extractable functions fiction or reality?

EXTRACTABLE FUNCTIONSFICTION OR REALITY?

Nir Bitansky (TAU) Ran Canetti (BU & TAU)

Omer Paneth (BU) Alon Rosen (IDC)

2

Knowledge is Elusive (assuming )

Knowing isn’t like knowing

Knowing isn’t like knowing

Knowing how to prove isn’t like knowing

3

ZK Proofs of KnowledgeGoldwasser-Micali-Rackoff, Feige-Shamir, Goldreich-Bellare

efficientextractor

𝒱𝒫∗

𝑤∈𝑹𝑳(𝑥 )

𝑥

𝑎𝑐𝑐𝑒𝑝𝑡

4

Effective Knowledge

=what can be

efficiently extractedfrom the adversary

5

Extraction is Essential to Cryptographic Analysis

Composition

Input Independence in MPC

ZK simulation (the trapdoor paradigm)

⋮

⋮

6

How is Knowledge Extracted?

7

The Black-Box Tradition (aka Rewinding)

extractor

𝐴

8

extractor

𝐴

reduction/simulator

Black-Box (Turing) Reductions/Simulators

9

Using The Adversary’s Code

Aextractor

reduction/simulator

10

The Black-Box Barrier

Black-Box

SNARGs for NP(Succinct Non-Interactive Arguments)

Gentry-Wichs

3-ZKGoldreich-Krawczyk

O(1)-public-coin-ZKGoldreich-Krawczyk

most of cryptoas we know it!

Non-Black-Box

11

Beyond the Barrier

-round public-coin ZKwith

non-black-box simulation

Barak

12

Post Barak

SNARGs3-ZK

O(1)-public-coin-ZKBarak

resettably-sound-ZKBarak-Goldreich-Goldwasser-Lindell

simultaneously-resettable-ZKDeng-Goyal-Sahai

O(1)-covert-MPCGoyal-Jain

(uniform) O(1)-concurrent-ZKChung-Lin-Pass

interaction

…

13

Knowledge Assumptionsand

Extractable Functions

14

Damgård’s Knowledge of Exponent Assumption

15

𝐴

Damgård’s Knowledge of Exponent Assumption

𝑔𝑥 , h𝑥𝑔 , h𝑔 , h←𝐺∗

𝑥

16

𝑔h

𝑔2𝑔3…

h2

h3

⋮

is -sparse

17

𝐴

Damgård’s Knowledge of Exponent Assumption

efficientextractor 𝑥

𝑔𝑥 , h𝑥𝑔 , h𝑔 , h←𝐺∗

𝐴

𝑥

18

Extractable FunctionsCanetti-Dakdouk

19

efficientextractor

𝑘

Extractable FunctionsCanetti-Dakdouk

𝑓 𝑘(𝑥)

𝑥 ′𝑓 𝑘 (𝑥′ )= 𝑓 𝑘(𝑥)

OWFCRH

COM

𝐴

𝐴

21

Black-Box Extraction is Impossible

22

Black-Box Extraction is Impossible

efficientextractor

𝐴

black-box extractor must invert the one-way

𝑘 𝑓 𝑘(𝑥)

𝑘 ′ 𝑓 𝑘′ (𝑃𝑅𝐹 𝑠(𝑘

′))

23

Extractable Functionsin Non-Interactive Applications

O(1)-concurrent ZK*assuming concurrent extraction

3-ZK

KEAEOWF

B-Canetti-Chiesa-Goldwasser-Lin-

Rubinstein-Tromer

Hada-Tanaka,Micali-Lepinski*,Bellare-Palacio

BCCGLRT

Canetti-Dakdouk Damgard

Gupta-Sahai

24

Extractable Functionsin Non-Interactive Applications

O(1)-concurrent ZK*assuming concurrent extraction

3-ZK

SNARKs (NP)

KEAEOWF ECRH

publicly verifiable

privatelyverifiable

Mie, DiCrescenzo

-Lipmaa*

Damgard BCCGLRT,Damgard-

Faust-Hazay

Groth,Lipmaa,B-Canetti-Chiesa-Tromer,Gennaro-Gentry-Parno-

Raykiova, B-Chiesa-Ishai-Ostrovsky-Paneth

BCCGLRT,DFH

25

Extractable Functionsin Non-Interactive Applications

O(1)-concurrent ZK*assuming concurrent extraction

3-ZK

SNARKs (NP)

KEAEOWF ECRH

publicly verifiable

privatelyverifiable

proof-carrying data

delegation

targeted-malleabilitysuccinct keysin functional

enc/sig

27

Example: 3-ZK

28

The Feige-Shamir Protocol

𝑉𝑢←𝑈

𝑃𝑓 (𝑢)

