 Thank you for the introduction, this is a joint work with Nyo Nishimaki and Keisuke Tanaka. In this work, we focus on constructing indistinguishability of obfuscation, IO based on secret key functional encryption, SKF-E, and we show how to construct IO for all sites, based only on corrosion resistant SKF-E. In this work, we also show that we can construct corrosion resistant SKF-E based on succinct SKF-E that can issue only a single functional key. I will start with what is obfuscation? Obfuscation aims to turn programs intelligible while preserving its functionality. The most natural and intuitive definition of obfuscation is water black box obfuscation or VVB obfuscation for shown. However, it is known that it's impossible to construct VVB obfuscation for all sites. So many works have focused on weaker variant of obfuscation called indistinguishability of obfuscation or IO for short. No impossibility results for IO for all sites is known so far. Although IO is weaker than VVB obfuscation, many works have shown that IO is powerful enough in the sense that we can construct a wide variety of primitives based on IO. However, constructing IO from standard assumptions is still standing as a major open question. All existing constructions of IO are based on marginia maps. Marginia maps are not a standard assumption in the sense that they have been read off study so far. To realize IO from more mild assumptions, it's important to find seemingly weaker primitives in priming IO. Some previous works showed a functional encryption is such a bramble. Next, I will talk about functional encryption. In functional encryption, we can encrypt data using an encryption key similar to the ordinary encryption schemes. In addition, in functional encryption, by using the master secret key, we can generate a functional key that is a decryption key tied to some function f. By decrypting the encrypted data using this functional key, only a whole data is decrypted. Any other information about the data reminds hidden. This is functional encryption. Here if the encryption key and the master secret key are different and we can make the encryption key public, we say that the functional encryption scheme is public key functional encryption or PKFE for short. If the encryption key and the master secret key are the same, we say that the functional encryption scheme is secret key functional encryption or SKFE for short. I will introduce two important properties for functional encryption called succinctness and collusion resistance. This is a property related to the size of ciphertext. We say that functional encryption scheme is succinct. If the size of it ciphertext or the size of its encryption circuit in general depends on the size of functions only sub-linearly, resistance is a property related to the number of securely issuable functional keys. We say that a functional encryption scheme is collusion resistant if it can securely issue a purely unbounded number of functional keys. In this talk, I will also use the term single key scheme to indicate a functional encryption scheme that can securely issue only a single functional key. Kitaski and Vaikun Tanasan and Nansan Jain showed how to construct IO for all circuits based on sub-exponentially secure single key succinct to PKFE. Sub-second works showed we can construct single key succinct PKFE based on collusion resistant SKFE if we additionally assume public key encryption and we can also construct single key succinct PKFE based on single key succinct SKFE if we additionally assume the hardness of LW problem or identity-based encryption. So for these results, we see that the combination of functional encryption with succinctness or collusion resistance and some public key primitive implies IO for all circuits. However, for these results, we have the following natural question, whether we really need public key primitives to construct IO? In other words, is it possible to construct IO based only on secret key primitives? The best candidate that gives an affirmative answer to the question is SKFE. However, Ashraf and Segeff showed some negative answer to the question. Their result can be seen as substantial evidence that SKFE does not imply IO if we use SKFE in a black box way. In the last year, great Komar Godoski and Segeff showed how to construct IO for circuits of polylogalized input based on collusion resistant SKFE. However, it's to open whether we can construct IO for all circuits based on SKFE. The real power of IO appears in the fact that we can transform a secret key primitive into a public key one using IO. So solving the above question is a key advancement to discover the exact requirement for constructing IO. Based on this motivation, we show the following results. We show how to construct IO for all circuits based only on sub-exponentially secure collusion resistant SKFE. Our construction is non-black box, so we can circumvent the impossible result shown by Ashraf and Segeff. And in this work, we also show that we can construct collusion resistant SKFE based only on single key succinct SKFE with collage polynomial security loss. So by these results, we see