Extractable Functions

Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen

Largest Known Prime

257,885,161 − 1

Electronic Frontier Foundation offers $250,000 prize for a prime with at least a billion

digits

“The first number larger then that is not divisible by any number other than 1 and itself”

Knowledge

Algorithm

Knowledge

Polynomial TimeExtraction Procedure

Proofs of Knowledge

𝑃 𝑉𝑥∈ℒ

Witness Extraction Hide the Witness

Secrecy : Zero-Knowledge \ Witness indistinguishability

Goal: Extract knowledge that is not publicly available

CCA Encryption

𝐴𝑃𝐾𝐸𝑛𝑐 (𝑏)

𝑏

𝐷𝑒𝑐𝐸𝑛𝑐 (𝑥)

𝑥

ReductionTo CPA

Extraction𝑥

More Knowledge

Zero-knowledge Proofs, Signatures, Non-malleable Commitments, Multi-party Computation, Obfuscation,…

𝐴Reduction

Extraction𝑥

How to Extract?

Algorithm

Knowledge

Extraction?

Extraction by Interaction

Or : Black-Box Extraction

Adversary Extraction

Public Parameters

Out of Reach Applications

𝑃 𝑉𝑃 𝑉

3-MessageZero-Knowledge

2-MessageSuccinct Argument

(SNARG)

Out of Reach Applications

𝑃 𝑉𝑃 𝑉

[Goldreich-Krawczyk][Gentry-Wichs]

Black-Box Security Proof is Impossible

Knowledge of Exponent

Adversary𝑔 , h

𝑔𝑥 , h𝑥𝑥 Extraction

[Damgård 92]

Non-Black-Box

Extraction

Applications of KEA

3-MessageZero-Knowledge

2-MessageSuccinct Argument

(SNARG)

Knowledge of Exponent Assumption* (KEA) *and

variants

[HT98,BP04,Mie08,G10,L12,BCCT13,GGPR13,BCIOP13]

Extractable Functions

Adversary𝑘←$

𝑓 𝑘(𝑥)𝑥 Extraction

A family of function is extractable if:

[Canetti-Dakdouk 08]

Remarks on EF

• KEA is an example for EF.

• We want EF that are also one-

way.• The image of should be

sparse.Adversary

𝑘←$

𝑓 𝑘(𝑥)𝑥 Extraction

OWF, CRHF

Applications of EF

3-MessageZero-Knowledge

2-MessageSuccinct Argument(Privately Verifiable)

Knowledge of Exponent

Extractable One-Way Functions (EOWF)

Extractable Collision-Resistant Hash Functions (ECRH)

[BCCT12,GLR12,DFH12]

What is missing?

• Clean assumptions

• Candidates

• Strong applications

A Reduction Using EF

𝐴Reduction

𝐸𝑥

Assuming:

𝑘←$

𝑓 𝑘(𝑥)

Do Extractable One-

Way Functions with an Explicit Extractor

Exist?

It depends on the Auxiliary Input.

Example: Zero-Knowledge

𝑃 𝑉𝑥∈ℒ𝑘𝑓 𝑘 (𝑡 )

𝑥

Auxiliary input

Definition of EF with A.I.

For every and auxiliary inputthere exist and auxiliary inputsuch that for every auxiliary input :

Types of A.I.For every and auxiliary inputthere exist and auxiliary inputsuch that for every auxiliary input :

Individual \ CommonBounded \ Unbounded

What type of A.I.

do we need?

Example: Zero-KnowledgeZero-Knowledge:For every there exists a simulator such that for every , For need bounded A.I.For sequential composition need unbounded A.I. What you get from individual A.I.:For every and every there exists a simulator such that

PossibleImpossible Open

EOWF* with bounded A.I.:EOWF with unbounded common A.I.:

Subexp-LWEIndistinguishability Obfuscation

Explicit ExtractorDelegation for P from Subexp-PIR[Kalai-Raz-Rothblum13]

Generalized EOWF

EOWF* = Privately-Verifiable Generalized EOWF1. EOWF* suffices for applications of EOWF.2. The impossibility results holds also for EOWF* 3. Can remove * assuming publicly-verifiable delegation for P (P-certificates)

Application

3-Message Zero-KnowledgeEOWF

3-Message Zero-Knowledge

For verifiers w. bounded A.I .

EOWF withbounded

A.I.

EOWF* withbounded

A.I.

