Journal of Cryptology

, Volume 27, Issue 3, pp 480–505 | Cite as

On Best-Possible Obfuscation

  • Shafi Goldwasser
  • Guy N. Rothblum


An obfuscator is a compiler that transforms any program (which we will view in this work as a boolean circuit) into an obfuscated program (also a circuit) that has the same input-output functionality as the original program, but is “unintelligible”. Obfuscation has applications for cryptography and for software protection. Barak et al. (CRYPTO 2001, pp. 1–18, 2001) initiated a theoretical study of obfuscation, which focused on black-box obfuscation, where the obfuscated circuit should leak no information except for its (black-box) input-output functionality. A family of functionalities that cannot be obfuscated was demonstrated. Subsequent research has showed further negative results as well as positive results for obfuscating very specific families of circuits, all with respect to black box obfuscation. This work is a study of a new notion of obfuscation, which we call best-possible obfuscation. Best possible obfuscation makes the relaxed requirement that the obfuscated program leaks as little information as any other program with the same functionality (and of similar size). In particular, this definition allows the program to leak information that cannot be obtained from a black box. Best-possible obfuscation guarantees that any information that is not hidden by the obfuscated program is also not hidden by any other similar-size program computing the same functionality, and thus the obfuscation is (literally) the best possible. In this work we study best-possible obfuscation and its relationship to previously studied definitions. Our main results are: (1) A separation between black-box and best-possible obfuscation. We show a natural obfuscation task that can be achieved under the best-possible definition, but cannot be achieved under the black-box definition. (2) A hardness result for best-possible obfuscation, showing that strong (information-theoretic) best-possible obfuscation implies a collapse in the Polynomial-Time Hierarchy. (3) An impossibility result for efficient best-possible (and black-box) obfuscation in the presence of random oracles. This impossibility result uses a random oracle to construct hard-to-obfuscate circuits, and thus it does not imply impossibility in the standard model.

Key words




We thank Yael Tauman Kalai and Tali Kaufman for helpful and enjoyable discussions. Thanks also to the anonymous TCC reviewers for their insightful comments which much improved (or so we hope) the presentation. We particularly thank an anonymous reviewer for suggesting a simplification to construction of un-obfuscatable circuits in the random oracle model and the proof of Theorem 5.2. Finally, we are very grateful to Oded Goldreich for his many helpful and insightful comments on this work and its presentation.


  1. [1]
    W. Aiello, J. Håstad, Statistical zero-knowledge languages can be recognized in two rounds. J. Comput. Syst. Sci. 42(3), 327–345 (1991) CrossRefzbMATHGoogle Scholar
  2. [2]
    B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (Im)possibility of obfuscating programs, in CRYPTO 2001 (2001), pp. 1–18 CrossRefGoogle Scholar
  3. [3]
    M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in ACM Conference on Computer and Communications Security 1993 (1993), pp. 62–73 Google Scholar
  4. [4]
    R.B. Boppana, J. Håstad, S. Zachos, Does co-NP have short interactive proofs? Inf. Process. Lett. 25(2), 127–132 (1987) CrossRefzbMATHGoogle Scholar
  5. [5]
    R.E. Bryant, Graph-based algorithms for boolean function manipulation. IEEE Trans. Comput. C 35(8), 677–691 (1986) CrossRefzbMATHGoogle Scholar
  6. [6]
    R. Canetti, Towards realizing random oracles: hash functions that hide all partial information, in CRYPTO 1997 (1997), pp. 455–469 Google Scholar
  7. [7]
    R. Canetti, D. Micciancio, O. Reingold, Perfectly one-way probabilistic hash functions (Preliminary version), in STOC 1998 (1998), pp. 131–140 Google Scholar
  8. [8]
    R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004) CrossRefzbMATHMathSciNetGoogle Scholar
  9. [9]
    Y. Dodis, A. Smith, Correcting errors without leaking partial information, in STOC 2005 (2005), pp. 654–663 Google Scholar
  10. [10]
    A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in CRYPTO 1986 (1986), pp. 186–194 Google Scholar
  11. [11]
    L. Fortnow, The complexity of perfect zero-knowledge, in Advances in Computing Research, vol. 5, ed. by S. Micali (JAI Press, Greenwich, 1989), pp. 327–343 Google Scholar
  12. [12]
    O. Goldreich, S.P. Vadhan, Comparing entropies in statistical zero knowledge with applications to the structure of SZK, in IEEE Conference on Computational Complexity 1999 (1999), p. 54 Google Scholar
  13. [13]
    S. Goldwasser, Y. Tauman Kalai, On the (In)security of the Fiat–Shamir paradigm, in FOCS 2003 (2003), pp. 102–113 Google Scholar
  14. [14]
    S. Goldwasser, Y. Tauman Kalai, On the impossibility of obfuscation with auxiliary input, in FOCS 2005 (2005), pp. 553–562 Google Scholar
  15. [15]
    S. Goldwasser, S. Micali, Probabilistic encryption and how to play mental poker keeping secret all partial information, in STOC 1982 (1982), pp. 365–377 Google Scholar
  16. [16]
    S. Hada, Zero-knowledge and code obfuscation, in Asiacrypt 2000 (2000), pp. 443–457 CrossRefGoogle Scholar
  17. [17]
    D. Hofheinz, J. Malone-Lee, M. Stam, Obfuscation for cryptographic purposes, in TCC 2007 (2007), pp. 214–232 Google Scholar
  18. [18]
    S. Hohenberger, G.N. Rothblum, A. Shelat, V. Vaikuntanathan, Securely obfuscating re-encryption, in TCC 2007 (2007), pp. 233–252 Google Scholar
  19. [19]
    B. Lynn, M. Prabhakaran, A. Sahai, Positive results and techniques for obfuscation, in EUROCRYPT 2004 (2004), pp. 20–39 CrossRefGoogle Scholar
  20. [20]
    T. Malkin, Personal communication (2006) Google Scholar
  21. [21]
    A. Narayanan, V. Shmatikov, Obfuscated databases and group privacy, in ACM Conference on Computer and Communications Security 2005 (2005), pp. 102–111 Google Scholar
  22. [22]
    T. Okamoto, On relationships between statistical zero-knowledge proofs. J. Comput. Syst. Sci. 60(1), 47–108 (2000) CrossRefzbMATHGoogle Scholar
  23. [23]
    A. Sahai, S.P. Vadhan, A complete problem for statistical zero knowledge. J. ACM 50(2), 196–249 (2003) CrossRefMathSciNetGoogle Scholar
  24. [24]
    H. Wee, On obfuscating point functions, in STOC 2005 (2005), pp. 523–532 Google Scholar
  25. [25]
    A.C.-C. Yao, Theory and applications of trapdoor functions (extended abstract), in FOCS 1982 (1982), pp. 80–91 Google Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. 1.Weizmann Institute of ScienceRehovotIsrael
  2. 2.CSAILMITCambridgeUSA
  3. 3.Microsoft ResearchSilicon Valley, Mountain ViewUSA

Personalised recommendations