that if we have functional encryption with succinctness or collusion resistance, even if the functional encryption scheme is SKFE, we can construct IO for all circuits. Hereafter, I will talk about overview of how we construct IO for all circuits based only on collusion resistant SKFE. Our key tool is puncturable SKFE. A puncturable SKFE is SKFE that can generate a punctured master-seq key MSK star that is punctured at two messages, M0 and M1. And it satisfies the following two properties. The first one is the functionality preserving property. It requires that there exists a punctured encryption algorithm PNK that, given the punctured master-seq key MSK star and the message M, output a ciphertext exactly the same as a ciphertext output by the ordinary encryption algorithm if the message M is different from M0 and M1. And the second property is semantic security at punctured points. This requires that the encryptions of M0 and M1 under the ordinary master-seq key are computationally indistinguishable even if the punctured master-seq key MSK star punctured at M0 and M1 is given. Bidanski and Bykin Tannasen showed we can replace succinct PKFE with succinct puncturable SKFE in the construction of IO. However, it has been opened whether we can construct such a primitive or not. In this work, we show how to construct succinct puncturable SKFE based only on collusion resistant SKFE. This construction consists of two steps. In the first step, we construct non-succinct puncturable SKFE based only on one-way function, which is trivially implied by collusion-resistant SKFE. And in the second step, we transform the constructed non-succinct puncturable SKFE into succinct one using SXIO. SXIO is a weaker variant of IO. Informally, SXIO is IO that given a succinct C, an obfuscated version of C whose size is slightly smaller than the truth table of C. And we can construct SXIO based only on collusion-resistant SKFE. So by these two steps, we can construct succinct puncturable SKFE based only on collusion-resistant SKFE. The first step is based on the construction technique proposed by Sahae and Sehari Oburu. They show how to construct non-succinct PKFE based on garble circuit and public key encryption. Based on their construction technique, we show how to construct non-succinct puncturable SKFE based on garble circuit and puncturable pseudo-random function, both of which are implied by one-way function. Intuitively, the functionality preserving property and semantic security at punctured points of the constructed non-succinct SKFE can be proved based on the corresponding properties of the underlining puncturable pseudo-random function. The second step, in the second step, we extend the construction techniques proposed by previous works to transform non-succinct functional encryption into succinct one using SXIO. However, there is a problem in this step. In the transformation from non-succinct functional encryption into succinct one using SXIO, proposed by previous works, a ciphertext output by the encryption algorithm of the succinct scheme is the encryption circuit of the non-succinct scheme of a skated by SXIO. Now we are constructing puncturable SKFE, so we need to define punctured encryption algorithm in addition to the ordinary encryption algorithm. As a naive idea, we can define a ciphertext output by the punctured encryption algorithm of the succinct scheme as the punctured encryption circuit of the non-succinct scheme of a skated by SXIO. By defining so, we can prove that the construction satisfies semantic security at punctured point based on the security of the underlining preemptives and the punctured programming technique proposed by Sahaya Motors. However, this construction does not satisfy the functionality preserving property. The reason is as follows. If the underlining non-succinct scheme satisfies the functionality preserving property, the encryption circuit and the punctured encryption circuit of the non-succinct scheme of a skated by SXIO generates exactly the same ciphertext. However, they are different as objects since they are vacations of different circuits. So this means that the construction does not satisfy functionality preserving property. In fact, as long as we use SXIO, it seems difficult to transform non-succinct scheme into succinct one without using functionality preserving property. So we solve this problem by introducing a weaker version of functionality preserving property. More specifically, we introduce a notion we call indistinguishability of functionality. The ordinary functionality preserving property requires that there exists a punctured encryption algorithm that can generate a ciphertext exactly the same as a ciphertext output by the ordinary encryption circuit. On the other hand, the indistinguishability of functionality requires that there exists a punctured encryption algorithm that can generate a ciphertext which is computationally indistinguishable from a ciphertext output by the ordinary encryption algorithm even if both master-secret key and the punctured master-secret key are given. And SXIO-based construction, I explained in the previous slide, a