## Abstract

Indistinguishability obfuscation has become one of the most exciting cryptographic primitives due to its far-reaching applications in cryptography and other fields. However, to date, obtaining a plausibly secure construction has been an illusive task, thus motivating the study of seemingly weaker primitives that imply it, with the possibility that they will be easier to construct. In this work, we provide a systematic study of compressing obfuscation, one of the most natural and simple to describe primitives that is known to imply indistinguishability obfuscation when combined with other standard assumptions. A compressing obfuscator is roughly an indistinguishability obfuscator that outputs just a slightly compressed encoding of the truth table. This generalizes notions introduced by Lin et al. (Functional signatures and pseudorandom functions, PKC, 2016) and Bitansky et al. (From Cryptomania to Obfustopia through secret-key functional encryption, TCC, 2016) by allowing for a broader regime of parameters. We view compressing obfuscation as an independent cryptographic primitive and show various positive and negative results concerning its power and plausibility of existence, demonstrating significant differences from full-fledged indistinguishability obfuscation. First, we show that as a cryptographic building block, compressing obfuscation is weak. In particular, when combined with one-way functions, it cannot be used (in a black-box way) to achieve public-key encryption, even under (sub-)exponential security assumptions. This is in sharp contrast to indistinguishability obfuscation, which together with one-way functions implies almost all cryptographic primitives. Second, we show that to construct compressing obfuscation with perfect correctness, one only needs to assume its existence with a very weak correctness guarantee and polynomial hardness. Namely, we show a correctness amplification transformation with optimal parameters that relies only on polynomial hardness assumptions. This implies a universal construction assuming only polynomially secure compressing obfuscation with approximate correctness. In the context of indistinguishability obfuscation, we know how to achieve such a result only under sub-exponential security assumptions together with derandomization assumptions. Lastly, we characterize the existence of compressing obfuscation with *statistical* security. We show that in some range of parameters and for some classes of circuits such an obfuscator *exists*, whereas it is unlikely to exist with better parameters or for larger classes of circuits. These positive and negative results reveal a deep connection between compressing obfuscation and various concepts in complexity theory and learning theory.

This is a preview of subscription content, access via your institution.

## Notes

Assuming any average- or worst-case hardness assumption. This is necessary as XiO exists unconditionally if \({\mathsf {P}}=\mathsf {NP}\).

The obfuscator we get is weak due to two reasons. First, the class for which we obtain XiO does not contain (puncturable) PRFs and thus is not sufficient for known transformations to iO. Second, the compression we achieve is not enough for cryptographic applications.

Using the recent work of [69], we believe that the assumption on NIZKs can be removed. We leave this modification to future work.

While the whole proof can be applied to XiO, this last step does not work for SXiO since we cannot go over all inputs and check the correctness of the obfuscation.

This formalization allows us to capture functionalities like mux, even if an oracle gate returns \(\bot \).

Throughout this section, we will restrict \(\ell (s,n) = 2^{n\epsilon } \cdot s^{2}\), but we note that the proof holds when \(\ell (s,n) = 2^{n\epsilon } \cdot s^{c}\) for any constant \(c > 1\).

We note that this technique, of enumerating all inputs, can only be done because we are constructing XiO. In particular, this step is the reason that this separation does not apply to perfectly correct SXiO.

Recently, Carmosino et al. [36] generalized their result to get an implication from “tolerant” natural proofs to agnostic learning [67]. In agnostic learning, it is the same as in PAC learning except that the learner is only guaranteed that

*f*is close to the concept class \({\mathcal {C}} \) (rather than assuming it belongs to it).The argument works even with sub-exponential security by increasing the size of the key.

## References

P. Ananth, A. Jain, M. Naor, A. Sahai, E. Yogev, Universal constructions and robust combiners for indistinguishability obfuscation and witness encryption, in

*Advances in Cryptology - CRYPTO*(2016), pp. 491–520P. Ananth, A. Jain, A. Sahai, Robust transforming combiners from indistinguishability obfuscation to functional encryption, in

*Advances in Cryptology - EUROCRYPT*(2017), pp. 91–121P. Ananth, A. Jain, Indistinguishability obfuscation from compact functional encryption, in

*Advances in Cryptology - CRYPTO*(2015), pp. 308–326P. Ananth, A. Sahai, Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps, in

*Advances in Cryptology - EUROCRYPT*(2017), pp. 152–181P.V. Ananth, D. Gupta, Y. Ishai, A. Sahai, Optimizing obfuscation: Avoiding barrington’s theorem, in

*Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security*(2014), pp. 646–658D. Angluin, Queries and concept learning.

