Proof Outline for Lemma 7

Proof Intuition The main differences betweenProgandProg-1 is thatProg-1 has the halt-timet∗and the correct outputb∗also hardwired, along with other constants. It outputs⊥for all inputs corresponding tot > t∗. Att∗, it checks if the input passes the verification of accumulator and the verification of signature. If so, it outputsb∗, without decrypting the ciphertext. In order to show thatProgandProg-1 are computationally indistinguishable, we will break this into two big steps. First, we will modify Prog into a programPabort.

Pabort is identical toProg, except that it outputs b∗ if the signature and accumulator verification passes.

The next step is to transformPabortso that it aborts for allt > t∗.

For the first step, our strategy is very similar to the proof of Theorem 6.15_{. For the second step, our} approach is very similar to the approach in the proof of Lemma 6.5. Note that at step t∗, Pabort does

not output an ‘A’ signature. As a result, we can replace the verification key at step t∗+ 1 with a ‘reject’ verification key. Continuing this way, we can ensure that it is fine to output⊥for allt > t∗.

Proof Outline We will first define hybrid experimentsHint, Hint0 andHabort.

HybridHint In this hybrid, the challenger first computes the correct messagemt∗₋₁output at timet∗−1.

Next, it outputs an obfuscation of Pint = Pint{t∗, KE, KA, KB, mt∗₋1} (defined in Figure 40) which has

mt∗₋₁ hardwired. It accepts only ‘A’ type signatures. However, at t = t∗ −1, it checks if the outgoing

message ismt∗₋₁. If so, it outputs an ‘A’ type signature, else it outputs a ‘B’ type signature.

Program Pint

Constants: Turing machineM=hQ,Σtape, δ, q0, qacc, qreji, time boundT, halt-timet∗∈[T], Public param-

eters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keysKE, KA, KB∈ K,

messagemt∗_−1.

Input: Timet∈[T], encrypted symbol and last-write time (ctsym,in,lw), encrypted statectst,in, accumulator

valuewin∈ {0,1}`Acc, Iterator valuevin, signatureσin, accumulator proofπ, auxiliary valueaux.

1. Letpos_in=tmf(t−1) andpos_out=tmf(t).

2. IfVerify-Read(PPAcc, win,(ctsym,in,lw),posin, π) = 0orlw≥toutput⊥.

3. LetrS,A=F(KA, t−1),rS,B =F(KB, t−1). Compute (SKA,VKA,VKA,rej) =Setup-Spl(1λ;rS,A)

and (SKB,VKB,VKB,rej) =Setup-Spl(1λ;rS,B).

4. Letmin= (vin,ctst,in, win,posin).

5. IfVerify-Spl(VKA, min, σin) = 0 output⊥.

6. Let (rlw,1, rlw,2, rlw,3) =F(KE,lw), (pklw,sklw) =Setup-PKE(1

λ

;rlw,1),sym=Dec-PKE(sklw,ctsym,in).

7. Let (rt−1,1, rt−1,2, rt−1,3) = F(KE, t − 1), (pkst,skst) = Setup-PKE(1

λ

, rt−1,1), st =

Dec-PKE(skst,ctst,in).

8. Let (st0,sym0, β) =δ(st,sym).

9. Ifstout=qrejoutput 0, else ifstout=qaccoutput 1.

10. Compute (rt,1, rt,2, rt,3) = F(KE, t), (pk0,sk0) = Setup-PKE(1λ;rt,01), ctsym,out =

Enc-PKE(pk0,sym0;rt,2) andctst,out=Enc-PKE(pk0,st0;rt,3).

11. Computewout=Update(PPAcc, win,(ctsym,out, t),posin, aux). Ifwout=Reject, output⊥.

12. Computevout=Iterate(PPItr, vin,(ctst,in, win,posin)).

13. Let r0S,A = F(KA, t), rS,B0 = F(KB, t). Compute (SK0A,VK

0 A,VK 0 A,rej) ← Setup-Spl(1 λ ;r0S,A), (SK0B,VK 0 B,VK 0 B,rej)←Setup-Spl(1λ;r 0 S,B).

14. Letmout= (vout,ctst,out, wout,posout).

Ift=t∗−1andmout=mt∗−1,σout=Sign-Spl(SK0A, mout).

