2012, Journal of the ACM
Informally, an obfuscator O is an (efficient, probabilistic) "compiler" that takes as input a program (or circuit) P and produces a new program O(P ) that has the same functionality as P yet is "unintelligible" in some sense. Obfuscators, if they exist, would have a wide variety of cryptographic and complexity-theoretic applications, ranging from software protection to homomorphic encryption to complexity-theoretic analogues of Rice's theorem. Most of these applications are based on an interpretation of the "unintelligibility" condition in obfuscation as meaning that O(P ) is a "virtual black box," in the sense that anything one can efficiently compute given O(P ), one could also efficiently compute given oracle access to P .
2018
Every known construction of general indistinguishability obfuscation (\(\mathsf {i}\mathcal {O}\)) is either based on a family of exponentially many assumptions, or is based on a single assumption – e.g. functional encryption (\(\mathsf {FE}\)) – using a reduction that incurs an exponential loss in security. This seems to be an inherent limitation if we insist on providing indistinguishability for any pair of functionally equivalent circuits.
Lecture Notes in Computer Science, 2009
Existing definitions of program obfuscation do not rule out malleability attacks, where an adversary that sees an obfuscated program is able to generate another (potentially obfuscated) program that is related to the original one in some way.
Obfuscation, the task of compiling circuits or programs to make the internal computation unintelligible while preserving input/output functionality, has become an object of central focus in the cryptographic community. A work of Garg et al. [FOCS 2013] gave the first candidate obfuscator for general polynomial-size circuits, and led to several other works constructing candidate obfuscators. Each of these constructions is built upon another cryptographic primitive called a multilinear map, or alternatively a graded encoding scheme. Several of these candidates have been shown to achieve the strongest notion of security (virtual black-box, or VBB) against "purely algebraic" attacks in a model that we call the fully-restricted graded encoding model. In this model, each operation performed by an adversary is required to obey the algebraic restrictions of the graded encoding scheme. These restrictions essentially impose strong forms of homogeneity and multilinearity on the allowed polynomials. While important, the scope of the security proofs is limited by the stringency of these restrictions. We propose and analyze another variant of the Garg et al. obfuscator in a setting that imposes fewer restrictions on the adversary, which we call the arithmetic setting. This setting captures a broader class of attacks than considered in previous works. We also explore connections between notions of obfuscation security and longstanding questions in arithmetic circuit complexity. Our results include the following.
Advances in Cryptology – EUROCRYPT 2016, 2016
Recent devastating attacks by Cheon et al. [Eurocrypt'15] and others have highlighted significant gaps in our intuition about security in candidate multilinear map schemes, and in candidate obfuscators that use them. The new attacks, and some that were previously known, are typically called "zeroizing" attacks because they all crucially rely on the ability of the adversary to create encodings of 0. In this work, we initiate the study of post-zeroizing obfuscation, and we obtain a key new mathematical tool to analyze security in a post-zeroizing world. Our new mathematical tool allows for analyzing polynomials constructed by the adversary when given encodings of randomized matrices arising from a general matrix branching program. This technique shows that the types of encodings an adversary can create are much more restricted than was previously known, and is a crucial step toward achieving post-zeroizing security. We also believe the technique is of independent interest, as it yields efficiency improvements for existing schemes; these efficiency improvements have already found application in other settings. Finally, we show how to apply our new mathematical tool to the special case of evasive functions. We show that our obfuscator survives all known attacks on the underlying multilinear maps, by proving that no top-level encodings of 0 can be created by a generic-model adversary. Previous obfuscators (for both evasive and general functions) were either analyzed in a less-conservative "pre-zeroizing" model that does not capture recent attacks, or were proved secure relative to assumptions that no longer have any plausible instantiation due to zeroizing attacks.
IACR Cryptol. ePrint Arch., 2015
We introduce a new, instance-based notion of indistinguishability obfuscation, called computation-trace indistinguishability obfuscation (CiO), for (parallel) RAM computation. CiO only obfuscates a fixed, single computation instance, as opposed to iO which obfuscates a function on all input instances. Specifically, for Π defined by (P, x) consisting of a (parallel) RAM program P and an input x, the obfuscations of two instances Π and Π′ are required to be indistinguishable only when the execution of Π and Π′ generate an identical computation trace; namely, identical sequences of CPU states and memory content. On the other hand, we require the obfuscation to be (i) fully succinct: the runtime of the obfuscator (and thus the size of the obfuscated instance) depends only on the description and input/output size of Π, but is independent of the time and space complexities of Π, and (ii) efficiency preserving: the obfuscated instance is a (parallel) RAM program that preserves parallel/tot...
