key $\mathsf {SK}_f$ and t ciphertexts $\mathsf {CT}_1,\ldots , \mathsf {CT}_t$ and outputs a string $y \in \mathcal{Y}_\lambda \cup \bot $.

Definition 4

(Correctness). A private-key t-input functional encryption scheme $t\text {-}\mathsf {CktFE}$ is correct if for all $\lambda \in \mathbb {N}$, $f \in \mathcal {F}_\lambda $ and all $(\mathbf {x}_1,\ldots ,\mathbf {x}_t) \in (\mathcal{X}_1)_\lambda \times \ldots \times (\mathcal{X}_t)_\lambda $,

$$ \Pr \Bigg [\begin{array}{ll} t\text {-}\mathsf {CktFE}\mathsf {.Dec}\Big (t\text {-}\mathsf {CktFE}\mathsf {.Keygen}(\mathsf {MSK},f), \big (t\text {-}\mathsf {CktFE}\mathsf {.Enc}(\mathsf {MSK},\mathbf {x}_1,1),\ldots ,\\ \;\;\;\;\; \;\;\;\;\;\;\;\;\;\;\;\;\;\;t\text {-}\mathsf {CktFE}\mathsf {.Enc}(\mathsf {MSK}, \mathbf {x}_t, t)\big )\Big ) \ne f(\mathbf {x}_1,\ldots ,\mathbf {x}_t) \end{array}\Bigg ] = {{\mathrm{negl}}}(\lambda ) $$

Here, $\mathsf {MSK}\leftarrow t\text {-}\mathsf {CktFE}\mathsf {.Setup}(1^\lambda )$ and probability is taken over the random coins of $t\text {-}\mathsf {CktFE}\mathsf {.Setup}$, $t\text {-}\mathsf {CktFE}\mathsf {.Enc}$ and $t\text {-}\mathsf {CktFE}\mathsf {.Keygen}$.

Distributional Indistinguishability. We define the notion of distributional indistinguishability for a t-input functional encryption scheme for circuits. To begin, we describe a valid t-input adversary.

Definition 5

(Valid t-Input Adversary). A $\mathsf {PPT}$ algorithm $\mathcal{A}$ is a valid t-input adversary if for all private-key t-input functional encryption schemes over message space $(\mathcal{X}_1)_\lambda \times \ldots \times (\mathcal{X}_t)_\lambda $, and a circuit space $\mathcal{F}$, for any $(f_0, f_1)$ queried by the adversary, and any t pairs of input distribution ensembles $(D_{01}(\lambda ), D_{11}(\lambda )),\ldots , (D_{0t}(\lambda ), D_{1t}(\lambda ))$^{Footnote 5} output by the adversary such that $D_{bj}$ is a distribution over $\mathcal{X}_j$ for $b \in \{0,1\}$, $j \in [t]$, it holds that

$$ f_0(\mathbf {x}_{01},\ldots ,\mathbf {x}_{0t}) {\ {\mathop {\approx }\limits ^{c}}\ }f_1(\mathbf {x}_{11},\ldots ,\mathbf {x}_{1t}), $$

where $\mathbf {x}_{bj} \leftarrow D_{bj}$ for $b \in \{0,1\}$, $j\in [t]$.

We define the following game between a challenger and an adversary:

1.
Key Queries. $\mathcal {A}$ may adaptively submit key requests for pairs of functions $(f_0, f_1) \in \mathcal {F}$. In response, $\mathcal {A}$ is given the corresponding keys $\mathsf {SK}_{f_b}$ for some random bit b chosen by the challenger. This step may be repeated any polynomial number of times by the attacker.
2.
Ciphertext Queries. $\mathcal {A}(1^\lambda )$ submits ciphertext requests for pairs of challenge distribution ensembles $(D_{01}, D_{11}),\ldots , (D_{0t}, D_{1t})$ to the challenger. The challenger samples $\mathbf {x}_j \leftarrow D_{bj}$ for $j \in [t]$ and returns ${t\text {-}\mathsf {CktFE}\mathsf {.Enc}}({\mathsf {MSK}},\mathbf {x}_j,j), \forall j \in [t]$. This step may be repeated any polynomial number of times by the attacker.
3.
Guess. $\mathcal {A}$ outputs a bit $b'$, and succeeds if $b' = b$.

In the above definition, ciphertext and key queries may be interspersed in any order. The advantage of $\mathcal{A}$ is the absolute value of the difference between its success probability and 1/2. In the selective game, the adversary is required to declare the challenge ciphertext distributions in the very first step, without seeing the public key.

Definition 6

A t-input functional encryption scheme $t\text {-}\mathsf {CktFE}$ for a circuit family $\mathcal{F}$ is secure in the distributional indistinguishability game, if for all valid $\mathsf {PPT}$ adversaries $\mathcal{A}$, the advantage of $\mathcal{A}$ in the above game is negligible in the security parameter $\lambda $.

We note that the standard indistinguishability game is the special case where the adversary submits challenge messages rather than distributions and all queried functions must output exactly the same rather than indistinguishable values.

2.2 Definitions: FE for Turing Machines

In this section, we will define functional encryption for Turing Machines (TM). We denote the runtime (i.e. number of steps the head takes) by $\mathsf{{runtime}}(M,\mathbf {w})$.

Let $\mathcal{M}=\{{\mathcal {M}}_\lambda \}_{\lambda \in \mathbb {N}}$ be a family of Turing machines with alphabet $\varSigma =\{\varSigma _\lambda \}_{\lambda \in \mathbb {N}}$ and the running time upper-bounded by a polynomial in $\lambda $. A functional encryption scheme $\mathsf {TMFE}$ for a Turing machine family ${\mathcal {M}}$ consists of four algorithms $\mathsf {TMFE}=(\mathsf {TMFE.Setup}, \mathsf {TMFE.KeyGen},$ $\mathsf {TMFE.Enc}, \mathsf {TMFE.Dec})$ defined as follows.

$\mathsf {TMFE.Setup}(1^\lambda )$ is a $\mathsf {PPT}$ algorithm that takes as input the unary representation of the security parameter and outputs the master public and secret keys $(\mathsf {PK}, \mathsf {MSK})$.
$\mathsf {TMFE.KeyGen}(\mathsf {MSK}, M\mathsf )$ is a $\mathsf {PPT}$ algorithm that takes as input the master secret key $\mathsf {MSK}$ and a TM M and outputs a corresponding secret key $\mathsf {SK}_M$.
$\mathsf {TMFE.Enc}(\mathsf {PK}, \mathbf {x})$ is a $\mathsf {PPT}$ algorithm that takes as input the master public key $\mathsf {PK}$, and an input message $\mathbf {x}\in \varSigma ^*_\lambda $ of arbitrary length, outputs a ciphertext $\mathsf {CT}_\mathbf {x}$.
$\mathsf {TMFE.Dec}(\mathsf {SK}_ M\mathsf , \mathsf {CT}_\mathbf {x})$ is an (a deterministic) algorithm that takes as input the secret key $\mathsf {SK}_M$ and a ciphertext $\mathsf {CT}_\mathbf {x}$ and outputs a bit b.

Correctness is defined analogously to the circuit setting.

Efficiency [7]. The efficiency property of a public-key FE scheme for Turing machines says that the algorithm $\mathsf {TMFE.Setup}$ on input $1^\lambda $ should run in time polynomial in $\lambda $, $\mathsf {TMFE.KeyGen}$ on input the Turing machine M and the master key $\mathsf {MSK}$ should run in time polynomial in $(\lambda , |M|)$, $\mathsf {TMFE.Enc}$ on input a message $\mathbf {x}$ and the public key should run in time polynomial in $(\lambda , |\mathbf {x}|)$. Finally, $\mathsf {TMFE.Dec}$ on input a functional key of M and an encryption of $\mathbf {x}$ should run in time polynomial in $(\lambda , |M|, |\mathbf {x}|, \mathsf{runtime}(M, \mathbf {x}))$.

The multi-input case may be defined as in the circuit setting.

Indistinguishability Obfuscation for Turing Machines. As in prior work, we construct $\mathsf {iO}$ for Turing machines (TMs) in the setting where the input length is fixed a-priori. A uniform P.P.T machine $\mathsf {iO}$ is an indistinguishability obfuscator for a class of Turing machines $\{\mathcal{M}_\lambda \}_{\lambda \in \mathbb {N}}$ with input length L, if the following conditions are satisfied:

1.
Correctness. For all security parameters $\lambda \in {\mathbb N}$, for any $M \in \mathcal{M}_\lambda $ and every input $\mathbf {x}\in \{0,1\}^{\le L}$, we have that:
$$ \Pr \big [ M' \leftarrow {\mathsf {iO}}(1^\lambda , M, L): M'(\mathbf {x}) = M(\mathbf {x}) \big ] =1 $$
where the probability is taken over the coin-tosses of the obfuscator $\mathsf {iO}$.
2.
Indistinguishability of Equivalent TMs. For every ensemble of pairs of Turing machines $\{M_{0,\lambda }, M_{1,\lambda }\}_{\lambda \in \mathbb {N}}$, such that $M_{0,\lambda }(\mathbf {x}) = M_{1,\lambda }(\mathbf {x})$ for every $\mathbf {x}\in \{0,1\}^{\le L}$ and $\mathsf{runtime}(M_{0,\lambda },\mathbf {x}) = \mathsf{runtime}(M_{1,\lambda },\mathbf {x})$, we have that the following ensembles of pairs of distributions are indistinguishable to any $\mathsf {PPT}$ $\mathsf{Adv}$:
$$ \Big \{M_{0,\lambda }, M_{1,\lambda }, {\mathsf {iO}}(1^\lambda , M_{0,\lambda }) \Big \} {\ {\mathop {\approx }\limits ^{c}}\ }\Big \{M_{0,\lambda }, M_{1,\lambda }, {\mathsf {iO}}(1^\lambda , M_{1,\lambda }) \Big \} $$
3.
Succinctness. For all security parameters $\lambda \in {\mathbb N}$, for any $M \in \mathcal{M}_\lambda $ , we have that the running time of $\mathsf {iO}(1^\lambda , M, L)$ is ${{\mathrm{poly}}}(\lambda , |M|, L)$ and the evaluation time of $\mathsf {iO}(M)$ on input $\mathbf {x}$ where $\mathbf {x}\in \{0,1\}^{\le L}$, is ${{\mathrm{poly}}}(|M|,L,t)$ where $t = \mathsf{runtime}(M,\mathbf {x})$.

2.3 Constrained Pseudorandom Functions

Constrained pseudorandom functions (introduced concurrently by Boneh and Waters (CCS 2013), Boyle, Goldwasser, and Ivan (PKC 2014), and Kiayias, Papadopoulos, Triandopoulos, and Zacharias (CCS 2013)), are pseudorandom functions (PRFs) that allow the owner of the secret key K to compute a constrained key $K_f$, such that anyone who possesses $K_f$ can compute the output of the PRF on any input x such that $f(x) = 1$ for some predicate f. The security requirement of constrained PRFs state that the PRF output must still look indistinguishable from random for any x such that $f(x) = 0$. We will also require the property of delegatability, formalized below.

Definition 7

([17]). Let $F: \{0,1\}^{\mathsf{seed}(\lambda )} \times \{0,1\}^{\mathsf{in}(\lambda )} \rightarrow \{0,1\}^{\mathsf{out}(\lambda )}$ be an efficient function, where $\mathsf{seed}$, $\mathsf{{in}}$ and $\mathsf{{out}}$ are all polynomials in the security parameter $\lambda $. We say that F is a delegatable constrained pseudorandom function with respect to a set system $\mathcal{S}\subseteq 2^{\{0,1\}^{\mathsf{{in}(\lambda )}}}$ if there exist algorithms $(\mathsf {Setup}, \mathsf {Constrain}, \mathsf {Eval}, \mathsf {KeyDel})$ that satisfy the following:

$\mathsf {Setup}(1^\lambda , 1^{\mathsf{{in}(\lambda )}})$ outputs a pair of keys $\mathsf{pk}, \mathsf{sk}$.
$\mathsf {Constrain}(\mathsf{sk}, S)$ outputs a constrained key $K_S$ which enables evaluation of $F(\mathsf{sk}, \mathbf {x})$ on all $\mathbf {x}\in S$ and no other $\mathbf {x}$.
$\mathsf {KeyDel}(K_S, S')$ outputs a constrained key $K_{S \cap S'}$ which enables the evaluation of $F(\mathsf{sk}, \mathbf {x})$ for all $\mathbf {x}\in S \cap S'$ and no other $\mathbf {x}$. We note that in systems where $\mathsf {KeyDel}$ is supported, the $\mathsf {Constrain}$ algorithm above can be expressed as a special case of $\mathsf {KeyDel}$ by letting $\mathsf{sk}$ correspond to the set of all inputs, i.e. $\mathsf{sk}= K_{\{0,1\}^{\mathsf{{in}(\lambda )}}}$.
$\mathsf {Eval}(K_S, \mathbf {x})$ outputs $F(\mathsf{sk}, \mathbf {x})$ if $\mathbf {x}\in S$, $\bot $ otherwise.

Please refer to the full version [1] for the definition of security.

