On Statistically Secure Obfuscation with Approximate Correctness
Abstract
Goldwasser and Rothblum (TCC ’07) prove that statistical indistinguishability obfuscation (iO) cannot exist if the obfuscator must maintain perfect correctness (under a widely believed complexity-theoretic assumption: \(\mathcal {NP}\not \subseteq \mathcal {SZK}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\)). However, for many applications of iO, such as constructing public-key encryption from one-way functions (one of the main open problems in theoretical cryptography), approximate correctness is sufficient. It had been unknown thus far whether statistical approximate iO (saiO) can exist.
We show that saiO does not exist, even for a minimal correctness requirement, if \(\mathcal {NP}\not \subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) and one-way functions exist. A simple complementary observation shows that if one-way functions do not exist, then average-case saiO exists. Technically, previous approaches relied on the behavior of the obfuscator on evasive functions, for which saiO always exists. We overcome this barrier by using a PRF as a “baseline” for the obfuscated program.
We broaden our study and consider relaxed notions of security for iO. We introduce the notion of correlation obfuscation, where the obfuscations of equivalent circuits only need to be mildly correlated (rather than statistically indistinguishable). Perhaps surprisingly, we show that correlation obfuscators exist via a trivial construction for some parameter regimes, whereas our impossibility result extends to other regimes. Interestingly, within the gap between the parameter regimes that we show possible and impossible, there is a small fraction of parameters that still allows building public-key encryption from one-way functions and thus deserves further investigation.
1 Introduction
Constructing public-key cryptography (e.g. public-key encryption) from private-key cryptography (such as one-way functions) is one of the most fundamental questions in theoretical cryptography, going back to the seminal paper of Diffie and Hellman [9]. Diffie and Hellman suggested that program obfuscators with sufficiently strong security properties would allow one to realize this transformation. A program obfuscator is a compiler that takes as input a program and outputs another program with equivalent functionality, but which is harder to reverse engineer. Diffie and Hellman suggested obfuscating the encryption circuit of a symmetric-key encryption scheme and using the obfuscated program as a public key, so as to obtain a public-key encryption scheme. An additional hint that obfuscation may be instrumental in solving this riddle was provided by Impagliazzo and Rudich [20, 21], who proved that a transformation from symmetric-key to public-key encryption must make non-black-box use of the underlying symmetric primitive. Indeed, program obfuscation is one of very few non-black-box techniques known in cryptography.
Modern research showed that the Diffie-Hellman transformation requires obfuscators with security guarantees that do not exist in general [1, 2, 16]. However, recent years have seen an incredibly prolific study of weak notions of obfuscation, following the introduction of a candidate indistinguishability obfuscator (iO) by Garg et al. [10]. The security guarantee of iO is that obfuscating two functionally equivalent circuits results in indistinguishable output distributions; that is, reverse engineering cannot detect which of two equivalent implementations was the source of the obfuscated program. Sahai and Waters [30] showed that even this seemingly weak notion suffices for the private-key to public-key transformation (via a clever construction that does not resemble the Diffie-Hellman suggestion).
One would have hoped that a weak notion such as iO may be realizable with statistical security, i.e. that reverse engineering (to the limited extent required by iO) is impossible even for an attacker with unlimited computational power. The existence of such a statistical indistinguishability obfuscator (siO) would resolve the question of constructing public-key cryptography from one-way functions, and would also allow constructing one-way functions based on the hardness of \(\mathcal {NP}\) [23]. Alas, Goldwasser and Rothblum [14, 15] proved that siO cannot exist unless the polynomial hierarchy collapses (in particular, it implies \(\mathcal {NP}\subseteq \mathcal {SZK}\), and it is known that \(\mathcal {SZK}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\)), which is considered quite unlikely in computational complexity, and at any rate far beyond the current understanding of complexity theory. This seems to put a damper on our hopes of achieving statistically secure obfuscation.
However, the [14, 15] negative result crucially relies on the correctness of the obfuscator. That is, it only rules out obfuscators that perfectly preserve the functionality of the underlying primitive (at least with high probability over the coins of the obfuscator). In contrast, the symmetric-key to public-key transformation can be made to work with only approximate correctness, i.e. a non-negligible correlation between the functionality of the input circuit and that of the output circuit (where the probability is taken over the randomness of the obfuscator and the input domain). The question of whether statistical approximate iO (saiO) exists was therefore the new destination in the quest for understanding obfuscation. Interestingly, it turns out that ruling out computational notions of iO in some idealized models also boils down to the question of whether saiO exists (see Sect. 1.2 below). The study of this notion is the objective of this paper.
Our Results. We show that statistical approximate iO (saiO) does not exist if one-way functions exist (under the assumption that \(\mathcal {NP}\not \subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\)). Thus, in particular, saiO cannot be used for the transformation from symmetric-key to public-key cryptography. We show that if one-way functions exist, then any non-negligible correlation between the output of the obfuscator and the input program would imply an \(\mathcal {SZK}\) algorithm for unique SAT (USAT). As SAT reduces to USAT via a randomized reduction [32], a result of Mahmoody and Xiao [27] shows that this implies that SAT is in \(\mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).
To complement our result, we observe that if one-way functions do not exist, then an average-case notion of saiO exists for any distribution. Specifically, for any efficiently samplable distribution over circuits, there exists an saiO obfuscator whose correctness holds with high probability over the circuits in that distribution (inverting the order of quantifiers would yield a worst-case saiO).
A Study of Correlation Obfuscation. Our impossibility result extends beyond the case of saiO. In fact, it applies even when the security of the obfuscator is approximate, namely when we are only guaranteed that obfuscating functionally equivalent circuits results in distributions that have mild statistical distance (as opposed to negligible). This motivated us to explore the properties of this new kind of obfuscator, which as far as we know has not been studied in the literature before.
We consider statistically secure approximate correlation obfuscation, sacO. A sacO obfuscator is characterized by two parameters \(\epsilon \in [0,1/2)\) and \(\delta \in [0,1)\). The requirement is that correctness holds with probability \(1-\epsilon \) (with respect to the randomness of the obfuscator and a random choice of input), and that obfuscating two functionally equivalent circuits results in distributions with statistical distance at most \(\delta \). The case of negligible \(\delta \) is exactly saiO, discussed above, and the case of \(\epsilon =0\) corresponds to perfect correctness.
We observe that our impossibility result degrades gracefully and holds so long as \(2\epsilon +3\delta < 1\). We found this state of affairs unsatisfactory, and tried to extend the result to hold for the entire parameter range. However, it turns out that sacO exists via an almost trivial construction whenever \(2\epsilon +\delta > 1\) (e.g. \(\epsilon =\delta =0.4\)). We do not know if sacO exists in the intermediate parameter regime.
1.1 Our Techniques
Our starting point is the Goldwasser-Rothblum impossibility result. Consider a statistical iO obfuscator such that for any pair of functionally equivalent circuits the obfuscator generates statistically indistinguishable distributions, and in addition the output circuit of the obfuscator is always functionally equivalent to the input circuit (this can be relaxed to hold only with high probability over the random coins of the obfuscator). Goldwasser and Rothblum observe that an unsatisfiable SAT formula \(\varPsi \) is functionally equivalent to the all-zero function \(\mathbf {0}\), and therefore the distributions produced by an siO obfuscator in both cases should be statistically indistinguishable. Slightly more formally, let X[C] denote the distribution output by the obfuscator on input circuit C; then we get that \(X[\varPsi ] \equiv X[\mathbf {0}]\), where \(\equiv \) denotes statistical indistinguishability. On the contrary, if \(\varPsi \) is a satisfiable formula, then it has a different functionality than \(\mathbf {0}\), and therefore the supports of \(X[\varPsi ]\) and \(X[\mathbf {0}]\) are disjoint (and thus obviously not statistically indistinguishable). It follows that in order to solve SAT, it suffices to tell whether \(X[\varPsi ]\) is close to \(X[\mathbf {0}]\). As we know from Sahai and Vadhan [29], there is an \(\mathcal {SZK}\) protocol that takes two polynomial-time samplers and decides whether they sample from distributions that are \(\epsilon _1\)-statistically close or \(\epsilon _2\)-statistically far, so long as \(\epsilon _2-\epsilon _1\) is a noticeable function. The conclusion is that an siO obfuscator implies an \(\mathcal {SZK}\) protocol for SAT, which in turn implies that \(\mathcal {NP}\subseteq \mathcal {SZK}\).
To sum up the core argument: to show that an siO obfuscator does not exist unless \(\mathcal {NP}\subseteq \mathcal {SZK}\), Goldwasser and Rothblum built the formula-indexed distribution \(X[\varPsi ]\) that samples an siO obfuscation of \(\varPsi \) and has the properties that (i) it is efficiently samplable, (ii) if \(\varPsi \) is not satisfiable, then \(X[\varPsi ]\) and \(X[\mathbf {0}]\) are close, while (iii) if \(\varPsi \) is satisfiable, then \(X[\varPsi ]\) and \(X[\mathbf {0}]\) are far.
Allowing the obfuscator to have approximate correctness thwarts this approach completely. Hard SAT instances are obviously ones where the density of accepting inputs is sub-polynomial, since otherwise random sampling would yield a satisfying assignment with non-negligible probability. Therefore a satisfiable and an unsatisfiable SAT formula will have almost identical functionality. One could consider an saiO obfuscator that, on any SAT formula that is not trivially satisfiable, simply produces an obfuscation of \(\mathbf {0}\). This means that \(X[\varPsi ]\) will have the same distribution whether \(\varPsi \) is satisfiable or not, and thus property (iii) is no longer satisfied.
In order to overcome this issue, we construct a different distribution on formula-indexed circuits \(C_X[k,\varPsi ]\) (where k is a uniformly random key) such that if \(\varPsi \) is not satisfiable, then \(C_X[k,\varPsi ]\) and \(C_X[k,\mathbf {0}]\) have the same functionality, and if \(\varPsi \) is satisfiable, then \(C_X[k,\varPsi ]\) and \(C_X[k,\mathbf {0}]\) differ on a single point. Then, assuming one-way functions exist, we show that, although these two circuits differ on a single point only, the saiO obfuscation of \(C_X[k,\varPsi ]\) has to produce a distribution that is statistically far from the saiO obfuscation of \(C_X[k,\mathbf {0}]\). To do this, we rely on the fact that the obfuscator itself is computationally efficient, and therefore it cannot break the hardness of one-way functions and derived cryptographic objects such as pseudorandom functions (PRFs) or puncturable PRFs (see below). This way, we construct a new formula-indexed distribution \(X[\varPsi ]\) that satisfies properties (i), (ii) and (iii) as discussed above.
Puncturable PRFs were introduced simultaneously in [6, 7, 22] and were utilized as an essential building block for the applications of indistinguishability obfuscation in [30]. A standard PRF is a function that can be efficiently computed using a key k, but is indistinguishable from a random function given oracle access. A puncturable PRF is a PRF where one can generate a punctured key \(k\{x_0\}\) which allows computing the PRF at all points except \(x_0\), while the value at \(x_0\) remains indistinguishable from uniform even given the punctured key. Puncturable PRFs can be constructed from any one-way function.
Based on a puncturable PRF and an saiO obfuscator \(\mathsf {O}\), we now construct a distribution on pairs of circuits (for now not indexed by a formula) such that the two circuits differ on a single point only, and yet an saiO obfuscator will produce distributions that are far. Let k be a key for a puncturable PRF, let \(x_0\) be a random point in the domain, let \(k\{x_0\}\) be a key punctured at \(x_0\), and consider the function \(f_{k\{x_0\},y}\) that outputs \(\mathsf {PRF}(k\{x_0\},x)=\mathsf {PRF}(k,x)\) for all \(x \ne x_0\) and outputs y on input \(x_0\). Then by definition \(f_{k\{x_0\},y}\) for a random y and \(f_{k\{x_0\},y_0}=\mathsf {PRF}(k,\cdot )\) for \(y_0=\mathsf {PRF}(k,x_0)\) are identical in functionality except possibly at the point \(x_0\). However, using puncturing, we can guarantee that the distributions \(\mathsf {O}(f_{k\{x_0\},y})\) and \(\mathsf {O}(f_{k\{x_0\},y_0})\), where \(k, x_0, y\) are chosen uniformly at random, are statistically far. To see this, it is enough to show that \(\mathsf {O}(f_{k\{x_0\},y})\) and \(\mathsf {O}(\mathsf {PRF}(k,\cdot ))\) are statistically far, since \(f_{k\{x_0\},y_0}=\mathsf {PRF}(k,\cdot )\) and thus \(\mathsf {O}(f_{k\{x_0\},y_0}) \equiv \mathsf {O}(\mathsf {PRF}(k,\cdot ))\). Consider the predicate that checks whether \(\mathsf {O}(\mathsf {PRF}(k,\cdot ))(x_0)=\mathsf {PRF}(k,x_0)\). By approximate correctness this predicate holds with non-negligible bias, and it is efficiently checkable; this implies that \(\mathsf {O}(f_{k\{x_0\},y})(x_0)=f_{k\{x_0\},y}(x_0)\) also holds with noticeable bias, since otherwise we would have an efficient distinguisher between \(f_{k\{x_0\},y}\) and \(f_{k\{x_0\},y_0}=\mathsf {PRF}(k,\cdot )\), in contradiction to the puncturable PRF security.
Finally, since \(y \ne y_0\) with high probability (assume for simplicity that the PRF and the obfuscator have long outputs, and keys of half that size), this implies that \(\mathsf {O}(f_{k\{x_0\},y})\) and \(\mathsf {O}(f_{k\{x_0\},y_0})\) have noticeable statistical distance: each puts noticeable probability mass on circuits that respect its own functionality on \(x_0\), and when \(y \ne y_0\) no circuit can respect both. Note that we used a computational argument, the security of punctured PRFs, to derive a statistical statement about the output distribution of the obfuscator.
We would like to use the aforementioned distributions to distinguish between satisfiable and unsatisfiable formulae. Let us restrict our attention to UniqueSAT formulae, which are either unsatisfiable or have exactly one satisfying assignment. UniqueSAT is known to be \(\mathcal {NP}\)-hard via a randomized reduction [32], and a result of Mahmoody and Xiao [27] shows that if \(\mathsf {UniqueSAT}\) is in \(\mathcal {SZK}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\), then \(\mathsf {SAT}\) is in \(\mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) (see Sect. 2.1).
Let \(\varPsi \) be a formula with at most one satisfying assignment. One can randomize the satisfying assignment (if it exists) to be uniformly distributed over the input space (e.g. by XORing all variables with a random string). Now, consider the function \(f_{k,y,\varPsi }\) defined such that \(f_{k,y,\varPsi }(x)=\mathsf {PRF}(k,x)\) if x does not satisfy \(\varPsi \), and \(f_{k,y,\varPsi }(x)=y\) otherwise. By definition, if \(\varPsi \) is unsatisfiable then \(f_{k,y,\varPsi }=\mathsf {PRF}(k,\cdot )\), and if \(\varPsi \) is satisfied by some \(x_0\) (which is uniformly distributed) then \(f_{k,y,\varPsi }=f_{k\{x_0\}, y}\). Therefore \(\mathsf {O}(f_{k,y,\varPsi })\) is guaranteed to be at noticeable statistical distance between the case where \(\varPsi \) is unsatisfiable (in which case it is close to \(\mathsf {O}(f_{k,y,\mathbf {0}})\)) and the case where it is uniquely satisfiable (in which case it is far from \(\mathsf {O}(f_{k,y,\mathbf {0}})\)). This will allow us to produce an \(\mathcal {SZK}\) protocol to distinguish the two possibilities.
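The building block of this argument, as an added worked example written for this page (not code from the paper): the GGM tree construction of a puncturable PRF, with the length-doubling PRG instantiated from SHA-256 (an assumption made for the demo; the paper only needs that puncturable PRFs follow from one-way functions), the punctured key \(k\{x_0\}\) as the siblings of the root-to-\(x_0\) path, and the circuit \(f_{k\{x_0\},y}\). The punctured evaluation agrees with \(\mathsf{PRF}(k,\cdot)\) everywhere except at \(x_0\), where the punctured key holds no information at all, which is what lets the obfuscator's behavior at \(x_0\) be compared against \(y_0=\mathsf{PRF}(k,x_0)\). The 8-bit domain is a toy parameter.

```python
import hashlib
from typing import Callable, Dict, Set, Tuple

N_BITS = 8            # toy input length; the paper's domain is {0,1}^n for the security parameter n
Path = Tuple[int, ...]
PuncturedKey = Dict[Path, bytes]


def prg(seed: bytes) -> Tuple[bytes, bytes]:
    """Length-doubling PRG G(s) = (G_0(s), G_1(s)); SHA-256 stands in for a real PRG (assumption)."""
    return (hashlib.sha256(seed + b"\x00").digest(),
            hashlib.sha256(seed + b"\x01").digest())


def bits(x: int) -> Path:
    """Input x in {0,1}^N_BITS as a tuple of bits, most significant bit first."""
    return tuple((x >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS))


def prf(k: bytes, x: int) -> bytes:
    """GGM PRF: descend the binary tree from the root seed k, taking child G_b for each input bit b."""
    node = k
    for b in bits(x):
        node = prg(node)[b]
    return node


def puncture(k: bytes, x0: int) -> PuncturedKey:
    """Punctured key k{x0}: the sibling of every node on the root-to-x0 path, indexed by the
    sibling's path prefix. No node on the path itself is kept, so the leaf x0 cannot be derived."""
    punctured: PuncturedKey = {}
    node = k
    path = bits(x0)
    for depth, b in enumerate(path):
        left, right = prg(node)
        punctured[path[:depth] + (1 - b,)] = right if b == 0 else left
        node = left if b == 0 else right
    return punctured


def prf_punctured(pk: PuncturedKey, x: int) -> bytes:
    """Evaluate PRF(k, x) from k{x0} alone: the first bit where x leaves the punctured path selects
    a stored sibling, and the remaining bits descend from it. Raises KeyError exactly when x == x0."""
    xb = bits(x)
    for depth in range(N_BITS):
        prefix = xb[:depth + 1]
        if prefix in pk:
            node = pk[prefix]
            for b in xb[depth + 1:]:
                node = prg(node)[b]
            return node
    raise KeyError("x is the punctured point; the punctured key carries no information about it")


def f_punctured(pk: PuncturedKey, x0: int, y: bytes) -> Callable[[int], bytes]:
    """The circuit f_{k{x0},y} of the text: PRF(k, x) computed from k{x0} for x != x0, and y at x0."""
    def f(x: int) -> bytes:
        return y if x == x0 else prf_punctured(pk, x)
    return f


def disagreement_points(k: bytes, pk: PuncturedKey, x0: int, y: bytes) -> Set[int]:
    """Inputs on which f_{k{x0},y} differs from PRF(k, .): empty iff y == y0 = PRF(k, x0), else {x0}."""
    f = f_punctured(pk, x0, y)
    return {x for x in range(2 ** N_BITS) if f(x) != prf(k, x)}
```

The punctured key here is the standard GGM one (N_BITS sibling seeds); the security property the text uses, that \(\mathsf{PRF}(k,x_0)\) is pseudorandom given \(k\{x_0\}\), follows from the PRG and is not something the code can exhibit, only the correctness half (agreement off \(x_0\), no value at \(x_0\)) is checked.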
In a World without OWFs. We recall that if OWFs do not exist then, for any efficiently computable function f and with overwhelming probability over a y sampled from the output distribution of f, it is possible to efficiently sample (almost) uniformly (up to negligible error) from the set \(f^{-1}(y)=\{x: f(x)=y\}\) [19]. Given an efficiently samplable distribution over circuits, we can construct an average-case obfuscator for this family as follows. Let \(\mathsf {sampC}\) be a sampler for this distribution of circuits and consider the function \(f(r,x_1, \ldots , x_m)\), for a large polynomial m, such that \(f(r,x_1, \ldots , x_m) = (x_1, \ldots , x_m, C(x_1), \ldots , C(x_m))\), where \(C=\mathsf {sampC}(r)\).
Now, to obfuscate a circuit C, sample \(x_1, \ldots , x_m\) and compute \(y_i = C(x_i)\). Then sample \((r,x_1, \ldots , x_m)\) from \(f^{-1}(x_1, \ldots , x_m, y_1, \ldots , y_m)\) and finally output \(C'=\mathsf {sampC}(r)\). This is clearly a perfect indistinguishability obfuscator (i.e. two circuits with the same functionality produce identical distributions), since the procedure only uses C as a black box. It is also approximately correct on average, because on average, if two circuits agree on a randomly chosen set of points, then they will have large agreement altogether.
We note that a similar and even simpler argument shows that if all efficiently computable functions are PAC learnable [31], even allowing membership queries, then saiO with perfect indistinguishability exists. This follows immediately from the definition by giving the learner (black-box) access to C and outputting its hypothesis \(C'\) as the output of the obfuscator. In that case OWFs trivially do not exist.
The Landscape of Correlation Obfuscation. Extending our techniques to rule out sacO with \(2\epsilon +3\delta < 1\) follows from carefully analyzing the parameters in the proof outlined above (one gets \(2\epsilon +4\delta < 1\) by straightforward analysis, and the slight improvement comes from properly defining the random variables in the problem). We can show a trivial sacO obfuscator for \(2\epsilon +\delta > 1\) as follows. Given an input circuit C, use random sampling to find the majority value of the truth table of C (if C is approximately balanced, then either value works). Then output the constant function taking the majority value with probability \(2\epsilon \), and output C itself with probability \(1-2\epsilon \). Correctness will hold with probability \(1-\epsilon \), since if C is output then correctness is perfect, and if the constant function is output then correctness is at least approximately 1/2. The statistical distance between the obfuscations of two functionally equivalent circuits is at most \(1-2\epsilon \), i.e. the correlation is at least \(2\epsilon \), since the calculation of the majority value only depends on the truth table. We provide a more formal analysis in Appendix A. It seems that such a trivial obfuscator cannot imply any non-trivial results.
We notice that a sacO obfuscator can be plugged into the Sahai-Waters construction, and would imply weak notions of security and correctness for the resulting public-key encryption scheme. Holenstein [18] shows that, for some parameters, this weak notion can be amplified to standard security and correctness. Plugging in our parameters, we get that roughly when \(\tfrac{1}{2} - 3\epsilon + 2\epsilon ^2 > \delta \), sacO would imply the symmetric-key to public-key transformation using this method. This leaves a small region of parameters where sacO is not known to be impossible, and if it is possible it will imply highly non-trivial results. It is not clear whether other parameter regimes can also be useful, or whether our impossibility can be extended to rule out the entire useful regime. We refer to Fig. 1 again for a visual characterization of the parameter regimes.
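An added exact simulation of the average-case obfuscator just described (example code for this page, not from the paper). The circuit family is a toy sampler of affine functions on two input bits whose randomness carries one unused bit, so that syntactically different descriptions compute the same function; m = 2 points are sampled; and the uniform inverter of [19] is replaced by brute force over the sampler's 4-bit randomness, which is precisely the step that is only efficient when OWFs do not exist. The obfuscator's output distribution is computed exactly with rational arithmetic, so perfect indistinguishability can be checked as dictionary equality and average-case correctness as an exact fraction.

```python
from fractions import Fraction
from itertools import product
from typing import Dict, List, Tuple

N = 2        # inputs to each circuit (toy parameter)
M = 2        # sampled points x_1..x_m; the paper takes m to be a large polynomial
R_BITS = 4   # sampler randomness r = (a1, a2, b, junk)

Inputs = tuple(product((0, 1), repeat=N))        # the input domain {0,1}^N
All_R = tuple(product((0, 1), repeat=R_BITS))     # every r the sampler can be run on

Randomness = Tuple[int, ...]
TruthTable = Tuple[int, ...]
Distribution = Dict[Randomness, Fraction]


def samp_c(r: Randomness) -> TruthTable:
    """Toy sampler sampC(r): the affine function a.x xor b on N=2 bits, returned as a truth table.
    The junk bit is ignored, so distinct r may describe functionally equivalent circuits."""
    a1, a2, b, _junk = r
    return tuple((a1 & x1) ^ (a2 & x2) ^ b for (x1, x2) in Inputs)


def evaluate(r: Randomness, x: Tuple[int, ...]) -> int:
    """C(x) for C = sampC(r)."""
    return samp_c(r)[Inputs.index(x)]


def preimage(xs, ys) -> List[Randomness]:
    """All r with sampC(r)(x_i) = y_i for every i: the r-part of f^{-1}(x_1..x_m, y_1..y_m).
    Brute force stands in for the efficient uniform inverter that exists if OWFs do not [19]."""
    return [r for r in All_R if all(evaluate(r, x) == y for x, y in zip(xs, ys))]


def obfuscation_distribution(r_c: Randomness) -> Distribution:
    """Exact output distribution of the obfuscator on C = sampC(r_c): x_1..x_m uniform,
    y_i = C(x_i), then sampC(r) for r uniform in the preimage set."""
    dist: Distribution = {}
    point_tuples = list(product(Inputs, repeat=M))
    for xs in point_tuples:
        ys = tuple(evaluate(r_c, x) for x in xs)
        pre = preimage(xs, ys)                # never empty: r_c itself is always a preimage
        for r in pre:
            dist[r] = dist.get(r, Fraction(0)) + Fraction(1, len(point_tuples) * len(pre))
    return dist


def agreement(t1: TruthTable, t2: TruthTable) -> Fraction:
    """Fraction of inputs on which two truth tables agree."""
    return Fraction(sum(1 for a, b in zip(t1, t2) if a == b), len(t1))


def correctness(r_c: Randomness) -> Fraction:
    """Pr over the obfuscator's coins and a uniform input x that O(C)(x) = C(x)."""
    table = samp_c(r_c)
    return sum((p * agreement(samp_c(r), table)
                for r, p in obfuscation_distribution(r_c).items()), Fraction(0))


def average_correctness() -> Fraction:
    """Correctness averaged over the sampler's distribution: the average-case guarantee of the text."""
    return sum((correctness(r) for r in All_R), Fraction(0)) / len(All_R)


def perfectly_indistinguishable(r1: Randomness, r2: Randomness) -> bool:
    """Functionally equivalent circuits must get identical output distributions (perfect iO)."""
    return obfuscation_distribution(r1) == obfuscation_distribution(r2)
```

For this family every circuit obtains correctness 23/32: with probability 3/4 the two sampled points are distinct and the preimage holds C and one other affine function agreeing with it on half the domain, and with probability 1/4 the points coincide and three such functions join C. Increasing M shrinks the preimage sets and drives correctness toward 1, which is the "large agreement on average" claim.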
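The trivial sacO construction above, together with the correctness and correlation quantities \(\epsilon\) and \(\delta\), as an added worked example (written for this page, not the paper's code): circuits are modeled as labeled truth tables so that two syntactically different implementations of one function exist, the majority bit is computed exactly rather than estimated by sampling (an assumption that only removes the sampling error from the analysis), and the obfuscator's output distribution is computed exactly with rational arithmetic, so that correctness \(\ge 1-\epsilon\) and statistical distance \(= 1-2\epsilon\) can be checked rather than argued.

```python
from fractions import Fraction
from typing import Dict, Tuple

TruthTable = Tuple[int, ...]
Circuit = Tuple[str, TruthTable]       # (implementation label, truth table over {0,1}^n)
Distribution = Dict[Circuit, Fraction]


def majority_value(table: TruthTable) -> int:
    """Majority bit of the truth table (ties -> 1). The text estimates it by random sampling;
    computing it exactly is an assumption that drops only the sampling error."""
    return 1 if 2 * sum(table) >= len(table) else 0


def trivial_saco(circuit: Circuit, eps: Fraction) -> Distribution:
    """Output distribution of the trivial sacO obfuscator: the constant circuit carrying the
    majority value with probability 2*eps, and the input circuit itself with probability 1 - 2*eps."""
    _, table = circuit
    const: Circuit = ("majority-constant", (majority_value(table),) * len(table))
    dist: Distribution = {const: 2 * eps}
    dist[circuit] = dist.get(circuit, Fraction(0)) + (1 - 2 * eps)
    return dist


def agreement(t1: TruthTable, t2: TruthTable) -> Fraction:
    """Fraction of inputs x on which two truth tables agree."""
    return Fraction(sum(1 for a, b in zip(t1, t2) if a == b), len(t1))


def correctness(circuit: Circuit, dist: Distribution) -> Fraction:
    """Pr over the obfuscator's coins r and a uniform input x that O(C; r)(x) = C(x)."""
    return sum((p * agreement(out[1], circuit[1]) for out, p in dist.items()), Fraction(0))


def statistical_distance(d1: Distribution, d2: Distribution) -> Fraction:
    """SD(O(C_1), O(C_2)) = 1/2 * sum over output circuits of |Pr_d1 - Pr_d2|."""
    keys = set(d1) | set(d2)
    return sum((abs(d1.get(k, Fraction(0)) - d2.get(k, Fraction(0))) for k in keys), Fraction(0)) / 2


def regime(eps: Fraction, delta: Fraction) -> str:
    """Where (eps, delta) falls in the landscape described in the text."""
    if 2 * eps + 3 * delta < 1:
        return "impossible"      # ruled out assuming OWFs and NP not in AM cap coAM
    if 2 * eps + delta > 1:
        return "trivial"         # achieved by trivial_saco
    return "open"
```

Running it on two implementations of the same 8-entry table with five ones and \(\epsilon = 2/5\) gives correctness \(7/10 \ge 3/5\) and statistical distance exactly \(1/5 = 1-2\epsilon\), which is below \(\delta = 2/5\); the only mass the two distributions share is the majority-constant circuit, which is why the construction buys nothing beyond the \(2\epsilon\) correlation.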
1.2 Consequences of Our Result
Our result strengthens previous negative results for proving the existence of iO in several ideal models. Previous works show that a construction of statistically secure (perfectly correct) iO in any of those ideal models implies the existence of saiO in the standard model. Actually, one can generalize these results to also hold for saiO. Combined with our result, we obtain that a construction of iO or saiO in these ideal models implies that \(\mathcal {NP}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) or the non-existence of one-way functions.
This line of research was initiated by Canetti et al. [8], who show that given a VBB obfuscator in the random oracle model, one can remove the random oracle at the cost of relaxing the correctness of the obfuscator. Pass and Shelat [28] show an analogous result for VBB obfuscators in the ideal constant-degree encoding model, and Mahmoody et al. [25] show analogous results for the generic group model and the generic trapdoor permutation model. All these results transform a VBB obfuscator in an oracle world into an approximately correct VBB obfuscator in the standard model. They yield an impossibility result for VBB obfuscation in the ideal models, as approximately correct VBB is known not to exist assuming trapdoor permutations, see [3, 8]. The crucial insight of Mahmoody et al. [26] is that all these oracle removal procedures are actually oblivious to the exact notion of obfuscation. The reason is that all proofs proceed by showing that the oracle-free obfuscation is as secure as the oracle-based obfuscation, i.e., the oracle-free obfuscated circuit can be simulated by an adversary in the oracle world, given the oracle-based obfuscated circuit. Therefore, if one has an iO obfuscator in any of the ideal models, via the oracle removal procedures one obtains an saiO obfuscator in the standard model. Mahmoody et al. [26] conclude that, as an saiO obfuscator in the standard model would resolve the long-standing open problem of building public-key encryption from symmetric-key encryption, it seems very hard to construct such an object. In other words, their result rules out saiO assuming that building public-key encryption from symmetric-key encryption is impossible. Our result strengthens theirs by ruling out saiO based on the accepted complexity postulate that \(\mathcal {NP}\not \subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) and the fundamental assumption of cryptography that one-way functions exist.
Therefore, based on the same assumptions, iO in all aforementioned idealized models cannot exist.
1.3 Open Problems
The main question that we leave open is the set of parameters for sacO that are useful and that are (im)possible. Note that it is desirable to have more positive results not only for sacO, but also for acO, the computational variant of sacO, in the spirit of Bitansky and Vaikuntanathan [4], who give assumption-based transformations from aiO to standard iO. Even if sacO for useful parameters turns out to be impossible, it might still be easier to build acO for useful parameters and then use amplification rather than to build fully secure, fully correct iO directly.
In particular, note that for a certain parameter range of sacO, we do not know of any impossibility results for building sacO in ideal models. The oracle removal procedures that we discuss in Sect. 1.2 maintain security and only weaken correctness. Therefore, a variant of the oracle removal procedures can also be proven for sacO (losing some amount of correctness). As not all useful parameters for sacO are ruled out by our results, one might aim at building sacO in an ideal model for these parameters. Note that one can use our result as a sanity check for any potential oracle construction: if the construction would also work for parameters that we rule out, then it is probably better to pursue a different approach.
Another direction for building useful statistical variants of iO is to relax the computational efficiency of the obfuscator, in which case the distributions \(X[\varPsi ]\) that we considered before are no longer efficiently samplable (condition (i)) and thus the \(\mathcal {SZK}\) argument fails. Interestingly, Lin et al. [24] recently showed that such a notion of iO, which they call XiO, has indeed useful applications to transformations on functional encryption.
2 Preliminaries
We first introduce some general notation. By \(n\in \mathbb {N}\) we denote the security parameter, which is given to all algorithms implicitly in unary representation \(1^n\). By \(\{0,1\}^\ell \) we denote the set of all bit strings of length \(\ell \). For a finite set S, we denote the action of sampling x uniformly at random from S by \(x \leftarrow S\), and denote the cardinality of S by \(|S|\). Algorithms are assumed to be randomized unless otherwise stated. We call an algorithm efficient or \(\mathsf {PPT}\) if it runs in time polynomial in the security parameter. If \(\mathcal {A}\) is randomized, then by \(y \leftarrow \mathcal {A}(x;r)\) we denote that \(\mathcal {A}\) is run on input x with random coins r and produces output y. If no randomness is specified, then we assume that \(\mathcal {A}\) is run with freshly sampled uniform random coins, and write this as \(y \leftarrow \mathcal {A}(x)\). For a circuit C we denote by \(|C|\) the size of the circuit. We say a function \(\mathsf {negl}(n)\) is negligible if for any positive polynomial \(\mathsf {poly}(n)\) there exists an \(N \in \mathbb {N}\) such that for all \(n > N\), \(\mathsf {negl}(n) \le \frac{1}{\mathsf {poly}(n)}\). To define statistically secure variants of obfuscation we will use the following definition of statistical distance.
Definition 1
2.1 Complexity Theory
We refer the reader to Goldreich’s book [11] for a detailed exposition of complexity theory. We now discuss a few objects that are most relevant to our proof. We let \(\mathsf {SAT}\) denote the set of all satisfiable CNF formulae, \(\mathsf {USAT}\) the set of CNF formulae that have exactly one satisfying assignment, and \(\mathsf {UNSAT}\) the set of CNF formulae that have no satisfying assignment. Given a formula \(\varPsi \), deciding whether \(\varPsi \in \mathsf {SAT}\) is an \(\mathcal {NP}\)-complete problem. We recall that a promise problem \(\varPi = (\varPi _\mathsf {Yes},\varPi _\mathsf {No})\) is a pair of disjoint subsets of \(\{0,1\}^*\). Of particular interest to us is the unique SAT (promise) problem \(\mathsf {UniqueSAT}= (\mathsf {USAT}, \mathsf {UNSAT})\). Total problems (a.k.a. languages) are a special case of promise problems, e.g. \((\mathsf {SAT}, \mathsf {UNSAT})\) is exactly the SAT problem. In such a case, it suffices to specify \(\varPi _\mathsf {Yes}\) in order to completely define the problem.
We consider the notion of randomized polynomial time Turing reductions between problems. A promise oracle to a problem \(\varPi =(\varPi _\mathsf {Yes},\varPi _\mathsf {No})\), is one that always answers 1 on inputs in \(\varPi _\mathsf {Yes}\) and always answers 0 on inputs in \(\varPi _\mathsf {No}\), but otherwise can answer arbitrarily, and even inconsistently between calls. We define the class \(\mathcal {BPP}^{\varPi }\) as the class of problems solvable using a probabilistic polynomial time algorithm with access to a \(\varPi \) oracle. In other words, \(\mathcal {BPP}^{\varPi }\) is the class of problems that are reducible to \(\varPi \). One can verify that this class indeed composes, i.e. if \(\widetilde{\varPi } \in \mathcal {BPP}^{\varPi }\) then \(\mathcal {BPP}^{\widetilde{\varPi }} \subseteq \mathcal {BPP}^{\varPi }\). Valiant and Vazirani [32] showed that SAT is reducible to unique SAT.
Theorem 1
(Valiant-Vazirani). \(\mathsf {SAT}\in \mathcal {BPP}^{\mathsf {UniqueSAT}}\).
An additional promise problem which will be of interest to us is the GapSD problem, defined by Sahai and Vadhan [29]. This problem essentially captures the hardness of distinguishing between efficient samplers for statistically close distributions and ones for statistically far distributions. We recall that for a circuit C (which we regard as a sampler from a distribution), \(C(\mathcal{U})\) denotes the distribution generated by running C on a random input.
Definition 2
Combining results by Mahmoody and Xiao [27] and by Bogdanov and Lee [5] as follows shows that \(\mathcal {BPP}^\mathsf {GapSD}\) is contained in \(\mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).
Theorem 2
\(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).
Proof
It follows from [5, Theorem 9] that \(\mathsf {GapSD}\in \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\). This means that both \((\mathsf {GapSD}_\mathsf {Yes}, \mathsf {GapSD}_\mathsf {No})\) and its complement \((\mathsf {GapSD}_\mathsf {No}, \mathsf {GapSD}_\mathsf {Yes})\) have \(\mathcal {AM}\) protocols, say with completeness 9 / 10 and soundness 1 / 10. Consider the protocol that takes \((C_0, C_1, \nu , 1^\ell )\) and does the following. First, execute the \(\mathcal {AM}\) protocol for \((\mathsf {GapSD}_\mathsf {Yes}, \mathsf {GapSD}_\mathsf {No})\) on input \(x_1 = (C_0, C_1, \nu +1/(4\ell ), 1^{(4\ell )})\). Then, execute the \(\mathcal {AM}\) protocol for \((\mathsf {GapSD}_\mathsf {No}, \mathsf {GapSD}_\mathsf {Yes})\) (note the reverse order) on \(x_2 = (C_0, C_1, \nu 1/(2\ell ), 1^{(4\ell )})\). Accept only if the two executions accepted. Now, assume that \(\nu = \mathsf {SD}(C_0, C_1)\). Then it holds that \(x_1 \in \mathsf {GapSD}_\mathsf {Yes}\) and \(x_2 \in \mathsf {GapSD}_\mathsf {No}\) and therefore our new protocol accepts with probability at least 8 / 10. However, if \(\left\nu  \mathsf {SD}(C_0, C_1) \right > 1/\ell \) then either \(x_1 \in \mathsf {GapSD}_\mathsf {No}\) or \(x_2 \in \mathsf {GapSD}_\mathsf {Yes}\) and therefore our new protocol accepts with probability at most 2 / 10. This means that our protocol is an \(\mathcal {AM}\) protocol that, for any \(\epsilon \), can decide given \((C_0, C_1)\), \(1^{\left\lceil 1/\epsilon \right\rceil }\) and \(\nu \) whether \(\nu = \mathsf {SD}(C_0(\mathcal{U}), C_1(\mathcal{U}))\) or whether \(\left\nu \mathsf {SD}(C_0(\mathcal{U}), C_1(\mathcal{U})) \right > \epsilon \).
Consider the class \(\mathbb {R}\mathbf TFAM \) as defined in [27, Definition 3.1] and consider the real valued function \(f_{\mathsf {SD}}: \{0,1\}^*\rightarrow \mathbb {R}\) defined as \(f_{\mathsf {SD}}(C_0,C_1,1^k)=\mathsf {SD}(C_0(\mathcal{U}), C_1(\mathcal{U}))\) (note that the third parameter is ignored and is used only for padding purposes). Our protocol above implies, by definition, that \(f_{\mathsf {SD}}\in \mathbb {R}\mathbf TFAM \).
Furthermore, it holds that \(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {BPP}^{\mathcal{O}_{f_{\mathsf {SD}}}}\) for any oracle \(\mathcal{O}_{f_{\mathsf {SD}}}\) that on input \(x \in \{0,1\}^n\) outputs a value y such that \(\left| y - f_{\mathsf {SD}}(x) \right| \le 1/n\). To see this, we notice that we can answer \(\mathsf {GapSD}\) queries of the form \((C_0, C_1, \nu , 1^\ell )\) as follows: First compute \(y = \mathcal{O}_{f_{\mathsf {SD}}}(C_0, C_1, 1^{2\ell })\), then if \(y < \nu + 1/(2\ell )\) return \(\mathsf {Yes}\), otherwise return \(\mathsf {No}\). This implies that \(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {BPP}^{\mathbb {R}\mathbf {TFAM}}\) by [27, Definition 3.2] (when choosing \(\epsilon (n)=1/n\)).
Finally, [27, Theorem 1.1] states that \(\mathcal {BPP}^{\mathbb {R}\mathbf {TFAM}} \subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\), which implies that \(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) as desired.
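The two reductions in the proof above (the two-query test that pins down \(\nu = \mathsf {SD}(C_0, C_1)\), and the single query to an additive-error oracle for \(f_{\mathsf {SD}}\) that answers a \(\mathsf {GapSD}\) instance) are mechanical enough to be run on toy sampling circuits. The following Python is an added illustration and not code from the paper; it computes statistical distance exactly by enumerating all inputs of small circuits, uses that exact value as a stand-in for the \(\mathcal {AM}\) protocols, and models \(\mathcal{O}_{f_{\mathsf {SD}}}\) as the exact value plus a constructed random error. It assumes the promise that the proof uses, namely that \((C_0, C_1, \nu , 1^\ell )\) is a Yes instance when \(\mathsf {SD} \le \nu \) and a No instance when \(\mathsf {SD} \ge \nu + 1/\ell \) (the definition in Subsect. 2.1 is not part of this excerpt); the circuits \(C_0, C_1\) and all numeric parameters are constructed for the example.

```python
from fractions import Fraction
from itertools import product
import random


def output_distribution(circuit, n_inputs):
    """Exact output distribution of `circuit` (a callable on a tuple of n_inputs
    bits) under a uniform input, by enumerating all 2^n inputs. This is the
    inefficient step that the oracle hides; it is fine for toy circuits."""
    counts = {}
    for bits in product((0, 1), repeat=n_inputs):
        y = circuit(bits)
        counts[y] = counts.get(y, 0) + 1
    total = 2 ** n_inputs
    return {y: Fraction(c, total) for y, c in counts.items()}


def statistical_distance(c0, c1, n_inputs):
    """SD(C0(U), C1(U)) = 1/2 * sum_y |Pr[C0(U)=y] - Pr[C1(U)=y]|, computed exactly."""
    p0 = output_distribution(c0, n_inputs)
    p1 = output_distribution(c1, n_inputs)
    return sum(abs(p0.get(y, 0) - p1.get(y, 0)) for y in set(p0) | set(p1)) / 2


def gapsd_promise(c0, c1, n_inputs, nu, ell):
    """Classify the instance (C0, C1, nu, 1^ell) under the assumed promise:
    'Yes' if SD <= nu, 'No' if SD >= nu + 1/ell, and None when the instance
    violates the promise (a protocol for GapSD may then answer arbitrarily)."""
    sd = statistical_distance(c0, c1, n_inputs)
    if sd <= nu:
        return "Yes"
    if sd >= nu + Fraction(1, ell):
        return "No"
    return None


def sd_equals_nu(c0, c1, n_inputs, nu, ell):
    """The two-query test from the proof of Theorem 2, with the exact promise
    classifier standing in for the two AM protocols: accept iff
    x1 = (C0, C1, nu + 1/(4 ell), 1^{4 ell}) is a Yes instance and
    x2 = (C0, C1, nu - 1/(2 ell), 1^{4 ell}) is a No instance."""
    x1 = gapsd_promise(c0, c1, n_inputs, nu + Fraction(1, 4 * ell), 4 * ell)
    x2 = gapsd_promise(c0, c1, n_inputs, nu - Fraction(1, 2 * ell), 4 * ell)
    return x1 == "Yes" and x2 == "No"


def noisy_sd_oracle(c0, c1, n_inputs, precision, rng):
    """Model of the oracle O_{f_SD}: returns y with |y - SD| < 1/precision.
    On the page the error is 1/n for an n-bit query, so padding the query with
    1^{2 ell} buys precision 2 ell. The error here is a constructed random value."""
    sd = statistical_distance(c0, c1, n_inputs)
    error = Fraction(rng.randint(-999, 999), 1000) / precision
    return sd + error


def decide_gapsd_with_sd_oracle(c0, c1, n_inputs, nu, ell, seed=0):
    """The reduction BPP^GapSD <= BPP^{O_{f_SD}}: query the SD oracle at
    precision 2 ell and answer Yes iff y < nu + 1/(2 ell)."""
    rng = random.Random(seed)
    y = noisy_sd_oracle(c0, c1, n_inputs, 2 * ell, rng)
    return "Yes" if y < nu + Fraction(1, 2 * ell) else "No"


# Constructed toy sampling circuits on 3 uniform input bits: C0 outputs the first
# bit (Pr[1] = 1/2), C1 outputs the AND of the first two bits (Pr[1] = 1/4),
# so SD(C0(U), C1(U)) = 1/4.
def C0(bits):
    return bits[0]


def C1(bits):
    return bits[0] & bits[1]


if __name__ == "__main__":
    print(statistical_distance(C0, C1, 3))                          # 1/4
    print(sd_equals_nu(C0, C1, 3, Fraction(1, 4), 8))                # True
    print(sd_equals_nu(C0, C1, 3, Fraction(1, 2), 8))                # False
    print(decide_gapsd_with_sd_oracle(C0, C1, 3, Fraction(1, 4), 8))  # Yes
    print(decide_gapsd_with_sd_oracle(C0, C1, 3, Fraction(1, 8), 8))  # No
```

The point worth noticing when running it is the role of the padding: with \(\nu = 1/8\) the instance is a No instance only because \(\mathsf {SD} = 1/4 \ge \nu + 1/\ell \), and the oracle's error of less than \(1/(2\ell )\) is exactly what keeps every possible answer y on the No side of the threshold \(\nu + 1/(2\ell )\).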
We now state an important corollary of Theorem 2 which shows that there would be unlikely consequences if \(\mathsf {UniqueSAT}\in \mathcal {BPP}^{\mathsf {GapSD}}\).
Corollary 3
If \(\mathsf {UniqueSAT}\in \mathcal {BPP}^\mathsf {GapSD}\), then \(\mathcal {NP}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).
Proof
2.2 Obfuscation
In this subsection, we define the statistically secure variant of approximately correct indistinguishability obfuscation (saiO) and its generalization, which we call statistically secure Approximately Correct Correlation Obfuscation (sacO). We define the generalized variant sacO first and then saiO as a special case. The notion of correlation obfuscation, in contrast to standard indistinguishability obfuscation, does not require that the outputs of the obfuscator on functionally equivalent circuits are indistinguishable. Rather, it only requires that there is a noticeable correlation between the outputs.
Definition 3
(Approximately Correct Correlation Obfuscation). Let O be a \(\mathsf {PPT}\) algorithm that takes boolean circuits (with a single output bit) as inputs and produces boolean circuits as output. For a circuit C, we let O(C;r) denote the output of running O on C with randomness r, and we let O(C) denote the distribution O(C;r) with uniform r.
Approximate Correctness. For any circuit C it holds that
$$ {\text {Pr}}_{r,x}\left[ \mathsf{O}(C; r)(x) = C(x)\right] \ge 1-\epsilon (|C|,n). $$
Correlation. For any pair of circuits \(C_1, C_2\) which compute the same function and such that \(|C_1|=|C_2|\) it holds that \(\mathsf {SD}(\mathsf{O}(C_1), \mathsf{O}(C_2)) \le \delta (|C_1|,n)\).
The definition of statistically secure approximately correct indistinguishability obfuscation (saiO) follows by requiring negligible statistical distance \(\delta \).
Definition 4
(Approximately Correct Indistinguishability Obfuscation). Let O be a \((1-\epsilon )\)-approximately correct and \((1-\delta )\)-secure correlation obfuscator. We say that O is also a \((1-\epsilon )\)-approximately correct statistically secure indistinguishability obfuscator (saiO) if there exists a negligible function \(\mathsf {negl}(|C|,n)\) such that for all circuits C it holds that \(\delta (|C|,n) \le \mathsf {negl}(|C|,n)\).
2.3 Puncturable Pseudorandom Functions
We use a weak notion of puncturable pseudorandom function. This notion suffices for our results and follows trivially from the stronger standard definition.
Definition 5
As observed by [6, 7, 22], puncturable PRFs can, for example, be constructed from pseudorandom generators (and thereby one-way functions [17]) via the GGM tree-based construction [12, 13].
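The GGM construction referred to above, and the way it is punctured, is worth seeing concretely because the proof of Theorem 4 relies on it. The following Python is an added example and not code from the paper or from [6, 7, 22]: a key k labels the root of a binary tree, each node is expanded by a length-doubling PRG G into its two children \(G_0(\cdot ), G_1(\cdot )\), and \(\mathsf {PRF}(k,x)\) is the leaf reached by following the bits of x. Puncturing at \(x^*\) hands out the sibling of every node on the root-to-\(x^*\) path, which suffices to evaluate the PRF everywhere except at \(x^*\). The example assumes SHA-256 with a domain-separation byte as a stand-in for the PRG; key length, input length and the test point are constructed values.

```python
import hashlib


def prg(seed: bytes) -> tuple:
    """Length-doubling PRG G(seed) = (G_0(seed), G_1(seed)), 32 bytes each.
    Assumption: SHA-256 under two domain-separation bytes stands in for a PRG."""
    left = hashlib.sha256(b"\x00" + seed).digest()
    right = hashlib.sha256(b"\x01" + seed).digest()
    return left, right


def ggm_eval(key: bytes, x: int, n: int) -> bytes:
    """PRF(k, x) for an n-bit input x: start at the root k and take child
    G_{x_i} at depth i, reading x from its most significant bit."""
    node = key
    for i in range(n - 1, -1, -1):
        node = prg(node)[(x >> i) & 1]
    return node


def puncture(key: bytes, x_star: int, n: int) -> dict:
    """Puncture(k, x*): release the sibling of every node on the path to x*.
    Each sibling is stored under (depth, prefix), where prefix is the depth-bit
    string labelling that node; no node on the path itself is released."""
    siblings = {}
    node = key
    for depth, i in enumerate(range(n - 1, -1, -1)):
        bit = (x_star >> i) & 1
        left, right = prg(node)
        prefix_of_x_star = x_star >> (i + 1)           # the top `depth` bits of x*
        sibling_prefix = (prefix_of_x_star << 1) | (bit ^ 1)
        siblings[(depth + 1, sibling_prefix)] = right if bit == 0 else left
        node = left if bit == 0 else right             # continue along the path
    return {"n": n, "x_star": x_star, "siblings": siblings}


def punctured_eval(pkey: dict, x: int):
    """Evaluate PRF(k, x) from the punctured key. Returns None at x*, where the
    leaf is not derivable from the released siblings."""
    n = pkey["n"]
    if x == pkey["x_star"]:
        return None
    # The first depth at which x leaves the path to x* is a released node;
    # descend from it using the remaining low-order bits of x.
    for depth in range(1, n + 1):
        prefix = x >> (n - depth)
        if (depth, prefix) in pkey["siblings"]:
            node = pkey["siblings"][(depth, prefix)]
            for i in range(n - depth - 1, -1, -1):
                node = prg(node)[(x >> i) & 1]
            return node
    raise ValueError("unreachable: x != x* diverges from the path somewhere")


if __name__ == "__main__":
    k = b"\x11" * 32          # constructed key
    n, x_star = 6, 37         # constructed input length and puncturing point
    pk = puncture(k, x_star, n)
    agree = all(punctured_eval(pk, x) == ggm_eval(k, x, n) for x in range(2 ** n) if x != x_star)
    print(len(pk["siblings"]), agree, punctured_eval(pk, x_star))   # 6 True None
```

The punctured key has exactly n sibling nodes, one per level, so it is only n times the size of the original key, and the paper's weak puncturing notion (Definition 5) is implied by this standard one.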
3 Negative Results for sacO and saiO
We now prove our main theorem that sacO for a large class of parameters, in particular the saiO parameters, is impossible assuming one-way functions and \(\mathcal {NP}\not \subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).
Theorem 4
(Impossibility of sacO). If \((1-\epsilon )\)-approximately correct, \((1-\delta )\)-secure sacO for \(\mathcal {P}\) exists, and there exists some polynomial \(\mathsf {poly}(|C|,n)\) such that \(\delta (|C|,n) \le \tfrac{1}{3}-\tfrac{2}{3}\epsilon (|C|,n) - \tfrac{1}{\mathsf {poly}(|C|,n)}\), then one-way functions do not exist or \(\mathcal {NP}\subseteq \mathbf {co}\mathcal {AM}\cap \mathcal {AM}\).
By setting \(\delta \) to be some negligible function, impossibility of saiO follows immediately as a corollary.
Corollary 5
(Impossibility of saiO). If \((1-\epsilon )\)-approximately correct saiO for \(\mathcal {P}\) exists, and there exists some polynomial \(\mathsf {poly}(|C|,n)\) such that \(\epsilon (|C|,n) \le \tfrac{1}{2} - \tfrac{1}{\mathsf {poly}(|C|,n)}\), then one-way functions do not exist or \(\mathcal {NP}\subseteq \mathbf {co}\mathcal {AM}\cap \mathcal {AM}\).
Proof
(Theorem 4). We define an efficiently samplable distribution \(X[\varPsi ]\) that is parametrized by a formula \(\varPsi \), and we define a reference distribution Y that should be parametrized by the size of \(\varPsi \) and the number of variables in \(\varPsi \), but we omit the dependency on \(\varPsi \) for readability. We note that in the introduction, we discussed using \(Y=X[\mathbf {0}]\), where \(\mathbf {0}\) is a canonical representation of an unsatisfiable formula of the same size as \(\varPsi \). It is intuitive to think of Y as being indeed equal to \(X[\mathbf {0}]\). However, for the sake of tightness, jumping ahead, we will use a slightly different distribution and note that this allows us to gain an additive term of \(\delta \) in Claim 11.
As in the proof by Goldwasser and Rothblum [14, 15] that we sketched in the introduction, we want to define \(X[\varPsi ]\) (and Y) in a way such that properties (1), (2) and (3) are satisfied, assuming one-way functions and sacO. If we manage to do so, then we succeed in showing that these assumptions imply the collapse of the polynomial hierarchy.
Our proof will rely on the promise problem \((\mathsf {USAT},\mathsf {UNSAT})\) rather than the language \(\mathsf {SAT}\) (see Subsect. 2.1). Therefore, instead of using the gap statistical distance problem \(\mathsf {GapSD}\) directly as Goldwasser and Rothblum do, we consider \(\mathcal {BPP}^\mathsf {GapSD}\), so as to accommodate the randomized reduction from \(\mathsf {SAT}\) to \(\mathsf {USAT}\) (see Theorem 1).
Our proof does not rely on complexity-theoretic techniques, except for proving the following claim and showing that the theorem follows from it.
Claim 6
Assume that there is a formula-indexed distribution \(X[\varPsi ]\), a reference distribution Y, a function \(\nu \), and a polynomial \(\mathsf {poly}(n)\) such that the following three conditions are satisfied.
(1) There is a uniform polynomial-time algorithm \(\mathcal {A}\) that, on input \(\varPsi \), constructs two polynomial-size randomized circuits that sample from \(X[\varPsi ]\) and Y respectively.
(2) If \(\varPsi \) is in \(\mathsf {UNSAT}\), then \(X[\varPsi ]\) has statistical distance at most \(\nu (n)\) from Y.
(3) If \(\varPsi \) is in \(\mathsf {USAT}\), then \(X[\varPsi ]\) has statistical distance at least \(\nu (n) + \tfrac{1}{\mathsf {poly}(n)}\) from Y.
Then \(\mathsf {USAT}\) is in \(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).
Proof
Given that conditions (1), (2) and (3) are satisfied, we construct an algorithm \(\mathcal {B}\) such that for all \(\mathsf {GapSD}\) oracles and all formulae \(\varPsi \), \(\mathcal {B}^\mathsf {GapSD}(\varPsi )\) outputs 1 with probability 1 if \(\varPsi \in \mathsf {USAT}\) and 0 with probability 1 if \(\varPsi \in \mathsf {UNSAT}\). On input \(\varPsi \), the algorithm \(\mathcal {B}\) runs \(\mathcal {A}\) to get circuits for \(X[\varPsi ]\) and Y and queries \((X[\varPsi ],Y,\nu (n),1^{\mathsf {poly}(n)})\) to the \(\mathsf {GapSD}\) oracle. \(\mathcal {B}\) returns whatever the oracle returns. By properties (1), (2) and (3), the query that \(\mathcal {B}\) makes is in \(\mathsf {GapSD}_\mathsf {Yes}\) if \(\varPsi \in \mathsf {USAT}\) and in \(\mathsf {GapSD}_\mathsf {No}\) if \(\varPsi \in \mathsf {UNSAT}\). Hence, \(\mathcal {B}\) is correct and \(\mathsf {USAT}\) is in \(\mathcal {BPP}^\mathsf {GapSD}\). Moreover, due to Theorem 2 by Mahmoody and Xiao, \(\mathcal {BPP}^\mathsf {GapSD}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\).
To obtain the main theorem, we need to show that \(\mathsf {USAT} \in \mathcal {BPP}^\mathsf {GapSD}\) implies \(\mathcal {NP}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\), which directly follows from Corollary 3 of Theorem 2 by Mahmoody and Xiao. Thus, if we can show that distributions as described in conditions (1), (2) and (3) exist, then the theorem follows.
We now define \(X[\varPsi ]\) and Y and then show that they satisfy (1), (2) and (3) assuming the existence of one-way functions and sacO with suitable correctness and security.
Definition 6
(Distribution). Let \(\ell (n)\) be a sufficiently large polynomial designating the size to which all circuits are padded before being obfuscated. Let \(\varPsi \) be a formula, let \((\mathsf {PRF},\mathsf {Puncture})\) be a puncturable pseudorandom function, and let \(\mathsf {O}\) be a \((1-\epsilon )\)-correct, statistically \((1-\delta )\)-secure approximate correlation obfuscator, where \(\delta (|C|,n) \le \tfrac{1}{3}-\tfrac{2}{3}\epsilon (|C|,n) - \tfrac{1}{\mathsf {poly}(|C|,n)}\). We now define the distributions \(X[\varPsi ]\) and Y, where the circuits \(\mathsf {C}_X[k,b,s,\varPsi ]\) and \(\mathsf {C}_{\textsf {prf}}[k]\) are defined to the right of the distributions.
Claim 7
(1) There is a uniform polynomial-time algorithm \(\mathcal {A}\) that, on input \(\varPsi \), constructs two polynomial-size randomized circuits that sample from \(X[\varPsi ]\) and Y respectively.
(2) If \(\varPsi \) is in \(\mathsf {UNSAT}\), then \(X[\varPsi ]\) has statistical distance at most \(\nu (n)\) from Y.
(3) If \(\varPsi \) is in \(\mathsf {USAT}\), then \(X[\varPsi ]\) has statistical distance at least \(\nu (n) + \tfrac{1}{\mathsf {poly}(n)}\) from Y.
We will first state two claims and a lemma that will allow us to prove Claim 7. We will then prove Claim 7 and afterwards prove the claims and the lemma.
Claim 8
(Efficient Sampling). There is a uniform polynomial-time algorithm \(\mathcal {A}\) that, on input \(\varPsi \), constructs two polynomial-size randomized circuits that sample from \(X[\varPsi ]\) and Y respectively.
Claim 9
(Statistical Proximity). For all formulae \(\varPsi \in \mathsf {UNSAT}\), \(X[\varPsi ]\) has statistical distance at most \(\delta (\ell (n),n)\) from Y.
Lemma 10
(Statistical Distance). There exists a negligible function \(\mathsf {negl}(n)\) such that for all formulae \(\varPsi \in \mathsf {USAT}\), \(X[\varPsi ]\) has statistical distance at least \(1-2\epsilon (\ell (n),n) - 2\delta (\ell (n),n) - \mathsf {negl}(n)\) from Y.
Proof
Proof
(Claim 8). Sampling k and s is efficient, and so is constructing \(\mathsf {C}_X[k,s,\varPsi ]\) and \(\mathsf {C}_{\textsf {prf}}[k]\). Finally, from the efficiency of the obfuscator, it follows that \(X[\varPsi ]\) and Y are efficiently samplable by polynomial-size randomized circuits.
Proof
(Claim 9). For all unsatisfiable formulae \(\varPsi \), the circuits \(\mathsf {C}_X[k,s,\varPsi ]\) and \(\mathsf {C}_{\textsf {prf}}[k]\) are functionally equivalent and of the same size \(\ell (n)\). Hence, by statistical security of the obfuscator, the distributions \((k,s,\mathsf {O}(\mathsf {C}_X[k,s,\varPsi ]))\) and \((k,s,\mathsf {O}(\mathsf {C}_{\textsf {prf}}[k]))\) have statistical distance at most \(\delta (\ell (n),n)\).
We now turn to the most involved part of the proof, which is to show that Lemma 10 holds. In order to show that for all formulae \(\varPsi \in \mathsf {USAT}\), \(X[\varPsi ]\) is statistically far from Y, we show that, if \(\varPsi \in \mathsf {USAT}\), then the distribution \(X[\varPsi ]\) has a property that Y does not have. We state the property in two claims.
Claim 11
Claim 12
Proof
(Lemma 10). Lemma 10 follows directly from Claims 11 and 12, because the stated properties are statistical properties, i.e., we can give an inefficient distinguisher as follows: The distinguisher determines \(x_\varPsi \) through exhaustive search and then, given a sample \((k,s,C')\) from either \(X[\varPsi ]\) or Y, checks whether \(\mathsf {PRF}(k,\cdot )\) and \(C'\) differ on input \(x_\varPsi \oplus s\). If the sample is from \(X[\varPsi ]\), they will differ with probability greater than \(1 - \epsilon (\ell (n),n) - 2\delta (\ell (n), n) - \mathsf {negl}(n)\). If on the other hand the sample is from Y, then they will differ only with probability less than \(\epsilon (\ell (n),n)\). This concludes the proof of Lemma 10, subject to proving the claims.
It now remains to prove Claims 11 and 12. The proof of the first property is relatively straightforward, while the proof of the second property contains the technical key arguments that we discussed above.
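The figure defining \(\mathsf {C}_X\) and \(\mathsf {C}_{\textsf {prf}}\) did not survive extraction, so the following Python is an added illustration of the idea behind the distinguisher in the proof of Lemma 10 and of the functional equivalence used in Claim 9, not the paper's own circuits. It assumes the shape \(\mathsf {C}_X[k,s,\varPsi ](x) = \mathsf {PRF}(k,x) \oplus \varPsi (x \oplus s)\) with \(\mathsf {C}_{\textsf {prf}}[k] = \mathsf {PRF}(k,\cdot )\) as the baseline: for \(\varPsi \in \mathsf {UNSAT}\) the two circuits compute the same function, and for \(\varPsi \in \mathsf {USAT}\) they differ on exactly one input, \(x_\varPsi \oplus s\). The obfuscator is left out (the theorem says it cannot exist with these parameters), so the "samples" are the unobfuscated circuits; HMAC-SHA256 truncated to one bit stands in for the PRF, and the formulae, key and shift are constructed values.

```python
import hashlib
import hmac
from itertools import product


def prf(k: bytes, x: tuple) -> int:
    """One-bit PRF(k, x) on a tuple of bits. Assumption: HMAC-SHA256 truncated
    to a single bit stands in for the puncturable PRF of Definition 5."""
    return hmac.new(k, bytes(x), hashlib.sha256).digest()[0] & 1


def eval_formula(cnf, x) -> bool:
    """Evaluate a CNF formula given as a list of clauses; a literal l is the
    int +(i+1) for variable x_i and -(i+1) for its negation."""
    return all(any((x[abs(l) - 1] == 1) == (l > 0) for l in clause) for clause in cnf)


def satisfying_assignments(cnf, n):
    """Exhaustive search over all 2^n assignments (the inefficient step)."""
    return [x for x in product((0, 1), repeat=n) if eval_formula(cnf, x)]


def embedded_circuit(k: bytes, s: tuple, cnf):
    """Hypothetical C_X[k, s, Psi](x) = PRF(k, x) XOR Psi(x XOR s): the formula is
    embedded into the PRF at the shifted position. When Psi is unsatisfiable
    the XOR term is always 0 and the circuit equals the baseline PRF(k, .)."""
    def circuit(x):
        shifted = tuple(xi ^ si for xi, si in zip(x, s))
        return prf(k, x) ^ int(eval_formula(cnf, shifted))
    return circuit


def baseline_circuit(k: bytes):
    """C_prf[k] = PRF(k, .), the reference circuit behind Y."""
    return lambda x: prf(k, x)


def disagreement_points(k, s, cnf, n):
    """Inputs on which C_X[k, s, Psi] and PRF(k, .) differ (exhaustive)."""
    c_x = embedded_circuit(k, s, cnf)
    return [x for x in product((0, 1), repeat=n) if c_x(x) != prf(k, x)]


def inefficient_distinguisher(cnf, n, k, s, candidate) -> int:
    """The distinguisher from the proof of Lemma 10 for Psi in USAT: find x_Psi by
    exhaustive search, then output 1 iff `candidate` and PRF(k, .) differ on
    x_Psi XOR s. On an unobfuscated C_X this is always 1; on the baseline, 0."""
    solutions = satisfying_assignments(cnf, n)
    if len(solutions) != 1:
        raise ValueError("distinguisher is only specified for uniquely satisfiable Psi")
    probe = tuple(a ^ b for a, b in zip(solutions[0], s))
    return int(candidate(probe) != prf(k, probe))


if __name__ == "__main__":
    k = b"k" * 32                   # constructed PRF key
    s = (1, 1, 0, 1)                # constructed shift
    usat = [[1], [-2], [3], [-4]]   # x1 & !x2 & x3 & !x4, unique model (1, 0, 1, 0)
    unsat = [[1], [-1]]             # x1 & !x1
    print(disagreement_points(k, s, usat, 4))    # [(0, 1, 1, 1)], i.e. x_Psi XOR s
    print(disagreement_points(k, s, unsat, 4))   # []
    print(inefficient_distinguisher(usat, 4, k, s, embedded_circuit(k, s, usat)))  # 1
    print(inefficient_distinguisher(usat, 4, k, s, baseline_circuit(k)))           # 0
```

With an obfuscator in the picture, the two printed probabilities in the proof become \(1-\epsilon -2\delta -\mathsf {negl}\) and \(\epsilon \) rather than 1 and 0: approximate correctness lets the obfuscated circuit err on the probe point, and the \(2\delta \) term is where Claim 11 pays for switching between the correlated distributions.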
Proof
Proof
(Claim 12). Let \(x_\varPsi \) denote the accepting assignment of \(\varPsi \). We first define the following game.
Note that \(\mathsf {Game}_2\) is a rewrite of \(\mathsf {Game}_1\) by making \(X[\varPsi ]\) explicit.
Footnotes
1. Note that our result is only a “stronger” result in a moral sense, but not in a formal sense. While the non-existence of one-way functions would allow us to build a reduction from public-key encryption to symmetric-key encryption (as in this case, both do not exist), it is not known that \(\mathcal {NP}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\) implies that we can build a public-key encryption scheme from a one-way function.
2. In fact, by applying [27] we get that \(\mathcal {BPP}^\mathcal {SZK}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\), which is almost what we need. However, it is only known that \(\mathsf {GapSD}\in \mathcal {SZK}\) under a somewhat weaker definition of the \(\mathsf {GapSD}\) problem.
Notes
Acknowledgment
We are grateful to Andrej Bogdanov, Kai-Min Chung, Siyao Guo, Markulf Kohlweiss, Arno Mittelbach and Vinod Vaikuntanathan for helpful discussions. In particular, Andrej and Vinod pointed out that PAC-learnability implies approximate obfuscation and that, since CNF formulae are PAC-learnable, impossibility results for saiO need to obfuscate more complex functions than CNF formulae. The discussions with Vinod at the Mathematisches Forschungsinstitut Oberwolfach (MFO) inspired the idea of embedding a formula into a PRF. Vinod also suggested that in the absence of one-way functions, there exists a perfectly secure variant of obfuscation where the correctness is on average over the circuit distribution, the input and the obfuscator.
References
1. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)
2. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)
3. Bitansky, N., Paneth, O.: On the impossibility of approximate obfuscation and applications to resettable cryptography. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, Palo Alto, CA, USA, 1–4 June 2013, pp. 241–250. ACM Press (2013)
4. Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation: from approximate to exact. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016-A. LNCS, vol. 9562, pp. 67–95. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49096-9_4
5. Bogdanov, A., Lee, C.H.: Limits of provable security for homomorphic encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 111–128. Springer, Heidelberg (2013)
6. Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013)
7. Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014)
8. Canetti, R., Kalai, Y.T., Paneth, O.: On obfuscation with random oracles. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 456–467. Springer, Heidelberg (2015)
9. Diffie, W., Hellman, M.E.: Multiuser cryptographic techniques. In: American Federation of Information Processing Societies, 1976 National Computer Conference. AFIPS Conference Proceedings, New York, NY, USA, 7–10 June 1976, vol. 45, pp. 109–112. AFIPS Press (1976)
10. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual Symposium on Foundations of Computer Science, Berkeley, CA, USA, 26–29 October 2013, pp. 40–49. IEEE Computer Society Press (2013)
11. Goldreich, O.: Computational Complexity: A Conceptual Perspective. Cambridge University Press, Cambridge (2008)
12. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: 25th Annual Symposium on Foundations of Computer Science, Singer Island, Florida, 24–26 October 1984, pp. 464–479. IEEE Computer Society Press (1984)
13. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
14. Goldwasser, S., Rothblum, G.N.: On best-possible obfuscation. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 194–213. Springer, Heidelberg (2007)
15. Goldwasser, S., Rothblum, G.N.: On best-possible obfuscation. J. Cryptology 27(3), 480–505 (2014)
16. Hada, S., Sakurai, K.: A note on the (im)possibility of using obfuscators to transform private-key encryption into public-key encryption. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds.) IWSEC 2007. LNCS, vol. 4752, pp. 1–12. Springer, Heidelberg (2007)
17. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
18. Holenstein, T.: Strengthening Key Agreement Using Hard-Core Sets. Ph.D. thesis, ETH Zurich (2006)
19. Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography (extended abstract). In: 30th Annual Symposium on Foundations of Computer Science, Research Triangle Park, North Carolina, 30 October - 1 November 1989, pp. 230–235. IEEE Computer Society Press (1989)
20. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: 21st Annual ACM Symposium on Theory of Computing, Seattle, Washington, USA, 15–17 May 1989, pp. 44–61. ACM Press (1989)
21. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 8–26. Springer, Heidelberg (1990)
22. Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 13, 20th Conference on Computer and Communications Security, Berlin, Germany, 4–8 November 2013, pp. 669–684. ACM Press (2013)
23. Komargodski, I., Moran, T., Naor, M., Pass, R., Rosen, A., Yogev, E.: One-way functions and (im)perfect obfuscation. In: 55th Annual Symposium on Foundations of Computer Science, Philadelphia, PA, USA, 18–21 October 2014, pp. 374–383. IEEE Computer Society Press (2014)
24. Lin, H., Pass, R., Seth, K., Telang, S.: Output-compressing randomized encodings and applications. Cryptology ePrint Archive, Report 2015/720 (2015). http://eprint.iacr.org/2015/720
25. Mahmoody, M., Mohammed, A., Nematihaji, S.: On the impossibility of virtual black-box obfuscation in idealized models. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016-A. LNCS, vol. 9562, pp. 18–48. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49096-9_2
26. Mahmoody, M., Mohammed, A., Nematihaji, S., Pass, R., Shelat, A.: Lower bounds on assumptions behind indistinguishability obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016-A. LNCS, vol. 9562, pp. 49–66. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49096-9_3
27. Mahmoody, M., Xiao, D.: On the power of randomized reductions and the checkability of SAT. In: Proceedings of the 25th Annual IEEE Conference on Computational Complexity, CCC 2010, Cambridge, Massachusetts, 9–12 June 2010, pp. 64–75. IEEE Computer Society (2010)
28. Pass, R., Shelat, A.: Impossibility of VBB obfuscation with ideal constant-degree graded encodings. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016-A. LNCS, vol. 9562, pp. 3–17. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49096-9_1
29. Sahai, A., Vadhan, S.P.: A complete promise problem for statistical zero-knowledge. In: 38th Annual Symposium on Foundations of Computer Science, Miami Beach, Florida, 19–22 October 1997, pp. 448–457. IEEE Computer Society Press (1997)
30. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th Annual ACM Symposium on Theory of Computing, New York, NY, USA, 31 May - 3 June 2014, pp. 475–484. ACM Press (2014)
31. Valiant, L.G.: A theory of the learnable. Commun. ACM 27(11), 1134–1142 (1984)
32. Valiant, L.G., Vazirani, V.V.: NP is as easy as detecting unique solutions. In: Sedgewick, R. (ed.) 17th Annual ACM Symposium on Theory of Computing, Providence, Rhode Island, USA, 6–8 May 1985, pp. 458–463. ACM Press (1985)