On the (im)possibility of obfuscating programs

Informally, an <i>obfuscator</i> <i>O</i> is an (efficient, probabilistic) “compiler” that takes as input a program (or circuit) <i>P</i> and produces a new program <i>O</i>(<i>P</i>) that has the same functionality as <i>P</i> yet is “unintelligible” in some sense. Obfuscators, if they exist, would have a wide variety of cryptographic and complexity-theoretic applications, ranging from software protection to homomorphic encryption to complexity-theoretic analogues of Rice's theorem. Most of these applications are based on an interpretation of the “unintelligibility” condition in obfuscation as meaning that <i>O</i>(<i>P</i>) is a “virtual black box,” in the sense that anything one can efficiently compute given <i>O</i>(<i>P</i>), one could also efficiently compute given oracle access to <i>P</i>. In this work, we initiate a theoretical investigation of obfuscation. Our main result is that, even under very weak formalizations of the above intuition, obfuscation is impossible. We prove this by constructing a family of efficient programs <i>P</i> that are <i>unobfuscatable</i> in the sense that (a) given <i>any</i> efficient program <i>P</i>' that computes the same function as a program <i>P</i> ∈ <i>p</i>, the “source code” <i>P</i> can be efficiently reconstructed, yet (b) given <i>oracle access</i> to a (randomly selected) program <i>P</i> ∈ <i>p</i>, no efficient algorithm can reconstruct <i>P</i> (or even distinguish a certain bit in the code from random) except with negligible probability. We extend our impossibility result in a number of ways, including even obfuscators that (a) are not necessarily computable in polynomial time, (b) only approximately preserve the functionality, and (c) only need to work for very restricted models of computation (<b>TC<sup>0</sup></b>). We also rule out several potential applications of obfuscators, by constructing “unobfuscatable” signature schemes, encryption schemes, and pseudorandom function families.

[1]  Jörg Rothe,et al.  A second step towards complexity-theoretic analogs of Rice's Theorem , 2000, Theor. Comput. Sci..

[2]  Moni Naor,et al.  Number-theoretic constructions of efficient pseudo-random functions , 2004, JACM.

[3]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[4]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[5]  Moti Yung,et al.  Non-interactive cryptocomputing for NC/sup 1/ , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[6]  Amit Sahai,et al.  Positive Results and Techniques for Obfuscation , 2004, EUROCRYPT.

[7]  Giovanni Di Crescenzo,et al.  Image Density is Complete for Non-Interactive-SZK (Extended Abstract) , 1998, ICALP.

[8]  Russell Impagliazzo,et al.  One-way functions are essential for complexity based cryptography , 1989, 30th Annual Symposium on Foundations of Computer Science.

[9]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[10]  Guy N. Rothblum,et al.  On Best-Possible Obfuscation , 2007, TCC.

[11]  Vitaly Shmatikov,et al.  On the Limits of Point Function Obfuscation , 2006, IACR Cryptol. ePrint Arch..

[12]  Ran Canetti,et al.  Perfectly One-Way Probabilistic Hash Functions , 1998, Symposium on the Theory of Computing.

[13]  Boaz Barak,et al.  How to go beyond the black-box simulation barrier , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[14]  Christian S. Collberg,et al.  Watermarking, Tamper-Proofing, and Obfuscation-Tools for Software Protection , 2002, IEEE Trans. Software Eng..

[15]  David Naccache,et al.  How to Copyright a Function? , 1999, Public Key Cryptography.

[16]  Amit Sahai,et al.  A complete problem for statistical zero knowledge , 2003, JACM.

[17]  Yevgeniy Dodis,et al.  Correcting errors without leaking partial information , 2005, STOC '05.

[18]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[19]  Guy N. Rothblum,et al.  On Best-Possible Obfuscation , 2007, Journal of Cryptology.

[20]  Yacov Yacobi,et al.  The Complexity of Promise Problems with Applications to Public-Key Cryptography , 1984, Inf. Control..

[21]  Ran Canetti,et al.  Perfectly one-way probabilistic hash functions (preliminary version) , 1998, STOC '98.

[22]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[23]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[24]  Richard J. Lipton,et al.  Algorithms for Black-Box Fields and their Application to Cryptography (Extended Abstract) , 1996, CRYPTO.

[25]  Dan Suciu,et al.  Journal of the ACM , 2006 .

[26]  SahaiAmit,et al.  A complete problem for statistical zero knowledge , 2003 .

[27]  Oded Goldreich,et al.  Foundations of Cryptography: Basic Tools , 2000 .

[28]  Moni Naor,et al.  Magic Functions: In Memoriam: Bernard M. Dwork 1923--1998 , 2003, JACM.

[29]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[30]  Lane A. Hemaspaandra,et al.  Lower bounds and the hardness of counting properties , 2004, Theor. Comput. Sci..

[31]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[32]  Oded Goldreich Foundations of Cryptography: Index , 2001 .

[33]  Hoeteck Wee,et al.  On obfuscating point functions , 2005, STOC '05.

[34]  Luca Trevisan,et al.  Lower bounds on the efficiency of generic cryptographic constructions , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[35]  Vitaly Shmatikov,et al.  Obfuscated databases and group privacy , 2005, CCS '05.

[36]  Ronald L. Rivest,et al.  ON DATA BANKS AND PRIVACY HOMOMORPHISMS , 1978 .

[37]  Ran Canetti,et al.  Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information , 1997, CRYPTO.

[38]  Frank Stephan,et al.  Looking for an Analogue of Rice's Theorem in Circuit Complexity Theory , 1997, Math. Log. Q..

[39]  Oded Goldreich,et al.  Foundations of Cryptography: List of Figures , 2001 .

[40]  Umesh V. Vazirani,et al.  An Introduction to Computational Learning Theory , 1994 .

[41]  Markus G. Kuhn,et al.  Information hiding-a survey , 1999, Proc. IEEE.

[42]  Yael Tauman Kalai,et al.  On the impossibility of obfuscation with auxiliary input , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[43]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[44]  Frank Stephan,et al.  Looking for an Analogue of Rice's Theorem in Circuit Complexity Theory , 2000 .

[45]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[46]  Michael Luby,et al.  How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract) , 1986, CRYPTO.

[47]  Moni Naor,et al.  Magic functions , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[48]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[49]  Dennis Hofheinz,et al.  Obfuscation for Cryptographic Purposes , 2007, Journal of Cryptology.

[50]  Amit Sahai,et al.  Can Statistical Zero Knowledge Be Made Non-interactive? or On the Relationship of SZK and NISZK , 1998, CRYPTO.

[51]  Dennis Hofheinz,et al.  Obfuscation for Cryptographic Purposes , 2007, TCC.

[52]  Satoshi Hada,et al.  Zero-Knowledge and Code Obfuscation , 2000, ASIACRYPT.

[53]  Joan Feigenbaum,et al.  Distributed Computing and Cryptography , 1991 .

[54]  Jonathan Katz,et al.  Complete characterization of security notions for probabilistic private-key encryption , 2000, STOC '00.

[55]  Abhi Shelat,et al.  Securely Obfuscating Re-encryption , 2007, TCC.

[56]  S. Rajsbaum Foundations of Cryptography , 2014 .

[57]  Amit Sahai,et al.  On the (im)possibility of obfuscating programs , 2001, JACM.

[58]  Eitan M. Gurari,et al.  Introduction to the theory of computation , 1989 .

[59]  Robert E. Tarjan,et al.  Robustness and Security of Digital Watermarks , 1998, Financial Cryptography.