The Impossibility of Obfuscation withAuxiliary Input or a Universal Simulator
Nir Bitansky Ran CanettiHenry CohnShafi GoldwasserYael Tauman-Kalai Omer PanethAlon Rosen
Program Obfuscation
Obfuscated program
𝑥 y
Obfuscation
Program
𝑥 y
Private Key to Public Key
Public Key
𝑚 cipher
Obfuscation
𝐸𝑛𝑐𝑠𝑘(𝑚)
𝑚 cipher
Ideal Obfuscation
Hides everything about the program except for its input\output behavior
Point Function etc.[Canetti 97, Wee 05, Bitansky-Canetti 10, Canetti-Rothblum-Varia 10]
Unobfuscatable Functions[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
?All functions
Obfuscation Constructions
All functions
Before 2013: No general solution.
All functions
Obfuscation Constructions
Before 2013: No general solution.
2013: Candidate obfuscation for all circuits [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
All functionsAll functions
New Impossibility Result Under computational assumptions,
a natural notion of ideal obfuscationcannot be achieved
for a large family of cryptographic functionalities.
(strengthen the impossibility of [Goldwasser-Kalai 05])
Virtual Black-Box (VBB)[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Algorithm is an obfuscator for a class if:
For every PPT adversary there exists a PPT simulator such that for every and every predicate :
𝐴 𝑆𝜋 (𝐶 )𝒪(𝐶 )
𝐶
Inefficient!
𝑆
Using Obfuscation
Reduction
𝐴𝑁=𝑝 ⋅𝑞 𝑝 ,𝑞
VBB with a Universal Simulator
Algorithm is an obfuscator for a class if:
There exists a PPT simulator such that for every PPT adversary such that for every and every predicate :
𝐴 𝑆 (𝐴)𝜋 (𝐶 )𝒪(𝐶 )
𝐶
Universal Simulation
Universal Simulators
Black-boxSimulators
Barak’s ZKsimulator
New Impossibility Result Under computational assumptions,
VBB obfuscation with a universal simulator cannot be achieved
for a large family of cryptographic functionalities.
Pseudo-Entropic functions
A function family has super-polynomial pseudo-entropy if there exists a set of inputs such that for a random function ,there exists with super-polynomial min-entropy:
𝐷 ≈𝑐
1 2 3 …
…
Examples
• Pseudo-random functions • Semantically-secure encryption
(when the randomness is a PRF of the message)
𝑚 cipher 𝐸𝑛𝑐𝑠𝑘𝑃𝑅𝐹 𝑠𝑟
New Impossibility Result Under computational assumptions,
VBB obfuscation with a universal simulator is impossible for any pseudo-entropic function
𝐶1𝒪(𝐶¿¿1)¿𝐶2 𝒪(𝐶¿¿2)¿≡ ≈𝑐
Indistinguishability Obfuscation[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Assumption: indistinguishability obfuscation for all circuits
(A candidate construction given in [GGHRSW13])
This Work
Assuming indistinguishability obfuscation,
VBB obfuscation with a universal simulator
is impossible for any pseudo-entropic function
This Work
Average-case VBB with a universal simulator
Is Impossible for pseudo-entropic functions
Assuming indistinguishability obfuscation
for all functions
Worst-case VBB with a universal simulator
Is Impossible for pseudo-entropic functions
Assuming indistinguishability obfuscation
for point-filter functionsor equivalently,
witness encryption
Average-case VBB with a universal simulator
Is Impossible for Filter functions
Unconditionally
Is Impossible for pseudo-entropic functions
Assuming indistinguishability obfuscation
for all functions
Worst-case VBB with a universal simulator
Is Impossible for pseudo-entropic functions
Assuming VBB obfuscation
for point-filter functions
Is Impossible for pseudo-entropic functions
Assuming indistinguishability obfuscation
for point-filter functions
[Goldwasser-Kalai 05]:
This work:
Universal Simulation and Auxiliary Input
𝐴 (𝑧 ) 𝑆 (𝑧 )𝜋 (𝐶 )𝒪(𝐶 )
𝐶
For every PPT adversary there exists a PPT simulator such that for every , every predicate
and every auxiliary input :
VBB with a universal simulator
Universal Simulation and Auxiliary Input
Average-case VBB with a universal simulator
Average-case VBB with independent auxiliary input
Worst-case VBB with a universal simulator
Worst-case VBB with dependent auxiliary input
Proof Idea
What can we do with an obfuscated code
that we cannot do with black-box access?
[Goldwasser-Kalai 05]:
Find a polynomial size circuit computing the function!
Impossibility for Worst-Case VBB
𝐶𝑏¿𝐴
Let be a family of PRFs.
Fix the simulator . Sample a random .
Construct an adversary (that depends on ) that fail .
Let be the set of inputs
: If and :
output the secret , else output .
Impossibility for Worst-Case VBB
𝒪( 𝑓 𝑘)𝑏¿𝐴
𝑓 𝑘
𝑆𝑏𝑏𝐴
Using Indistinguishability Obfuscation
𝑏¿𝐴 𝑏¿𝐴 ⊥𝐴≈𝑐 ≡
𝑏¿𝐴 𝑏¿𝐴 ⊥𝐴≈𝑐 ≈𝑐
𝑏¿𝐴
Impossibility for Average-Case VBB
𝐶𝐴
: If :
output else output .
𝑃𝑅𝐹 𝑠()→𝑏
Impossibility for Average-Case VBB
Obfuscation should hide
Use Indistinguishability Obfuscation together with puncturable pseudo-random functions
𝐴
𝑃𝑅𝐹 𝑠()→𝑏
Thanks!