 Thank you for the introduction. So this is joint work with Tsvika Parkevsky and Christina Buska. And when you're talking about statistically secure obfuscation with approximate correctness, the first obvious question is, what is statistically secure obfuscation? And it's a very short reminder. An obfuscator is basically just a program that gets its input a circuit C and probably some randomness, and it outputs another circuit C prime. And what you would usually want is perfect correctness. Meaning that the output circuit should be functionally equivalent to the input circuit. However, we can sometimes get away with much weaker definitions. What we are going with is approximate correctness. Approximate correctness basically means that for a random input, the output circuit must agree with the input circuit with probability at least 1 minus epsilon for some function epsilon that basically describes the approximation error of the obfuscator. The second thing we want from our obfuscator is, of course, that it's secure. And what you would usually go with is inextinguishability obfuscation. And in the statistical sense, inextinguishability obfuscation simply means that if you have two circuits that are functionally equivalent and have the same size, then the statistical distance of the obfuscations must be negligible. However, we can also weaken this definition to something that we know paper call correlation obfuscation. And there, the difference is that we no longer want that the statistical distance is necessarily bounded by a negligible function. Instead, it's enough that we know some function delta that bounds the statistical distance. For the main part of my talk, I will actually focus on indistinguishability obfuscators simply to keep things a bit simpler. But I will mention how our result also applies to correlation obfuscators. So the next obvious question might be why we even care about approximate correctness. Because an approximately correct obfuscator might seem like a relatively useful thing. It does not even guarantee that it is correct on any fixed input. However, it turns out that it is, in fact, still useful. In particular, it was observed by Mahmoudi, Mohamed, Nematihachi, Parse, and Shilat that you can still construct public key encryption from one-way functions if you have statistically secure I.O., approximate I.O. And this is basically done by just applying the construction of the high-end waters that usually constructs public key encryption from one-way functions and I.O. to an approximate I.O. And then you get something that you can amplify using an amplification technique due to Hohenstein to a full public key encryption scheme. And in our paper we show with the careful analysis that this is not only true for statistically secure approximate I.O., but this is even true for correlation obfuscation for everything, all the parameters basically in this blue area here. So that means that even correlation obfuscation is still an interesting primitive. And it's a very interesting question to ask whether it might exist, especially in this region, with statistical security, because it would lead to a major breakthrough in crypto giving you public key encryption from one-way functions. And our answer to that question is mainly negative. What we show is that if statistically secure, approximately correct I.O. would exist, then either one-way functions do not exist or the polynomial hierarchy collapses. And since we do not believe that either one-way functions do not exist or the polynomial hierarchy collapses, probably statistically secure approximate I.O. does not exist. Our actual proof is more general in that it also applies to correlation obfuscation and it basically gives us a lower bound on the possible parameters for statistically correct, statistically secure, approximately correct correlation obfuscation. However, for correlation obfuscation, we also have a positive result where we can for very weak parameters give a trivial construction. And this gives us this landscape of correlation obfuscation where in the upper right we have a large area that where we actually know a trivial construction. However, the construction is actually so trivial that we are pretty certain that it is completely useless. On the other hand, we have down here the red range. In this range, we cannot construct correlation obfuscation with statistical security. Unless the polynomial hierarchy collapses or one-way functions still don't exist. However, I need to mention that we cannot rule out the full range of parameters that are actually useful for the transformation to public key encryption. So how does our proof work? Basically, the starting point for our proof is a previous proof by Goldwasser and Rotbloom. And what they showed was the impossibility of statistically secure IO with perfect correctness. And they also rely on the assumption that the polynomial hierarchy does not collapse. And what they do is basically show how a statistically secure obfuscator would help you in solving SAT. So the SAT problem is that you are given a formula, it's either unsatisfiable or satisfiable and you have to decide which one it is. And to be able to use an obfuscator to do that, we look at another