# MachinaIO: Project Proposal to Build Practical Indistinguishability/Ideal Obfuscation and its Applications Authors: Sora, Enrico <!-- The goal of MachinaIO is to build novel and fully trustless applications made possible by indistinguishability/ideal obfuscation (iO). Two examples are a trustless bitcoin bridge and an AGI with restricted access policy. The focus of the team will be split between sketching out the design of such applications to get people excited about iO (25%) and the build out of the underlying cryptographic primitives (75%). We believe that the convergence of these two lines of work will yield a usable application of iO in the next x (??) years. Similarly, this proposal will be split between these two categories. --> ## Introduction This document proposes the establishment of a new research team within PSE to develop the first practical implementation of an indistinguishability/ideal obfuscation (iO) scheme that is built based on popular cryptographic assumptions. Many applications leveraging advanced cryptography, specifically multi party computation (MPC) and (multi-key) fully homomorphic encryption (FHE), rely on a committee where a majority exceeding a certain threshold of its members must remain honest and stay online even beyond the setup phase. This requirement introduces a trade-off between the security and scalability of such applications. Improving scalability by increasing the hardware requirements for committee parties raises the cost of participation, which reduces the number of committee members and their decentralization, thereby increasing the risk of adversarial collusion. We address this issue by developing a practical implementation of indistinguishability/ideal obfuscation (iO). In essence, iO transforms any program into a black-box representation that hides its inner workings without altering its functionality. While users can locally execute obfuscated programs on arbitrary inputs, they gain no additional information beyond the input-output relation of the program. These features of iO eliminate the need for a committee in applications based on MPC and FHE. As a result, iO provides these applications with unlimited scalability while preserving their security. Furthermore, we believe Ethereum can play a complementary role in the context of iO. For example, while iO obfuscates stateless programs, Ethereum provides a platform for preserving private states, accessible and modifiable only by the obfuscated program. On the other side, developments in iO will unlock a new range of on-chain applications based on encrypted smart contracts. This synergy indicates that some demand for iO could translate into demand for Ethereum. ## Risk of the project ### Technical evidences supporting the feasibility of practical iO Although many people, including cryptography researchers, have considered iO to be merely a theoretical concept, the following technical evidences show that our attempt to build practical iO is promising. First, assuming FHE and SNARK, the only operations that need to be obfuscated are FHE decryption and SNARK verification [GGH+13, BIS+17]. Specifically, FHE handles main computation of the circuit being obfuscated, which is proved with SNARK. On the other hand, a circuit obfuscated by (minimum) iO simply decrypts the given FHE encryption of the circuit output with the hardcoded FHE secret key, if and only if the given proof of the correct homomorphic evaluation is valid. This suggests that 1) the effifiency of iO can be optimized for the simple and specific functionality and 2) the rapid improvements in the efficiency of FHE and ZKPs in recent years will similarly improve the efficiency of iO. Second, in October 2024, [AKY24a] and [BDJ+24] proposed new obfuscation schemes based on LWE and evaisve LWE assumptions. Notably, [AKY24b], a companion paper to [AKY24a], presented a remarkably simple construction of functional encryption (FE), which is a main building block of iO, in just two pages. Therefore, we expect we can easily implement it within three months. Additionally, its efficiency can be improved by replacing the LWE-based construction with one based on ring-LWE (RLWE). In fact, benchmarks in [DDP+17] demonstrate that the homomorphic evaluation algorithm of the BGG+ encoding, which could be a major bottleneck in this FE scheme, performed a binary NAND tree circuit with 128 encoded bits at depth 7 in 643 ms, and another circuit with 1024 encoded bits at depth 10 in 9,411 ms. Third, most of the iO building blocks described above rely on FFT, which can be easily parallelized using GPUs. Notably, if FFT is the main bottleneck in these building blocks, a larger number of GPUs might allow evaluating obfuscated circuits with a greater number of gates without substantially increasing the execution time. ### Side-quest deliverables Although achieving a secure and practical iO in a short period is challenging, we can implement the following useful iO building blocks as side-quest deliverables with a high probability. **(Updated in June, 2025) Functional Encryption (FE):** Functional encryption (FE) is another building block that can be useful for Ethereum, enabling non-interactive private delegation of computation. For example, consider a scenario where Alice wants to make