Else ift=t∗−1andmout6=mt∗_{−1,σout=Sign-Spl(SK}0 B, mout).

Else,σout=Sign-Spl(SK0A, mout).

15. Outputposin,ctsym,out,ctct,out, wout, vout, σout.

Figure 40: ProgramPint

Hybrid H0

int This hybrid is similar to Hint, except that the challenger also computes b∗ = Mb(x) and

outputs an obfuscation of P_int0 =P_int0 {t∗, KE, KA, KB, mt∗₋₁, b∗} (defined in Figure 41). This program is

identical to Pint, except for inputs corresponding to t=t∗. At t=t∗, the program verifies the validity of

signature, and then outputsb∗ (which it has hardwired). It does not decrypt the ciphertexts.

5_{There is a slight difference between the approach here and the one in the proof of Theorem 6.1. There, we allowed the final} program to output ‘B’ type signatures. Here, in order to remove the ‘B’ signatures completely, we use additionalt∗hybrids

Program Pint0

Constants: Turing machineM=hQ,Σtape, δ, q0, qacc, qreji, time boundT, halt-timet∗∈[T], Public param-

eters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keysKE, KA, KB∈ K,

messagemt∗_{−1, bitb}∗_.

Input: Timet∈[T], encrypted symbol and last-write time (ctsym,in,lw), encrypted statectst,in, accumulator

valuewin∈ {0,1}`Acc, Iterator valuevin, signatureσin, accumulator proofπ, auxiliary valueaux.

1. Letpos_in=tmf(t−1) andpos_out=tmf(t).

2. IfVerify-Read(PPAcc, win,(ctsym,in,lw),posin, π) = 0orlw≥toutput⊥.

3. LetrS,A=F(KA, t−1),rS,B =F(KB, t−1). Compute (SKA,VKA,VKA,rej) =Setup-Spl(1λ;rS,A)

and (SKB,VKB,VKB,rej) =Setup-Spl(1λ;rS,B).

4. Letmin= (vin,ctst,in, win,posin).

5. IfVerify-Spl(VKA, min, σin) = 0 output⊥.

6. Ift=t∗outputb∗.

7. Let (rlw,1, rlw,2, rlw,3) =F(KE,lw), (pklw,sklw) =Setup-PKE(1

λ

;rlw,1),sym=Dec-PKE(sklw,ctsym,in).

8. Let (rt−1,1, rt−1,2, rt−1,3) = F(KE, t − 1), (pkst,skst) = Setup-PKE(1

λ_{, r}

t−1,1), st =

Dec-PKE(skst,ctst,in).

9. Let (st0,sym0, β) =δ(st,sym).

10. Ifstout=qrejoutput 0, else ifstout=qaccoutput 1.

11. Compute (rt,1, rt,2, rt,3) = F(KE, t), (pk0,sk0) = Setup-PKE(1λ;rt,01), ctsym,out =

Enc-PKE(pk0,sym0;rt,2) andctst,out=Enc-PKE(pk0,st0;rt,3).

12. Computewout=Update(PPAcc, win,(ctsym,out, t),posin, aux). Ifwout=Reject, output⊥.

13. Computevout=Iterate(PPItr, vin,(ctst,in, win,posin)).

14. Let r0S,A = F(KA, t), rS,B0 = F(KB, t). Compute (SK0A,VK

0 A,VK 0 A,rej) ← Setup-Spl(1 λ ;r0S,A), (SK0B,VK 0 B,VK 0 B,rej)←Setup-Spl(1λ;r 0 S,B).

15. Letmout= (vout,ctst,out, wout,posout).

Ift=t∗−1andmout=mt∗−1,σout=Sign-Spl(SK0A, mout).

Else ift=t∗−1andmout6=mt∗_{−1,σout=Sign-Spl(SK}0_{B, mout).}

Else,σout=Sign-Spl(SK0A, mout).

16. Outputposin,ctsym,out,ctct,out, wout, vout, σout.

Figure 41: ProgramP0

int

Hybrid Habort In this hybrid, the challenger outputs an obfuscation ofPabort{t∗, KA, KE, b∗}(defined in

Figure 42). This program is similar toP_int0 , except that it does not output ‘B’ type signatures.