3 Construction: Single Input FE for Turing Machines

In this section, we construct a single input functional encryption scheme for Turing machines, denoted by $\mathsf{TMFE}$ from the following ingredients:

1.
Two compact functional encryption schemes for circuits, $\mathsf {1\mathsf {FE}}_1$ and $\mathsf {1\mathsf {FE}}_2$. We will assume that the scheme $\mathsf {1\mathsf {FE}}_2$ is decomposable as defined in the preliminaries.
2.
A symmetric encryption scheme $\mathsf {SKE}= (\mathsf {SKE}.\mathsf{KeyGen},\mathsf {SKE}.\mathsf {Enc},\mathsf {SKE}.\mathsf {Dec})$.
3.
A delegatable constrained pseudorandom function ($\mathsf{cPRF}$), denoted by $\mathsf {F}$ which supports T delegations for the function family $f_t :\{0,1\}^{2 \cdot \lambda } \rightarrow \{0,1\}$ defined as follows. Let x, t denote integers whose binary representations are $\mathbf {x}, {\mathbf {t}}$ of $\lambda $ bits. Then,
$$\begin{aligned} f_{t}(\mathbf {x}\Vert \mathbf {z})&= 1, \text {if} \;\; x \ge t \text { and } 0 \text { otherwise} \end{aligned}$$

Intuitively, the function is parametrized by a value t and evaluates to 1 if the first half of its input, $x \ge t$. We will denote the constrained PRF key $\mathsf {K}_{f_t}$ corresponding to function $f_t$ by $\mathsf {K}_t$ for ease of notation. By the delegation property of constrained PRFs, we have that if $t'\ge t$ then $\mathsf {K}_{t'}$ can be derived from $\mathsf {K}_{t}$. In our construction the parameter t will represent the time step in the computation, which means that a PRF key of the current time step can be used to derive PRF keys for future time steps. We will denote a PRF for this functionality by $\mathsf {F}$. The security proof makes use a punctured version of the above $\mathsf{cPRF}$, please see the full version [1] for details.

3.1 Construction

Below we provide our construction for single input $\mathsf {FE}$ for Turing machines.

Notation. Note that since $\mathsf {1\mathsf {FE}}_2$ is decomposable, there exists an encoding function $\mathcal {E}$ which encodes each bit of the input and since it is compact, the output length of $\mathcal {E}$ is independent of the circuit class supported by $\mathsf {1\mathsf {FE}}_2$. Thus, by choosing the encoding function first, the $\mathsf {CktFE}$ scheme may support a circuit class that outputs its own ciphertext components. We denote by $\bar{\mathcal {E}}$ the encoding function $\mathcal {E}$ applied bitwise to a vector, i.e. $\bar{\mathcal {E}}(\mathbf {w}) = \mathcal {E}(w_1)\ldots \mathcal {E}(w_n)$.

$\mathsf {TMFE.Setup}(1^\lambda )$: Upon input the security parameter $1^\lambda $, do the following:
1. 1.
  Let $(\mathsf {1\mathsf {FE}}_2.\mathsf {PK}, \mathsf {1\mathsf {FE}}_2.\mathsf {MSK}) \leftarrow \mathsf {1\mathsf {FE}}_2.\mathsf {Setup}(1^\lambda )$, where $\mathsf {1\mathsf {FE}}_2$ is a decomposable functional encryption scheme for the circuit family
  $$\mathsf {Next}:\Big (\left( \{\mathsf {SYM}\}\times \{0,1\}^{4\lambda } \times \varSigma \times \mathsf{Trap}\right) \times \Big (\{\mathsf {ST}\}\times \mathcal{Q}\Big )\Big ) \rightarrow \left( \mathcal{C}^\mathsf{{1\mathsf {FE}}_2}\right) ^2 \cup \{\mathsf {ACC},\mathsf {REJ},\bot \}$$
  Here, $\varSigma $ and $\mathcal{Q}$ are the alphabet and state space respectively of the Turing machine family. The tokens $\mathsf {SYM}$ and $\mathsf {ST}$ are flags denoting a symbol and a state respectively. The set $\{0,1\}^{4\lambda }$ encodes in order, a random value $\mathsf{key}\text {-}\mathsf{id}$ associated with a TM M, a cPRF key, the current time step in the computation and the length of the input string, each of $\lambda $ bits. Here, $\mathsf{Trap}$ is a data structure of fixed polynomial length which will be used in the proof. Since we do not need it in the construction, we do not discuss it here, please see Fig. 6 for its definition. $\mathcal{C}^\mathsf{{1\mathsf {FE}}_2}$ denotes the ciphertext space of $\mathsf {1\mathsf {FE}}_2$, and $\mathsf {ACC}$ and $\mathsf {REJ}$ are bits indicating accepting and a rejecting states of a TM respectively.
2. 2.
  Let $\left( \mathsf {1\mathsf {FE}}_1.\mathsf {PK}, \mathsf {1\mathsf {FE}}_1.\mathsf {MSK}\right) \leftarrow \mathsf {1\mathsf {FE}}_1.\mathsf {Setup}(1^\lambda )$, where $\mathsf {1\mathsf {FE}}_1$ is a compact, public-key $\mathsf {CktFE}$ scheme for the circuit family
  $$\mathsf {ReRand}:\Big (\{0,1\}^{3\lambda } \times \varSigma \times \mathsf{Trap}\Big )\rightarrow \mathcal{C}^\mathsf{{1\mathsf {FE}}_2}\times \left( \mathcal{C}^\mathsf{{1\mathsf {FE}}_2} \cup \{\bot \} \right) $$
  Again, $\{0,1\}^{3\lambda }$ encodes in order, a root cPRF key, a time step and the length of the input string respectively, while $\varSigma $, $\mathsf{Trap}$ and $\mathcal{C}^\mathsf{{1\mathsf {FE}}_2}$ are as described above.
3. 3.
  Output $\mathsf {PK}= \mathsf {1\mathsf {FE}}_1.\mathsf {PK}$ and $\mathsf {MSK}= \left( \mathsf {1\mathsf {FE}}_1.\mathsf {MSK}, \left( \mathsf {1\mathsf {FE}}_2.\mathsf {PK}, \mathsf {1\mathsf {FE}}_2.\mathsf {MSK}\right) \right) $.
$\mathsf {TMFE.Enc}(\mathsf {PK}, \mathbf {w})$: Upon input the public key $\mathsf {PK}$, and message $\mathbf {w}$ of arbitrary length $\ell =\vert \mathbf {w}\vert $, do the following:
1. 1.
  Sample the root key $\mathsf {K}_0$ for function $f_t$ where $t=0$ for the cPRF $\mathsf {F}$ described above.
2. 2.
  For $i \in [\ell ]$, let $\mathsf {CT}_{i} =\mathsf{{1\mathsf {FE}}_1.\mathsf {Enc}}(\mathsf {PK}, (\mathsf {K}_0, i, \ell , w_i,\mathsf{Trap}))$, where $\mathsf{Trap}$ is a data structure which is only relevant in the proof. Here, all fields of $\mathsf{Trap}$ are set to $\bot $ except a flag which indicates that we are in the real world. Please see Fig. 6 for the definition of $\mathsf{Trap}$.
3. 3.
  Output $\mathsf {CT}_\mathbf {w}=\{\mathsf {CT}_{i}\}_{i \in [\ell ]}$.
$\mathsf {TMFE.KeyGen}(\mathsf {MSK}, M\mathsf )$: Upon input the master secret key $\mathsf {MSK}$ and the description of a Turing machine M, do the following. We will assume, w.l.o.g. that the TM is oblivious (see [1] for a justification) and $\mathsf {q}_\mathsf {st}\in \mathcal{Q}$ is the start state of M.
1. 1.
  Sample a random value $\mathsf{salt}\leftarrow \{0,1\}^\lambda $.
2. 2.
  Interpret $\mathsf {MSK}= \left( \mathsf {1\mathsf {FE}}_1.\mathsf {MSK}, \left( \mathsf {1\mathsf {FE}}_2.\mathsf {PK}, \mathsf {1\mathsf {FE}}_2.\mathsf {MSK}\right) \right) $.
3. 3.
  Let $\mathsf {SK}_\mathsf {ReRand}= \mathsf {1\mathsf {FE}}_1.\mathsf{KeyGen}(\mathsf {1\mathsf {FE}}_1.\mathsf {MSK}, \mathsf {ReRand}_\mathsf{{1\mathsf {FE}}_2.PK,\mathsf{salt},\mathsf {q}_\mathsf {st},\bot ,\bot })$ where Fig. 2 defines the circuit $\mathsf {ReRand}_\mathsf{{1\mathsf {FE}}_2.PK,\mathsf{salt},\mathsf {q}_\mathsf {st},\bot ,\bot }$.
4. 4.
  Let $\mathsf {SK}_\mathsf {Next}= \mathsf {1\mathsf {FE}}_2.\mathsf{KeyGen}(\mathsf {1\mathsf {FE}}_2.\mathsf {MSK}, \mathsf {Next}_\mathsf{{1\mathsf {FE}}_2.\mathsf {PK},\mathsf{salt}, M\mathsf ,\bot ,\bot })$ where Fig. 4 defines the circuit $\mathsf {Next}_\mathsf{{1\mathsf {FE}}_2.\mathsf {PK},\mathsf{salt}, M\mathsf ,\bot ,\bot }$.
5. 5.
  Output $\mathsf {SK}_M = (\mathsf {SK}_\mathsf {ReRand}, \mathsf {SK}_\mathsf {Next})$.
$\mathsf{{TMFE.Dec}}(\mathsf {SK}_M, \mathsf {CT}_\mathbf {w})$: Upon input secret key $\mathsf {SK}_M$ and ciphertext $\mathsf {CT}_\mathbf {w}$, do the following:
1. 1.
  Interpret $\mathsf {SK}_M = \left( \mathsf {SK}_\mathsf {ReRand}, \mathsf {SK}_\mathsf {Next}\right) $ and $\mathsf {CT}_\mathbf {w}= \left( \mathsf {CT}_1,\ldots , \mathsf {CT}_{\vert \mathbf {w}\vert }\right) $.
2. 2.
  For $i \in [|\mathbf {w}|]$, do the following:
  1. (a)
    If $i=1$, invoke $ \mathsf {1\mathsf {FE}}_1.\mathsf {Dec}(\mathsf {SK}_\mathsf {ReRand}, \mathsf {CT}_1)$ to obtain $\left( \mathsf {CT}_{\mathsf {sym},1}, \mathsf {CT}_{\mathsf {st},1}\right) $.
  2. (b)
    Else, invoke $ \mathsf {1\mathsf {FE}}_1.\mathsf {Dec}(\mathsf {SK}_\mathsf {ReRand}, \mathsf {CT}_ i\mathsf )$ to obtain $\left( \mathsf {CT}_{\mathsf {sym}, i}, \bot \right) $.
3. 3.
  Denote $\big ((\mathsf {CT}_{\mathsf {sym},1}, \mathsf {CT}_{\mathsf {st},1}), \mathsf {CT}_{\mathsf {sym},2},\ldots ,\mathsf {CT}_{\mathsf {sym},|\mathbf {w}|} \big )$ as the new sequence of ciphertexts obtained under the $\mathsf {Next}$ scheme.
4. 4.
  Let $t=1$. While the Turing machine does not halt, do:
  1. (a)
    Invoke $\mathsf {1\mathsf {FE}}_2.\mathsf {Dec}\big (\mathsf {SK}_\mathsf {Next}, (\mathsf {CT}_{\mathsf {sym},{t}}, \mathsf {CT}_{\mathsf {st},{t}})\big )$ to obtain:
    - $\mathsf {ACC}$ or $\mathsf {REJ}$. In this case, output “Accept” or “Reject” respectively, and exit the loop.
    - $\big ( {\mathsf {CT}}_{\mathsf {sym},t'} , {\mathsf {CT}}_{\mathsf {st},t+1} \big )$.
    Note that $t'$ is the next time step that the work tape cell accessed at time step t will be accessed again.
  2. (b)
    Let $t=t+1$ and go to start of loop.

3.2 Correctness and Efficiency of Single Input $\mathsf {TMFE}$

We now argue that the above scheme is correct. The $\mathsf {TMFE}.\mathsf {Dec}$ algorithm takes as input a secret key $\mathsf {SK}_M = (\mathsf {SK}_\mathsf {ReRand},\mathsf {SK}_\mathsf {Next})$ and a ciphertext $\mathsf {CT}_\mathbf {w}=\left( \mathsf {CT}_1,\ldots , \mathsf {CT}_{\vert \mathbf {w}\vert }\right) $ under the $\mathsf {1\mathsf {FE}}_1$ scheme supporting the functionality . Firstly, note that given a secret key $\mathsf {SK}_\mathsf {ReRand}$ along with a ciphertext $\mathsf {CT}_\mathbf {w}$, we have as follows.

1.
Since $\mathsf {CT}_1$ encodes $\mathsf{Trap}$ with $\mathsf{Trap}.\mathsf{mode}\text {-}\mathsf{real}=1$, hence by the correctness of the $\mathsf {1\mathsf {FE}}_1$ scheme, we get $\mathsf {1\mathsf {FE}}_1.\mathsf {Dec}(\mathsf {SK}_\mathsf {ReRand}, \mathsf {CT}_1) = \left( \mathsf {CT}_{\mathsf {sym},1}, \mathsf {CT}_{\mathsf {st},1}\right) $ as output.
2.
For $i\in [2,\vert \mathbf {w}\vert ]$, since $\mathsf {CT}_i$ encodes $\mathsf{Trap}$ with $\mathsf{Trap}.\mathsf{mode}\text {-}\mathsf{real}=1$, hence by the correctness of the $\mathsf {1\mathsf {FE}}_1$ scheme, we get $\mathsf {1\mathsf {FE}}_1.\mathsf {Dec}(\mathsf {SK}_\mathsf {ReRand}, \mathsf {CT}_{i}) = \left( \mathsf {CT}_{\mathsf {sym},{i}}, \bot \right) $ as the correct output.

