or conjectures to meet the IO and even proven in idealized models. So in this work we provide some negative results for differing-inputs obfuscation, and one could look at it as making progress towards settling the existence of indistinguishability obfuscation. So let us recall the result by Garg et al. They showed that polynomially secure differing-inputs obfuscation for circuits does not exist if there exists a digital signature scheme and a hash function and some special-purpose obfuscator for these two schemes, the signature scheme and the hash function. So this special-purpose obfuscator is a new assumption that was introduced by Garg et al., and the question is, is it more plausible than diO? And yes, it indeed looks more plausible, and so the conclusion was that differing-inputs obfuscation is implausible. So what we do is we build on the results of Garg et al. and achieve the following claims. First of all, we show that subexponentially secure differing-inputs obfuscation for Turing machines does not exist if subexponentially secure one-way functions exist. So our first theorem actually uses IO in the proof; however, we get this assumption for free when proving the theorem by contradiction, assuming that subexponentially secure diO exists. So now to compare our result with the result of GGHW. Their implausibility result concerns circuits, whereas ours concerns Turing machines, which is weaker. However, their result uses the special-purpose obfuscation assumption, whereas our result uses kind of more concrete assumptions. Moreover, it was previously shown that fully homomorphic encryption along with IO for circuits and SNARKs gives IO for Turing machines. So if you are willing to additionally assume fully homomorphic encryption and SNARKs, then we can lift our negative results from Turing machines to circuits. Then one question one could ask is, well, subexponential assumptions, are they reasonable?
And we believe that yes: when problems are hard, they appear to be subexponentially hard. So now let us recall the construction that was used by Garg et al. to show their implausibility result, and then we will extend it to show our construction. So they construct the generator using a digital signature scheme, a special-purpose obfuscator and a hash function, to generate as outputs two circuits and auxiliary information. In order to show that diO is implausible, they show that whatever obfuscator is used to obfuscate these two circuits, there exists a distinguisher that can distinguish an obfuscation of C0 from an obfuscation of C1. They also argue that it is hard to find an input x on which these two circuits are different. So they define these things in the following way. Circuit C0 always returns zero. Circuit C1 returns one if and only if it takes as input a valid message-signature pair for the verification key that is embedded in the circuits. Circuit C2 takes some obfuscated program as its input. This obfuscated program is C tilde. It hashes it to get the message, it uses an embedded secret key to produce a signature for this message, and it runs this obfuscated circuit C tilde on this valid message-signature pair. So you can see that if you feed an obfuscation of C0 into C2, then it always returns zero, whereas if you feed an obfuscation of C1, it always returns one. And so trivially, you can build a distinguisher that tells apart an obfuscation of C0 from an obfuscation of C1. Now, to argue that it is hard to find an input on which the two circuits are different, Garg et al. assumed that there exists an obfuscator that hides the obfuscated circuit C2 sufficiently well. What does it mean to be sufficiently good? Intuitively, it means that an adversary should not be able to extract the secret key from this circuit, or rather, it should not be helpful to forge any signatures in order to distinguish between circuits C0 and C1.
Moreover, we only want to obfuscate this single circuit C2 for any specific digital signature scheme and hash function of your choice. So in all, it seems that special-purpose obfuscation is more plausible than differing-inputs obfuscation. So now, towards our attack, we make the following changes. Instead of using special-purpose obfuscation, we use indistinguishability obfuscation to produce the auxiliary input. Furthermore, our generator produces Turing machines instead of circuits. Program M1 accepts only messages of a specific length k, where k is a fixed polynomial which is a parameter of our scheme. And Turing machine M2 no longer uses a hash function; it merely produces a signature on the actual Turing machine M tilde that it takes as input. So similar to GGHW, in our case it is still trivial to distinguish an obfuscation of M0 from an obfuscation of M1. However, now the challenging part is proving that it is hard to find an input on which these Turing machines are different. So we do this using a hybrid argument as follows. Our hybrid argument iterates through every single message of length k, and for each of these messages it argues that a polynomial-time adversary is unlikely to produce or forge a valid signature for this message. So hybrid game 0 is the original game, where the adversary can produce any message-signature pair in order to distinguish M0 from M1. Hybrid game 2 to the power k is impossible to win, because it requires the message of length k to be lexicographically larger than k ones. And now every next hybrid game after 0 simply increases the counter of which message is acceptable, that is, for which message the adversary can forge a signature. Now, what we do is we show that a polynomial-time adversary can win any two subsequent hybrid games with a probability difference that is subexponentially small.
And we show that, in fact, there is a way to choose the parameters such that, over the number of games from 0 to 2 to the power k, the probability still remains subexponentially small. So now, in fact, each of the transitions, each of the exponentially many transitions in this hybrid argument, consists of three transitions itself, meaning there are two more games in between. For these games, I need to introduce consistent puncturable signature schemes, which we define and build, and then I will return and show how these transitions happen. So we define consistent puncturable signature schemes, which are signature schemes with the following two properties. First of all, they should be puncturable, meaning that you can take a secret signing key, puncture it at some message m star, and produce a punctured secret key such that it is possible to use the punctured key to sign every message except for m star. The second property that we need is that this signature scheme should be consistent, meaning that whenever you sign a message using the original signing key or the punctured signing key, unless this message is the punctured message, the produced signatures should be the same. Now, for the security level, security requires selective puncturable unforgeability. That means that we consider the following game. A polynomial-time adversary chooses a challenge message m star, and it receives back a verification key and a secret key that is punctured at m star. It is then asked to forge a valid signature for m star. So this construction essentially mimics the idea of puncturable PRFs, and we get it by obfuscating puncturable PRFs; in fact, the construction is the same as the Sahai-Waters signatures. So now, how do we do these three transitions in between every two hybrid games? We use a technique which again mimics the puncturable PRF plus IO technique by Sahai and Waters, where the first transition is by security of IO, the second transition by the digital signature scheme, and the third transition again by IO.
So how we do this is: hybrid game 0 uses auxiliary information that is an obfuscation of M2, whereas when switching to game 0A, we replace circuit M2 by circuit M3. Circuit M3 is functionally equivalent to circuit M2, except that its secret key is punctured, and this punctured input is processed separately in the second line, and so we can use security of IO. Next, going from game 0A to game 0B, we merely change the winning condition of the security game, meaning in this case it would require, rather than the message being any message, that it be at least all zeros with a one at the end. So now security of the digital signature scheme is sufficient here, because in both games the secret key is punctured at the message all zeros. So if an adversary can win one of these games with probability significantly different from the other, then it would be able to break the security of the digital signature scheme. Finally, we simply revert the auxiliary information from an obfuscation of M3 back to an obfuscation of M2. So finally, in order to construct such a generator we have to choose a number of parameters, and a lot of technical details are omitted from this talk; in particular, a big challenge is avoiding circular dependencies between these parameters. So most of the extensions one can attempt lead to introducing circular dependencies, and some examples of the limitations that we have because of this are the following. First, our results only apply to the most general case, when you want to obfuscate Turing machines with unbounded input, whereas if you a priori bound the maximum input length of the Turing machines you obfuscate by some fixed polynomial, then our results no longer apply. And second, Bellare et al. proposed to require that the size of the auxiliary information that is returned by the generator be smaller than the size of each of the programs.
So again, our result does not apply to this case, and this is in contrast to GGHW, who managed to find a workaround for this by assuming a slightly stronger version of special-purpose obfuscation. Yeah, thank you. Questions?

So in your counterexample, you generate a secret key for signing and to generate the two circuits M0 and M1, okay, and then you don't give this secret key to be able to find x such that M0 of x is different from M1 of x, but you give this secret key to be able to distinguish obfuscated M0 and obfuscated M1. So would it be more fair to give the same information to try to find x and to try to distinguish the two obfuscated circuits?

Sorry, could you repeat the last thing you said?

So to distinguish the obfuscated M0 and the obfuscated M1, you need a secret key, but you don't give the secret key to be able to find x such that M0 of x is different from M1 of x.

So you do know the secret key itself, but you need to make sure that, so technically, if the auxiliary information is empty, then finding an input on which these two circuits are different amounts essentially to existential forgery. So we would get it easily by existential forgery of the digital signature scheme. So what we want from obfuscation is that it hides the secret key sufficiently well in some sense. So it doesn't necessarily mean that the adversary wants the secret key itself, but it should not be able to produce the signatures.

Can you give some intuition on why removing the hash function was crucial for using IO?

So you mean the hash function which was used in GGHW and not in our construction. So one reason is to avoid circular dependencies. So in our case we use Turing machines, so it's not as crucial. One more reason that was present in GGHW is that you do not want to see multiple messages that produce the same signature. So you want some kind of unpredictability, because if many messages map to the same signature, it might be possible to use the circuit C2, even if it's perfectly obfuscated, to leak the signature bit by bit, if you have the same signature many times. So like one Turing machine outputs the first bit of the signature, another the second, and if the signature is the same, then it would leak. But the main reason is essentially that after switching to Turing machines, we just don't need this hash function, because we avoid circular dependencies in other ways.

Does your result apply to public-coin diO?

No, it does not apply to public-coin diO, because in public-coin diO you would require all the randomness used to produce the auxiliary information to be public, but in our case we actually care that the secret key that is embedded in C2 remains secret.

Okay, let's thank both speakers in the session.
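The two properties the talk asks of a consistent puncturable signature scheme (puncture the key at m star, sign everything else, and get the same signatures from the original and the punctured key) come from the underlying puncturable PRF. The following Python is an added example, not code from the talk or the paper: a toy GGM-style puncturable PRF over k-bit messages, with HMAC-SHA256 standing in for the two halves of a length-doubling PRG. The talk obtains signatures by obfuscating such a PRF in the Sahai-Waters style, which this example does not attempt; it only demonstrates puncturing and then checks consistency over the whole 2^k message space. The function names, the dictionary key layout and the root seed are all constructed for the example.

```python
import hmac
import hashlib
from typing import Dict, List, Optional, Tuple

# Toy GGM puncturable PRF (added example, not the paper's construction).
# The domain is the set of k-bit messages, matching the talk's
# "messages of a specific length k". HMAC-SHA256 stands in for the
# two halves G_0, G_1 of a length-doubling PRG.


def _prg(seed: bytes, bit: int) -> bytes:
    """G_bit(seed): one half of the length-doubling PRG."""
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()


def _bits(m: int, k: int) -> List[int]:
    """Big-endian bit decomposition of a k-bit message."""
    if not 0 <= m < (1 << k):
        raise ValueError("message is not a k-bit string")
    return [(m >> (k - 1 - i)) & 1 for i in range(k)]


def keygen(k: int, root: bytes = b"constructed-toy-root-seed") -> dict:
    """Full key: the root of the GGM tree over k-bit messages (seed is constructed)."""
    return {"k": k, "root": root}


def evaluate(key: dict, m: int) -> bytes:
    """F(key, m): walk the tree from the root along the bits of m."""
    s = key["root"]
    for b in _bits(m, key["k"]):
        s = _prg(s, b)
    return s


def puncture(key: dict, m_star: int) -> dict:
    """Punctured key: the k sibling nodes along the path to m_star.
    Every leaf except m_star sits below exactly one of those nodes,
    so the punctured key can evaluate everywhere except at m_star."""
    k = key["k"]
    path = _bits(m_star, k)
    nodes: Dict[Tuple[int, ...], bytes] = {}
    s = key["root"]
    for i, b in enumerate(path):
        sibling_prefix = tuple(path[:i]) + (1 - b,)
        nodes[sibling_prefix] = _prg(s, 1 - b)  # keep the branch we leave
        s = _prg(s, b)                           # descend towards m_star
    return {"k": k, "m_star": m_star, "nodes": nodes}


def evaluate_punctured(pkey: dict, m: int) -> Optional[bytes]:
    """F(punctured key, m); returns None exactly when m == m_star."""
    k = pkey["k"]
    bits = _bits(m, k)
    for i in range(k):
        prefix = tuple(bits[: i + 1])
        if prefix in pkey["nodes"]:
            s = pkey["nodes"][prefix]
            for b in bits[i + 1:]:
                s = _prg(s, b)
            return s
    return None


def check_consistency(key: dict, pkey: dict) -> bool:
    """The talk's consistency property, checked over the whole k-bit domain:
    identical outputs on every m != m_star, and no output at m_star."""
    for m in range(1 << key["k"]):
        y = evaluate_punctured(pkey, m)
        if m == pkey["m_star"]:
            if y is not None:
                return False
        elif y != evaluate(key, m):
            return False
    return True


if __name__ == "__main__":
    k = 6
    sk = keygen(k)
    m_star = 0b010110
    pk = puncture(sk, m_star)
    print("consistent on all 2^k messages:", check_consistency(sk, pk))
    print("punctured key at m_star:", evaluate_punctured(pk, m_star))
```

The punctured key is k node seeds rather than 2^k - 1 leaf values, which is what makes the hybrid argument's per-message puncturing affordable; the exhaustive check in check_consistency is only feasible for the small k used here and is there to make the consistency property visible, not part of the scheme.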