On the Impossibility of Approximate Obfuscation

Nir Bitansky and Omer Paneth

Program Obfuscation

Compute

𝑥

𝑦= 𝑓 𝑠𝑘(𝑥 )

Program Obfuscation𝑥

𝑦= 𝑓 𝑠𝑘(𝑥 )

Program Obfuscation

Sign email with If starts with

“omer@bu.edu”

𝑥

𝑦=𝜎 (𝑥)/⊥

Virtual Black-Box

is an obfuscation of :

- Functionality:

𝑆𝑓 𝑠𝑘𝐴 ≈𝒪𝑠𝑘

- Security:

[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Impossibility of Obfuscation

There exist families of functions that cannot be obfuscated

[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Relaxed Security

- Functionality:

𝑆𝑓 𝑠𝑘𝐴 ≈𝒪𝑠𝑘

- Security:

[Barak et al. 01, Goldwasser-Rothblum07, Hofheinz-Malone-Lee-Stam07, Hohenberger-Rothblum-Shelat-Vaikuntanathan07,

Bitansky-Canetti10]

Relaxed Functionality?

- Functionality:

𝑆𝑓 𝑠𝑘𝐴 ≈𝒪𝑠𝑘

- Security:

Approximate Obfuscation[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

is an approximate obfuscation of :

- Functionality:

𝑆𝑓 𝑠𝑘𝐴 ≈𝒪𝑠𝑘

- Security:

Main ResultAssuming trapdoor permutations, there exist families of functions that cannot be approximately

obfuscatedMotivation?

Positive applications

From Impossibility to

Applications

Impossibility of approximate obfuscation

Non-black-box extraction

𝐴𝑠𝑘𝑥 𝑓 𝑠𝑘(𝑥 )

𝑠𝑘

Zero-knowledge with

resettable security

Worst-case extractable signatures

Plan[BGIRSVY 01]:

This work:

Impossibility of Obfuscation

Impossibility of Approximate Obfuscation

Unobfuscatable Functions

Robust Unobfuscatable

Functions

Applications

Unobfuscatable Functions

𝐴𝑓 𝑠𝑘

𝑠𝑘

𝐸𝒪 𝑠𝑘

1. Black-box unlearnability:

:2. Extraction: Pr𝑥←𝑈

[𝒪 (𝑥 )= 𝑓 𝑠𝑘 (𝑥 ) ]=1⇒

From Barak et al.

Robust Unobfuscatable Functions

1. Black-box unlearnability:

:2. Robust extraction:

𝐴𝑓 𝑠𝑘

𝑠𝑘

𝐸𝒪 𝑠𝑘Pr𝑥←𝑈

[𝒪 (𝑥 )= 𝑓 𝑠𝑘 (𝑥 ) ]>0 .9⇒

Robust Unobfuscatable Functions

𝑓 𝑠𝑘𝒪𝑆𝑓 𝑠𝑘𝐴 ≈𝒪

𝑠𝑘𝑠𝑘

𝐸

RUFs Construction

Unobfuscatable FunctionsConstruction of Barak et al. (using FHE for simplicity)

– two -bit strings - secret key for FHE

𝑓 𝑎 ,𝑏 , 𝑠𝑘 (𝑥 ) :

𝑓 𝑎 ,𝑏 , 𝑠𝑘(𝑥 )¿ {¿¿𝑥=𝑎𝑥=0𝑛De c𝑠𝑘(𝑥)=𝑏o . w .

En c𝑠𝑘(𝑎)𝑏

𝑏

⊥

0𝑛 𝐸𝑛𝑐 (𝑎) 𝐸𝑛𝑐 (b )

𝑎 𝑏

𝑓

𝑓

𝑓

Unobfuscatable Functions

0𝑛 𝐸𝑛𝑐 (𝑎) 𝐸𝑛𝑐 (b )

𝑎 𝑏

𝑓

𝑓

𝑓

Black-Box Unlearnability

𝐴𝑓𝑏

𝐶

0𝑛 𝐸𝑛𝑐 (𝑎) 𝐸𝑛𝑐 (b )

𝑎 𝑏

Extraction

𝐸𝐶≡ 𝑓 𝑏

𝐸𝑣𝑎𝑙 (𝐶 )𝐶𝐶

𝐶

0𝑛 𝐸𝑛𝑐 (𝑎) 𝐸𝑛𝑐 (b )

𝑎 𝑏

Robust Extraction?

𝐸

𝐶∗𝐶∗

𝐶∗ 𝑏 𝐶∗(𝑥)={ ⊥𝐸𝑛𝑐𝑠𝑘(𝑎)

𝑥=𝑎𝑥=0𝑛

𝑏⊥

𝐷𝑒𝑐𝑠 𝑘(𝑥 )=𝑏𝑜 .𝑤 .