The new sequence of $\mathsf {1\mathsf {FE}}_2$ ciphertexts output by $\mathsf {ReRand}$ are now sequenced as $\big ((\mathsf {CT}_{\mathsf {sym},1}, \mathsf {CT}_{\mathsf {st},1}),$ $\mathsf {CT}_{\mathsf {sym},2},\ldots ,\mathsf {CT}_{\mathsf {sym},|\mathbf {w}|} \big )$. The $\mathsf {1\mathsf {FE}}_2$ scheme supports the functionality . Throughout the $\mathsf {1\mathsf {FE}}_2$ decryption, we maintain the invariant that at any time step t, apart from a secret key $\mathsf {SK}_\mathsf {Next}$, the input to the $\mathsf {1\mathsf {FE}}_2.\mathsf {Dec}$ algorithm is an entire $\mathsf {1\mathsf {FE}}_2$ ciphertext decomposed into two components corresponding to a symbol and a state ciphertext both of which are computed with the same randomness, which is computed as $\mathsf {F}.\mathsf {Eval}(\mathsf {K}_0, (t\Vert \mathsf{salt}))$^{Footnote 6}.

We show that given a secret key $\mathsf {SK}_\mathsf {Next}$ and the sequence of ciphertexts $\big ((\mathsf {CT}_{\mathsf {sym},1}, \mathsf {CT}_{\mathsf {st},1}),$ $\mathsf {CT}_{\mathsf {sym},2},\ldots ,\mathsf {CT}_{\mathsf {sym},|\mathbf {w}|} \big )$ generated from the outputs of the $\mathsf {1\mathsf {FE}}_1.\mathsf {Dec}$ algorithm, $\mathsf {1\mathsf {FE}}_2.\mathsf {Dec}$ correctly computes the decomposed ciphertext components of a symbol and a state that occur along the computation path and finally outputs the value of machine M on the sequenced input. Define $\tau =\mathsf {runtime}(M,\mathbf {w})$. Formally, by the correctness of $\mathsf {1\mathsf {FE}}_2$ scheme, at any time step $t\in [\tau -2]$, $\mathsf {1\mathsf {FE}}_2.\mathsf {Dec}(\mathsf {SK}_\mathsf {Next},\left( \mathsf {CT}_{\mathsf {sym},{t}}, \mathsf {CT}_{\mathsf {st},{t}}\right) )$ correctly outputs either $(\mathsf {CT}_{\mathsf {sym},t'},\mathsf {CT}_{\mathsf {st},t+1})$ with $t < t' \le \tau -1$. Further, for any time step $t\in [\tau -2]$, we have:

1.
Let $t\in [\tau -2]\setminus [\ell ]$. If the current work tape cell was accessed^{Footnote 7}, at some time step $ \tilde{t} < t$, then $\mathsf {CT}_{\mathsf {sym},t}$ encoding $(\mathsf {SYM}, \mathsf{key}\text {-}\mathsf{id}, \mathsf {K}_{t+1}, t, \ell , \sigma _t, \mathsf{Trap})$ was constructed at time step $\tilde{t}$. Note that $\sigma _t$ may be the blank symbol $\beta $. When $t\in [\ell ]$, $\mathsf {CT}_{\mathsf {sym}, t}$ is constructed at time step t via the $\mathsf {ReRand}$ circuit.
2.
The ciphertext component ${\mathsf {CT}}_{\mathsf {st},t} $ encoding $(\mathsf {ST}, \mathsf {q}_{t})$ at time step t was constructed at time step $t-1$ for $t>1$ and at time step 1, when $t=1$.
3.
The randomness $r_t = \mathsf {F}.\mathsf {Eval}(\mathsf {K}_{\tilde{t}+1},(t\Vert \mathsf{salt})) = \mathsf {F}.\mathsf {Eval}(\mathsf {K}_t,(t\Vert \mathsf{salt}))$ binds the components $\mathsf {CT}_{\mathsf {sym}, t }$ and $\mathsf {CT}_{\mathsf {st}, t }$.

Thus, at any given time step $t\in [\tau -2]$, we have a complete ciphertext of $\mathsf {1\mathsf {FE}}_2$ which may be fed again with $\mathsf {SK}_\mathsf {Next}$ to $\mathsf {1\mathsf {FE}}_2.\mathsf {Dec}$ in order to proceed with the computation. Thus, the execution of $\mathsf {1\mathsf {FE}}_2.\mathsf {Dec}$ at the $(\tau -2)^\text {th}$ time step provides the complete pair $(\mathsf {CT}_{\mathsf {sym}, \tau -1},\mathsf {CT}_{\mathsf {st}, \tau -1})$. By the correctness of $\mathsf {1\mathsf {FE}}_2$ scheme again, at time step $t = \tau -1$, invoking $\mathsf {1\mathsf {FE}}_2.\mathsf {Dec}(\mathsf {SK}_\mathsf {Next},(\mathsf {CT}_{\mathsf {sym}, \tau \mathsf -1},\mathsf {CT}_{\mathsf {st}, \tau \mathsf -1}))$ outputs either “Accept” or“Reject” by simulating the execution of M for the final time step $\tau $ inside the function $\mathsf {Next}$, thus correctly outputting $M(\mathbf {w})$.

Efficiency. The $\mathsf {TMFE}$ construction described above inherits its efficiency from the underlying $\mathsf {CktFE}$ constructions. Note that the ciphertext is compact and is of size ${{\mathrm{poly}}}(\lambda ,\vert \mathbf {w}\vert )$. Also, the running time of the decryption procedure is input specific since it mimics the computation of M on $\mathbf {w}$ using secret key encoding M and ciphertext encoding all the intermediate states of the computation. Additionally, the public parameters are short ${{\mathrm{poly}}}(\lambda )$, since these are just the public parameters of a compact $\mathsf {CktFE}$ scheme. The function keys are also short, since they are $\mathsf {CktFE}$ function keys for circuits $\mathsf {ReRand}$ and $\mathsf {Next}$ which are of size ${{\mathrm{poly}}}(\lambda )$ and ${{\mathrm{poly}}}(|M|,\lambda )$ respectively.

3.3 Proof of Security for Single Input $\mathsf {TMFE}$

Next, we prove that the above $\mathsf {TMFE}$ scheme satisfies distributional indistinguishability ($\mathsf {DI}$) for single (or constant) length outputs, as long as the underlying $\mathsf {CktFE}$ scheme satisfies distributional indistinguishability for any output length. In the full version [1], we provide an instantiation of a $\mathsf {CktFE}$ scheme satisfying distributional indistinguishability.

Theorem 1

Assume that the functional encryption schemes for circuits $\mathsf {1\mathsf {FE}}_1$ and $\mathsf {1\mathsf {FE}}_2$ are $\mathsf {DI}$ secure and that $\mathsf{F}$ is a secure $\mathsf{cPRF}$ for the function family defined above. Then, the construction of functional encryption for Turing machines $\mathsf {TMFE}$ is selective $\mathsf {DI}$ secure for single bit outputs.

The Trapdoor Data Structure. To implement the approach discussed in Sect. 1, we will make use of a data-structure $\mathsf{Trap}$ that lets us store all the requisite trapdoor information needed for the security proof within the ciphertext. In our construction, decryption of a particular input by a particular function key results in a chain of ciphertexts, each of which contain the trapdoor data structure. In the real world, this information is not used but as we progress through the proof, different fields become relevant. The data structure is outlined in Fig. 6.

Row 1. Above, $\mathsf{key}\text {-}\mathsf{id}$ refers to the particular function key being considered and we switch the execution chain from $b=0$ to $b=1$ key by key. All the ciphertexts in a given execution chain share the $\mathsf{key}\text {-}\mathsf{id}$ value. We assume a lexicographic order on the $\mathsf{key}\text {-}\mathsf{id}$ fields, this can be easily ensured by having a counter as part of the $\mathsf{key}\text {-}\mathsf{id}$ field. We do not make this explicit below for notational brevity. If $\mathsf{key}\text {-}\mathsf{id}^*$ is the key identity programmed in a particular execution chain, then all keys with values smaller than $\mathsf{key}\text {-}\mathsf{id}^*$ will decrypt the chain using the input bit $b=1$, and all keys with values larger than $\mathsf{key}\text {-}\mathsf{id}^*$ will use $b=0$. Hence, the $\mathsf {1\mathsf {FE}}_1$ ciphertexts provided by the encryptor must encode messages corresponding to both values of b, the fields $\mathsf{val}_0$ and $\mathsf{val}_1$ are designed for this purpose^{Footnote 8}. Note that $\mathsf {1\mathsf {FE}}_2$ ciphertexts computed by decryption need not track messages corresponding to both values of b, since the “chain is extended” via decryption corresponding to exactly one of $b=0$ or $b=1$ depending on the relation between the key identities in the ciphertext and the function key. The field $\mathsf {SKE}.\mathsf {K}$ refers to the key of a symmetric key encryption scheme, which is used to decrypt some encrypted value embedded in the function key. This is a standard trick when the key must hide something in the public key setting. The flag $\mathsf{mode}\text {-}\mathsf{real}$ means the scheme operates in the real world mode and the trapdoor information is not used.
Rows 2 and 3. The fields ${\mathsf{Target}}\; \mathsf {TS}_1$ and ${\mathsf{Target}}\; \mathsf {TS}_2$ refer to the time steps corresponding to the “broken link” in the decryption chain, namely the two time steps for which the ciphertext and function key are being programmed so as to switch from $b=0$ to $b=1$. The fields $\mathsf{Sym}\;\mathsf {TS}_1$ and $\mathsf {ST}\;\mathsf {TS}_1$ are the time steps when the symbol and state ciphertexts for time step ${\mathsf{Target}}\; \mathsf {TS}_1$ are generated; for instance $\mathsf {ST}\;\mathsf {TS}_1 = {\mathsf{Target}}\; \mathsf {TS}_1 -1$ since the state ciphertext for a given time step is always generated in the previous time step, while the symbol ciphertext for a given time step may be generated much earlier. $\mathsf{Sym}\;\mathsf {TS}_2$ and $\mathsf {ST}\;\mathsf {TS}_2$ are defined analogously. The fields $\mathsf{Sym}\;\mathsf{val}_1$ and $\mathsf {ST}\;\mathsf{val}_1$ contain the symbol and state values which will be encrypted in the hybrid at the time steps $\mathsf{Sym}\;\mathsf {TS}_1$ and $\mathsf {ST}\;\mathsf {TS}_1$ when $\mathsf{mode}\text {-}\mathsf{trap}_1$ is set; $\mathsf{Sym}\;\mathsf{val}_2$ and $\mathsf {ST}\;\mathsf{val}_2$ are defined analogously.
Row 4. When $\mathsf{mode}\text {-}\mathsf{trap}_3$ is set, the symbol and state values are set to $\bot $, and the values hard coded in the function key are used for the target time step. In more detail, the function key contains $\mathsf {SKE}$ encryptions of symbol and state ciphertexts corresponding to time step ${\mathsf{Target}}\; \mathsf {TS}$ hard-coded within itself. If $\mathsf{key}\text {-}\mathsf{id}^* = \mathsf{key}\text {-}\mathsf{id}$, where $\mathsf{key}\text {-}\mathsf{id}^*$ is the key identity programmed in a particular execution chain and $\mathsf{key}\text {-}\mathsf{id}$ is the key identity of the function key in question, and $\mathsf{mode}\text {-}\mathsf{trap}_3=1$, then at time steps ${\mathsf {SYM}}\; \mathsf {TS}$ and $\mathsf {ST}\; \mathsf {TS}$ the $\mathsf {SKE}$ secret key in row 1 of the $\mathsf{Trap}$ data structure is used to decrypt the $\mathsf {SKE}$ encryptions and output the encrypted values.

The Hybrids. We now proceed to describe our hybrids. For simplicity we first describe the hybrids for a single function request, for some Turing machine M. We denote by T the time taken by M to run on the challenge messages. Since the proof is very involved, we describe it first for the weak selective game, where the adversary specifies the challenge vectors and machine at the same time. In the full version [1] we discuss how to remove this restriction.