*Mach. Learn.***2**(4), 319–342 (1987)D. Apon, N. Döttling, S. Garg, P. Mukherjee, Cryptanalysis of indistinguishability obfuscations of circuits over GGH13, in

*44th International Colloquium on Automata, Languages, and Programming, ICALP*(2017), pp. 38:1–38:16B. Applebaum, Z. Brakerski, Obfuscating circuits via composite-order graded encoding, in

*Theory of Cryptography - TCC*(2015), pp. 528–556G. Asharov, G. Segev, Limits on the power of indistinguishability obfuscation and functional encryption.

*SIAM J. Comput.***45**(6), 2117–2176 (2016)G. Asharov, G. Segev, On constructing one-way permutations from indistinguishability obfuscation, in

*Theory of Cryptography Conference*(2016)C.A. Asmuth, G.R. Blakley, An efficient algorithm for constructing a cryptosystem which is harder to break than two other cryptosystems.

*Comput. Math. Appl.***7**(6), 447 – 450 (1981)B. Barak, Z. Brakerski, I. Komargodski, P.K. Kothari, Limits on low-degree pseudorandom generators (or: Sum-of-squares meets program obfuscation), in

*Advances in Cryptology - EUROCRYPT*(2018), pp. 649–679B. Barak, S. Garg, Y.T. Kalai, O. Paneth, A. Sahai, Protecting obfuscation against algebraic attacks, in

*Advances in Cryptology - EUROCRYPT*(2014), pp. 221–238B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs.

*J. ACM***59**(2), 6:1–6:48 (2012)N. Bitansky, A. Degwekar, V. Vaikuntanathan, Structure vs. hardness through the obfuscation lens, in

*Advances in Cryptology - CRYPTO*(2017), pp. 696–723N. Bitansky, H. Lin, O. Paneth, On removing graded encodings from functional encryption, in

*Advances in Cryptology - EUROCRYPT*(2017), pp. 3–29N. Bitansky, R. Nishimaki, A. Passelègue, D. Wichs, From Cryptomania to Obfustopia through secret-key functional encryption, in

*Theory of Cryptography - TCC*(2016), pp. 391–418N. Bitansky, O. Paneth, Zaps and non-interactive witness indistinguishability from indistinguishability obfuscation, in

*Theory of Cryptography - TCC*(2015), pp. 401–427N. Bitansky, O. Paneth, D. Wichs, Perfect structure on the edge of chaos - trapdoor permutations from indistinguishability obfuscation, in

*Theory of Cryptography - TCC*(2016), pp. 474–502N. Bitansky, V. Vaikuntanathan, Indistinguishability obfuscation from functional encryption, in

*IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS*(2015), pp. 171–190N. Bitansky, V. Vaikuntanathan, Indistinguishability obfuscation: From approximate to exact, in

*Theory of Cryptography - TCC*(2016), pp. 67–95N. Bitansky, V. Vaikuntanathan, A note on perfect correctness by derandomization, in

*Advances in Cryptology - EUROCRYPT*(2017), pp. 592–606D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, V. Nikolaenko, G. Segev, V. Vaikuntanathan, D. Vinayagamurthy, Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits, in

*Advances in Cryptology - EUROCRYPT*(2014), pp. 533–556D. Boneh, A. Sahai, B. Waters, Functional encryption: a new vision for public-key cryptography.

*Commun. ACM***55**(11), 56–64 (2012)D. Boneh, B. Waters, Constrained pseudorandom functions and their applications, in

*Advances in Cryptology - ASIACRYPT*(2013), pp. 280–300D. Boneh, D.J. Wu, J. Zimmerman, Immunizing multilinear maps against zeroizing attacks.