⇒

⇒

⇒

[BCCGLRT13]

Construction

Survey

Impossibility

Construction

EOWF* with Bounded A.I fromPrivately-Verifiable Delegation for P

EOWF with Bounded A.I fromPublicly-Verifiable Delegation for P

First Attempt

• OWF

• Extraction from (no restriction on space or running time)

• Single function - No key (impossible for unbounded A.I)

First Attempt

𝑓 (𝑖 , 𝑠)=¿

𝑖 ,𝑠∈ {0 ,1 }𝑛 , PRG: {0 ,1 }𝑛→ {0 ,1 }𝑛

First Attempt

𝑓 (𝑖 , 𝑠)={PRG (𝑠)     if    𝑖≠0𝑛

𝑠 (1𝑛 ) if 𝑖=0𝑛

𝑖 ,𝑠∈ {0 ,1 }𝑛 , PRG: {0 ,1 }𝑛→ {0 ,1 }𝑛

Interpert as a program outputting bits

Extraction

𝐴 (1𝑛)→ 𝑦

𝑓 (𝑖 , 𝑠)={PRG (𝑠 )     if    𝑖≠0𝑛

𝑠 (1𝑛 ) if 𝑖=0𝑛

𝐸 (1𝑛 )→0𝑛 , 𝐴

𝑓 (0𝑛 ,𝐴 )=𝐴 (1𝑛)=𝑦

()

One-Wayness

𝑓 (𝑖 , 𝑠)={PRG (𝑠 )     if    𝑖≠0𝑛

𝑠 (1𝑛 ) if 𝑖=0𝑛

1. The image of is sparse

Problem

is not poly-time computable!

𝑓 (𝑖 , 𝑠)={𝑃 𝑅𝐺𝑠 (𝑠 )     if    𝑖≠0𝑛

𝑠 (1𝑛) if 𝑖=0𝑛

Solution: Delegation for P(following the protocols of

[B01,BLV03])

Delegation for P

𝑃 𝑉Gen ($ )→𝜎

poly (𝑇𝑀 ) polylog (𝑇𝑀 )<𝑛

𝜋 :𝑀 (1𝑛)→ 𝑦

Final Construction

𝑓 (𝑖 , 𝑠 ,𝑟 , 𝑦∗ ,𝜎 ∗ ,𝜋∗)

𝑖=0𝑛𝑖≠0𝑛

Output:

If is a valid proof for under Output:

Extraction

𝐴 (1𝑛)→(𝑦 ,𝜎 )

When is a proof that under

𝐸 (1𝑛 )→(0𝑛 ,𝐴 ,𝑟 , 𝑦 ,𝜎 ,𝜋∗)

𝑓

One-Wayness

1. The image of is sparse

2. Soundness of delegation

Generalized EOWF𝑅 ( 𝑓 (𝑥 ) ,𝑥 ′ )Hardness: For a random it is hard to find

Extraction:For every there exists such that

Privately-Verifiable GEOWF:Can efficiently test only given

Impossibility

Assuming indistinguishability obfuscation,

there is not EOWF with unbounded common auxiliary input

Intuition

Adversary 𝑘𝑓 𝑘 (𝑥 )𝑥 AdversaryNon-Black-

Box Extractor

Common A.I Universal ExtractorThere exists s.t. for every and :

Plan

1. Assuming virtual black-box obfuscation [Goldreich, Hada-Tanaka]

2. Assuming indistinguishability obfuscation

Common A.I.

𝐴𝑘 ,𝑧

𝑓 𝑘(𝑥)

𝑥𝐸

Universal Extraction

𝑓 𝑘(𝑥)

𝑥Universa

l Extracto

r

𝑘 ,𝑧=¿𝐴

Universal Adversary𝐴𝑘

Black-Box Extraction

𝑓 𝑘(𝑥)

𝑥Universa

l Extracto

r

𝑘 ,𝑧=¿𝐴

Universal Adversary𝑘 𝐴

Black-box obfuscation

Black-Box Extraction

Black-Box Extractor

𝑘Adversary

𝑥𝑘=𝑃𝑅𝐹 𝑠(𝑘) 𝑓 𝑘(𝑥𝑘)𝑥𝑘

Adversary

𝑥𝑘=𝑈𝑛

Indistinguishability Obfuscation

𝐶1𝐶2 ≡

Compute the same function

Indistinguishability Obfuscation

Extractor

𝑘Adversary

𝑥𝑘=𝑃𝑅𝐹 𝑠(𝑘) 𝑓 𝑘(𝑥𝑘)𝑥𝑘

Prove that the obfuscation hides

Indistinguishability Obfuscation

Extractor

𝑘 𝑥𝑘=𝑃𝑅𝐹 𝑠(𝑘) 𝑓 𝑘(𝑥𝑘)𝑥𝑘

Extractor

𝑘 𝑓 𝑘(𝑥𝑘)𝑥𝑘

≈

hides Alternative adversary

Alternative Adversary Using the Sahai-Waters puncturing technique

𝑃𝑅𝐹 𝑠 𝑓 𝑘

𝑘 𝑓 𝑘(𝑥𝑘)

Indistinguishability Obfuscation

Extractor

𝑘 𝑓 𝑘(𝑥𝑘)𝑥𝑘

hides

Back to the Construction?

PossibleImpossible Open

EOWF withunbounded individual A.I. Extractable CRHF\COM\1-to-1 OWF

Thank You