Papers
Topics
Authors
Recent
Search
2000 character limit reached

Scrambler: Mixed Boolean Arithmetic Obfuscation Tool Using E-graph and Equality Expansion

Published 4 Mar 2026 in cs.CR | (2603.03624v2)

Abstract: We propose Scrambler, and e-graph-based MBA obfuscation tool using Equality Expansion to efficiently generate complex and diverse expressions with equivalence guaranteed by construction. Experiments show Scrambler improves existing tools in expressiveness and complexity.

Authors (3)

Summary

  • The paper introduces Scrambler, a novel tool that employs e-graph-based equality expansion to generate semantically equivalent but structurally complex MBA expressions.
  • It leverages configurable termination conditions and exhaustive rewrite rules to achieve significantly larger AST sizes and increased MBA alternation compared to existing tools.
  • The study demonstrates enhanced obfuscation efficiency and reduced verification overhead, setting a new benchmark for resilience against reverse engineering.

Scrambler: An E-Graph-Based MBA Obfuscation Tool via Equality Expansion

Introduction

Mixed Boolean-Arithmetic (MBA) obfuscation constitutes a pivotal technique in software protection, targeting the transformation of simple arithmetic expressions into semantically equivalent yet structurally complex forms via interleaved Boolean and arithmetic operations. Conventional MBA obfuscators predominantly rely on rule-driven systems, truth tables, or linear algebra representations, which, while effective, suffer from rigidity in operator support, lack of scalability, and escalating computational overhead in verification as expression complexity increases. In "Scrambler: Mixed Boolean Arithmetic Obfuscation Tool Using E-graph and Equality Expansion" (2603.03624), the authors propose Scrambler, a novel obfuscation tool founded upon e-graph data structures and a unique equality expansion algorithm, systematically overcoming existing limitations in diversity, complexity, and verification overhead for MBA obfuscation.

E-Graphs and Equality Expansion

E-graphs were originally developed for efficient equivalence reasoning in automated theorem proving but have been recently adapted for optimization in program analysis via equality saturation [egg]. E-graphs organize expressions into equivalence classes (e-classes), enabling simultaneous representation and manipulation of all semantically equivalent forms generated by a set of rewrite rules.

Scrambler extends the equality saturation paradigm with an "Equality Expansion" approach. Contrary to traditional optimization (which terminates after finding the simplest expression), Scrambler's expansion algorithm targets the generation of highly complex expressions guided by a user-defined termination condition (e.g., a minimum AST size). This adaptation leverages the egg framework's efficient traversal and rewriting mechanisms. Figure 1

Figure 1: x+yx + y in e-graph representation (left) and after applying the rule y∗1=yy*1=y (right). The * operation and yy are labeled with the same e-class, indicating semantic equivalence preservation.

Scrambler Architecture and Workflow

Scrambler's architecture centers on three inputs: a set of semantics-preserving rewrite rules, the expression for obfuscation, and a configurable termination criterion. Upon execution, Scrambler ingests the expression and exhaustively applies the provided rules within the e-graph structure, expanding the equivalence class space until the prescribed termination condition is met. This process guarantees that all generated forms remain semantically equivalent to the original input by construction, obviating the necessity for external equivalence verification (e.g., SMT solvers like Z3 [z3]) and thus markedly improving efficiency. The set of supported operators is not constrained by the underlying verification mechanism, enabling the generation of more diverse and complex MBA expressions compared to prior tools.

Comparative Analysis and Numerical Results

Comprehensive experiments evaluated Scrambler against the state-of-the-art MBA Obfuscator [mbaobfsucator], Loki [loki], and NeuReduce [neureduce] across multiple metrics: AST size, variable count, constant count, operator count, MBA alternation, and entropy. Results exhibited marked superiority in structural complexity for expressions generated by Scrambler, with average AST sizes exceeding those from all competing tools by several orders of magnitude (Scrambler: 34,786.77 vs. Loki: 216.17, MBA Obfuscator: 235.22, NeuReduce: 23.85 for obfuscated variants). MBA alternation—a proxy for obfuscation complexity—also showed a substantial increase (Scrambler: 6,387.58 vs. MBA Obfuscator: 31.83).

These numerical outcomes underscore Scrambler's capability to systematically synthesize highly obfuscated expressions without compromising semantic equivalence or incurring substantial verification overhead. Unlike prior approaches, Scrambler's complexity scales with rule and node limits, rather than being bounded by truth table or operator restrictions.

Implications and Future Directions

The practical implication of Scrambler is twofold: it materially enhances the resilience of software against reverse engineering by maximizing obfuscation complexity, and it sets a new paradigm for obfuscation tool verification by embedding semantic correctness within the expansion process itself. This intrinsic verification alleviates the computational bottlenecks of SMT solvers, which become prohibitive for large expressions.

Theoretically, the success of e-graph-driven obfuscation prompts reconsideration of equivalence-preserving transformation frameworks for other forms of code obfuscation, deobfuscation, and optimization. It also suggests that advances in rule synthesis, automated correctness checking, and scalable e-graph traversal could further expand the boundaries of feasible MBA expression generation.

Future developments may focus on automated rule validation to prevent semantic errors, dynamic operator set adaptation, integration with program synthesis pipelines, and cross-domain applications in malware analysis and cryptographic software protection. Additionally, optimizing memory consumption and traversal strategies in ultra-large e-graphs remains a key area for enhancement.

Conclusion

Scrambler represents a robust advancement in MBA obfuscation methodology, leveraging e-graphs and equality expansion to synthesize semantically equivalent but structurally intricate expressions, outperforming existing tools in complexity and efficiency. By embedding correctness guarantees and eliminating reliance on external verification, Scrambler opens new avenues for scalable, expressive, and resilient software obfuscation. Critical future work includes rigorous rule validation and further optimizing expansion algorithms for large-scale deployments.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We're still in the process of identifying open problems mentioned in this paper. Please check back in a few minutes.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 18 likes about this paper.