Black-box obfuscation explained

In cryptography, black-box obfuscation was a proposed cryptographic primitive which would allow a computer program to be obfuscated in a way such that it was impossible to determine anything about it except its input and output behavior.^[1] Black-box obfuscation has been proven to be impossible, even in principle.^[2]

Impossibility

The unobfuscatable programs

Barak et al. constructed a family of unobfuscatable programs, for which an efficient attacker can always learn more from any obfuscated code than from black-box access.^[3]

Broadly, they start by engineering a special pair of programs that cannot be obfuscated together. For some randomly selected strings

\alpha,\beta

of a fixed, pre-determined length

, define one program to be one that computes

C_\alpha,(x):=\begin{cases} \beta&ifx=\alpha\\ 0&otherwise \end{cases}

and the other program to one that computes

D_\alpha,(X):=\begin{cases} 1&ifX(\alpha)=\betaandXrunsintime\leqpoly(k)\\ 0&otherwise \end{cases}.

(Here,

D_\alpha,

interprets its input as the code for a Turing machine. The second condition in the definition of

D_\alpha,

is to prevent the function from being uncomputable.)

If an efficient attacker only has black-box access, Barak et al. argued, then the attacker only has an exponentially small chance of guessing the password

\alpha

, and so cannot distinguish the pair of programs from a pair where

C_\alpha,

is replaced by some program

that always outputs "0". However, if the attacker has access to any obfuscated implementations

C'_\alpha,,D'_\alpha,

C_\alpha,,D_\alpha,

, then the attacker will find

D'_\alpha,(C'_\alpha,)=1

with probability 1, whereas the attacker will always find

D'_\alpha,(Z)=0

unless

\beta=0

(which should happen with negligible probability). This means that the attacker can always distinguish the pair

(C'_\alpha,,D'_\alpha,)

from the pair

(Z,D'_\alpha,)

with obfuscated code access, but not black-box access. Since no obfuscator can prevent this attack, Barak et al. conclude that no black-box obfuscator for pairs of programs exists.

To conclude the argument, Barak et al. define a third program to implement the functionality of the two previous:

F_\alpha,(b,x):=\begin{cases} C_\alpha,(x)&ifb=0\\ D_\alpha,(x)&ifb=1\\ \end{cases}.

Since equivalently efficient implementations of

C_\alpha,,D_\alpha,

can be recovered from one of

F_\alpha,

by hardwiring the value of

, Barak et al. conclude that

F_\alpha,

cannot be obfuscated either, which concludes their argument.

Impossible variants of black-box obfuscation and other types of unobfuscable programs

In their paper, Barak et al. also prove the following (conditional to appropriate cryptographic assumptions):

There are unobfuscatable circuits.
There is no black-box approximate obfuscator.
There are unobfuscatable, secure, probabilistic private-key cryptosystems.
There are unobfuscatable, secure, deterministic digital signature schemes.
There are unobfuscatable, secure, deterministic message authentication schemes.
There are unobfuscatable, secure pseudorandom functions.
For many protocols that are secure in the random oracle model, the protocol becomes insecure if the random oracle is replaced with an artificial cryptographic hash function; in particular, Fiat-Shamir schemes can be attacked.
There are unobfuscatable circuits in TC0 (that is, constant-depth threshold circuits).
There are unobfuscatable sampling algorithms (in fact, these cannot be obfuscated approximately).
There is no secure software watermarking scheme.

Weaker variants

In their original paper exploring black-box obfuscation, Barak et al. defined two weaker notions of cryptographic obfuscation which they did not rule out: indistinguishability obfuscation and extractability obfuscation (which they called "differing-inputs obfuscation".) Informally, an indistinguishability obfuscator should convert input programs with the same functionality into output programs such that the outputs cannot be efficiently related to the inputs by a bounded attacker, and an extractability obfuscator should be an obfuscator such that if the efficient attacker could relate the outputs to the inputs for any two programs, then the attacker could also produce an input such that the two programs being obfuscated produce different outputs. (Note that an extractability obfuscator is necessarily an indistinguishability obfuscator.) ^[4]

, a candidate implementation of indistinguishability obfuscation is under investigation.^[5] In 2013, Boyle et al. explored several candidate implementations of extractability obfuscation.

Notes and References

Goldwasser. Shafi. Rothblum. Guy N.. 2014-07-01. On Best-Possible Obfuscation. Journal of Cryptology. en. 27. 3. 480–505. 10.1007/s00145-013-9151-z. 1432-1378. 1721.1/129413. 1186014 . free.
Barak. Boaz. Goldreich. Oded. Impagliazzo. Russell. Rudich. Steven. Sahai. Amit. Vadhan. Salil. Yang. Ke. 2012-05-03. On the (im)possibility of obfuscating programs. Journal of the ACM. 59. 2. 6:1–6:48. 10.1145/2160158.2160159. 2409597 . 0004-5411.
Web site: 2014-02-21. Cryptographic obfuscation and 'unhackable' software. 2021-03-14. A Few Thoughts on Cryptographic Engineering. en.
Boyle. Elette. Chung. Kai-Min. Pass. Rafael. 2013. On Extractability (a.k.a. Differing-Inputs) Obfuscation. Cryptology ePrint Archive .
News: Klarreich. Erica. November 10, 2020. Computer Scientists Achieve 'Crown Jewel' of Cryptography. en. Quanta Magazine. 2020-11-10.