Download - Extractable Functions Fiction or Reality?
EXTRACTABLE FUNCTIONSFICTION OR REALITY?
Nir Bitansky (TAU) Ran Canetti (BU & TAU)
Omer Paneth (BU) Alon Rosen (IDC)
2
Knowledge is Elusive (assuming )
Knowing isnโt like knowing
Knowing isnโt like knowing
Knowing how to prove isnโt like knowing
3
ZK Proofs of KnowledgeGoldwasser-Micali-Rackoff, Feige-Shamir, Goldreich-Bellare
efficientextractor
๐ฑ๐ซโ
๐คโ๐น๐ณ(๐ฅ )
๐ฅ
๐๐๐๐๐๐ก
4
Effective Knowledge
=what can be
efficiently extractedfrom the adversary
5
Extraction is Essential to Cryptographic Analysis
Composition
Input Independence in MPC
ZK simulation (the trapdoor paradigm)
โฎ
โฎ
6
How is Knowledge Extracted?
7
The Black-Box Tradition (aka Rewinding)
extractor
๐ด
8
extractor
๐ด
reduction/simulator
Black-Box (Turing) Reductions/Simulators
9
Using The Adversaryโs Code
Aextractor
reduction/simulator
10
The Black-Box Barrier
Black-Box
SNARGs for NP(Succinct Non-Interactive Arguments)
Gentry-Wichs
3-ZKGoldreich-Krawczyk
O(1)-public-coin-ZKGoldreich-Krawczyk
most of cryptoas we know it!
Non-Black-Box
11
Beyond the Barrier
-round public-coin ZKwith
non-black-box simulation
Barak
12
Post Barak
SNARGs3-ZK
O(1)-public-coin-ZKBarak
resettably-sound-ZKBarak-Goldreich-Goldwasser-Lindell
simultaneously-resettable-ZKDeng-Goyal-Sahai
O(1)-covert-MPCGoyal-Jain
(uniform) O(1)-concurrent-ZKChung-Lin-Pass
interaction
โฆ
13
Knowledge Assumptionsand
Extractable Functions
14
Damgรฅrdโs Knowledge of Exponent Assumption
15
๐ด
Damgรฅrdโs Knowledge of Exponent Assumption
๐๐ฅ , h๐ฅ๐ , h๐ , hโ๐บโ
๐ฅ
16
๐h
๐2๐3โฆ
h2
h3
โฎ
is -sparse
17
๐ด
Damgรฅrdโs Knowledge of Exponent Assumption
efficientextractor ๐ฅ
๐๐ฅ , h๐ฅ๐ , h๐ , hโ๐บโ
๐ด
๐ฅ
18
Extractable FunctionsCanetti-Dakdouk
19
efficientextractor
๐
Extractable FunctionsCanetti-Dakdouk
๐ ๐(๐ฅ)
๐ฅ โฒ๐ ๐ (๐ฅโฒ )= ๐ ๐(๐ฅ)
OWFCRH
COM
๐ด
๐ด
21
Black-Box Extraction is Impossible
22
Black-Box Extraction is Impossible
efficientextractor
๐ด
black-box extractor must invert the one-way
๐ ๐ ๐(๐ฅ)
๐ โฒ ๐ ๐โฒ (๐๐ ๐น ๐ (๐
โฒ))
23
Extractable Functionsin Non-Interactive Applications
O(1)-concurrent ZK*assuming concurrent extraction
3-ZK
KEAEOWF
B-Canetti-Chiesa-Goldwasser-Lin-
Rubinstein-Tromer
Hada-Tanaka,Micali-Lepinski*,Bellare-Palacio
BCCGLRT
Canetti-Dakdouk Damgard
Gupta-Sahai
24
Extractable Functionsin Non-Interactive Applications
O(1)-concurrent ZK*assuming concurrent extraction
3-ZK
SNARKs (NP)
KEAEOWF ECRH
publicly verifiable
privatelyverifiable
Mie, DiCrescenzo
-Lipmaa*
Damgard BCCGLRT,Damgard-
Faust-Hazay
Groth,Lipmaa,B-Canetti-Chiesa-Tromer,Gennaro-Gentry-Parno-
Raykiova, B-Chiesa-Ishai-Ostrovsky-Paneth
BCCGLRT,DFH
25
Extractable Functionsin Non-Interactive Applications
O(1)-concurrent ZK*assuming concurrent extraction
3-ZK
SNARKs (NP)
KEAEOWF ECRH
publicly verifiable
privatelyverifiable
proof-carrying data
delegation
targeted-malleabilitysuccinct keysin functional
enc/sig
27
Example: 3-ZK
28
The Feige-Shamir Protocol
๐๐ขโ๐
๐๐ (๐ข)
๐ฅ ,๐ค ๐ฅ
witness-hidingproof of knowing
witness-indistinguishable proof of knowing
30
The Feige-Shamir Protocol
๐๐ขโ๐
๐๐ฅ ,๐ค ๐ฅ
witness-indistinguishable proof of knowing
``interactively-extractableโ
31
3-ZK from EOWFsB-Goldwasser-Canetti-Chiesa-Lin-Rubinstein-Tromer
๐๐ขโ๐
๐๐ฅ ,๐ค ๐ฅ
witness-indistinguishable proof of knowing
``interactively-extractableโ
32
๐๐ขโ๐
๐๐ฅ ,๐ค ๐ฅ
witness-indistinguishable proof of knowing
๐
EOWF
+๐ ๐ผ 1
+๐ ๐ผ 2
๐โ๐พ
3-ZK from EOWFsB-Goldwasser-Canetti-Chiesa-Lin-Rubinstein-Tromer
33
Do Extractable Functions Really Exist?