an on-chain transaction if her intent satisfies a certain algorithm $f$. With FE, she can non-interactively delegate this process to an untrusted party without revealing her intent and private key, and without running the entire algorithm $f$ herself. Notably, FE is stronger than FHE because FE decryption directly provides the plaintext result of the function output, removing the need for interaction with the encryptor. These advantages are significant especially when 1) $f$ is complex such as a deep-learning algorithm, or 2) the encryptor goes offline quickly, for example, due to a weak Internet environment. Specifically, we can implement the FE scheme proposed in [AKY24b]. Moreover, if it is acceptable for the user’s ciphertext to be usable with only a single algorithm, the FE scheme can be simplified to laconic function evaluation, eliminating the need for lattice preimages—the most expensive component of the [AKY24] construction. <!-- LFE is a cryptographic primitive that delegates a specific computation on a private input to an untrusted party. Compared to FHE, which also allows delegation of private computation, LFE has the following advantages: - Non-interactive: while a user in FHE holding a secret key needs to remain online until they receives the encryption of the evaluation output and decrypt it, one in LFE only needs to send an encryption of their input $x$. This is because this encryption is tied to a specific circuit $C$, and --> <!-- 1. Efficiently verifiable FHE Verifiable FHE, i.e., FHE with proof of the correct homomorphic evaluation, is significant not only for the pracitical iO scheme but also for use of FHE on Ethereum. We plan to implement one of lattice-based designed-verifier SNARK schemes, such as [BIS+17, ISW21, SSE+22]. They are based on lattice assumptions, which could prove FHE evaluation efficiently [BIS+17]. Moreover, in similar to Groth16 [Gro16], their verification time and proof size are sufficiently short, remaining constant except for the size of the public inputs and outputs. However, the verifier in these schemes must hold a private verification key to verify proofs. You might think such schemes are not useful for Ethereum because they do not appear to be publicly verifiable. Nonetheless, we think they can be easily transformed into publicly-verifiable schemes assuming a threshold-based committee, which is already required when using multi-key FHE. The committee prepares secret shares of the private verification key in advance. For each FHE evaluation, they perform MPC for the proof verification process using those shares, and generates a publicly-verifiable proof for this process with collaborative zkSNARKs [OB22]. This transformation eventually produces a publicly-verifiable SNARK scheme in the threshold setting that is friendly for proof of FHE evaluation and maintains constant costs for the verifier. Although we will not implement the part of this transformation, we believe our implementation of the lattice-based designed-verifier SNARK scheme will be useful to extend the use of FHE for Ethereum. 2. Functional Encryption Functional encryption (FE) is another building block that can be useful for Ethereum, enabling non-interactive private delegation of computation. For example, consider a scenario where Alice wants to make an on-chain transaction if her intent satisfies a certain algorithm $f$. With FE, she can non-interactively delegate this process to an untrusted party without revealing her intent and private key, and without running the entire algorithm $f$ herself. Notably, FE is stronger than FHE because FE decryption directly provides the plaintext result of the function output, removing the need for interaction with the encryptor. These advantages are significant especially when 1) $f$ is complext such as a deep-learning algorithm, or 2) the encryptor goes offline quickly, for example, due to a weak Internet environment. --> ### Remaining bottlenecks There are still three challenges to be addressed in building a practical iO. 1. Efficient bootsrapping from FE to iO. 2. SNARK scheme easily verifiable inside iO. 3. Sub-exponential security loss. The first challenge is the largest bottleneck because existing bootsrapping techniques in [BV15, AJ15] requires running FE encryption recursively. We already have a concrete idea of a more straightforward bootstrapping techniques that is based on the FE scheme in [AKY24b]. **Updated in June, 2025:** We have proposed a new iO construction called [Diamond iO](https://eprint.iacr.org/2025/236.pdf) that solves the first challenge. This replaces the recursive FE encryption with simple matrix operations. The second challenge is also important. Since recent lattice-based SNARK schemes were not designed with iO usage in mind, there may be an opportunity to optimize them for iO. For example, we are considering to optimize the latest designated-verifier SNARK proposed in [SSE+22]. **Updated in June, 2025:** We identified that the biggest bottleneck to support SNARK verification within iO is the input size of the obfuscated circuit. While lattice-based SNARK schemes require more than 10KB proof size, [our current implementation can support only a few input bits](https://machina-io.com/posts/hello_world_first.html). Therefore, the second