𝑥 ,𝑤 𝑥

witness-hidingproof of knowing

witness-indistinguishable proof of knowing

30

The Feige-Shamir Protocol

𝑉𝑢←𝑈

𝑃𝑥 ,𝑤 𝑥

witness-indistinguishable proof of knowing

``interactively-extractable”

31

3-ZK from EOWFsB-Goldwasser-Canetti-Chiesa-Lin-Rubinstein-Tromer

𝑉𝑢←𝑈

𝑃𝑥 ,𝑤 𝑥

witness-indistinguishable proof of knowing

``interactively-extractable”

32

𝑉𝑢←𝑈

𝑃𝑥 ,𝑤 𝑥

witness-indistinguishable proof of knowing

𝑘

EOWF

+𝑊 𝐼 1

+𝑊 𝐼 2

𝑘←𝐾

3-ZK from EOWFsB-Goldwasser-Canetti-Chiesa-Lin-Rubinstein-Tromer

33

Do Extractable Functions Really Exist?

What’s Beyond Knowledge Assumptions?

Can We Construct Explicit Extractors?

34

Auxiliary Information

35

Auxiliary Information

efficientextractor

𝑘𝑓 𝑘(𝑥)

𝑥 ′𝐴

𝐴

𝑧

36

𝑉𝑢←𝑈

𝑃𝑥 ,𝑤 𝑥

witness-indistinguishable proof of knowing

𝑘

EOWF

+𝑊 𝐼 1

+𝑊 𝐼 2

A.I.

𝑘←𝐾

37

Common Auxiliary Information

efficientextractor

𝑘𝑓 𝑘(𝑥)

𝑥 ′𝐴

𝐴

𝑧 ∀ 𝐴∃ 𝐸∀ 𝑧

38

Common A.I. EOWFs vs obfuscationHada-Tanaka, Goldreich

efficientextractor

𝑧=¿ 𝐴

𝑘 𝐴 𝑓 𝑘(𝑥)

may be “obfuscated”

39

Individual Auxiliary Information

efficientextractor

𝑘𝑓 𝑘(𝑥)

𝑥 ′𝐴

𝐴

𝑧𝑧 ′≠ ∀ 𝐴∃ 𝐸∀ 𝑧∃𝑧 ′

40

Individual Auxiliary Information

𝑘𝑓 𝑘(𝑥)

𝑥 ′

……

…

𝐴

……

…

𝐸……

∀ 𝐴∃ 𝐸

41

𝑉𝑢←𝑈

𝑃𝑥 ,𝑤 𝑥

witness-indistinguishable proof of knowing

𝑘

EOWF

+𝑊 𝐼 1

+𝑊 𝐼 2

can’t fixin advance

Is Individual A.I. Enough?

𝑘←𝐾

43

Some Answers

44

impossible possibleopen

EOWFswith common A.I.

indistinguishabilityobfuscation

efficientextractor

𝐴

𝑧

uniform EOWFswith no A.I.

efficientextractor

𝐴

𝑧explicit

45

impossible possibleopen

EOWFswith common A.I.

indistinguishabilityobfuscation

efficientextractor

𝐴

𝑧

efficientextractor

𝐴

EOWFswith bounded A.I.

|𝑧|<𝐵(𝑛)explicit

46

impossible possibleopen

EOWFs withcommon unbounded A.I.

indistinguishabilityobfuscation

efficientextractor

𝐴

EOWFswith bounded A.I.

efficientextractor

𝐴

|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿ explicit

NIUA for (SNARGs for P,

P-certificates Chung-Lin-Pass)

47

impossible possibleopen

indistinguishabilityobfuscation

priv’-ver’ SNARGs for PKalai-Raz-Rothblum:

subexp-PIR (e.g., LWE)

efficientextractor

𝐴

privately-verifiable Generalized EOWFs

with bounded A.I.

efficientextractor

𝐴

|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿

EOWFs withcommon unbounded A.I.

48

impossible possibleopen

indistinguishabilityobfuscation

priv’-ver’ SNARGs for PKalai-Raz-Rothblum:

subexp-PIR (e.g., LWE)

efficientextractor

𝐴

privately-verifiable Generalized EOWFs

with bounded A.I.

efficientextractor

𝐴

|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿

privately-verifiable Generalized EOWFs

common (unbounded) A.I.

49

impossible possibleopen

indistinguishabilityobfuscation

priv’-ver’ SNARGs for PKalai-Raz-Rothblum:

subexp-PIR (e.g., LWE)

efficientextractor

𝐴

privately-verifiable Generalized EOWFs

with bounded A.I.

|𝑧|>¿ 𝑓 (𝑥 )∨¿

privately-verifiable Generalized EOWFs

common (unbounded) A.I.

3-ZK ArgOK2-ZK Arg

bounded A.I. verifiers

50

impossible possibleopen

efficientextractor

𝐴

efficientextractor

𝐴

|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿

efficientextractor

𝐴

𝑧≠ 𝑧 ′

EOWFswith (unbounded)

individual A.I.