$\mathcal{H}(0)$: This is the real world, when $\mathsf{mode}\text {-}\mathsf{real}=1$ and $\mathsf{mode}\text {-}\mathsf{trap}_1 = \mathsf{mode}\text {-}\mathsf{trap}_2 = \mathsf{mode}\text {-}\mathsf{trap}_3 =\bot $.
$\mathcal{H}(1,1)$: In this world, all ciphertexts (constructed by the encryptor as well as function keys) have $\mathsf{mode}\text {-}\mathsf{real}= \bot $, $\mathsf{mode}\text {-}\mathsf{trap}_1 = 1,\;\mathsf{mode}\text {-}\mathsf{trap}_2=1, \;\mathsf{mode}\text {-}\mathsf{trap}_3 =\bot $. We program the last link in the decryption chain for switching bit b by setting:
$$ {\mathsf{Target}}\; \mathsf {TS}_1 = T-1, {\mathsf{Target}}\; \mathsf {TS}_2 = T-2 $$
The fields $\mathsf{Sym}\;\mathsf {TS}_1$ and $\mathsf {ST}\;\mathsf {TS}_1$ contain the time steps when the symbol and state ciphertext pieces are generated for time step $T-1$, and the fields $\mathsf{Sym}\;\mathsf{val}_1$ and $\mathsf {ST}\;\mathsf{val}_1$ contain the symbol and state values which must be encrypted by the function key in the above time steps when $\mathsf{mode}\text {-}\mathsf{trap}_1$ is set. Note that these fields exactly mimic the behaviour in the real world, namely the time steps and values are set to be exactly what the real world decryption would output. The fields corresponding to $\mathsf {TS}_2$ are defined analogously.

Indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_1$, since the decryption values in both hybrids are exactly the same.
$\mathcal{H}(1,2)$: Hardwire the key with an $\mathsf {SKE}$ encryption of symbol and state ciphertexts output at step $T-1$ for $b=0$. Use the same ciphertexts as would be generated in the previous hybrid.

Indistinguishability follows from security of $\mathsf {SKE}$, since the only difference is the value of the message encrypted using $\mathsf {SKE}$ which is embedded in the key.
$\mathcal{H}(1,3)$: Set $\mathsf{mode}\text {-}\mathsf{trap}_1 = \bot $, $\mathsf{mode}\text {-}\mathsf{trap}_2=1$, $\mathsf{mode}\text {-}\mathsf{trap}_3 = 1$ and ${\mathsf{Target}}\; \mathsf {TS}= T-1$. In this hybrid the hardwired value in the key is used to be output as step $T-1$ ciphertext.

Indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_1$, since the decryption values in both hybrids are exactly the same.
$\mathcal{H}(1,4)$: Change normal root key $\mathsf {K}_0$ to punctured root key $\mathsf {K}^{T-1}_0$ which punctures all delegated keys at point $(T-1\Vert \mathsf{key}\text {-}\mathsf{id})$.

Indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_1$. Note that we evaluate the $\mathsf{cPRF}$ at point $(T-1\Vert \mathsf{key}\text {-}\mathsf{id})$ only to construct the $\mathsf {1\mathsf {FE}}_2$ ciphertext output at time step $T-1$ identified with $\mathsf{key}\text {-}\mathsf{id}$. This ciphertext is currently hardwired in the function key, and is computed exactly the same way in both hybrids. Thus, the $\mathsf{cPRF}$ key is only required to compute randomness of points $\ne (T-1\Vert \mathsf{key}\text {-}\mathsf{id})$, for which the punctured key suffices, and which moreover evaluates to the same value as the normal key on all such points. Hence, we have that the decryption values in both hybrids are exactly the same. Note that the punctured key is not used to evaluate on the punctured points.
$\mathcal{H}(1,5)$: Switch the randomness in the $\mathsf {1\mathsf {FE}}_2$ ciphertexts for time step $T-1$ which are hardwired in the key to true randomness.

Indistinguishability follows from security of punctured $\mathsf{cPRF}$ for the aforementioned function family, since the remainder of the distribution only uses the punctured key.
$\mathcal{H}(1,6)$: Switch the value encoded in the $\mathsf {1\mathsf {FE}}_2$ ciphertexts for time step $T-1$ which are hardwired in the key to correspond to $b=1$.

Indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_2$. Formally, we do a reduction which plays the security game against the $\mathsf {1\mathsf {FE}}_2$ challenger and simulates the $\mathsf {TMFE}$ adversary. The reduction simulates $\mathsf {1\mathsf {FE}}_1$ itself and receives the $\mathsf {1\mathsf {FE}}_2$ public and function keys from the challenger. The only difference between the two hybrids is the $\mathsf {1\mathsf {FE}}_2$ ciphertext for time step $T-1$ which is embedded in the function key as received from the $\mathsf {1\mathsf {FE}}_2$ challenger.
$\mathcal{H}(1,7)$: Switch randomness back to PRF randomness in the ciphertext hardwired in key, using the punctured key for all but the hardwired ciphertext.

Indistinguishability follows from security of $\mathsf{cPRF}$ as discussed above.
$\mathcal{H}(1,8)$: Switch the punctured root key to the normal root key.

Indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_1$ as discussed above.
$\mathcal{H}(2,1)$: Switch ciphertext in slot 1 for target $T-1$ to be for $b=1$. Slot 2 remains $b=0$. Set $\mathsf{mode}\text {-}\mathsf{trap}_3 = \bot $ and $\mathsf{mode}\text {-}\mathsf{trap}_1 = \mathsf{mode}\text {-}\mathsf{trap}_2 =1$.

Indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_1$, since the decryption values in both hybrids are exactly the same.
$\mathcal{H}(2,2)$: Hardwire key with $\mathsf {SKE}$ encryption of $\mathsf {1\mathsf {FE}}_2$ ciphertext for time step $T-2$ and bit $b=0$ (same as hybrid (1, 2) but for $T-2$).

Indistinguishability follows from security of $\mathsf {SKE}$ as above.
$\mathcal{H}(2,3)$: Set $\mathsf{mode}\text {-}\mathsf{trap}_1=1$ with target $T-1$, $\mathsf{mode}\text {-}\mathsf{trap}_2 = \bot $, and $\mathsf{mode}\text {-}\mathsf{trap}_3 =1 $ with target $T-2$.

Indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_1$, since the decryption values in both hybrids are exactly the same.
$\mathcal{H}(2,4)$: Switch normal root key to punctured key at point $(T-2\Vert \mathsf{key}\text {-}\mathsf{id})$.

Indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_1$ as discussed above.
$\mathcal{H}(2,5)$: Switch randomness to true in the ciphertext hardwired in key.

Indistinguishability follows from security of $\mathsf{cPRF}$ as discussed above.
$\mathcal{H}(2,6)$: Switch hardwired $\mathsf {1\mathsf {FE}}_2$ ciphertext for step $T-2$ to correspond to bit $b=1$.

Indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_2$.
$\mathcal{H}(2,7)$: Switch randomness back to use the $\mathsf{PRF}$ in the ciphertext hardwired in key.

Indistinguishability follows from security of $\mathsf{cPRF}$ as discussed above.
$\mathcal{H}(2,8)$: Switch punctured root key to normal root key.

Indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_1$ as discussed above.
$\mathcal{H}(3,1)$: Intuitively, we slide the trapdoor left by one step, i.e. change target time-steps to $T-2$ and $T-3$ in the ciphertext. Now slot 1 for $T-2$ corresponds to $b=1$ and slot 2 for $T-3$ to $b=0$. Set $\mathsf{mode}\text {-}\mathsf{real}= \mathsf{mode}\text {-}\mathsf{trap}_3 = \bot $ and $\mathsf{mode}\text {-}\mathsf{trap}_1 = \mathsf{mode}\text {-}\mathsf{trap}_2 =1$.

Indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_1$, since the decryption values in both hybrids are exactly the same. Note that now slot $T-1$ is redundant, since $T-2$ ciphertext is already switched to $b=1$.

Hybrid $\mathcal{H}(3,i)$ will be analogous to $\mathcal{H}(2,i)$ for $i \in [8]$.

As we proceed left in the execution chain one step at a time, we reach step $\ell $ where $\ell = |\mathbf {w}|$, i.e. time steps for which $\mathsf {1\mathsf {FE}}_1$ ciphertexts are provided by the encryptor. At this point we will hardwire the $\mathsf {ReRand}$ key with symbol ciphertexts for $\ell $ time steps, one at a time, and the $\mathsf {Next}$ key for the state ciphertexts^{Footnote 9}. Moreover, we must now add an additional hybrid in which the challenge $\mathsf {1\mathsf {FE}}_1$ ciphertext at position $\ell $ contains the message bit corresponding to $b=1$; intuitively, we must switch the bit before we slide the trapdoor since the ciphertext for this position is not generated by decrypting the previous ciphertext. In more detail, in $\mathcal{H}(T-\ell ,8)$, analogously to hybrid (1, 8), the $T-(T-\ell ) = \ell ^{th}$ bit hard-wired in the trapdoor is changed to 1. We now add one more hybrid, namely:
$\mathcal{H}(T-\ell ,9):$ In this hybrid, we modify the $\mathsf {1\mathsf {FE}}_1$ challenge ciphertext in position $\ell $ as follows: the encoded message is changed corresponding to $b=1$ and flag $\mathsf{mode}\text {-}\mathsf{real}=1$. The other flags $\mathsf{mode}\text {-}\mathsf{trap}_1 = \mathsf{mode}\text {-}\mathsf{trap}_2 = \mathsf{mode}\text {-}\mathsf{trap}_3 =\bot $.

Note that all ciphertexts previous to time step $\ell $ remain unchanged, and output their corresponding symbol ciphertexts correctly. The $\mathsf {Next}$ circuit outputs the state ciphertext for time step $\ell $ corresponding to bit $b=1$. The only difference between this hybrid and the previous one is that here we use the real mode to output the symbol ciphertext for $b=1$ whereas previously we used the trapdoor mode to output the same symbol ciphertext. Hence, decryption values in both hybrids are exactly the same, and indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_1$.

Finally in $\mathcal{H}(T-1,9)$, the entire chain has been replaced to use $b=1$ and all the challenge $\mathsf {1\mathsf {FE}}_1$ ciphertexts have encoded messages corresponding to $b=1$ with $\mathsf{mode}\text {-}\mathsf{real}=1$.
$\mathcal{H}(T)$: In this hybrid, all the other fields in the trapdoor data structure, excepting $\mathsf{mode}\text {-}\mathsf{real}$ are disabled and set to $\bot $. This is the real world with $b=1$.

Since all the encoded messages use $b=1$, decryption values are all exactly the same as in $\mathcal{H}(T-1,9)$, hence indistinguishability follows from security of $\mathsf {1\mathsf {FE}}_1$.

The formal reductions are provided in the full version [1].

Multiple Keys. We handle multiple keys by repeating the above set of hybrids key by key. Each key carries within it an identifier $\mathsf{key}\text {-}\mathsf{id}$, and if this is less than the key identifier encoded in the ciphertext, the bit $b=1$ is used, if it is greater then the bit $b=0$ is used and if it is equal, then the above sequence of hybrids is performed to switch from $b=0$ to $b=1$. To support this, the $\mathsf {1\mathsf {FE}}_1$ ciphertexts provided by the encryptor must encode messages corresponding to both values of b, the fields $\mathsf{val}_0$ and $\mathsf{val}_1$ in the trapdoor data structure of Fig. 6 are provided for this purpose. Security follows by a standard hybrid argument as in [5], we defer the formal description to the full version of the paper [1].

3.4 Constructing the $\mathsf{cPRF}$

In the full version [1], we provide a construction for a $\mathsf{cPRF}$ $\mathsf {F}$ which supports puncturing and delegation as required; the T $\mathsf{cPRF}$s $\mathsf {F}_i$ for $i \in [T]$ may each be constructed similarly. To begin, note that we require the root key of $\mathsf {F}$ to be punctured at a point $i^*$ (say). The cPRF construction for punctured PRF [17, 18, 36] (which is in turn inherited from the standard PRG based GGM [32]) immediately satisfies this constraint, so we are left with the question of delegation.

Recall that we are required to delegate T times, where T is the (polynomial) runtime of the Turing machine on the encrypted input (please see preliminaries in [1]), and the $j^{th}$ delegated key must support evaluation of points $\{(k\Vert z): z \in \{0,1\}^\lambda \}$ for $k \ge j$, except when $(k\Vert z)=i^*$. This may be viewed as the $j^{th}$ key being punctured on points $[1,j-1]\cup i^*$. We show that the GGM based construction for puncturing a single point can be extended to puncturing an interval (plus an extra point). Intuitively, puncturing an interval corresponds to puncturing at most $\lambda $ internal nodes in the GGM tree. In more detail, we show that regardless of the value of j, it suffices to puncture at most $\lambda $ points in the GGM tree to achieve puncturing of the entire interval $[1,j-1]$. Please see the full version [1] for details.