LetAdvint_A ,Adv0_Aint,Advabort_A be the advantages of an adversaryAinHint,Hint0 andHabort respectively.

RecallAdv0_AandAdv1_AdenoteA’s advantage inHyb0andHyb1respectively.

Lemma B.1. AssumingiOis a secure indistinguishability obfuscator,F is a selectively secure puncturable PRF, Itr is an iterator satisfying Definitions 3.1 and 3.2, Acc is an accumulator satisfying Definitions 4.1, 4.2, 4.3 and 4.4, S is a splittable signature scheme satisfying security Definitions 5.1, 5.2, 5.3 and 5.4, |Adv0_A−Advint_A | ≤negl(λ).

Proof. The proof of this lemma is very similar to the proof of Theorem 6.1. Therefore, in this section, we

will give outline of the proof, consisting of the outer hybrids, and refer to proof of Theorem 6.1. We will first define intermediate hybridsH0, H1 andH2,j, H20,j for 0≤j < t∗.

Hybrid H0 The challenger outputsP0=Prog{t∗,KE,KA}.

Hybrid H1 The challenger outputsP1=P1{t∗, KE,KA, KB} (defined in Figure 43). This is similar to

Prog-1 defined in Figure 18. This program has PRF keyKB hardwired and accepts both ‘A’ and ‘B’ type

signatures fort < t∗. If the incoming signature is of typeα, then so is the outgoing signature.

ProgramPabort

Constants: Turing machineM=hQ,Σtape, δ, q0, qacc, qreji, time boundT, halt-timet∗∈[T], Public param-

eters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keysKE, KA∈ K, bitb∗.

Input: Timet∈[T], encrypted symbol and last-write time (ctsym,in,lw), encrypted statectst,in, accumulator

valuewin∈ {0,1}`Acc, Iterator valuevin, signatureσin, accumulator proofπ, auxiliary valueaux.

1. Letposin=tmf(t−1) andposout=tmf(t).

2. IfVerify-Read(PPAcc, win,(ctsym,in,lw),posin, π) = 0orlw≥toutput⊥.

3. LetrS,A=F(KA, t−1). Compute (SKA,VKA,VKA,rej) =Setup-Spl(1λ;rS,A).

4. Letmin= (vin,ctst,in, win,posin).

5. IfVerify-Spl(VKA, min, σin) = 0 output⊥.

6. Ift=t∗outputb∗.

7. Let (rlw,1, rlw,2, rlw,3) =F(KE,lw), (pklw,sklw) =Setup-PKE(1

λ

;rlw,1),sym=Dec-PKE(sklw,ctsym,in).

8. Let (rt−1,1, rt−1,2, rt−1,3) = F(KE, t − 1), (pkst,skst) = Setup-PKE(1

λ

, rt−1,1), st =

Dec-PKE(skst,ctst,in).

9. Let (st0,sym0, β) =δ(st,sym).

10. Ifstout=qrejoutput 0, else ifstout=qaccoutput 1.

11. Compute (rt,1, rt,2, rt,3) = F(KE, t), (pk0,sk0) = Setup-PKE(1λ;rt,01), ctsym,out =

Enc-PKE(pk0,sym0;rt,2) andctst,out=Enc-PKE(pk0,st0;rt,3).

12. Computewout=Update(PPAcc, win,(ctsym,out, t),posin, aux). Ifwout=Reject, output⊥.

13. Computevout=Iterate(PPItr, vin,(ctst,in, win,posin)).

14. LetrS,A0 =F(KA, t). Compute (SK0A,VK

0 A,VK 0 A,rej)←Setup-Spl(1λ;r 0 S,A).

15. Letmout= (vout,ctst,out, wout,posout). σout=Sign-Spl(SK0A, mout).

16. Outputposin,ctsym,out,ctct,out, wout, vout, σout.

Figure 42: ProgramPabort

Next, we define 2t∗ intermediate circuits -P2,j, P20,j for 0≤j ≤t∗−1. These programs are analogous to

Prog-2-iandProg0-2-iin the proof of Theorem 6.1.

Hybrid H2,j In this hybrid, the challenger outputs an obfuscation ofP2,j =P2,j{j, t∗, KE, KA, KB, mj}.

