Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen.

Post on 16-Dec-2015

Transcript of Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen.

Extractable Functions

Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen

Largest Known Prime

2^{57,885,161} − 1

Electronic Frontier Foundation offers $250,000 prize for a prime with at least a billion digits

“The first number larger than that which is not divisible by any number other than 1 and itself”

Knowledge

(Diagram: an Algorithm that holds Knowledge; a Polynomial-Time Extraction Procedure recovers that Knowledge)

Proofs of Knowledge

(Diagram: P ↔ V on x ∈ L; Witness Extraction on one side, Hide the Witness on the other)

Secrecy: Zero-Knowledge \ Witness indistinguishability

Goal: Extract knowledge that is not publicly available

CCA Encryption

(Diagram: A gets PK and Enc(b) and outputs b; A also makes decryption queries Dec(Enc(x)) → x)

Reduction to CPA: Extraction of x

More Knowledge

Zero-knowledge Proofs, Signatures, Non-malleable Commitments, Multi-party Computation, Obfuscation, …

(Diagram: A → Reduction → Extraction of x)

How to Extract?

(Diagram: Algorithm with Knowledge → Extraction?)

Extraction by Interaction, or: Black-Box Extraction

(Diagram: Adversary ↔ Extraction, both given the Public Parameters)

Out of Reach Applications

(Diagram: P ↔ V) 3-Message Zero-Knowledge; 2-Message Succinct Argument (SNARG)

[Goldreich-Krawczyk] [Gentry-Wichs]: Black-Box Security Proof is Impossible

Knowledge of Exponent [Damgård 92]

(Diagram: Adversary gets g, h and outputs g^x, h^x; Extraction outputs x)

Non-Black-Box Extraction

Applications of KEA

3-Message Zero-Knowledge; 2-Message Succinct Argument (SNARG)

Knowledge of Exponent Assumption* (KEA) (*and variants) [HT98, BP04, Mie08, G10, L12, BCCT13, GGPR13, BCIOP13]

Extractable Functions [Canetti-Dakdouk 08]

(Diagram: Adversary gets k ←$ and outputs f_k(x); Extraction outputs x)

A family of functions is extractable if:

Remarks on EF

• KEA is an example of EF.

• We want EF that are also one-way.

• The image of f_k should be sparse.

(Diagram: Adversary gets k ←$ and outputs f_k(x); Extraction outputs x)

OWF, CRHF

Applications of EF

3-Message Zero-Knowledge

2-Message Succinct Argument (Privately Verifiable)

Knowledge of Exponent

Extractable One-Way Functions (EOWF)

Extractable Collision-Resistant Hash Functions (ECRH)

[BCCT12, GLR12, DFH12]

What is missing?

• Clean assumptions

• Candidates

• Strong applications

A Reduction Using EF

(Diagram: A → Reduction → E outputs x)

Assuming: A, given k ←$, outputs f_k(x)

Do Extractable One-Way Functions with an Explicit Extractor Exist?

It depends on the Auxiliary Input.

Example: Zero-Knowledge

(Diagram: P ↔ V on x ∈ L; messages k and f_k(t); V holds an auxiliary input)

Definition of EF with A.I.

For every and auxiliary input there exist and auxiliary input such that for every auxiliary input :

Types of A.I.

For every and auxiliary input there exist and auxiliary input such that for every auxiliary input :

Individual \ Common; Bounded \ Unbounded

What type of A.I. do we need?

Example: Zero-Knowledge

Zero-Knowledge: For every there exists a simulator such that for every ,

For need bounded A.I.

For sequential composition need unbounded A.I.

What you get from individual A.I.: For every and every there exists a simulator such that

Possible \ Impossible \ Open

Possible: EOWF* with bounded A.I. (Explicit Extractor), from Subexp-LWE via Delegation for P from Subexp-PIR [Kalai-Raz-Rothblum13]

Impossible: EOWF with unbounded common A.I., assuming Indistinguishability Obfuscation

Generalized EOWF

EOWF* = Privately-Verifiable Generalized EOWF

1. EOWF* suffices for applications of EOWF.

2. The impossibility result holds also for EOWF*.

3. Can remove * assuming publicly-verifiable delegation for P (P-certificates).

Application: 3-Message Zero-Knowledge from EOWF [BCCGLRT13]

3-Message Zero-Knowledge for verifiers with bounded A.I., from EOWF with bounded A.I. or from EOWF* with bounded A.I.

Outline: Construction, Survey, Impossibility

Construction

EOWF* with Bounded A.I. from Privately-Verifiable Delegation for P

EOWF with Bounded A.I. from Publicly-Verifiable Delegation for P

First Attempt

• OWF

• Extraction from (no restriction on space or running time)

• Single function - no key (impossible for unbounded A.I.)

First Attempt

$$f(i, s) = \begin{cases} \mathrm{PRG}(s) & \text{if } i \neq 0^n \\ s(1^n) & \text{if } i = 0^n \end{cases}$$

$i, s \in \{0,1\}^n$, $\mathrm{PRG}: \{0,1\}^n \to \{0,1\}^n$

Interpret $s$ as a program outputting bits

Extraction

$A(1^n) \to y$

$$f(i, s) = \begin{cases} \mathrm{PRG}(s) & \text{if } i \neq 0^n \\ s(1^n) & \text{if } i = 0^n \end{cases}$$

$E(1^n) \to (0^n, A)$

$f(0^n, A) = A(1^n) = y$

One-Wayness

$$f(i, s) = \begin{cases} \mathrm{PRG}(s) & \text{if } i \neq 0^n \\ s(1^n) & \text{if } i = 0^n \end{cases}$$

1. The image of is sparse

Problem

$f$ is not poly-time computable!

$$f(i, s) = \begin{cases} \mathrm{PRG}(s) & \text{if } i \neq 0^n \\ s(1^n) & \text{if } i = 0^n \end{cases}$$

Solution: Delegation for P (following the protocols of [B01, BLV03])
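The "first attempt" function above, its non-black-box extractor, and the running-time problem, as an added toy example in Python (not code from the talk or the paper). Assumptions: n is 16 bytes rather than bits, s is not cut to n bits so that a program fits in it, the PRG is a truncated hash, and the step budget in run_program is a demo aid that the real f does not have.

```python
import hashlib
import sys

N = 16             # toy security parameter n (constructed); 0^n and 1^n are N-byte strings
ZERO_N = bytes(N)  # the special index 0^n
ONE_N = b"\x01" * N

def prg(s: bytes) -> bytes:
    # Stand-in for the PRG: a hash of the seed (assumed pseudorandom for this demo)
    return hashlib.sha256(b"prg|" + s).digest()[:N]

def run_program(s: bytes, step_budget: int) -> bytes:
    """Interpret the string s as a program (Python source defining A) and run A(1^n).
    The step budget is a demo addition: the slide's f has no such bound, which is
    exactly why it is not poly-time computable (s may run for any length of time)."""
    steps = 0
    def tracer(frame, event, arg):
        nonlocal steps
        steps += 1
        if steps > step_budget:
            raise TimeoutError("program exceeded the step budget")
        return tracer
    namespace = {}
    sys.settrace(tracer)
    try:
        exec(s.decode(), namespace)
        return bytes(namespace["A"](ONE_N))
    finally:
        sys.settrace(None)

def f(i: bytes, s: bytes, step_budget: int = 10_000) -> bytes:
    # f(i, s) = PRG(s) if i != 0^n, and s(1^n) (s read as a program) if i == 0^n
    if i != ZERO_N:
        return prg(s)
    return run_program(s, step_budget)

def extract(adversary_src: bytes) -> tuple:
    # Non-black-box extractor E: given the adversary's code, output the preimage (0^n, <A>)
    # without running A; f(0^n, <A>) = A(1^n) = y holds by construction.
    return ZERO_N, adversary_src

def extraction_succeeds(adversary_src: bytes) -> bool:
    # Check f(E(A)) == A(1^n): the extracted preimage explains the adversary's output y.
    y = run_program(adversary_src, 10_000)
    i, s = extract(adversary_src)
    return f(i, s) == y

def exceeds_budget(program_src: bytes, step_budget: int) -> bool:
    # True if evaluating f(0^n, program) does not finish within step_budget trace events
    try:
        f(ZERO_N, program_src, step_budget)
    except TimeoutError:
        return True
    return False

# Constructed adversary: a program whose output y is the byte "y" repeated n times
HONEST_ADVERSARY = b"def A(one_n):\n    return b'y' * len(one_n)\n"
# Constructed non-terminating program: exposes the running-time problem of this f
LOOPING_PROGRAM = b"def A(one_n):\n    i = 0\n    while True:\n        i += 1\n"
```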

Delegation for P

(Diagram: P ↔ V; Gen($) → σ; P runs in poly(T_M), V in polylog(T_M) < n; π: M(1^n) → y)

Final Construction

$f(i, s, r, y^*, \sigma^*, \pi^*)$

Case $i \neq 0^n$: Output:

Case $i = 0^n$: If $\pi^*$ is a valid proof for under $\sigma^*$, Output:

Extraction

$A(1^n) \to (y, \sigma)$

When $\pi^*$ is a proof that under $\sigma$:

$E(1^n) \to (0^n, A, r, y, \sigma, \pi^*)$

$f$

One-Wayness

1. The image of is sparse

2. Soundness of delegation

Generalized EOWF

$R(f(x), x')$

Hardness: For a random it is hard to find

Extraction: For every there exists such that

Privately-Verifiable GEOWF: Can efficiently test only given

Impossibility

Assuming indistinguishability obfuscation, there is no EOWF with unbounded common auxiliary input.

Intuition

(Diagram: Adversary gets k and outputs f_k(x); a Non-Black-Box Extractor outputs x)

Common A.I. ⇒ Universal Extractor: There exists s.t. for every and :

Plan

1. Assuming virtual black-box obfuscation [Goldreich, Hada-Tanaka]

2. Assuming indistinguishability obfuscation

Common A.I.

(Diagram: A gets k, z and outputs f_k(x); E outputs x)

Universal Extraction

(Diagram: the Universal Extractor gets f_k(x) and k, z = A and outputs x; Universal Adversary A_k)

Black-Box Extraction

(Diagram: the Universal Extractor gets f_k(x) and k, z = A and outputs x; the Universal Adversary gets k and A)

Black-box obfuscation

Black-Box Extraction

(Diagram: the Black-Box Extractor gets k; the Adversary computes x_k = PRF_s(k) and outputs f_k(x_k); the extractor outputs x_k. Compared with an Adversary using x_k = U_n)

Indistinguishability Obfuscation

C_1 ≡ C_2: compute the same function

Indistinguishability Obfuscation

(Diagram: the Extractor gets k; the Adversary computes x_k = PRF_s(k) and outputs f_k(x_k); the extractor outputs x_k)

Prove that the obfuscation hides

(Diagram: the Extractor gets k, x_k = PRF_s(k), f_k(x_k), and outputs x_k; Alternative adversary)

Alternative Adversary: Using the Sahai-Waters puncturing technique (PRF_s, f_k; on k, output f_k(x_k))

Indistinguishability Obfuscation

(Diagram: the Extractor gets k and f_k(x_k) and outputs x_k; the obfuscation hides)

Back to the Construction?

Possible \ Impossible \ Open

Open: EOWF with unbounded individual A.I.; Extractable CRHF \ COM \ 1-to-1 OWF

Thank You