All right, thank you for the introduction of this work. Can everyone hear me? Cool. So the goal of this work is to construct an obfuscation scheme that we can prove secure from standard assumptions, without inventing anything new, and to do this for a more limited function class that is still non-trivial to obfuscate. So why do we care about obfuscation? Suppose you've written some amazing piece of code and you want everyone to run it; maybe it will reduce carbon emissions and help save the environment. The problem is that your code may contain a cryptographic secret key, and you don't want people to read part of your code and learn something from it. So an obfuscation scheme does something like the following: it takes your code and returns code that is guaranteed to behave only like a black box. We want the user to get only input/output query access to the code. If I run any algorithm on the obfuscated code, doing a partial evaluation or reading some bits of memory, this should only give me randomness that I could have simulated without seeing the code itself. If you could do this for any arbitrary fixed function, that would be the standard notion of virtual black-box (VBB) obfuscation. Now unfortunately, or fortunately depending on your perspective, this is not possible in general for all circuits, but it is still possible for some limited function classes, such as point functions. So as the previous talk mentioned, most of the follow-up work on obfuscation has tried to achieve a weaker notion of obfuscation, iO (indistinguishability obfuscation), for general circuits. We're going to take the opposite direction in this work, and ask the question: let's say we start from VBB for point functions. What's the most complex function class that we can still obfuscate, in a VBB sense, without introducing a new assumption?
So specifically, we're going to use the notion of distributional VBB, and we're going to look at the following function class, which we call pattern matching with wildcards. Here's how the function class works. You evaluate the function on an n-bit Boolean input. A pattern is a length-n string over the character set {0, 1, *}. If we didn't have the star character, this would be exactly a point function: it outputs 1 if and only if the input agrees with the 0/1 characters. With the star character, we essentially ignore the dimensions that are stars; you can think of it as projecting out those dimensions and then computing a point function on the rest. Importantly, we want w, the number of wildcards, to be large, a constant fraction of n. If w were small, this would just be a union of 2^w point functions, and I wouldn't be standing here talking. Here's an example for length 6: the pattern is 01**01. Any input that agrees on the first two and last two bits evaluates to 1; it doesn't matter what the middle two bits are. But if the input has a 1 in the first bit, the function evaluates to 0. So hopefully the function class is clear. OK, here is a possible application of why this function class might be useful. Suppose you're trying to check code for a security flaw, and the non-wildcard slots indicate where the flaw is. If a person's code has the flaw, you want them to be able to detect it, but you don't want to tell everyone where the non-wildcard slots are, because then everyone who does not already have the flaw could go and look for it. This function class was previously studied under the name of obfuscating conjunctions, and in the past, schemes were constructed based on multilinear maps and on the entropic ring-LWE assumption.
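The function class is simple enough to sketch directly. Here is a minimal Python version of pattern matching with wildcards; the string encoding is just an illustrative choice, not anything from the talk:

```python
def match(pattern, x):
    """Pattern matching with wildcards: pattern is over {'0', '1', '*'},
    x is a bit string of the same length. Wildcard positions are ignored;
    every non-wildcard position must agree with the input bit."""
    assert len(pattern) == len(x)
    return all(p == '*' or p == b for p, b in zip(pattern, x))

# The example from the talk: pattern 01**01 on length-6 inputs.
print(match("01**01", "010001"))  # True  (middle two bits ignored)
print(match("01**01", "011101"))  # True
print(match("01**01", "110001"))  # False (first bit disagrees)
```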
So we want to get an obfuscation scheme for the same function class, but just in the generic group model. On one hand, the assumption will be easy to understand. On the other hand, the construction itself will be much simpler to describe and implement, because it will essentially just compute some numbers, exponentiate them using a group oracle, and multiply the results. The definition of security that we're going to use is distributional VBB. As I mentioned earlier, plain VBB fixes an arbitrary function and then obfuscates it. Here, instead, the function itself is sampled from a distribution. Let me say specifically what this means for our function class. We have this pattern sigma over {0, 1, *}, and you can imagine some scheme for sampling this length-n string: you could sample each character slot independently from the three possible choices, or you could fix the number of wildcard slots and sample a subset, however you want to sample it. We then have a joint distribution over sampling the function and over the obfuscator's randomness, and we want to say that, with high probability over this joint distribution, the whole thing can be simulated. We construct an explicit simulator which runs the adversary's algorithm on something that represents the all-zero function. So what this says is: if you have this pattern, and a priori you don't know what the pattern is, then to any adversarial algorithm A the obfuscation should behave just like a function that is always 0, one that never has an accepting input. The proof of security is in the generic group model, which is set up as follows. Say again that we're evaluating a length-n input, and each coordinate x_i has two possible bit values. We'll start off by giving out a table of 2n handles.
You can think of these handles as arbitrary strings in a space large enough that there are no collisions. The handles have no meaning in themselves; they only acquire meaning through interaction with the generic group oracle. The group oracle itself has some underlying group, which could be a cyclic group or an integer polynomial ring, and it initializes a random embedding from this group into the space of handles. The interaction is modeled as follows: you give the group oracle two handles, it computes the product in its internal representation, and it gives you the handle corresponding to that product. If the result is an element you've never seen before, for example if I multiply two table elements and get something not in the table, then that new handle should be uniformly distributed in the handle space H. So this is the model for the generic group. Now, here is how we want to think about an honest evaluation of a function in this model. We set up the table with all the possible bit values. To evaluate an input x, we choose the handles indicated by the input: if x_1 is 1, we choose h_{1,1}, and so on for each coordinate. That gives you n handles, and then we do some computation over these n handles that tells us the output value. How do we do this computation? The way this differs from a point function is the following symmetry. Say the pattern is 01*. The first two coordinates are just the same as a point function, but on the third coordinate we want the two handles to look the same once we compute the whole function; it shouldn't matter which one you choose. On the other hand, they can't actually be identical before you complete the entire function evaluation, because then the adversary would be able to see that this is a wildcard slot.
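As a rough sketch of this model (the class name and the lazy-sampling shortcut are my own, not from the talk), a generic group oracle can be mocked by lazily assigning a fresh random handle to each newly seen group element and answering multiplication queries on the hidden representation:

```python
import secrets

class GenericGroupOracle:
    """Toy generic group oracle over the additive group Z_p: elements are
    hidden behind random string handles, and the only permitted operation
    is the group operation on two handles."""
    def __init__(self, p):
        self.p = p
        self._handle_of = {}  # hidden group element -> handle
        self._elem_of = {}    # handle -> hidden group element

    def handle(self, a):
        """Return the handle of group element a, sampling a fresh uniform
        handle the first time a is seen (a lazy random embedding)."""
        a %= self.p
        if a not in self._handle_of:
            h = secrets.token_hex(16)  # handle space large enough to avoid collisions
            self._handle_of[a] = h
            self._elem_of[h] = a
        return self._handle_of[a]

    def mult(self, h1, h2):
        """Group operation: combine the hidden elements, return the handle."""
        return self.handle(self._elem_of[h1] + self._elem_of[h2])
```

Combining the handles of 1 and 2 yields the same handle as asking for 3 directly, but the handles themselves carry no algebraic structure.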
So the solution that we're going to use for this is the standard technique of polynomial interpolation: it doesn't matter which samples you take, as long as you have n distinct samples, you reconstruct the same interpolating polynomial. The setup is the following. We sample a polynomial P such that P(0) = 0; you can do this by sampling the non-constant coefficients, leaving the constant term zero, and taking the sum of the terms. Then we initialize the table of 2n handles as follows. For the slots that are not supposed to be accepting, say for pattern 01*, if x_1 = 1 then that slot should never be part of an accepting input, we give a completely random group element and hand out its image in the handle space; r here represents an independently sampled random group element. For the slots that are part of an accepting input, we give a unique sample of the polynomial, where the evaluation point is just an index you can compute beforehand from the table position, namely 2i + j. We do this for both the non-wildcard accepting slots and the wildcard slots; these are all generated in the same way. Once you have this table, we follow the evaluation scheme from before: pick the samples, construct the interpolating polynomial, and output 1 if the interpolating polynomial evaluates to 0 at the input 0. That corresponds to all my samples being legitimate samples of the polynomial, whereas if I picked up a completely random sample, the interpolant's value at 0 would not be 0. This doesn't work as-is, though: the table contains n + w legitimate samples of the polynomial, more than the n needed to interpolate, so an adversary is not restricted to the honest evaluation.
So an adversary could try to figure out the extra samples that he's not supposed to use under an honest evaluation. There are decoding algorithms for Reed–Solomon codes with noisy samples, for example the Berlekamp–Welch algorithm, and in our case, if the number of wildcard slots were greater than n/2, you could construct an error-locator polynomial, solve for it, and figure out the distinction between the slots. So we can't release the scheme like that quite yet. But one thing to note is that the Berlekamp–Welch algorithm requires a nonlinear computation, because you actually multiply the interpolating polynomial by other algebraic terms. However, as we'll show next, if you just want the value of the interpolating polynomial at 0, that only requires a linear combination over the elements. With this realization, we can just put everything in the exponent, as follows. We sample the same polynomial in the same way, but we also fix a cyclic group of the same prime order as the modulus of the integer ring. All right, so that's the setup, and the handles are given out the same way as before, except we put everything in the exponent of the same generator element. So now that we have this, how do we do the linear computation that evaluates the polynomial interpolant? Well, polynomial interpolation is a linear combination of basis elements. Because our evaluation points are the fixed values 2i + j, and we only evaluate the result at the point 0, we don't care what the interpolating polynomial looks like anywhere else; we can plug all these values in and get a single number per sample, which we call a Lagrange coefficient. Evaluating at 0 is then just a weighted sum with Lagrange coefficients, which is a sum in the exponent, which we can compute as a product of generic group elements.
So for correctness then: if each chosen table entry is a legitimate sample, you'll see that in the exponent you get the sum of the Lagrange coefficients c_i times the values of the polynomial, which gives you exactly g to the P(0). Since we sampled P with P(0) = 0, this is g^0, so the scheme gives you the correct output. But if any chosen entry was random, then you just get a product with a random group element. So the correctness of this scheme is pretty straightforward. Now we're going to show security through the following game between generic group simulators; I'll go through the high-level structure of how we set up the generic group arguments. The proof is a hybrid over the actual internal group representation used by each oracle. The first one we start with is the actual implementation: the cyclic group of order p, where a group element looks like g raised to the value of the polynomial at some point. The group we end with is the one that represents the zero function. What is that? It's a free group over 2n basis elements, where each basis element corresponds to one handle. The reason this represents the zero function is that any linear combination of these basis elements is never zero, because they are all independent elements with no relations; so any adversary trying to construct an interpolation over this group will always get something nonzero. This is the simulator for the final hybrid. Then we have a third simulator in the middle, which is sort of an algebraic hybrid between these two. For this middle simulator, remember that earlier we sampled the polynomial by sampling coefficients a_1 through a_n; here we're going to leave those coefficients unsampled, as formal variables.
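Putting the pieces together, here is a self-contained toy sketch of the whole scheme in the exponent. All parameters are illustrative choices of mine, not from the talk: g = 9 generates the order-p subgroup of Z_q* for the safe prime q = 10007 = 2p + 1 with p = 5003, and I take deg P ≤ n − 1 so that the n honest samples determine P; a real instantiation would use cryptographic sizes.

```python
import secrets

q, p, g = 10007, 5003, 9  # toy group: g generates the order-p subgroup of Z_q*

def obfuscate(pattern):
    """Sample P with P(0) = 0, then publish the table in the exponent:
    accepting slot (i, j) holds g^{P(2i + j)}, every other slot holds a
    random group element. Only group elements are released."""
    n = len(pattern)
    coeffs = [secrets.randbelow(p) for _ in range(n - 1)]  # a_1 .. a_{n-1}
    P = lambda x: sum(a * pow(x, k + 1, p) for k, a in enumerate(coeffs)) % p
    table = {}
    for i in range(1, n + 1):
        for j in (0, 1):
            e = (P(2 * i + j) if pattern[i - 1] in ('*', str(j))
                 else secrets.randbelow(p))
            table[(i, j)] = pow(g, e, q)
    return table

def lagrange_at_zero(points):
    """Coefficients c_i with sum_i c_i * f(x_i) = f(0) for deg f < n:
    c_i = prod_{j != i} x_j / (x_j - x_i) mod p."""
    cs = []
    for xi in points:
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * xj % p
                den = den * (xj - xi) % p
        cs.append(num * pow(den, -1, p) % p)
    return cs

def evaluate(obf, x):
    """Honest evaluation: pick the n group elements named by the input bits,
    combine them with Lagrange coefficients in the exponent, and accept iff
    the product equals g^{P(0)} = g^0 = 1."""
    points = [2 * i + int(b) for i, b in enumerate(x, start=1)]
    cs = lagrange_at_zero(points)
    acc = 1
    for c, (i, b) in zip(cs, enumerate(x, start=1)):
        acc = acc * pow(obf[(i, int(b))], c, q) % q
    return acc == 1
```

A matching input selects only genuine samples, so the exponent interpolates to P(0) = 0 and the product is the identity; a non-matching input mixes in a random exponent, so the product is identity only with probability 1/p.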
So this will be a polynomial ring over the coefficients a_1 through a_n, and we'll also have a variable for each non-accepting slot. There are n + w accepting slots, so n − w non-accepting slots, and each of those gets its own variable b_k. The initial handle table then looks like this: P(3), say, becomes the formal polynomial 3a_1 + 9a_2 + ⋯ + 3^n a_n, and a non-accepting slot is just its own independent free variable b_k. So this is what the three internal group representations look like in our proof. Now, how do we show indistinguishability between any two of them? For the rest of this, I'm just going to focus on the indistinguishability game between S and M, the first two, and you can think of the game for the second step as roughly similar. Proofs in the generic group model have historically been somewhat difficult to formalize, because there are a lot of things to keep track of: handles, how they correspond to group elements, and what it even means for two generic group simulations to differ. In the past a lot of this was formalized as "the simulation is perfect except if this bad event happens," and we'd like to make that statement more rigorous. So we define a security game as follows. The adversary is given two oracles. One of them is known: it's the middle oracle M, with the Z[a, b] polynomial representation. The other oracle is either S or M, each with probability one half, and the goal of the game is to guess which one it is. The adversary starts off with the table from each oracle, and in each round he asks the same query to both. The adversary wins if he correctly guesses the identity of the unknown oracle. Okay, so what do we need to define this game?
We had these two different group representations: one was the polynomial ring Z[a, b], one was the actual group. It turns out that in order to make this game work, there's a relationship between the two, which is exactly the evaluation map: you take the formal polynomial and plug in the values that were actually sampled at the simulator's start. This gives you a group homomorphism from the group in simulator M to the group in simulator S. So we have this evaluation map. Now, I need to establish some notation to keep track of the rest of the bookkeeping. We have two handle sets, since the adversary plays against two oracles simultaneously. H^0 is the initial table of 2n handles, and in each round, as the adversary asks for a product and gets a new handle, he keeps adding it to this set. To make the notion of "asking the same query" precise, we have another map that identifies handles between the two sets. Initially it maps each entry of one table to the same entry of the other, and whenever a query returns a new pair of handles, one from each oracle, that pair is added to the map. Lastly, each group simulator has its own fixed random embedding from its group into the space of handles. Okay, so the proof is by induction, and the idea is as follows. Say the adversary has made T queries so far and has these two sets of handles. First, I want to formalize what it means that the answers I've seen so far are the same. Either I see one handle from each oracle and I already knew that the one maps to the other under the identification map, in which case this is the same answer; or both are new handles.
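To illustrate the role of the evaluation map (a toy sketch with modeling choices of my own): in the middle simulator M, every reachable group element is a Z_p-linear combination of the formal variables, the a-coefficients plus the free b-variables, so it can be stored as a coefficient vector, and plugging in the values sampled by S is a homomorphism down to S's exponent group Z_p:

```python
import secrets

p = 5003        # toy prime modulus (illustrative)
num_vars = 8    # total a-variables plus b-variables in the middle simulator M

# A group element of M is a formal Z_p-linear combination of the variables,
# stored as its coefficient vector; the group operation is vector addition.
def add(u, v):
    return [(x + y) % p for x, y in zip(u, v)]

# The evaluation map plugs in the values actually sampled by simulator S;
# it is a group homomorphism from M's representation onto Z_p.
sampled = [secrets.randbelow(p) for _ in range(num_vars)]
def ev(u):
    return sum(c * s for c, s in zip(u, sampled)) % p
```

Here `ev(add(u, v))` always equals `(ev(u) + ev(v)) % p`, which is what lets the game compare a query's answer in M with the corresponding answer in S; the nontrivial kernel of `ev` is exactly where the simulation can fail.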
And because each embedding is random, these two new handles are both drawn from the uniform distribution over the handle space, so in this case we'll also say that the query outputs from the two simulators are the same. We want this to hold for every query, and if that's the case, the game is indistinguishable. But we also need another condition in order to show that this is maintained. The condition is about the non-trivial kernel of the evaluation map from the polynomial ring Z[a, b] down to the group: because this kernel is non-trivial, there are multiple formal polynomials that map down to the same element, but we want the adversary to have seen only one of them so far in the handle space of M. What this says is: for any handle in the handle space of S that the adversary has seen, there is a unique polynomial, corresponding to a handle seen in M, which maps to it. Okay, so this is the inductive hypothesis. Given these two conditions, let's look at what a round in this game looks like. Say we've done T rounds; in round T + 1, the adversary asks a group query, say (h_1, h_2), to simulator M, and the corresponding query, defined by the identification map, to simulator S, and he gets back two handles, one from each. So we have basically four cases here: both handles have been seen already, both are new, or one is new and one has been seen. One of these cases is impossible, two of them still satisfy the inductive hypothesis, and we can show there is only one problematic case: when you get a new handle from the simulator with the Z[a, b] polynomial ring representation, but a handle you've already seen from the simulator with the actual generic group. Right, so then basically this comes down to an algebraic argument.
We can show that the only way this happens is if the adversary finds something non-trivial in the kernel of this evaluation map, and once you get to this step, the rest is a combinatorial calculation. We can apply the same argument to both of the games: the evaluation map I defined here is for the game between S and M, but you can define an analogous evaluation map for the game between M and E, which substitutes independent random values for each entry. So this is a high-level overview of the framework we give for arguing in the generic group model, and I will spare you the combinatorial details. To conclude: we give an obfuscation scheme for this function class, and we're able to prove it secure from something standard, just the generic group model. The construction itself is easy to describe: you compute the Lagrange coefficients outside of the group, and then exponentiate and multiply using the group oracle. We also give this new framework for thinking more formally about generic group arguments, via the simultaneous oracle game, which lets you identify more explicitly when a generic group simulation fails. And thanks for listening.