This circuit, defined in Figure 44, accepts ‘B’ type signatures only for inputs corresponding toj+ 1≤t≤

t∗−1. It also has the correct output message for step j-mj hardwired. If an input hasj+ 1≤t≤t∗−1,

then the output signature, if any, is of the same type as the incoming signature. If t = j, the program outputs an ‘A’ type signature ifmout =mj, else it outputs a ‘B’ type signature.

Hybrid H₂0_,j In this hybrid, the challenger outputs an obfuscation ofP₂0_,j =P₂0_,j{j, t∗, KE, KA, KB, mj}.

This circuit, defined in Figure 45, accepts ‘B’ type signatures only for inputs corresponding toj+ 2≤t≤

t∗_{−1. It also has the correct input message for step j+ 1 - m}

j hardwired. Ift =j+ 1 and min =mj it

outputs an ‘A’ type signature, else it outputs a ‘B’ type signature. If an input hasj+ 2≤t≤t∗−1, then the output signature, if any, is of the same type as the incoming signature.

Analysis

Claim B.1. AssumingiOis a secure indistinguishability obfuscator,F is a secure puncturable PRF andS is a splittable signature scheme satisfying Definition 5.1, for any PPT adversaryA,|Adv0_A−Adv1_A| ≤negl(λ).

The proof of this claim is similar to the proof of Lemma 6.1.

Claim B.2. AssumingiO is a secure indistinguishability obfuscator, for any PPT adversary A, |Adv1_A−

Adv2_A| ≤negl(λ).

P1

Constants: i, Turing machine M = hQ,Σtape, δ, q0, qacc, qreji, time bound T, halt-time t∗ ≤ T, Pub-

lic parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys

KE, KA, KB∈ K, outputb∗.

Input: Timet∈[T], encrypted symbol and last-write time (ctsym,in,lw), encrypted statectst,in, accumulator

valuewin∈ {0,1}`Acc, Iterator valuevin, signatureσin, accumulator proofπ, auxiliary valueaux.

1. Ift > t∗, output⊥.

2. Letpos_in=tmf(t−1) andpos_out=tmf(t).

3. IfVerify-Read(PPAcc, win,(ctsym,in,lw),posin, π) = 0orlw≥toutput⊥.

4. LetF(KA, t−1) =rS,A. Compute (SKA,VKA,VKA,rej) =Setup-Spl(1λ;rS,A).

5. LetF(KA, t) =r0S,A. Compute (SK0A,VK0A,VK0A,rej)←Setup-Spl(1λ;rS,A0 ).

6. LetF(KB, t−1) =rS,B. Compute (SKB,VKB,VKB,rej) =Setup-Spl(1λ;rS,B).

7. LetF(KB, t) =rS,B0 . Compute (SK 0 B,VK 0 B,VK 0 B,rej)←Setup-Spl(1 λ ;rS,B0 ).

8. Letmin= (vin,ctst,in, win,posin) andα=‘-’.

IfVerify-Spl(VKA, min, σin) = 1 setα=‘A’.

Ifα=‘-’andt≥t∗output⊥.

Ifα= ‘-’andVerify-Spl(VKB, min, σin) = 1 setα=‘B’.

Ifα= ‘-’ output⊥.

9. Let (rlw,1, rlw,2, rlw,3) =F(KE,lw), (pklw,sklw) =Setup-PKE(1

λ_;r

lw,1),sym=Dec-PKE(sklw,ctsym,in).

10. Let (rt−1,1, rt−1,2, rt−1,3) = F(KE, t − 1), (pkst,skst) = Setup-PKE(1

λ

, rt−1,1), st =

Dec-PKE(skst,ctst,in).

11. Let (st0,sym0, β) =δ(st,sym). 12. Ifstout=qrejoutput 0.

13. Ifstout=qacc output 1.

14. Compute (rt,1, rt,2, rt,3) = F(KE, t), (pk0,sk0) = Setup-PKE(1λ;rt,01), ctsym,out =

Enc-PKE(pk0,sym0;rt,2) andctst,out=Enc-PKE(pk0,st0;rt,3).