Foundations and Practice of Security, 2019
Under intractability assumptions commonly used in cryptography, we show an efficient program obfuscator for large classes of programs, including any arbitrary monotone formula over statements expressed as equalities to a secret. Previously, only a handful of individual functions were known to have such program obfuscators. This result has both theoretical and practical relevance. On the theoretical side, it significantly increases the class of functions that are known to have a cryptographically secure program obfuscator, and it shows that general-purpose program obfuscation results do exist with at least some level of generality, despite the likely impossibility, proved in [2], of achieving a related notion of obfuscation for any arbitrary polynomial-time program. On the practical side, there are many computational programs that can be expressed as monotone formulae over equality statements, and these can now be securely obfuscated. Our most foundational contribution is a new type of obfuscation: protecting the privacy of the formula gates, and thus of much of the computation carried out by the program, in addition to the privacy of secrets used by the program. Previous program obfuscators only targeted the privacy of secrets used by the program.
IACR Cryptol. ePrint Arch., 2015
Recent devastating attacks by Cheon et al. [Eurocrypt’15] and others have highlighted significant gaps in our intuition about security in candidate multilinear map schemes, and in candidate obfuscators that use them. The new attacks, and some that were previously known, are typically called “zeroizing” attacks because they all crucially rely on the ability of the adversary to create encodings of 0. In this work, we initiate the study of post-zeroizing obfuscation, and we present a construction for the special case of evasive functions. We show that our obfuscator survives all known attacks on the underlying multilinear maps, by proving that no encodings of 0 can be created by a generic-model adversary. Previous obfuscators (for both evasive and general functions) were either analyzed in a less-conservative “pre-zeroizing” model that does not capture recent attacks, or were proved secure relative to assumptions that are now known to be false. To prove security, we introduce a new tec...
Lecture Notes in Computer Science, 2021
In this work, we study the question of what set of simple-to-state assumptions suffice for constructing functional encryption and indistinguishability obfuscation (iO), supporting all functions describable by polynomial-size circuits. Our work improves over the state-of-the-art work of Jain, Lin, Matt, and Sahai (Eurocrypt 2019) in multiple dimensions. New Assumption: Prior to our work, all constructions of iO from simple assumptions required novel pseudorandomness generators involving LWE samples and constant-degree polynomials over the integers, evaluated on the error of the LWE samples. In contrast, Boolean pseudorandom generators (PRGs) computable by constant-degree polynomials have been extensively studied since the work of Goldreich (2000). (Goldreich and follow-up works study Boolean pseudorandom generators with constant locality, which can be computed by constant-degree polynomials.) We show how to replace the novel pseudorandom objects over the integers used in previous works with appropriate Boolean pseudorandom generators with sufficient stretch, when combined with LWE with binary error over suitable parameters. Both binary-error LWE and constant-degree Goldreich PRGs have been the subject of extensive cryptanalysis since well before our work, and thus we back the plausibility of our assumption with security against the algorithms studied in the context of cryptanalysis of these objects. New Techniques: we introduce a number of new techniques:
We study the relationship between obfuscation and white-box cryptography. We capture the requirements of any white-box primitive using a \emph{White-Box Property (WBP)} and give some negative/positive results. Loosely speaking, the WBP is defined for some scheme and a security notion (we call the pair a \emph{specification}), and implies that w.r.t. the specification, an obfuscation does not leak any ``useful'' information, even though it may leak some ``useless'' non-black-box information. Our main result is a negative one - for most interesting programs, an obfuscation (under \emph{any} definition) cannot satisfy the WBP for every specification in which the program may be present. To do this, we define a \emph{Universal White-Box Property (UWBP)}, which if satisfied, would imply that under \emph{whatever} specification we conceive, the WBP is satisfied. We then show that for every non-approximately-learnable family, there exist (contrived) specifications for which ...
Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 2014
In this work, we seek to optimize the efficiency of secure general-purpose obfuscation schemes. We focus on the problem of optimizing the obfuscation of Boolean formulas and branching programs; this corresponds to optimizing the "core obfuscator" from the work of Garg, Gentry, Halevi, Raykova, Sahai, and Waters (FOCS 2013), and all subsequent works constructing general-purpose obfuscators. This core obfuscator builds upon approximate multilinear maps, where efficiency in proposed instantiations is closely tied to the maximum number of "levels" of multilinearity required. The most efficient previous construction of a core obfuscator, due to Barak, Garg, Kalai, Paneth, and Sahai (Eurocrypt 2014), required the maximum number of levels of multilinearity to be O(s^3.64), where s is the size of the Boolean formula to be obfuscated, and is the number of input bits to the formula. In contrast, our construction only requires the maximum number of levels of multilinearity to be roughly s, or only s when considering a keyed family of formulas, namely a class of functions of the form f_z(x) = φ(z, x) where φ is a formula of size s. This results in significant improvements in both the total size of the obfuscation and the running time of evaluating an obfuscated formula. Our efficiency improvement is obtained by generalizing the class of branching programs that can be directly obfuscated. This generalization allows us to achieve a simple simulation of
2016 International Conference on High Performance Computing & Simulation (HPCS), 2016
Point function obfuscators have recently been shown to be the first examples of program obfuscators provable under hardness assumptions commonly used in cryptography. This is remarkable, in light of early results in this area, showing impossibility of a single obfuscation solution for all programs. Point functions can be seen as functions that return 1 if the input value is equal to a secret value stored in the program, and 0 otherwise. In this paper, we select representative point function obfuscators from the literature, state their theoretical guarantees, and report on their (slightly) optimized implementations. We show that implementations of point function obfuscators, satisfying different obfuscation notions, can be used with practical performance guarantees. Notable results due to our design and implementation optimizations are very fast obfuscators based on group theory, and obfuscators based on lattice theory with running time below 10 seconds.
Proceedings of the 12th International Conference on Security and Cryptography, 2015
The main problem in designing effective code obfuscation is to guarantee security. State-of-the-art obfuscation techniques rely on an unproven concept of security, and therefore are not regarded as provably secure. In this paper, we undertake a theoretical investigation of code obfuscation security based on Kolmogorov complexity and algorithmic mutual information. We introduce a new definition of code obfuscation that requires the algorithmic mutual information between a code and its obfuscated version to be minimal, allowing for a controlled amount of information to be leaked to an adversary. We argue that our definition avoids the impossibility results of Barak et al. and is more advantageous than the obfuscation indistinguishability definition, in the sense that it is more intuitive, and is algorithmic rather than probabilistic.
IEICE Transactions on Fundamentals, Vol.E86-A
Software obfuscation is a promising approach to protect intellectual property rights and secret information of software in untrusted environments. Unfortunately, previous software obfuscation techniques share a major drawback: they do not have a theoretical basis, and thus it is unclear how effective they are. Therefore we propose new software obfuscation techniques in this paper. The techniques are based on the difficulty of interprocedural analysis of software programs. The essence of our obfuscation techniques is a new complexity problem: precisely determining the address a function pointer points to in the presence of arrays of function pointers. We show that the problem is NP-hard, and this fact provides a theoretical basis for our obfuscation techniques. Furthermore, we have already implemented a prototype tool that obfuscates C programs according to our proposed techniques, and in this paper we describe the implementation and discuss the experimental results.
2017
Privacy for arbitrary encrypted remote computation in the cloud is known to be equivalent to security of the runtime data on the server against the operator in the computer room as an adversary. This paper shows mathematically that this is achieved on any platform running an appropriate machine code architecture, given the 'obfuscating' compiler described. Semantic security of the runtime data is obtained, modulo the encryption, because the instruction set permits arbitrary interpretations of the circulating data for any given object code and the compiler generates object codes that exercise all the possibilities with uniformly distributed probability.
Journal of Computer and System Sciences, 1989
Advances in Cryptology – CRYPTO 2019, 2019
This paper is a merge of two independent works, one by Ananth, Jain, and Sahai [AJS18], and the other by Lin and Matt [LM18].
5. Note that this does not necessarily mean that the resulting iO constructions are insecure; in particular, there have been efforts (e.g., [GMM+16b]) in constructing iO in more complex security models for multilinear maps (e.g. [MSZ16]) that have resisted polynomial-time attacks. There have also been several other iO candidates proposed which are not known to be polynomial-time broken (e.g. [CVW18, BGMZ18]).
6. A function has locality if every output element depends on at most input elements.
7. The attacks actually leave open a very small window of expansion. Nevertheless, they have weakened our confidence in the security of PRGs with block-locality 2.
