TY - JOUR

T1 - On the (Im)possibility of obfuscating programs

AU - Barak, Boaz

AU - Goldreich, Oded

AU - Impagliazzo, Russell

AU - Rudich, Steven

AU - Ucla, Amit Sahai

AU - Vadhan, Salil

AU - Yang, Ke

N1 - DOD/NDSEG; NSF [0627526, 0426582, 0205594, 0312809, 0456717, 0627781, 0716389, 0830803, 0916574, 1065276, 1118096, 1136174, 0430336, 0831289]; US-Israel BSF [2004288]; Packard and Sloan fellowships; Minerva Foundation (Germany); Israel Science Foundation [460/05]; Sloan Research Fellowship; Okawa Research Award; Guggenheim Fellowship; Miller Institute for Basic Research in ScienceMost of this work was done when B. Barak was a graduate student at Weizmann Institute of Science, A. Sahai was a graduate student at MIT (supported by a DOD/NDSEG Graduate Fellowship), S. Vadhan was a graduate student and a postdoctoral fellow at MIT (supported by a DOD/NDSEG Graduate Fellowship and an NSF Mathematical Sciences Postdoctoral Research Fellowship), and K. Yang was a graduate student at CMU. Further support for this work was provided to B. Barak by NSF grants 0627526 and 0426582, US-Israel BSF grant 2004288, and Packard and Sloan fellowships; to O. Goldreich by the Minerva Foundation (Germany) and the Israel Science Foundation (Grant No. 460/05); to A. Sahai by a Sloan Research Fellowship, an Okawa Research Award, and NSF grants 0205594, 0312809, 0456717, 0627781, 0716389, 0830803, 0916574, 1065276, 1118096, and 1136174; and to S. Vadhan by NSF grants 0430336 and 0831289, a Guggenheim Fellowship, and the Miller Institute for Basic Research in Science.

PY - 2012/4

Y1 - 2012/4

N2 - Informally, an obfuscator O is an (efficient, probabilistic) "compiler" that takes as input a program (or circuit) P and produces a new program O(P) that has the same functionality as P yet is "unintelligible" in some sense. Obfuscators, if they exist, would have a wide variety of cryptographic and complexity-theoretic applications, ranging from software protection to homomorphic encryption to complexity-theoretic analogues of Rice's theorem.Most of these applications are based on an interpretation of the "unintelligibility" condition in obfuscation as meaning that O(P) is a "virtual black box," in the sense that anything one can efficiently compute given O(P), one could also efficiently compute given oracle access to P. In this work, we initiate a theoretical investigation of obfuscation. Our main result is that, even under very weak formalizations of the above intuition, obfuscation is impossible. We prove this by constructing a family of efficient programs P that are unobfuscatable in the sense that (a) given any efficient program P that computes the same function as a program P ε P, the "source code" P can be efficiently reconstructed, yet (b) given oracle access to a (randomly selected) program P ε P, no efficient algorithm can reconstruct P (or even distinguish a certain bit in the code from random) except with negligible probability. We extend our impossibility result in a number of ways, including even obfuscators that (a) are not necessarily computable in polynomial time, (b) only approximately preserve the functionality, and (c) only need to work for very restricted models of computation (TC0).We also rule out several potential applications of obfuscators, by constructing "unobfuscatable" signature schemes, encryption schemes, and pseudorandom function families.

AB - Informally, an obfuscator O is an (efficient, probabilistic) "compiler" that takes as input a program (or circuit) P and produces a new program O(P) that has the same functionality as P yet is "unintelligible" in some sense. Obfuscators, if they exist, would have a wide variety of cryptographic and complexity-theoretic applications, ranging from software protection to homomorphic encryption to complexity-theoretic analogues of Rice's theorem.Most of these applications are based on an interpretation of the "unintelligibility" condition in obfuscation as meaning that O(P) is a "virtual black box," in the sense that anything one can efficiently compute given O(P), one could also efficiently compute given oracle access to P. In this work, we initiate a theoretical investigation of obfuscation. Our main result is that, even under very weak formalizations of the above intuition, obfuscation is impossible. We prove this by constructing a family of efficient programs P that are unobfuscatable in the sense that (a) given any efficient program P that computes the same function as a program P ε P, the "source code" P can be efficiently reconstructed, yet (b) given oracle access to a (randomly selected) program P ε P, no efficient algorithm can reconstruct P (or even distinguish a certain bit in the code from random) except with negligible probability. We extend our impossibility result in a number of ways, including even obfuscators that (a) are not necessarily computable in polynomial time, (b) only approximately preserve the functionality, and (c) only need to work for very restricted models of computation (TC0).We also rule out several potential applications of obfuscators, by constructing "unobfuscatable" signature schemes, encryption schemes, and pseudorandom function families.

UR - http://www.scopus.com/inward/record.url?scp=84860577964&partnerID=8YFLogxK

U2 - https://doi.org/10.1145/2160158.2160159

DO - https://doi.org/10.1145/2160158.2160159

M3 - مقالة

SN - 0004-5411

VL - 59

JO - Journal of the ACM

JF - Journal of the ACM

IS - 2

M1 - 2160159

ER -