On Statistically Secure Obfuscation with Approximate Correctness

  • Zvika Brakerski
  • Christina Brzuska
  • Nils Fleischhacker
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9815)


Goldwasser and Rothblum (TCC ’07) prove that statistical indistinguishability obfuscation (iO) cannot exist if the obfuscator must maintain perfect correctness (under a widely believed complexity theoretic assumption: \(\mathcal {NP}\not \subseteq \mathcal {SZK}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\)). However, for many applications of iO, such as constructing public-key encryption from one-way functions (one of the main open problems in theoretical cryptography), approximate correctness is sufficient. It had been unknown thus far whether statistical approximate iO (saiO) can exist.

We show that saiO does not exist, even for a minimal correctness requirement, if \(\mathcal {NP}\not \subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\), and if one-way functions exist. A simple complementary observation shows that if one-way functions do not exist, then average-case saiO exists. Technically, previous approaches utilized the behavior of the obfuscator on evasive functions, for which saiO always exists. We overcome this barrier by using a PRF as a “baseline” for the obfuscated program.

We broaden our study and consider relaxed notions of security for iO. We introduce the notion of correlation obfuscation, where the obfuscations of equivalent circuits only need to be mildly correlated (rather than statistically indistinguishable). Perhaps surprisingly, we show that correlation obfuscators exist via a trivial construction for some parameter regimes, whereas our impossibility result extends to other regimes. Interestingly, within the gap between the parameter regimes that we show possible and impossible, there is a small fraction of parameters that still allow one to build public-key encryption from one-way functions and thus deserve further investigation.

1 Introduction

Constructing public-key cryptography (e.g. public-key encryption) from private-key cryptography (such as one-way functions) is one of the most fundamental questions in theoretical cryptography, going back to the seminal paper of Diffie and Hellman [9]. Diffie and Hellman suggested that program obfuscators with sufficiently strong security properties would allow one to realize this transformation. A program obfuscator is a compiler that takes as input a program and outputs another program with equivalent functionality, but which is harder to reverse engineer. Diffie and Hellman suggested obfuscating the encryption circuit of a symmetric-key encryption scheme and using the obfuscated program as a public key, so as to obtain a public-key encryption scheme. An additional hint that obfuscation may be instrumental in solving this riddle was provided by Impagliazzo and Rudich [20, 21], who proved that a transformation from symmetric to public-key must make non-black-box use of the underlying symmetric primitive. Indeed, program obfuscation is one of very few non-black-box techniques known in cryptography.

Modern research showed that the Diffie-Hellman transformation requires obfuscators with security guarantees that do not exist in general [1, 2, 16]. However, recent years have seen incredibly prolific study of weak notions of obfuscation, following the introduction of a candidate indistinguishability obfuscator (iO) by Garg et al. [10]. The security guarantee of iO is that the obfuscation of two functionally equivalent circuits should result in indistinguishable output distributions. That is, that reverse engineering could not detect which of two equivalent implementations had been the source of the obfuscated program. Sahai and Waters [30] showed that even this seemingly weak notion suffices for private-key to public-key transformation (via a clever construction that does not resemble the Diffie-Hellman suggestion).

One would have hoped that a weak notion such as iO may be realizable with statistical security, i.e. that reverse engineering (to the limited extent required by iO) will not be possible even for an attacker with unlimited computational power. The existence of such a statistical indistinguishability obfuscator (siO) would resolve the question of constructing public-key cryptography from one-way functions, and would also allow one to construct one-way functions based on the hardness of \(\mathcal {NP}\) [23]. Alas, Goldwasser and Rothblum [14, 15] proved that siO cannot exist unless the polynomial hierarchy collapses (in particular, it implies \(\mathcal {NP}\subseteq \mathcal {SZK}\), and it is known that \(\mathcal {SZK}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\)), which is considered quite unlikely in computational complexity, and at any rate far beyond the current understanding of complexity theory. This seems to put a damper on our hopes to achieve statistically secure obfuscation.

However, the [14, 15] negative result crucially relies on the correctness of the obfuscator. That is, it only rules out such obfuscators that perfectly preserve the functionality of the underlying primitive (at least with high probability over the coins of the obfuscator). In contrast, the symmetric to public key transformation can be made to work with only approximate correctness, i.e. a non-negligible correlation between the functionality of the input circuit and that of the output circuit (where the probability is taken over the randomness of the obfuscator and the input domain). The question of whether statistical approximate iO (saiO) exists was therefore the new destination in the quest for understanding obfuscation. Interestingly, it turns out that ruling out computational notions of iO in some idealized models also boils down to the question of whether saiO exists (see Sect. 1.2 below). The study of this notion is the objective of this paper.

Our Results. We show that statistical approximate iO (saiO) does not exist if one-way functions exist (under the assumption that \(\mathcal {NP}\not \subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\)). Thus, in particular, saiO cannot be used for the transformation from symmetric to public-key cryptography. We show that if one-way functions exist, then any non-negligible correlation between the output of the obfuscator and the input program would imply an \(\mathcal {SZK}\) algorithm for unique SAT (USAT). As SAT reduces to USAT via a randomized reduction [32], a result of Mahmoody and Xiao [27] shows that this implies that SAT is in \(\mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).

To complement our result, we observe that if one-way functions do not exist, then an average-case notion of saiO exists for any distribution. Specifically, for any efficiently samplable distribution over circuits, there exists an saiO obfuscator whose correctness holds with high probability over the circuits in that distribution (inverting the order of quantifiers would imply a worst-case saiO).

A Study of Correlation Obfuscation. Our impossibility results extend beyond the case of saiO. In fact, the result applies even when the security of the obfuscator is approximate. Namely, when we are only guaranteed that the obfuscation of functionally equivalent circuits results in distributions that have mild statistical distance (as opposed to negligible). This motivated us to explore the properties of this new kind of obfuscator, which as far as we know has not been studied in the literature before.

We consider statistical approximate correlation obfuscation sacO. A sacO obfuscator is characterized by two parameters \(\epsilon \in [0,1/2)\) and \(\delta \in [0,1)\). The requirement is that correctness holds with probability \(1-\epsilon \) (with respect to the randomness of the obfuscator and a random choice of input), and that obfuscating two functionally equivalent circuits results in distributions with statistical distance \(\delta \). The case of negligible \(\delta \) is exactly saiO, discussed above, and the case of \(\epsilon =0\) corresponds to perfect correctness.

We observe that our impossibility result degrades gracefully and holds so long as \(2\epsilon +3\delta < 1\). We found this state of affairs unsatisfactory, and tried to extend the result to hold for the entire parameter range. However, it turns out that sacO exists via an almost trivial construction whenever \(2\epsilon +\delta > 1\) (e.g. \(\epsilon =\delta =0.4\)). We do not know if sacO exists in the intermediate parameter regime.

Lastly, we conduct a study of whether sacO is sufficient to construct public-key encryption from one-way functions. We present an amplified version of the Sahai-Waters construction using an amplification technique due to Holenstein. Interestingly, it appears that there is a region in the parameter domain that would allow one to construct public-key encryption from one-way functions, but is not ruled out by our current technique. See Fig. 1 for the landscape of sacO parameters. We leave it as an intriguing open problem to close the gap between the various parameter regimes.
Fig. 1. The graph gives an overview of the possible range of parameters for sacO. In the upper right are parameter regimes that can be achieved using the construction described in Appendix A. In the lower left are the strong parameter regimes ruled out by our negative result in Sect. 3. The graph clearly shows the gap between the parameters that can be ruled out and those that can be used to construct public-key encryption using the construction of Sahai and Waters together with the amplification technique of Holenstein.

1.1 Our Techniques

Our starting point is the Goldwasser-Rothblum impossibility result. Consider a statistical iO obfuscator such that for any pair of functionally equivalent circuits, the obfuscator generates statistically indistinguishable distributions, and in addition the output circuit of the obfuscator is always functionally equivalent to the input circuit (this can be relaxed to hold only with high probability over the random coins of the obfuscator). Goldwasser-Rothblum observe that an unsatisfiable SAT formula \(\varPsi \) is functionally equivalent to the all-zero function \(\mathbf {0}\), and therefore the distributions produced by an siO obfuscator in both cases should be statistically indistinguishable. Slightly more formally, let X[C] denote the distribution output by the obfuscator on input circuit C; then we get that \(X[\varPsi ] \equiv X[\mathbf {0}]\), where \(\equiv \) denotes statistical indistinguishability. Conversely, if \(\varPsi \) is a satisfiable formula, then it has a different functionality than \(\mathbf {0}\), and therefore the supports of \(X[\varPsi ]\) and \(X[\mathbf {0}]\) will be disjoint (and thus obviously not statistically indistinguishable). It follows that in order to solve SAT, it suffices to tell whether \(X[\varPsi ]\) is close to \(X[\mathbf {0}]\). By a result of Sahai and Vadhan [29], there is an \(\mathcal {SZK}\) protocol that takes two polynomial-time samplers and decides whether they sample from distributions that are \(\epsilon _1\)-statistically close or \(\epsilon _2\)-statistically far, so long as \((\epsilon _2-\epsilon _1)\) is a noticeable function. The conclusion is that an siO obfuscator implies an \(\mathcal {SZK}\) protocol for SAT, which in turn implies that \(\mathcal {NP}\subseteq \mathcal {SZK}\).

To sum up the core argument, to show that an siO obfuscator does not exist unless \(\mathcal {NP}\subseteq \mathcal {SZK}\), Goldwasser-Rothblum built the formula-indexed distribution \(X[\varPsi ]\) that samples an siO obfuscation of \(\varPsi \) and has the properties that it is (i) efficiently samplable, (ii) if \(\varPsi \) is not satisfiable, then \(X[\varPsi ]\) and \(X[\mathbf {0}]\) are close, while (iii) if \(\varPsi \) is satisfiable, then \(X[\varPsi ]\) and \(X[\mathbf {0}]\) are far.

Allowing the obfuscator to have approximate correctness thwarts this approach completely. Hard SAT instances are obviously ones where the density of accepting inputs is sub-polynomial, since otherwise random sampling would yield a satisfying assignment with non-negligible probability. Therefore satisfiable and unsatisfiable SAT formulae will have almost identical functionality. One could consider an saiO obfuscator that, on any SAT formula that is not trivially satisfiable, would just produce an obfuscation of \(\mathbf {0}\). This means that \(X[\varPsi ]\) will have the same distribution whether \(\varPsi \) is satisfiable or not, and thus property (iii) is not satisfied anymore.

In order to overcome this issue, we construct a different distribution on formula-indexed circuits \(C_X[k,\varPsi ]\) (where k is a uniformly random key) such that if \(\varPsi \) is not satisfiable, then \(C_X[k,\varPsi ]\) and \(C_X[k,\mathbf {0}]\) have the same functionality, and if \(\varPsi \) is satisfiable, then \(C_X[k,\varPsi ]\) and \(C_X[k,\mathbf {0}]\) differ on a single point. Then, assuming one-way functions exist, we show that, although these two circuits differ on a single point only, the saiO obfuscation of \(C_X[k,\varPsi ]\) has to produce a distribution that is statistically far from that of \(C_X[k,\mathbf {0}]\). To do this, we rely on the fact that the obfuscator itself is computationally efficient, and therefore it cannot break the hardness of one-way functions and derived cryptographic objects such as pseudorandom functions (PRFs) or puncturable PRFs (see below). This way, we construct a new formula-indexed distribution \(X[\varPsi ]\) that satisfies properties (i), (ii) and (iii) as discussed above.

Puncturable PRFs were introduced simultaneously in [6, 7, 22] and were utilized as an essential building block for indistinguishability obfuscation in [30]. A standard PRF is a function that can be efficiently computed using a key k, but is indistinguishable from a random function via oracle access. A puncturable PRF is a PRF where one can generate a punctured key \(k\{x_0\}\) which allows one to compute the PRF at all points except \(x_0\), while the value at \(x_0\) is still indistinguishable from uniform, even given the punctured key. Puncturable PRFs can be constructed from any one-way function.

Based on a puncturable PRF and an saiO obfuscator \(\mathsf {O}\), we now construct a distribution on pairs of circuits (for now not indexed by a formula) such that the two circuits differ on a single point only and yet, an saiO obfuscator will produce distributions that are far. Let k be a key for a puncturable PRF, let \(x_0\) be a random point in the domain, let \(k\{x_0\}\) be a key punctured at \(x_0\), and consider the function \(f_{k\{x_0\},y}\) that outputs \(\mathsf {PRF}(k\{x_0\},x)=\mathsf {PRF}(k,x)\) for all \(x \ne x_0\), and outputs y on input \(x_0\). Then by definition \(f_{k\{x_0\},y}\) for a random y and \(f_{k\{x_0\},y_0}=\mathsf {PRF}(k,\cdot )\) for \(y_0=\mathsf {PRF}(k,x_0)\) are identical in functionality except maybe at the point \(x_0\). However, using puncturing, we can guarantee that the distributions \(\mathsf {O}(f_{k\{x_0\},y})\) and \(\mathsf {O}(f_{k\{x_0\},y_0})\), where \(k, x_0, y\) are chosen uniformly at random, are statistically far. To see this, it is enough to show that \(\mathsf {O}(f_{k\{x_0\},y})\) and \(\mathsf {O}(\mathsf {PRF}(k,\cdot ))\) are statistically far, since \(f_{k\{x_0\},y_0}=\mathsf {PRF}(k,\cdot )\) and thus \(\mathsf {O}(f_{k\{x_0\},y_0}) \equiv \mathsf {O}(\mathsf {PRF}(k,\cdot ))\). Consider the predicate that checks whether \(\mathsf {O}(\mathsf {PRF}(k,\cdot ))(x_0)=\mathsf {PRF}(k,x_0)\). This predicate must have non-negligible bias towards holding true, and is efficiently checkable, which also implies that \(\mathsf {O}(f_{k\{x_0\},y})(x_0)=f_{k\{x_0\},y}(x_0)\) holds true with noticeable bias, since otherwise we would have an efficient distinguisher from \(f_{k\{x_0\},y_0}=\mathsf {PRF}(k,\cdot )\), in contradiction to the puncturable PRF security.
Finally, since \(y \ne y_0\) with high probability (assume for simplicity that the PRF and the obfuscator have long outputs and keys of half the size), this implies that \(\mathsf {O}(f_{k\{x_0\},y})\) and \(\mathsf {O}(f_{k\{x_0\},y_0})\) have noticeable statistical distance, since they will have noticeable probability mass on circuits that respect the functionality on \(x_0\). Note that we used a computational argument, the security of punctured PRFs, to derive a statistical statement about the output distribution of the obfuscator.

We would like to use the aforementioned distributions to distinguish between satisfiable and unsatisfiable formulae. Let us restrict our attention to Unique-SAT formulae that are either unsatisfiable or have only one satisfying assignment. Unique-SAT is known to be \(\mathcal {NP}\)-Hard via a randomized reduction [32], and a result of Mahmoody and Xiao [27] shows that if Unique-\(\mathsf {SAT}\) is in \(\mathcal {SZK}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\), then \(\mathsf {SAT}\) is in \(\mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) (See Sect. 2.1).

Let \(\varPsi \) be a formula that has a unique satisfying assignment; then one can randomize the satisfying assignment (if it exists) to be uniformly distributed over the input space (e.g. by XORing all variables with a random string). Now, consider the function \(f_{k,y,\varPsi }\) defined such that \(f_{k,y,\varPsi }(x)=\mathsf {PRF}(k,x)\) if x does not satisfy \(\varPsi \), and \(f_{k,y,\varPsi }(x)=y\) otherwise. By definition, if \(\varPsi \) is unsatisfiable then \(f_{k,y,\varPsi }=\mathsf {PRF}(k,\cdot )\), and if \(\varPsi \) is satisfiable by some \(x_0\) (which is uniformly distributed) then \(f_{k,y,\varPsi }=f_{k\{x_0\}, y}\). Therefore the distribution of \(\mathsf {O}(f_{k,y,\varPsi })\) in the case where \(\varPsi \) is unsatisfiable (where it is close to \(\mathsf {O}(f_{k,y,\mathbf {0}})\)) and in the case where it is uniquely satisfiable (where it is far from \(\mathsf {O}(f_{k,y,\mathbf {0}})\)) are guaranteed to be at noticeable statistical distance from each other. This will allow us to produce an \(\mathcal {SZK}\) protocol to distinguish the two possibilities.
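The construction of the two preceding paragraphs, as an added example that is not the paper's own code: a GGM-style puncturable PRF (a hypothetical instantiation using SHA-256 as the tree step, on a toy 8-bit domain) and the formula-indexed circuit \(f_{k,y,\varPsi }\) with the random XOR shift that makes the satisfying assignment uniform. The sample "formulas", the key, y and the shift are all constructed; the code checks that \(f_{k,y,\varPsi }\) equals \(\mathsf {PRF}(k,\cdot )\) for an unsatisfiable formula and equals \(f_{k\{x_0\},y}\) for a uniquely satisfiable one.

```python
import hashlib
import os
from typing import Callable, Dict, List

# Toy parameters, constructed for illustration: an 8-bit domain so the whole
# truth table can be enumerated.  The PRF is the GGM tree with SHA-256 as the
# length-doubling step (hypothetical stand-in for "any puncturable PRF from
# one-way functions").
N_BITS = 8
DOMAIN = range(2 ** N_BITS)


def _child(node: bytes, bit: int) -> bytes:
    """One GGM tree step: left child for bit 0, right child for bit 1."""
    return hashlib.sha256(node + bytes([bit])).digest()


def prf(k: bytes, x: int) -> bytes:
    """PRF(k, x): walk from the root k along the bits of x, MSB first."""
    node = k
    for i in range(N_BITS - 1, -1, -1):
        node = _child(node, (x >> i) & 1)
    return node


def puncture(k: bytes, x0: int) -> Dict[str, object]:
    """Punctured key k{x0}: the sibling of every node on the root-to-x0 path.
    These subtrees cover every leaf except the one at x0."""
    node, siblings = k, {}
    for i in range(N_BITS - 1, -1, -1):
        bit = (x0 >> i) & 1
        siblings[i] = _child(node, 1 - bit)  # subtree not containing x0
        node = _child(node, bit)
    return {"x0": x0, "siblings": siblings}


def prf_punctured(kp: Dict[str, object], x: int) -> bytes:
    """PRF(k{x0}, x) for x != x0: resume from the stored sibling at the first
    bit where x leaves the punctured path, then finish the walk."""
    x0, siblings = kp["x0"], kp["siblings"]
    if x == x0:
        raise ValueError("cannot evaluate at the punctured point")
    for i in range(N_BITS - 1, -1, -1):
        if (x >> i) & 1 != (x0 >> i) & 1:
            node = siblings[i]
            for j in range(i - 1, -1, -1):
                node = _child(node, (x >> j) & 1)
            return node
    raise AssertionError("unreachable: x != x0 differs in some bit")


def formula_circuit(k: bytes, y: bytes, psi: Callable[[int], bool],
                    shift: int) -> Callable[[int], bytes]:
    """f_{k,y,Psi}: output y on inputs satisfying Psi, PRF(k, x) elsewhere.
    XORing the input with a uniformly random shift makes the unique
    satisfying assignment uniform over the domain, as the reduction needs."""
    return lambda x: y if psi(x ^ shift) else prf(k, x)


def disagreements(f: Callable[[int], bytes], k: bytes) -> List[int]:
    """Points where f differs from the PRF baseline PRF(k, .)."""
    return [x for x in DOMAIN if f(x) != prf(k, x)]


def matches_punctured_form(f, kp: Dict[str, object], y: bytes) -> bool:
    """Check f == f_{k{x0},y}: punctured PRF off x0, the value y at x0."""
    x0 = kp["x0"]
    return f(x0) == y and all(
        f(x) == prf_punctured(kp, x) for x in DOMAIN if x != x0)


# Constructed sample instances: a Unique-SAT "formula" whose single satisfying
# assignment is 0x2D (stands in for a real CNF), and an unsatisfiable one.
def psi_unique(x: int) -> bool:
    return x == 0x2D


def psi_unsat(x: int) -> bool:
    return False


if __name__ == "__main__":
    k, y, shift = os.urandom(32), os.urandom(32), os.urandom(1)[0]
    f_unsat = formula_circuit(k, y, psi_unsat, shift)
    f_sat = formula_circuit(k, y, psi_unique, shift)
    x0 = 0x2D ^ shift  # the randomized satisfying assignment
    print(disagreements(f_unsat, k))           # [] : same functionality as PRF(k, .)
    print(disagreements(f_sat, k) == [x0])     # True : differs on a single point
    print(matches_punctured_form(f_sat, puncture(k, x0), y))  # True
```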

In a World without OWFs. We recall that if OWFs do not exist then for any efficiently computable function f and with overwhelming probability over a y sampled from the output distribution of f, it is possible to efficiently sample (almost) uniformly (up to negligible error) from the set \(f^{-1}(y)=\{x: f(x)=y\}\) [19]. Given an efficiently samplable distribution over circuits, we can construct an average-case obfuscator for this family as follows. Let \(\mathsf {sampC}\) be a sampler for this distribution of circuits and consider the function \(f(r,x_1, \ldots , x_m)\) for a large polynomial m such that \(f(r,x_1, \ldots , x_m) = (x_1, \ldots , x_m, C(x_1), \ldots , C(x_m))\), for \(C=\mathsf {sampC}(r)\).

Now, to obfuscate a circuit C, sample \(x_1, \ldots , x_m\) and compute \(y_i = C(x_i)\). Then sample \((r,x_1, \ldots , x_m)\) from \(f^{-1}(x_1, \ldots , x_m, y_1, \ldots , y_m)\) and finally output \(C'=\mathsf {sampC}(r)\). This is clearly a perfect indistinguishability obfuscator (i.e. two circuits with the same functionality will produce identical distributions). It is also approximately correct on the average, because on average, if two circuits agree on a randomly chosen set of points, then they will have a large agreement altogether.

We note that a similar and even simpler argument shows that if all efficiently computable functions are PAC learnable [31], even allowing membership queries, then saiO with perfect indistinguishability exists. This follows immediately by definition by giving the learner (black-box) access to C, and outputting its hypothesis \(C'\) as the output of the obfuscator. In such a case OWFs trivially do not exist.

The Landscape of Correlation Obfuscation. Extending our techniques to rule out sacO with \(2\epsilon +3\delta < 1\) follows from carefully analyzing the parameters in the proof outlined above (one can get \(2\epsilon +4\delta < 1\) by straightforward analysis, and the slight improvement comes from properly defining the random variables in the problem). We can show a trivial sacO obfuscator for \(2\epsilon +\delta > 1\) as follows. Given an input circuit C, use random sampling to find the majority value of the truth table of C (if C is approximately balanced, then any value works). Then output the constant function taking the majority value with probability \(2\epsilon \), and output C itself with probability \(1-2\epsilon \). Correctness will hold with probability \(1-\epsilon \), since if C is output then correctness is perfect, and if the constant function is output then correctness is approximately 1/2. The correlation between two functionally equivalent circuits is at least \(2\epsilon \) since the calculation of the majority value only depends on the truth table. We provide a more formal analysis in Appendix A. It seems that such a trivial obfuscator cannot imply any non-trivial results.
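The trivial sacO obfuscator just described, as an added example that is not from the paper or its Appendix A: circuits are modelled as (description, truth table) pairs, so two circuits with different descriptions but the same table are functionally equivalent. The majority value is computed exactly over the whole (tiny) truth table rather than estimated by sampling, which is an assumption made for exact arithmetic; with it the construction lands exactly on the boundary \(2\epsilon +\delta = 1\), with correctness \(1-\epsilon \) attained on balanced tables.

```python
from fractions import Fraction
from typing import Dict, Iterable, Tuple

# A circuit is (description, truth table).  Same table, different description
# means functionally equivalent: the pair sacO must make hard to tell apart.
Circuit = Tuple[str, Tuple[int, ...]]
Dist = Dict[Circuit, Fraction]


def majority_value(tt: Tuple[int, ...]) -> int:
    """Majority bit of the truth table (ties broken towards 1).  Computed
    exactly here; the paper estimates it by random sampling."""
    return 1 if 2 * sum(tt) >= len(tt) else 0


def trivial_saco(circuit: Circuit, eps: Fraction) -> Dist:
    """Exact output distribution of the trivial obfuscator: with probability
    2*eps the constant circuit with the majority value, otherwise C itself.
    The constant branch depends only on the truth table, so equivalent
    circuits share it."""
    _, tt = circuit
    const: Circuit = ("const", (majority_value(tt),) * len(tt))
    return {const: 2 * eps, circuit: 1 - 2 * eps}


def correctness(circuit: Circuit, dist: Dist) -> Fraction:
    """Pr[O(C)(x) = C(x)] over the obfuscator's coins and a uniform input x."""
    _, tt = circuit
    return sum((p * Fraction(sum(a == b for a, b in zip(tt, tt2)), len(tt))
                for (_, tt2), p in dist.items()), Fraction(0))


def statistical_distance(d0: Dist, d1: Dist) -> Fraction:
    """SD(d0, d1) = 1/2 * sum over the support of |d0 - d1|."""
    support = set(d0) | set(d1)
    return sum((abs(d0.get(c, Fraction(0)) - d1.get(c, Fraction(0)))
                for c in support), Fraction(0)) / 2


def saco_parameters(circuits: Iterable[Circuit],
                    eps: Fraction) -> Tuple[Fraction, Fraction]:
    """Worst-case correctness over the given circuits and the worst-case
    statistical distance delta over functionally equivalent pairs."""
    circuits = list(circuits)
    dists = {c: trivial_saco(c, eps) for c in circuits}
    worst_corr = min(correctness(c, dists[c]) for c in circuits)
    worst_delta = max((statistical_distance(dists[a], dists[b])
                       for a in circuits for b in circuits
                       if a != b and a[1] == b[1]), default=Fraction(0))
    return worst_corr, worst_delta


if __name__ == "__main__":
    # Constructed sample: two equivalent balanced circuits and one unbalanced.
    eps = Fraction(2, 5)
    sample = [("c1", (1, 0, 1, 0)), ("c2", (1, 0, 1, 0)), ("c3", (1, 1, 1, 0))]
    corr, delta = saco_parameters(sample, eps)
    print(corr, delta, 2 * eps + delta)  # 3/5 1/5 1 : correctness 1-eps, 2eps+delta = 1
```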

We notice that a sacO obfuscator can be plugged into the Sahai-Waters construction, and would imply weak notions of security and correctness for the resulting public-key encryption scheme. Holenstein [18] shows that, for some parameters, this weak notion can be amplified to standard security and correctness. Plugging in our parameters, we get that roughly when \(\tfrac{1}{2} - 3\epsilon +2\epsilon ^2 > \delta \), sacO would imply symmetric to public key transformation using this method. This leaves a small region of parameters where sacO is not known to be impossible, and if it is possible it will imply highly non-trivial results. It is not clear whether other parameter regimes can also be useful, or whether our impossibility can be extended to rule out the entire useful regime. We refer to Fig. 1 again for a visual characterization of the parameter regimes.

1.2 Consequences of Our Result

Our result strengthens previous negative results for proving the existence of iO in several ideal models. Previous works show that a construction of statistically secure (perfectly correct) iO in any of those ideal models implies the existence of saiO in the standard model. Actually, one can generalize these results to also hold for saiO. Combined with our result, this yields that a construction of iO or saiO in these ideal models implies that \(\mathcal {NP}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) or the non-existence of one-way functions.

This line of research was initiated by Canetti et al. [8], who show that given a VBB obfuscator in the random oracle model, one can remove the random oracle at the cost of relaxing the correctness of the obfuscator. Pass and Shelat [28] show an analogous result for VBB obfuscators in the ideal constant-degree encoding model, and Mahmoody et al. [25] show analogous results for the generic group model and the generic trapdoor permutation model. All these results transform a VBB obfuscator in an oracle world into an approximately correct VBB obfuscator in the standard model. They yield an impossibility result for VBB obfuscation in the ideal models, as approximately correct VBB is known not to exist, assuming trapdoor permutations, see [3, 8]. The crucial insight of Mahmoody et al. [26] is that all these oracle removal procedures are actually oblivious to the exact notion of obfuscation. The reason is that all proofs proceed by showing that the oracle-free obfuscation is as secure as the oracle-based obfuscation, i.e., the oracle-free obfuscated circuit can be simulated by an adversary in the oracle world, given the oracle-based obfuscated circuit. Therefore, if one has an iO obfuscator in any of the ideal models, via the oracle removal procedures, one obtains an saiO obfuscator in the standard model. Mahmoody et al. [26] conclude that, as an saiO obfuscator in the standard model allows one to resolve the long-standing open problem of building public-key encryption from symmetric-key encryption, it seems very hard to construct such an object. In other words, their result rules out saiO assuming that building public-key encryption from symmetric-key encryption is impossible. Our result strengthens their result by ruling out saiO based on the accepted complexity postulate that \(\mathcal {NP}\not \subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) and the fundamental assumption of cryptography that one-way functions exist. Therefore, based on the same assumptions, iO in all aforementioned idealized models cannot exist.

1.3 Open Problems

The main question that we leave open is the set of parameters for sacO that are useful and that are (im)possible. Note that it is desirable to have more positive results not only for sacO, but also for acO, the computational variant of sacO, in the spirit of Bitansky-Vaikuntanathan [4], who give an assumption-based transformation from aiO to standard iO. Even if sacO for useful parameters turns out to be impossible, it might still be easier to build acO for useful parameters and then use amplification rather than to build fully secure, fully correct iO directly.

In particular, note that for a certain parameter range of sacO, we do not know of any impossibility results of building sacO in ideal models. The oracle removal procedures that we discuss in Sect. 1.2 maintain security and only weaken correctness. Therefore, a variant of the oracle removal procedures can also be proven for sacO (losing some amount of correctness). As not all useful parameters for sacO are ruled out by our results, one might aim for building sacO in an ideal model for these parameters. Note that one can use our result as a sanity check for any potential oracle construction: If the construction would also work for parameters that we rule out, then it is probably better to pursue a different approach.

Another direction for building useful statistical variants of iO is to relax the computational efficiency of the obfuscator, in which case the distributions \(X[\varPsi ]\) that we considered before are not efficiently samplable anymore (condition (i)) and thus the \(\mathcal {SZK}\) argument fails. Interestingly, Lin et al. [24] recently showed that such a notion of iO, which they call XiO, has indeed useful applications to transformations on functional encryption.

2 Preliminaries

We first introduce some general notation. By \(n\in \mathbb {N}\), we denote the security parameter that we give to all algorithms implicitly in unary representation \(1^n\). By \(\{0,1\}^\ell \) we denote the set of all bit-strings of length \(\ell \). For a finite set S, we use the usual sampling-arrow notation for sampling x uniformly at random from S, and denote the cardinality of S by \(\left|S \right|\). Algorithms are assumed to be randomized, unless otherwise stated. We call an algorithm efficient or \(\mathsf {PPT}\) if it runs in time polynomial in the security parameter. If \(\mathcal {A}\) is randomized then by \(y \leftarrow \mathcal {A}(x;r)\) we denote that \(\mathcal {A}\) is run on input x with random coins r and produces output y. If no randomness is specified, then we assume that \(\mathcal {A}\) is run with freshly sampled uniform random coins. For a circuit C we denote by \(\left|C \right|\) the size of the circuit. We say a function \(\mathsf {negl}(n)\) is negligible if for any positive polynomial \(\mathsf {poly}(n)\), there exists an \(N \in \mathbb {N}\) such that for all \(n > N\), \(\mathsf {negl}(n) \le \frac{1}{\mathsf {poly}(n)}\). To define statistically secure variants of obfuscation we will use the following definition of statistical distance.

Definition 1

(Statistical Distance). For two probability distributions X and Y we define the statistical distance \(\mathsf {SD}(X,Y)\) as follows, where \(\mathcal {A}\) ranges over all probabilistic algorithms including inefficient ones.

2.1 Complexity Theory

We refer the reader to Goldreich’s book [11] for a detailed exposition of complexity theory. We now discuss a few objects that are most relevant to our proof. We let \(\mathsf {SAT}\) denote the set of all satisfiable CNF formulae, we let \(\mathsf {USAT}\) denote the set of CNF formulae that have exactly one satisfying assignment, and \(\mathsf {UNSAT}\) denote the set of CNF formulae that have no satisfying assignment. Given a formula \(\varPsi \), deciding whether \(\varPsi \in \mathsf {SAT}\) is an \(\mathcal {NP}\)-Complete problem. We recall that a promise problem \(\varPi = (\varPi _\mathsf {Yes},\varPi _\mathsf {No})\) is a pair of disjoint subsets of \(\{0,1\}^*\). Of particular interest to us is the unique SAT (promise) problem \(\mathsf {UniqueSAT}= (\mathsf {USAT}, \mathsf {UNSAT})\). Total problems (a.k.a. languages) are a special case of promise problems, e.g. \((\mathsf {SAT}, \mathsf {UNSAT})\) is exactly the SAT problem. In such a case, it suffices to specify \(\varPi _\mathsf {Yes}\) in order to completely define the problem.

We consider the notion of randomized polynomial time Turing reductions between problems. A promise oracle to a problem \(\varPi =(\varPi _\mathsf {Yes},\varPi _\mathsf {No})\), is one that always answers 1 on inputs in \(\varPi _\mathsf {Yes}\) and always answers 0 on inputs in \(\varPi _\mathsf {No}\), but otherwise can answer arbitrarily, and even inconsistently between calls. We define the class \(\mathcal {BPP}^{\varPi }\) as the class of problems solvable using a probabilistic polynomial time algorithm with access to a \(\varPi \) oracle. In other words, \(\mathcal {BPP}^{\varPi }\) is the class of problems that are reducible to \(\varPi \). One can verify that this class indeed composes, i.e. if \(\widetilde{\varPi } \in \mathcal {BPP}^{\varPi }\) then \(\mathcal {BPP}^{\widetilde{\varPi }} \subseteq \mathcal {BPP}^{\varPi }\). Valiant and Vazirani [32] showed that SAT is reducible to unique SAT.

Theorem 1

(Valiant-Vazirani). \(\mathsf {SAT}\in \mathcal {BPP}^{\mathsf {UniqueSAT}}\).

An additional promise problem which will be of interest to us is the GapSD problem, defined by Sahai and Vadhan [29]. This problem essentially captures the hardness of distinguishing between efficient samplers for statistically close distributions and ones for statistically far distributions. We recall that for a circuit C (which we regard as a sampler from a distribution), \(C(\mathcal{U})\) denotes the distribution generated by running C on a random input.

Definition 2

(GapSD Problem). The problem \(\mathsf {GapSD}= (\mathsf {GapSD}_\mathsf {Yes}, \mathsf {GapSD}_\mathsf {No})\) is defined as follows. Consider tuples of the form \((C_0,C_1,\nu ,1^{\ell })\), where \(C_0, C_1\) are circuits, \(\nu \) is a threshold value and \(1^{\ell }\) is a unary encoding of a probability gap. Define
$$ \mathsf {GapSD}_\mathsf {Yes}= \{(C_0,C_1,\nu ,1^{\ell }) : \mathsf {SD}(C_0(\mathcal{U}), C_1(\mathcal{U}))<\nu \}, $$
$$ \mathsf {GapSD}_\mathsf {No}= \{(C_0,C_1,\nu ,1^{\ell }) : \mathsf {SD}(C_0(\mathcal{U}), C_1(\mathcal{U}))>\nu +1/\ell \}. $$

Combining results by Mahmoody and Xiao [27] and by Bogdanov and Lee [5] as follows shows that \(\mathcal {BPP}^\mathsf {GapSD}\) is contained in \(\mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).

Theorem 2

\(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).


It follows from [5, Theorem 9] that \(\mathsf {GapSD}\in \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\). This means that both \((\mathsf {GapSD}_\mathsf {Yes}, \mathsf {GapSD}_\mathsf {No})\) and its complement \((\mathsf {GapSD}_\mathsf {No}, \mathsf {GapSD}_\mathsf {Yes})\) have \(\mathcal {AM}\) protocols, say with completeness 9/10 and soundness 1/10. Consider the protocol that takes \((C_0, C_1, \nu , 1^\ell )\) and does the following. First, execute the \(\mathcal {AM}\) protocol for \((\mathsf {GapSD}_\mathsf {Yes}, \mathsf {GapSD}_\mathsf {No})\) on input \(x_1 = (C_0, C_1, \nu +1/(4\ell ), 1^{(4\ell )})\). Then, execute the \(\mathcal {AM}\) protocol for \((\mathsf {GapSD}_\mathsf {No}, \mathsf {GapSD}_\mathsf {Yes})\) (note the reverse order) on \(x_2 = (C_0, C_1, \nu -1/(2\ell ), 1^{(4\ell )})\). Accept only if the two executions accepted. Now, assume that \(\nu = \mathsf {SD}(C_0(\mathcal{U}), C_1(\mathcal{U}))\). Then it holds that \(x_1 \in \mathsf {GapSD}_\mathsf {Yes}\) and \(x_2 \in \mathsf {GapSD}_\mathsf {No}\), and therefore our new protocol accepts with probability at least 8/10. However, if \(\left|\nu - \mathsf {SD}(C_0(\mathcal{U}), C_1(\mathcal{U})) \right| > 1/\ell \) then either \(x_1 \in \mathsf {GapSD}_\mathsf {No}\) or \(x_2 \in \mathsf {GapSD}_\mathsf {Yes}\), and therefore our new protocol accepts with probability at most 2/10. This means that our protocol is an \(\mathcal {AM}\) protocol that, for any \(\epsilon \), can decide given \((C_0, C_1)\), \(1^{\left\lceil 1/\epsilon \right\rceil }\) and \(\nu \) whether \(\nu = \mathsf {SD}(C_0(\mathcal{U}), C_1(\mathcal{U}))\) or whether \(\left|\nu -\mathsf {SD}(C_0(\mathcal{U}), C_1(\mathcal{U})) \right| > \epsilon \).

Consider the class \(\mathbb {R}\mathbf -TFAM \) as defined in [27, Definition 3.1] and consider the real valued function \(f_{\mathsf {SD}}: \{0,1\}^*\rightarrow \mathbb {R}\) defined as \(f_{\mathsf {SD}}(C_0,C_1,1^k)=\mathsf {SD}(C_0(\mathcal{U}), C_1(\mathcal{U}))\) (note that the third parameter is ignored and is used only for padding purposes). Our protocol above implies, by definition, that \(f_{\mathsf {SD}}\in \mathbb {R}\mathbf -TFAM \).

Furthermore, it holds that \(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {BPP}^{\mathcal{O}_{f_{\mathsf {SD}}}}\), for any oracle \(\mathcal{O}_{f_{\mathsf {SD}}}\) that on input \(x \in \{0,1\}^n\) outputs a value y such that \(\left|y-f_{\mathsf {SD}}(x) \right| \le 1/n\). To see this, we notice that we can answer \(\mathsf {GapSD}\) queries of the form \((C_0, C_1, \nu , 1^\ell )\) as follows: First compute \(y = \mathcal{O}_{f_{\mathsf {SD}}}(C_0, C_1, 1^{2\ell })\), then if \(y < \nu + 1/(2\ell )\) return \(\mathsf {Yes}\), otherwise return \(\mathsf {No}\). This implies that \(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {BPP}^{\mathbb {R}\mathbf -TFAM }\) by [27, Definition 3.2] (when choosing \(\epsilon (n)=1/n\)).

Finally, [27, Theorem 1.1] states that \(\mathcal {BPP}^{\mathbb {R}\mathbf -TFAM } \subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\), which implies that \(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) as desired.

We now state an important corollary of Theorem 2 which shows that there would be unlikely consequences if \(\mathsf {UniqueSAT}\in \mathcal {BPP}^{\mathsf {GapSD}}\).

Corollary 3

If \(\mathsf {UniqueSAT}\in \mathcal {BPP}^\mathsf {GapSD}\), then \(\mathcal {NP}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).


Proof. By definition it holds that \(\mathcal {NP}\subseteq \mathcal {BPP}^\mathsf {SAT}\). Theorem 1 implies that \(\mathcal {BPP}^\mathsf {SAT}\subseteq \mathcal {BPP}^{\mathsf {UniqueSAT}}\). If \(\mathsf {UniqueSAT}\in \mathcal {BPP}^\mathsf {GapSD}\), then \(\mathcal {BPP}^\mathsf {UniqueSAT}\subseteq \mathcal {BPP}^\mathsf {GapSD}\). Together with \(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) from Theorem 2, we get
$$ \mathcal {NP}\subseteq \mathcal {BPP}^\mathsf {SAT}\subseteq \mathcal {BPP}^{\mathsf {UniqueSAT}}\subseteq \mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}, $$
and the corollary follows.

2.2 Obfuscation

In this subsection, we define the statistically secure variant of approximately correct indistinguishability obfuscation (saiO) and its generalization that we call statistically secure Approximately Correct Correlation Obfuscation (sacO). We start with the generalized variant sacO first and then define saiO as a special case. The notion of correlation obfuscation, in contrast to standard indistinguishability obfuscation, does not require that the output of the obfuscator is indistinguishable for functionally equivalent circuits. Rather, it only requires that there is a noticeable correlation between the outputs.

Definition 3

(Approximately Correct Correlation Obfuscation). Let O be a \(\mathsf {PPT}\) algorithm that takes boolean circuits (with a single output bit) as inputs and produces boolean circuits as output. For a circuit C, we let O(C;r) denote the output of running O on C with randomness r, and we let O(C) denote the distribution O(C;r) with uniform r.

We say that O is a \((1-\epsilon )\)-approximately correct and \((1-\delta )\)-secure correlation obfuscator sacO if the following conditions hold:
  • Approximate Correctness. For any circuit C it holds that
    $$ {\text {Pr}}_{r,x}\left[ \mathsf{O}(C; r)(x) = C(x)\right] \ge 1-\epsilon (|C|,n). $$
  • Correlation. For any pair of circuits \(C_1, C_2\) which compute the same function and such that \(|C_1|=|C_2|\) it holds that \(\mathsf {SD}(\mathsf{O}(C_1), \mathsf{O}(C_2)) \le \delta (|C_1|,n)\).

The definition of statistically secure approximately correct indistinguishability obfuscation (saiO) follows by requiring negligible statistical distance \(\delta \).

Definition 4

(Approximately Correct Indistinguishability Obfuscation). Let O be a \((1-\epsilon )\)-approximately correct and \((1-\delta )\)-secure correlation obfuscator. We say that O is also a \((1-\epsilon )\)-approximately correct statistically secure indistinguishability obfuscator (saiO) if there exists a negligible function \(\mathsf {negl}\,\,\!\!\left( |C|,n \right) \) such that for all circuits C it holds that \(\delta (|C|,n) \le \mathsf {negl}\,\,\!\!\left( |C|,n \right) \).

2.3 Puncturable Pseudorandom Functions

We use a weak notion of puncturable pseudorandom function. This notion suffices for our results and follows trivially from the stronger standard definition.

Definition 5

(Puncturable Pseudorandom Functions). A pair of \(\mathsf {PPT}\) algorithms \((\mathsf {PRF},\mathsf {Puncture})\) is a puncturable pseudorandom function with one-bit output if, on input a key \(k \in \{0,1\}^n\) or a punctured key \(k^*\) and an input value \(x \in \{0,1\}^n\), \(\mathsf {PRF}\) deterministically outputs a bit b, and on input a key \(k \in \{0,1\}^n\) and an input value \(x_0\), \(\mathsf {Puncture}\) outputs a punctured key \(k^*\), such that the following two properties are satisfied.

Functionality Preserved Under Puncturing. For all keys k, all input values \(x_0\), all punctured keys \(k^* \leftarrow \mathsf {Puncture}(k,x_0)\), and all input values \(x \ne x_0\), it holds that
$$\begin{aligned} \mathsf {PRF}(k^*,x) = \mathsf {PRF}(k,x). \end{aligned}$$
Security. For every \(\mathsf {PPT}\) adversary \((\mathcal {A}_1,\mathcal {A}_2)\) such that \(\mathcal {A}_1(1^n;r_1)\) outputs an input value \(x_0\) and state \(\mathsf {st}\), consider an experiment where \(k \leftarrow \{0,1\}^n\), \(\mathsf {k}^* = \mathsf {Puncture}(\mathsf {k},x_0;t)\), and \(b \leftarrow \{0,1\}\). Then we have
$$\begin{aligned} \Big\vert {\text {Pr}}_{k,r_1,t,r_2}\left[ \mathcal {A}_2(\mathsf {st}, \mathsf {k}^*, x_0, \mathsf {PRF}(k,x_0);r_2) = 1\right] - {\text {Pr}}_{k,b,r_1,t,r_2}\left[ \mathcal {A}_2(\mathsf {st},\mathsf {k}^*,x_0,b;r_2)=1\right] \Big\vert \le \mathsf {negl}\left( n \right) . \end{aligned}$$

As observed by [6, 7, 22] puncturable PRFs can, for example, be constructed from pseudorandom generators (and thereby one-way functions [17]) via the GGM tree-based construction [12, 13].

3 Negative Results for sacO and saiO

We now prove our main theorem that sacO for a large class of parameters, in particular the saiO parameters, is impossible assuming one-way functions and \(\mathcal {NP}\not \subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).

Theorem 4

(Impossibility of sacO). If \((1-\epsilon )\)-approximately correct, \((1-\delta )\)-secure sacO for \(\mathcal {P}\) exists, and there exists some polynomial \(\mathsf {poly}\,\,\!\!\left( \left|C \right|,n \right) \) such that \(\delta (\left|C \right|,n) \le \tfrac{1}{3}-\tfrac{2}{3}\epsilon (\left|C \right|,n) - \tfrac{1}{\mathsf {poly}\,\,\!\!\left( \left|C \right|,n \right) }\), then one-way functions do not exist or \(\mathcal {NP}\subseteq \mathbf {co}\mathcal {AM}\cap \mathcal {AM}\).

By setting \(\delta \) to be some negligible function, impossibility of saiO follows immediately as a corollary.

Corollary 5

(Impossibility of saiO). If \((1-\epsilon )\)-approximately correct saiO for \(\mathcal {P}\) exists, and there exists some polynomial \(\mathsf {poly}\,\,\!\!\left( \left|C \right|,n \right) \) such that \(\epsilon (\left|C \right|,n) \le \tfrac{1}{2} - \tfrac{1}{\mathsf {poly}\,\,\!\!\left( \left|C \right|,n \right) }\), then one-way functions do not exist or \(\mathcal {NP}\subseteq \mathbf {co}\mathcal {AM}\cap \mathcal {AM}\).


Proof (Theorem 4). We define an efficiently samplable distribution \(X[\varPsi ]\) that is parametrized by a formula \(\varPsi \), and we define a reference distribution Y that should be parametrized by the size of \(\varPsi \) and the number of variables in \(\varPsi \), but we omit the dependency on \(\varPsi \) for readability. We note that in the introduction, we discussed using \(Y=X[\mathbf {0}]\), where \(\mathbf {0}\) is a canonical representation of an unsatisfiable formula of the same size as \(\varPsi \). It is intuitive to think of Y as being indeed equal to \(X[\mathbf {0}]\). However, for the sake of tightness, jumping ahead, we will use a slightly different distribution and note that this allows us to gain an additive term of \(\delta \) in Claim 11.

As in the proof by Goldwasser and Rothblum [14, 15] that we sketched in the introduction, we want to define \(X[\varPsi ]\) (and Y) in a way such that properties (1), (2) and (3) are satisfied, assuming one-way functions and sacO. If we manage to do so, then we succeed in showing that these assumptions imply the collapse of the polynomial hierarchy.

Our proof will rely on the promise problem \((\mathsf {USAT},\mathsf {UNSAT})\) rather than the language \(\mathsf {SAT}\) (see Subsect. 2.1). Therefore, instead of using the gap statistical distance problem \(\mathsf {GapSD}\) directly as Goldwasser and Rothblum do, we will consider \(\mathcal {BPP}^\mathsf {GapSD}\), in order to accommodate the randomized reduction from \(\mathsf {SAT}\) to \(\mathsf {USAT}\) (see Theorem 1).

Our proof does not rely on complexity-theoretic techniques, except for proving the following claim and showing that the theorem follows from it.

Claim 6

Assume that there is a formula-indexed distribution \(X[\varPsi ]\), a reference distribution Y, a function \(\nu \), and a polynomial \(\mathsf {poly}\,\,\!\!\left( n \right) \) such that the following three conditions are satisfied.

  (1) There is a uniform polynomial-time algorithm \(\mathcal {A}\), that on input \(\varPsi \), constructs two polynomial-size randomized circuits that sample from \(X[\varPsi ]\) and Y respectively.

  (2) If \(\varPsi \) is in \(\mathsf {UNSAT}\), then \(X[\varPsi ]\) has statistical distance at most \(\nu (n)\) from Y.

  (3) If \(\varPsi \) is in \(\mathsf {USAT}\), then \(X[\varPsi ]\) has statistical distance at least \(\nu (n) + \tfrac{1}{\mathsf {poly}\,\,\!\!\left( n \right) }\) from Y.


Then \(\mathsf {USAT}\) is in \(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).


Proof. Given that conditions (1), (2) and (3) are satisfied, we construct an algorithm \(\mathcal {B}\) such that for all \(\mathsf {GapSD}\) oracles and all formulae \(\varPsi \), \(\mathcal {B}^\mathsf {GapSD}(\varPsi )\) outputs 1 with probability 1 if \(\varPsi \in \mathsf {USAT}\) and 0 with probability 1 if \(\varPsi \in \mathsf {UNSAT}\). On input \(\varPsi \), the algorithm \(\mathcal {B}\) runs \(\mathcal {A}\) to get circuits for \(X[\varPsi ]\) and Y and queries \((X[\varPsi ],Y,\nu (n),1^{\mathsf {poly}\,\,\!\!\left( n \right) })\) to the \(\mathsf {GapSD}\) oracle. \(\mathcal {B}\) returns whatever the oracle returns. By properties (1), (2) and (3), the query that \(\mathcal {B}\) makes is in \(\mathsf {GapSD}_\mathsf {Yes}\) if \(\varPsi \in \mathsf {USAT}\) and in \(\mathsf {GapSD}_\mathsf {No}\) if \(\varPsi \in \mathsf {UNSAT}\). Hence, \(\mathcal {B}\) is correct and \(\mathsf {USAT}\) is in \(\mathcal {BPP}^\mathsf {GapSD}\). Moreover, due to Theorem 2 by Mahmoody and Xiao, \(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).

To obtain the main theorem, we need to show that \(\mathsf {USAT}\in \mathcal {BPP}^\mathsf {GapSD}\) implies \(\mathcal {NP}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\), which directly follows from Corollary 3 of Theorem 2 by Mahmoody and Xiao. Thus, if we can show that distributions as described in conditions (1), (2) and (3) exist, then the theorem follows.

We now define \(X[\varPsi ]\) and Y and then show that they satisfy (1), (2) and (3) assuming the existence of one-way functions and sacO with suitable correctness and security.

Definition 6

(Distribution). Let \(\ell (n)\) be a sufficiently large polynomial designating the size to which all circuits are padded before being obfuscated. Let \(\varPsi \) be a formula, let \((\mathsf {PRF},\mathsf {Puncture})\) be a puncturable pseudorandom function, and let \(\mathsf {O}\) be a \((1-\epsilon )\)-correct, statistically \((1-\delta )\)-secure approximate correlation obfuscator, where \(\delta (\left|C \right|,n) \le \tfrac{1}{3}-\tfrac{2}{3}\epsilon (\left|C \right|,n) - \tfrac{1}{\mathsf {poly}\,\,\!\!\left( \left|C \right|,n \right) }\). We now define the distribution \(X[\varPsi ]\) and Y, where the circuits \(\mathsf {C}_X[k,b,s,\varPsi ]\) and \(\mathsf {C}_{\textsf {prf}}[k]\) are defined to the right of the distributions.

Claim 7

(Distribution). The distributions defined in Definition 6 satisfy the conditions demanded in Claim 6. I.e., there exists a function \(\nu \) and a polynomial \(\mathsf {poly}\,\,\!\!\left( n \right) \) such that they satisfy the following:
  (1) There is a uniform polynomial-time algorithm \(\mathcal {A}\), that on input \(\varPsi \), constructs two polynomial-size randomized circuits that sample from \(X[\varPsi ]\) and Y respectively.

  (2) If \(\varPsi \) is in \(\mathsf {UNSAT}\), then \(X[\varPsi ]\) has statistical distance at most \(\nu (n)\) from Y.

  (3) If \(\varPsi \) is in \(\mathsf {USAT}\), then \(X[\varPsi ]\) has statistical distance at least \(\nu (n) + \tfrac{1}{\mathsf {poly}\,\,\!\!\left( n \right) }\) from Y.


We will first state two claims and a lemma that will allow us to prove Claim 7. We will then prove Claim 7 and afterwards prove the claims and the lemma.

Claim 8

(Efficient Sampling). There is a uniform polynomial-time algorithm \(\mathcal {A}\), that on input \(\varPsi \), constructs two polynomial-size randomized circuits that sample from \(X[\varPsi ]\) and Y respectively.

Claim 9

(Statistical Proximity). For all formulae \(\varPsi \in \mathsf {UNSAT}\), \(X[\varPsi ]\) has statistical distance at most \(\delta (\ell (n),n)\) from Y.

Lemma 10

(Statistical Distance). There exists a negligible function \(\mathsf {negl}\,\,\!\!\left( n \right) \), such that for all formulae \(\varPsi \in \mathsf {USAT}\), \(X[\varPsi ]\) has statistical distance at least \(1-2\epsilon (\ell (n),n) - 2\delta (\ell (n),n) - \mathsf {negl}\,\,\!\!\left( n \right) \) from Y.


Proof (Claim 7). Condition (1) follows immediately from Claim 8. Condition (2) follows from Claim 9 for the function \(\nu (n) = \delta (\ell (n),n)\). From Lemma 10, it follows that, if \(\varPsi \) is in \(\mathsf {USAT}\), then \(X[\varPsi ]\) has statistical distance at least \(1-2\epsilon (\ell (n),n) - 2\delta (\ell (n),n) - \mathsf {negl}\,\,\!\!\left( n \right) \) from Y. Combining this with the \(\nu (n)\) obtained from Claim 9, we get that condition (3) holds if there exists a polynomial \(\mathsf {poly}\,\,\!\!\left( n \right) \) such that
$$\begin{aligned} & \delta (\ell (n),n) + \tfrac{1}{\mathsf {poly}\left( n \right) } \le 1-2\epsilon (\ell (n),n) - 2\delta (\ell (n),n) - \mathsf {negl}\left( n \right) \\ \Leftrightarrow \quad & 3\delta (\ell (n),n) \le 1-2\epsilon (\ell (n),n) - \tfrac{1}{\mathsf {poly}\left( n \right) } - \mathsf {negl}\left( n \right) \\ \Leftrightarrow \quad & \delta (\ell (n),n) \le \tfrac{1}{3}-\tfrac{2}{3}\epsilon (\ell (n),n) - \tfrac{1}{\mathsf {poly}\left( n \right) } - \mathsf {negl}\left( n \right) . \end{aligned}$$
Since \(\mathsf {negl}\,\,\!\!\left( n \right) \) is dominated by any inverse polynomial, Eq. 1 is already ensured by the choice of \(\delta \) in Definition 6. Hence condition (3) holds, and the claim follows.


Proof (Claim 8). Sampling k and s is efficient, and so is constructing \(\mathsf {C}_X[k,s,\varPsi ]\) and \(\mathsf {C}_{\textsf {prf}}[k]\). Finally, from the efficiency of the obfuscator, it follows that \(X[\varPsi ]\) and Y are efficiently samplable by polynomial-size randomized circuits.


Proof (Claim 9). For all unsatisfiable formulae \(\varPsi \), the circuits \(\mathsf {C}_X[k,s,\varPsi ]\) and \(\mathsf {C}_{\textsf {prf}}[k]\) are functionally equivalent and of the same size \(\ell (n)\). Hence, by statistical security of the obfuscator, the distributions \((k,s,\mathsf {O}(\mathsf {C}_X[k,s,\varPsi ]))\) and \((k,s,\mathsf {O}(\mathsf {C}_{\textsf {prf}}[k]))\) have statistical distance at most \(\delta (\ell (n),n)\).

We now turn to the most involved part of the proof, which is to show that Lemma 10 holds. In order to show that for all formulae \(\varPsi \in \mathsf {USAT}\), \(X[\varPsi ]\) is statistically far from Y, we show that, if \(\varPsi \in \mathsf {USAT}\), then the distribution \(X[\varPsi ]\) has a property that Y does not have. We state the property in two claims.

Claim 11

For all \(x_0\), it holds that

Claim 12

If \(\varPsi \in \mathsf {USAT}\), then there exists \(x_\varPsi \), such that


Proof (Lemma 10). Lemma 10 follows directly from Claims 11 and 12, because the stated properties are statistical properties, i.e., we can give an inefficient distinguisher as follows: The distinguisher determines \(x_\varPsi \) through exhaustive search and then, given a sample \((k,s,C')\) from either \(X[\varPsi ]\) or Y, checks whether \(\mathsf {PRF}(k,\cdot )\) and \(C'\) differ on input \(x_\varPsi \oplus s\). If the sample is from \(X[\varPsi ]\), they will differ with probability greater than \(1 - \epsilon (\ell (n),n) - 2\delta (\ell (n), n) - \mathsf {negl}\,\,\!\!\left( n \right) \). If on the other hand the sample is from Y, then they will differ only with probability less than \(\epsilon (\ell (n),n)\). This concludes the proof of Lemma 10, subject to proving the claims.

It now remains to prove Claims 11 and 12. The proof of the first property is relatively straightforward, while the proof of the second property contains the technical key arguments that we discussed above.


Proof (Claim 11). To prove the claim, we will argue that the following equalities hold:

Equation 3 is simply a restatement of the claim. Given that s is uniformly and independently distributed, s and \(x_0\oplus s\) are distributed identically, and therefore Eq. 4 also holds. Finally, Eq. 4 simply checks whether an obfuscated circuit disagrees with the original circuit on a uniformly chosen input. By the definition of correctness, this happens with probability at most \(\epsilon (\ell (n),n)\), yielding Eq. 5 and concluding the proof.


Proof (Claim 12). Let \(x_\varPsi \) denote the accepting assignment of \(\varPsi \). We first define the following game

and observe that

We will now bound this probability using a series of game hops. To specify the game hops, we need to specify an additional circuit \(\mathsf {C}_{\textsf {punct}}[k^*,x_0,b](x)\), which is parametrized by a punctured PRF key \(k^*\), an input \(x_0\), and a bit b.

Note that \(\mathsf {Game}_2\) is a re-write of \(\mathsf {Game}_1\) by making \(X[\varPsi ]\) explicit.

We will first bound the differences between each pair of consecutive games and then prove a bound for \({\text {Pr}}\left[ \mathsf {Game}_6(n)=1\right] \).

Hop from \(\mathsf {Game}_1\) to \(\mathsf {Game}_2\). The changes between the two games are purely syntactic, i.e., the definition of the sampling process from \(X[\varPsi ]\) is explicitly written out in \(\mathsf {Game}_2\). Therefore, the two games are perfectly equivalent, and it holds that
$$\begin{aligned} {\text {Pr}}\left[ \mathsf {Game}_1(n) =1\right] = {\text {Pr}}\left[ \mathsf {Game}_2(n) =1\right] . \end{aligned}$$
Hop from \(\mathsf {Game}_2\) to \(\mathsf {Game}_3\). Here it is critical to observe that \(\mathsf {C}_X[k,s,\varPsi ]\) and \(\mathsf {C}_{\textsf {punct}}[k^*,x_0,b]\) are functionally equivalent. Even though the key is punctured on \(x_0=x_\varPsi \oplus s\) in \(\mathsf {C}_{\textsf {punct}}\), this makes no difference, since \(\mathsf {PRF}\) is never invoked on \(x_0\) in the circuit. Instead the circuit outputs the hardcoded value \(b = \mathsf {PRF}(k,x_0)\oplus 1\) on input \(x_0\), which is the same value output by \(\mathsf {C}_X[k,s,\varPsi ]\). Therefore, the two circuits are functionally equivalent and it follows from the statistical security of the obfuscator that the statistical difference between the distributions of \(C'\) in the two games is at most \(\delta (\ell (n),n)\). It follows, that also the distribution of the outputs of \(\mathsf {Game}_2\) and \(\mathsf {Game}_3\) have a statistical distance of at most \(\delta (\ell (n),n)\). I.e.,
$$\begin{aligned} \left|{\text {Pr}}\left[ \mathsf {Game}_3(n) =1\right] - {\text {Pr}}\left[ \mathsf {Game}_2(n) =1\right] \right| \le \delta (\ell (n),n). \end{aligned}$$
Hop from \(\mathsf {Game}_3\) to \(\mathsf {Game}_4\). Since s is no longer known to the obfuscator in \(\mathsf {Game}_3\), \(x_0 := x_\varPsi \oplus s\) is simply a uniformly distributed value. Thus, \(x_0\) is distributed identically in \(\mathsf {Game}_3\) and \(\mathsf {Game}_4\) and it follows that
$$\begin{aligned} {\text {Pr}}\left[ \mathsf {Game}_3(n) =1\right] = {\text {Pr}}\left[ \mathsf {Game}_4(n) =1\right] . \end{aligned}$$
Hop from \(\mathsf {Game}_4\) to \(\mathsf {Game}_5\). Note that \(x_\varPsi \) is no longer required to evaluate \(\mathsf {Game}_4\) and \(\mathsf {Game}_5\). Therefore, the two games can be evaluated efficiently. This allows us to bound the difference between the two games by the security of the puncturable pseudorandom function. To bound the difference between games \(\mathsf {Game}_4(n)\) and \(\mathsf {Game}_5(n)\), we construct a distinguisher \((\mathcal {A}_1,\mathcal {A}_2)\) with advantage
$$ \tfrac{1}{2}\cdot \left|{\text {Pr}}\left[ \mathsf {Game}_4(n) =1\right] - {\text {Pr}}\left[ \mathsf {Game}_5(n) =1\right] \right| $$
against the puncturable PRF as follows:
Observe that in the case where \(\mathcal {A}_2\) receives the PRF value, it holds that
$$\begin{aligned} {\text {Pr}}_{k,r_1,t,r_2}\left[ \mathcal {A}_2(\mathsf {st}, \mathsf {k}^*, x_0, \mathsf {PRF}(k,x_0);r_2) = 1\right] = {\text {Pr}}\left[ \mathsf {Game}_5(n)=1\right] . \end{aligned}$$
If, on the other hand, \(\mathcal {A}_2\) receives a bit b chosen uniformly at random, then b equals \(\mathsf {PRF}(k,x_0)\) or \(\mathsf {PRF}(k,x_0)\oplus 1\) with probability \(\tfrac{1}{2}\) each, and it holds that
$$\begin{aligned} {\text {Pr}}_{k,b,r_1,t,r_2}\left[ \mathcal {A}_2(\mathsf {st}, \mathsf {k}^*, x_0, b;r_2) = 1\right] = \frac{1}{2}{\text {Pr}}\left[ \mathsf {Game}_4(n)=1\right] +\frac{1}{2}{\text {Pr}}\left[ \mathsf {Game}_5(n)=1\right] \end{aligned}$$
By security of the puncturable PRF, it must hold that
$$\begin{aligned} \Big\vert {\text {Pr}}_{k,r_1,t,r_2}\left[ \mathcal {A}_2(\mathsf {st}, \mathsf {k}^*, x_0, \mathsf {PRF}(k,x_0);r_2) = 1\right] - {\text {Pr}}_{k,b,r_1,t,r_2}\left[ \mathcal {A}_2(\mathsf {st},\mathsf {k}^*,x_0,b;r_2)=1\right] \Big\vert \le \mathsf {negl}\left( n \right) . \end{aligned}$$
Combining this with Eqs. 9 and 10 yields
$$\begin{aligned}&\left|{\text {Pr}}\left[ \mathsf {Game}_5(n)=1\right] - \frac{1}{2}{\text {Pr}}\left[ \mathsf {Game}_4(n)=1\right] -\frac{1}{2}{\text {Pr}}\left[ \mathsf {Game}_5(n)=1\right] \right| \le \mathsf {negl}\,\,\!\!\left( n \right) \nonumber \\ \implies&\frac{1}{2}\left|{\text {Pr}}\left[ \mathsf {Game}_5(n)=1\right] -{\text {Pr}}\left[ \mathsf {Game}_4(n)=1\right] \right| \le \mathsf {negl}\,\,\!\!\left( n \right) \nonumber \\ \implies&\left|{\text {Pr}}\left[ \mathsf {Game}_5(n)=1\right] -{\text {Pr}}\left[ \mathsf {Game}_4(n)=1\right] \right| \le 2\mathsf {negl}\,\,\!\!\left( n \right) . \end{aligned}$$
Hop from \(\mathsf {Game}_5\) to \(\mathsf {Game}_6\). Here it is critical to observe that \(\mathsf {C}_{\textsf {punct}}[k^*,x_0,b]\) and \(\mathsf {C}_{\textsf {prf}}[k]\) are functionally equivalent. Even though the key is punctured on \(x_0\) in \(\mathsf {C}_{\textsf {punct}}\), this makes no difference, since \(\mathsf {PRF}\) is never invoked on \(x_0\) in the circuit. Instead the circuit outputs the hardcoded value \(b = \mathsf {PRF}(k,x_0)\) on input \(x_0\). Therefore, the two circuits are functionally equivalent and it follows from the statistical security of the obfuscator that the statistical difference between the distributions of \(C'\) in the two games is at most \(\delta (\ell (n),n)\). It follows, that also the distribution of the outputs of \(\mathsf {Game}_5\) and \(\mathsf {Game}_6\) have a statistical distance of at most \(\delta (\ell (n),n)\). I.e.,
$$\begin{aligned} \left|{\text {Pr}}\left[ \mathsf {Game}_5(n) =1\right] - {\text {Pr}}\left[ \mathsf {Game}_6(n) =1\right] \right| \le \delta (\ell (n),n). \end{aligned}$$
It remains to bound the probability \({\text {Pr}}\left[ \mathsf {Game}_6(n)=1\right] \). Observe that \(x_0\) is a uniformly chosen input unknown to the obfuscator. Further, \(\mathsf {Game}_6(n)\) simply checks whether the obfuscated circuit \(C'\) outputs the correct value of the original circuit on \(x_0\). Therefore, the correctness of the obfuscator implies that
$$\begin{aligned} {\text {Pr}}\left[ \mathsf {Game}_6(n) =1\right] \ge 1- \epsilon (\ell (n),n). \end{aligned}$$
Finally, combining Eq. 13 with Eqs. 6 through 12, we get
$$\begin{aligned}&{\text {Pr}}\left[ \mathsf {Game}_1(n)=1\right] \\ \ge&{\text {Pr}}\left[ \mathsf {Game}_6(n) =1\right] - \left|{\text {Pr}}\left[ \mathsf {Game}_1(n)=1\right] - {\text {Pr}}\left[ \mathsf {Game}_6(n)=1\right] \right|\\ \ge&1 - \epsilon (\ell (n),n) - 2\delta (\ell (n),n) - 2\mathsf {negl}\,\,\!\!\left( n \right) \end{aligned}$$
thus concluding the proof of Claim 12 and Theorem 4.
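The two functional-equivalence observations (hops \(\mathsf {Game}_2\) to \(\mathsf {Game}_3\) and \(\mathsf {Game}_5\) to \(\mathsf {Game}_6\)) and Claim 9 can be replayed concretely. The following is an added example, not code from the paper: it assumes a toy GGM puncturable PRF with SHA-256 standing in for the length-doubling PRG, and it reconstructs the circuit as \(\mathsf {C}_X[k,s,\varPsi ](x) = \mathsf {PRF}(k,x)\oplus \varPsi (x\oplus s)\), which is what the hardcoded value \(b = \mathsf {PRF}(k,x_0)\oplus 1\) at \(x_0 = x_\varPsi \oplus s\) in the proof implies; the obfuscator itself is left out, since functional equivalence is a property of the plain circuits.

```python
import hashlib
import random

# Added example, not the paper's code. SHA-256 stands in for the length-doubling
# PRG of the GGM tree (an assumption for illustration only), and the circuit
# C_X[k,s,Psi](x) = PRF(k,x) XOR Psi(x XOR s) is reconstructed from the proof.


def prg(seed: bytes):
    """Length-doubling PRG stand-in: (left child seed, right child seed)."""
    return (hashlib.sha256(seed + b"\x00").digest(),
            hashlib.sha256(seed + b"\x01").digest())


def bits(x: int, n: int):
    """Most-significant-first bit list of the n-bit input x."""
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]


def prf(k: bytes, x: int, n: int) -> int:
    """GGM PRF with one-bit output: walk the tree along x, output a leaf bit."""
    node = k
    for b in bits(x, n):
        node = prg(node)[b]
    return node[0] & 1


def puncture(k: bytes, x0: int, n: int) -> dict:
    """Punctured key k*: the sibling seed of each node on the path to x0.
    The path itself is dropped, so no seed leading to the leaf x0 is in k*."""
    siblings, node = [], k
    for b in bits(x0, n):
        children = prg(node)
        siblings.append(children[1 - b])
        node = children[b]
    return {"n": n, "x0": x0, "siblings": siblings}


def prf_punctured(kstar: dict, x: int) -> int:
    """Evaluate from k*; by design this is impossible only for x == x0."""
    n = kstar["n"]
    xb, x0b = bits(x, n), bits(kstar["x0"], n)
    for i in range(n):
        if xb[i] != x0b[i]:
            node = kstar["siblings"][i]  # where x leaves the path to x0
            for b in xb[i + 1:]:
                node = prg(node)[b]
            return node[0] & 1
    raise ValueError("punctured key carries no information about PRF(k, x0)")


def functionality_preserved(k: bytes, kstar: dict, n: int) -> bool:
    """First property of Definition 5: PRF(k*, x) == PRF(k, x) for all x != x0."""
    return all(prf_punctured(kstar, x) == prf(k, x, n)
               for x in range(2 ** n) if x != kstar["x0"])


def cnf(clauses):
    """CNF formula Psi as a clause list; literal +i / -i is variable i / its negation."""
    def psi(x: int, n: int) -> int:
        xb = bits(x, n)
        return int(all(any((xb[abs(l) - 1] == 1) == (l > 0) for l in clause)
                       for clause in clauses))
    return psi


# The circuits compared in the hops Game_2 -> Game_3 and Game_5 -> Game_6.
def c_x(k, s, psi, n):
    return lambda x: prf(k, x, n) ^ psi(x ^ s, n)


def c_prf(k, n):
    return lambda x: prf(k, x, n)


def c_punct(kstar, x0, b):
    return lambda x: b if x == x0 else prf_punctured(kstar, x)


def functionally_equal(c1, c2, n) -> bool:
    """Exhaustive comparison on all 2^n inputs (fine for the toy parameters)."""
    return all(c1(x) == c2(x) for x in range(2 ** n))


def check_hops(n: int = 4):
    """Replay the functional-equivalence observations of Claim 9 and of the two
    obfuscator hops in Claim 12 on constructed formulas; returns three booleans."""
    rng = random.Random(2016)  # constructed, fixed seed for reproducibility
    k = bytes(rng.getrandbits(8) for _ in range(16))
    s = rng.randrange(2 ** n)
    unsat = cnf([[1], [-1]])            # x1 AND NOT x1: in UNSAT
    usat = cnf([[1], [-2], [3], [-4]])  # unique model x_Psi = 1010: in USAT
    x_psi = 0b1010
    # Claim 9: for Psi in UNSAT, C_X[k,s,Psi] and C_prf[k] compute the same function.
    claim9 = functionally_equal(c_x(k, s, unsat, n), c_prf(k, n), n)
    # Game_2 -> Game_3: puncture at x0 = x_Psi XOR s and hardcode b = PRF(k,x0) XOR 1.
    x0 = x_psi ^ s
    kstar = puncture(k, x0, n)
    hop23 = functionally_equal(c_x(k, s, usat, n),
                               c_punct(kstar, x0, prf(k, x0, n) ^ 1), n)
    # Game_5 -> Game_6: with b = PRF(k,x0) the punctured circuit equals C_prf[k].
    hop56 = functionally_equal(c_punct(kstar, x0, prf(k, x0, n)), c_prf(k, n), n)
    return claim9, hop23, hop56
```

Calling `check_hops()` returns `(True, True, True)`; the hop from \(\mathsf {Game}_4\) to \(\mathsf {Game}_5\) is not replayed, since it rests on PRF security rather than on a checkable equivalence.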


  1. Note that our result is only a “stronger” result in a moral sense, but not in a formal sense. While the non-existence of one-way functions would allow us to build a reduction from public-key encryption to symmetric-key encryption (as in this case, both do not exist), it is not known that \(\mathcal {NP}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) implies that we can build a public-key encryption scheme from a one-way function.

  2. In fact, by applying [27] we get that \(\mathcal {BPP}^\mathcal {SZK}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\), which is almost what we need. However, it is only known that \(\mathsf {GapSD}\in \mathcal {SZK}\) under a somewhat weaker definition of the \(\mathsf {GapSD}\) problem.



We are grateful to Andrej Bogdanov, Kai-Min Chung, Siyao Guo, Markulf Kohlweiss, Arno Mittelbach and Vinod Vaikuntanathan for helpful discussions. In particular, Andrej and Vinod pointed out that PAC-learnability implies approximate obfuscation and that, since CNF formulae are PAC-learnable, impossibility results for saiO therefore need to obfuscate more complex functions than CNF formulae. The discussions with Vinod at the Mathematisches Forschungsinstitut Oberwolfach (MFO) inspired the idea of embedding a formula into a PRF. Vinod also suggested that in the absence of one-way functions, there exists a perfectly secure variant of obfuscation where the correctness is on average over the circuit distribution, the input and the obfuscator.

References

  1. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)
  2. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)
  3. Bitansky, N., Paneth, O.: On the impossibility of approximate obfuscation and applications to resettable cryptography. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, Palo Alto, CA, USA, 1–4 June 2013, pp. 241–250. ACM Press (2013)
  4. Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation: from approximate to exact. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016-A. LNCS, vol. 9562, pp. 67–95. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49096-9_4
  5. Bogdanov, A., Lee, C.H.: Limits of provable security for homomorphic encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 111–128. Springer, Heidelberg (2013)
  6. Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013)
  7. Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014)
  8. Canetti, R., Kalai, Y.T., Paneth, O.: On obfuscation with random oracles. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 456–467. Springer, Heidelberg (2015)
  9. Diffie, W., Hellman, M.E.: Multiuser cryptographic techniques. In: American Federation of Information Processing Societies, 1976 National Computer Conference. AFIPS Conference Proceedings, New York, NY, USA, 7–10 June 1976, vol. 45, pp. 109–112. AFIPS Press (1976)
  10. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual Symposium on Foundations of Computer Science, Berkeley, CA, USA, 26–29 October 2013, pp. 40–49. IEEE Computer Society Press (2013)
  11. Goldreich, O.: Computational Complexity - A Conceptual Perspective. Cambridge University Press, Cambridge (2008)
  12. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: 25th Annual Symposium on Foundations of Computer Science, Singer Island, Florida, 24–26 October 1984, pp. 464–479. IEEE Computer Society Press (1984)
  13. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
  14. Goldwasser, S., Rothblum, G.N.: On best-possible obfuscation. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 194–213. Springer, Heidelberg (2007)
  15. Goldwasser, S., Rothblum, G.N.: On best-possible obfuscation. J. Cryptology 27(3), 480–505 (2014)
  16. Hada, S., Sakurai, K.: A note on the (im)possibility of using obfuscators to transform private-key encryption into public-key encryption. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds.) IWSEC 2007. LNCS, vol. 4752, pp. 1–12. Springer, Heidelberg (2007)
  17. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
  18. Holenstein, T.: Strengthening Key Agreement Using Hard-Core Sets. Ph.D. thesis, ETH Zurich (2006)
  19. Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography (extended abstract). In: 30th Annual Symposium on Foundations of Computer Science, Research Triangle Park, North Carolina, 30 October - 1 November 1989, pp. 230–235. IEEE Computer Society Press (1989)
  20. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: 21st Annual ACM Symposium on Theory of Computing, Seattle, Washington, USA, 15–17 May 1989, pp. 44–61. ACM Press (1989)
  21. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 8–26. Springer, Heidelberg (1990)
  22. Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 13, 20th Conference on Computer and Communications Security, Berlin, Germany, 4–8 November 2013, pp. 669–684. ACM Press (2013)
  23. Komargodski, I., Moran, T., Naor, M., Pass, R., Rosen, A., Yogev, E.: One-way functions and (im)perfect obfuscation. In: 55th Annual Symposium on Foundations of Computer Science, Philadelphia, PA, USA, 18–21 October 2014, pp. 374–383. IEEE Computer Society Press (2014)
  24. Lin, H., Pass, R., Seth, K., Telang, S.: Output-compressing randomized encodings and applications. Cryptology ePrint Archive, Report 2015/720 (2015)
  25. Mahmoody, M., Mohammed, A., Nematihaji, S.: On the impossibility of virtual black-box obfuscation in idealized models. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016-A. LNCS, vol. 9562, pp. 18–48. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49096-9_2
  26. Mahmoody, M., Mohammed, A., Nematihaji, S., Pass, R., Shelat, A.: Lower bounds on assumptions behind indistinguishability obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016-A. LNCS, vol. 9562, pp. 49–66. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49096-9_3
  27. Mahmoody, M., Xiao, D.: On the power of randomized reductions and the checkability of SAT. In: Proceedings of the 25th Annual IEEE Conference on Computational Complexity, CCC 2010, Cambridge, Massachusetts, 9–12 June 2010, pp. 64–75. IEEE Computer Society (2010)
  28. Pass, R., Shelat, A.: Impossibility of VBB obfuscation with ideal constant-degree graded encodings. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016-A. LNCS, vol. 9562, pp. 3–17. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49096-9_1
  29. Sahai, A., Vadhan, S.P.: A complete promise problem for statistical zero-knowledge. In: 38th Annual Symposium on Foundations of Computer Science, Miami Beach, Florida, 19–22 October 1997, pp. 448–457. IEEE Computer Society Press (1997)
  30. 30.
    Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th Annual ACM Symposium on Theory of Computing, New York, NY, USA, 31 May - 3 June 2014, pp. 475–484. ACM Press (2014)Google Scholar
  31. 31.
    Leslie, G.: Valiant.: a theory of the learnable. Commun. ACM 27(11), 1134–1142 (1984)CrossRefGoogle Scholar
  32. 32.
    Valiant, L.G., Vazirani, V.V.: NP is as easy as detecting unique solutions. In: Sedgewick, R. (ed.) 17th Annual ACM Symposium on Theory of Computing, Providence, Rhode Island, USA, 6–8 May 1985, pp. 458–463. ACM Press (1985)Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Zvika Brakerski (1)
  • Christina Brzuska (2)
  • Nils Fleischhacker (3, corresponding author)

  1. Weizmann Institute of Science, Rehovot, Israel
  2. Technical University of Hamburg, Hamburg, Germany
  3. CISPA, Saarland University, Saarbrücken, Germany