challenge requires increasing the input size. The third challenge implies that, to make the implementation consistent with the theoretical security proof, some parameter sizes must be increased on the order of $2^L$, where $L$ is the bit size of the input. Although larger parameters reduce efficiency, having parameter sizes smaller than those required by the security proof does not immediately mean that the iO scheme is vulnerable to concrete attacks. Therefore, we plan to overlook this issue until the development of a production-level application, and we will focus on quickly creating a proof-of-concept (PoC) implementation and demonstration applications. More detailed steps to resolve each challenge is described below. ## Milestones We set the following milestones for the period from January to November 2025. - [x] end of Feb 2025 - Invent a new iO scheme that is more straight-forward to understand and implement. It is assumed to solves the **challenge #1**. However, the scheme is still "leveled" because parameters depends on the total input size. - Estimate its performance, such as circuit size and error growth. - Publish a paper describing our solution -> Published at https://eprint.iacr.org/2025/236. - [x] end of March 2025 - Construct an E2E toy implementation of `Obfuscate` and `Evaluate` algorithms of Diamond iO in its RLWE version. - Publish an article (either blogpost or paper) describing our solutions + the implementaton. <!-- - Publish an application using the above implementation for a simple program. Given the limitations of the iO implementation at this stage, potential applications that can be implemented might include the following: - Obfuscating a problem that performs [hash-based one-time signatures](https://en.wikipedia.org/wiki/Lamport_signature). - Obfuscating a bitcoin mining-like application: the obfuscated program encodes a seed and a bitcoin secret key; the user inputs x and based on some conditions (range checks) on H(input, seed) the bitcoin secret key is conditionally released. This can be also seen as witness encryption for the condition of mining. --> <!-- - [ ] middle of August, 2025 - Construct gadgets for efficient evaluation of BGG+ encodings, in particular lookup table, arithmetic in a large modulus, and pseudorandom function (PRF). Note that they will be useful not only for iO but also for many cryptographic primitives, such as attribute-based encryption, laconic function evaluation, and functional encryption. - Publish the implementation for those gadgets. - Publish a paper about those gadgets, though it can be after September. --> - [ ] end of August, 2025 - Construct an efficient lookup table evaluation on BGG+ encodings of public data, i.e., public lookup evaluation. Note that they will be useful not only for iO but also for many cryptographic primitives, such as attribute-based encryption, laconic function evaluation, and functional encryption. - Publish the implementation. - Publish a paper about this technique and its applications in September. - [ ] end of October 2025 - Implement FHE evaluation on BGG+ encodings and leverage it to homomorphically evaluate PRF on the encodings. - Publish the implementation. - [ ] by Devconnect - Construct an "input-scalable" iO scheme (no longer levelled) such that the parameters are independent of the total input size. To achieve this, we will develop a noise refershing technique for the Diamond iO. - Publish article (either blogpost or paper) describing our solutions + the implementaton. <!--The technique will be based on the techniques introduced in [HLL23], but additional or novel techniques to generate LWE instance with freshly sampled errors within the BGG+ encoding leveraging lookup table operations--> - [ ] after Devconnect - Construct an obfuscated program performing ZKP verification, implying that we will solve the **challenge #2** at this stage. ~~This would require extensive research over lattice-based ZKP schemes to choose or invent the best candidate. Note that by accomplishing this task we would be able to achieve iO construction for **all** circuits leveraging the bootstrapping techniques from [GGH+13].~~ (**Updated in July 15th**) we focus on implementing the ZKP verification first. This allows building a practical witness encryption, which is already useful for many trustless applications such as [trustless bitcoin bridge](https://ethresear.ch/t/trustless-bitcoin-bridge-creation-with-witness-encryption/11953/28). - Publish an article (either blogpost or paper) describing our solutions + the implementaton. - [ ] after Devconnect - Deliver an interesting iO-based application. It should be simple to implement while able to communicate the core value proposition of iO. ~~Specifically, we plan to build a demo of untraceable mixing protocol using iO.~~ - Publish an article (either blogpost or paper) describing the application + the demo implementaton. <!-- We present the following three example ideas of the applications: --> <!-- 1. A fully-encrypted SQL database for smart contracts. An obfuscated program allows users to search and decrypt the encrypted data if and only if it matches with the SQL query conditions issued by smart contracts. 