Abstract
The dream of software obfuscation is to take programs, as they are, and then generically compile them into obfuscated versions that hide their secret inner workings. In this work we investigate notions of obfuscations weaker than virtual black-box (\(\textsf{VBB} \)) but which still allow obfuscating cryptographic primitives preserving their original functionalities as much as possible.
In particular, we propose two new notions of obfuscation, which we call oracle-differing-input obfuscation (\(\textsf{odiO} \)) and oracle-indistinguishability obfuscation (\(\textsf{oiO} \)). In a nutshell, \(\textsf{odiO} \) is a natural strengthening of differing-input obfuscation (\(\textsf{diO} \)) and allows obfuscating programs for which it is hard to find a differing input when given only oracle access to the programs. An \(\textsf{oiO} \) obfuscator allows one to obfuscate programs that are hard to distinguish when treated as oracles.
We then show applications of these notions, as well as positive and negative results around them. A few highlights include:
- Our new notions are weaker than \(\textsf{VBB} \) and stronger than \(\textsf{diO} \).
- As is the case for \(\textsf{VBB} \), we show that there exist programs that cannot be obfuscated with \(\textsf{odiO} \) or \(\textsf{oiO} \).
- Our new notions allow one to generically compile several flavours of secret-key primitives (e.g., SKE, MAC, designated-verifier NIZK) into their public-key equivalents (e.g., PKE, signatures, publicly verifiable NIZK) while preserving one of the algorithms of the original scheme (function-preserving) or the structure of their outputs (format-preserving).
Notes
1. Note that a function-preserving transformation is also format-preserving. This is because the former does not modify the algorithms of the original primitive; hence, the format of the output is preserved by definition.
2. As for straight-line knowledge soundness, we do not consider succinctness (i.e., we do not cover \(\textsf{dv}\text {-}\textsf{SNARG}\)/\(\textsf{pv}\text {-}\textsf{SNARG}\)) since, in order to have straight-line extraction, the size of the proof is proportional to the size of the witness.
3. We will elaborate on this later, but intuitively this is because the obfuscated program will use the puncturable PRF to generate a fresh symmetric key for each different input (e.g., messages, initialization vectors). Hence, on decryption/verification, the receiver needs to evaluate the same PRF in order to recompute the symmetric key used to decrypt/verify a particular ciphertext/signature.
4. Note that Barak et al. [8] demonstrate the impossibility of transforming an SKE into a PKE (through the obfuscation of its encryption algorithm \(\textsf{Enc}({\textsf{k}},\cdot )\)) by building a (contrived) secure SKE that, after applying the transformation, yields an insecure PKE. However, their contrived SKE is not key indistinguishable. For this reason, in order to prove the impossibility of our \(\textsf{oiO} \)-based transformation (5) (from key-indistinguishable SKE to PKE) we need to rework their result.
5. This follows the same spirit as the UCE framework proposed by Bellare et al. [9], which allows one to identify which property of the random oracle model (ROM) is needed to imply security of the (ROM-based) construction.
6. The rest of the input besides the key is irrelevant for this discussion.
7. In particular, soundness (of the underlying designated-verifier non-interactive proof system) must hold even if the adversary has oracle access to the verification algorithm. The latter is essential during the reduction to simulate the input-output behavior of the two circuits (treated as oracles). Hence, our transformation does not apply to non-interactive proof systems that suffer from the so-called verifier rejection problem, i.e., where giving oracle access to the verifier allows the adversary to break soundness.
8. Although the construction is the same, the sampler required to prove knowledge soundness is different.
9. If, instead of generating \(\textsf{iv}\) using the first PRF, we allow the circuit to take \(\textsf{iv}\) directly as input, then the PKE (output by the transformation) is trivially broken. This is because (following the syntax of the \(\textsf{IV}\)-based SKE) \(\textsf{iv}\) is included in the ciphertext. Hence, an adversary can break the selective IND-CPA security of the compiled PKE simply by re-encrypting a message using the \(\textsf{iv}\) included in the challenge ciphertext.
10. Recall that \(|C_0| = |C_1|\) by definition of sampler (Definition 3.1).
11. For instance, we can have that \(\textsf{S}_{b}\) only outputs circuits whose description starts with a bit b, and that \(\textsf{Obf}_b\) rejects any circuit whose description starts with the bit \(1-b\).
12. Otherwise, if \(\textsf{S}\in \mathcal {S}_{\textsf{odiO}}\), there exists a \((\{\textsf{S}\})\)-\(\textsf{odiO} \)-obfuscator that in turn is also a \((\{\textsf{S}\})\)-\(\textsf{diO} \)-obfuscator.
13. Indeed, any PPT obfuscator \(\textsf{Obf}\) that satisfies correctness and polynomial slowdown is a \((\{\textsf{S}\})\)-\(\textsf{odiO} \)-obfuscator (resp. \((\{\textsf{S}\})\)-\(\textsf{oiO} \)-obfuscator), e.g., \(\textsf{Obf}\) is the identity function or \(\textsf{Obf}\) is an \(\textsf{iO} \)-obfuscator.