4 Construction: Multi-input FE for Turing Machines

In this section we construct a multi-input functional encryption scheme for Turing machines. Our construction supports a fixed number of encryptors (say k), who may each encrypt a string $\mathbf {w}_i$ of unbounded length. Function keys may be provided for Turing machines, so that given k ciphertexts for $\mathbf {w}_i$ and a function key for TM M, decryption reveals $M(\mathbf {w}_1\Vert \ldots \Vert \mathbf {w}_k)$ and nothing else. We use the following ingredients for our construction:

1.
A compact, k-input functional encryption scheme for circuits, $\mathsf {k}\mathsf {FE}$ and a compact, public-key functional encryption scheme $\mathsf {1\mathsf {FE}}$. As before, we will assume that the scheme $\mathsf {1\mathsf {FE}}$ is decomposable as defined in the preliminaries.
2.
A symmetric encryption scheme $\mathsf {SKE}= (\mathsf {SKE}.\mathsf{KeyGen},\mathsf {SKE}.\mathsf {Enc},\mathsf {SKE}.\mathsf {Dec})$.
3.
A delegatable constrained pseudorandom function ($\mathsf{cPRF}$), denoted by $\mathsf {F}$ which supports T delegations for the function family $f_t :\{0,1\}^{(k+2) \cdot \lambda } \rightarrow \{0,1\}$ defined as follows. Let x, t denote integers whose binary representations are $\mathbf {x}, {\mathbf {t}}$ of $\lambda $ bits. Then,
$$\begin{aligned} f_{t}(\mathbf {x}\Vert \mathbf {z})&= 1, \text {if} \;\; x \ge t \text { and } 0 \text { otherwise} \end{aligned}$$

The functionalities supported by $\mathsf {k}\mathsf {FE}$ and $\mathsf {1\mathsf {FE}}$ are called $\mathsf {Agg}$ and $\mathsf {Next}$ respectively, described next. $\mathsf {Agg}$ aggregates the inputs $\mathbf {w}_1,\ldots ,\mathbf {w}_k$ of all k parties into one long “global” string $(\mathbf {w}_1\Vert \ldots \Vert \mathbf {w}_k)$, encrypted under the scheme $\mathsf {1\mathsf {FE}}$. Since the length of this aggregate string is unbounded, a single invocation of $\mathsf {Agg}$ produces an encryption of a single symbol in the string, and the function is invoked repeatedly to produce ciphertexts for the entire string. Each ciphertext output by the $\mathsf {Agg}$ scheme contains a symbol $w_i$ as well as the position of the symbol within the global string. The encryption of the symbols (and the initial state) also contains a global salt which $\mathsf {Agg}$ computes from the random salts provided in the ciphertexts under the $\mathsf {k}\mathsf {FE}$ scheme by the individual encryptors. The global salt identifies the particular input combination that is aggregated, and serves as input to the PRF in the $\mathsf {Next}$ functionality.

Our k-input $\mathsf {CktFE}$ scheme may be either private or public key, and will result in the corresponding notion for k-input $\mathsf {TMFE}$. Since the multi input setting for $\mathsf {FE}$ is considered more interesting in the symmetric key setting (see [19] for a discussion), we present our construction in the symmetric key setting – the public key adaptation is straightforward.

We note that ciphertexts output by $\mathsf {Agg}$, which are encryptions of the symbols in the aggregate string under the $\mathsf {1\mathsf {FE}}$ scheme, are exactly the same as the output of the $\mathsf {ReRand}$ function in the single input scheme of Sect. 3. Therefore, as before, we may have the functionality $\mathsf {Next}$ of the $\mathsf {1\mathsf {FE}}$ scheme mimic the computation of the Turing machine on the global string $(\mathbf {w}_1\Vert \ldots \Vert \mathbf {w}_k)$. As in the previous construction, $\mathsf {1\mathsf {FE}}.\mathsf {Dec}$ accepts as its inputs a ciphertext decomposed into two components encoding the current symbol on the worktape and the current state in the computation, both of which have been encrypted using the same randomness, and outputs a ciphertext component corresponding to the symbol written on the tape, as well as the next state. The global salt in the ciphertext, along with a random nonce chosen by $\mathsf{KeyGen}$ are used as input to a cPRF as before, to compute the randomness used to generate ciphertexts. This ensures that the execution of a given machine on a given input combination is maintained separate from any other execution, and thwarts “mix and match” attacks, where, for instance, an attacker may try to combine a state generated at some time step t in one execution with a symbol generated at time step t from a different execution.

If we instantiate the underlying multi-input $\mathsf {CktFE}$ by the construction of [40], we may let the arity k be poly-logarithmic in the security parameter. If we instantiate multi-input $\mathsf {CktFE}$ by the construction of [33], we may support fixed polynomial arity at the cost of worsening the assumption. Note that [33] rely on $\mathsf {iO}$ while [40] rely on compact $\mathsf {FE}$. Note that [10] support unbounded polynomial arity, but from public coin $\mathsf{DiO}$ as discussed in Sect. 1.

4.1 Construction of Multi-input $\mathsf {TMFE}$

In the following, we denote a k-input, private-key $\mathsf {CktFE}$ scheme by k-$\mathsf {CktFE}$ and a decomposable, public key $\mathsf {CktFE}$ scheme by $\mathsf {1\mathsf {FE}}$. Since our scheme supports an a-priori fixed number of parties, say k, we assume that every user is pre-assigned an index $\mathsf{ind}\in [k]$.

$\mathsf {kTMFE.Setup}(1^\lambda ,1^{k})$: Upon input the security parameter $1^\lambda $ and the bound $1^k$, do the following:
1. 1.
  Choosing the functionality for $\mathsf {1\mathsf {FE}}$. Let $\mathsf {1\mathsf {FE}}$ be a decomposable, public-key $\mathsf {CktFE}$ for the following circuit family.
  The tokens $\mathsf {SYM}$ and $\mathsf {ST}$ are flags denoting a symbol and a state respectively of a Turing machine M which has $\varSigma $ and $\mathcal{Q}$ as the alphabet and state space respectively. The set $\{0,1\}^{(k+4)\lambda }$ encodes in order, a random value $\mathsf{key}\text {-}\mathsf{id}$ associated with a TM M, a constrained PRF key, the current time step in the computation, the length of the input string, each of $\lambda $ bits and a string of length $k\!\cdot \!\lambda $ bits encoding a random value $\mathsf{gsalt}$. Here, $\mathsf{Trap}$ is a data structure of fixed polynomial length which will be used in the proof. Since we do not need it in the construction, we do not discuss it here, please see the full version [1] for its definition. The set $\{0,1\}^{k\cdot \lambda }$ encodes again a random value $\mathsf{gsalt}$ associated with the message component for state. $\mathcal{C}^\mathsf{{1\mathsf {FE}}}$ is the ciphertext space of $\mathsf {1\mathsf {FE}}$. $\mathsf {ACC}$ and $\mathsf {REJ}$ denote tokens when M reaches an accepting state and a rejecting state respectively.
2. 2.
  Choosing the functionality for $\mathsf {k}\mathsf {FE}$. Let $\mathsf {k}\mathsf {FE}$ be a k-$\mathsf {CktFE}$ for the following circuit family.
  $${\mathsf {Agg}:(\{\mathsf {SYM},\mathsf {SP}\} \times \{0,1\}^{4\lambda } \times [k]\times \varSigma \times \mathsf{Trap})^k \rightarrow \mathcal{C}^\mathsf{{1\mathsf {FE}}} \times \left( \mathcal{C}^\mathsf{{1\mathsf {FE}}}\cup \{\bot \}\right) } $$
  The special token $\mathsf {SP}$ denotes an encryption of the length of an input string corresponding to any user. The set $\{0,1\}^{4\lambda }$ encodes in order, a constrained PRF key, the time step of the current symbol, the input length and a random salt each of $\lambda $ bits. $\varSigma , \mathsf{Trap}$ and $\mathcal{C}^\mathsf{{1\mathsf {FE}}}$ are as described above.
3. 3.
  Choosing keys for $\mathsf {k}\mathsf {FE}$ and $\mathsf {1\mathsf {FE}}$.
  $$\text {Let }\mathsf {k}\mathsf {FE}.\mathsf {MSK}\!\leftarrow \! \mathsf {k}\mathsf {FE}.\mathsf {Setup}(1^\lambda ,1^ k ), \left( \mathsf {1\mathsf {FE}}.\mathsf {PK}, \mathsf {1\mathsf {FE}}.\mathsf {MSK}\right) \!\leftarrow \! \mathsf {1\mathsf {FE}}.\mathsf {Setup}(1^\lambda ,1^ k\mathsf )$$
4. 4.
  Output $\mathsf {MSK}= \left( \mathsf {k}\mathsf {FE}.\mathsf {MSK},\left( \mathsf {1\mathsf {FE}}.\mathsf {PK},\mathsf {1\mathsf {FE}}.\mathsf {MSK}\right) \right) $.
$\mathsf {kTMFE.Enc}(\mathsf {MSK}, \mathbf {w}_{\mathsf{ind}}, \mathsf{ind})$: Upon input the master key $\mathsf {MSK}$, and message $\mathbf {w}_{\mathsf{ind}}$ of arbitrary length $\ell _\mathsf{ind}$ and an index $\mathsf{ind}\in [k]$, do the following:
1. 1.
  Interpret the input $\mathsf {MSK}= \left( \mathsf {k}\mathsf {FE}.\mathsf {MSK},\left( \mathsf {1\mathsf {FE}}.\mathsf {PK},\mathsf {1\mathsf {FE}}.\mathsf {MSK}\right) \right) $.
2. 2.
  Let $\mathbf {w}_\mathsf{ind}= w_1w_2\ldots w_{\ell _\mathsf{ind}}$. Sample $\mathsf{salt}_\mathsf{ind}\leftarrow \{0,1\}^\lambda $.
3. 3.
  Construct the data structure $\mathsf{Trap}$ and set all its fields to $\bot $ except a flag which indicates that we are in the real world. The data structure $\mathsf{Trap}$ is only relevant in the proof. Please see [1] for the definition of $\mathsf{Trap}$.
- Encoding Input String and Its Length
1. 4.
  If $\mathsf{ind}=1$, do the following:
  1. (a)
    Sample a root key for the constrained PRF $\mathsf {F}$ as $\mathsf {K}_0 \leftarrow \mathsf {F}.\mathsf {Setup}(1^\lambda )$.
  2. (b)
    Construct the input message $\mathsf {len}_1 = (\mathsf {SP},\mathsf {K}_0,\bot ,\ell _1,\mathsf{salt}_1,1,\bot ,\mathsf{Trap})$.
  3. (c)
    Encrypt $\ell _1$ as a special ciphertext $\mathsf {CT}_{1,\mathsf {SP}} = \mathsf {k}\mathsf {FE}.\mathsf {Enc}(\mathsf {k}\mathsf {FE}.\mathsf {MSK},\mathsf {len})$.
  4. (d)
    For $i\in [\ell _1]$ do the following:
    1. i.
      Construct the input message $\mathbf {y}_{1,i} = (\mathsf {SYM}, \mathsf {K}_0, i, \ell _1,\mathsf{salt}_1,1,w_i,$ $\mathsf{Trap})$.
    2. ii.
      Compute the ciphertext $\mathsf {CT}_{1,\mathsf {SYM},i} = \mathsf {k}\mathsf {FE}.\mathsf {Enc}(\mathsf {k}\mathsf {FE}.\mathsf {MSK}, \mathbf {y}_i)$.
2. 5.
  If $\mathsf{ind}\in [2,k]$, do the following:
  1. (a)
    Construct the input message $\mathsf {len}_\mathsf{ind}= (\mathsf {SP}, \bot ,\bot ,\ell _\mathsf{ind},\mathsf{salt}_\mathsf{ind},\mathsf{ind},\bot ,$ $\mathsf{Trap})$.
  2. (b)
    Encrypt $\ell _\mathsf{ind}$ as a special ciphertext $\mathsf {CT}_{\mathsf{ind},\mathsf {SP}} = \mathsf {k}\mathsf {FE}.\mathsf {Enc}(\mathsf {k}\mathsf {FE}.\mathsf {MSK},$ $\mathsf {len})$.
  3. (c)
    For $i\in [\ell _\mathsf{ind}]$ do the following:
    1. i.
      Construct the input message $\mathbf {y}_{\mathsf{ind},i} = (\mathsf {SYM},\bot ,i,\ell _\mathsf{ind},\mathsf{salt}_\mathsf{ind},$ $\mathsf{ind},w_i,\mathsf{Trap})$.
    2. ii.
      Compute the ciphertext $\mathsf {CT}_{\mathsf{ind},\mathsf {SYM},i} = \mathsf {k}\mathsf {FE}.\mathsf {Enc}(\mathsf {k}\mathsf {FE}.\mathsf {MSK}, \mathbf {y}_i)$.
3. 6.
  Output $\mathsf {CT}_{\mathbf {w}_\mathsf{ind}}=\left( \mathsf {CT}_{\mathsf{ind},\mathsf {SP}},\{\mathsf {CT}_{\mathsf{ind},\mathsf {SYM},i}\}_{i\in [\ell _\mathsf{ind}]} \right) $.
$\mathsf {kTMFE.KeyGen}(\mathsf {MSK}, M\mathsf )$: Upon input the master secret key $\mathsf {MSK}$ and the description of a Turing machine M, do the following. We will assume, w.l.o.g. that the TM is oblivious (see [1] for a justification) and $\mathsf {q}_\mathsf {st}\in \mathcal{Q}$ is the start state of M.
1. 1.
  Sample a random value $\mathsf {rand}\leftarrow \{0,1\}^\lambda $.
2. 2.
  Interpret $\mathsf {MSK}= \left( \mathsf {k}\mathsf {FE}.\mathsf {MSK},\left( \mathsf {1\mathsf {FE}}.\mathsf {PK},\mathsf {1\mathsf {FE}}.\mathsf {MSK}\right) \right) $.
3. 3.
  Let $\mathsf {SK}_\mathsf {Agg}= \mathsf {k}\mathsf {FE}.\mathsf{KeyGen}(\mathsf {k}\mathsf {FE}.\mathsf {MSK},\mathsf {Agg}_\mathsf{{1\mathsf {FE}}.\mathsf {PK},\mathsf {rand},\mathsf {q}_\mathsf {st},\bot ,\bot })$, where Fig. 7 defines the circuit $\mathsf {Agg}_\mathsf{{1\mathsf {FE}}.\mathsf {PK},\mathsf {rand},\mathsf {q}_\mathsf {st},\bot ,\bot }$.
4. 4.
  Let $\mathsf {SK}_\mathsf {Next}= \mathsf {1\mathsf {FE}}.\mathsf{KeyGen}(\mathsf {1\mathsf {FE}}.\mathsf {MSK},\mathsf {Next}_\mathsf{{1\mathsf {FE}}.\mathsf {PK},\mathsf {rand}, M\mathsf ,\bot ,\bot })$, where Fig. 9 defines the circuit $\mathsf {Next}_\mathsf{{1\mathsf {FE}}.\mathsf {PK},\mathsf {rand}, M\mathsf ,\bot ,\bot }$.
5. 5.
  Output the secret key as $\mathsf {SK}_M = (\mathsf {SK}_\mathsf {Agg},\mathsf {SK}_\mathsf {Next})$.
$\mathsf{{kTMFE.Dec}}(\mathsf {SK}_M, \{\mathsf {CT}_{\mathbf {w}_i}\}_{i\in [k]})$: Upon input secret key $\mathsf {SK}_M$ and k ciphertexts $\mathsf {CT}_{\mathbf {w}_1},\ldots ,\mathsf {CT}_{\mathbf {w}_k}$, do the following:
1. 1.
  Interpret the secret key as $\mathsf {SK}_M = (\mathsf {SK}_{\mathsf {Agg}},\mathsf {SK}_\mathsf {Next})$.
2. 2.
  Parse $\mathsf {CT}_{\mathbf {w}_\mathsf{ind}}=\left( \mathsf {CT}_{\mathsf{ind},\mathsf {SP}},(\mathsf {CT}_{\mathsf{ind},\mathsf {SYM},1},\ldots , \mathsf {CT}_{\mathsf{ind},\mathsf {SYM},\ell _\mathsf{ind}}) \right) $ for all $\mathsf{ind}\in [k]$.
- Aggregate the ciphertexts of all users.
1. 3.
  For $i = 1$ to k, do the following:
  1. (a)
    For $j = 1$ to $\ell _i$, do the following:
    1. i.
      If $((i=1) \wedge (j=1))$, invoke $\mathsf {k}\mathsf {FE}.\mathsf {Dec}\left( \mathsf {SK}_{\mathsf {Agg}}, \left( \mathsf {CT}_{1,\mathsf {SYM},1},\right. \right. $ $\left. \left. \{\mathsf {CT}_{n,\mathsf {SP}}\}_{n\in [k]\setminus \{1\}}\right) \right) $ to obtain $(\mathsf {CT}_{\mathsf {sym},1},\mathsf {CT}_{\mathsf {st},1})$.
    2. ii.
      If $((i=1)\wedge (j>1))$, invoke $\mathsf {k}\mathsf {FE}.\mathsf {Dec}\left( \mathsf {SK}_{\mathsf {Agg}}, \left( \mathsf {CT}_{1,\mathsf {SYM},j},\right. \right. $ $\left. \left. \{\mathsf {CT}_{n,\mathsf {SP}}\}_{n\in [k]\setminus \{1\}}\right) \right) $ to obtain $(\mathsf {CT}_{\mathsf {sym}, j },\bot )$.
    3. iii.
      Else, invoke $\mathsf {k}\mathsf {FE}.\mathsf {Dec}\left( \mathsf {SK}_{\mathsf {Agg}}, \left( \mathsf {CT}_{i,\mathsf {SYM},j},\{\mathsf {CT}_{n,\mathsf {SP}}\}_{n\in [k]\setminus \{i\}}\right) \right) $ to obtain $(\mathsf {CT}_{\mathsf {sym}, \widetilde{L_i}+j},\bot )$, where $\widetilde{L_i} = \sum _{m=1}^{i-1}\ell _m$.
- Execute the TM on aggregated input.
1. 4.
  The aggregated sequence of ciphertexts under the $\mathsf {Next}$ scheme, of length $L_k = \sum _{j=1}^{k}\ell _j$ computed above is expressed as:
  
