1 / 48

Theory and Application of Extractable Functions

Theory and Application of Extractable Functions. Ramzi Ronny Dakdouk. Driving Questions. Study computational knowledge of functions What does the ability to produce f(x) have to do with “knowing” x ? Extractable Function: Outputting f(x) knowledge of x.

terrica
Download Presentation

Theory and Application of Extractable Functions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Theory and Application of Extractable Functions Ramzi Ronny Dakdouk

  2. Driving Questions • Study computational knowledge of functions • What does the ability to produce f(x) have to do with “knowing” x ? • Extractable Function: Outputting f(x) knowledge of x

  3. Example: Software Protection • Outputting a hash of a license Knowledge of license Possession of license • Hash is one-way Hard to extract license

  4. Our Results • Introduce, formalize, and construct extractable functions. This appeared in: Extractable Perfectly One-Way Functions. ICALP (2) 2008: 449-460 (with Ran Canetti) • Characterize extractable functions & relation to obfuscation. This appeared in: Towards a Theory of Extractable Functions. TCC 2009: 595-613 (with Ran Canetti) • Use extractable functions in constructing 3-round zero-knowledge. This appeared in the ICALP paper. • Use extractable functions in instantiating Random Oracle. This appeared in the ICALP paper. • Use techniques from work on extractable functions to obfuscate multibit output point functions. This appeared in: Obfuscating Point Functions with Multibit Output. EUROCRYPT 2008: 489-508 (with Ran Canetti)

  5. Other Work • Study inter-domain routing from a social choice perspective. This appeared in: Interdomain Routing as Social Choice. ICDCS Workshop 2006: 38 (with Semih Salihoglu, Hao Wang, Haiyong Xie, Yang Richard Yang)

  6. Outline • Concepts • Constructions • Characterization • Applications

  7. Computational Knowledge • In protocols: • Proofs of knowledge (interactive, non-interactive) • Apply computational knowledge to functions  extractable functions

  8. Extractable Functions Fk Fk(x) x Fk Fk F(x) Fk(x) z F(x) Fk(x) F Fk x z

  9. Extractable Functions: Definition (I) A family of functions {F_k} is extractable if for every adversary A that, given random k, computes F_k(x), there is an extractor E that outputs x whp. • E depends on A (inherently non-blackbox). • Variants: • Deterministic/randomized functions • negligible / noticeable extraction error • presence/absence of auxiliary information (both dependent and independent)

  10. Extractable Functions No CRS Non-verifiable Nonblackbox extractor view(extractor)= view(adversary) Proofs of Knowledge CRS Verifiable Blackbox extractor view(extractor)≠ view(prover) Extractable Functions vs Non-interactive Proofs of Knowledge Extractable functions and Noninteractive Proofs of Knowledge are incomparable.

  11. Do extractable functions exist?

  12. Do extractable functions exist? • Yes: The identity function… • Do there exist extractable one-way functions? • Do there exist extractable functions with other hardness properties?

  13. Example: Exponentiation with two generators g,h gx,hx x g,h gx,hx z gx,hx g,h x z

  14. Extractable Functions vs Knowledge Assumptions The Knowledge of Exponent (KE) assumption [Hada-Tanaka98]: Fg,h(x)=gx,hx is extractable. • tantamount to extractable functions • Extractable functions: abstraction away from specific number-theoretic assumptions (e.g., knowledge of exponent) • Extractable functions: formulation in a general complexity-theoretic setting.

  15. Extractable Functions:Definition (II) • Weaker knowledge guarantee • Requires weaker assumptions • Considers randomized functions • Involves a structured 3-round game between adversary and challenger: • If interaction is “consistent”, extractor can recover preimage.