ciphertext output by the encryption algorithm of the succinct scheme and the punctured encryption algorithm of the succinct scheme are the encryption circuit of the non-succinct scheme and the punctured encryption circuit of the non-succinct scheme overscated by SXIO, respectively. We can prove that they are computationally indistinguishable based on the security of SXIO. And this computational indistinguishability holds even if both master-secret key and punctured master-secret key are given. Intuitively, this is because we can prove this computational indistinguishability based only on the security of SXIO and not the security of the underlining non-succinct scheme. So this means that the SXIO-based construction satisfies indistinguishability or functionality. So overall, we can construct succinct, functional SK-3 that satisfies indistinguishability or functionality based only on collusion-resistant SK-3. So the remaining problem is whether we can construct IO for all circuits based on succinct, functional SK-3 satisfies indistinguishability or functionality. We show this is possible by using more hybrid gains than the security proof of Vytansky and Baikon-Tanasan. Finally, I will review the overview of this security proof. The construction of IO based on puncturable SK-3 is recursive. And in each regressive step, we construct IO for circuits of I plus one bit input based on IO for circuits of IB input plus puncturable SK-3. And in the security proof of each regressive step, there is a step. We replace obfuscated encryption circuit for IB messages of puncturable SK-3 with obfuscated punctual encryption circuit for IB messages of puncturable SK-3. We can make this transition by relying on the security of IO for circuits of IB input if the underlying puncturable SK-3 satisfies the functionality preserving property. However, it is not clear we can make this transition if the underlying puncturable SK-3 satisfies only indistinguishability of functionality. This is because if the underlying puncturable SK-3 satisfies only indistinguishability of functionality, the functionality of encryption circuit might change by this transition. However, even if the underlying puncturable SK-3 satisfies only indistinguishability of functionality, we can make this transition by introducing more hybrid gains. More specifically, we introduce intermediate hybrid games parameterized by K. And in the case additional hybrid game, we overskate an encryption circuit HNK that behaves as the ordinary encryption circuit for input greater than K. And the operation behaves as the punctured encryption circuit for input less than or equals to K. Then roughly speaking, the ordinary encryption circuit is corresponding to HNK 0. And the punctured encryption circuit is corresponding to HNK 2 to the power of i. And for every K from 0 to 2 to the power of i, we can prove that overskated HNK and overskated HNK plus 1 are computationally indistinguishable based on the security of IO for circuits of id input and the indistinguishability of functionality. To construct the hybrid encryption circuit HNK, we need both master circuit key and punctured master circuit key. This is the reason why indistinguishability of functionality needs to hold, even if both master circuit key and punctured master circuit key are given. Due to the additional hybrid games, our security proof incurs additional 2 to the power i security loss compared to the security proof of Bitansky and Byton Tannason. However, we can still cancel this security loss if the underlying parameters are sub-exponentially secure and we can complete the security proof. This is a summary of my talk. In this work, we show how to construct IO for all circuits based only on collusion resistant SKF-E. Our construction is non-black box, so we can circumvent the impossibility results shown by Ashraf and Segev. And in this work, we also show that how to construct a collusion resistant SKF-E based only on single key succinct SKF-E with cash polynomial security loss. That's it, thank you. Questions? On the use of SXIO in your construction, because so you said that SXIO gives you like obfuscation but like slightly weaker obfuscation. The web circuit is still quite big, the obfuscated circuit. So I don't see like how from that you get succinctness. So can you show your like your picture? So your question is how we construct succinct from SKF-E from non succinct to SKF-E? Yes, based on this SXIO because it's not, I mean it's not really succinct. Yeah, I didn't explain what is SXIO. So in detail, SXIO is IO that can generate an obfuscated circuit whose size is slightly smaller than the truth table, its truth table. Yeah, so SXIO has the power to compress circuit compared to the size of truth table. By this power we can achieve succinctness. Okay. Other questions? We have a question. So how hard is it to build a collusion resistance SKF-E? Yes, sorry. How hard is it to build a collusion resistance SKF-E? So your question is... How hard is it to build a collusion resistance SKF-E? I mean, it's as hard as building IO. Yeah, I think it's very difficult. It still needs margining amounts so far.