  $\left( (\mathsf {CT}_{\mathsf {sym},1},\mathsf {CT}_{\mathsf {st},1}),\mathsf {CT}_{\mathsf {sym},2},\ldots ,\mathsf {CT}_{\mathsf {sym},\ell _1},\mathsf {CT}_{\mathsf {sym},\ell _1+1},\ldots ,\mathsf {CT}_{\mathsf {sym},L_k}\right) $.
2. 5.
  Let $t=1$. While the Turing machine does not halt, do:
  1. (a)
    Invoke $\mathsf {1\mathsf {FE}}.\mathsf {Dec}\big (\mathsf {SK}_\mathsf {Next},(\mathsf {CT}_{\mathsf {sym},{t}}, \mathsf {CT}_{\mathsf {st},{t}})\big )$ to obtain:
    - $\mathsf {ACC}$ or $\mathsf {REJ}$. In this case, output “Accept” or“Reject” respectively, and exit the loop.
    - $\left( \mathsf {CT}_{\mathsf {sym},t'} , \mathsf {CT}_{\mathsf {st},t+1}\right) $.
    Note that $t'$ is the next time step that the work tape cell accessed at time step t will be accessed again.
  2. (b)
    Let $t=t+1$ and go to start of loop.

4.2 Correctness of Multi-input $\mathsf {TMFE}$

The proof of correctness is split into two parts. In the first part we argue that, given as input the secret key $\mathsf {SK}_{\mathsf {Agg}}$ along with k ciphertexts under the $\mathsf {k}\mathsf {FE}$ scheme, exactly one of which encodes a symbol and the other $(k-1)$ encode the individual input lengths, the $\mathsf {k}\mathsf {FE}.\mathsf {Dec}$ algorithm computes a $\mathsf {1\mathsf {FE}}$ ciphertext component of the symbol with its updated position in the global string. By repeating this process for all symbols encoded by all users, we obtain a sequence of $\mathsf {1\mathsf {FE}}$ ciphertext components, each containing its updated position in the aggregated string. Additionally, each of these ciphertext components contains a global/aggregate salt that is generated from concatenating each individual encryptor’s randomly generated salts. This global salt identifies the particular input combination being aggregated.

Correctness of the second part corresponds to the correct execution of the Turing machine on the aggregate sequence of ciphertexts, and this is exactly the same as in Sect. 3. As before, we maintain the invariant that at any time step t, the input to the $\mathsf {1\mathsf {FE}}.\mathsf {Dec}$ algorithm is a complete $\mathsf {1\mathsf {FE}}$ ciphertext decomposed into two components corresponding to symbol and state (along with additional auxiliary inputs), both computed with the same randomness $\mathsf {F}.\mathsf {Eval}(\mathsf {K}_0,(t\Vert \mathsf {rand}\Vert \mathsf{gsalt}))$.

In more detail, we have the following. Correctness of Aggregation. Formally, let there be k users so that k ciphertexts $\{\mathsf {CT}_{\mathbf {w}_\mathsf{ind}}\}_{\mathsf{ind}\in [k]}$ are given as input to ${\mathsf {kTMFE}}.\mathsf {Dec}$ algorithm. For all $\mathsf{ind}\!\in \![k]$, let $\ell _\mathsf{ind}$ be the length of input string of user $\mathsf{ind}$. Each ciphertext $\mathsf {CT}_{\mathbf {w}_\mathsf{ind}}$ is a sequence $\left( \mathsf {CT}_{\mathsf{ind},\mathsf {SP}},(\mathsf {CT}_{\mathsf{ind},\mathsf {SYM},1},\ldots ,\mathsf {CT}_{\mathsf{ind},\mathsf {SYM},\ell _{\mathsf{ind}}})\right) $ of ciphertexts, where the first component $\mathsf {CT}_{\mathsf{ind},\mathsf {SP}}$ encodes the input string length of user $\mathsf{ind}$ and the second component $\{\mathsf {CT}_{\mathsf{ind},\mathsf {SYM},i}\}_{i\in [\ell _\mathsf{ind}]}$ encodes in order the i-th symbol $w_i$ of the actual input string $\mathbf {w}_\mathsf{ind}= (w_1,w_2,\ldots , w_{\ell _\mathsf{ind}})$ of the same user. These ciphertexts are generated under the $\mathsf {k}\mathsf {FE}$ scheme with the master secret key $\mathsf {k}\mathsf {FE}.\mathsf {MSK}$ which supports a k-input functionality . Therefore, given secret key $\mathsf {SK}_\mathsf {Agg}$, we have:

1.
Invoking $\mathsf {k}\mathsf {FE}.\mathsf {Dec}$ on the ciphertext $\mathsf {CT}_{1,\mathsf {SYM},1}$ encoding the first symbol of $\mathbf {w}_1$ along with the special ciphertexts $\mathsf {CT}_{\mathsf{ind},\mathsf {SP}} $ encoding $\vert \mathbf {w}_\mathsf{ind}\vert $ for $\mathsf{ind}\ne 1$ gives $\left( \mathsf {CT}_{\mathsf {sym},1},\mathsf {CT}_{\mathsf {st},1}\right) $. By correctness of $\mathsf {k}\mathsf {FE}$ decryption, we have: $\mathsf {k}\mathsf {FE}.\mathsf {Dec}\left( \mathsf {SK}_{\mathsf {Agg}}, \left( \mathsf {CT}_{1,\mathsf {SYM},1},\{\mathsf {CT}_{\mathsf{ind},\mathsf {SP}}\}_{\mathsf{ind}\in [k]\setminus \{1\}}\right) \right) = \left( \mathsf {CT}_{\mathsf {sym},1},\mathsf {CT}_{\mathsf {st},1}\right) $.
2.
Invoking $\mathsf {k}\mathsf {FE}.\mathsf {Dec}$ on the ciphertext $\mathsf {CT}_{1,\mathsf {SYM},j}$ encoding the jth symbol of $\mathbf {w}_1$ along with the special ciphertexts $\mathsf {CT}_{\mathsf{ind},\mathsf {SP}} $ encoding $\vert \mathbf {w}_\mathsf{ind}\vert $ for $\mathsf{ind}\ne 1$ gives $\left( \mathsf {CT}_{\mathsf {sym},j},\bot \right) $. By correctness of $\mathsf {k}\mathsf {FE}$ decryption, we have: $\mathsf {k}\mathsf {FE}.\mathsf {Dec}\left( \mathsf {SK}_{\mathsf {Agg}}, \left( \mathsf {CT}_{1,\mathsf {SYM},j},\{\mathsf {CT}_{\mathsf{ind},\mathsf {SP}}\}_{\mathsf{ind}\in [k]\setminus \{1\}}\right) \right) = \left( \mathsf {CT}_{\mathsf {sym},j},\bot \right) $.
3.
Finally, $\forall ~\mathsf{ind}\in [k]\setminus \{1\}$, invoking $\mathsf {k}\mathsf {FE}.\mathsf {Dec}$ on the ciphertext $\mathsf {CT}_{\mathsf{ind},\mathsf {SYM},j}$ encoding the jth symbol of $\mathbf {w}_{\mathsf{ind}}$ along with the special ciphertexts $\mathsf {CT}_{\mathsf{ind}',\mathsf {SP}}$ encoding $\vert \mathbf {w}_{\mathsf{ind}'}\vert $ for $\mathsf{ind}\ne \mathsf{ind}'$ computes the new global position of the symbol in the aggregated string and outputs $\big (\mathsf {CT}_{\mathsf {sym},\widetilde{L_i}+j},\bot \big )$. By correctness of $\mathsf {k}\mathsf {FE}$ decryption, we have: $\mathsf {k}\mathsf {FE}.\mathsf {Dec}\left( \mathsf {SK}_{\mathsf {Agg}}, \left( \mathsf {CT}_{\mathsf{ind},\mathsf {SYM},j},\{\mathsf {CT}_{\mathsf{ind}',\mathsf {SP}}\}_{\mathsf{ind}'\in [k]\setminus \{\mathsf{ind}\}}\right) \right) = \big (\mathsf {CT}_{\mathsf {sym},\widetilde{L_i}+j},\bot \big )$, where $\widetilde{L_i} = \sum _{m=1}^{\mathsf{ind}-1}\ell _m$.

Note that $\mathsf {F}.\mathsf {Eval}(\mathsf {K}_0,(\mathsf {pos}\Vert \mathsf {rand}\Vert \mathsf{gsalt}))$ is the randomness used to compute each of these ciphertext components, where $\mathsf {pos}$ refers to the global position specific to a symbol in the aggregate input string.