8. n, m, p are parameterized by the security parameter λ
IACR Cryptology ePrint Archive, 2016
Over the last few years a new breed of cryptographic primitives has arisen: on one hand they have previously unimagined utility, and on the other hand they are not based on simple-to-state and tried-out assumptions. With the ongoing study of these primitives, we are left with several different candidate constructions, each based on a different, not-easy-to-express mathematical assumption, where some even turn out to be insecure. A combiner for a cryptographic primitive takes several candidate constructions of the primitive and outputs one construction that is as good as any of the input constructions. Furthermore, this combiner must be efficient: the resulting construction should remain polynomial-time even when combining polynomially many candidates. Combiners are especially important for a primitive where there are several competing constructions whose security is hard to evaluate, as is the case for indistinguishability obfuscation (IO) and witness encryption (WE). One place where the need for combiners appears is in the design of a universal construction, where one wishes to find "one construction to rule them all": an explicit construction that is secure if any construction of the primitive exists. In a recent paper, Goldwasser and Kalai posed as a challenge finding universal constructions for indistinguishability obfuscation and witness encryption. In this work we resolve this issue: we construct universal schemes for IO and for witness encryption, and also resolve the existence of combiners for these primitives along the way. For IO, our universal construction and combiners can be built based on either assuming DDH or assuming LWE, with security against subexponential adversaries. For witness encryption, we need only one-way functions secure against polynomial-time adversaries.
Lecture Notes in Computer Science, 2016
Obfuscation is challenging; we currently have practical candidates with rather vague security guarantees on the one side, and theoretical constructions which have recently experienced jeopardizing attacks against the underlying cryptographic assumptions on the other side. This motivates us to study and present robust combiners for obfuscators, which integrate several candidate obfuscators into a single obfuscator which is secure as long as a quorum of the candidates is indeed secure. We give several results about building obfuscation combiners, with matching upper and lower bounds for the precise quorum of secure candidates. Namely, we show that one can build 3-out-of-4 obfuscation combiners where at least three of the four candidates are secure, whereas 2-out-of-3 structural combiners (which combine the obfuscator candidates in a black-box sense) with only two secure candidates are impossible. Our results generalize to (2γ + 1)-out-of-(3γ + 1) combiners for the positive result, and to 2γ-out-of-3γ results for the negative result, for any integer γ. To reduce overhead, we define detecting combiners, where the combined obfuscator may sometimes produce an error indication instead of the desired output, indicating that some of the component obfuscators are faulty. We present a (γ + 1)-out-of-(2γ + 1) detecting combiner for any integer γ, bypassing the previous lower bound. We further show that γ-out-of-2γ structural detecting combiners are again impossible. Since our approach can be used for practical obfuscators, as well as for obfuscators proven secure (based on assumptions), we also briefly report on implementation results for some applied obfuscator programs.
Proceedings of the forty-sixth annual ACM symposium on Theory of computing, 2014
We introduce a new technique, that we call punctured programs, to apply indistinguishability obfuscation towards cryptographic problems. We use this technique to carry out a systematic study of the applicability of indistinguishability obfuscation to a variety of cryptographic goals. Along the way, we resolve the 16-year-old open question of Deniable Encryption, posed by Canetti, Dwork, Naor, and Ostrovsky in 1997: In deniable encryption, a sender who is forced to reveal to an adversary both her message and the randomness she used for encrypting it should be able to convincingly provide "fake" randomness that can explain any alternative message that she would like to pretend that she sent. We resolve this question by giving the first construction of deniable encryption that does not require any pre-planning by the party that must later issue a denial. In addition, we show the generality of our punctured programs technique by also constructing a variety of core cryptographic objects from indistinguishability obfuscation and one-way functions (or close variants). In particular we obtain: public key encryption, short "hash-and-sign" selec-
The Second International Conference on Availability, Reliability and Security (ARES'07), 2007
The de facto standard program obfuscation security model, termed the virtual black box (VBB), declares a program to be securely obfuscated if and only if an adversary can prove no more when given the obfuscated code than it can when only given oracle access to the original program. In this paper, we define and give methodology for a perfectly secure program intent obfuscation that is general and practical for bounded input-size programs, including those with input/output relationships that are easily learned. We also lay foundations for how to embed a key securely in a private-key encryption setting using such constructions.