Whatโs Beyond Knowledge Assumptions?
Can We Construct Explicit Extractors?
34
Auxiliary Information
35
Auxiliary Information
efficientextractor
๐๐ ๐(๐ฅ)
๐ฅ โฒ๐ด
๐ด
๐ง
36
๐๐ขโ๐
๐๐ฅ ,๐ค ๐ฅ
witness-indistinguishable proof of knowing
๐
EOWF
+๐ ๐ผ 1
+๐ ๐ผ 2
A.I.
๐โ๐พ
37
Common Auxiliary Information
efficientextractor
๐๐ ๐(๐ฅ)
๐ฅ โฒ๐ด
๐ด
๐ง โ ๐ดโ ๐ธโ ๐ง
38
Common A.I. EOWFs vs obfuscationHada-Tanaka, Goldreich
efficientextractor
๐ง=ยฟ ๐ด
๐ ๐ด ๐ ๐(๐ฅ)
may be โobfuscatedโ
39
Individual Auxiliary Information
efficientextractor
๐๐ ๐(๐ฅ)
๐ฅ โฒ๐ด
๐ด
๐ง๐ง โฒโ โ ๐ดโ ๐ธโ ๐งโ๐ง โฒ
40
Individual Auxiliary Information
๐๐ ๐(๐ฅ)
๐ฅ โฒ
โฆโฆ
โฆ
๐ด
โฆโฆ
โฆ
๐ธโฆโฆ
โ ๐ดโ ๐ธ
41
๐๐ขโ๐
๐๐ฅ ,๐ค ๐ฅ
witness-indistinguishable proof of knowing
๐
EOWF
+๐ ๐ผ 1
+๐ ๐ผ 2
canโt fixin advance
Is Individual A.I. Enough?
๐โ๐พ
43
Some Answers
44
impossible possibleopen
EOWFswith common A.I.
indistinguishabilityobfuscation
efficientextractor
๐ด
๐ง
uniform EOWFswith no A.I.
efficientextractor
๐ด
๐งexplicit
45
impossible possibleopen
EOWFswith common A.I.
indistinguishabilityobfuscation
efficientextractor
๐ด
๐ง
efficientextractor
๐ด
EOWFswith bounded A.I.
|๐ง|<๐ต(๐)explicit
46
impossible possibleopen
EOWFs withcommon unbounded A.I.
indistinguishabilityobfuscation
efficientextractor
๐ด
EOWFswith bounded A.I.
efficientextractor
๐ด
|๐ง|<ยฟ ๐ (๐ฅ )โจยฟ|๐ง|>ยฟ ๐ (๐ฅ )โจยฟ explicit
NIUA for (SNARGs for P,
P-certificates Chung-Lin-Pass)
47
impossible possibleopen
indistinguishabilityobfuscation
privโ-verโ SNARGs for PKalai-Raz-Rothblum:
subexp-PIR (e.g., LWE)
efficientextractor
๐ด
privately-verifiable Generalized EOWFs
with bounded A.I.
efficientextractor
๐ด
|๐ง|<ยฟ ๐ (๐ฅ )โจยฟ|๐ง|>ยฟ ๐ (๐ฅ )โจยฟ
EOWFs withcommon unbounded A.I.
48
impossible possibleopen
indistinguishabilityobfuscation
privโ-verโ SNARGs for PKalai-Raz-Rothblum:
subexp-PIR (e.g., LWE)
efficientextractor
๐ด
privately-verifiable Generalized EOWFs
with bounded A.I.
efficientextractor
๐ด
|๐ง|<ยฟ ๐ (๐ฅ )โจยฟ|๐ง|>ยฟ ๐ (๐ฅ )โจยฟ
privately-verifiable Generalized EOWFs
common (unbounded) A.I.
49
impossible possibleopen
indistinguishabilityobfuscation
privโ-verโ SNARGs for PKalai-Raz-Rothblum:
subexp-PIR (e.g., LWE)
efficientextractor
๐ด
privately-verifiable Generalized EOWFs
with bounded A.I.
|๐ง|>ยฟ ๐ (๐ฅ )โจยฟ
privately-verifiable Generalized EOWFs
common (unbounded) A.I.