  16. Interactive Extraction F(x,r) F s z F(x,s) F F(x,r) z x

  17. Extractable vs Interactively-extractable functions • Extractable • 1 round • Non-verifiable • Nonblackbox extractor • 1 output: y=f(x) • Interactively-extractable • 3 rounds • Non-verifiable • Extractor can be blackbox (even for POW functions) • A lot more: y_1=f(x,r_1),…

  18. Outline • Notions • Constructions • Characterization • Applications

  19. Non-interactive EPOW Construction Hada-Tanaka: Fg,h (x)=gx,hx Our construction: • Stronger than HT function (POW) • A randomized variant of the HT function Fg,h (x,r)= gr,hr,grx,hrx • Extraction: – by KE assumption can recover rx and r, thus can compute x. • POW: • “2-POW” based on “strong” DDH • “2-POW”  “t-POW” for any polynomial t Given 2 images y and z, it is possible to generate a new image w: • Fg,h-1(y)=Fg,h-1(z)  Fg,h-1(w)=Fg,h-1(y) • Fg,h-1(y)≠Fg,h-1(z) Fg,h-1(w) is independent of y and z

  20. Interactive EPOW Construction • Given any POW function F, construct: EF(x=(x1,...,xn),r=(r0,…,rn+2))=F(x,r0),F(tx1,r1)…,F(txn,rn) – t0=F(x,rn+1) – t1=F(x,rn+2) • POW: – Follows from POW of F. (In fact, need a “composable” variant of POW.) • Extraction:

  21. Extraction for Interactive EPOW EF(x,s) r=(r0,…,rn+2) EF(x,r)=(t*=F(x,r0),…) Rewind xi=1 if F(t*=F(x,r0),ui) =F(txi,ui) u=(u0,…,un+1,un+2=r0) EF(x,r)=F(x,u0),F(tx1,u1),…

  22. Outline • Constructions • Characterization • Applications

  23. Interactive Extraction vs Obfuscation • We formalize the intuitive notion that extraction and obfuscation complement each other. • Various notions of extraction: • “weak extraction”: noticeable success • “strong extraction”: extraction with noticeable error • “very strong extraction”:extraction with negligible error • Weak obfuscation: ability to compute on a hidden point

  24. Weak Obfuscation • A program O is a weak obfuscation of a probabilistic function f if it can compute f on a hidden point: • Secrecy: <Ox> is one-way in x • Functionality: Ox(r)=f(x,r) with noticeable probability

  25. First Characterization • Weak extraction: For every adversary A there is an extractor that succeeds noticeably. • Theorem 1: Every family of probabilistic functions is either “weakly obfuscatable” or “weakly extractable”. • Note: No assumptions about the function

  26. Proof Highlights • Suppose f is not weakly extractable • There is an adversary A that plays the 3-round game successfully. • However, there is no corresponding extractor • A and its input constitute a weak obfuscation

  27. Second Characterization • Verification: easy to verify whether y is an image of x. • Theorem 2: • Every verifiable family is either weakly obfuscatable or “strongly extractable”. • Extraction with noticeable error  verification (injective functions)

  28. Proof Highlights • Uses variant of Impagliazzo’s hard-core lemma (FOCS95): • Gives a family of extractors K • K fails  no other machine can succeed noticeably • f is not extractable  an adversary A produces 2 consistent messages even when K fails. • f is not obfuscatable  f is weakly extractable against A (Theorem 1) • This contradicts the lemma (property of K)

  29. Corollary • Every POW function with auxiliary information is strongly extractable. • Supersedes our earlier results • more efficient communication: 1 challenge vs n challenges • However, extraction is nonblackbox.

  30. Third Characterization • Reliably-consistent adversaries: Consistency is lower-bounded by inverse of a fixed polynomial. • Theorem 3: • Every verifiable family is either “weakly obfuscatable” or extractable with negligible error against reliably-consistent adversaries. • Extraction with negligible error  condition on adversaries is satisfied. (verifiable and efficiently-computable functions) • Proof similar to proof of Theorem 2.