*IACR Cryptology ePrint Archive*2014:930 (2014)E. Boyle, S. Goldwasser, I. Ivan, Functional signatures and pseudorandom functions, in

*Public-Key Cryptography - PKC*(2014), pp. 501–519Z. Brakerski, C. Brzuska, N. Fleischhacker, On statistically secure obfuscation with approximate correctness, in

*Advances in Cryptology - CRYPTO*(2016), pp. 551–578Z. Brakerski, N. Döttling, S. Garg, G. Malavolta, Candidate io from homomorphic encryption schemes, in

*EUROCRYPT (1)*, volume 12105 of*Lecture Notes in Computer Science*(Springer, 2020), pp. 79–109Z. Brakerski, N. Döttling, S. Garg, G. Malavolta, Factoring and pairings are not necessary for io: Circular-secure LWE suffices,

*IACR Cryptol. ePrint Arch.*, 2020:1024 (2020)Z. Brakerski, A. Jain, I. Komargodski, A. Passelègue, D. Wichs, Non-trivial witness encryption and null-io from standard assumptions,

*IACR Cryptology ePrint Archive*, 2017:874 (2017)Z. Brakerski, J. Katz, G. Segev, A. Yerukhimovich, Limits on the power of zero-knowledge proofs in cryptographic constructions, in

*Theory of Cryptography - TCC*(2011), pp. 559–578Z. Brakerski, G.N. Rothblum, Virtual black-box obfuscation for all circuits via generic graded encoding, in

*Theory of Cryptography - TCC*(2014), pp. 1–25N.H. Bshouty, C. Tamon, On the fourier spectrum of monotone functions.

*J. ACM***43**(4), 747–770 (1996)M.L. Carmosino, R. Impagliazzo, V. Kabanets, A. Kolokolova, Learning algorithms from natural proofs, in

*31st Conference on Computational Complexity, CCC*(2016), pp. 10:1–10:24M.L. Carmosino, R. Impagliazzo, V. Kabanets, A. Kolokolova, Agnostic learning from tolerant natural proofs, in

*Approximation, Randomization, and Combinatorial Optimization, APPROX/RANDOM*(2017), pp. 35:1–35:19R. Chen, V. Kabanets, A. Kolokolova, R. Shaltiel, D. Zuckerman, Mining circuit lower bound proofs for meta-algorithms.

*Comput. Complex.***24**(2), 333–392 (2015)Y. Chen, C. Gentry, S. Halevi, Cryptanalyses of candidate branching program obfuscators, in

*Advances in Cryptology - EUROCRYPT*(2017), pp. 278–307J.H. Cheon, K. Han, C. Lee, H. Ryu, D. Stehlé, Cryptanalysis of the multilinear map over the integers, in

*Advances in Cryptology - EUROCRYPT*(2015), pp. 3–12J.-S. Coron, C. Gentry, S. Halevi, T. Lepoint, H.K. Maji, E. Miles, M. Raykova, A. Sahai, M. Tibouchi, Zeroizing without low-level zeroes: New MMAP attacks and their limitations, in

*Advances in Cryptology - CRYPTO*(2015), pp. 247–266J.-S. Coron, T. Lepoint, M. Tibouchi, Practical multilinear maps over the integers, in

*Advances in Cryptology - CRYPTO*(2013), pp. 476–493Jean-Sébastien Coron, Tancrède Lepoint, Mehdi Tibouchi. New multilinear maps over the integers, in

*Advances in Cryptology - CRYPTO*(2015), pp. 267–286W. Diffie, M.E. Hellman, Multiuser cryptographic techniques, in

*American Federation of Information Processing Societies*(1976), pp. 109–112M. Fischlin, A. Herzberg, H.B. Noon, H. Shulman, Obfuscation combiners, in

*Advances in Cryptology - CRYPTO*(2016), pp. 521–550S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in

*54th Annual IEEE Symposium on Foundations of Computer Science, FOCS*(IEEE Computer Society, 2013), pp. 40–49S. Garg, C. Gentry, A. Sahai, B. Waters, Witness encryption and its applications, in

*Symposium on Theory of Computing Conference, STOC*(2013), pp. 467–476S. Garg, M. Hajiabadi, M. Mahmoody, A. Mohammed, Limits on the power of garbling techniques for public-key encryption, in

*Advances in Cryptology - CRYPTO*(2018), pp. 335–364Sanjam Garg, Mohammad Mahmoody, Ameer Mohammed. Lower bounds on obfuscation from all-or-nothing encryption primitives, in

*Advances in Cryptology - CRYPTO*(2017), pp. 661–695S. Garg, M. Mahmoody, A. Mohammed, When does functional encryption imply obfuscation? In

*Theory of Cryptography - TCC*(2017), pp. 82–115R. Gay, R. Pass, Indistinguishability obfuscation from circular security, in

*STOC*(ACM, 2021), pp. 736–749C. Gentry, S. Gorbunov, S. Halevi, Graph-induced multilinear maps from lattices, in

*Theory of Cryptography - TCC*(2015), pp. 498–527C. Gentry, A.B. Lewko, A. Sahai, B. Waters, Indistinguishability obfuscation from the multilinear subgroup elimination assumption, in

*IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS*(2015), pp. 151–170O. Goldreich,

*The Foundations of Cryptography - Volume 1, Basic Techniques*, chapter 4.10.3.1 (Cambridge University Press, 2001)O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions.

