Extractable Functions
Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen
Largest Known Prime
257,885,161 β 1
Electronic Frontier Foundation offers $250,000 prize for a prime with at least a billion
digits
βThe first number larger then that is not divisible by any number other than 1 and itselfβ
Knowledge
Algorithm
Knowledge
Polynomial TimeExtraction Procedure
Proofs of Knowledge
π ππ₯ββ
Witness Extraction Hide the Witness
Secrecy : Zero-Knowledge \ Witness indistinguishability
Goal: Extract knowledge that is not publicly available
CCA Encryption
π΄ππΎπΈππ (π)
π
π·πππΈππ (π₯)
π₯
ReductionTo CPA
Extractionπ₯
More Knowledge
Zero-knowledge Proofs, Signatures, Non-malleable Commitments, Multi-party Computation, Obfuscation,β¦
π΄Reduction
Extractionπ₯
How to Extract?
Algorithm
Knowledge
Extraction?
Extraction by Interaction
Or : Black-Box Extraction
Adversary Extraction
Public Parameters
Out of Reach Applications
π ππ π
3-MessageZero-Knowledge
2-MessageSuccinct Argument
(SNARG)
Out of Reach Applications
π ππ π
[Goldreich-Krawczyk][Gentry-Wichs]
Black-Box Security Proof is Impossible
Knowledge of Exponent
Adversaryπ , h
ππ₯ , hπ₯π₯ Extraction
[DamgΓ₯rd 92]
Non-Black-Box
Extraction
Applications of KEA
3-MessageZero-Knowledge
2-MessageSuccinct Argument
(SNARG)
Knowledge of Exponent Assumption* (KEA) *and
variants
[HT98,BP04,Mie08,G10,L12,BCCT13,GGPR13,BCIOP13]
Extractable Functions
Adversaryπβ$
π π(π₯)π₯ Extraction
A family of function is extractable if:
[Canetti-Dakdouk 08]
Remarks on EF
β’ KEA is an example for EF.
β’ We want EF that are also one-
way.β’ The image of should be
sparse.Adversary
πβ$
π π(π₯)π₯ Extraction
OWF, CRHF
Applications of EF
3-MessageZero-Knowledge
2-MessageSuccinct Argument(Privately Verifiable)
Knowledge of Exponent
Extractable One-Way Functions (EOWF)
Extractable Collision-Resistant Hash Functions (ECRH)
[BCCT12,GLR12,DFH12]
What is missing?
β’ Clean assumptions
β’ Candidates
β’ Strong applications
A Reduction Using EF
π΄Reduction
πΈπ₯
Assuming:
πβ$
π π(π₯)
Do Extractable One-
Way Functions with an Explicit Extractor
Exist?
It depends on the Auxiliary Input.
Example: Zero-Knowledge
π ππ₯ββππ π (π‘ )
π₯
Auxiliary input
Definition of EF with A.I.
For every and auxiliary inputthere exist and auxiliary inputsuch that for every auxiliary input :
Types of A.I.For every and auxiliary inputthere exist and auxiliary inputsuch that for every auxiliary input :
Individual \ CommonBounded \ Unbounded
What type of A.I.
do we need?
Example: Zero-KnowledgeZero-Knowledge:For every there exists a simulator such that for every , For need bounded A.I.For sequential composition need unbounded A.I. What you get from individual A.I.:For every and every there exists a simulator such that
PossibleImpossible Open
EOWF* with bounded A.I.:EOWF with unbounded common A.I.:
Subexp-LWEIndistinguishability Obfuscation
Explicit ExtractorDelegation for P from Subexp-PIR[Kalai-Raz-Rothblum13]
Generalized EOWF
EOWF* = Privately-Verifiable Generalized EOWF1. EOWF* suffices for applications of EOWF.2. The impossibility results holds also for EOWF* 3. Can remove * assuming publicly-verifiable delegation for P (P-certificates)
Application
3-Message Zero-KnowledgeEOWF
3-Message Zero-Knowledge
For verifiers w. bounded A.I .
