International Association
for Cryptologic Research

The traditional notion of {\\em program obfuscation} requires that an obfuscation $\\tilde{f}$ of a program $f$ computes the exact same function as $f$, but beyond that, the code of $\\tilde{f}$ should not leak any information about $f$. This strong notion of {\\em virtual black-box} security was shown by Barak et al. (CRYPTO 2001) to be impossible to achieve, for certain {\\em unobfuscatable function families}. The same work raised the question of {\\em approximate obfuscation}, where the obfuscated $\\tilde{f}$ is only required to approximate $\\tilde{f}$; that is, $\\tilde{f}$ only agrees with $f$ on some input distribution.

We show that, assuming {\\em trapdoor permutations}, there exist families of {\\em robust unobfuscatable functions} for which even approximate obfuscation is impossible. That is, obfuscation is impossible even if the obfuscated $\\tilde{f}$ only agrees with $f$ with probability slightly more than $\\frac{1}{2}$, on a uniformly sampled input (below $\\frac{1}{2}$-agreement, the function obfuscated by $\\tilde{f}$ is not uniquely defined). Additionally, we show that, assuming only one-way functions, we can rule out approximate obfuscation where $\\tilde{f}$ is not allowed to err, but may refuse to compute $f$ with probability close to $1$.

We then demonstrate the power of robust unobfuscatable functions by exhibiting new implications to resettable protocols that so far have been out of our reach. Concretely, we obtain a new non-black-box simulation technique that reduces the assumptions required for resettably-sound zero-knowledge protocols to {\\em one-way functions}, as well as reduce round-complexity. We also present a new simplified construction of simultaneously resettable zero-knowledge protocols that does not rely on collision-resistent hashing. Finally, we construct a three-message simultaneously resettable $\\WI$ {\\em argument of knowledge} (with a non-black-box knowledge extractor). Our constructions are based on a special kind of ``resettable slots\" that are useful for a non-black-box simulator, but not for a resetting prover.