
6.3 Construction of DFE

6.3.1 Property of DFE w.r.t. a Special Purpose Function Distribution

In Section 7, we will use DFE to compute functions f sampled from a special-purpose distribution F N over DFN,S, where the function f is determined by a fixed function g and a distributional input-output dependency graph G (sampled in F N), such that every f_i(x, x′) equals g_i(x_{G(i)}, x′) and depends on a constant ℓ = O(1) number of x variables specified by G(i) (the dependency on x′ variables is arbitrary). In addition, the input x is binary and its distribution is uniformly random (and the distribution of x′ is independent and arbitrary). When using DFE to compute functions on inputs from such distributions, the special-purpose simulation security guarantees that only a small set x_K of O(ℓλε2) x variables get compromised. We now show further that the locations K of compromised x variables only “weakly depend” on G, in the sense that there is a set K independent of G such that G(K) contains K.

Special-purpose distributions. The function distribution F N samples a function f = (g, G), where g : Z^N → Z^M is a fixed function in DFN,S and G is sampled according to some distribution. For every input (x, x′) ∈ {0,1}^{N0} × Z_{pD}^{N−N0} for some N0 ≤ N and every i ∈ [M], f_i(x, x′) is defined to be g_i(x_{G(i)}, x′). Let ℓ be the locality of f on x, that is, ℓ = max_i(|G(i)|).

The input distribution X, on the other hand, is (x, x′) ← U_{{0,1}^{N0}} × X′, where x is a randomly and independently sampled binary string and X′ is arbitrary.

For any such special-purpose distributions F N and X, the special-purpose O(µ)-simulation security of DFE implies the existence of an efficient and universal simulator Sim and a distribution DSim, such that the Real distribution is indistinguishable from the following Ideal distribution:

   { f = (g, G) ← F N,  ((x_K, x′_{K′}), (K, K′), st) ← DSim(f),
     x ← U_{{0,1}^{N0}} | x_K, K,  x′ ← X′ | x′_{K′}, K′ :
     f, (x, x′), Sim(st, f, y = f(x, x′), (x_1, x′_1), . . . , (x_t, x′_t)) }.

With probability 1 − O(µ), |K| + |K′| = O(ℓλε2). We now show that the locations K of compromised x variables only weakly depend on the graph G.

Lemma 6.12. For every λ, every µ that is superpolynomially small, and every pair of special-purpose distributions F N and X as described above, there exists a random variable K correlated with (f ← F N, ((x_K, x′_{K′}), (K, K′), st) ← DSim(f)), satisfying that i) K is independent of G, and ii) K ⊆ G(K) and |K| = O(2^ℓ λε2) with probability 1 − O(µ).

Proof. Recall that DSim operates as follows:

DSim(f): V ← V, Z ← Z, bad ← {BAD_ρ(Eρf(V), Z)}_ρ, I = Γ(Ebadf), V ← V|V_I, I, let x_K, x′_{K′} be the x and x′ variables contained in V_I, output (x_K, x′_{K′}), (K, K′), st = (V, Z, V, bad).

Further recall that each noise Eρf(V) falls into one of the following three cases: it is either ed,ji, od,ji, or ofi. By Claim 6.9, for every f_i(x) = g_i(x_{G(i)}, x′), every ed,ji, od,ji, or ofi can be computed by i) functions ẽd,ji, or õd,ji, or õfi that are independent of G(i) and independent of G, on ii) inputs that depend only on x_{G(i)} and variables in (x′, s≤D, e≤D, {Adsd}). Overall, the function Ef is independent of G and every Eρf(V) depends on x_{G(i)} for some i.

By the definition of flawed-smudging distributions, the set of randomized predicates {BAD_ρ} that determines the set of compromised noises depends only on Z, the function E, and the distribution V (which in turn depends on the distribution of G) of its input, all independent of the actually sampled graph G. Therefore, every BAD_ρ can be rewritten as a randomized predicate P_ρ, still independent of G, such that

BAD_ρ(Eρ(V), Z; r_ρ) = P_ρ(x_{G(i)}, aux; r_ρ),

for some i and aux = (x′, s≤D, e≤D, {Adsd}, Z).

With probability 1 − O(µ), the number of BAD_ρ (or equivalently the number of P_ρ) that evaluate to 1 is bounded by O(λε2). Therefore, there is a set of aux and randomness r of all P_ρ predicates that has probability 1 − O(√µ) of being sampled, and conditioned on them being sampled, the number of P_ρ(x_{G(i)}, aux; r) that output 1 is bounded by O(λε2) with probability 1 − O(√µ) over the choice of x and G.

For any such (aux, r), we have that the expectation of the sum of outputs of P_ρ is bounded:

E_{x,G}[ Σ_ρ P_ρ(x_{G(i)}, aux; r) ] = (1 − O(√µ)) · O(λε2) + O(µ) · poly(λ, S) = O(λε2).

(The first equality follows as in the rare event of |bad|_1 not being bounded by O(λε2), it is still bounded by the total number of noises, which is bounded by poly(λ, S). Since µ is superpolynomially small, the second equality follows.) Furthermore, let E_ρ = E_{x,G}[P_ρ(x_{G(i)}, aux; r)] be the expectation of P_ρ itself. Since |G(i)| ≤ ℓ and the marginal distribution of the binary string x_{G(i)} is uniform, the expectation E_ρ is either zero if P_ρ(?, aux; r) is constantly zero, or at least 1/O(2^ℓ) otherwise. By the linearity of expectation, the number of ρ s.t. P_ρ(?, aux; r) is non-zero is at most O(2^ℓ λε2). We now define the correlated random variable K:

K = {i : ∃ρ s.t. P_ρ(?, aux; r) is non-zero, and P_ρ depends on x_{G(i)}}.

Clearly, |K| = O(2^ℓ λε2).

Since the above holds for a set of aux, r that appear with probability 1 − O(√µ), we have that with probability 1 − O(√µ) over the choice of aux and r, |K| = O(2^ℓ λε2). We further observe that K is independent of G, as it only depends on the randomized predicates P_ρ, their randomness r, and aux = (x′, s≤D, e≤D, {Ad,sd}, Z), all of which are independent of G. Finally, the set of compromised variables K must be a subset of these variables G(K) that non-zero predicates depend on. Therefore, K is the set promised by the lemma.
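The counting and containment steps of the proof can be checked exactly on a toy instance. The sketch below is an added example, not code from the paper: it assumes one predicate per output index i with (aux, r) already fixed, models the compromised locations as the x variables read by a predicate that outputs 1, and uses constructed sizes and hypothetical function names.

```python
import itertools
import random
from fractions import Fraction

ELL, N, M = 3, 12, 8  # constructed toy sizes: locality, #x variables, #outputs

def make_predicates(rng, nonzero):
    """Truth tables P_i on ELL bits, fixed without looking at G (aux, r fixed)."""
    tables = []
    for i in range(M):
        table = dict.fromkeys(itertools.product((0, 1), repeat=ELL), 0)
        if i in nonzero:
            table[rng.choice(sorted(table))] = 1  # fires on one input pattern
        tables.append(table)
    return tables

def nonzero_indices(tables):
    """Indices whose predicate is not constantly zero; G is never consulted."""
    return {i for i, t in enumerate(tables) if any(t.values())}

def expectation(table):
    """Exact E[P_i] over uniform x_{G(i)} (any ELL distinct bits of uniform x)."""
    return Fraction(sum(table.values()), len(table))

def compromised(tables, G, x):
    """Locations of x variables read by a predicate that outputs 1."""
    K = set()
    for i, t in enumerate(tables):
        if t[tuple(x[j] for j in G[i])]:
            K.update(G[i])
    return K

def check(seed=0, trials=200):
    rng = random.Random(seed)
    tables = make_predicates(rng, nonzero={1, 4, 6})
    idx = nonzero_indices(tables)
    total = sum(expectation(t) for t in tables)
    # Counting step: every non-zero expectation is at least 2^-ELL, so the
    # number of non-zero predicates is at most 2^ELL times the expected sum.
    assert all(expectation(tables[i]) >= Fraction(1, 2**ELL) for i in idx)
    assert len(idx) <= 2**ELL * total
    for _ in range(trials):
        G = [tuple(rng.sample(range(N), ELL)) for _ in range(M)]  # fresh graph
        x = [rng.randint(0, 1) for _ in range(N)]
        # Containment step: compromised locations lie inside G(index set).
        assert compromised(tables, G, x) <= set().union(*(G[i] for i in idx))
    return idx, total

if __name__ == "__main__":
    print(check())
```

The index set is computed before any graph is sampled, which mirrors the independence claim; only its image under G changes from trial to trial.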

7 Functional Encryption for NC^1 and Transformation to IO

In this section, we construct sublinearly compact FE schemes for NC^1 with standard fully-selective indistinguishability security, using a constant-locality PRG, the AIK randomized encoding [AIK04], our special-purpose FE scheme DFE constructed in Section 6, and a new primitive called bit-fixing homomorphic sharing. Below, we start with introducing the new primitive and constructing it from multi-key FHE in Section 7.1, and then move to the construction of FE for NC^1 in Section 7.2. Finally, in Section 7.3, we describe how existing results can be used to transform our FE scheme to IO.