Cryptanalysis on the HHSS Obfuscation Arising From Absence of Safeguards

Abstract

Indistinguishability Obfuscation ( $iO$ ) is a hopeful tool which obfuscates a program with the least-possible leakage, and produces various applications including functional encryption and deniable encryption. Recently, Halevi et. al. proposed a state-of-the-art obfuscator implementation, called HHSS obfuscation, in ACM-CCS’17. In this paper, we describe a polynomial time distinguishing attack on HHSS obfuscation. In other words, we show that there exist two functionally equivalent branching programs but obfuscated programs are actually distinguishable. This attack implies that HHSS obfuscation fails to achieve a general purpose of $iO$ security. The idea of the attack is quite simple; we multiply a left kernel vector of the branching program ${\mathcal P}$ to an evaluation of obfuscated matrix, which yields a small value when the program ${\mathcal P}$ is obfuscated. Our attack algorithm is also applicable even if evasive functions are obfuscated.