Abstract
We show general transformations from subexponentially-secure approximate indistinguishability obfuscation (IO) where the obfuscated circuit agrees with the original circuit on a \(1/2+\epsilon \) fraction of inputs on a certain samplable distribution, into exact indistinguishability obfuscation where the obfuscated circuit and the original circuit agree on all inputs. As a step towards our results, which is of independent interest, we also obtain an approximate-to-exact transformation for functional encryption. At the core of our techniques is a method for “fooling” the obfuscator into giving us the correct answer, while preserving the indistinguishability-based security. This is achieved based on various types of secure computation protocols that can be obtained from different standard assumptions.
Put together with the recent results of Canetti, Kalai and Paneth (TCC 2015), Pass and Shelat (TCC 2016), and Mahmoody, Mohammed and Nematihaji (TCC 2016), we show how to convert indistinguishability obfuscation schemes in various ideal models into exact obfuscation schemes in the plain model.
This work was done in part while the authors were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467. First author supported in part by NSF Grants CNS-1350619 and CNS-1414119. Second author supported in part by NSF Grants CNS-1350619 and CNS-1414119, Alfred P. Sloan Research Fellowship, Microsoft Faculty Fellowship, the NEC Corporation, and a Steven and Renee Finn Career Development Chair from MIT.
Keywords
- Indistinguishability Obfuscation (IO)
- Functional Encryption (FE)
- Plain Model
- Distributed Function Evaluation (DSFE)
- Common-reference String
1 Introduction
Program obfuscation, the science of making programs “unintelligible” while preserving functionality, has been a holy grail in cryptography for over a decade. While the most natural and intuitively appealing notion of obfuscation, namely virtual-black-box (VBB) obfuscation [7], was shown to have strong limitations [7, 10, 42], the recent work of Garg, Gentry, Halevi, Raykova, Sahai and Waters [35, 57] opened new doors by demonstrating that the weaker notion of indistinguishability obfuscation (IO) is both very useful and potentially achievable. Since then, a veritable flood of applications has made indistinguishability obfuscation virtually “crypto-complete”.
On the flip side, the tremendous power of IO also begets its reliance on strong and untested computational assumptions. Indeed, it has been a major cryptographic quest to come up with a construction of IO based on well-studied computational assumptions. Garg et al. [35] gave the first candidate construction of IO; however, the construction came as-is, without a security proof. We have recently seen several works [3, 14, 39, 55] that shed light on what a security proof for IO might look like. Pass, Seth and Telang show security of an IO construction based on a “semantic security” assumption on multi-linear maps [33]; Gentry, Lewko, Sahai and Waters [39] (following [40]) show security based on the “multilinear subgroup elimination assumption” on multi-linear maps; Ananth and Jain [3] and Bitansky and Vaikuntanathan [14] show how to construct IO from any functional encryption scheme.
Unfortunately, the first two of these works are based on the mathematical abstraction of multi-linear maps which has had a troubled history so far (with several constructions [19, 28, 29, 34, 36, 38] and matching attacks [25, 27, 34, 45, 49]), and the last two rely on functional encryption with succinct encryption for which the only known constructions, yet again, use multi-linear maps.
Yet another line of work focuses on proving the security of obfuscators in so-called idealized models. In a typical idealized model, both the construction and the adversary have access to an oracle that implements a certain functionality; in the random oracle model [8], this is a random function; in the generic group model [58], this is the functionality of a group; and the most recent entrant to this club, namely the ideal multilinear map model, is an abstraction of the functionality of multilinear maps. Several works [4, 6, 21, 22, 60] along this route prove security of (different) constructions of obfuscation (even in the sense of virtual black-box security) in various ideal multi-linear map models.
An even more recent line of work, initiated by Canetti, Kalai, and Paneth [23], investigates how to transform constructions of obfuscation in idealized models into ones in the plain model, where there are no oracles. Indeed, this may lead to an aesthetically appealing avenue to constructing obfuscation schemes:
1. Construct an obfuscation scheme in an appropriate idealized model.
2. “De-idealize” it: translate the ideal model obfuscation scheme into a scheme in the real world.
Even if eventual constructions of obfuscation schemes do not initially proceed along these lines, we believe that this two-step process is a conceptually appealing route to eventual, mature, constructions of obfuscation schemes. Indeed, constructions in ideal models, while not immediately deployable, typically give us an abstract, high level, understanding.
In more detail, the work of [23] shows that any obfuscator in the random oracle model can be converted to an obfuscator in the plain model with the same security properties. Pass and Shelat [54] and subsequently Mahmoody, Mohammed and Nematihaji [50] extend this to the generic group and ring models respectively, as well as to the ideal multilinear maps model with bounded multi-linearity.
However, the resulting obfuscators suffer from a major drawback: they only have approximate correctness. That is, the plain model obfuscator may err on a polynomially large fraction of inputs (or more generally with some polynomial probability when inputs are taken from a given samplable distribution). Roughly speaking, these results proceed by isolating a list of “heavy oracle queries”, that is, queries that arise in the evaluation of the obfuscated circuit on a large fraction of inputs. Once the (polynomially large set of) heavy queries are identified, the result of the oracle queries on this set is published as part of the obfuscated circuit. This approach will inherently miss the queries made by a rare set of inputs, resulting in an incorrect evaluation.
While these transformations already have interesting consequences (regarding the impossibility of VBB in these idealised models), the lack of correctness presents a serious obstacle towards fulfilling the above two-step plan. Indeed, it is far from clear that applications of IO will work when we only have approximate IO at our disposal. Certainly, one could go through the applications of IO one-by-one, and attempt to re-derive them from approximate IO, but in the absence of automated theorem provers, this seems neither particularly efficient nor aesthetically pleasing. This motivates us to ask:
Can approximate indistinguishability obfuscation be made exact?
In other words, we are asking for “one transformation to rule them all”, a generic way to compile an approximate obfuscation scheme into a perfectly correct obfuscation scheme, automatically enabling us to recover all the applications of IO even given only approximately correct obfuscation.
In this work, we provide exactly such a transformation, under standard additional assumptions. Let us now describe our results in detail.
1.1 Our Results
We say that an obfuscator \({\mathsf {ap}\mathcal {O}}\) is \((\mathcal {X},\alpha )\)-correct for a given input sampler \(\mathcal {X}\) and \(\alpha \in [0,1]\) (which may depend on the security parameter), if it is correct with probability at least \(\alpha \) over inputs sampled by \(\mathcal {X}\). Security is defined as in the standard setting of (exact) indistinguishability obfuscation. We shall refer to such an obfuscator as an approximate indistinguishability obfuscator.
Our main result is that approximate IO with subexponential security for a certain class of samplers can be converted under standard assumptions into almost exact IO where for any circuit, with overwhelming probability over the coins of the obfuscator algorithm the resulting obfuscation is correct on all inputs. We present two routes towards this result based on different assumptions and with different parameters.
Theorem 1.1 (informal). Assuming DDH, there exists an input sampler \(\mathcal {X}_1\) and a transformation that for any \(\alpha \ge \frac{1}{2}+\lambda ^{-O(1)}\), converts any \((\mathcal {X}_1,\alpha )\)-correct sub-exponentially secure IO scheme for \(\mathbf{P}/\mathbf{poly}\) into an almost exact IO scheme for \(\mathbf{P}/\mathbf{poly}\).
Theorem 1.2 (informal). Assuming sub-exponentially-secure puncturable PRFs in \(\text{ NC } ^1\), there exists an input sampler \(\mathcal {X}_2\), polynomial \(\mathrm {poly}_2(\cdot )\), and a transformation that for any \(\alpha \ge 1-\frac{1}{\mathrm {poly}_2(\lambda )}\), converts any \((\mathcal {X}_2,\alpha )\)-correct sub-exponentially-secure IO scheme for \(\mathbf{P}/\mathbf{poly}\) into an almost exact IO scheme for \(\mathbf{P}/\mathbf{poly}\).
Since the works of [23, 50, 54] apply to any efficient sampler \(\mathcal {X}\) and any \(\alpha \) that is polynomially bounded away from 1, we obtain the following main corollary:
Corollary 1.3 (Main Theorems + [23, 50, 54]). Assume that there is an indistinguishability obfuscator in either the random oracle model, the ideal generic group/ring model, or the ideal multilinear maps model with bounded multi-linearity. Then, there is an (almost) exact obfuscator in the plain model.
We note that our theorems result in IO that may still output an erroneous obfuscator, but only with some negligible probability over the coins of the obfuscator alone. This is analogous to the setting of correcting decryption errors in plain public key encryption [31], and as far as we know is sufficient in all applications. In subsequent work [15], we show that under a worst-case complexity assumption typically used in the setting of derandomization, we could transform any such obfuscator to one that is perfectly correct.
We also show how to transform approximate functional encryption into exact functional encryption, where approximate FE is defined analogously to approximate IO with respect to a distribution on the message space and decryption errors. Besides being of independent interest, this transformation will also serve as a building block to obtain the second theorem above.
Theorem 1.4 (informal). Assuming weak PRFs in \(\text{ NC } ^1\), there exists a message sampler \(\mathcal {X}\), a constant \(\eta \), and a transformation that for any \(\alpha \ge 1-\eta \), converts any \((\mathcal {X},\alpha )\)-correct FE scheme for \(\mathbf{P}/\mathbf{poly}\) into an almost exact FE scheme for \(\mathbf{P}/\mathbf{poly}\).
We now proceed to provide an overview of our techniques.
1.2 Overview of Our Techniques
The starting point of our constructions comes from the notion of random self-reducibility [1]. That is, imagine that you have an error-prone algorithm A that computes a (Boolean) function F correctly on a \(1/2+\varepsilon \) fraction of inputs. Suppose that there is an efficient randomizer \(r(\cdot )\) that maps an input x into a random input \(r = r(x)\) such that given F(r), one can efficiently recover F(x). Then, we can turn A into a BPP algorithm for computing F; namely, \(A'(x)=A(r(x))\). The new algorithm computes F correctly for any input with high probability over its own random coins. The probability of error can then be made arbitrarily small using standard amplification (i.e., taking majority of \(\approx \varepsilon ^{-2}\) invocations).
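The random self-reduction plus majority amplification just described, worked through on a function that genuinely is random self-reducible (discrete logarithm in a toy prime-order group), as an added Python illustration that is not part of the paper. The group parameters \(p=1019\), \(q=509\), \(g=4\), the adversarial error set of the oracle A and the random seeds are constructed for this example; A is wrong on a fixed 35% of inputs, the randomizer \(r(y)=y\cdot g^s\) turns that into a 35% error probability over fresh coins for every input, and a majority of \(\approx \varepsilon ^{-2}\) invocations drives the error down.

```python
"""Random self-reduction + majority amplification of an error-prone oracle,
worked on discrete log in a prime-order group.  Added illustration, not code
from the paper; p, q, g, the bad set and the seeds are constructed toy values."""
import math
import random
from collections import Counter

# Toy group: q = 509 is prime, p = 2q + 1 = 1019 is prime, and g = 4 is a
# quadratic residue mod p, so it generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4


def build_dlog_table():
    """The 'ideal' function F: y = g^x  ->  x, tabulated for every y in the group."""
    return {pow(G, x, P): x for x in range(Q)}


DLOG_TABLE = build_dlog_table()  # F(y) = log_g(y), correct on every y


def make_rng(seed):
    """Deterministic coin source so runs are reproducible."""
    return random.Random(seed)


def make_approximate_oracle(error_fraction, seed=1):
    """Return an oracle A that equals F on exactly a (1 - error_fraction)
    fraction of group elements and is wrong on the rest.  The bad set is fixed
    once (adversarial, not re-drawn per call), which is the setting of the text."""
    rng = make_rng(seed)
    bad = set(rng.sample(sorted(DLOG_TABLE), int(error_fraction * Q)))

    def A(y):
        x = DLOG_TABLE[y]
        return (x + 1) % Q if y in bad else x  # deliberately wrong on the bad set

    return A, bad


def randomize(y, s):
    """r(y) = y * g^s maps y = g^x to g^(x+s); uniform over the group when s is
    uniform in Z_q.  Given F(r) = x + s one recovers F(y) = x by subtracting s."""
    return (y * pow(G, s, P)) % P


def self_reduced_query(A, y, rng):
    """A'(y) = A(r(y)) - s: a single randomized call to the faulty oracle."""
    s = rng.randrange(Q)
    return (A(randomize(y, s)) - s) % Q


def corrected_dlog(A, y, eps, delta, rng):
    """Majority vote over N = ceil(ln(1/delta) / (2 eps^2)) runs of A'.
    If each run is right with probability >= 1/2 + eps, Hoeffding's bound says
    the majority is wrong with probability at most delta, for EVERY input y."""
    n = math.ceil(math.log(1 / delta) / (2 * eps ** 2))
    votes = Counter(self_reduced_query(A, y, rng) for _ in range(n))
    return votes.most_common(1)[0][0]


def worst_case_error_rate(A, y, trials, rng):
    """Empirical error probability of one A'(y) call for a fixed input y;
    it matches the bad fraction of A regardless of which y is chosen."""
    x = DLOG_TABLE[y]
    wrong = sum(self_reduced_query(A, y, rng) != x for _ in range(trials))
    return wrong / trials


if __name__ == "__main__":
    A, bad = make_approximate_oracle(0.35)
    y_bad = min(bad)  # an input on which A itself is always wrong
    print("A(y_bad) correct?      ", A(y_bad) == DLOG_TABLE[y_bad])
    print("A'(y_bad) error rate  ~", worst_case_error_rate(A, y_bad, 2000, make_rng(3)))
    print("majority(y_bad) correct?",
          corrected_dlog(A, y_bad, 0.15, 2 ** -20, make_rng(7)) == DLOG_TABLE[y_bad])
```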
In our setting, F is an arbitrary function, which is likely not random self-reducible. Nevertheless, we show how to make the essence of this idea work, using various notions of (two-party and multi-party) non-interactive secure function evaluation (SFE) [9, 37, 59]. Indeed, certain forms of non-interactive SFE (or homomorphic encryption) have been used in several instances in the literature to obtain (sometimes computational) random self-reducibility [5, 11, 12, 26]. The rough idea is that if we can get the obfuscator to homomorphically evaluate a given function on encryptions for some fixed input distribution, then it must also behave correctly with roughly the same probability on encryptions of any arbitrary input. This, however, should be done with care to ensure that homomorphic evaluation does not harm the security of the obfuscator. We next go into more details on how we carry out this agenda.
Our First Construction. Our first construction uses a two-party non-interactive secure function evaluation protocol with security against malicious senders. For simplicity, let us describe this approach in the language of fully homomorphic encryption (FHE). Let \((\mathsf {Enc},\mathsf {Dec},\mathsf {Eval})\) be a (secret-key) FHE scheme (not necessarily compact). (We assume that the randomness of the key generation algorithm acts as the secret key, and avoid explicitly dealing with key generation.)
To exactly obfuscate a circuit C, we use the approximate obfuscator \({\mathsf {ap}\mathcal {O}}\) to obfuscate the circuit \(\mathsf {Eval}_C\) that, given as input an encryption of some x, homomorphically computes an encryption of C(x). Assume that \({\mathsf {ap}\mathcal {O}}(\mathsf {Eval}_C)\) is correct on a \(1/2+\varepsilon \) fraction of encryptions of \(0^n\). The key observation is that semantic security of the encryption scheme means that \({\mathsf {ap}\mathcal {O}}(\mathsf {Eval}_C)\) is also correct on a fraction of encryptions of any x; that is, it outputs \(\mathsf {Eval}_C(\mathsf {Enc}(x)) = \mathsf {Enc}(C(x))\). This gives the required randomizer and can be amplified to give us correctness for every input x.
The problem with this idea is the security of the final obfuscator. Indeed, \(\mathsf {Eval}_C(\mathsf {Enc}(x))\) may reveal information about the circuit C beyond the output C(x). The problem goes even further: since the evaluator in this setting is untrusted, she can try to run the obfuscated circuits with malformed encryptions, potentially making the problem much worse. The solution is to rely on a maliciously function-hiding homomorphic encryption scheme. Such an object can be constructed using Yao’s garbled circuits combined with an oblivious transfer (OT) protocol secure against malicious receivers (such as the Naor-Pinkas protocol based on the DDH assumption [52]). The evaluation procedure, however, is randomized, but can be derandomized with a pseudo-random function.
While the above works perfectly assuming ideal VBB obfuscation, this is not necessarily the case for IO. Nevertheless, we observe that we can use \({\mathsf {ap}\mathcal {O}}\) to obfuscate this (de)randomized circuit using the machinery of probabilistic IO [24]. This allows us to show that indistinguishability obfuscation is maintained, but requires going through an exponential number of hybrids, in turn requiring sub-exponential security from \({\mathsf {ap}\mathcal {O}}\) (and some of the other involved primitives).
Our Second Construction. Our second construction goes through the notion of functional encryption (FE). In a (public-key) FE scheme, the owner of a functional secret key \(\mathsf {FSK}_F\) can “decrypt” a ciphertext \(\mathsf {FE}.\mathsf {Enc}(\mathsf {MPK},m)\) to learn F(m), but should learn nothing else about m. In an approximately correct FE scheme, the decryption algorithm could err on encryptions of certain messages m, but should be correct with probability \(1-\varepsilon \) on messages m drawn from a (sampleable) distribution \(\mathcal {X}\).
We show how to transform an approximately correct FE scheme into an exact FE scheme. Here the main advantage over the setting of approximate IO is that we are only concerned with honestly generated encrypted messages and are not concerned with function hiding. In particular, we can relax the assumptions required for the SFE and rely on (a non-interactive) information-theoretic version of the Ben-Or-Goldwasser-Wigderson multi-party computation protocol for \(\text{ NC } ^1\) [9].
This construction also provides an alternative route for the IO transformation. Concretely, we show that starting from approximate IO, we can first apply the transformation of Garg et al. [35] to obtain approximate FE. For this to work, we need to show how to obtain (almost exact) NIZKs and public-key encryption directly from approximate IO, which are required for the transformation. Then, in the second step, we apply our approximate-to-exact transformation for FE, and finally invoke a transformation from (exact) FE to IO [3, 14]. The latter transformation requires that the size of the encryption circuit of the FE scheme is relatively succinct. In our case, due to the BGW-based SFE, this size grows exponentially in the depth. Fortunately though, in [14], it is shown that this still suffices to obtain IO, assuming also puncturable PRFs in \(\text{ NC } ^1\).
Overall, this leads to a construction of (almost exact) IO from subexponentially-secure approximate IO and subexponentially-secure puncturable PRFs in \(\text{ NC } ^1\) (which in turn can be obtained from standard assumptions such as LWE [16]).
Organization. In Sect. 2, we define the required tools for our transformations, including the forms of SFE that we rely on. In Sect. 3, we describe our first basic transformation from approximate to exact IO. In Sect. 4, we describe our transformation from approximate to exact FE. In Sect. 5, we describe our second transformation for IO, going through our transformation for FE.
2 Preliminaries
The cryptographic definitions in the paper follow the convention of modeling security against non-uniform adversaries. An efficient adversary \(\mathcal {A}\) is modeled as a sequence of circuits \(\mathcal {A}=\left\{ \mathcal {A}_\lambda \right\} _{\lambda \in \mathbb {N}}\), such that each circuit \(\mathcal {A}_\lambda \) is of polynomial size \(\lambda ^{O(1)}\) with \(\lambda ^{O(1)}\) input and output bits. We often omit the subscript \(\lambda \) when it is clear from the context.
When we refer to a randomized algorithm \(\mathcal {A}\), we typically do not explicitly denote its random coins, and use the notation \(s\leftarrow \mathcal {A}\) or \(s\leftarrow \mathcal {A}(x)\) if \(\mathcal {A}\) has an extra input x. When we want to be explicit regarding the coins, we shall denote \(s\leftarrow \mathcal {A}(r)\), or \(s\leftarrow \mathcal {A}(x;r)\), respectively.
Whenever we refer to a circuit class \(\mathcal {C}=\left\{ \mathcal {C}_\lambda \right\} \), we mean that each set \(\mathcal {C}_\lambda \) consists of Boolean circuits of size at most \(\mathrm {poly}(\lambda )\) for some polynomial \(\mathrm {poly}(\cdot )\), defined on the domain \(\{0,1\}^{n(\lambda )}\). When referring to inputs \(x\in \{0,1\}^{n(\lambda )}\), we often omit \(\lambda \) from the notation.
2.1 Non-interactive Secure Function Evaluation
We consider two-message secure function evaluation (SFE) protocols. Typically, such a protocol consists of two parties (A, B) and has the following syntax. Party A is given input x, encrypts x and sends the encrypted input to B. B given as additional input a function f, homomorphically evaluates f on the encrypted x, and returns the result to A, who can then decrypt the result f(x). The protocol is required to ensure input-privacy for A and function privacy for B (on top of correctness).
Definition 2.1 (Secure Function Evaluation). A scheme \(\mathsf {SFE}= (\mathsf {Enc}, \mathsf {Eval}, \mathsf {Dec})\), where \(\mathsf {Enc},\mathsf {Eval}\) are probabilistic and \(\mathsf {Dec}\) is deterministic, is a two-message secure function evaluation protocol for circuit class \(\mathcal {C}=\left\{ \mathcal {C}_\lambda \right\} \), where \(\mathcal {C}_\lambda \) is defined over \(\{0,1\}^{n(\lambda )}\), if the following requirements hold:
- Correctness: for any \(\lambda \in \mathbb {N}\), \(C\in \mathcal {C}_\lambda \) and input \(x\in \{0,1\}^n\) in the domain of C it holds that:
for some negligible \(\nu (\cdot )\), where the probability is over the coin tosses of \(\mathsf {Enc}\) and \(\mathsf {Eval}\).
- Input Hiding: for any polysize distinguisher \(\mathcal {D}\) there exists a negligible function \(\mu (\cdot )\), such that for all \(\lambda \in \mathbb {N}\), and equal size inputs \(x_0,x_1\in \{0,1\}^n\):
where \(\mathsf {CT}_{b}\leftarrow \mathsf {Enc}(x_b)\).
- Malicious Function Hiding: there exists a (possibly inefficient) function \(\mathsf {Ext}\), such that for any polysize distinguisher \(\mathcal {D}\) there exists a negligible function \(\mu (\cdot )\), such that for all \(\lambda \in \mathbb {N}\), maliciously chosen \(\mathsf {CT}^*\), and equal size circuits \(C_0,C_1 \in \mathcal {C}_\lambda \) that agree on \(x=\mathsf {Ext}(\mathsf {CT}^*)\):
where . We say that the scheme is \(\delta \)-function-hiding, for some concrete negligible function \(\delta (\cdot )\), if for all poly-size distinguishers, the above indistinguishability gap \(\mu (\lambda )\) is smaller than \(\delta (\lambda )^{\varOmega (1)}\).
Remark 2.2 (strong function privacy). For our most basic transformation from approximate IO to exact IO, we will require \(2^{-\sigma (\lambda )}\cdot \lambda ^{-\omega (1)}\)-function-hiding, where \(\sigma (\lambda )\) is the size of encryptions in the scheme. Below, we discuss an instantiation, based on the DDH assumption, that has perfect function-hiding, and thus satisfies this requirement.
Distributed Secure Function Evaluation. We will also consider a notion of two-message distributed function evaluation (DSFE). Such a protocol consists of \(k+2\) parties \((A,B_1,\dots ,B_k,C)\) and has the following syntax. Party A, given input x, shares x into k shares and sends the shares to \(B_1,\dots ,B_k\). The parties \(B_1,\dots ,B_k\) given as additional input a function f, homomorphically and non-interactively evaluate f on each share, and send the evaluated shares to C, who can then decrypt and obtain the result f(x).
The protocol is required to ensure that each individual share sent by A in the second message hides all information regarding the input x. We also require that C gains no information on the input, except for the output of the function (formally, we will require an indistinguishability-based guarantee analogous to that of functional encryption.) Furthermore, we will require that correctness holds even if some \(\tau \) fraction of the parties \(B_1,\dots ,B_k\) are faulty.
Definition 2.3 (Distributed Secure Function Evaluation). A scheme \( \mathsf {DSFE}= (\mathsf {Enc}, \mathsf {Eval}, \mathsf {Dec})\), where \(\mathsf {Enc}\) is probabilistic and \(\mathsf {Eval},\mathsf {Dec}\) are deterministic, is a \((k,\tau )\)-secure distributed function evaluation protocol for circuit class \(\mathcal {C}=\left\{ \mathcal {C}_\lambda \right\} \), where \(\mathcal {C}_\lambda \) is defined over \(\{0,1\}^{n}\) for \(n=n(\lambda )\), \(k=k(\lambda )\), and \(\tau =\tau (\lambda )\), if the following requirements hold:
- Correctness in the Presence of Faults: for any \(\lambda \in \mathbb {N}\), \(C\in \mathcal {C}_\lambda \) and input \(x\in \{0,1\}^n\) in the domain of C, any set \(S\subseteq [k]\) of size smaller than \(\tau k\), and functions \(\left\{ \mathsf {Err}_i:i\in S\right\} \) it holds that:
for some negligible \(\nu (\cdot )\), where the probability is over the coin-tosses of \(\mathsf {Enc}\).
- Input Hiding: for any polysize distinguisher \(\mathcal {D}\) there exists a negligible function \(\mu (\cdot )\), such that for all \(\lambda \in \mathbb {N}\), equal size inputs \(x_0,x_1\in \{0,1\}^n\) and any \(i\in [k]\):
where \(\mathsf {CT}_{b,i}\) denotes the i-th ciphertext output by \(\mathsf {Enc}(x_b)\).
- Residual Input Hiding: for any polysize distinguisher \(\mathcal {D}\) there exists a negligible function \(\mu (\cdot )\), such that for all \(\lambda \in \mathbb {N}\), inputs \(x_0,x_1\in \{0,1\}^n\), and circuit \(C \in \mathcal {C}_\lambda \) such that \(C(x_0)=C(x_1)\):
where for \((b,i)\in \{0,1\}\times [k]\), , and .
Remark 2.4 (difference from SFE). There are two main differences from SFE. The first is in security: in the above we do not require any type of function-hiding, but we do require residual input-hiding. The second is in functionality: we allow distributed evaluation (with some resilience to faults). The second difference is not essential, and is considered in order to reduce the underlying computational assumptions. In particular, a (non-distributed) SFE with residual input-hiding implies DSFE with \(k=1,\tau =0\).
Remark 2.5 (deterministic \(\mathsf {Eval}\)). Jumping ahead, we remark that we will use distributed SFE in a setting where the encryptor is always honest. Since we are not requiring any privacy against the encryptor, we may assume w.l.o.g. that \(\mathsf {Eval}\) is deterministic. Indeed, we can always sample any required randomness as part of the encryption process and embed it in the shares \(\mathsf {CT}_1,\dots ,\mathsf {CT}_k\).
Instantiations. We now mention known instantiations of SFE and DSFE schemes, which we can rely on.
SFE. As mentioned above, for our application, we will require rather strong function-hiding. To instantiate the scheme we may rely on the SFE protocol obtained by using the oblivious transfer protocol of Naor and Pinkas [52] that is based on DDH and is secure against unbounded receivers in conjunction with an information-theoretic variant of Yao’s garbled circuit [59] for \(\text{ NC } ^1\) [46]. The resulting SFE scheme is for classes of circuits in \(\text{ NC } ^1\), which will suffice for our purposes. Alternatively, we can use a strong enough computational variant of Yao based on sub-exponential one-way functions, resulting in a construction for all polynomial-size circuits.
More generally, the Naor-Pinkas OT can be replaced with any OT that has statistical function-hiding. In the CRS model, such two-message protocols exist from other standard assumptions as well [56]. While our main transformation is described using SFE in the plain model, it can be naturally extended to the CRS setting (see Remark 3.6).
DSFE. An information-theoretically secure DSFE scheme for circuit classes in \(\text{ NC } ^1\) can be obtained based on a non-interactive variant of the BGW protocol [9] similar to that used in [44]. In the full version of this paper, we outline this variant. In the resulting DSFE scheme, the complexity of encryption does not grow with the size of the circuits evaluated, but does grow exponentially with their maximal depth. As will be discussed later on, this is still good enough in our context to bootstrap functional encryption to indistinguishability obfuscation, as shown in [14].
2.2 Symmetric Encryption
A symmetric encryption scheme consists of a tuple of two PPT algorithms \((\mathsf {Sym.Enc},{\mathsf {Sym.Dec}})\). The encryption algorithm takes as input a symmetric key \(\mathsf {SK}\in \{0,1\}^\lambda \), where \(\lambda \) is the security parameter, and a message \(m\in \{0,1\}^{*}\) of polynomial size in the security parameter, and outputs a ciphertext \(\mathsf {SCT}\). The decryption algorithm takes as input \((\mathsf {SK},\mathsf {SCT})\), and outputs the decrypted message m. For this work, we only require one-time security. The detailed definition is standard and is given in the full version of this paper.
2.3 Puncturable Pseudorandom Functions
We consider a simple case of puncturable pseudo-random functions (\(\mathsf {PRF}\)s) where any \(\mathsf {PRF}\) may be punctured at a single point. The definition is formulated as in [57], and is satisfied by the Goldreich-Goldwasser-Micali PRF construction [18, 20, 41, 47].
Definition 2.6 (Puncturable \(\mathsf {PRF}\)s). Let n, k be polynomially bounded length functions. An efficiently computable family of functions
associated with an efficient (probabilistic) key sampler \(\mathsf {Gen}_{\mathcal {PRF}}\), is a puncturable \(\mathsf {PRF}\) if there exists a poly-time puncturing algorithm \(\mathsf {Punc}\) that takes as input a key \(\mathsf {K}\), and a point \(x^*\), and outputs a punctured key \(\mathsf {K}\{x^*\}\), so that the following conditions are satisfied:
1. Functionality is preserved under puncturing: For every \(x^*\in \{0,1\}^{*}\),
2. Indistinguishability at punctured points: for any polysize distinguisher \(\mathcal {D}\) there exists a negligible function \(\mu (\cdot )\), such that for all \(\lambda \in \mathbb {N}\), and any \(x^*\in \{0,1\}^{*}\),
where \(\mathsf {K}\leftarrow \mathsf {Gen}_{\mathcal {PRF}}(1^\lambda ), \mathsf {K}\{x^*\}=\mathsf {Punc}(\mathsf {K},x^*)\), and \(u \leftarrow \{0,1\}^{\lambda }\). We further say that \(\mathcal {PRF}\) is \(\delta \)-secure, for some concrete negligible function \(\delta (\cdot )\), if for all polysize distinguishers the above indistinguishability gap \(\mu (\lambda )\) is smaller than \(\delta (\lambda )^{\varOmega (1)}\).
Remark 2.7 (uniform output). For some of our constructions, it will be convenient to assume that the PRF family is one-universal; that is, for any fixed x, \(\mathsf{PRF}_{\mathsf {K}}(x)\) is distributed uniformly at random (when \(\mathsf {K}\) is sampled at random). It is not hard to see that such a puncturable PRF can be easily obtained from any puncturable PRF by adding a random string U to the key and XORing U to every output.
3 Correcting Errors in Indistinguishability Obfuscation
In this section, we define approximate IO and show how to transform any approximate IO to (almost) perfectly correct IO, based on SFE.
3.1 Approximate and Exact IO
We start by defining indistinguishability obfuscation (IO) with almost perfect correctness. The definition is formulated as in [7].
Definition 3.1 (Indistinguishability Obfuscation). A \(\text{ PPT } \) algorithm \(\mathcal {O}\) is said to be an indistinguishability obfuscator for a class of circuits \(\mathcal {C}=\left\{ \mathcal {C}_\lambda \right\} \), if it satisfies:
1. Almost Perfect Correctness: for any security parameter \(\lambda \) and \(C\in \mathcal {C}_\lambda \),
2. Indistinguishability: for any polysize distinguisher \(\mathcal {D}\) there exists a negligible function \(\mu (\cdot )\), such that for any two circuits \(C_0,C_1\in \mathcal {C}\) that compute the same function and are of the same size:
where the probability is over the coins of \(\mathcal {D}\) and \(\mathcal {O}\). We further say that \(\mathcal {O}\) is \(\delta \)-secure, for some concrete negligible function \(\delta (\cdot )\), if for all polysize distinguishers the above indistinguishability gap \(\mu (\lambda )\) is smaller than \(\delta (\lambda )^{\varOmega (1)}\).
We now define an approximate notion of correctness that allows the obfuscated circuit to err with some probability over inputs taken from some samplable distribution.
Definition 3.2 (\((\alpha ,\mathcal {X})\)-correct IO). For \(\alpha (\lambda ) \in [0,1]\) and an ensemble of input samplers \(\mathcal {X}=\left\{ \mathcal {X}_\lambda \right\} \), we say that \(\mathcal {O}\) is \((\alpha ,\mathcal {X})\)-correct if instead of (almost) perfect correctness, it satisfies the following relaxed requirement:
1. Approximate Correctness: for any security parameter \(\lambda \), \(C\in \mathcal {C}_\lambda \),
where the probability is also over the coins of \(\mathcal {O}\).
3.2 The Transformation
We now describe a transformation from approximately correct IO to (almost) perfectly correct IO and analyze it. The transformation is based on SFE satisfying a strong function-hiding guarantee. We discuss an instantiation based on standard computational assumptions in Sect. 3.3.
In Sect. 5, we discuss an alternative transformation through functional encryption based on weaker computational assumptions.
A Worst-Case Approximate Obfuscator. The main step of the transformation is to obtain random self-reducibility; that is, to convert an approximate obfuscator \({\mathsf {ap}\mathcal {O}}\), which works reasonably well on average for random inputs taken from an appropriate distribution, into a worst-case approximate obfuscator \(\mathsf {wc}\mathcal {O}\) that, for any (worst-case) input, works well on average over the random coins of the obfuscator alone. Then, in the second step, we invoke standard “BPP amplification”.
Ingredients. In the following, let \(\lambda \) denote a security parameter, let \(\varepsilon <1\) be some constant, \(\eta (\lambda )=\lambda ^{-\varOmega (1)}\) and let \(\mathcal {C}=\left\{ \mathcal {C}_\lambda \right\} \) denote a circuit class. We rely on the following primitives:
- A secure function evaluation scheme \(\mathsf {SFE}\) for \(\mathcal {C}\) that is \(2^{-\omega (\sigma (\lambda )+\log \lambda )}\)-function-hiding, where \(\sigma (\lambda )\) is the length of fresh ciphertexts generated by the encryption algorithm \(\mathsf {Enc}\) for security parameter \(\lambda \) (and inputs of size \(n=n(\lambda )\) in the domain of \(\mathcal {C}_\lambda \)).
- A \(2^{-{\tilde{\lambda }}^\varepsilon }\)-secure puncturable pseudo-random function family \(\mathcal {PRF}\), where the security parameter is \({\tilde{\lambda }}=\omega (\sigma (\lambda )+\log \lambda )^{1/\varepsilon }\).
- A \((\frac{1}{2}+\eta (\lambda ),\mathcal {X})\)-correct, \(2^{-{\tilde{\lambda }}^\varepsilon }\)-secure indistinguishability obfuscator \({\mathsf {ap}\mathcal {O}}\) for \(\overline{\mathcal {C}}\), where the security parameter is \({\tilde{\lambda }}=\omega (\sigma (\lambda )+\log \lambda )^{1/\varepsilon }\). The sampler class \(\mathcal {X}\) depends on \(\mathsf {SFE}\) and the class \(\overline{\mathcal {C}}\) depends on \(\mathsf {SFE}\), \(\mathcal {PRF}\), and \(\mathcal {C}\). Both \(\mathcal {X}\) and \(\overline{\mathcal {C}}\) are specified below as part of the description of the constructed (exact) obfuscator \(\mathcal {O}\).
The Worst-Case Obfuscator \(\mathsf {wc}\mathcal {O}\):
Given a circuit \(C:\{0,1\}^n\rightarrow \{0,1\}\) and security parameter \(\lambda \), the obfuscator \(\mathsf {wc}\mathcal {O}(C,1^\lambda )\)
1. computes a new security parameter \({\tilde{\lambda }}=\omega (\sigma (\lambda )+{\log \lambda })^{1/\varepsilon }\), where \(\sigma (\lambda )\) is the length of ciphertexts as defined above,
2. samples a puncturable PRF seed \(\mathsf {K}\leftarrow \mathsf {Gen}_{\mathcal {PRF}}(1^{\tilde{\lambda }})\),
3. computes the augmented C-evaluation circuit \(C_{\mathsf {K}}\) defined in Fig. 1,
4. outputs an approximate obfuscation .
We next describe how the obfuscation \(\widetilde{C}\) is evaluated on any input x via a randomized procedure.
Randomized Evaluation:
Given an obfuscation \(\widetilde{C}\), an input \(x\in \{0,1\}^n\), and security parameter \(\lambda \):
1. compute \((\mathsf {CT},\mathsf {R}) \leftarrow \mathsf {Enc}(x)\),
2. compute ,
3. output .
The ensemble of samplers \(\mathcal {X}\) consists of samplers \(\mathcal {X}^\mathbf{0}\) that sample encryptions from \(\mathsf {Enc}(0^n)\) whereas the class \(\overline{\mathcal {C}}\) consists of circuits \(C_{\mathsf {K}}\) as defined in Fig. 1.
Proposition 3.3
\(\mathsf {wc}\mathcal {O}\) satisfies:
1. Worst-Case Approximate Correctness: for any \(\lambda \), \(C\in \mathcal {C}_\lambda \), \(x\in \{0,1\}^n\),
where the probability is over the coins of \({\mathsf {ap}\mathcal {O}}\).
2. Indistinguishability: as in Definition 3.1.
The intuition behind the proof is outlined in the introduction. We now turn to the actual proof.
Proof
We first prove that the new obfuscator is worst-case approximately correct, and then prove that it is secure.
Correctness. For any \(\lambda ,n=n(\lambda )\), input \(x\in \{0,1\}^n\), let us denote \(\mathcal {X}^x := \mathsf {Enc}(x)\) a sampler for encryptions of x. Then, by the input-hiding guarantee of \(\mathsf {SFE}\), and the approximate correctness of \({\mathsf {ap}\mathcal {O}}\), we claim that the approximate obfuscation is correct on encryptions of an arbitrary \(x\in \{0,1\}^n\) about as often as on encryptions of \(0^n\). That is, there exists a negligible \(\mu (\lambda )\) such that
where in both of the above \(\mathsf {K}\leftarrow \mathsf {Gen}_{\mathcal {PRF}}(1^{\tilde{\lambda }})\), .
It now follows that decryption is correct with probability noticeably larger than half. Concretely,
where in all of the above \(\mathsf {K}\leftarrow \mathsf {Gen}_{\mathcal {PRF}}(1^{\tilde{\lambda }})\), , and \(\nu (\cdot )\) is some negligible function (corresponding to the negligible decryption error of \(\mathsf {SFE}\)). In the last step, we relied on the fact that for any fixed \(\mathsf {CT}\), \(\mathsf{PRF}_{\mathsf {K}}(\mathsf {CT})\) is distributed uniformly at random (Remark 2.7), and the (almost) perfect correctness of \(\mathsf {SFE}\).
This completes the proof of correctness.
Security Analysis. Consistently with the notation above, for \(\mathsf {K}\leftarrow \mathsf {Gen}_{\mathcal {PRF}}(1^{\tilde{\lambda }})\), and a circuit \(C\in \mathcal {C}_\lambda \), we denote by the corresponding approximate obfuscation of the (derandomized) evaluation circuit. We show that for any polysize distinguisher there exists a negligible \(\mu (\cdot )\), such that for any \(C_0,C_1\in \mathcal {C}_\lambda \) that compute the same function it holds that
Roughly, the above follows from the fact that the output of the two underlying obfuscated circuits on any point \(\mathsf {CT}\in \{0,1\}^{\sigma (\lambda )}\) is indistinguishable even given \(C_0,C_1\). Indeed, because the circuits \(C_0,C_1\) compute the same function, by the function-hiding of \(\mathsf {SFE}\), for any ciphertext \(\mathsf {CT}\in \{0,1\}^{\sigma (\lambda )}\), the evaluated ciphers \(\mathsf {Eval}(\mathsf {CT},C_0)\) and \(\mathsf {Eval}(\mathsf {CT},C_1)\) are indistinguishable. Canetti, Lin, Tessaro, and Vaikuntanathan [24] show that (sub-exponential) IO in conjunction with (sub-exponential) puncturable PRFs are sufficient in this setting, which they formalize via the notion of probabilistic IO. For the sake of completeness, we next sketch the argument.
We consider a sequence of \(2^{\sigma }+1\) hybrids , where we naturally identify integers in \([2^{\sigma }]\) with strings in \(\{0,1\}^{\sigma }\). In \(\mathcal {H}_{\mathsf {CT}}\), we obfuscate a circuit \(\mathbb {C}_{\mathsf {CT}}(\mathsf {CT}')\) that computes \(C_{0,\mathsf {K}}\) for all \(\mathsf {CT}' > \mathsf {CT}\) and \(C_{1,\mathsf {K}}\) for all \(\mathsf {CT}' \le \mathsf {CT}\); the circuit is padded to size \(\ell \) (as in Fig. 1).
We first note that \(\mathbb {C}_{0}\) computes the same function as \(C_{0,\mathsf {K}}\) and that \(\mathbb {C}_{2^{\sigma }}\) computes the same function as \(C_{1,\mathsf {K}}\), and thus by the IO security,
We show that for any \(\mathsf {CT}\in [2^{\sigma }]\),
This follows a standard puncturing argument with respect to the point \(\mathsf {CT}\), consisting of:
- puncturing \(\mathsf{PRF}_{\mathsf {K}}\) at \(\mathsf {CT}\), and hardwiring \(C_{0,\mathsf {K}}(\mathsf {CT})=\mathsf {Eval}(\mathsf {CT},C_0;\mathsf{PRF}_{\mathsf {K}}(\mathsf {CT}))\), which relies on IO security,
- replacing \(\mathsf{PRF}_{\mathsf {K}}(\mathsf {CT})\) with true randomness, which relies on pseudorandomness at punctured points,
- replacing \(\mathsf {Eval}(\mathsf {CT},C_0)\) with \(\mathsf {Eval}(\mathsf {CT},C_1)\), which relies on function hiding,
- reversing the above steps.
Each of the steps induces a loss of \(2^{-{\tilde{\lambda }}^\varepsilon }=2^{-\omega (\sigma (\lambda )+\log \lambda )}\) in the indistinguishability gap.
This completes the security analysis.
The (Almost) Exact Obfuscator \(\mathcal {O}\): to obtain an (almost) exact obfuscator \(\mathcal {O}\) from the worst-case approximate obfuscator we apply standard “BPP amplification”. Such a transformation is given in [48, Appendix B]. For the sake of completeness, we sketch it here.
Obfuscation: Given a circuit \(C:\{0,1\}^n\rightarrow \{0,1\}\) and security parameter \(\lambda \), the obfuscator \(\mathcal {O}(C,1^\lambda )\) outputs \(N=\frac{\omega (n+\lambda )}{\eta ^{2}(\lambda )}\) obfuscations , where \(\widetilde{C}_i \leftarrow \mathsf {wc}\mathcal {O}(C,1^\lambda )\), and N random strings \(r_1,\dots ,r_N\), where \(r_i\leftarrow \{0,1\}^\lambda \).
Evaluation: Given an obfuscation , input \(x\in \{0,1\}^n\), and security parameter \(\lambda \):
1. For \(i \in [N]\), invoke the randomized evaluation procedure for \(\widetilde{C}_i\), for input x, using randomness \(r_i\), store the result \(y_{i}\).
2. Output \(y = \mathsf {majority}(y_{1},\dots ,y_{N})\).
Remark 3.4
(deterministic evaluator). Publishing the random strings \(r_i\) is done to match the usual obfuscation syntax where the evaluation is deterministic. We may also let the evaluator sample this randomness.
Proposition 3.5
\(\mathcal {O}\) is an (almost) perfectly correct indistinguishability obfuscator.
Proof
(Proof Sketch). We show correctness and security.
Correctness. By a Chernoff bound, for large enough \(\lambda \), and any \(x\in \{0,1\}^n\), the probability that the majority value y among all decrypted \(y_1,\dots ,y_N\) is incorrect is bounded by
The required correctness follows by a union bound over all inputs in \(\{0,1\}^n\).
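The following Python simulation is an added example, not code from the paper: it models the worst-case reduction and the BPP amplification of this section on an 8-bit toy circuit. The “SFE” is a one-time-pad masking with no hiding at all (it only models the Enc/Eval/Dec correctness interface), the approximate obfuscator is modelled by a constructed error pattern that is wrong on a 1/4 fraction of uniform inputs (so \(\eta = 1/4\)), and the majority-vote bounds at the end are the Chernoff-type and union bounds used in the proof of Proposition 3.5; the same amplification step applies unchanged to the scheme of Sect. 4.

```python
import math
import random

N_BITS = 8  # toy input length n; every value below is constructed for this example


def toy_circuit(x: int) -> int:
    """A fixed (non-linear) circuit C: {0,1}^8 -> {0,1}; nothing depends on its shape."""
    return ((x * 0x2D) ^ (x >> 3)) & 1


def bad_input(v: int) -> bool:
    """Constructed error pattern of the approximate obfuscator apO: its output is
    wrong exactly when the two top bits of the input are 11, i.e. on a 1/4
    fraction of uniform inputs, so alpha = 3/4 = 1/2 + eta with eta = 1/4."""
    return (v >> (N_BITS - 2)) == 0b11


def approx_obfuscate(f):
    """Model of apO(f): agrees with f everywhere except on bad inputs, where the
    whole output (a bit, or a table of bits) is flipped."""
    def obf(v):
        y = f(v)
        if not bad_input(v):
            return y
        return [b ^ 1 for b in y] if isinstance(y, list) else y ^ 1
    return obf


# Toy SFE: correct, but with no hiding whatsoever; it only models the
# Enc/Eval/Dec interface.  Enc one-time-pads x with a fresh r, so CT = x XOR r
# is uniform whatever x is (the input-hiding fact the reduction rests on).
def sfe_enc(x: int, rng: random.Random):
    r = rng.getrandbits(N_BITS)
    return x ^ r, r  # (CT, R)


def sfe_eval(ct: int, f):
    # The evaluator never sees R: it returns f on every possible unmasking of CT.
    return [f(ct ^ s) for s in range(1 << N_BITS)]


def sfe_dec(r: int, table):
    return table[r]


def direct_evaluate(x: int) -> int:
    """Baseline: apO applied to C itself; fails deterministically on every bad x."""
    return approx_obfuscate(toy_circuit)(x)


def wc_evaluate(x: int, rng: random.Random) -> int:
    """Randomized evaluation of wcO(C): encrypt x, run apO(C_K) on CT, decrypt.
    Correct with probability 3/4 over r for every x, bad inputs included."""
    obf_eval = approx_obfuscate(lambda ct: sfe_eval(ct, toy_circuit))
    ct, r = sfe_enc(x, rng)
    return sfe_dec(r, obf_eval(ct))


def amplified_evaluate(x: int, n_copies: int, rng: random.Random) -> int:
    """BPP amplification: majority over N independent randomized evaluations.
    (The model's apO is deterministic, so the N obfuscations coincide; the
    independence comes from the N fresh pads r_i.)"""
    votes = sum(wc_evaluate(x, rng) for _ in range(n_copies))
    return 1 if 2 * votes > n_copies else 0


def success_rate(evaluate, x: int, trials: int, seed: int = 1) -> float:
    """Fraction of seeded trials in which evaluate(x, rng) returns C(x)."""
    rng = random.Random(seed)
    hits = sum(evaluate(x, rng) == toy_circuit(x) for _ in range(trials))
    return hits / trials


# Parameter choice and the bounds used in the correctness proof.
def copies_needed(n: int, lam: int, eta: float, c: float = 1.0) -> int:
    """N = c (n + lambda) / eta^2; the paper takes the constant c = omega(1)."""
    return math.ceil(c * (n + lam) / eta ** 2)


def hoeffding_bound(n_copies: int, eta: float) -> float:
    """Pr[majority of N votes is wrong] <= exp(-2 N eta^2) when each vote is
    independently correct with probability 1/2 + eta."""
    return math.exp(-2 * n_copies * eta * eta)


def majority_error_exact(n_copies: int, p: float) -> float:
    """Exact binomial tail Pr[at most N/2 of N votes correct] (ties count as
    wrong), summed in log-space so that large N does not underflow."""
    logs = [math.lgamma(n_copies + 1) - math.lgamma(i + 1) - math.lgamma(n_copies - i + 1)
            + i * math.log(p) + (n_copies - i) * math.log(1 - p)
            for i in range(n_copies // 2 + 1)]
    m = max(logs)
    return math.exp(m) * sum(math.exp(v - m) for v in logs)


def union_bound_error(n: int, n_copies: int, eta: float) -> float:
    """Failure probability over all 2^n inputs simultaneously (union bound)."""
    return 2 ** n * hoeffding_bound(n_copies, eta)
```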
Security. The obfuscation consists of N independent copies of worst-case obfuscations \(\widetilde{C}_i \leftarrow \mathsf {wc}\mathcal {O}(C)\), where \(\mathsf {wc}\mathcal {O}\) satisfies indistinguishability. Security thus follows by a standard hybrid argument.
Remark 3.6
(SFE in the CRS model). The above construction can be naturally extended to rely also on non-interactive SFE schemes in the CRS model (rather than the plain model). Indeed, the CRS can be generated by the (honest) obfuscator.
3.3 Instantiating the Scheme
As discussed in Sect. 2.1, we can instantiate the SFE based on the (polynomial) DDH assumption and sub-exponential one-way functions. Sub-exponential one-way functions are also needed here in order to obtain sub-exponentially-secure puncturable PRFs.
We can thus state the following theorem.
Theorem 3.7
Assuming sub-exponentially secure approximate IO for \(\mathbf{P}/\mathbf{poly}\), (polynomial) DDH, and sub-exponentially-secure one-way functions, there exists (almost) perfectly correct IO for \(\mathbf{P}/\mathbf{poly}\).
Alternative instantiations of the above under more computational assumptions [56] can be obtained when extending the scheme to SFE in the CRS model.
4 Correcting Errors in Functional Encryption
In this section, we define approximate FE and show how to transform any approximate FE to (almost) perfectly correct FE, based on DSFE. For the sake of concreteness, we focus on the public-key setting. We also focus on selective-security, which can be generically boosted to adaptive security [2].
4.1 Approximate and Exact FE
We recall the definition of public-key functional encryption (FE) with selective indistinguishability-based security [17, 53], and extend the definition to the case of approximate correctness.
A public-key functional encryption (FE) scheme \(\mathsf {FE}\), for a function class \(\mathcal {F}=\left\{ \mathcal {F}_\lambda \right\} \) (represented by boolean circuits) and message space \(\mathcal {M}=\left\{ \{0,1\}^{n(\lambda )}:\lambda \in \mathbb {N}\right\} \), consists of four PPT algorithms \((\mathsf {FE}.\mathsf {Setup},\) \(\mathsf {FE}.\mathsf {Gen},\) \(\mathsf {FE}.\mathsf {Enc},\) \(\mathsf {FE}.\mathsf {Dec})\) with the following syntax:
- \(\mathsf {FE}.\mathsf {Setup}(1^{\lambda })\): Takes as input a security parameter \(\lambda \) in unary and outputs a (master) public key and a secret key \((\mathsf {MPK},\mathsf {MSK})\).
- \(\mathsf {FE}.\mathsf {Gen}(\mathsf {MSK},f)\): Takes as input a secret key \(\mathsf {MSK}\), a function \(f \in \mathcal {F}_\lambda \) and outputs a functional key \(\mathsf {FSK}_f\).
- \(\mathsf {FE}.\mathsf {Enc}(\mathsf {MPK},M)\): Takes as input a public key \(\mathsf {MPK}\), a message \(M \in \{0,1\}^{n(\lambda )}\) and outputs an encryption of M.
- \(\mathsf {FE}.\mathsf {Dec}(\mathsf {FSK}_f,\mathsf {FCT})\): Takes as input a functional key \(\mathsf {FSK}_f\), a ciphertext \(\mathsf {FCT}\) and outputs \(\widehat{M}\).
We next recall the required security properties as well the common (almost) perfect correctness requirement.
Definition 4.1
(Selectively-Secure Public-key FE). A tuple of PPT algorithms \(\mathsf {FE}=(\mathsf {FE}.\mathsf {Setup},\) \(\mathsf {FE}.\mathsf {Gen},\) \(\mathsf {FE}.\mathsf {Enc},\) \(\mathsf {FE}.\mathsf {Dec})\) is a selectively-secure public-key functional encryption scheme, for function class \(\mathcal {F}=\left\{ \mathcal {F}_\lambda \right\} \), and message space \(\mathcal {M}=\left\{ \{0,1\}^{n(\lambda )}:\lambda \in \mathbb {N}\right\} \), if it satisfies:
1. Almost Perfect Correctness: for every \(\lambda \in \mathbb {N}\), message \(M \in \{0,1\}^{n(\lambda )}\), and function \(f \in \mathcal {F}_\lambda \),
2. Selective-Security: for any polysize adversary \(\mathcal {A}\), there exists a negligible function \(\mu (\lambda )\) such that for any \(\lambda \in \mathbb {N}\), it holds that
where for each \(b \in \{0,1\}\) and \(\lambda \in \mathbb {N}\) the experiment \(\mathsf {Expt}_{\mathcal {A}}^{\mathsf {FE}}(1^{\lambda },b)\), modeled as a game between the challenger and the adversary \(\mathcal {A}\), is defined as follows:
   (a) The adversary submits the challenge message-pair \(M_0,M_1 \in \{0,1\}^{n(\lambda )}\) to the challenger.
   (b) The challenger executes \(\mathsf {FE}.\mathsf {Setup}(1^{\lambda })\) to obtain \((\mathsf {MPK},\mathsf {MSK})\). It then executes \(\mathsf {FE}.\mathsf {Enc}(\mathsf {MPK},M_b)\) to obtain \(\mathsf {FCT}\). The challenger sends \((\mathsf {MPK},\mathsf {FCT})\) to the adversary.
   (c) The adversary submits function queries to the challenger. For any submitted function query \(f\in \mathcal {F}_\lambda \), if \(f(M_0) = f(M_1)\), the challenger generates and sends \(\mathsf {FSK}_f\leftarrow \mathsf {FE}.\mathsf {Gen}(\mathsf {MSK},f)\). In any other case, the challenger aborts.
   (d) The output of the experiment is the output of \(\mathcal {A}\).
We further say that \(\mathsf {FE}\) is \(\delta \)-secure, for some concrete negligible function \(\delta (\cdot )\), if for all polysize adversaries the above indistinguishability gap \(\mu (\lambda )\) is smaller than \(\delta (\lambda )^{\varOmega (1)}\).
We now define an approximate notion of correctness that allows decryption to error with some probability over encryption of messages taken from some given distribution.
Definition 4.2
( \((\alpha ,\mathcal {X})\) -correct FE). For \(\alpha (\lambda )\in [0,1]\) and an ensemble of samplers \(\mathcal {X}=\left\{ \mathcal {X}_\lambda \right\} \) with support \(\mathcal {M}= \left\{ \{0,1\}^{n(\lambda )}:\lambda \in \mathbb {N}\right\} \), we say that \(\mathsf {FE}\) is \((\alpha ,\mathcal {X})\)-correct if instead of (almost) perfect correctness, it satisfies the following relaxed requirement:
1. Approximate Correctness: for every \(\lambda \in \mathbb {N}\), and function \(f \in \mathcal {F}_\lambda \),
4.2 The Transformation
We now describe the transformation from approximately correct FE to (almost) perfectly correct FE and analyze it. The transformation is based on DSFE. We discuss instantiations in Sect. 4.3.
A Worst-Case Approximate FE. As in the case of obfuscation, the main step of the FE transformation is to obtain random self-reducibility; that is, to convert an approximate FE scheme \(\mathsf {ap}{\mathsf {FE}}\), which works reasonably well on average for random messages taken from some appropriate distribution, into a worst-case approximate scheme \(\mathsf {wc}{\mathsf {FE}}\) that, for any (worst-case) message, works well on average over the random coins of the scheme alone. Then, in the second step, we invoke standard “BPP amplification”.
Ingredients. In the following, let \(\lambda \) denote a security parameter, and let \(\mathcal {F}=\left\{ \mathcal {F}_\lambda \right\} \) denote a function class. Consider functions \(k(\lambda )\in \mathbb {N}\), and \(\rho (\lambda ),\eta (\lambda )\in [0,1]\) such that \(\eta =\frac{1}{2}-\sqrt{\rho } \in [\frac{1}{\lambda ^{O(1)}},\frac{1}{2}-\frac{1}{\lambda ^{O(1)}}]\). We rely on the following primitives:
- A \((k,\sqrt{\rho })\)-secure distributed function evaluation scheme \(\mathsf {DSFE}\) for \(\mathcal {F}\). We shall further assume that when encrypting an input, the shares \(\mathsf {CT}_1,\dots ,\mathsf {CT}_k\) all have the same marginal distribution (i.e., \(\mathsf {CT}_i\equiv \mathsf {CT}_j\)).
- A \((1-\rho ,\mathcal {X})\)-correct (single-key, selectively-secure) functional encryption scheme \(\mathsf {ap}{\mathsf {FE}}= (\mathsf {ap}{\mathsf {FE}}.\mathsf {Setup},\) \(\mathsf {ap}{\mathsf {FE}}.\mathsf {Gen},\) \(\mathsf {ap}{\mathsf {FE}}.\mathsf {Enc},\) \(\mathsf {ap}{\mathsf {FE}}.\mathsf {Dec})\) for \(\overline{\mathcal {F}}\). The sampler class \(\mathcal {X}\) depends on \(\mathsf {DSFE}\) and the class \(\overline{\mathcal {F}}\) depends on \(\mathsf {DSFE}\), and \(\mathcal {F}\). Both \(\mathcal {X}\) and \(\overline{\mathcal {F}}\) are specified below as part of the description of the constructed (almost exact) scheme \(\mathsf {FE}\).
- A one-time symmetric key encryption scheme .
The Worst-Case Scheme \(\mathsf {wc}{\mathsf {FE}}\): The scheme \(\mathsf {wc}{\mathsf {FE}}\), for function class \(\mathcal {F}=\left\{ \mathcal {F}_\lambda \right\} \) and message space \(\mathcal {M}=\left\{ \{0,1\}^{n(\lambda )}:\lambda \in \mathbb {N}\right\} \), consists of the algorithms \((\mathsf {wc}{\mathsf {FE}}.\mathsf {Setup},\) \(\mathsf {wc}{\mathsf {FE}}.\mathsf {Gen},\) \(\mathsf {wc}{\mathsf {FE}}.\mathsf {Enc},\) \(\mathsf {wc}{\mathsf {FE}}.\mathsf {Dec})\) defined as follows:
- \(\mathsf {wc}{\mathsf {FE}}.\mathsf {Setup}(1^{\lambda })\): generate \((\mathsf {ap}{\mathsf {MPK}},\mathsf {ap}{\mathsf {MSK}})\leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Setup}(1^{\lambda })\). The public key \(\mathsf {MPK}\) and secret key \(\mathsf {MSK}\) are accordingly set to be the \(\mathsf {ap}{\mathsf {MPK}}\) and \(\mathsf {ap}{\mathsf {MSK}}\).
- \(\mathsf {wc}{\mathsf {FE}}.\mathsf {Gen}(\mathsf {wc}{\mathsf {MSK}},f)\): sample \(\mathsf {SCT}\leftarrow \mathsf {Sym.Enc}(\mathsf {SK},0^{\ell \times k})\), where \(\ell =\ell (\lambda )\) is a polynomial specified in the security analysis, and \(\mathsf {SK}\leftarrow \{0,1\}^\lambda \). Consider the augmented f-evaluation function \(f_{\mathsf {SCT}}\) as defined in Fig. 2. Generate \(\mathsf {ap}{\mathsf {FSK}}_{\mathsf {SCT}} \leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Gen}(\mathsf {ap}{\mathsf {MSK}},f_{\mathsf {SCT}})\). The functional key \(\mathsf {wc}{\mathsf {FSK}}_f\) will consist of the functional key \(\mathsf {ap}{\mathsf {FSK}}_{\mathsf {SCT}}\).
- \(\mathsf {wc}{\mathsf {FE}}.\mathsf {Enc}(\mathsf {wc}{\mathsf {MPK}},M)\):
   1. Compute \((\mathsf {CT}_{1},\dots ,\mathsf {CT}_{k},\mathsf {R}) \leftarrow \mathsf {DSFE}.\mathsf {Enc}(M)\),
   2. For \(j\in [k]\)
      - let \(\mathsf {ap}{M}_{j} = (\mathtt {norm},\mathsf {CT}_{j},\bot ,\bot )\)
      - generate \(\mathsf {ap}{\mathsf {FCT}}_{j} \leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Enc}(\mathsf {ap}{\mathsf {MPK}},\mathsf {ap}{M}_{j})\).
   3. Output \(\mathsf {wc}{\mathsf {FCT}}= \left\{ \mathsf {ap}{\mathsf {FCT}}_{1},\dots ,\mathsf {ap}{\mathsf {FCT}}_{k},\mathsf {R}\right\} \).
- \(\mathsf {wc}{\mathsf {FE}}.\mathsf {Dec}(\mathsf {wc}{\mathsf {FSK}}_f,\mathsf {wc}{\mathsf {FCT}})\):
   1. Parse \(\mathsf {wc}{\mathsf {FSK}}_f= \mathsf {ap}{\mathsf {FSK}}_{\mathsf {SCT}}\) and \(\mathsf {wc}{\mathsf {FCT}}= (\mathsf {ap}{\mathsf {FCT}}_{1},\dots ,\mathsf {ap}{\mathsf {FCT}}_{k},\mathsf {R})\).
   2. for \(j\in [k]\), compute .
   3. output .
The ensemble of samplers \(\mathcal {X}\) consists of samplers \(\mathcal {X}^\mathbf{0}\) that sample FE plaintexts of the form \(\mathsf {ap}{M}=(\mathtt {norm},\mathsf {CT},\bot ,\bot )\) where \(\mathsf {CT}\) is the first of k ciphertext components sampled from \(\mathsf {DSFE}.\mathsf {Enc}(0^n)\), i.e. it is a share of a zero-encryption in the underlying DSFE scheme. The class \(\overline{\mathcal {F}}\) consists of circuits \(f_{\mathsf {SCT}}\) as in Fig. 2.
Proposition 4.3
\(\mathsf {wc}{\mathsf {FE}}\) satisfies:
1. Worst-Case Approximate Correctness: for every \(\lambda \in \mathbb {N}\), function \(f \in \mathcal {F}_\lambda \), and message \(M\in \{0,1\}^n\),
2. Selective Security: as in Definition 4.1.
We now turn to the proof.
Proof
We first prove that the new scheme has worst-case approximate correctness, and then prove that it is selectively secure.
Correctness. For any \(\lambda ,n=n(\lambda )\), message \(M\in \{0,1\}^n\), let us denote \(\mathcal {X}^M\) a sampler for FE plaintexts of the form \(\mathsf {ap}{M}=(\mathtt {norm},\mathsf {CT},\bot ,\bot )\) that is defined just like \(\mathcal {X}^{\mathbf{0}}\) except that \(\mathsf {CT}\) is a share of an encryption of M sampled from \(\mathsf {DSFE}.\mathsf {Enc}(M)\) in the underlying DSFE scheme, rather than a share of an encryption of \(0^n\).
Then, by the input-hiding guarantee of \(\mathsf {DSFE}\), and the approximate correctness of \(\mathsf {ap}{\mathsf {FE}}\), we claim that, for any function \(f\in \mathcal {F}\) and corresponding \(f_{\mathsf {SCT}}\), decryption in \(\mathsf {ap}{\mathsf {FE}}\) is correct on encryptions of an arbitrary \(M\in \{0,1\}^n\) about as often as on encryptions of \(0^n\). That is, there exists a negligible \(\mu (\lambda )\) such that
where \((\mathsf {ap}{\mathsf {MPK}},\mathsf {ap}{\mathsf {MSK}}) \leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Setup}(1^{\lambda })\), \(\mathsf {ap}{\mathsf {FSK}}_{f_{\mathsf {SCT}}}\leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Gen}(\mathsf {ap}{\mathsf {MSK}},\) \(f_{\mathsf {SCT}})\), \(\mathsf {ap}{\mathsf {FCT}}\leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Enc}(\mathsf {ap}{\mathsf {MPK}},\mathsf {ap}{M})\), as defined above in the construction of the exact scheme, and \(\mathsf {ap}{M}=(\mathtt {norm},\mathsf {CT},\bot ,\bot )\).
We now consider alternative samplers that sample \(\mathsf {ap}{M}_j\) just as in the canonical \(\mathcal {X}^M\), except that \(\mathsf {CT}\) is sampled as the jth share of a DSFE encryption of M (rather than the first). Note that by our assumption that the shares \(\mathsf {CT}_1,\dots ,\mathsf {CT}_k \leftarrow \mathsf {DSFE}.\mathsf {Enc}(M)\) have the same marginal distribution, the samplers \(\mathcal {X}^M,\mathcal {X}^M_{1},\dots ,\mathcal {X}^M_{k}\) all sample from the same distribution. In particular, they satisfy the above statement regarding the probability of correct decryption, satisfied by \(\mathcal {X}^M\).
We shall denote by \(\mathcal {X}^M_{j}|\mathsf {CT}_j\) the corresponding sampler conditioned on \(\mathsf {CT}= \mathsf {CT}_j\) for some fixed \(\mathsf {CT}_j\). We now consider the joint sampler \((\mathsf {ap}{M}_1,\dots ,\mathsf {ap}{M}_k)\leftarrow \mathcal {X}^M_{[k]}\) where first shares \((\mathsf {CT}_1,\dots ,\mathsf {CT}_k)\) are sampled from \(\mathsf {DSFE}.\mathsf {Enc}(M)\), and then each \(\mathsf {ap}{M}_j\) is sampled from \(\mathcal {X}_j|\mathsf {CT}_j\). Note that this sampler corresponds to the way that encryption is done in our actual scheme \(\mathsf {wc}{\mathsf {FE}}\) defined above.
Noting that the marginal distribution of each \(\mathsf {ap}{M}_j\) sampled according to \(\mathcal {X}^M_{[k]}\) is the same as \(\mathcal {X}^M_{j}\), it follows that the expected number of successful decryptions for a sample from \(\mathcal {X}^M_{[k]}\) can be lower bounded as follows
where \((\mathsf {ap}{\mathsf {MPK}},\mathsf {ap}{\mathsf {MSK}}) \leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Setup}(1^{\lambda })\), \(\mathsf {ap}{\mathsf {FSK}}_{f_{\mathsf {SCT}}}\leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Gen}(\mathsf {ap}{\mathsf {MSK}},\) \(f_{\mathsf {SCT}})\), \(\mathsf {ap}{\mathsf {FCT}}_j\leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Enc}(\mathsf {ap}{\mathsf {MPK}},\mathsf {ap}{M}_j)\).
It follows by averaging that with probability at least \(1-\sqrt{\rho }-\frac{2\mu }{\sqrt{\rho }}\) the number of successful decryptions as defined above is larger than \(k\cdot (1-\sqrt{\rho })\). In particular, (for large enough \(\lambda \)) the fraction of faults is below the threshold \(\sqrt{\rho }\) allowing to reconstruct \(f_\mathsf {SCT}(\mathsf {ap}{M})\).
Going to our actual encryption scheme \(\mathsf {wc}{\mathsf {FE}}\), we now claim that decryption is correct with probability noticeably larger than half. Concretely,
where in all of the above \((\mathsf {ap}{\mathsf {MPK}},\mathsf {ap}{\mathsf {MSK}}) \leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Setup}(1^{\lambda })\), \(\mathsf {ap}{\mathsf {FSK}}_{f_{\mathsf {SCT}}}\leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Gen}(\mathsf {ap}{\mathsf {MSK}},f_{\mathsf {SCT}})\), \(\mathsf {ap}{M}_j =(\mathtt {norm},\mathsf {CT}_j,\bot ,\bot )\), \(\mathsf {ap}{\mathsf {FCT}}_j\leftarrow \mathsf {ap}{\mathsf {FE}}.\mathsf {Enc}(\mathsf {ap}{\mathsf {MPK}},\mathsf {ap}{M}_j)\), and \(\nu (\cdot )\) is some negligible function (corresponding to the negligible decryption error of \(\mathsf {DSFE}\)).
This completes the proof of correctness.
Security Analysis. We prove the selective security of \(\mathsf {wc}{\mathsf {FE}}\) in a sequence of hybrids, showing that any adversary \(\mathcal {A}\) cannot tell the case that the challenge is an encryption of \(M_0\) from the case that the challenge is an encryption of \(M_1\), for the corresponding \((M_0,M_1)\) of its choice.
\(\mathcal {H}_1\): this corresponds to the usual security game where the challenge is an encryption of \(M_0\).
\(\mathcal {H}_2\): here, when generating a key \(\mathsf {FSK}_f\) for a function f, and accordingly generating an (approximate) key \(\mathsf {ap}{\mathsf {FSK}}_{f_{\mathsf {SCT}}}\) for the function \(f_{\mathsf {SCT}}\), the symmetric ciphertext \(\mathsf {SCT}\) is not an encryption of \(0^{\ell \times k}\) as in the previous hybrid, but rather an encryption of the DSFE evaluation corresponding to the challenge ciphertext. Concretely, consider the generation of the challenge ciphertext \(\mathsf {FCT}^*\):
- :
   1. Compute ,
   2. For \(j\in [k]\)
      - let
      - generate .
   3. Output .
Then \(\mathsf {SCT}\) will now encrypt , where .
Indistinguishability from the previous hybrid follows by the semantic-security of symmetric encryption. (At this point, a corresponding symmetric secret key \(\mathsf {SK}\) is not present – in all encryptions the symmetric-key slot is set to \(\bot \).)
\(\mathcal {H}_3\): here, we change the generation of the challenge ciphertext so as to invoke the trapdoor mode rather than the normal mode. Concretely, for each \(j\in [k]\), we generate \(\mathsf {ap}{M}^*_{j} = (\mathtt {trap},\bot ,\bot ,\mathsf {SK},j)\), where \(\mathsf {SK}\) is the symmetric key corresponding to \(\mathsf {SCT}\).
Indistinguishability from the previous hybrid follows from the security of the underlying scheme \(\mathsf {ap}{\mathsf {FE}}\). Indeed, at this point, for every function f for which a key \(\mathsf {ap}{\mathsf {FSK}}_{f_\mathsf {SCT}}\) was generated,
\(\mathcal {H}_4\): here, we change how the evaluations are generated. Recall that in the previous hybrid , where \(\mathsf {CT}_j^*\) was generated as part of \((\mathsf {CT}^*_{1},\dots ,\mathsf {CT}^*_{k},\mathsf {R}^*) \leftarrow \mathsf {DSFE}.\mathsf {Enc}(M_0)\). Now, instead of encrypting \(M_0\) in the latter we encrypt \(M_1\).
Indistinguishability now follows from the residual input privacy of the underlying \(\mathsf {DSFE}\), since \(f(M_0)=f(M_1)\). (Recall, that this is guaranteed also in the presence of \(\mathsf {R}^*\), provided that \(\mathsf {CT}^*_{1},\dots ,\mathsf {CT}^*_{k}\) are absent from the adversary’s view, which is indeed the case in this hybrid.)
\(\mathcal {H}_5\)–\(\mathcal {H}_8\): symmetrically follow the above hybrids in reverse order, until the usual security game where \(M_1\) is encrypted in the challenge.
This completes the security analysis.
Remark 4.4
(removing the assumption on equally-distributed shares). In the above construction we have assumed that the DSFE shares \(\mathsf {CT}_1,\dots ,\mathsf {CT}_k\) have the same marginal distribution (for which we have also exhibited an instantiation in Sect. 2.1). To remove this assumption, we could have an instance of an approximate FE scheme \(\mathsf {ap}{\mathsf {FE}}_i\) for each i with respect to the corresponding distribution on \(\mathsf {CT}_i\) (whereas in the construction above we relied on one instance of an approximate FE defined with respect to the marginal distribution which was the same for all shares).
The (Almost) Exact Scheme \(\mathsf {FE}\): to obtain an (almost) exact scheme from the worst-case approximate scheme we again apply standard “BPP amplification”. Namely, we consider N parallel copies of the scheme for a large enough N.
Formally, the scheme \(\mathsf {FE}\), for function class \(\mathcal {F}=\left\{ \mathcal {F}_\lambda \right\} \) and message space \(\mathcal {M}=\left\{ \{0,1\}^{n(\lambda )}:\lambda \in \mathbb {N}\right\} \), consists of the algorithms \((\mathsf {FE}.\mathsf {Setup},\) \(\mathsf {FE}.\mathsf {Gen},\) \(\mathsf {FE}.\mathsf {Enc},\) \(\mathsf {FE}.\mathsf {Dec})\) defined as follows:
- \(\mathsf {FE}.\mathsf {Setup}(1^{\lambda })\): let \(N=\frac{\omega (n+\lambda )}{\eta ^{2}}\). For \(i\in [N]\), generate \((\mathsf {wc}{\mathsf {MPK}}_i,\mathsf {wc}{\mathsf {MSK}}_i)\leftarrow \mathsf {wc}{\mathsf {FE}}.\mathsf {Setup}(1^{\lambda })\). The public key \(\mathsf {MPK}\) and secret key \(\mathsf {MSK}\) are accordingly set to be all of the public keys \(\left\{ \mathsf {wc}{\mathsf {MPK}}_i\right\} _{i\in [N]}\) and secret keys \(\left\{ \mathsf {wc}{\mathsf {MSK}}_i\right\} _{i\in [N]}\).
- \(\mathsf {FE}.\mathsf {Gen}(\mathsf {MSK},f)\): For \(i\in [N]\), generate \(\mathsf {wc}{\mathsf {FSK}}_{f,i} \leftarrow \mathsf {wc}{\mathsf {FE}}.\mathsf {Gen}(\mathsf {wc}{\mathsf {MSK}}_i,f)\). The functional key \(\mathsf {FSK}_f\) will consist of the functional keys \(\left\{ \mathsf {wc}{\mathsf {FSK}}_{f,i}\right\} _{i\in [N]}\).
- \(\mathsf {FE}.\mathsf {Enc}(\mathsf {MPK},M)\): For \(i\in [N]\), compute \(\mathsf {wc}{\mathsf {FCT}}_i \leftarrow \mathsf {wc}{\mathsf {FE}}.\mathsf {Enc}(\mathsf {wc}{\mathsf {MPK}}_i,M)\). The ciphertext \(\mathsf {FCT}\) consists of the ciphertexts \((\mathsf {wc}{\mathsf {FCT}}_1,\dots ,\mathsf {wc}{\mathsf {FCT}}_N)\).
- \(\mathsf {FE}.\mathsf {Dec}(\mathsf {FSK}_f,\mathsf {FCT})\):
   1. Parse \(\mathsf {FSK}_f=\left\{ \mathsf {wc}{\mathsf {FSK}}_{f,i}\right\} _{i\in [N]}\) and \(\mathsf {FCT}= \left\{ \mathsf {wc}{\mathsf {FCT}}_{i}\right\} _{i \in [N]}\).
   2. For \(i\in [N]\), compute \(y_i = \mathsf {wc}{\mathsf {FE}}.\mathsf {Dec}(\mathsf {wc}{\mathsf {FSK}}_{f,i},\mathsf {wc}{\mathsf {FCT}}_i)\).
   3. Output \(y = \mathsf {majority}(y_{1},\dots ,y_{N})\).
Proposition 4.5
\(\mathsf {FE}\) is an (almost) perfectly correct selectively-secure functional encryption scheme.
Proof
(Proof Sketch). We show correctness and security.
Correctness. By a Chernoff bound, for large enough \(\lambda \), and message \(M\in \{0,1\}^n\), the probability that the majority value y among all decrypted \(y_1,\dots ,y_N\) is incorrect is bounded by
The required correctness follows by a union bound over all messages in \(\{0,1\}^n\).
Security. The scheme consists of N independent copies of the worst-case scheme that is selectively secure. Security thus follows by a standard hybrid argument.
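The correctness calculation, spelled out as an added derivation that is not part of the paper's proof sketch. It assumes that the worst-case scheme \(\mathsf {wc}{\mathsf {FE}}\) decrypts any fixed message correctly with probability at least \(1/2+\eta \) over the randomness of setup and encryption; this is the reading under which the choice \(N=\omega (n+\lambda )/\eta ^{2}\) is the natural one. Fix \(M\in \{0,1\}^n\) and let \(X_i\in \{0,1\}\) indicate the event \(y_i=f(M)\). The \(X_i\) are independent, since the N copies use independent keys and independent encryption coins, and \(\mathbb {E}[\sum _i X_i]\ge (1/2+\eta )N\). The majority can only be wrong if at most N/2 of the \(y_i\) are correct, so by Hoeffding's inequality

\[\Pr \Big [\mathsf {majority}(y_1,\dots ,y_N)\ne f(M)\Big ] \le \Pr \Big [\sum _{i=1}^{N} X_i \le \tfrac{N}{2}\Big ] \le \Pr \Big [\sum _{i=1}^{N} X_i \le \mathbb {E}\Big [\sum _{i=1}^{N} X_i\Big ]-\eta N\Big ] \le e^{-2\eta ^{2} N} = e^{-\omega (n+\lambda )} \le 2^{-(n+\lambda )}\]

for all large enough \(\lambda \). A union bound over the \(2^{n}\) messages then bounds the probability that some message decrypts incorrectly by \(2^{-\lambda }\).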
4.3 Instantiating the Scheme
As discussed in Sect. 2.1, we can instantiate the DSFE based on an information-theoretic variant of BGW for \(\text{ NC } ^1\), resulting in an FE scheme for \(\text{ NC } ^1\). The scheme can then be generically bootstrapped to \(\mathbf{P}/\mathbf{poly}\) assuming weak PRFs in \(\text{ NC } ^1\) [2].
Theorem 4.6
Assuming approximate FE for \(\mathbf{P}/\mathbf{poly}\) and weak PRFs in \(\text{ NC } ^1\), there exists (almost) perfectly correct FE for \(\mathbf{P}/\mathbf{poly}\).
5 An Alternative Transformation for IO Based on FE
Recall that the transformation from (subexponential) approximate IO to (almost) exact IO described in Sect. 3.2 required SFE with function hiding against malicious receivers, and was instantiated based on (polynomial) DDH and subexponential one-way functions. In this section, we show an alternative transformation based on any subexponential puncturable PRF in \(\text{ NC } ^1\). The transformation is based on a combination of the FE transformation from Sect. 4 and known results from the literature.
The high-level idea consists of three basic steps:
1. Start with a (subexponentially-secure) approximate IO and implement directly (subexponentially-secure) approximate FE with compact ciphertexts by following a construction from the exact IO setting [35].
2. Apply the transformation from approximate FE to obtain exact FE with compact ciphertexts, based on weaker assumptions.
3. Apply the known transformations from compact exact FE to IO [3, 14].
Fulfilling this high-level plan requires some care though. The transformation of Garg et al. [35] from IO to FE naturally extends to the approximate setting, but relies on additional assumptions: (exact) public-key encryption and (exact, or rather complete) NIZKs. While these primitives are known based on exact IO [13, 57], the known constructions do not work in the approximate setting. Nevertheless, we show how these constructions can be extended to imply the exact versions of the primitives (from approximate IO). A second issue that should be addressed is how the approximate FE to exact FE transformation affects the complexity of FE encryption. Indeed, the transformations of [3, 14] require certain succinctness properties. We observe that the transformation, when instantiated with the BGW-based DSFE, satisfies the required compactness, assuming additionally (sub-exponentially-secure) puncturable PRFs in \(\text{ NC } ^1\).
Overall, we prove
Theorem 5.1
Assuming approximate IO for \(\mathbf{P}/\mathbf{poly}\) and puncturable PRFs in \(\text{ NC } ^1\), both with sub-exponential security, there exists (almost) perfectly correct IO for \(\mathbf{P}/\mathbf{poly}\).
We next provide further details.
5.1 Approximate FE from Approximate IO
The starting point for this step is the construction of Garg et al. [35], which obtains FE from IO, PKE, and NIZKs as follows. Each encryption has the form \((e_0,e_1,\pi )\), where \(e_0,e_1\) encrypt a message M under two independent copies of a plain (exact) public-key encryption scheme, and \(\pi \) is a proof, using an (exact) NIZK with statistical simulation-soundness, that \((e_0,e_1)\) are indeed well-formed.
A functional key for a function f is an obfuscation of a circuit \(C_{\mathsf {SK}_0,\mathsf {CRS}}\) that, given \((e_0,e_1,\pi )\):
- verifies the correctness of \(\pi \) with respect to the hardwired common reference string \(\mathsf {CRS}\),
- if the proof is accepting, decrypts \(e_0\) using the hardwired secret key \(\mathsf {SK}_0\) to obtain M,
- and outputs f(M).
It follows readily that if we replace exact IO in this transformation with approximate IO (say while still using exact PKE and NIZKs) the resulting FE scheme would be approximately correct. Concretely, to get \(\alpha \)-correct FE for a message sampler \(\mathcal {X}\), we start with IO that is \(\alpha \)-correct for an input sampler \(\mathcal {X}'\) that samples FE encryptions \((e_0,e_1,\pi )\) of random messages M taken from \(\mathcal {X}\).
In fact, even if we start with \(\alpha \)-correct versions of PKE and NIZKs we would get \(\varOmega (\alpha )\)-correct FE; however, the security of the FE scheme might no longer hold: indeed, the exact correctness of the PKE and NIZK plays an important role in the security proof in [35]. To fill this gap we will show how to obtain exact NIZK and PKE directly from approximate IO. More accurately, we obtain almost exactly correct versions, where the NIZK and PKE are exactly correct with overwhelming probability over the choice of their public parameters (i.e., the common reference string and public keys), which is sufficient for the security proof in [35].
(Almost) Exact PKE. To obtain (almost) exact PKE, we start with the PKE of Sahai and Waters [57] based on exact IO and one-way functions. Here the public key consists of an obfuscation \(\widetilde{C}\) of a circuit \(C_\mathsf {K}\) that given a PRG seed s outputs \(\mathsf{PRF}_{\mathsf {K}}(\mathsf {PRG}(s))\), for an appropriately stretching pseudo-random generator and a puncturable PRF. An encryption of M consists of \((\mathsf {PRG}(s),M\oplus \widetilde{C}(s))\). Replacing exact IO with \(\alpha \)-correct IO in their transformation results in approximate PKE in two senses: (a) the scheme is correct with probability \(\alpha \) over an encryption of any message M; (b) it is weakly semantically secure: the probability of guessing a random encrypted message M can be bounded by \(\beta = 2^{-|M|}+\lambda ^{-\omega (1)} + (1-\alpha )\). Schemes such as the latter can be corrected using techniques from the literature [31, Theorem 4] so long as \(\beta < O(\alpha ^4)\), which holds for constant \(\alpha \) that is sufficiently close to 1.
In the resulting scheme, the probability of a decryption error is over the choice of the public key and the randomness used in encryption. In the same work [31], Dwork, Naor, and Reingold show how to shift the error probability to the choice of the public key alone; namely, to get a scheme where, with overwhelming probability over the choice of keys, there are no decryption errors at all. This is done as follows. Assume the decryption error is bounded by \(2^{-\lambda }\), and that encryption uses \(r(\lambda ) = \lambda ^{O(1)}\) bits of randomness. We publish together with the public key a random string \(R\leftarrow \{0,1\}^r\). Encryption is now done with randomness \(R'=R\oplus \mathsf {PRG}(s)\), where \(\mathsf {PRG}:\{0,1\}^{\lambda /2}\rightarrow \{0,1\}^r\) is a pseudo-random generator and \(s\leftarrow \{0,1\}^{\lambda /2}\) is a random seed. For each fixed seed s the coins \(R\oplus \mathsf {PRG}(s)\) are uniformly distributed over the choice of R, so they cause a decryption error with probability at most \(2^{-\lambda }\); since the PRG is sparse, there are only \(2^{\lambda /2}\) seeds, and a union bound shows that, except with probability \(2^{\lambda /2}\cdot 2^{-\lambda }=2^{-\lambda /2}=2^{-\varOmega (\lambda )}\) over the choice of the keys (including R), there are no decryption errors at all. Semantic security is maintained due to the security of the PRG, which makes \(R'\) computationally indistinguishable from uniform coins.
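The sparsification step above, which is reused later in this section for the NIZK prover's coins and for the FE encryptor's coins, in an added toy-scale example (Python; not code from the paper, and the PRG, the bad set B of error-causing coins and all parameters are constructed here for illustration only). It makes the counting argument concrete: a key R is bad exactly when \(R\oplus \mathsf {PRG}(s)\) lands in B for one of the \(2^{\lambda /2}\) seeds s, so the bad keys are a union of \(2^{\lambda /2}\) translates of B and occupy at most a \(2^{\lambda /2}\cdot 2^{-\lambda }=2^{-\lambda /2}\) fraction of all R, while under every other key no seed whatsoever produces a decryption error.

```python
"""Randomness sparsification (the Dwork-Naor-Reingold step) at toy scale.

Added example, not code from the paper. Coins r' in {0,1}^r cause a decryption
error exactly when r' lies in a 'bad' set B; we construct B with density
2^-lambda, matching the assumption that the decryption error is bounded by
2^-lambda. The sparsified scheme publishes R with the public key and encrypts
with coins R ^ PRG(s) for a short seed s, so only 2^(lambda/2) coin strings are
ever used under a given key.
"""
import hashlib

LAMBDA = 8                      # toy security parameter, small enough to enumerate
SEED_BITS = LAMBDA // 2         # seeds s are lambda/2 bits long
R_BITS = 16                     # r(lambda): coins consumed by one encryption
COIN_MASK = (1 << R_BITS) - 1


def prg(seed: int) -> int:
    """Toy PRG {0,1}^{lambda/2} -> {0,1}^r from SHA-256 (assumption: stands in for
    a real PRG; the argument only uses that it has just 2^{lambda/2} outputs)."""
    digest = hashlib.sha256(b"toy-prg|" + seed.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:4], "big") & COIN_MASK


def bad_coins() -> set:
    """Constructed bad set B: the coins whose top lambda bits are all ones.
    |B| = 2^{r-lambda}, i.e. density 2^-lambda among all r-bit strings."""
    top = ((1 << LAMBDA) - 1) << (R_BITS - LAMBDA)
    return {top | low for low in range(1 << (R_BITS - LAMBDA))}


BAD_COINS = bad_coins()


def bad_coin_density() -> float:
    """Per-encryption error of the unsparsified scheme; the same for every key."""
    return len(BAD_COINS) / (1 << R_BITS)


def bad_keys() -> set:
    """Keys R under which some seed s gives coins R ^ PRG(s) in B.
    R is bad iff R lies in B ^ PRG(s) for some s, so the bad keys are the union
    of 2^{lambda/2} translates of B and number at most 2^{lambda/2} * |B|."""
    outputs = {prg(s) for s in range(1 << SEED_BITS)}
    return {b ^ p for b in BAD_COINS for p in outputs}


def bad_key_fraction() -> float:
    """Probability over R that the sparsified scheme has any decryption error."""
    return len(bad_keys()) / (1 << R_BITS)


def union_bound() -> float:
    """What the counting argument guarantees: 2^{lambda/2} seeds times density 2^-lambda."""
    return (1 << SEED_BITS) * bad_coin_density()


def has_error_for_key(R: int) -> bool:
    """Exhaustive check for one key: does any seed land in B? For a good key the
    answer is no, so every encryption under that key decrypts correctly."""
    return any((R ^ prg(s)) in BAD_COINS for s in range(1 << SEED_BITS))


if __name__ == "__main__":
    print(f"per-encryption error before sparsification: {bad_coin_density():.6f}")
    print(f"fraction of keys with some decryption error after: {bad_key_fraction():.6f}"
          f" (union bound {union_bound():.6f})")
```

The two printed numbers are the whole point: before sparsification every key has a \(2^{-\lambda }\) chance of error on each encryption, whereas afterwards an at most \(2^{-\lambda /2}\) fraction of keys has any error at all and the rest are perfectly correct. The bound is deterministic counting, not an estimate, which is why the same trick transfers unchanged to the NIZK prover and the FE encryptor.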
(Almost) Exact NIZK. Statistical simulation-sound NIZKs can be constructed from any NIZK proof and non-interactive commitment schemes in the common reference string model [35]. The same also holds for the case that the NIZK is almost exact (where the resulting SSS NIZK will also be almost exact). The required commitments can be constructed from one-way functions [51]. We now describe how to obtain the required NIZKs from approximate IO.
Concretely, we examine the NIZK construction of Bitansky and Paneth [13] based on exact IO and one-way functions. In their construction, IO is used to implement invariant signatures [43], which are in turn used to implement the hidden-bit model [32]. Concretely, a verification key \(\mathsf {VK}\) in their scheme consists of an obfuscated circuit \(C_{\mathsf {CRS},\mathsf {K}}\) that given a message \(M\in \{0,1\}^n\), computes \((b,r)\leftarrow \mathsf{PRF}_{\mathsf {K}}(M)\) using a puncturable PRF, and outputs a Naor commitment \(\mathsf {C} =\mathsf {COM}_\mathsf {CRS}(b,r)\), with respect to common reference string \(\mathsf {CRS}\).
Replacing exact IO with \(\alpha \)-correct IO preserves two of the guarantees of the invariant signatures: 1) it is invariant in the sense that for every verification key \(\mathsf {VK}\) and message M, \(\mathsf {C}=\mathsf {VK}(M)\) can be opened to a unique bit b, due to the binding of the commitment; 2) it satisfies pseudorandomness of the unique bit b, since the obfuscator is as secure as in the exact case. However, completeness now holds only with probability \(\alpha \) over random messages M. The implementation of the hidden bit model indeed invokes the invariant signatures for random messages. This leads to a corresponding NIZK with completeness error \((1-\alpha )\cdot \mathrm {poly}(\lambda )\), for some \(\mathrm {poly}\) that depends on the NIZK construction (and soundness error \(2^{-\lambda }\)). Assuming \(\alpha >1-\frac{1}{\lambda \cdot \mathrm {poly}(\lambda )}\), we can then take, say, \(\lambda ^{2}\) independent copies, requiring that the prover succeeds on only a single instance, resulting in a NIZK with completeness error \(2^{-\lambda }\) and soundness error \(\lambda ^2\cdot 2^{-\lambda }\).
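The parameters of the repetition step, worked out as an added derivation that is not from the paper. Write \(\varepsilon \) for the completeness error of one copy and \(\delta =2^{-\lambda }\) for its soundness error. Under the assumption \(\alpha >1-\frac{1}{\lambda \cdot \mathrm {poly}(\lambda )}\),

\[\varepsilon = (1-\alpha )\cdot \mathrm {poly}(\lambda ) < \frac{1}{\lambda \cdot \mathrm {poly}(\lambda )}\cdot \mathrm {poly}(\lambda ) = \frac{1}{\lambda }.\]

Take \(k=\lambda ^{2}\) copies with independent reference strings, let the prover attempt a proof in every copy, and let the verifier accept if at least one copy verifies. Completeness fails only if every copy fails, which for independent copies happens with probability

\[\varepsilon ^{k} < \lambda ^{-\lambda ^{2}} \le 2^{-\lambda } \qquad (\lambda \ge 2),\]

while a false statement is accepted only if some copy accepts it, so by a union bound the soundness error is at most \(k\cdot \delta =\lambda ^{2}\cdot 2^{-\lambda }\). The assumption on \(\alpha \) is what makes \(\varepsilon \) smaller than \(1/\lambda \); with a constant completeness error per copy, \(\varepsilon ^{k}\) would only be \(2^{-O(k)}\), and one would need \(k=\varOmega (\lambda )\) rather than a bound of the form above.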
In the resulting scheme, the completeness error is over the choice of the common-reference string and the randomness used by the prover. As before we can use the technique from [31], to shift the error probability to the choice of the CRS alone by sparsifying the coins used by the prover using a PRG. This transformation still maintains computational zero-knowledge due to the pseudo-randomness of the PRG, and has the same unconditional soundness.
A caveat of the latter transformation is that it can only correct a polynomial fraction \(1-\alpha =\lambda ^{-\varTheta (1)}\) of errors (and not, say, a constant, as in the previous construction). We stress that in the de-idealized constructions of obfuscation [23, 50, 54] the error rate can be made an arbitrarily small polynomial. Thus the implication to constructions of IO with an ideal assisting oracle still holds.
5.2 FE to IO
Exact FE vs Almost Exact FE. The transformations of [3, 14] from FE to IO are naturally described in terms of perfectly correct FE, nevertheless it is easy to verify that they also work starting from FE that is perfectly-correct with overwhelming probability only over the setup phase generating the keys. The resulting IO will be almost perfectly correct.
The almost exact FE given in Sect. 4 can be turned into one that satisfies the above property using again the randomness sparsification technique of [31] described above.
Succinctness. In the previous subsection, we described how to obtain an approximate FE scheme where the complexity of encryption is independent of the circuit and output size of the corresponding functions, as inherited from the exact scheme of [35]. To fulfill our approach we need to make sure that applying our transformation to exact FE still preserves certain succinctness properties required by the transformations in [3, 14]. Concretely, we note that our approximate to exact FE transformation inherits its succinctness from the underlying DSFE scheme. As discussed in Sect. 4.3, using the BGW-based DSFE incurs a \(2^{O(d)}\) overhead in the complexity of encryption, where d is the maximal depth of any circuit in the class, but is otherwise as efficient. Fortunately, Bitansky and Vaikuntanathan [14] show that this is still sufficient for a variant of their transformation from FE to IO, under the additional assumption of sub-exponentially-secure puncturable PRFs in \(\text{ NC } ^1\).
References
Abadi, M., Feigenbaum, J., Kilian, J.: On hiding information from an oracle. J. Comput. Syst. Sci. 39(1), 21–50 (1989)
Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: The trojan method in functional encryption: from selective to adaptive security, generically. IACR Cryptology ePrint Archive 2014, 917 (2014)
Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 308–326. Springer, Heidelberg (2015)
Applebaum, B., Brakerski, Z.: Obfuscating circuits via composite-order graded encoding. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 528–556. Springer, Heidelberg (2015)
Applebaum, B., Ishai, Y., Kushilevitz, E.: Computationally private randomizing polynomials and their applications. Comput. Complex. 15(2), 115–162 (2006)
Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014)
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) CCS 1993, pp. 62–73. ACM, Fairfax (1993)
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, pp. 1–10. Chicago, Illinois, USA, 2–4 May 1988
Bitansky, N., Canetti, R., Cohn, H., Goldwasser, S., Kalai, Y.T., Paneth, O., Rosen, A.: The impossibility of obfuscation with auxiliary input or a universal simulator. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 71–89. Springer, Heidelberg (2014)
Bitansky, N., Goldwasser, S., Jain, A., Paneth, O., Vaikuntanathan, V., Waters, B.: Time-lock puzzles from randomized encodings. IACR Cryptology ePrint Archive 2015, 514 (2015)
Bitansky, N., Paneth, O.: From the impossibility of obfuscation to a new non-black-box simulation technique. In: 53rd Annual IEEE Symposium on Foundations of Computer Science, FOCS 2012, pp. 223–232. New Brunswick, NJ, USA, 20–23 October 2012
Bitansky, N., Paneth, O.: ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 401–427. Springer, Heidelberg (2015)
Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation from functional encryption. In: FOCS (2015)
Bitansky, N., Vaikuntanathan, V.: A note on perfect correctness by derandomization (2015)
Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013)
Boneh, D., Sahai, A., Waters, B.: Functional encryption: a new vision for public-key cryptography. Commun. ACM 55(11), 56–64 (2012)
Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013)
Boneh, D., Wu, D.J., Zimmerman, J.: Immunizing multilinear maps against zeroizing attacks. IACR Cryptology ePrint Archive 2014, 930 (2014)
Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014)
Brakerski, Z., Rothblum, G.N.: Black-box obfuscation for d-CNFs. In: Naor, M. (ed.) Innovations in Theoretical Computer Science, ITCS 2014, pp. 235–250. ACM, Princeton, 12–14 January 2014
Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 1–25. Springer, Heidelberg (2014)
Jager, T.: Verifiable random functions from weaker assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 121–143. Springer, Heidelberg (2015)
Canetti, R., Lin, H., Tessaro, S., Vaikuntanathan, V.: Obfuscation of probabilistic circuits and applications. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 468–497. Springer, Heidelberg (2015)
Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015)
Chung, K.-M., Kalai, Y., Vadhan, S.: Improved delegation of computation using fully homomorphic encryption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 483–501. Springer, Heidelberg (2010)
Coron, J.-S., Gentry, C., Halevi, S., Lepoint, T., Maji, H.K., Miles, E., Raykova, M., Sahai, A., Tibouchi, M.: Zeroizing without low-level zeroes: new MMAP attacks and their limitations. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 247–266. Springer, Heidelberg (2015)
Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013)
Coron, J.-S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 267–286. Springer, Heidelberg (2015)
Dodis, Y., Nielsen, J.B. (eds.): TCC 2015. Security and Cryptology, vol. 9015. Springer, Heidelberg (2015)
Dwork, C., Naor, M., Reingold, O.: Immunizing encryption schemes from decryption errors. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 342–360. Springer, Heidelberg (2004)
Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices and applications. IACR Cryptology ePrint Archive 2012, 610 (2012)
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)
Garg, S., Gentry, C., Halevi, S., Sahai, A., Raykova, M., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS (2013)
Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Fully secure functional encryption without obfuscation. IACR Cryptology ePrint Archive, 2014, 666 (2014)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)
Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015)
Gentry, C., Lewko, A.B., Sahai, A., Waters, B.: Indistinguishability obfuscation from the multilinear subgroup elimination assumption. IACR Cryptology ePrint Archive, 2014, 309 (2014)
Gentry, C., Lewko, A., Waters, B.: Witness encryption from instance independent assumptions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 426–443. Springer, Heidelberg (2014)
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
Goldwasser, S., Kalai, Y.T.: On the impossibility of obfuscation with auxiliary input. In: FOCS, pp. 553–562. IEEE Computer Society (2005)
Goldwasser, S., Ostrovsky, R.: Invariant signatures and non-interactive zero-knowledge proofs are equivalent. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 228–245. Springer, Heidelberg (1993)
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012)
Hu, Y., Jia, H.: Cryptanalysis of GGH map. IACR Cryptology ePrint Archive, 2015, 301 (2015)
Ishai, Y., Kushilevitz, E.: Perfect constant-round secure computation via perfect randomizing polynomials. In: Widmayer, P., Triguero, F., Morales, R., Hennessy, M., Eidenbenz, S., Conejo, R. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 244–256. Springer, Heidelberg (2002)
Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) CCS 2013, pp. 669–684. ACM, New York (2013)
Komargodski, I., Moran, T., Naor, M., Pass, R., Rosen, A., Yogev, E.: One-way functions and (im)perfect obfuscation. In: 55th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2014, pp. 374–383. IEEE Computer Society, Philadelphia, PA, USA, 18–21 October 2014
Lee, H.T., Seo, J.H.: Security analysis of multilinear maps over the integers. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 224–240. Springer, Heidelberg (2014)
Mahmoody, M., Mohammed, A., Nematihaji, S.: More on impossibility of virtual black-box obfuscation in idealized models. In: TCC (2016). http://eprint.iacr.org/
Naor, M.: Bit commitment using pseudorandomness. J. Cryptology 4(2), 151–158 (1991)
Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: SODA, pp. 448–457 (2001)
O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010)
Pass, R., Shelat, A.: Impossibility of VBB obfuscation with ideal constant-degree graded encodings. In: TCC (2016)
Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semantically-secure multilinear encodings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 500–517. Springer, Heidelberg (2014)
Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008)
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) STOC, pp. 475–484. ACM, New York (2014)
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)
Yao, A.C.-C.: How to generate and exchange secrets (extended abstract). In: 27th Annual Symposium on Foundations of Computer Science, pp. 162–167. IEEE Computer Society, Toronto, Canada, 27–29 October 1986
Zimmerman, J.: How to obfuscate programs directly. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 439–467. Springer, Heidelberg (2015)
Acknowledgements
We thank Ilan Komargodski for pointing out [48, Appendix B], and the anonymous TCC reviewers for their comments.
Copyright information
© 2016 International Association for Cryptologic Research
Cite this paper
Bitansky, N., Vaikuntanathan, V. (2016). Indistinguishability Obfuscation: From Approximate to Exact. In: Kushilevitz, E., Malkin, T. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science(), vol 9562. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49096-9_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49095-2
Online ISBN: 978-3-662-49096-9