15. Computewout=Update(PPAcc, win,(ctsym,out, t),posin, aux). Ifwout=Reject, output⊥.

16. Computevout=Iterate(PPItr, vin,(ctst,in, win,posin)).

17. Letmout= (vout,ctst,out, wout,posout) andσout=Sign-Spl(SK0α, mout).

18. Outputpos_in,ctsym,out,ctct,out, wout, vout, σout.

Figure 43: P1

Claim B.3. Let 0≤j ≤t∗_{−1. Assuming iO is a secure indistinguishability obfuscator,F is a selectively} secure puncturable PRF and S is a splittable signature scheme satisfying definitions 5.1, 5.2, 5.3 and 5.4, for any PPT adversaryA,|Adv2_A,j−Adv0_A2,j| ≤negl(λ).

The proof of this claim is similar to the proof of Lemma 6.2.

Claim B.4. Let 0≤j≤t∗_{−2. AssumingiO is a secure indistinguishability obfuscator,Itris an iterator} satisfying indistinguishability of Setup (Definition 3.1) and is enforcing (Definition 3.2), and Acc is an ac- cumulator satisfying indistinguishability of Read/Write Setup (Definitions 4.1 and 4.2) and is Read/Write enforcing (Definitions 4.3 and 4.4), for any PPT adversaryA,|Adv0_A2,j−Adv2_A,j+1| ≤negl(λ). indistinguish- able.

The proof of this claim is similar to the proof of Lemma 6.3.

Claim B.5. AssumingiOis a secure indistinguishability obfuscator, for any PPT adversaryA,|Adv2_A,t∗−1−

Advint_A | ≤negl(λ).

P2,j

Constants: j, Turing machine M = hQ,Σtape, δ, q0, qacc, qreji, time bound T, halt-time t∗ ≤ T, Pub-

lic parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys

KE, KA, KB∈ K, outputb∗, messagemj.

Input: Timet∈[T], encrypted symbol and last-write time (ctsym,in,lw), encrypted statectst,in, accumulator

valuewin∈ {0,1}`Acc, Iterator valuevin, signatureσin, accumulator proofπ, auxiliary valueaux.

1. Letposin=tmf(t−1) andposout=tmf(t).

2. IfVerify-Read(PPAcc, win,(ctsym,in,lw),posin, π) = 0orlw≥toutput⊥.

3. LetF(KA, t−1) =rS,A. Compute (SKA,VKA,VKA,rej) =Setup-Spl(1λ;rS,A).

4. LetF(KA, t) =r0S,A. Compute (SK

0 A,VK 0 A,VK 0 A,rej)←Setup-Spl(1 λ ;rS,A0 ).

5. LetF(KB, t−1) =rS,B. Compute (SKB,VKB,VKB,rej) =Setup-Spl(1λ;rS,B).

6. LetF(KB, t) =rS,B0 . Compute (SK 0 B,VK 0 B,VK 0 B,rej)←Setup-Spl(1 λ ;rS,B0 ).

7. Letmin= (vin,ctst,in, win,posin) andα=‘-’.

IfVerify-Spl(VKA, min, σin) = 1 setα=‘A’.

Ifα=‘-’and(t≥t∗ort≤j) output⊥.

Ifα= ‘-’andVerify-Spl(VKB, min, σin) = 1 setα=‘B’.

Ifα= ‘-’ output⊥.

8. Let (rlw,1, rlw,2, rlw,3) =F(KE,lw), (pklw,sklw) =Setup-PKE(1

λ_;r

lw,1),sym=Dec-PKE(sklw,ctsym,in).

9. Let (rt−1,1, rt−1,2, rt−1,3) = F(KE, t − 1), (pkst,skst) = Setup-PKE(1

λ

, rt−1,1), st =

Dec-PKE(skst,ctst,in).

10. Let (st0,sym0, β) =δ(st,sym). 11. Ifstout=qrejoutput 0.

12. Ifstout=qacc output 1.

13. Compute (rt,1, rt,2, rt,3) = F(KE, t), (pk0,sk0) = Setup-PKE(1λ;rt,01), ctsym,out =

Enc-PKE(pk0,sym0;rt,2) andctst,out=Enc-PKE(pk0,st0;rt,3).

14. Computewout=Update(PPAcc, win,(ctsym,out, t),posin, aux). Ifwout=Reject, output⊥.

15. Computevout=Iterate(PPItr, vin,(ctst,in, win,posin)).

16. Letmout= (vout,ctst,out, wout,posout).

Ift=jandmout=mj,σout=Sign-Spl(SK0A, mout).

