[ingenter]

I'd like to note that IO does not give a guarantee of impossibility of extracting keys.

AFAIK, the definition of IO is: we have two programs that perform the same computation. After we apply IO to both programs, we cannot figure out which obfuscated program corresponds to a particular original program.

However, there is a flaw: programs encrypting data with different keys are performing different computations.

So IO definition does not claim that IO is able to hide the key.

[aruss]

Your initial thought is why most people believed there to be little use in IO other than maybe removing software watermarks and the like. But this idea of a "punctured program" came around in which you can place the key in the program in a very clever way such that you get a security proof about hiding the key in the obfuscated program.

It turns out we can do just about anything in modern crypto using IO - it is an extremely powerful primitive - including symmetric encryption, public-key encryption, etc.

[phkahler]

>> So IO definition does not claim that IO is able to hide the key.

From what I've read, that doesn't even matter. The obfuscated program IS effectively the key. A copy of that obfuscated program is still a copy of the key. It's still not clear to me what the advantage is supposed to be.

[tromp]

The obfuscated program only uses its embedded key in ways it sees fit. You cannot sign arbitrary statements with the key.