formula, the formula zero is some canonical unsatisfiable formula. Doesn't matter what it is, just we know this formula is unsatisfiable. And now we obfuscate all of these formulae. And what we get is that because the two unsatisfiable formulae are functionally equivalent, the security of the obfuscator guarantees us that the output distributions must be negligible close. On the other hand, if we have a satisfiable formula, then by definition, this formula is not functionally equivalent to a zero circuit because there exists at least one point on which it actually outputs one. And because you have perfect correctness in the obfuscator, this means that the output distributions are actually completely disjoint. And now it turns out that the problem of deciding whether two distributions are either very close, statistically, or very far, this is called the gap statistical distance problem. And it was proven by Zahaian Waddan that this problem is actually in AM intersect coAM, which would mean that we can decide SAT in AM intersect coAM, which would imply a collapse of the polynomial hierarchy. So the next obvious question is of course, can we just use exactly the same approach in the approximate case? And the answer is no. And to see why, just consider that we have a satisfiable formula that has very few satisfying assignments. Let's say it only has a single satisfying assignment, then it actually disagrees with the zero circuit only on a single point. And because we only have an approximate obfuscator, the obfuscator can just ignore that point, obfuscate this satisfiable formula to a zero circuit, and therefore we no longer have the guarantee that there will be a large statistical distance. So how do we solve this problem? Our approach is basically to obfuscate more complicated circuits. And for this, we construct two different circuits. We construct a reference circuit CY and a circuit CX that's indexed with a PRF key and a formula psi. And we construct these circuits in such a way that if the formula psi is unsatisfiable, then the two circuits are function equivalent and the output distributions are once again negligibly close. On the other hand, if psi is satisfiable, then the two circuits are almost functionally equivalent. However, there exists a point we call X zero on which they disagree. Now this may seem confusing because I just spent some time arguing that if you have two circuits that only disagree on a single point, an obfuscator might choose to ignore that point. And that is why we basically have to hide whether this point exists or not. So to do this, to do this, we introduce another circuit C and this circuit is constructed in such a way that it is function equivalent to the reference circuit. However, the obfuscator cannot actually distinguish between the circuit CX and the circuit C and this allows us to ensure that while the distributions are no longer completely disjoint, that the statistical distance is large. And to be able to do this, we leverage the fact that the obfuscator is actually an efficient algorithm, even though it must be statistically secure, it must itself be an efficient algorithm to be useful. And so we leverage here our assumption that one-way functions exist. And this assumption is leveraged in the form of punctual-sur-rendum functions and punctual-sur-rendum functions were shown by Bonnier Waters, Boyle, Goldwasser, Ivan, and Kiyayas, Papartopoulos, Triadopoulos, and Zaharias, basically concurrently to be existentially equivalent to one-way functions. And we use a very simple notion of punctual-PRFs here, where we have two algorithms. We have a PRF algorithm that on input a key and an input value outputs a single bit. And we have a puncture algorithm that on input a key and a value x zero outputs a punctured key. And we want two things from a punctual-PRF. First of all, functionality should be preserved under puncturing, meaning that for all inputs that are not x zero, it makes no difference whether you use the punctured key or the normal key. Second thing is of course, security. And security for punctual-PRF is defined as follows. You have the attacker. The attacker may choose a point x zero on which we should puncture the key. We choose a key K, we puncture that key on x zero, and then we have two cases. Either we give the attacker the punctured key and the actual PRF value on x zero, or we give the attacker the punctured key and a random bit B. And the security states that the two cases should be indistinguishable. So how can we use this to ensure that two circuits that only differ on a single point are obfuscated in such a way that the statistic distance is large? And to see this, we first look at this circuit. This circuit is for now not indexed by a formula. Instead we have a punctured key K star here, a value x zero on which the key is punctured and a bit B. And what the circuit does is on x zero, it simply outputs B on all other values, it outputs the PRF circuit, the PRF value. And we can see that if B is not the PRF value, so our PRF only outputs a single bit, so this means it's simply the PRF value x of one, then this circuit disagrees with the PRF circuit on exactly a single point, on exactly x zero. And what we want to show is that the