the impossibility of obfuscation with auxiliary input or a universal simulator nir bitansky ran...

The Impossibility of Obfuscation withAuxiliary Input or a Universal Simulator

Nir Bitansky Ran CanettiHenry CohnShafi GoldwasserYael Tauman-Kalai Omer PanethAlon Rosen

Program Obfuscation

Obfuscated program

𝑥 y

Obfuscation

Program

𝑥 y

Private Key to Public Key

Public Key

𝑚 cipher  

Obfuscation

𝐸𝑛𝑐𝑠𝑘(𝑚)

𝑚 cipher  

Ideal Obfuscation

Hides everything about the program except for its input\output behavior

Point Function etc.[Canetti 97, Wee 05, Bitansky-Canetti 10, Canetti-Rothblum-Varia 10]

Unobfuscatable Functions[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

?All functions

Obfuscation Constructions

All functions

Before 2013: No general solution.

All functions

Obfuscation Constructions

Before 2013: No general solution.

2013: Candidate obfuscation for all circuits [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]

All functionsAll functions

New Impossibility Result Under computational assumptions,

a natural notion of ideal obfuscationcannot be achieved

for a large family of cryptographic functionalities.

(strengthen the impossibility of [Goldwasser-Kalai 05])

Virtual Black-Box (VBB)[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Algorithm is an obfuscator for a class if:

For every PPT adversary there exists a PPT simulator such that for every and every predicate :

𝐴 𝑆𝜋 (𝐶 )𝒪(𝐶 )

𝐶

Inefficient!

𝑆

Using Obfuscation

Reduction

𝐴𝑁=𝑝 ⋅𝑞 𝑝 ,𝑞

VBB with a Universal Simulator

Algorithm is an obfuscator for a class if:

There exists a PPT simulator such that for every PPT adversary such that for every and every predicate :

𝐴 𝑆 (𝐴)𝜋 (𝐶 )𝒪(𝐶 )

𝐶

Universal Simulation

Universal Simulators

Black-boxSimulators

Barak’s ZKsimulator

New Impossibility Result Under computational assumptions,

VBB obfuscation with a universal simulator cannot be achieved

for a large family of cryptographic functionalities.

Pseudo-Entropic functions

A function family has super-polynomial pseudo-entropy if there exists a set of inputs such that for a random function ,there exists with super-polynomial min-entropy:

𝐷 ≈𝑐

1 2 3 …

…

Examples

• Pseudo-random functions • Semantically-secure encryption

(when the randomness is a PRF of the message)

𝑚 cipher  𝐸𝑛𝑐𝑠𝑘𝑃𝑅𝐹 𝑠𝑟

New Impossibility Result Under computational assumptions,

VBB obfuscation with a universal simulator is impossible for any pseudo-entropic function

𝐶1𝒪(𝐶¿¿1)¿𝐶2 𝒪(𝐶¿¿2)¿≡ ≈𝑐

Indistinguishability Obfuscation[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Assumption: indistinguishability obfuscation for all circuits

(A candidate construction given in [GGHRSW13])

This Work

Assuming indistinguishability obfuscation,

VBB obfuscation with a universal simulator

is impossible for any pseudo-entropic function

This Work

Average-case VBB with a universal simulator

Is Impossible for pseudo-entropic functions

Assuming indistinguishability obfuscation

for all functions

Worst-case VBB with a universal simulator

Is Impossible for pseudo-entropic functions

Assuming indistinguishability obfuscation

for point-filter functionsor equivalently,

witness encryption

Average-case VBB with a universal simulator

Is Impossible for Filter functions

Unconditionally

Is Impossible for pseudo-entropic functions

Assuming indistinguishability obfuscation

for all functions

Worst-case VBB with a universal simulator

Is Impossible for pseudo-entropic functions

Assuming VBB obfuscation

for point-filter functions

Is Impossible for pseudo-entropic functions

Assuming indistinguishability obfuscation

for point-filter functions

[Goldwasser-Kalai 05]:

This work:

Universal Simulation and Auxiliary Input

𝐴 (𝑧 ) 𝑆 (𝑧 )𝜋 (𝐶 )𝒪(𝐶 )

𝐶

For every PPT adversary there exists a PPT simulator such that for every , every predicate

and every auxiliary input :

VBB with a universal simulator

Universal Simulation and Auxiliary Input

Average-case VBB with a universal simulator

Average-case VBB with independent auxiliary input

Worst-case VBB with a universal simulator

Worst-case VBB with dependent auxiliary input

Proof Idea

What can we do with an obfuscated code

that we cannot do with black-box access?

[Goldwasser-Kalai 05]:

Find a polynomial size circuit computing the function!

Impossibility for Worst-Case VBB

𝐶𝑏¿𝐴

Let be a family of PRFs.

Fix the simulator . Sample a random .

Construct an adversary (that depends on ) that fail .

Let be the set of inputs

: If and :

output the secret , else output .

Impossibility for Worst-Case VBB

𝒪( 𝑓 𝑘)𝑏¿𝐴

𝑓 𝑘

𝑆𝑏𝑏𝐴

Using Indistinguishability Obfuscation

𝑏¿𝐴 𝑏¿𝐴 ⊥𝐴≈𝑐 ≡

𝑏¿𝐴 𝑏¿𝐴 ⊥𝐴≈𝑐 ≈𝑐

𝑏¿𝐴

Impossibility for Average-Case VBB

𝐶𝐴

: If :

output else output .

𝑃𝑅𝐹 𝑠()→𝑏

Impossibility for Average-Case VBB

Obfuscation should hide

Use Indistinguishability Obfuscation together with puncturable pseudo-random functions

𝐴

𝑃𝑅𝐹 𝑠()→𝑏

Thanks!