Else ift=jandmout6=mj,σout=Sign-Spl(SK0B, mout).

Elseσout=Sign-Spl(SK0α, mout).

17. Outputposin,ctsym,out,ctct,out, wout, vout, σout.

P20,j

Constants: j, Turing machine M = hQ,Σtape, δ, q0, qacc, qreji, time bound T, halt-time t∗ ≤ T, Pub-

lic parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys

KE, KA, KB∈ K, outputb∗, messagemj.

Input: Timet∈[T], encrypted symbol and last-write time (ctsym,in,lw), encrypted statectst,in, accumulator

valuewin∈ {0,1}`Acc, Iterator valuevin, signatureσin, accumulator proofπ, auxiliary valueaux.

1. Letpos_in=tmf(t−1) andpos_out=tmf(t).

2. IfVerify-Read(PPAcc, win,(ctsym,in,lw),posin, π) = 0orlw≥toutput⊥.

3. LetF(KA, t−1) =rS,A. Compute (SKA,VKA,VKA,rej) =Setup-Spl(1λ;rS,A).

4. LetF(KA, t) =r0S,A. Compute (SK

0 A,VK 0 A,VK 0 A,rej)←Setup-Spl(1λ;r 0 S,A).

5. LetF(KB, t−1) =rS,B. Compute (SKB,VKB,VKB,rej) =Setup-Spl(1λ;rS,B).

6. LetF(KB, t) =rS,B0 . Compute (SK 0 B,VK 0 B,VK 0 B,rej)←Setup-Spl(1λ;r 0 S,B).

7. Letmin= (vin,ctst,in, win,posin) andα=‘-’.

IfVerify-Spl(VKA, min, σin) = 1 setα=‘A’.

Ifα=‘-’and(t≥t∗ort≤j+ 1) output⊥.

Ifα= ‘-’andVerify-Spl(VKB, min, σin) = 1 setα=‘B’.

Ifα= ‘-’ output⊥.

8. Let (rlw,1, rlw,2, rlw,3) =F(KE,lw), (pklw,sklw) =Setup-PKE(1

λ

;rlw,1),sym=Dec-PKE(sklw,ctsym,in).

9. Let (rt−1,1, rt−1,2, rt−1,3) = F(KE, t − 1), (pkst,skst) = Setup-PKE(1

λ

, rt−1,1), st =

Dec-PKE(skst,ctst,in).

10. Let (st0,sym0, β) =δ(st,sym). 11. Ifstout=qrejoutput 0.

12. Ifstout=qacc output 1.

13. Compute (rt,1, rt,2, rt,3) = F(KE, t), (pk0,sk0) = Setup-PKE(1λ;rt,01), ctsym,out =

Enc-PKE(pk0,sym0;rt,2) andctst,out=Enc-PKE(pk0,st0;rt,3).

14. Computewout=Update(PPAcc, win,(ctsym,out, t),posin, aux). Ifwout=Reject, output⊥.

15. Computevout=Iterate(PPItr, vin,(ctst,in, win,posin)).

16. Letmout= (vout,ctst,out, wout,posout).

Ift=j+ 1andmin=mj,σout=Sign-Spl(SK0A, mout).

Else ift=j+ 1andmin6=mj,σout=Sign-Spl(SK0B, mout).

Elseσout=Sign-Spl(SK0α, mout).

17. Outputposin,ctsym,out,ctct,out, wout, vout, σout.

Lemma B.2. AssumingiOis a secure indistinguishability obfuscator,F is a selectively secure puncturable PRF, Itr is an iterator satisfying Definitions 3.1 and 3.2, Acc is an accumulator satisfying Definitions 4.1, 4.2, 4.3 and 4.4, S is a splittable signature scheme satisfying security Definitions 5.1, 5.2, 5.3 and 5.4, |Advint_A −Adv0_Aint| ≤negl(λ).

Proof. To prove this lemma, we will define a sequence of hybrid experiments and show that they are com-

putationally indistinguishable.

Hybrid H0 In this experiment, the challenger outputs an obfuscation of P0 = Pint{t∗, KE, KA, KB,

mt∗₋1}.