EOWF withbounded
A.I.
EOWF* withbounded
A.I.
β
β
β
[BCCGLRT13]
Construction
Survey
Impossibility
Construction
EOWF* with Bounded A.I fromPrivately-Verifiable Delegation for P
EOWF with Bounded A.I fromPublicly-Verifiable Delegation for P
First Attempt
β’ OWF
β’ Extraction from (no restriction on space or running time)
β’ Single function - No key (impossible for unbounded A.I)
First Attempt
π (π , π )=ΒΏ
π ,π β {0 ,1 }π , PRG: {0 ,1 }πβ {0 ,1 }π
First Attempt
π (π , π )={PRG (π ) if πβ 0π
π (1π ) if π=0π
π ,π β {0 ,1 }π , PRG: {0 ,1 }πβ {0 ,1 }π
Interpert as a program outputting bits
Extraction
π΄ (1π)β π¦
π (π , π )={PRG (π ) if πβ 0π
π (1π ) if π=0π
πΈ (1π )β0π , π΄
π (0π ,π΄ )=π΄ (1π)=π¦
()
One-Wayness
π (π , π )={PRG (π ) if πβ 0π
π (1π ) if π=0π
1. The image of is sparse
Problem
is not poly-time computable!
π (π , π )={π π πΊπ (π ) if πβ 0π
π (1π) if π=0π
Solution: Delegation for P(following the protocols of
[B01,BLV03])
Delegation for P
π πGen ($ )βπ
poly (ππ ) polylog (ππ )<π
π :π (1π)β π¦
Final Construction
π (π , π ,π , π¦β ,π β ,πβ)
π=0ππβ 0π
Output:
If is a valid proof for under Output:
Extraction
π΄ (1π)β(π¦ ,π )
When is a proof that under
πΈ (1π )β(0π ,π΄ ,π , π¦ ,π ,πβ)
π
One-Wayness
1. The image of is sparse
2. Soundness of delegation
Generalized EOWFπ ( π (π₯ ) ,π₯ β² )Hardness: For a random it is hard to find
Extraction:For every there exists such that
Privately-Verifiable GEOWF:Can efficiently test only given
Impossibility
Assuming indistinguishability obfuscation,
there is not EOWF with unbounded common auxiliary input
Intuition
Adversary ππ π (π₯ )π₯ AdversaryNon-Black-
Box Extractor
Common A.I Universal ExtractorThere exists s.t. for every and :
Plan
1. Assuming virtual black-box obfuscation [Goldreich, Hada-Tanaka]
2. Assuming indistinguishability obfuscation
Common A.I.
π΄π ,π§
π π(π₯)
π₯πΈ
Universal Extraction
π π(π₯)
π₯Universa
l Extracto
r
π ,π§=ΒΏπ΄
Universal Adversaryπ΄π
Black-Box Extraction
π π(π₯)
π₯Universa
l Extracto
r
π ,π§=ΒΏπ΄
Universal Adversaryπ π΄
Black-box obfuscation
Black-Box Extraction
Black-Box Extractor
πAdversary
π₯π=ππ πΉ π (π) π π(π₯π)π₯π
Adversary
π₯π=ππ
Indistinguishability Obfuscation
πΆ1πΆ2 β‘
Compute the same function
Indistinguishability Obfuscation
Extractor
πAdversary
π₯π=ππ πΉ π (π) π π(π₯π)π₯π
Prove that the obfuscation hides
Indistinguishability Obfuscation
Extractor
π π₯π=ππ πΉ π (π) π π(π₯π)π₯π
Extractor
π π π(π₯π)π₯π
β
hides Alternative adversary
Alternative Adversary Using the Sahai-Waters puncturing technique
ππ πΉ π π π
π π π(π₯π)
Indistinguishability Obfuscation
Extractor
π π π(π₯π)π₯π
hides
Back to the Construction?
PossibleImpossible Open
EOWF withunbounded individual A.I. Extractable CRHF\COM\1-to-1 OWF
Thank You
Top Related