On the impossibility of approximate obfuscation and applications to resettable cryptography

The traditional notion of program obfuscation requires that an obfuscation ~Prog of a program Prog compute exactly the same function as Prog, but beyond that, the code of ~Prog should not leak any information about Prog. This strong notion of virtual black-box security was shown by Barak et al. (CRYPTO 2001) to be impossible to achieve for certain unobfuscatable function families. The same work raised the question of approximate obfuscation, where the obfuscated ~Prog is only required to approximate Prog; that is, ~Prog need only agree with Prog with high enough probability on some input distribution. We show that, assuming trapdoor permutations, there exist families of robust unobfuscatable functions for which even approximate obfuscation is impossible. Specifically, obfuscation is impossible even if the obfuscated ~Prog is only required to agree with Prog with probability slightly more than 1/2 on a uniformly sampled input (below 1/2 agreement, the function obfuscated by ~Prog is not uniquely defined). Additionally, assuming only one-way functions, we rule out approximate obfuscation where ~Prog may output ⊥ with probability close to 1, but must otherwise agree with Prog. We demonstrate the power of robust unobfuscatable functions by exhibiting new implications for resettable protocols. Concretely, we reduce the assumptions required for resettably-sound zero-knowledge to one-way functions, and we also reduce the round complexity. We also present a new, simplified construction of a simultaneously-resettable zero-knowledge protocol. Finally, we construct a three-message simultaneously-resettable witness-indistinguishable argument of knowledge (with a non-black-box knowledge extractor). Our constructions use a new non-black-box simulation technique based on a special kind of "resettable slot". These slots are useful to a non-black-box simulator but not to a resetting prover.
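As an added illustration (this is not code from the paper, and it is not the paper's robust construction), the following Python toy models the classic unobfuscatable family of Barak et al.: Prog is a point function C_{α,β} packaged with a checker D_{α,β,s} that releases the secret s to any program mapping α to β. Feeding any functionally equivalent ~Prog to itself recovers s, which is the exact-obfuscation impossibility. The same toy also shows why approximation changes the picture: a ~Prog that agrees with Prog on every data input except the single point α (agreement 1 - 2^-n) defeats this extractor, and closing that gap is what the paper's robust unobfuscatable functions are for. The input encoding (ints for data inputs, callables for program inputs), the values of α, β and s, and the one-point error are constructed assumptions for the demo.

```python
"""Toy Barak et al. (CRYPTO 2001) style unobfuscatable family.

Constructed example, not code from the paper. Inputs are either ints in
[0, 2**n) (the "data" half of the domain) or callables (the "program" half):
  C_{a,b}(x)   = b if x == a, else 0
  D_{a,b,s}(P) = s if P(a) == b, else 0
"""

from typing import Callable, Union

Input = Union[int, Callable]


def make_family(alpha: int, beta: int, secret: int) -> Callable[[Input], int]:
    """Return Prog = (C_{alpha,beta}, D_{alpha,beta,secret}) as one callable."""
    def prog(x: Input) -> int:
        if callable(x):
            # D half: does the supplied program map alpha to beta?
            try:
                return secret if x(alpha) == beta else 0
            except Exception:  # a misbehaving program earns nothing
                return 0
        # C half: point function on data inputs.
        return beta if x == alpha else 0
    return prog


def extract_secret(tilde_prog: Callable[[Input], int]) -> int:
    """The generic adversary: feed the code of ~Prog to ~Prog itself.
    Works against any ~Prog that computes the same function as Prog."""
    return tilde_prog(tilde_prog)


def data_agreement(f: Callable, g: Callable, n: int) -> float:
    """Fraction of the 2**n data inputs on which f and g agree."""
    total = 2 ** n
    return sum(f(x) == g(x) for x in range(total)) / total


def exact_obfuscation(prog: Callable) -> Callable:
    """Stand-in for any obfuscator output that is functionally equivalent."""
    return lambda x: prog(x)


def approximate_obfuscation(prog: Callable, alpha: int) -> Callable:
    """A program that agrees with prog everywhere except the single data
    point alpha (assumed here to be the one point it gets wrong).  Its
    agreement on uniform n-bit inputs is 1 - 2**-n, yet it breaks the
    self-feeding extractor above."""
    def tilde(x: Input) -> int:
        if not callable(x) and x == alpha:
            return prog(x) ^ 1  # flip one bit of beta on the critical point
        return prog(x)
    return tilde


if __name__ == "__main__":
    n = 8
    alpha, beta, secret = 0xA5, 0x3C, 0xDEADBEEF  # constructed values
    prog = make_family(alpha, beta, secret)

    exact = exact_obfuscation(prog)
    print("exact obfuscation leaks secret:", hex(extract_secret(exact)))

    approx = approximate_obfuscation(prog, alpha)
    print("approximate agreement on data inputs:", data_agreement(prog, approx, n))
    print("extractor output against approximate ~Prog:", extract_secret(approx))
```

The point of the second run is the one the abstract makes: with this family, agreement of 255/256 is enough to hide s, so the impossibility of exact obfuscation says nothing about approximate obfuscation; ruling that out at agreement just above 1/2 requires the robust families the paper builds.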

[1] Adi Shamir et al. Witness indistinguishable and witness hiding protocols, 1990, STOC '90.

[2] Oded Goldreich et al. Foundations of Cryptography: Basic Tools, 2000.

[3] Kai-Min Chung et al. Simultaneous Resettable WI from One-way Functions, 2013, IACR Cryptol. ePrint Arch.

[4] Adi Shamir et al. Zero Knowledge Proofs of Knowledge in Two Rounds, 1989, CRYPTO.

[5] Rafail Ostrovsky et al. Simultaneous Resettability from Collision Resistance, 2012, Electron. Colloquium Comput. Complex.

[6] Moni Naor et al. Zaps and their applications, 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science (FOCS).

[7] Ben Adida et al. How to Shuffle in Public, 2007, TCC.

[8] Guy N. Rothblum et al. On Best-Possible Obfuscation, 2007, Journal of Cryptology.

[9] Nir Bitansky et al. From the Impossibility of Obfuscation to a New Non-Black-Box Simulation Technique, 2012, 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science (FOCS).

[10] Oded Goldreich et al. How to construct constant-round zero-knowledge proof systems for NP, 1996, Journal of Cryptology.

[11] Ivan Damgård et al. On the Existence of Bit Commitment Schemes and Zero-Knowledge Proofs, 1989, CRYPTO.

[12] Joe Kilian et al. On the Concurrent Composition of Zero-Knowledge Proofs, 1999, EUROCRYPT.

[13] Amit Sahai et al. On the (im)possibility of obfuscating programs, 2001, CRYPTO (full version in J. ACM, 2012).

[14] Abhi Shelat et al. Securely Obfuscating Re-Encryption, 2007, Journal of Cryptology.

[15] Nir Bitansky et al. On Strong Simulation and Composable Point Obfuscation, 2010, Journal of Cryptology.

[16] Moni Naor et al. Bit commitment using pseudorandomness, 1989, Journal of Cryptology.

[17] Hugo Krawczyk et al. On the Composition of Zero-Knowledge Proof Systems, 1990, ICALP.

[18] Leonid A. Levin et al. A hard-core predicate for all one-way functions, 1989, STOC '89.

[19] Manuel Blum. How to Prove a Theorem So No One Else Can Claim It, 1986, Proceedings of the International Congress of Mathematicians.

[20] Dennis Hofheinz et al. Obfuscation for Cryptographic Purposes, 2007, Journal of Cryptology.

[21] Amit Sahai et al. Resettably Secure Computation, 2009, EUROCRYPT.

[22] Boaz Barak. How to go beyond the black-box simulation barrier, 2001, Proceedings 42nd Annual Symposium on Foundations of Computer Science (FOCS).

[23] Amit Sahai et al. Concurrent zero knowledge with logarithmic round-complexity, 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2002. Proceedings.

[24] Amit Sahai et al. Resolving the Simultaneous Resettability Conjecture and a New Non-Black-Box Simulation Strategy, 2009, 2009 50th Annual IEEE Symposium on Foundations of Computer Science (FOCS).

[25] Dongdai Lin et al. Resettable Cryptography in Constant Rounds - the Case of Zero Knowledge, 2011, IACR Cryptol. ePrint Arch.

[26] Kai-Min Chung et al. Non-black-box simulation from one-way functions and applications to resettable security, 2013, STOC '13.

[27] Yehuda Lindell et al. Resettably-sound zero-knowledge and its applications, 2001, Proceedings 42nd Annual Symposium on Foundations of Computer Science (FOCS).

[28] Silvio Micali et al. Min-round Resettable Zero-Knowledge in the Public-Key Model, 2001, EUROCRYPT.

[29] Rafail Ostrovsky et al. Simultaneously Resettable Arguments of Knowledge, 2012, TCC.

[30] Ran Canetti et al. Resettable zero-knowledge (extended abstract), 2000, STOC '00.

[31] Ran Canetti et al. Adaptive Hardness and Composable Security in the Plain Model from Standard Assumptions, 2010, 2010 IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS).

[32] Vipul Goyal et al. Stateless Cryptographic Protocols, 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS).

[33] Manuel Blum. Coin Flipping by Telephone, 1981, CRYPTO 1981.