Correctness of TM Execution. The $\mathsf {1\mathsf {FE}}$ scheme supports the functionality . Let the newly generated and organized sequence of ciphertexts based on time steps be as follows: $\big (\left( \mathsf {CT}_{\mathsf {sym},1},\mathsf {CT}_{\mathsf {st},1}\right) , \{\mathsf {CT}_{\mathsf {sym}, i }\}_{i\in [2,L_k]}\big )$ with $L_k = \sum _{i=1}^{k}\ell _i$. Let $\mathbf {w}= (w_1,w_2,\ldots ,w_{\ell _1},w_{\ell _1+1},$ $w_{\ell _1+2},\ldots ,w_{\ell _1+\ell _2},\ldots ,w_{L_k})$ be the aggregated input string and define $\tau = \mathsf {runtime}(M,\mathbf {w})$. For any time step $t\in [\tau -2]$, we have

1.
Let $t\in [\tau -2]\setminus [\ell ]$. If the current work tape cell was accessed^{Footnote 10}, at some time step $ \tilde{t} < t$, then $\mathsf {CT}_{\mathsf {sym},t}$ encoding $(\mathsf {SYM},\mathsf{key}\text {-}\mathsf{id},\mathsf {K}_{t+1},t,\ell ,\mathsf{gsalt},\sigma _t,\mathsf{Trap})$ was constructed at time step $\tilde{t}$. Note that $\sigma _t$ may be the blank symbol $\beta $. When $t\in [\ell ]$, $\mathsf {CT}_{\mathsf {sym}, t}$ is constructed at time step t via the $\mathsf {Agg}$ circuit.
2.
The ciphertext component ${\mathsf {CT}}_{\mathsf {st},t}$ encoding $(\mathsf {ST},\mathsf {q}_{t},\mathsf{gsalt})$ at time step t was constructed at time step $t-1$ for $t>1$ and at time step 1, when $t=1$.
3.
The randomness $r_t = \mathsf {F}.\mathsf {Eval}(\mathsf {K}_{\tilde{t}+1},(t\Vert \mathsf {rand}\Vert \mathsf{gsalt})) = \mathsf {F}.\mathsf {Eval}(\mathsf {K}_t,(t\Vert \mathsf {rand}\Vert \mathsf{gsalt}))$ binds $\mathsf {CT}_{\mathsf {sym},t}$ and $\mathsf {CT}_{\mathsf {st},t}$ and both the encoded messages also share the same global salt.

Thus, at any given time step $t\in [\tau -2]$, we have a complete ciphertext of $\mathsf {1\mathsf {FE}}$ which may be fed again with $\mathsf {SK}_\mathsf {Next}$ to $\mathsf {1\mathsf {FE}}.\mathsf {Dec}$ in order to proceed with the computation. Thus, the execution of $\mathsf {1\mathsf {FE}}.\mathsf {Dec}$ at the $(\tau -2)^\text {th}$ time step provides the complete pair $(\mathsf {CT}_{\mathsf {sym}, \tau -1},\mathsf {CT}_{\mathsf {st}, \tau -1})$. By the correctness of $\mathsf {1\mathsf {FE}}$ scheme again, at time step $t = \tau -1$, invoking $\mathsf {1\mathsf {FE}}.\mathsf {Dec}(\mathsf {SK}_\mathsf {Next},(\mathsf {CT}_{\mathsf {sym},\tau -1},\mathsf {CT}_{\mathsf {st}, \tau \mathsf -1}))$ outputs either “Accept” or “Reject” by simulating the execution of M for the final time step $\tau $ inside the function $\mathsf {Next}$, thus correctly outputting $M(\mathbf {w})$.

4.3 Proof of Security for Multi-input $\mathsf {TMFE}$

Security of the above construction follows the same blueprint as the proof in Sect. 3 except that instead of single input functionality $\mathsf {ReRand}$, we now use a k-input functionality $\mathsf {Agg}$ to aggregate and rerandomize the inputs. We emphasize that the outputs produced by the $\mathsf {Agg}$ functionality are exactly the same as the outputs produced by $\mathsf {ReRand}$ functionality in Sect. 3: namely a sequence of $\mathsf {1\mathsf {FE}}$ ciphertexts encoding the symbol and global position, computed using randomness derived from a cPRF. Hence, the chief new ingredient in the security proof is the security of $\mathsf {Agg}$ functionality, which is derived from the security of the $\mathsf {k}\mathsf {FE}$ scheme.

Formally, we argue that:

Theorem 2

Assume that the k input FE for circuits $\mathsf {k}\mathsf {FE}$ satisfies standard indistinguishability, and the single input FE for circuits $\mathsf {1\mathsf {FE}}$ satisfies distributional indistinguishability. Assume that the cPRF is secure according to definition. Then, the above construction of k input ${\mathsf {kTMFE}}$ satisfies standard indistinguishability.

The proof follows the outline of the single input case, except that now we must additionally keep track of multiple execution threads corresponding to various combinations of ciphertexts across multiple users, i.e. various “global salt” values. In more detail, if each of k users makes Q ciphertext requests, then we have $Q^k$ total possible combinations of ciphertexts, each yielding a different execution thread per key. Note that each of the $Q^k$ combinations is identified with a unique“global salt”. We will assume w.l.o.g that there is a lexicographic ordering on all the global salt values; this can be easily ensured by associating a counter value with each random salt. We do not explicitly include this for notational brevity.

In the single input case, we replaced the execution chain of a machine over an input string from $b=0$ to $b=1$, step by step, and enumerated over all keys. Now, we again replace an execution chain step by step as in the single input case, but additionally enumerate over all $Q^k$ combinations for each key, as well as over all keys as before. The number of hybrids grows multiplicatively by $Q^k$. Details are again deferred to in the full version [1].

5 Indistinguishability Obfuscation for Turing Machines

In this section we construct indistinguishability obfuscation for Turing machines with bounded length input, i.e. the input length $n=n(\lambda )$ is any fixed polynomial in the security parameter. To support inputs of length n, we need an $(n+1)$-ary ${\mathsf {miFE}}$ for Turing machines denoted as $\mathsf {(n\!+\!1)\text {-}TMFE}$; we instantiate this with our construction from Sect. 4.

5.1 Construction

Let $\mathcal{M}= \{\mathcal{M}_\lambda \}_{\lambda \in \mathbb {N}}$ denote an ensemble of Turing machines with alphabet $\varSigma _\lambda = \{0,1\}$. Let be an ensemble of encoding schemes for $\mathcal{M}$ on alphabet $\varSigma _{\mathsf {enc}}$ such that for any $M\in \mathcal{M}_\lambda , \mathsf {Encode}_\lambda $ $(M) = \langle M\rangle $. Further, let $\mathcal{U}= \{\mathsf {U}_{\lambda }\}_{\lambda \in \mathbb {N}}$ denote the set of Universal Turing machines parameterized by the security parameter with alphabet $\varSigma _{\mathcal{U}} = \varSigma _{\mathsf {enc}}\cup \varSigma _\lambda $ such that for all $\lambda \in \mathbb {N}$, for any $M\in \mathcal{M}_\lambda $ and any $\mathbf {x}= (x_1, \ldots , x_n)\in \varSigma ^n_\lambda $, $\mathsf {U}_{\lambda }(\mathbf {x},\langle M\rangle )$ takes $\mathbf {x}$ and an encoding $\langle M\rangle $ of M, simulates M on $\mathbf {x}$ and outputs $M(\mathbf {x})$.

Let $\mathsf {(n\!+\!1)\text {-}TMFE}$ denote the $(n+1)$-ary multi-input functional encryption scheme for Turing machines with alphabet $\varSigma _{\mathcal{U}}$. We construct an ensemble of indistinguishability obfuscators $\mathsf {iO}= \{\mathsf {iO}_\lambda \}_{\lambda \in \mathbb {N}}$ with $\mathsf {iO}_\lambda = (\mathsf {iO}.\mathsf {Obf}, \mathsf {iO}.\mathsf {Eval})$ for $\mathcal{M}_\lambda $ with inputs $\mathbf {x}\in \varSigma _\lambda ^n$ as follows.

$\mathsf {iO}.\mathsf {Obf}(1^\lambda , 1^n, M)$: On input the security parameter $\lambda $, a bound $n\in \mathbb {N}$ and a Turing machine $M\in \mathcal{M}_\lambda $, do the following:
1. 1.
  Compute the encoding of M as $\mathsf {Encode}_\lambda $ $(M) = \langle M\rangle $.
2. 2.
  Compute a master secret key $\mathsf {MSK}\leftarrow \mathsf {(n\!+\!1)\text {-}TMFE}.\mathsf {Setup}$ $(1^\lambda ,1^{n+1})$.
3. 3.
  Compute the secret key for machine $\mathsf {U}_{\lambda }$ as $\mathsf {SK}_\mathsf {U}\leftarrow $ $\mathsf {(n\!+\!1)\text {-}TMFE}.\mathsf{KeyGen}(\mathsf {MSK}, \mathsf {U}_{\lambda })$.
4. 4.
  For $i\in [n]$, compute the encryptions $\mathsf {CT}^b_i = \mathsf {(n\!+\!1)\text {-}TMFE}.\mathsf {Enc}(\mathsf {MSK},$ $ (b, i)), b\in \varSigma _\lambda $.
5. 5.
  Compute the encoding of M as $\mathsf {CT}_{n+1} = \mathsf {(n\!+\!1)\text {-}TMFE}.\mathsf {Enc}(\mathsf {MSK},$ $(\langle M\rangle ,n+1))$.
6. 6.
  Output the obfuscated machine as $\widetilde{M} = \left( \mathsf {SK}_\mathsf {U},\right. $ $\left. \left( \{\mathsf {CT}^b_i\}_{i\in \{1,\ldots ,n\},b\in \varSigma _\lambda },\mathsf {CT}_{n+1}\right) \right) $.
$\mathsf {iO}.\mathsf {Eval}(\widetilde{M}, \mathbf {x})$: On input the obfuscated machine $\widetilde{M}$ and an input $\mathbf {x}\in \varSigma ^n_\lambda $, do the following:
1. 1.
  Parse $\widetilde{M} = \left( \mathsf {SK}_\mathsf {U}, \left( \{\mathsf {CT}^b_i\}_{i\in \{1,\ldots ,n\},b\in \varSigma _\lambda },\mathsf {CT}_{n+1}\right) \right) $ and $\mathbf {x}= (x_1,\ldots ,x_n)$.
2. 2.
  Compute and output $\mathsf {(n\!+\!1)\text {-}TMFE}.\mathsf {Dec}\left( \mathsf {SK}_\mathsf {U}, (\mathsf {CT}^{x_1}_1, \ldots , \mathsf {CT}^{x_n}_{n},\mathsf {CT}_{n+1})\right) $.

Correctness is directly followed by the correctness of $\mathsf {(n\!+\!1)\text {-}TMFE}$ scheme. Since the $\mathsf {(n\!+\!1)\text {-}TMFE}$ we use is compact, the obfuscation size obtained by the above scheme is $\mathsf {poly}(\lambda ,\vert \mathsf {U}\vert ,\vert M\vert ,n)$. In the full version [1], we show that our construction is secure:

Theorem 3

Assume that $\mathsf {(n\!+\!1)\text {-}TMFE}$ is a 1-key, 2-ciphertext selectively secure $(n+1)$-ary multi-input functional encryption scheme for Turing machines which satisfies standard indistinguishability. Then the construction in Sect. 5.1 is a secure indistinguishability obfuscator for the Turing machines with bounded input length n.

Notes

1.
Encoding of each bit may also use additional independent randomness, which is not relevant to the discussion here, and hence omitted.
2.
Note that the PRF key must be encoded in the ciphertext rather than function key since it is required to be hidden.
3.
For instance, a similar situation w.r.t circularity arises in the original garbled RAM construction of Lu and Ostrovsky [47].
4.
We omit the parameter $\lambda $ in what follows for brevity of notation.
5.
We omit the argument $\lambda $ where it is implicit for notational brevity.
6.
We do not explicitly construct ciphertext components corresponding to blank tape cells in the $\mathsf {Next}$ functionality for ease of exposition; we assume w.l.o.g that any non-input cell that is accessed by the OTM has been written to by the $\mathsf {Next}$ functionality in a previous step, thus generating the requisite symbol ciphertext.
7.
We assume that every time a cell is accessed, it is written to, by writing the same symbol again if no change is made.
8.
For the knowledgeable reader, this is similar to what was done by [5].
9.
There is an exception at time step 1 when both the symbol ciphertext and the start state ciphertexts are hardwired in the $\mathsf {ReRand}$ key.
10.
We assume that every time a cell is accessed, it is written to, by writing the same symbol again if no change is made.

