## Abstract

An obfuscator is a compiler that transforms any program (which we will view in this work as a boolean circuit) into an obfuscated program (also a circuit) that has the same input-output functionality as the original program, but is “unintelligible”. Obfuscation has applications for cryptography and for software protection. Barak et al. (CRYPTO 2001, pp. 1–18, 2001) initiated a theoretical study of obfuscation, which focused on *black-box obfuscation*, where the obfuscated circuit should leak no information except for its (black-box) input-output functionality. A family of functionalities that cannot be obfuscated was demonstrated. Subsequent research has showed further negative results as well as positive results for obfuscating very specific families of circuits, all with respect to black box obfuscation. This work is a study of a new notion of obfuscation, which we call *best-possible obfuscation*. Best possible obfuscation makes the relaxed requirement that the obfuscated program leaks as little information as *any other program* with the same functionality (and of similar size). In particular, this definition allows the program to leak information that cannot be obtained from a black box. Best-possible obfuscation guarantees that *any* information that is not hidden by the obfuscated program is also not hidden by *any other* similar-size program computing the same functionality, and thus the obfuscation is (literally) the best possible. In this work we study best-possible obfuscation and its relationship to previously studied definitions. Our main results are: (1) A separation between black-box and best-possible obfuscation. We show a natural obfuscation task that can be achieved under the best-possible definition, but cannot be achieved under the black-box definition. (2) A hardness result for best-possible obfuscation, showing that strong (information-theoretic) best-possible obfuscation implies a collapse in the Polynomial-Time Hierarchy. (3) An impossibility result for efficient best-possible (and black-box) obfuscation in the presence of random oracles. This impossibility result uses a random oracle to construct hard-to-obfuscate circuits, and thus it does *not* imply impossibility in the standard model.

## Key words

Obfuscation## Notes

### Acknowledgements

We thank Yael Tauman Kalai and Tali Kaufman for helpful and enjoyable discussions. Thanks also to the anonymous TCC reviewers for their insightful comments which much improved (or so we hope) the presentation. We particularly thank an anonymous reviewer for suggesting a simplification to construction of un-obfuscatable circuits in the random oracle model and the proof of Theorem 5.2. Finally, we are very grateful to Oded Goldreich for his many helpful and insightful comments on this work and its presentation.

## References

- [1]W. Aiello, J. Håstad, Statistical zero-knowledge languages can be recognized in two rounds.
*J. Comput. Syst. Sci.***42**(3), 327–345 (1991) CrossRefzbMATHGoogle Scholar - [2]B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (Im)possibility of obfuscating programs, in
*CRYPTO 2001*(2001), pp. 1–18 CrossRefGoogle Scholar - [3]M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in
*ACM Conference on Computer and Communications Security 1993*(1993), pp. 62–73 Google Scholar - [4]R.B. Boppana, J. Håstad, S. Zachos, Does co-NP have short interactive proofs?
*Inf. Process. Lett.***25**(2), 127–132 (1987) CrossRefzbMATHGoogle Scholar - [5]R.E. Bryant, Graph-based algorithms for boolean function manipulation.
*IEEE Trans. Comput. C***35**(8), 677–691 (1986) CrossRefzbMATHGoogle Scholar - [6]R. Canetti, Towards realizing random oracles: hash functions that hide all partial information, in
*CRYPTO 1997*(1997), pp. 455–469 Google Scholar - [7]R. Canetti, D. Micciancio, O. Reingold, Perfectly one-way probabilistic hash functions (Preliminary version), in
*STOC 1998*(1998), pp. 131–140 Google Scholar - [8]R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited.
*J. ACM***51**(4), 557–594 (2004) CrossRefzbMATHMathSciNetGoogle Scholar - [9]Y. Dodis, A. Smith, Correcting errors without leaking partial information, in
*STOC 2005*(2005), pp. 654–663 Google Scholar - [10]A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in
*CRYPTO 1986*(1986), pp. 186–194 Google Scholar - [11]L. Fortnow, The complexity of perfect zero-knowledge, in
*Advances in Computing Research*, vol. 5, ed. by S. Micali (JAI Press, Greenwich, 1989), pp. 327–343 Google Scholar - [12]O. Goldreich, S.P. Vadhan, Comparing entropies in statistical zero knowledge with applications to the structure of SZK, in
*IEEE Conference on Computational Complexity 1999*(1999), p. 54 Google Scholar - [13]S. Goldwasser, Y. Tauman Kalai, On the (In)security of the Fiat–Shamir paradigm, in
*FOCS 2003*(2003), pp. 102–113 Google Scholar - [14]S. Goldwasser, Y. Tauman Kalai, On the impossibility of obfuscation with auxiliary input, in
*FOCS 2005*(2005), pp. 553–562 Google Scholar - [15]S. Goldwasser, S. Micali, Probabilistic encryption and how to play mental poker keeping secret all partial information, in
*STOC 1982*(1982), pp. 365–377 Google Scholar - [16]S. Hada, Zero-knowledge and code obfuscation, in
*Asiacrypt 2000*(2000), pp. 443–457 CrossRefGoogle Scholar - [17]D. Hofheinz, J. Malone-Lee, M. Stam, Obfuscation for cryptographic purposes, in
*TCC 2007*(2007), pp. 214–232 Google Scholar - [18]S. Hohenberger, G.N. Rothblum, A. Shelat, V. Vaikuntanathan, Securely obfuscating re-encryption, in
*TCC 2007*(2007), pp. 233–252 Google Scholar - [19]B. Lynn, M. Prabhakaran, A. Sahai, Positive results and techniques for obfuscation, in
*EUROCRYPT 2004*(2004), pp. 20–39 CrossRefGoogle Scholar - [20]T. Malkin, Personal communication (2006) Google Scholar
- [21]A. Narayanan, V. Shmatikov, Obfuscated databases and group privacy, in
*ACM Conference on Computer and Communications Security 2005*(2005), pp. 102–111 Google Scholar - [22]T. Okamoto, On relationships between statistical zero-knowledge proofs.
*J. Comput. Syst. Sci.***60**(1), 47–108 (2000) CrossRefzbMATHGoogle Scholar - [23]A. Sahai, S.P. Vadhan, A complete problem for statistical zero knowledge.
*J. ACM***50**(2), 196–249 (2003) CrossRefMathSciNetGoogle Scholar - [24]H. Wee, On obfuscating point functions, in
*STOC 2005*(2005), pp. 523–532 Google Scholar - [25]A.C.-C. Yao, Theory and applications of trapdoor functions (extended abstract), in
*FOCS 1982*(1982), pp. 80–91 Google Scholar