On The (m)possibility of

Software Obfuscation
Boaz Barak
Joint work with Oded Goldreich, Russell mpagliazzo, Steven
Rudich, Amit Sahai, Salil Vadhan and Ke Yang.
An obfuscator: An algorithm O such that for any program
P , O(P) is a program such that:
O(P) has the same functionality as P
O(P) is infeasible to analyze / "reverse-engineer.
Intuition: an obfuscator should provide a "virtuaI bIack-
box" in the sense that giving someone O(P) should be
equivalent to giving her a black-box that computes P.
What Is an Obfuscator?
hy Might Obfuscators Exist?
PracticaI Reasons:
Understanding code is very difficult
Obfuscation used (successfully?) in practice for
security purposes
TheoreticaI Reasons:
All canonical hard problems are problems of
reverse engineering: SAT, HALTING
Rice's Theorem: You can't look at the code
(Turing Machine description) of a function and
find out a non-trivial property of it.
Applications for Obfuscators
Distributing music on-line
Removing Random Oracles for specific natural
protocols.
Converting a private key encryption to a public key
encryption
Give someone ability to sign/decrypt a restricted subset
of the message space.
!rivate (Shared) Key Encryption
!ublic Key Encryption

k
m
D
k
c m
Private Key ncryption Scheme:
CPA (Chosen !laintext Attack) Security:

k
A
c m

e
m
D
d
c m
PubIic Key ncryption Scheme:
Security:
e
A
c m
The Conversion
'
e
m
D'
d
c m
nstead of publishing the key k, publish e=O(
k
)
Security of The Converted Scheme