*J. ACM***33**(4), 792–807 (1986)S. Goldwasser, S.D. Gordon, V. Goyal, A. Jain, J. Katz, F.-H. Liu, A. Sahai, E. Shi, H.-S. Zhou, Multi-input functional encryption, in

*Advances in Cryptology - EUROCRYPT*(2014), pp. 578–602S. Goldwasser, Y.T. Kalai, R.A. Popa, V. Vaikuntanathan, N. Zeldovich, Reusable garbled circuits and succinct functional encryption, in

*Symposium on Theory of Computing Conference, STOC*(2013), pp. 555–564S. Goldwasser, G.N. Rothblum, On best-possible obfuscation, in

*Theory of Cryptography - TCC*(2007), pp. 194–213S. Gorbunov, V. Vaikuntanathan, H. Wee, Functional encryption with bounded collusions via multi-party computation, in

*Advances in Cryptology - CRYPTO*(2012), pp. 162–179V. Guruswami, A. Rudra, M. Sudan, Essential coding theory, 2013. https://cse.buffalo.edu/faculty/atri/courses/coding-theory/book/index.html. Accessed May 31, 2018

V. Guruswami, M. Sudan, List decoding algorithms for certain concatenated codes, in

*Proceedings of the 32nd annual ACM symposium on Theory of computing, STOC*(ACM, 2000), pp. 181–190D. Harnik, J. Kilian, M. Naor, O. Reingold, A. Rosen, On robust combiners for oblivious transfer and other primitives, in

*Advances in Cryptology - EUROCRYPT*(2005), pp. 96–113J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function.

*SIAM J. Comput.***28**(4), 1364–1396 (1999)L. Hellerstein, R.A. Servedio, On PAC learning algorithms for rich boolean function classes.

*Theor. Comput. Sci.***384**(1), 66–76 (2007)A. Herzberg, On tolerant cryptographic constructions, in

*Topics in Cryptology - CT-RSA*(2005), pp. 172–190A. Herzberg, Folklore, practice and theory of robust combiners.

*J. Comput. Secur.***17**(2), 159–189 (2009)R. Impagliazzo, S. Rudich, Limits on the provable consequences of one-way permutations, in

*Proceedings of the 21st annual ACM symposium on Theory of computing, STOC*(ACM, 1989), pp. 44–61M.J. Kearns, R.E. Schapire, L. Sellie, Toward efficient agnostic learning.

*Mach. Learn.***17**(2-3), 115–141 (1994)A. Kiayias, S. Papadopoulos, N. Triandopoulos, T. Zacharias, Delegatable pseudorandom functions and applications, in

*Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security*(ACM, 2013), pp. 669–684S. Kim, D.J. Wu, Multi-theorem preprocessing nizks from lattices, in

*Advances in Cryptology - CRYPTO*(2018)F. Kitagawa, R. Nishimaki, K. Tanaka, Obfustopia built on secret-key functional encryption, in

*Advances in Cryptology - EUROCRYPT*(2018), pp. 603–648I. Komargodski, T. Moran, M. Naor, R. Pass, A. Rosen, E. Yogev, One-way functions and (im)perfect obfuscation, in

*55th IEEE Annual Symposium on Foundations of Computer Science, FOCS*(2014), pp. 374–383L.A. Levin, One-way functions and pseudorandom generators.

*Combinatorica*7(4), 357–363 (1987)H. Lin, Indistinguishability obfuscation from constant-degree graded encoding schemes, in

*Advances in Cryptology - EUROCRYPT*(2016), pp. 28–57H. Lin, Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs, in

*Advances in Cryptology - CRYPTO*(2017), pp. 599–629H. Lin, R. Pass, K. Seth, S. Telang, Indistinguishability obfuscation with non-trivial efficiency, in

*Public-Key Cryptography - PKC*(2016), pp. 447–462H. Lin, R. Pass, K. Seth, S. Telang, Output-compressing randomized encodings and applications, in

*Theory of Cryptography - TCC*(2016), pp. 96–124H. Lin, V. Vaikuntanathan, Indistinguishability obfuscation from ddh-like assumptions on constant-degree graded encodings, in