obfuscation of this circuit is nevertheless statistically far from an obfuscation of the PRF circuit. And to do this, we look at the other case, we look at the case where B is actually the PRF value. In this case, we have that this circuit is function equivalent to the PRF circuit and this has an interesting implication because if we obfuscate the PRF circuit, then we're guaranteed by the approximate correctness that on x zero, the obfuscated circuit will output B because B is the actual PRF value. And it will output this with probability at least one minus epsilon. However, because the two circuits are function equivalent, we have basically this bound carries over to this case minus some negligible loss. And now we can leverage the fact that the attacker, the obfuscator is actually an efficient algorithm and use the PRF security because the obfuscator is actually not able to distinguish between the two different cases because this is exactly the security of the punctual PRF. So this bound also minus again some negligible loss carries over to this case. And this means what we have is that if we would obfuscate the PRF circuit, then the PRF circuit outputs the correct PRF value on x zero with probability at least one minus epsilon. Whereas the obfuscated circuit C disagrees with the PRF circuit on x zero with probability roughly one minus epsilon, giving us a statistical distance of roughly one minus two epsilon. And therefore we have enforced a large statistical distance even though the two circuits disagree only on a single point. Now of course what's missing here is still that we have to somehow put our formula into this. And to be able to do this, we actually have to restrict our attention to unique SAT. So unique SAT is exactly the same thing as SAT except that you're guaranteed that any satisfiable formula has only a single satisfying assignment. Now unique SAT was shown to be NP-hard by Valiant and Vasirani, however only via a randomized reduction. And that's a problem because we can't use the exact same approach as Goldwasser and Rotblum because if we would show that unique SAT is in AM intersect coAM, this would not directly imply that SAT is also in AM intersect coAM. However, we can combine previous results due to Mamoudi and Xiao and Bogdanov and Li to show that it's enough to prove that unique SAT can be solved if we are given a gap statistical distance oracle. Then this implies that SAT is in AM intersect coAM and the polynomial hierarchy collapses. So this is what we're doing. We are showing that unique SAT can be decided if we have a gap statistical distance oracle. So to do this, we are looking at this circuit here. This circuit CX is indexed with a key K, a random value S and a formula psi. And what it does is it simply checks whether the input value X or S satisfies the formula and if it does it outputs the opposite of the PRF value and otherwise it simply evaluates the PRF. Now there are obviously two cases here. Either psi is uniquely satisfiable or psi is unsatisfiable. Now if psi is unsatisfiable, then this circuit is functionally equivalent to the PRF because, well this is simply never true because there is no satisfying assignment. And on the other hand, in the uniquely satisfiable case, what we have is that CX is actually functionally equivalent to the circuit C we saw on the previous slide, 4X0 being the satisfying assignment of the formula X or S. And this is where the S is important because we need that this value X0 is uniformly distributed, otherwise the approximate correctness of the obfuscation scheme does not apply. And of course B is here not the PRF value, but the opposite. And what that means is that if we define these two distributions here, that basically only differ in that one distribution obfuscates the circuit CX and the other one obfuscates the PRF circuit, then in the unsatisfiable case, we have that the two circuits are functionally equivalent, meaning that the statistical distance between their obfuscations is negligible. On the other hand, in the uniquely satisfiable case, this circuit as I said is functionally equivalent to the circuit C we saw on the previous slide. And what that means is that our bound basically carries over again to this case minus again some negligible loss, meaning that we can bound this statistical distance with roughly one minus two epsilon. And this gives us a gap between the two cases. And this means, and this gap is large enough that we can decide in which case we're in given a gap statistical distance oracle. And that means that if SAIO and one-way functions both exist, then the polynomial hierarchy collapses. And this concludes our proof. And if we apply exactly the same proof and are very careful to correlation obfuscation, then we basically end up with this lower bound that I showed before. And I can leave you with the interesting open question where this bound can actually be extended to also rule out this interesting region here, or if there's a reason why we can't rule out this region, because maybe an obfuscator in this region actually exists, which would, as I said, lead to a major breakthrough in crypto. And with that, I'd like to thank you. And if there are any questions, I'd be happy to answer them.