A Taste of the Construction

𝑓 𝑎 ,𝑏(𝑥)={𝑏 𝑥=𝑎⊥ 𝑜 .𝑤 .

Q: Find such that:

with errors 𝑓 a , b

Randomly reduce to

Getting Robustness

𝑓 𝑎 ,𝑏(𝑥)={𝑏 𝑥=𝑎⊥ 𝑜 .𝑤 .

with errors 𝑓 a , b

𝑔h

𝑎𝑟

𝑎⊕𝑟 ⊕

𝑟←𝑈𝑏⊕PRF (𝑟 )

PRF (𝑟 )

𝑓

𝑔 , h 𝑓 a , b

𝐴𝑔 , h

𝑏

𝑎 𝑎 queries on and queries on

Construction of RUFs

¿ { 𝑏𝐸𝑛𝑐𝑠 𝑘(𝑎)

𝑥=𝑎𝑥=0𝑛

𝑏⊥

𝐷𝑒𝑐𝑠𝑘(𝑥)=𝑏𝑜 .𝑤 .

𝑓 𝑎 ,𝑏 , 𝑠𝑘(𝑥 )

• RUFs from trapdoor permutations.

• Weak RUFs from OWF only:

Assumptions

𝐸𝒪 𝑠𝑘

∀ 𝑥 :𝒪 (𝑥 )∈ { 𝑓 𝑠𝑘 (𝑥 ) ,⊥}

Applications

Publicly-Verifiable RUOFs

𝐴𝑓 𝑠𝑘

𝑠𝑘 𝐸𝒪 𝑠𝑘

iff

𝑣𝑘 𝑣𝑘

𝑠𝑘,𝑣𝑘←Gen () Pr𝑥←𝑈

[Ver𝑣𝑘 (𝑥 ,𝒪 (𝑥 ) )=1 ]> 1poly(𝑛)

Resettably-Sound ZK[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]

𝑥∈ℒ?𝒫Standard ZK

ResettableSoundnes

s𝒱

Resettable Soundness[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]

𝒱𝒫∗𝑥∉ℒ

Resettable Soundness[Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]

𝒱𝒫∗𝑥∉ℒ𝒱

No Black-Box Simulator

𝒱𝒫∗

Resettable soundness Zero-knowledge(black-box simulator) 𝒫∗

𝒱 𝒮𝒱∗

[Barak-Goldreich-Goldwasser-Lindell 01]

Resettably-Sound ZK

𝒱𝒫∗ 𝒮𝒱∗

Resettable soundness Zero-knowledge (non-black-box simulator)𝒫∗

𝒱

[Barak-Goldreich-Goldwasser-Lindell 01, BP 12, Chung-Pass-Seth 13]

𝒫 𝒱Resettably-Sound ZK𝑠𝑘,𝑣𝑘𝑣𝑘

𝑥←𝑈𝑓 𝑠𝑘(𝑥 )

Witness indistinguishable proof:

or “knows”

𝒫 𝒱Resettably-Sound ZK𝑠𝑘,𝑣𝑘𝑣𝑘𝑥𝑓 𝑠𝑘(𝑥 )

Witness indistinguishable proof:

or “knows”

𝒱𝒫∗𝑥𝑓 𝑠𝑘(𝑥 )

Analysis

𝒮 𝑖𝑚𝒱∗

Resettable soundness Zero-knowledge

𝒫∗𝑓 𝑠𝑘

𝑠𝑘

𝒮𝑠𝑘

𝐸

• Resettably-sound ZK from OWFs (Different approach from Chung-Pass-Seth 13)

• Simultaneously-resettable ZK from OWFs (using srWI by Chung-Ostrovsky-Pass-Visconti 13)

• 4-message resettably-sound ZK • 3-message simultaneously-resettable

WI proof of knowledge

More Resettable Crypto

Sign 𝑠𝑘

Sign 𝑠𝑘

𝐴𝑚 𝑖

𝜎 (𝑚¿¿ 𝑖)¿𝑣𝑘

Digital Signatures:

Worst-Case Extractable Signatures

∀𝑠𝑘 ,𝑣𝑘

Worst-Case Extractable SignaturesFor every

breaks security for ⟹

𝐴

𝐸𝑠𝑘

Thank You.#define _ -F<00||--F-OO--;int F=00,OO=00;main(){F_OO();printf("%1.3f\n",4.*-F/OO/OO);}F_OO(){

_-_-_-_ _-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_-_-_-_-_ _-_-_-_-_-_-_-_ _-_-_-_

}

IOCCC 88