51

Ideas

52

Common A.I. Extractionvs.

Indistinguishability Obfuscation

53

The Universal Adversary

efficientextractor

𝑧=¿ 𝐴

𝑘 𝐴 𝑓 𝑘(𝑥)

54

The Universal Adversary

efficientextractor

𝑧=¿

𝑘 𝐴 𝑓 𝑘(𝑥)

may be “obfuscated”

Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOLKd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL

55

The Universal Adversary

efficientextractor

𝑘 𝑓 𝑘(𝑥)Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL

𝐴

56

Black-Box Extraction is Impossible

efficientextractor

𝐴

black-box extractor must invert the one-way

𝑘 𝑓 𝑘(𝑥)

𝑘 ′ 𝑓 𝑘′ (𝑃𝑅𝐹 𝑠(𝑘

′))

57

The Universal Adversary

efficientextractor

𝑘 𝑓 𝑘(𝑥)Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL

𝐴𝑠

58

What Kind of Obfuscation?

𝐴𝑠

Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?

Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)

Goldwasser-Kalai, B-Canetti-Paneth-Rosen

Need to hide PRF value only on the particular point (out of Ext’s control) – use Sahai-Waters puncturing

59

What Kind of Obfuscation?

𝐴𝑠

Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?

Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)

Goldwasser-Kalai, B-Canetti-Paneth-Rosen

Need to hide PRF value only on the particular point (out of Ext’s control) – use Sahai-Waters puncturing

60

What Kind of Obfuscation?

𝐴𝑠

Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?

Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)

Goldwasser-Kalai, B-Canetti-Paneth-Rosen

Need to hide PRF value only on the particular point (out of Ext’s control) – use Sahai-Waters puncturing

A.I. depends on – but, with IndObf looks as if it doesn’t

61

Extractable One-Way Functionsw.r.t Bounded A.I.

62

efficientextractor

𝑘 𝑓 𝑘(𝑥)𝐴

If You Can’t Extract What’s inside the Head,

Extract the Head [Barak]

𝐴

63

First Attempt

𝑓 (𝑖 , 𝑠)

Goal: keyless

parsed as a machinewith output bits

normal branch trapdoor branch

Ingredient:

𝑖≠0𝑛 𝑖=0𝑛

𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)

65

Extractability

𝑦∈ {0 ,1 }2𝑛𝐴(𝑧 , ⋅)1𝑛

≤𝑛

efficientextractor

𝐴(𝑧 , ⋅)0𝑛 ,

𝑓

𝑓 (𝑖 , 𝑠)𝑖≠0𝑛 𝑖=0𝑛

𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)

66

One-Wayness

For :

Inverter finds s.t But a.s. has Kolmogorov complexity

𝑓 (𝑖 , 𝑠)𝑖≠0𝑛 𝑖=0𝑛

𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)

67

not bounded by any polynomial

Barak ZK: solved by interactive universal arguments for non-deterministic computations Barak-Lindell-Vadhan ZK: solved assuming non-interactive universal argumentsfor non-deterministic computations (Micali’s CS proofs)

Problem

𝑓 (𝑖 , 𝑠)𝑖≠0𝑛 𝑖=0𝑛

𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)

68

NIUAs for Deterministic Computations

𝑃 𝑉

𝐺𝜎

𝜋

= “ outputs after steps”

referencestring

poly ¿ poly ¿

𝜎

69

𝑓 (𝑖 , 𝑠 ,𝑟 ,𝜋∗ , 𝑦 ∗ ,𝜎∗)

Instead of running , the trapdoor branch verifies a proof that

out:

if is a valid proofthat w.r.t out:

𝑖≠0𝑛 𝑖=0𝑛

One-wayness: maintained by the soundness of the NIUA.

Extraction: given the code of , compute a proof for

EOWFs from NIUAs

70

𝑓 (𝑖 , 𝑠 ,𝑟 ,𝜋∗ , 𝑦 ∗ ,𝜎∗)

Instead of running , the trapdoor branch verifies a proof that

out:

if is a valid proofthat w.r.t out:

𝑖≠0𝑛 𝑖=0𝑛

One-wayness: maintained by the soundness of the NIUA.

Extraction: given the code of , compute a proof for

EOWFs from NIUAs

relies on public-verifiability(soundness holds in presence of verification key )

71

Generalized EOWFs from privately-verifiable NIUAs

𝑅 ( 𝑓 (𝑥 ) ,𝑥 ′ )

Hardness: given where hard to find

Extractabilitygiven code that outputs ,

can extract

Private-verification: can be computed given the private

Public-verification: can be eff’ computed by anyone

Can be constructed from subexp LWE [Kalai-Raz-Rothblum]Sufficient for 2/3-ZK

73

impossible possibleopen

Open Questions

Construct a (uniform) ECRH

EOWFs w.r.t individual auxiliary information

EOWFs w.r.t to common “benign” distributions

74