References

Agrawal, S., Maitra, M.: FE and IO for turing machines from minimal assumptions. Cryptology ePrint Archive, Report 2018/ (2018). http://www.cse.iitm.ac.in/~shwetaag/research/tm-mife-full.pdf
Agrawal, S., Singh, I.P.: Reusable garbled deterministic finite automata from lWE. In: ICALP (2017)
Google Scholar
Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: From selective to adaptive security in functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 657–677. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_32
Chapter MATH Google Scholar
Ananth, P., Chen, Y.-C., Chung, K.-M., Lin, H., Lin, W.-K.: Delegating RAM computations with adaptive soundness and privacy. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 3–30. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_1
Chapter Google Scholar
Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 308–326. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_15
Chapter Google Scholar
Ananth, P., Jain, A., Sahai, A.: Indistinguishability obfuscation for turing machines: constant overhead and amortization. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 252–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_9
Chapter Google Scholar
Ananth, P., Sahai, A.: Functional encryption for turing machines. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 125–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_6
Chapter Google Scholar
Ananth, P., Sahai, A.: Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 152–181. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_6
Chapter Google Scholar
Applebaum, B., Ishai, Y., Kushilevitz, E.: How to garble arithmetic circuits. SIAM J. Comput. 43(2), 905–929 (2014)
Article MathSciNet Google Scholar
Badrinarayanan, S., Gupta, D., Jain, A., Sahai, A.: Multi-input functional encryption for unbounded arity functions. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 27–51. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_2
Chapter Google Scholar
Barak, B., et al.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Chapter Google Scholar
Bitansky, N., Garg, S., Lin, H., Pass, R., Telang, S.: Succinct randomized encodings and their applications. In: STOC (2015)
Google Scholar
Bitansky, N., Nishimaki, R., Passelègue, A., Wichs, D.: From cryptomania to obfustopia through secret-key functional encryption. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 391–418. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_15
Chapter Google Scholar
Bitansky, N., Paneth, O., Rosen, A.: On the cryptographic hardness of finding a nash equilibrium. In: 2015 IEEE 56th Annual Symposium on Foundations of Computer Science (FOCS), pp. 1480–1498. IEEE (2015)
Google Scholar
Bitansky, N., Vaikuntanathan, V.; Indistinguishability obfuscation from functional encryption. In: FOCS (2015)
Google Scholar
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
Chapter Google Scholar
Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_15
Chapter Google Scholar
Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_29
Chapter Google Scholar
Brakerski, Z., Komargodski, I., Segev, G.: Multi-input functional encryption in the private-key setting: stronger security from weaker assumptions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 852–880. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_30
Chapter MATH Google Scholar
Canetti, R., Chen, Y., Holmgren, J., Raykova, M.: Succinct adaptive garbled RAM. Cryptology ePrint Archive, Report 2015/1074 (2015). https://eprint.iacr.org/2015/1074
Canetti, R., Holmgren, J.: Fully succinct garbled RAM. In: Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, pp. 169–178. ACM (2016)
Google Scholar
Canetti, R., Holmgren, J., Jain, A., Vaikuntanathan, V.: Indistinguishability obfuscation of iterated circuits and RAM programs. In: Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Computing, STOC 2015 (2015)
Google Scholar
Canetti, R., Lin, H., Tessaro, S., Vaikuntanathan, V.: Obfuscation of probabilistic circuits and applications. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 468–497. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_19
Chapter MATH Google Scholar
Carmer, B., Malozemoff, A.J., Raykova, M.: 5Gen-C: multi-input functional encryption and program obfuscation for arithmetic circuits. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 747–764. ACM (2017)
Google Scholar
Chen, Y.C., Chow, S.S., Chung, K.M., Lai, R.W., Lin, W.K., Zhou, H.S.: Computation-trace indistinguishability obfuscation and its applications. IACR Cryptology ePrint Archive, 2015 (2015)
Google Scholar
Cohen, A., Holmgren, J., Nishimaki, R., Vaikuntanathan, V., Wichs, D.: Watermarking cryptographic capabilities. In: Proceedings of the Forty-Eighth Annual ACM symposium on Theory of Computing, pp. 1115–1127. ACM (2016)
Google Scholar
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS (2013). http://eprint.iacr.org/
Garg, S., Pandey, O., Srinivasan, A.: Revisiting the cryptographic hardness of finding a nash equilibrium. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 579–604. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_20
Chapter Google Scholar
Garg, S., Pandey, O., Srinivasan, A., Zhandry, M.: Breaking the sub-exponential barrier in obfustopia. Technical report, Cryptology ePrint Archive, Report 2016/102 (2016). http://eprint.iacr.org/2016/102
Garg, S., Srinivasan, A.: Single-key to multi-key functional encryption with polynomial loss. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 419–442. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_16
Chapter Google Scholar
Gentry, C., Halevi, S., Raykova, M., Wichs, D.: Outsourcing private RAM computation. In: 55th IEEE Annual Symposium on Foundations of Computer Science, FOCS (2014)
Google Scholar
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
Article MathSciNet Google Scholar
Goldwasser, S., et al.: Multi-input functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_32
Chapter Google Scholar
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_30
Chapter Google Scholar
Jafargholi, Z., Scafuro, A., Wichs, D.: Adaptively indistinguishable garbled circuits. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 40–71. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_2
Chapter Google Scholar
Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & #38; Communications Security, CCS 2013 (2013)
Google Scholar
Kitagawa, F., Nishimaki, R., Tanaka, K.: Indistinguishability obfuscation for all circuits from secret-key functional encryption. IACR Cryptology ePrint Archive 2017, 361 (2017)
Google Scholar
Kitagawa, F., Nishimaki, R., Tanaka, K.: Obfustopia built on secret-key functional encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 603–648. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_20
Chapter Google Scholar
Kitagawa, F., Nishimaki, R., Tanaka, K.: Simple and generic constructions of succinct functional encryption. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 187–217. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_7
Chapter Google Scholar
Komargodski, I., Segev, G.: From minicrypt to obfustopia via private-key functional encryption. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 122–151. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_5
Chapter Google Scholar
Koppula, V., Lewko, A.B., Waters,B.: Indistinguishability obfuscation for turing machines with unbounded memory. In: Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Computing, STOC 2015 (2015)
Google Scholar
Li, B., Micciancio, D.: Compactness vs collusion resistance in functional encryption. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 443–468. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_17
Chapter Google Scholar
Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 599–629. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_20
Chapter Google Scholar
Lin, H., Pass, R., Seth, K., Telang,S.: Output-compressing randomized encodings and applications. In: TCC-A (2016)
Google Scholar
Lin, H., Tessaro, S.: Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 630–660. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_21
Chapter Google Scholar
Liu, Q., Zhandry, M.: Decomposable obfuscation: a framework for building applications of obfuscation from polynomial hardness. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 138–169. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_6
Chapter MATH Google Scholar
Lu, S., Ostrovsky, R.: How to garble RAM programs? In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 719–734. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_42
Chapter Google Scholar
O’Neill, A.: Definitional issues in functional encryption. IACR Cryptology ePrint Archive 2010, 556 (2010)
Google Scholar
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Chapter Google Scholar
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC (2014). http://eprint.iacr.org/2013/454.pdf

Download references

Acknowledgement

We thank Vinod Vaikuntanathan for suggesting the generic transformation from FE to decomposable FE.

Author information

Authors and Affiliations

IIT Madras, Chennai, India
Shweta Agrawal & Monosij Maitra

Authors

Shweta Agrawal
View author publications
You can also search for this author in PubMed Google Scholar
Monosij Maitra
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shweta Agrawal .

Editor information

Editors and Affiliations

Ben Gurion University, Beer Sheva, Israel
Amos Beimel
University of Warsaw, Warsaw, Poland
Stefan Dziembowski

A Construction: Decomposable FE for Circuits

Given any single-input circuit FE scheme $\mathsf {1FE}$ satisfying standard indistinguishability based security, a projective garbled circuit scheme $\mathsf {GC}= (\mathsf {GCirc},\mathsf {GInp},\mathsf {GEval})$ with indistinguishability based security [35] supporting a circuit class $\mathcal{C}= \{\mathcal{C}_\lambda \}_{\lambda \in \mathbb {N}}$ with n-bit inputs, a simple $\mathsf{PRF}$ $\mathsf {F}= (\mathsf {F}.\mathsf {Setup},\mathsf {F}.\mathsf {Eval})$ and a symmetric encryption scheme $\mathsf {SYM}$, we can construct a single-input decomposable FE scheme $\mathsf{DFE}$ supporting the circuit class $\mathcal{C}$. We note that projective garbled circuit schemes satisfying indistinguishability based security are implied from one-way functions [35].

$\mathsf{DFE}.\mathsf {Setup}(1^\lambda , 1^{n})$: On input the security parameter $\lambda $ and input message size n, do the following:
1. 1.
  Generate $(\mathsf {1FE}.\mathsf {PK}, \mathsf {1FE}.\mathsf {MSK}) \leftarrow \mathsf {1FE}.\mathsf {Setup}(1^\lambda ,1^{2\lambda +\log n+2})$.
2. 2.
  Output $(\mathsf {PK},\mathsf {MSK}) = (\mathsf {1FE}.\mathsf {PK}, \mathsf {1FE}.\mathsf {MSK})$.
$\mathsf{DFE}.\mathsf {Enc}(\mathsf {PK}, \mathbf {x})$: On input the public key $\mathsf {PK}$ and a message $\mathbf {x}= (x_1, \ldots , x_n)$ of length $n = \vert \mathbf {x}\vert $, do the following:
1. 1.
  Sample a $\mathsf{PRF}$ key $\mathsf {K}\leftarrow \mathsf {F}.\mathsf {Setup}(1^\lambda )$ and set a flag $\mathsf{mode}= 0$.
2. 2.
  Compute $\mathsf {CT}_{x_i} = \mathsf {1FE}.\mathsf {Enc}$ $(\mathsf {PK}, (\mathsf {K}, \mathbf {0}, i, x_i, \mathsf{mode})), \forall i\in [n]$ and output $\mathsf {CT}_\mathbf {x}= \{\mathsf {CT}_{x_i}\}_{i\in [n]}$.
$\mathsf{DFE}.\mathsf{KeyGen}$ $(\mathsf {MSK}, C)$: On input the master secret key $\mathsf {MSK}$ and a circuit $C\in \mathcal{C}_\lambda $, do the following:
1. 1.
  Sample a random $\mathsf{salt}\leftarrow \{0,1\}^\lambda $, $\mathsf {CT}_i \leftarrow \{0,1\}^{\ell (\lambda )}, \forall i\in [0,n]$.
2. 2.
  Output $\mathsf {SK}_{\widehat{C}} = \mathsf {1FE}.\mathsf{KeyGen}$ $(\mathsf {MSK}, \widehat{C}_{C,\mathsf{salt},\{\mathsf {CT}_i\}_{i\in [n]},\mathsf {CT}_0})$, where $\widehat{C}_{C,\mathsf{salt},}$ ${\{\mathsf {SYM}.\mathsf {CT}_i\}_{i\in [n]}, \mathsf {SYM}.\mathsf {CT}_{\widetilde{C}}}$ is a circuit described in Fig. 11.
$\mathsf{DFE}.\mathsf {Dec}(\mathsf {SK}_{\widehat{C}}, \mathsf {CT}_\mathbf {x})$: On input a function key $\mathsf {SK}_{\widehat{C}}$ and a decomposed ciphertext $\mathsf {CT}_\mathbf {x}= \{\mathsf {CT}_{x_i}\}_{i\in [n]}$, do the following:
1. 1.
  For $i=1$, invoke $\mathsf {1FE}.\mathsf {Dec}(\mathsf {SK}_{\widehat{C}}, \mathsf {CT}_{x_1})$ to obtain a pair $(\ell _{1, x_1} , \widetilde{C})$.
2. 2.
  For all $i\in [2,n]$, invoke $\mathsf {1FE}.\mathsf {Dec}(\mathsf {SK}_{\widehat{C}}, \mathsf {CT}_{x_i})$ to obtain $(\ell _{i, x_i} ,\bot )$.
3. 3.
  Note that $\widetilde{\mathbf {x}} = \{\ell _{i, x_i}\}_{i\in [n]}$ represents the labels corresponding to the garbled input underlying $\mathsf {CT}_\mathbf {x}$ generated as outputs of $\widehat{C}$, while $\widetilde{C}$ represents the garbled circuit for C.
4. 4.
  Run $\mathsf {GEval}$ $(\widetilde{C}, \widetilde{\mathbf {x}})$ to get $\mathbf {y}$.

Correctness. We have by correctness of $\mathsf {1FE}.\mathsf {Dec}$ that it outputs the garbled input $\widetilde{\mathbf {x}}$ and the garbled circuit $\widetilde{C}$ correctly. The correctness of $\mathsf {GEval}$ implies that decryption recovers $C(\mathbf {x})$ as desired.

The proof of security is provided in the full version [1].

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Agrawal, S., Maitra, M. (2018). FE and iO for Turing Machines from Minimal Assumptions. In: Beimel, A., Dziembowski, S. (eds) Theory of Cryptography. TCC 2018. Lecture Notes in Computer Science(), vol 11240. Springer, Cham. https://doi.org/10.1007/978-3-030-03810-6_18

Download citation

DOI: https://doi.org/10.1007/978-3-030-03810-6_18
Published: 08 November 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03809-0
Online ISBN: 978-3-030-03810-6
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

FE and iO for Turing Machines from Minimal Assumptions

Abstract

Similar content being viewed by others

Obfuscation from Polynomial Hardness: Beyond Decomposable Obfuscation

Indistinguishability Obfuscation for Turing Machines: Constant Overhead and Amortization

Indistinguishability Obfuscation with Non-trivial Efficiency

1 Introduction

2 Preliminaries

2.1 Definitions: FE for Circuits

Definition 1

Definition 2

Definition 3

Definition 4

Definition 5

Definition 6

2.2 Definitions: FE for Turing Machines

2.3 Constrained Pseudorandom Functions

Definition 7

3 Construction: Single Input FE for Turing Machines

3.1 Construction

3.2 Correctness and Efficiency of Single Input \(\mathsf {TMFE}\)

3.3 Proof of Security for Single Input \(\mathsf {TMFE}\)

Theorem 1

3.4 Constructing the \(\mathsf{cPRF}\)

4 Construction: Multi-input FE for Turing Machines

4.1 Construction of Multi-input \(\mathsf {TMFE}\)

4.2 Correctness of Multi-input \(\mathsf {TMFE}\)

4.3 Proof of Security for Multi-input \(\mathsf {TMFE}\)

Theorem 2

5 Indistinguishability Obfuscation for Turing Machines

5.1 Construction

Theorem 3

Notes

References

Acknowledgement

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

A Construction: Decomposable FE for Circuits

A Construction: Decomposable FE for Circuits

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation