On Best-Possible Obfuscation

An obfuscator is a compiler that transforms any program (which we will view in this work as a boolean circuit) into an obfuscated program (also a circuit) that has the same input-output functionality as the original program, but is “unintelligible”. Obfuscation has applications for cryptography and for software protection. Barak et al. (CRYPTO 2001, pp. 1–18, 2001) initiated a theoretical study of obfuscation, which focused on black-box obfuscation, where the obfuscated circuit should leak no information except for its (black-box) input-output functionality. A family of functionalities that cannot be obfuscated was demonstrated. Subsequent research has shown further negative results as well as positive results for obfuscating very specific families of circuits, all with respect to black-box obfuscation. This work is a study of a new notion of obfuscation, which we call best-possible obfuscation. Best-possible obfuscation makes the relaxed requirement that the obfuscated program leaks as little information as any other program with the same functionality (and of similar size). In particular, this definition allows the program to leak information that cannot be obtained from a black box. Best-possible obfuscation guarantees that any information that is not hidden by the obfuscated program is also not hidden by any other similar-size program computing the same functionality, and thus the obfuscation is (literally) the best possible. In this work we study best-possible obfuscation and its relationship to previously studied definitions. Our main results are: (1) A separation between black-box and best-possible obfuscation. We show a natural obfuscation task that can be achieved under the best-possible definition, but cannot be achieved under the black-box definition. (2) A hardness result for best-possible obfuscation, showing that strong (information-theoretic) best-possible obfuscation implies a collapse in the Polynomial-Time Hierarchy. (3) An impossibility result for efficient best-possible (and black-box) obfuscation in the presence of random oracles. This impossibility result uses a random oracle to construct hard-to-obfuscate circuits, and thus it does not imply impossibility in the standard model.
