, Volume 79, Issue 4, pp 1353–1373 | Cite as

On the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input

  • Sanjam Garg
  • Craig Gentry
  • Shai Halevi
  • Daniel WichsEmail author


The notion of differing-inputs obfuscation (diO) was introduced by Barak et al. (CRYPTO, pp 1–18, 2001). It guarantees that, for any two circuits \(C_0, C_1\) for which it is difficult to come up with an input x on which \(C_0(x) \ne C_1(x)\), it should also be difficult to distinguish the obfuscation of \(C_0\) from that of \(C_1\). This is a strengthening of indistinguishability obfuscation, where the above is only guaranteed for circuits that agree on all inputs. Two recent works of Ananth et al. (Differing-inputs obfuscation and applications,, 2013) and Boyle et al. (Lindell, pp 52–73, 2014) study the notion of diO in the setting where the attacker is also given some auxiliary information related to the circuits, showing that this notion leads to many interesting applications. In this work, we show that the existence of general-purpose diO with general auxiliary input has a surprising consequence: it implies that a specific circuit \(C^*\) with specific auxiliary input \({\mathsf {aux}}^*\) cannot be obfuscated in a way that hides some specific information. In other words, under the conjecture that such special-purpose obfuscation exists, we show that general-purpose diO cannot exist. This conjecture is a falsifiable assumption which we do not know how to break for candidate obfuscation schemes. We also show similar implausibility results for extractable witness encryption with auxiliary input and for “output-only dependent” hardcore bits for general one-way functions.


Obfuscation Witness encryption 



We thank Mariana Raykvoa and Amit Sahai for initial discussions relating to this work, Nir Bitansky for suggesting we look at extractable witness encryption, and Mihir Bellare for pointing us to his paper on poly-many hardcore bits and for suggesting we consider diO with bounded-length auxiliary input.


  1. 1.
    Ananth, P., Boneh, D., Garg, S., Sahai, A., Zhandry, M.: Differing-inputs obfuscation and applications. Cryptology ePrint Archive. Report 2013/689 (2013)
  2. 2.
    Applebaum, B.: Bootstrapping obfuscators via fast pseudorandom functions. In: Sarkar and Iwata [21], pp. 162–172Google Scholar
  3. 3.
    Bitansky, N., Canetti, R., Cohn, H., Goldwasser, S., Kalai, Y.T., Paneth, O., Rosen, A.: The impossibility of obfuscation with auxiliary input or a universal simulator. In: Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part II, pp. 71–89 (2014)Google Scholar
  4. 4.
    Boyle, E., Chung, K.-M., Pass, R.: On extractability obfuscation. In: Lindell [10], pp. 52–73Google Scholar
  5. 5.
    Bitansky, N., Canetti, R., Paneth, O., Rosen, A.: On the existence of extractable one-way functions. In: Shmoys [20], pp. 505–514Google Scholar
  6. 6.
    Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: CRYPTO, pp. 1–18 (2001)Google Scholar
  7. 7.
    Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Phong, Q. Nguyen, Elisabeth O., (eds.) Advances in Cryptology—EUROCRYPT 2014—33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Proceedings, volume 8441 of Lecture Notes in Computer Science, pp. 221–238. Springer (2014)Google Scholar
  9. 9.
    Boyle, E., Pass, R.: Limits of extractability assumptions with distributional auxiliary input. In: Tetsu I., Jung H.C. (eds.) Advances in cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29—December 3, 2015, Proceedings, Part II, volume 9453 of Lecture Notes in Computer Science, pp. 236–261. Springer, (2015)Google Scholar
  10. 10.
    Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: Lindell [18], pp. 1–25Google Scholar
  11. 11.
    Bellare, M., Stepanovs, I., Tessaro, S.: Poly-many hardcore bits for any one-way function and a framework for differing-inputs obfuscation. In: Sarkar, Iwata [2,21], pp. 102–121Google Scholar
  12. 12.
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, 26–29 October, 2013, Berkeley, CA, USA, pp. 40–49. IEEE Computer Society (2013)Google Scholar
  13. 13.
    Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Dan, B., Tim, R., Joan, F., (eds), Symposium on Theory of Computing Conference, STOC’13, Palo Alto, CA, USA, June 1–4, 2013, pp. 467–476. ACM (2013)Google Scholar
  14. 14.
    Goldwasser, S., Kalai, Y.T.: On the impossibility of obfuscation with auxiliary input. In: FOCS, pp. 553–562 (2005)Google Scholar
  15. 15.
    Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In: Ran C., Juan A.G. (eds), CRYPTO (2), volume 8043 of Lecture Notes in Computer Science, pp. 536–553. Springer (2013)Google Scholar
  16. 16.
    Hada, S.: Zero-knowledge and code obfuscation. In: Tatsuaki O., (ed), ASIACRYPT, volume 1976 of Lecture Notes in Computer Science, pp. 443–457. Springer (2000)Google Scholar
  17. 17.
    Ishai, Y., Pandey, O., Sahai, A.: Public-coin differing-inputs obfuscation and its applications. In: Yevgeniy D., Jesper Buus N., (eds), Theory of Cryptography—12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23–25, 2015, Proceedings, Part II, volume 9015 of Lecture Notes in Computer Science, pp. 668–697. Springer (2015)Google Scholar
  18. 18.
    Lindell, Y. (ed): Theory of cryptography—11th Theory of cryptography conference, TCC 2014, San Diego, CA, USA, February 24–26, 2014. Proceedings, volume 8349 of Lecture Notes in Computer Science. Springer (2014)Google Scholar
  19. 19.
    Naor, M.: On cryptographic assumptions and challenges. In: Dan B., (ed), CRYPTO, volume 2729 of Lecture Notes in Computer Science, pp. 96–109. Springer (2003)Google Scholar
  20. 20.
    Shmoys, D.B. (ed): Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31—June 03, 2014. ACM (2014)Google Scholar
  21. 21.
    Sarkar, P., Iwata, T. (eds): Advances in cryptology—ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014, Proceedings, Part II, volume 8874 of Lecture Notes in Computer Science. Springer (2014)Google Scholar
  22. 22.
    Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys [20], pp. 475–484Google Scholar

Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  • Sanjam Garg
    • 1
  • Craig Gentry
    • 2
  • Shai Halevi
    • 2
  • Daniel Wichs
    • 3
    Email author
  1. 1.UC BerkeleyBerkeleyUSA
  2. 2.IBM Research, T.J. WatsonYorktown HeightsUSA
  3. 3.Department of Computer ScienceNortheastern UniversityBostonUSA

Personalised recommendations