Hello, I'm Kamil Kluczniak and I'm going to present my recent paper, Lockable Obfuscation from Circularly Insecure Fully Homomorphic Encryption.

So let me start by recalling what is program obfuscation. So suppose we have a C++ program that takes as input some x and outputs a y. Then we have a program called the obfuscator, which is going to take the source program and output an obfuscation. So one crucial thing that we require from the obfuscated program is that it preserves functionality, and this means that on every input, the output should be the same as in the source program. What we require is that the obfuscated program is only polynomially slower than the source program. And finally we have our security guarantee, and this is virtual black box security, which means that even given the obfuscated program, an evaluator can evaluate it, but looking at the code of this program is unable to tell any information on the source program.

So what functions can we obfuscate from standard assumptions right now? One class of functions are point functions. So these are functions that take as input some x and output one only if x is equal to our hard-coded point, yeah, so a point is hard-coded in this program. So for all other inputs that are not equal to this hard-coded point alpha, we are going to return zero. And point functions have received already a lot of attention in the literature and there are constructions from various assumptions. So we have an important class of functions that we know how to obfuscate: conjunctions, sometimes called pattern matching with wildcards. So here again, yeah, we have a lot of research done to obfuscate this sort of functions and we can do this also from various assumptions.

In this paper, we are focusing on lockable obfuscation, and this is obfuscation of so-called compute-and-compare programs. And what are compute-and-compare programs?
So let's say that we have a circuit C, and this can be any polynomial-size circuit, and a compute-and-compare program, given the circuit C and given a lock value, is a program that outputs one if C of x, so C of the input to this program, is equal to the lock value, and in any other situation the compute-and-compare program P is going to output zero. Now we can generalize this a little bit: here, instead of returning one when we hit the lock value, we are going to return a message. And in this paper we are going to show how to obfuscate this class of programs.

So the security property that lockable obfuscation is supposed to guarantee is as follows. Suppose that we have a user and the adversary. So basically the adversary is going to choose a circuit C and the message. And then the user is going to obfuscate the circuit with the message, and it's going to choose a lock value, and this goes into the lockable obfuscation, and the obfuscation is then returned to the adversary. So an important thing to note is that the lock value has to have high entropy, and in particular, for most of the presentation we are going to assume that the lock is chosen from the uniform distribution, independent from the message. And the goal of the adversary is to distinguish between two worlds, where one world is that the obfuscation is generated by the user, and the other world is that the obfuscation is generated by a simulator, where the simulator does not have access to the message or the lock; it also has absolutely zero knowledge about those variables. And yeah, so the adversary is supposed to distinguish between these two worlds.

Lockable obfuscation works only for a very restricted class of functions, yeah, so one may wonder what are the applications of lockable obfuscation. So the first observation is, yeah, that lockable obfuscation actually implies point function obfuscation and conjunction obfuscation.
The important use case here are compilers, so we can use lockable obfuscation to, for example, compile a public key encryption scheme into an anonymous public key encryption scheme. And this means, yeah, that the anonymous public key encryption scheme does not reveal the recipient of a ciphertext, so an adversary given a ciphertext is unable to tell to which public key the ciphertext was sent. Similarly, we can build anonymous identity-based encryption schemes from lockable obfuscation and identity-based encryption schemes. So in this case the ciphertexts do not reveal the identity of the recipient of a ciphertext. Similarly, we can build predicate encryption with one-sided privacy and anonymous broadcast encryption, and finally we know how to build indistinguishability obfuscation for rejecting programs, so these are programs that will always reject every input. And this we can build from lockable obfuscation and witness encryption. And I hope that this is enough for motivation.

So let me say a few words of where lockable obfuscation came from. And the story that is relevant for this paper starts with circular security separations, yeah, so in particular with cycle testers, that were first formalized by Bishop, Hohenberger and Waters. There was earlier work that constructed cycle testers, yeah, but the first formalization was here, and this notion was later continued by a sequence of works that designed cycle testers from provably secure applications of graded encoding schemes, yeah, so in particular from the GGH15 graded encoding scheme. The same technique, yeah, or like a generalization of this technique, was later used by Goyal, Koppula and Waters, and independently by Wichs and Zirdelis, to build lockable obfuscation. So this technique requires us to take a circuit, which is of logarithmic depth, and compile it, represented as a permutation matrix branching program.
And then, using learning with errors, encode this permutation matrix branching program in a very special way to build lockable obfuscation, yeah, so the actual construction is a little bit involved, so I'm not going to go into details. But yes, so this shows us, yeah, that cycle testers, like the graded encoding schemes that were provably secure under learning with errors, were crucial to build lockable obfuscation.

So let me give you what is our base construction, intuitively what is lockable obfuscation, yeah, so if you were supposed to explain the construction on a very high level. Let's say that we have a circuit, yeah, and the first observation is that any obfuscation is a sort of encryption of the circuit, yeah. But it's not like any encryption of the circuit, it is an encryption of the circuit that allows us to still evaluate the circuit, so we are going to use a fully homomorphic encryption to encrypt C. So it allows us to evaluate the circuit on any input x, yeah, and obtain an encryption of C of x. Now, in lockable obfuscation what we still need to be able to do is to test whether the evaluation, whether C of x, yeah, in the encryption, is equal to the lock value or not, yeah, and this is actually the difficult part. Yeah, how to do this testing.