k
A
c m
A'
c m
e=O(
k
)
Defining Obfuscators
Definition 1 An algorithm O is an obfuscator if for any
circuit C:
1. (functionality) O(C) ~ C (i.e., O(C) computes the same
function as C)
2. (polynomial slowdown) |O(C)| A p(|C|) for some
polynomial p( ).
e say that O is efficient if it runs in polynomial time.
Defining Security
A NaturaI FormaI Interpretation:
For any adversary A there's a simulator S such that for any
circuit C
A(O(C))
C.I.
S
C
(1
|C|
)
"Anything that can be learned from the obfuscated form,
could have been learned by merely observing the circuit's
input-output behavior (i.e., by treating the circuit as a
black-box)''
This definition is impossibIe to meet!
Defining Security (2)
ReIaxation: simulator should only compute a specific
function (even predicate) rather than generate an
indistinguishable output.
Weak Obfuscators: A (poly time) predicate
p:{0,1}
*
{0,1} S such that for all circuits C
Pr[ A(O(C)) = p(C) ] A Pr[ S
C
(1
|C|
) = p(C) ] + negI(|C|)
Note: may be too weak for desired applications, but still
we'll prove that it is impossibIe to meet.
nherently Unobfuscatable Functions
Definition 2 A (efficiently computable) function ensemble {
F
t
} ( F
t
:{0,1}
|t|
{0,1}
|t|
) is an unobfuscatabIe function
ensembIe (UF) if it satisfies:
There's a poly time predicate p:{0,1}
*
{0,1} such that:
(a) (p easy to compute with a circuit) There's a p.p.t A
such that for any circuit C such that C ~ F
t
A(C) = p(F
t
)
(b) (p hard to compute with black-box access) For
any p.p.t S , if t {0,1}
n
then
Pr [ S
F
t
(1
n
) = p(t) ] A + negI(n)
The Main Result
Theorem 1: unobfuscatable functions
"very weak obfuscators.
Theorem 2: one way functions
unobfuscatable functions
Theorem 3: efficient weak obfuscators
one way functions
CoroIIary 4: Efficient weak obfuscators do not exist.
The image cannot be displayed.
Your computer may not have
enough memory to open the
image, or the image may have
been corrupted. Restart your
computer, and then open the file
again. !f the red x still appears,
you may have to delete the image
and then insert it again.
The image cannot be displayed.
Your computer may not have
enough memory to open the
image, or the image may have
been corrupted. Restart your
computer, and then open the file
again. !f the red x still appears,
you may have to delete the image
and then insert it again.
The image cannot be displayed.
Your computer may not have
enough memory to open the
image, or the image may have
been corrupted. Restart your
computer, and then open the file
again. !f the red x still appears,
you may have to delete the image
and then insert it again.
The Combination Operator
For f
0
, f
1
: X , define f
0
#f
1
: {0,1} - X by:
f
0
#f
1
(b,x) : f
b
(x)
Properties:
1. From a circuit C that computes f
0
#f
1
one can compute
circuits C
0
,C
1
that compute f
0
and f
1
(C
b
(x) := C(b,x)
.
)
2. Oracle access to f
0
#f
1
oracle access to both f
0
and f
1
Using the combination operator, we can attempt to prove Theorem 2.
Solving The nput Size !roblem
emma 5: f one-way functions exist then there exists an
(efficiently constructible) ensemble { D
,,z
} such that:
1. There's a p.p.t A' such that for any circuit C that
satisfies C()= and for any z
A'
D
,,z
(C) =
l
2. Oracle access to D
,,z
does not help in learning anything
about .
FormaI Interpretation (semantic security):
For any p.p.t S there's a p.p.t S' such that for any (poly time) function
p:{0,1}
*
{0,1}
*
Pr
,,z
[S
D,,z
(1
n
) = p() ] A Pr
,,z
[ S'(1
n
) = p() ] + negI(n)
(in particular there's a p.p.t A'' such that A''(C# D
,,z
) =
l
)
emma 5 !roves Theorem 2
Define F
,,z
:= C
,
#D
,,z
p(,,z) :=
l
e claim that { F
,,z
} is an UF w.r.t the function p .
AIgorithm A: hen given a circuit F do:
1. Decompose F into circuits C,D such that F~C#D
2. Return A'
D
(C)
CIaim 1: For any circuit F such that F~ F
,,z
,
A(F) =
l
CIaim 2: For any p.p.t S
Pr
,,z
[ S
F
,,z
(1
n
) =
l
J A + negI(n)
!roof of emma 5
et (NC
k
, DC
k
) be a private key encryption scheme.
Define:
I
,i
constant function NC
k
(
l
).NC
k
(
n
)
H
k
(c,d,) := NC
k
( DC
k
(c) DC
k
(d) )
B
,,i
(c
1
,.,c
n
) :=
1
if DC
k
(c
1
) =
1
,., DC
k
(c
n
) =
n
B
,,i
(c
1
,.,c
n
) := 0 otherwise
et { h
k'
} be a pseudorandom function ensemble.
We define:
D
,,i
,
,i'
I
,i,i'
|H
k,k'
# B
,,i
Unobfuscatable Encryption Scheme
Definition 3: A (C!A secure) private key encryption
scheme (GN, NC , DC) is unobfuscatabIe if there
is an alg A such that A(C) = k for any circuit C s.t.
C~NC
k
That is, A can totaIIy break the encryption scheme given
any circuit that computes the encryption function.
Theorem 6: f secure private key encryption schemes exist
then so do inherently unobfuscatable encryption schemes.
!roof of Theorem 6
Suppose that (GN,NC,DC) is a (C!A) secure private
key encryption scheme. t follows that one way function
exist.
et { F
,,z
} be the ensemble from the proof of Theorem 2
and change it to F'
,,z,k
such that there's an algorithm A
such that A(F') = (,,z,k) for any circuit F' such that F' ~
F'
,,z,k.
Define (GN' , NC' ,DC') to be the following:
GN'(1
n
) := (k, , ,z) where kGN'(1
n
)
NC'
k , ,z
(m) := NC
k
(m);F'
,,z,k
(m)
DC'
k , ,z
(c;y) := DC
k
(c)
Similar Results
f signature schemes exist then so do unobfuscatable
signature schemes.
f pseudorandom functions exist then so do
unobfuscatable pseudorandom functions.
This results mean that any algorithm that satisfies
Definition 1 can not be used to obtain the applications
described before in the way that we thought.
They do not mean that these applications can't be
obtained in other ways. (n particular, we believe that public
key encryption schemes do exist).
Other Results
Generalization: obfuscators that only (strongly)
approximate input circuit: for any circuit C , and for any
input x
Pr[ C(x) (O(C) )(x) ] = negI(|C|)
(probability only over O 's coin tosses)
Note: our proof does not directly apply here
A promise problem version of a complexity theory
analog of Rice's Theorem is false.
eaker "obfuscation-like notions: (e.g., sampling
obfuscators).
Conclusions
s there any hope for obfuscation?
eaker / different definitions.
Restricted classes of algorithms.