Paper 2022/1204

The Pseudorandom Oracle Model and Ideal Obfuscation

Abstract

We introduce a new idealized model of hash functions, which we refer to as the *pseudorandom oracle* ($\mathrm{Pr}\mathcal{O}$) model. Intuitively, it allows us to model cryptosystems that use the code of an ideal hash function in a non-black-box way. Formally, we model hash functions via a combination of a pseudorandom function (PRF) family and an ideal oracle. A user can initialize the hash function by choosing a PRF key $$ and mapping it to a public handle $$ using the oracle. Given the handle $$ and some input $$, the oracle can also be called to evaluate the PRF at $$ with the corresponding key $$. A user who chooses the PRF key $$ therefore has a complete description of the hash function and can use its code in non-black-box constructions, while an adversary, who just gets the handle $$, only has black-box access to the hash function via the oracle. As our main result, we show how to construct ideal obfuscation in the $$ model, starting from functional encryption (FE), which in turn can be based on well-studied polynomial hardness assumptions. In contrast, we know that ideal obfuscation cannot be instantiated in the basic random oracle model under any assumptions. We believe our result provides heuristic justification for the following: (1) most natural security goals implied by ideal obfuscation can be achieved in the real world; (2) obfuscation can be constructed from FE at polynomial security loss. We also discuss how to interpret our result in the $$ model as a construction of ideal obfuscation using simple hardware tokens or as a way to bootstrap ideal obfuscation for PRFs to that for all functions.