References
Ananth, P., Boneh, D., Garg, S., Sahai, A., Zhandry, M.: Differing-inputs obfuscation and applications. IACR Cryptol. ePrint Arch. 2013, 689 (2013)
Ananth, P., Jain, A., Lin, H., Matt, C., Sahai, A.: Indistinguishability obfuscation without multilinear maps: new paradigms via low degree weak pseudorandomness and security amplification. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 284–332. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_10
Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 308–326. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_15
Ananth, P., Jain, A., Sahai, A.: Indistinguishability obfuscation from functional encryption for simple functions. Cryptology ePrint Archive (2015)
Barak, B., Bitansky, N., Canetti, R., Kalai, Y.T., Paneth, O., Sahai, A.: Obfuscation for evasive functions. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 26–51. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_2
Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_13
Barak, B., et al.: On the (Im)Possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Barak, B., et al.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 1–48 (2012)
Bellare, M., Hoang, V.T., Keelveedhi, S.: Instantiating random oracles via UCEs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 398–415. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_23
Bellare, M., Stepanovs, I., Tessaro, S.: Poly-many hardcore bits for any one-way function and a framework for differing-inputs obfuscation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 102–121. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_6
Bellare, M., Stepanovs, I., Waters, B.: New negative results on differing-inputs obfuscation. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 792–821. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_28
Bitansky, N., Canetti, R.: On strong simulation and composable point obfuscation. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 520–537. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_28
Bitansky, N., et al.: The impossibility of obfuscation with auxiliary input or a universal simulator. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 71–89. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_5
Bitansky, N., Canetti, R., Kalai, Y.T., Paneth, O.: On virtual grey box obfuscation for general circuits. Algorithmica 79(4), 1014–1051 (2017)
Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation from functional encryption. In: 2015 IEEE 56th Annual Symposium on Foundations of Computer Science (FOCS), pp. 171–190. IEEE Computer Society (2015)
Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation from functional encryption. J. ACM (JACM) 65(6), 1–37 (2018)
Boyle, E., Chung, K.-M., Pass, R.: On extractability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 52–73. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_3
Boyle, E., Pass, R.: Limits of extractability assumptions with distributional auxiliary input. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 236–261. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_10
Brakerski, Z., Döttling, N., Garg, S., Malavolta, G.: Candidate iO from homomorphic encryption schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 79–109. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_4
Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 1–25. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_1
Campanelli, M., Francati, D., Orlandi, C.: Structure-preserving compilers from new notions of obfuscations. Cryptology ePrint Archive, Paper 2022/732 (2022). https://eprint.iacr.org/2022/732
Canetti, R., Kalai, Y.T., Paneth, O.: On obfuscation with random oracles. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 456–467. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_18
Canetti, R., Rothblum, G.N., Varia, M.: Obfuscation of hyperplane membership. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 72–89. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_5
Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_5
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 2013 IEEE 54th Annual Symposium on Foundations of Computer Science (FOCS), pp. 40–49. IEEE Computer Society (2013)
Garg, S., Gentry, C., Halevi, S., Wichs, D.: On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. Algorithmica 79(4), 1353–1373 (2017)
Garg, S., Mahmoody, M., Mohammed, A.: When does functional encryption imply obfuscation? In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 82–115. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_4
Gay, R., Pass, R.: Indistinguishability obfuscation from circular security. In: Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, pp. 736–749 (2021)
Goldwasser, S., Kalai, Y.T.: On the impossibility of obfuscation with auxiliary input. In: 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS2005), pp. 553–562. IEEE (2005)
Goldwasser, S., Kalai, Y.T.: A note on the impossibility of obfuscation with auxiliary input. IACR Cryptol. ePrint Arch. 2013, 665 (2013)
Goldwasser, S., Rothblum, G.N.: On best-possible obfuscation. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 194–213. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_11
Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. In: 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS), pp. 612–621. IEEE (2017)
Ishai, Y., Pandey, O., Sahai, A.: Public-coin differing-inputs obfuscation and its applications. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 668–697. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_26
Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. In: Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, pp. 60–73 (2021)
Lin, H., Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation with non-trivial efficiency. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 447–462. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_17
Lynn, B., Prabhakaran, M., Sahai, A.: Positive results and techniques for obfuscation. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 20–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_2
Mahmoody, M., Mohammed, A., Nematihaji, S.: On the impossibility of virtual black-box obfuscation in idealized models. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 18–48. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_2
Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semantically-secure multilinear encodings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 500–517. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_28
Pass, R., Shelat, A.: Impossibility of VBB obfuscation with ideal constant-degree graded encodings. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 3–17. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_1
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Proceedings of the Forty-Sixth Annual ACM Symposium on Theory of Computing, pp. 475–484 (2014)
Shacham, H., Waters, B.: Compact proofs of retrievability. J. Cryptol. 26(3), 442–483 (2013)
Wee, H.: On obfuscating point functions. In: Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, pp. 523–532 (2005)
Wee, H., Wichs, D.: Candidate obfuscation via oblivious LWE sampling. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12698, pp. 127–156. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77883-5_5
Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. In: 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS), pp. 600–611. IEEE (2017)
Acknowledgments
The authors would like to thank the anonymous reviewers for useful feedback. The research described in this paper received funding from: the Concordium Blockchain Research Center, Aarhus University, Denmark; the Carlsberg Foundation under the Semper Ardens Research Project CF18-112 (BCM); the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme under grant agreement No 803096 (SPEC).
Copyright information
© 2023 International Association for Cryptologic Research
Cite this paper
Campanelli, M., Francati, D., Orlandi, C. (2023). Structure-Preserving Compilers from New Notions of Obfuscations. In: Boldyreva, A., Kolesnikov, V. (eds) Public-Key Cryptography – PKC 2023. PKC 2023. Lecture Notes in Computer Science, vol 13941. Springer, Cham. https://doi.org/10.1007/978-3-031-31371-4_23
DOI: https://doi.org/10.1007/978-3-031-31371-4_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-31370-7
Online ISBN: 978-3-031-31371-4