Now again, so what we want to do is, given an encryption of C of x, we need to test whether the encrypted C of x is equal to the lock value or not. And the idea is to use a fully homomorphic encryption scheme that is circularly insecure and, in particular, it is equipped with a cycle tester. So what is important to note is that we require a cycle tester that works even on ciphertexts that came out of the evaluation process, yeah, so these are not necessarily fresh ciphertexts. So yeah, so the cycle tester has to work on any ciphertext that decrypts correctly.
So, let me tell you what actually are the cycle testers. So a cycle tester is an attack on an encryption scheme, yeah, that is able to differentiate between encryptions of zero and encryptions of secret keys, yeah, that form a cycle. So we have encryptions of secret keys, yeah, we have on the left. And yeah, so we have an encryption of secret key two under secret key one, and then we will have an encryption of secret key three under secret key two, and so on and so forth, yeah, until we complete the cycle, yeah, with an encryption of SK one under SK n. And the attack algorithm is able to differentiate between these two situations. And yeah, I'm calling this an attack because previously cycle testers, yeah, they were actually considered as attacks. And the research was focused on constructing such cycle testers to show that CPA security does not imply circular security. And cycle testers were a way to show counterexamples for this implication.

Okay, I'm going to simplify. I'm going to show a lockable obfuscation that uses a one-cycle tester, so in particular it is going to differentiate an encryption of zero and an encryption of its own secret key, yeah, so an encryption of SK under SK.

Now, let's put things together. Our lockable obfuscation is going to consist of an encryption of the circuit C, and an encryption of the secret key SK, but this encryption uses the lock value as a secret key. So we need to evaluate such a lockable obfuscation. So we will first take the encryption of the circuit and evaluate this on the circuit input x. And then as a result here is an encryption of C of x. And, as I noted, yeah, and then the crucial part here is that we are going to take the encryption of C of x, and evaluate the decryption circuit on a, using this as the secret key part, yeah, so eventually we'll get an encryption of a where C of x is treated as the secret key.
Now, note that if C of x is equal to the lock, yeah, then the ciphertext is actually our key-dependent message ciphertext. Otherwise, it is going to be a different ciphertext, and our cycle tester is supposed to be able to differentiate between these.

Now, let me briefly sketch the security proof. Let me remind you that we have our two ciphertexts, C and a, and as a first step, we are going to turn a into an encryption of zero, assuming CPA security of the encryption scheme. Now the second step is, we are going to turn a into a uniformly random value, and here we need to assume pseudorandom ciphertexts, yeah. And we have that from CPA security we cannot get rid of the lock, yeah, so CPA security doesn't say anything, yeah, on whether we can distinguish an encryption under one secret key from an encryption under another secret key. Yeah, so we have to do this assuming pseudorandom ciphertexts. And the last step is to turn the encryption of the circuit C into an encryption of zero, yeah, so in the last hybrid, we have some uniformly random value for a, and an encryption of zero for C, yeah. So both ciphertexts are completely independent of the circuit C and the lock value. So this completes the proof.

Now, in the paper, we actually have another construction that is a little bit more complicated, but it doesn't need to assume pseudorandom ciphertexts, so the whole proof requires only CPA security from the encryption systems.

As I pointed out earlier, what we needed to assume previously for CPA security to work is that the lock value is chosen uniformly at random from the secret key space, yeah, but actually, we can extend the construction to lock values chosen from different distributions. And in particular, I'm going to focus on the unpredictable distribution. So, which is a distribution where we have x and some auxiliary data chosen from this distribution, then an adversary, given the auxiliary data, is unable to output x.
So there are in the literature many papers, yeah, that realize public key encryption and pseudorandom number generators for secret keys chosen from this distribution. So the auxiliary data, yeah, it may be anything, in particular it may be, for example, the circuit, yeah, that we are going to obfuscate.

Now, the second distribution is outside entropy distribution, yeah, so this says, yeah, that when we have x, conditioned on some auxiliary data, its HILL entropy is larger than some polynomial alpha from the security parameter. And here again, we have a ton of literature, yeah, that was concerned with building public key encryption schemes that are secure when the secret key is chosen from such a distribution. And this is in particular the literature that is concerned with leakage resistance, yeah, so we consider some leakage, some non-trivial leakage of information about the secret key.

And the extension that we consider in the paper, yeah, is multiple messages, yeah, so previously I described a very simplified version of the lockable obfuscation where we could only test whether the obfuscated circuit evaluates to the lock value or not, yeah, so that would be one or zero. So we encode, yeah, any message, and then later decode the message from a successfully evaluated lockable obfuscation, so when C of x is equal to the lock value. We are going to publish additionally encryptions of the bits of the message. The evaluation for the most part, yeah, goes exactly the same as it was here for the base construction. But additionally, when we evaluate the other ciphertext to the lock value, then we get our key cycle. So we're going to be able to decode the bits of the message as follows, yeah, so suppose we take the encryption of the first bit, we are multiplying this, yeah, with our potential key cycle. If the message bit was a zero, then we are getting an encryption of zero.
If it was an encryption of one, yeah, then we are getting the encryption of the secret key under the secret key, so we have our key cycle, and our cycle tester is able to again distinguish between the two. So we are going to decode the first bit by bit. So very, very simple idea really.

Now in summary, in the paper we have a generic construction of lockable obfuscation from fully homomorphic encryption equipped with a cycle tester. So as I said earlier, in the presentation I simplified things here and I used only one cycle to describe the scheme. So in the paper we actually have a general construction that uses arbitrarily long cycles of keys. And note, yeah, so let me note that previous literature showed the other way, having lockable obfuscation, so this was one of the applications for lockable obfuscation, yeah, so given lockable obfuscation and an encryption scheme, we can turn it into an encryption scheme with a cycle tester, and this encryption scheme may in particular be a fully homomorphic encryption scheme. So in this work, what I showed you is that given a fully homomorphic encryption scheme equipped with a cycle tester, we get lockable obfuscation, which completes the cycle.

And if you are interested, the paper is available on ePrint. Bye.