*IEEE 57th Annual Symposium on Foundations of Computer Science, FOCS*(2016), pp. 11–20N. Linial, Y. Mansour, Noam Nisan. Constant depth circuits, fourier transform, and learnability, in

*30th Annual Symposium on Foundations of Computer Science, FOCS*(1989), pp. 574–579Q. Liu, M. Zhandry, Decomposable obfuscation: A framework for building applications of obfuscation from polynomial hardness, in

*Theory of Cryptography - TCC*(2017), pp. 138–169A. Lombardi, V. Vaikuntanathan, Limits on the locality of pseudorandom generators and applications to indistinguishability obfuscation, in

*Theory of Cryptography - TCC*(2017), pp. 119–137M. Mahmoody, A. Mohammed, S. Nematihaji, R. Pass, A. Shelat, Lower bounds on assumptions behind indistinguishability obfuscation, in

*Theory of Cryptography - TCC*(2016), pp. 49–66M. Mahmoody, D. Xiao, On the power of randomized reductions and the checkability of SAT, in

*Proceedings of the 25th Annual IEEE Conference on Computational Complexity, CCC*(IEEE Computer Society, 2010), pp. 64–75S. Micali, C. Peikert, M. Sudan, D.A Wilson, Optimal error correction against computationally bounded noise, in

*Theory of Cryptography - TCC*(Springer, 2005), pp. 1–16E. Miles, A. Sahai, M. Zhandry, Annihilation attacks for multilinear maps: Cryptanalysis of indistinguishability obfuscation over GGH13, in

*Advances in Cryptology - CRYPTO*(2016), pp. 629–658M. Naor, Bit commitment using pseudorandomness.

*J. Cryptol.***4**(2), 151–158 (1991)T. Okamoto, On relationships between statistical zero-knowledge proofs.

*J. Comput. Syst. Sci.*60(1), 47–108 (2000)A. O’Neill, Definitional issues in functional encryption.

*IACR Cryptology ePrint Archive*2010:556 (2010)R. Pass, K. Seth, S. Telang, Indistinguishability obfuscation from semantically-secure multilinear encodings, in

*Advances in Cryptology - CRYPTO*(2014), pp. 500–517A. Sahai, S.P. Vadhan, A complete problem for statistical zero knowledge.

*J. ACM*50(2), 196–249 (2003)A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in

*Symposium on Theory of Computing, STOC*(2014), pp. 475–484L.G. Valiant, A theory of the learnable.

*Commun. ACM*27(11), 1134–1142 (1984)H. Wee, D. Wichs, Candidate obfuscation via oblivious LWE sampling, in

*EUROCRYPT (3)*, volume 12698 of*Lecture Notes in Computer Science*(Springer, 2021), pp. 127–156R.R. Williams, Strong ETH breaks with merlin and arthur: Short non-interactive proofs of batch evaluation, in

*31st Conference on Computational Complexity, CCC*(2016), pp. 2:1–2:17J. Zimmerman, How to obfuscate programs directly, in

*Advances in Cryptology - EUROCRYPT*(2015), pp. 439–467

## Acknowledgements

We thank Zvika Brakerski for discussions about the possibility of SXiO and XiO with statistical security. This work is supported in part by a Junior Fellow award from the Simons Foundation, by the Israel Science Foundation (Grants no. 2439/20 and 1774/20), by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office, by the European Union’s Horizon 2020 research and innovation program under the Marie Skłodowska-Curie grant agreement No. 891234, by a Packard Foundation Fellowship, by an AFOSR grant FA9550-15-1-0262, by an Alon Young Faculty Fellowship, by NSF Award CNS-1561209, NSF Award CNS-1217821, NSF Award CNS-1704788, a Microsoft Faculty Fellowship, and a Google Faculty Research Award.

## Author information

### Authors and Affiliations

### Corresponding author

## Additional information

Communicated by Marc Fischlin.

### Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

A preliminary version of this work appeared in IACR-CRYPTO 2018.

Gilad Asharov and Ilan Komargodski: Most of the work was conducted while at Cornell Tech, New York, NY 10044.

## Rights and permissions

## About this article

### Cite this article

Asharov, G., Komargodski, I., Pass, R. *et al.* On the Complexity of Compressing Obfuscation.
*J Cryptol* **35**, 21 (2022). https://doi.org/10.1007/s00145-022-09431-5

Received:

Revised:

Accepted:

Published:

DOI: https://doi.org/10.1007/s00145-022-09431-5