2. Pokemon-like minter that leverages the randomness of the signatures produced by an obfuscated program---containing a hardcoded signing key---for the provided Pokemon name. Each Pokemon’s parameters are determined by this randomness. A player can mint their Pokemon on-chain with the signature and have it battle against the other Pokemons. All battles occur entirely on-chain, and once a Pokemon dies, it can never be revived as long as the Ethereum blockchain remains untampered. 3. An anonymous and unique identity derived from signatures on passports (or any identity proof). Specifically, a user can obtain a random ID corresponding to their passport number if and only if they can provide a zk proof of the signature on their passport. This implies the other users cannot obtain the ID even if they know the passport number itself but does not hold the signature (anonymity). Additionally, the ID derived from each passport nunber must be unique (uniquness). The ID with both properties is useful for voting, games with some penalties, rate-limited authentication. --> <!-- 1. Theoretically solve the first and second challenges. We will publish a paper at least for the first challenge. 2. Complete PoC implementations of iO and SNARK verifiable within iO. These implementations will leave plenty of room for efficiency improvements. 3. A demo application of iO. --> **⚠️ Warning**: the above milestones are set based on our current knowledge. Depending on the outcomes of the research, some of these milestones may be delayed or modified in the future. In such scenarios, we could consider exploring approaches other than the current lattice-based iO. Nevertheless, we commit to try our best to deliver a demo application to present the power of iO at Devconnect 2025. <!-- For example, the failed accomplishment of the third milestone will affect the accomplishment of the fourth milestone. --> <!-- we will turn into building an application-specific iO construction that is no longer based on ZKP verification. --> ## Team members We are a team of 2 FTE as follows: - 1 FTE for Sora: He leads the team - 1 FTE for Enrico: Researcher We actively look for adding more cryptography enginners/researchers. ## Team Strategy We will actively collaborate with academic researchers to ensure security while trying to optimize concrete efficiencies. After we complete at least the first implementation of iO, we plan to apply grants from ESP to secure funds for additional team members and hardwares to run our implementations. ## References - [JLS22] https://eprint.iacr.org/2021/1334.pdf - [AKY24a] https://eprint.iacr.org/2024/1720.pdf - [BDJ+24] https://eprint.iacr.org/2024/1742.pdf - [AKY24b] https://eprint.iacr.org/2024/1719.pdf - [CCM+24] https://eprint.iacr.org/2024/006.pdf - [Wee22] https://eprint.iacr.org/2023/906.pdf - [VWW22] https://eprint.iacr.org/2022/1140.pdf - [HLL23] https://eprint.iacr.org/2023/1716.pdf - [BGG+14] https://eprint.iacr.org/2014/356.pdf - [GGH+13] https://eprint.iacr.org/2013/451.pdf - [JLS20] https://eprint.iacr.org/2020/1003.pdf - [BOK+15] https://mediatum.ub.tum.de/doc/1246288/1246288.pdf - [SAS24] https://eprint.iacr.org/2024/762.pdf - [BIS+17] https://eprint.iacr.org/2017/240.pdf - [DDP+17] https://eprint.iacr.org/2017/601.pdf#page=16.76 - [ISW21] https://eprint.iacr.org/2021/977.pdf - [SSE+22] https://eprint.iacr.org/2022/1690.pdf - [Gro16] https://eprint.iacr.org/2016/260.pdf - [OB22] https://eprint.iacr.org/2021/1530.pdf - [AJ15] https://eprint.iacr.org/2015/173.pdf - [BV15] https://eprint.iacr.org/2015/163.pdf <!--  --> <!-- ## Applications ### Trustless bitcoin bridge [Sora to add] ### Secure multi-party applications A secure multi-party application is an application in which a function $f$ has to be computed over inputs coming from different $n$ parties, and this input should remain private: each party should not learn anything beyond what can be inferred from their input and the output of the function. Currently, such applications are built either using Fully Homomorphic Encryption (FHE) or Multi-party Computation (MPC). Indeed, FHE can be leveraged to perform computation over encrypted data. But there's a caveat: FHE still requires someone to hold the decryption key. Outsourcing the ownership of the decryption key to a single party is not a good idea since this party would have god-mode read access to every encrypted data. A more secure approach is to run a distributed decryption key generation (DKG) ceremony between the $n$ application participants, encrypt all the data under the corresponding encryption key, outsource the computation of $f$ to a server and require the parties to come together again and aggregate their decryption key shares to decrypt the output. The problem is that one negligent (or malicious) party that loses its decryption key share is sufficient to bring the whole protocol to a halt. An analogue problem [applies](https://hackmd.io/MoUTdYE3QLmF_1i0U-aeWg#Building-secure-multi-party-applications-with-MPC) to secure multi-party application powered by MPC. Sora describes this as a tradeoff between safety and liveness. <figure align="center"> <img src="https://hackmd.io/_uploads/r1UPF9Kz1e.jpg" alt="CCN Inference"> <figcaption>Source: https://speakerdeck.com/sorasuegami/ideal-obfuscation-io, where x-axis represents the probability of the program to succeed based on the liveness