On Statistically Secure Obfuscation with Approximate Correctness

  • Zvika Brakerski
  • Christina Brzuska
  • Nils Fleischhacker
Conference paper

DOI: 10.1007/978-3-662-53008-5_19

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9815)
Cite this paper as:
Brakerski Z., Brzuska C., Fleischhacker N. (2016) On Statistically Secure Obfuscation with Approximate Correctness. In: Robshaw M., Katz J. (eds) Advances in Cryptology – CRYPTO 2016. CRYPTO 2016. Lecture Notes in Computer Science, vol 9815. Springer, Berlin, Heidelberg


Goldwasser and Rothblum (TCC ’07) prove that statistical indistinguishability obfuscation (iO) cannot exist if the obfuscator must maintain perfect correctness (under a widely believed complexity theoretic assumption: \(\mathcal {NP}\not \subseteq \mathcal {SZK}\subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\)). However, for many applications of iO, such as constructing public-key encryption from one-way functions (one of the main open problems in theoretical cryptography), approximate correctness is sufficient. It had been unknown thus far whether statistical approximate iO (saiO) can exist.

We show that saiO does not exist, even for a minimal correctness requirement, if \(\mathcal {NP}\not \subseteq \mathcal {AM}\cap \mathbf {co}\mathcal {AM}\), and if one-way functions exist. A simple complementary observation shows that if one-way functions do not exist, then average-case saiO exists. Technically, previous approaches utilized the behavior of the obfuscator on evasive functions, for which saiO always exists. We overcome this barrier by using a PRF as a “baseline” for the obfuscated program.

We broaden our study and consider relaxed notions of security for iO. We introduce the notion of correlation obfuscation, where the obfuscations of equivalent circuits only need to be mildly correlated (rather than statistically indistinguishable). Perhaps surprisingly, we show that correlation obfuscators exist via a trivial construction for some parameter regimes, whereas our impossibility result extends to other regimes. Interestingly, within the gap between the parameters regimes that we show possible and impossible, there is a small fraction of parameters that still allow to build public-key encryption from one-way functions and thus deserve further investigation.

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Zvika Brakerski
    • 1
  • Christina Brzuska
    • 2
  • Nils Fleischhacker
    • 3
  1. 1.Weizmann Institute of ScienceRehovotIsrael
  2. 2.Technical University of HamburgHamburgGermany
  3. 3.CISPASaarland UniversitySaarbrückenGermany

Personalised recommendations