Hybrid H1 In this hybrid, the challenger first computes the constants for program P1 as follows:

1. PRF keys KA andKB are punctured at t∗−1 to obtain KA{t∗−1} ←F.puncture(KA, t∗−1) and

KB{t∗−1} ←F.puncture(KB, t∗−1).

2. Letrc=F(KA, t∗−1), (SKC,VKC,VKC,rej) =Setup-Spl(1λ;rC),rD=F(KB, t∗−1), (SKD,VKD,VKD,rej) =

Setup-Spl(1λ_;r D).

It then outputs an obfuscation of P1 = P1{t∗, KE, KA{t∗−1}, KB{t∗−1},VKC,SKC,SKD, mt∗₋₁}

(defined in 46). P1 is identical to P0 on inputs corresponding tot6=t∗−1, t∗. Fort =t∗−1, it uses the hardwired signing keys. Fort=t∗, it uses the hardwired verification key.

P1

Constants: i, Turing machine M = hQ,Σtape, δ, q0, qacc, qreji, time bound T, halt-time t∗ ≤ T, Pub-

lic parameters for accumulator PPAcc, Public parameters for Iterator PPItr, Puncturable PRF keys

KE, KA{t∗−1}, KB{t∗−1} ∈ K, outputb∗, messagemt∗₋₁, VK_C, SK_C, SK_D.

Input: Timet∈[T], encrypted symbol and last-write time (ctsym,in,lw), encrypted statectst,in, accumulator

valuewin∈ {0,1}`Acc, Iterator valuevin, signatureσin, accumulator proofπ, auxiliary valueaux.

1. Letpos_in=tmf(t−1) andpos_out=tmf(t).

2. IfVerify-Read(PPAcc, win,(ctsym,in,lw),posin, π) = 0orlw≥toutput⊥.

3. Ift6=t∗, letrS,A=F.eval(KA{t∗−1}, t−1). Compute (SKA,VKA,VKA,rej) =Setup-Spl(1λ;rS,A).

Else VKA= VKC.

4. Ift6=t∗−1, letrS,A0 =F.eval(KA{t∗−1}, t). Compute (SK0A,VK

0 A,VK 0 A,rej)←Setup-Spl(1 λ ;rS,A0 ).

5. Ift6=t∗−1,rS,B0 =F.eval(KB{t∗−1}, t). Compute (SK0B,VK0B,VK0B,rej)←Setup-Spl(1λ;rS,B0 ).

6. Letmin= (vin,ctst,in, win,posin). IfVerify-Spl(VKA, min, σin) = 0 output⊥.

7. Let (rlw,1, rlw,2, rlw,3) =F(KE,lw), (pklw,sklw) =Setup-PKE(1

λ

;rlw,1),sym=Dec-PKE(sklw,ctsym,in).

8. Let (rt−1,1, rt−1,2, rt−1,3) = F(KE, t − 1), (pkst,skst) = Setup-PKE(1

λ_{, r}

t−1,1), st =

Dec-PKE(skst,ctst,in).

9. Let (st0,sym0, β) =δ(st,sym). 10. Ifstout=qrejoutput 0.

11. Ifstout=qacc output 1.

12. Compute (rt,1, rt,2, rt,3) = F(KE, t), (pk0,sk0) = Setup-PKE(1λ;rt,01), ctsym,out =

Enc-PKE(pk0,sym0;rt,2) andctst,out=Enc-PKE(pk0,st0;rt,3).

13. Computewout=Update(PPAcc, win,(ctsym,out, t),posin, aux). Ifwout=Reject, output⊥.

14. Computevout=Iterate(PPItr, vin,(ctst,in, win,posin)).

15. Letmout= (vout,ctst,out, wout,posout).

16. Ift=t∗−1 andmout=mt∗_{−1,σout=Sign-Spl(SKC, mout).}

Else ift=t∗−1 andmout6=mt∗−1 σout=Sign-Spl(SKD, mout).

Elseσout=Sign-Spl(SK0A, mout).

17. Outputposin,ctsym,out,ctct,out, wout, vout, σout.

Hybrid H2 In this hybrid, rC and rD are chosen uniformly at random; that is, the challenger computes

In document Indistinguishability Obfuscation for Turing Machines with Unbounded Memory (Page 64-76)