Extractable Functions
Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen
Largest Known Prime
2^57,885,161 − 1
Electronic Frontier Foundation offers $250,000 prize for a prime with at least a billion digits
“The first number larger than that is not divisible by any number other than 1 and itself”
Knowledge
Algorithm
Knowledge
Polynomial Time Extraction Procedure
Proofs of Knowledge
๐ ๐๐ฅโโ
Witness Extraction Hide the Witness
Secrecy : Zero-Knowledge \ Witness indistinguishability
Goal: Extract knowledge that is not publicly available
CCA Encryption
๐ด๐๐พ๐ธ๐๐ (๐)
๐
๐ท๐๐๐ธ๐๐ (๐ฅ)
x
Reduction To CPA
Extraction x
More Knowledge
Zero-knowledge Proofs, Signatures, Non-malleable Commitments, Multi-party Computation, Obfuscation, …
A Reduction
Extraction x
How to Extract?
Algorithm
Knowledge
Extraction?
Extraction by Interaction
Or : Black-Box Extraction
Adversary Extraction
Public Parameters
Out of Reach Applications
๐ ๐๐ ๐
3-Message Zero-Knowledge
2-Message Succinct Argument (SNARG)
Out of Reach Applications
๐ ๐๐ ๐
[Goldreich-Krawczyk][Gentry-Wichs]
Black-Box Security Proof is Impossible
Knowledge of Exponent
Adversary๐ , h๐๐ฅ , h๐ฅ
x Extraction
[Damgård 92]
Non-Black-Box
Extraction
Applications of KEA
3-Message Zero-Knowledge
2-Message Succinct Argument (SNARG)
Knowledge of Exponent Assumption* (KEA)
*and variants
[HT98,BP04,Mie08,G10,L12,BCCT13,GGPR13,BCIOP13]
Extractable Functions
Adversary๐โ$
๐ ๐(๐ฅ)๐ฅ Extraction
A family of functions is extractable if:
[Canetti-Dakdouk 08]
Remarks on EF
• KEA is an example for EF.
• We want EF that are also one-way.
• The image of should be sparse.
Adversary
๐โ$
๐ ๐(๐ฅ)๐ฅ Extraction
OWF, CRHF
Applications of EF
3-Message Zero-Knowledge
2-Message Succinct Argument (Privately Verifiable)
Knowledge of Exponent
Extractable One-Way Functions (EOWF)
Extractable Collision-Resistant Hash Functions (ECRH)
[BCCT12,GLR12,DFH12]
What is missing?
• Clean assumptions
• Candidates
• Strong applications
A Reduction Using EF
A Reduction
E x
Assuming:
๐โ$
๐ ๐(๐ฅ)
Do Extractable One-Way
Functions with an Explicit Extractor
Exist?
It depends on the Auxiliary Input.
Example: Zero-Knowledge
๐ ๐๐ฅโโ๐๐ ๐ (๐ก )
x
Auxiliary input
Definition of EF with A.I.
For every and auxiliary input there exist and auxiliary input such that for every auxiliary input :
Types of A.I.
For every and auxiliary input there exist and auxiliary input such that for every auxiliary input :
Individual \ Common
Bounded \ Unbounded
What type of A.I.
do we need?
Example: Zero-Knowledge
Zero-Knowledge: For every there exists a simulator such that for every ,
For need bounded A.I.
For sequential composition need unbounded A.I.
What you get from individual A.I.: For every and every there exists a simulator such that
Possible    Impossible    Open
EOWF* with bounded A.I.:    EOWF with unbounded common A.I.:
Subexp-LWE    Indistinguishability Obfuscation
Explicit Extractor
Delegation for P from Subexp-PIR [Kalai-Raz-Rothblum13]
Generalized EOWF
EOWF* = Privately-Verifiable Generalized EOWF
1. EOWF* suffices for applications of EOWF.
2. The impossibility result holds also for EOWF*.
3. Can remove * assuming publicly-verifiable delegation for P (P-certificates)
Application
3-Message Zero-Knowledge
EOWF
3-Message Zero-Knowledge
For verifiers w. bounded A.I.
EOWF with bounded A.I.
EOWF* with bounded A.I.
โ
โโ
[BCCGLRT13]
Construction
Survey
Impossibility
Construction
EOWF* with Bounded A.I. from Privately-Verifiable Delegation for P
EOWF with Bounded A.I. from Publicly-Verifiable Delegation for P
First Attempt
• OWF
• Extraction from (no restriction on space or running time)
• Single function - No key (impossible for unbounded A.I.)
First Attempt
๐ (๐ , ๐ )=ยฟ
๐ ,๐ โ {0 ,1 }๐ , PRG: {0 ,1 }๐โ {0 ,1 }๐
First Attempt
๐ (๐ , ๐ )={PRG (๐ ) if ๐โ 0๐
๐ (1๐ ) if ๐=0๐
๐ ,๐ โ {0 ,1 }๐ , PRG: {0 ,1 }๐โ {0 ,1 }๐
Interpret as a program outputting bits
Extraction
๐ด (1๐)โ ๐ฆ
๐ (๐ , ๐ )={PRG (๐ ) if ๐โ 0๐
๐ (1๐ ) if ๐=0๐
๐ธ (1๐ )โ0๐ , ๐ด
๐ (0๐ ,๐ด )=๐ด (1๐)=๐ฆ
()
One-Wayness
๐ (๐ , ๐ )={PRG (๐ ) if ๐โ 0๐
๐ (1๐ ) if ๐=0๐
1. The image of is sparse
Problem
is not poly-time computable!
๐ (๐ , ๐ )={๐ ๐ ๐บ๐ (๐ ) if ๐โ 0๐
๐ (1๐) if ๐=0๐
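The first attempt and its extractor as a toy model. This is an added example, not code from the talk: the names `i` and `s`, the byte-code VM, the 16-byte parameter and the SHAKE-256 stand-in for the PRG are assumptions, since the slide's symbols did not survive extraction. The extractor never queries the adversary; it outputs the adversary's own code as the preimage.

```python
import hashlib

N = 16  # toy parameter n, counted in bytes (assumption)

def prg(s: bytes) -> bytes:
    """Stand-in length-doubling PRG, N -> 2N bytes (SHAKE-256, toy only)."""
    return hashlib.shake_256(b"prg" + s).digest(2 * N)

def run(program: bytes) -> bytes:
    """Interpret `program` as code for a tiny VM and return its 2N-byte output.

    Byte pairs (op, arg): op 0 appends arg to the output; op 1 rehashes the
    output arg times; any other op is a no-op. Unlike the unrestricted
    programs on the slide, every program here halts quickly.
    """
    out = b""
    for op, arg in zip(program[0::2], program[1::2]):
        if op == 0:
            out += bytes([arg])
        elif op == 1:
            for _ in range(arg):
                out = hashlib.shake_256(out).digest(2 * N)
    return out.ljust(2 * N, b"\0")[: 2 * N]

def f(i: bytes, s: bytes) -> bytes:
    """First attempt: PRG(s) if i != 0^n, otherwise run s as a program."""
    if len(i) != N or len(s) != N:
        raise ValueError("i and s must be N bytes each")
    return run(s) if i == bytes(N) else prg(s)

def extractor(adversary_code: bytes):
    """Non-black-box extraction: the preimage is the adversary's own code."""
    if len(adversary_code) > N or len(adversary_code) % 2:
        raise ValueError("adversary description must fit in N bytes, even length")
    return bytes(N), adversary_code.ljust(N, b"\xff")  # pad with no-op pairs

# Constructed adversary: emits two bytes, then rehashes its output 200 times.
ADVERSARY = bytes([0, 7, 0, 42, 1, 200])

def demo():
    y = run(ADVERSARY)            # the image the adversary outputs
    i, s = extractor(ADVERSARY)   # the extractor reads the code, never runs it
    return y, f(i, s)
```

The length check in `extractor` is where the toy model needs the adversary's description to be short; a description longer than `N` bytes has no slot in the input of `f`.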
Solution: Delegation for P (following the protocols of [B01,BLV03])
Delegation for P
๐ ๐Gen ($ )โ๐
poly (๐๐ ) polylog (๐๐ )<๐
๐ :๐ (1๐)โ ๐ฆ
Final Construction ๐ (๐ , ๐ ,๐ , ๐ฆโ ,๐ โ ,๐โ)
๐=0๐๐โ 0๐
Output:
If is a valid proof for under Output:
Extraction
๐ด (1๐)โ(๐ฆ ,๐ )
When is a proof that under ๐ธ (1๐ )โ(0๐ ,๐ด ,๐ , ๐ฆ ,๐ ,๐โ)
๐
One-Wayness
1. The image of is sparse
2. Soundness of delegation
Generalized EOWF
๐ ( ๐ (๐ฅ ) ,๐ฅ โฒ )
Hardness: For a random it is hard to find
Extraction: For every there exists such that
Privately-Verifiable GEOWF: Can efficiently test only given
Impossibility
Assuming indistinguishability obfuscation,
there is no EOWF with unbounded common auxiliary input
Intuition
Adversary ๐๐ ๐ (๐ฅ )๐ฅ Adversary
Non-Black-Box Extractor
Common A.I Universal Extractor
There exists s.t. for every and :
Plan
1. Assuming virtual black-box obfuscation [Goldreich, Hada-Tanaka]
2. Assuming indistinguishability obfuscation
Common A.I.
๐ด๐ ,๐ง
๐ ๐(๐ฅ)
x E
Universal Extraction
๐ ๐(๐ฅ)
x Universal Extractor
๐ ,๐ง=ยฟ๐ด
Universal Adversary๐ด๐
Black-Box Extraction
๐ ๐(๐ฅ)
x Universal Extractor
๐ ,๐ง=ยฟ๐ด
Universal Adversary๐ ๐ด
Black-box obfuscation
Black-Box Extraction
Black-Box Extractor
๐Adversary๐ฅ๐=๐๐ ๐น ๐ (๐) ๐ ๐(๐ฅ๐)
๐ฅ๐ Adversary๐ฅ๐=๐๐
Indistinguishability Obfuscation
C1 ≡ C2
Compute the same function
Indistinguishability Obfuscation
Extractor
๐Adversary๐ฅ๐=๐๐ ๐น ๐ (๐) ๐ ๐(๐ฅ๐)
๐ฅ๐
Prove that the obfuscation hides
Indistinguishability Obfuscation
Extractor
๐ ๐ฅ๐=๐๐ ๐น ๐ (๐) ๐ ๐(๐ฅ๐)๐ฅ๐
Extractor
๐ ๐ ๐(๐ฅ๐)๐ฅ๐
โ
hides Alternative adversary
Alternative Adversary Using the Sahai-Waters puncturing technique
๐๐ ๐น ๐ ๐ ๐
๐ ๐ ๐(๐ฅ๐)
Indistinguishability Obfuscation
Extractor
๐ ๐ ๐(๐ฅ๐)๐ฅ๐
hides
Back to the Construction?
Possible    Impossible    Open
EOWF with unbounded individual A.I.
Extractable CRHF \ COM \ 1-to-1 OWF
Thank You