assumptions</figcaption> </figure> A perfect security model, "trust no one but yourself," presents limitations given the liveness requirement for all the $n$ protocol participants. To overcome this problem, current secure multi-party applications (see [Zama](https://github.com/zama-ai/fhevm/blob/main/fhevm-whitepaper.pdf) and [Penumbra](https://protocol.penumbra.zone/main/crypto/flow-encryption/threshold-encryption.html?highlight=Decryption#value-decryption)) in which $n$ is high and might not even be known during the set-up phase rely on a delegated security model, in which a small set of parties (commitee), often different from the application users, holds the decryption key shares and a threshold $t$ of them is required to perform decryption. However, the parties cannot do much to prevent the committee members from secretely meeting and gathering their shares to maliciously decrypt any data. To make things even worse, there is no immediate way to detect this malicious action and keep the commitee members accountable for any misbehaviour. iO promises to break the tradeoff between safety and liveness by removing any need for interaction during the decryption phase. [GGH+13] proposes an iO construction in which the decryption key of a FHE scheme is embedded inside an obfuscated program as a result of a trusted set-up ceremony. The obfuscated program is designed to take a FHE ciphertext as input together with a proof that such ciphertext is allowed to be decrypted according to the predefined application logic. The program will verify the proof, and, on succesful verification, output the decryption of the ciphertext. Since the obfuscated program is public, the decryption can be performed by anyone without requiring any interaction between parties holding the key! Notably, such construction yields a rather succint obfuscated program since the application logic is "outsourced" to FHE. Still, it requires to deploy an obfuscated program for each application since the verification logic must be hardcoded during the setup phase. Our [idea](https://hackmd.io/@SoraSuegami/H18y3P_Nkl#Appendix-12-Ethereum-as-coordinator-for-universal-iO) is to build a universal iO program orchestrated by Ethereum and we plan to write an article about this. Vitalik [describes](https://vitalik.eth.limo/general/2024/10/29/futures6.html) how a secure voting application can be built leveraging iO. In the next paragraph we explore how iO can save the world from AGI. ### AGI with restricted access policy Fast forward 10 years, all people data are encrypted and stored on Ethereum (either directly or via commitments) and the key to decrypt them is stored inside a universal iO program. Applications no longer requires to bootstrap meaningful datasets to provide value to their users because they can operate over such massive amount of **encrypted** data from day 0. Lending services are no longer dependent on a single credit score provider but can accurately portrait (if given permission by the user) the default-risk of a user from large and heterogenous datasets. Music streaming apps can finally accurately profile (again, if given permission) the preferences of a user across a broader set of behaviours. In the meanwhile, machine learning model architectures have evolved beyond LLMs and have developed better reasoning abilities. In this context, Universal iO orchestrated by Ethereum will help creating **safe and fair AGIs**. While anyone can leverage the publicly available encrypted data to obtain an encrypted AGI model and run encrypted inference function, the result of the inference will still be intelligible and require the decryption key inside the universal iO program to be accessed in clear. As an example, data owners can establish that their medical records can be leveraged to synthesizes drugs that cure cancers but not to create deadly viruses. Since these rules are encoded into a smart contract, any effort to leverage the AGI model to purposes against the access policies established by the data owners will be vain as it won't be possible to generate a valid proof that authorizes its decryption. ### Why iO? [Enrico to add] - Draw conclusions from the example, role of iO is to set permissions to access and consume a secret. This is not possible today since once a secret is out (even in a distributed manner) can be consumed by anyone without any limit or accountability as with the current state of the art of bitcoin bridges or FHE-based multi-party applications. iO creates an enviorment in which such secret are hidden from all humans forever at all conditions no matter what. Cryptograpic-based conditions can be enforced on top of the iO program to regulate the type of computations that can be performed on that secret. Example for AGI. - Alternative is TEE, but it might not good enough for high-stake applications ## Cryptographic primitives [Sora to add] - List up the cryptographic building blocks required - Why now? New constructions in academia that might be practical - Description based on milestone in the next 5/6 months on what we are planning to build and how we will evaluate its performance. Set concrete measure to evaluate success or not of our results. ## Team requests [Sora to add] ## References - [GGH+13] https://eprint.iacr.org/2013/451 -->