3-ZK ArgOK2-ZK Arg
bounded A.I. verifiers
50
impossible possibleopen
efficientextractor
๐ด
efficientextractor
๐ด
|๐ง|<ยฟ ๐ (๐ฅ )โจยฟ|๐ง|>ยฟ ๐ (๐ฅ )โจยฟ
efficientextractor
๐ด
๐งโ ๐ง โฒ
EOWFswith (unbounded)
individual A.I.
51
Ideas
52
Common A.I. Extractionvs.
Indistinguishability Obfuscation
53
The Universal Adversary
efficientextractor
๐ง=ยฟ ๐ด
๐ ๐ด ๐ ๐(๐ฅ)
54
The Universal Adversary
efficientextractor
๐ง=ยฟ
๐ ๐ด ๐ ๐(๐ฅ)
may be โobfuscatedโ
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOLKd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL
55
The Universal Adversary
efficientextractor
๐ ๐ ๐(๐ฅ)Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL
๐ด
56
Black-Box Extraction is Impossible
efficientextractor
๐ด
black-box extractor must invert the one-way
๐ ๐ ๐(๐ฅ)
๐ โฒ ๐ ๐โฒ (๐๐ ๐น ๐ (๐
โฒ))
57
The Universal Adversary
efficientextractor
๐ ๐ ๐(๐ฅ)Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL
๐ด๐
58
What Kind of Obfuscation?
๐ด๐
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?
Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)
Goldwasser-Kalai, B-Canetti-Paneth-Rosen
Need to hide PRF value only on the particular point (out of Extโs control) โ use Sahai-Waters puncturing
59
What Kind of Obfuscation?
๐ด๐
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?
Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)
Goldwasser-Kalai, B-Canetti-Paneth-Rosen
Need to hide PRF value only on the particular point (out of Extโs control) โ use Sahai-Waters puncturing
60
What Kind of Obfuscation?
๐ด๐
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?
Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)
Goldwasser-Kalai, B-Canetti-Paneth-Rosen
Need to hide PRF value only on the particular point (out of Extโs control) โ use Sahai-Waters puncturing
A.I. depends on โ but, with IndObf looks as if it doesnโt
61
Extractable One-Way Functionsw.r.t Bounded A.I.
62
efficientextractor
๐ ๐ ๐(๐ฅ)๐ด
If You Canโt Extract Whatโs inside the Head,
Extract the Head [Barak]
๐ด
63
First Attempt
๐ (๐ , ๐ )
Goal: keyless
parsed as a machinewith output bits
normal branch trapdoor branch
Ingredient:
๐โ 0๐ ๐=0๐
๐๐ ๐บ (๐ ) ๐ (1๐)
65
Extractability
๐ฆโ {0 ,1 }2๐๐ด(๐ง , โ )1๐
โค๐
efficientextractor
๐ด(๐ง , โ )0๐ ,
๐
๐ (๐ , ๐ )๐โ 0๐ ๐=0๐
๐๐ ๐บ (๐ ) ๐ (1๐)
66
One-Wayness
For :
Inverter finds s.t But a.s. has Kolmogorov complexity
๐ (๐ , ๐ )๐โ 0๐ ๐=0๐
๐๐ ๐บ (๐ ) ๐ (1๐)
67
not bounded by any polynomial
Barak ZK: solved by interactive universal arguments for non-deterministic computations Barak-Lindell-Vadhan ZK: solved assuming non-interactive universal argumentsfor non-deterministic computations (Micaliโs CS proofs)
Problem
๐ (๐ , ๐ )๐โ 0๐ ๐=0๐
๐๐ ๐บ (๐ ) ๐ (1๐)
68
NIUAs for Deterministic Computations
๐ ๐
๐บ๐
๐
= โ outputs after stepsโ
referencestring
poly ยฟ poly ยฟ
๐
69
๐ (๐ , ๐ ,๐ ,๐โ , ๐ฆ โ ,๐โ)
Instead of running , the trapdoor branch verifies a proof that
out:
if is a valid proofthat w.r.t out:
๐โ 0๐ ๐=0๐
One-wayness: maintained by the soundness of the NIUA.
Extraction: given the code of , compute a proof for
EOWFs from NIUAs
70
๐ (๐ , ๐ ,๐ ,๐โ , ๐ฆ โ ,๐โ)
Instead of running , the trapdoor branch verifies a proof that
out:
if is a valid proofthat w.r.t out:
๐โ 0๐ ๐=0๐
One-wayness: maintained by the soundness of the NIUA.
Extraction: given the code of , compute a proof for
EOWFs from NIUAs
relies on public-verifiability(soundness holds in presence of verification key )
71
Generalized EOWFs from privately-verifiable NIUAs
๐ ( ๐ (๐ฅ ) ,๐ฅ โฒ )
Hardness: given where hard to find
Extractabilitygiven code that outputs ,
can extract
Private-verification: can be computed given the private
Public-verification: can be effโ computed by anyone
Can be constructed from subexp LWE [Kalai-Raz-Rothblum]Sufficient for 2/3-ZK
73
impossible possibleopen
Open Questions
Construct a (uniform) ECRH
EOWFs w.r.t individual auxiliary information
EOWFs w.r.t to common โbenignโ distributions
74