  31. Outline • Notions • Constructions • Characterization • Applications • Zero Knowledge • Random Oracle Instantiation

  32. Zero-knowledge • Prover convinces verifier of the validity of a statement without revealing anything beyond the validity. • Soundness: Guarantee against a possibly malicious prover • If malicious provers are restricted to polynomial-time machines  ZK arguments • Otherwise, ZK proofs • Zero-knowledge: Guarantee against a possibly malicious verifier • If malicious verifiers are restricted to polynomial-time machines  computational ZK • Else, statistical ZK

  33. Zero-knowledge Definition • L is in any language from NP • An efficient pair of machines, (P,V), is a ZK argument for L if: • (Completeness) For any x in L (with witness w): Pr [<P(x,w),V(x)>=1] = 1- neg • (Soundness) For any x outside L and any efficient P’: Pr [<P’(x),V(x)>=1] = neg • (Zero-knowledge) For any verifier V’, there is a simulator S, such that for any x in L: ViewV(<P(x,w),V’(x)>) ≈ S(x)

  34. 3-round Zero Knowledge • Black-Box 3-round ZK is possible only for BPP [Goldreich-Krawczyk96]. • 3-round arguments exist based on two “knowledge of exponent” assumptions [HT98, BP04]. • 3-round proofs exist based on similar assumptions [Lepinski02].

  35. Idea Behind Our Construction FLS technique [Feige-Lapidot-Shamir99]: • Prover convinces verifier either: • Statement is true, or • Prover knows something only the verifier knows • Any efficient prover can not benefit from (2) soundness • ZK simulator uses extraction functions to extract knowledge from verifier zero-knowledge • Verifier can not distinguish between a real interaction and a ZK simulation.

  36. Main Tools • Extractable POW functions (with an additional property) • Noninteractive witness-indistinguishable (WI) proofs

  37. Witness Indistinguishability • Weaker than ZK • Hard to tell which witness is used in a proof. • Witness Indistinguishability: For any x in L and any witness pair w1,w2: P(x,w1) ≈ P(x,w2)

  38. Notations • L ε NP • F is an extractable POW family, {Fk}. • L’={x’=(x,y,s): x ε L or there exist u1,u2 s.t. u1=F-1(y) & (u1,u2)=F-1(s)} • π is noninteractive WI proof for L’.

  39. 3-round ZK Argument for Any L ε NP x x w Fk1 {Fk} r’,u1,u2 Un s= Fk2((u1,u2),r’) If y in range(Fk1) π= π((x,y,s),w) Fk1 Fk2 {Fk} r Un u Un y= Fk1(u,r) If s in range(Fk2) & π is valid Fk2,y s, π Accept

  40. Soundness & Zero Knowledge Soundness: – If V accepts and x not in L, then by WI soundness preimage of y belongs to preimage of s. – This means prover can recover preimage of y (by extracting preimage of s). – This contradicts one-wayness of F (since F is POW). Zero-Knowledge: • Simulator recovers u, the preimage of y (via extraction). • Simulator then behaves like an honest prover except: • s= Fk2((u,u2),r’) • π= π( (x,y,s), (u,u2)) • Fk2((u1,u2),r’), π((x,y,s),w) ≈ Fk2((u,u2),r’), π((x,y,s),(u,u2)) (using POW & WI)

  41. Potential Advantages over [HT98] • Does not explicitly use algebraic properties of DL • Opens the door to building 3-round ZK from other assumptions (that suffice for constructing EPOW functions)

  42. Outline • Constructions • Characterization • Applications • Zero Knowledge • Random Oracle Instantiation

  43. The Random Oracle Methodology[Fiat-Shamir86,Bellare-Rogaway93] • The idea: – Design and analyze crypto schemes assuming global access to a random function R. – Implement R via a “cryptographic hash function” (e.g. SHA2) • Unsound in and of itself [Canetti-Goldreich-Halevi98,...] • But, perhaps can be used as a methodological step towards constructing fully specified schemes?

  44. Replacing the RO by concrete functions • The Random Oracle has many convenient features: • Perfect hiding of preimage • Knowledge of preimage • Collision resistant • Correlation intractable • “Programmable” • Can we have fully specified functions that have some of these properties? • Can such functions replace the RO?

  45. EPOW functions as an instantiation of a RO • Can capture “perfect hiding of preimage” property [C97]. • Can capture the “knowledge of preimage” property. • Can be used to demonstrate security of the [BR92] encryption schemes, via the same argument as in the RO model. • Can be used to demonstrate security of a large class of encryption schemes, via a new method of instantiating the RO. However: • Need extractability w.r.t. dependent auxiliary information • Alternative: use interactive EPOW, resulting in interactive encryption.

  46. Summary We advanced our understanding of computational knowledge and its relationship with Cryptography through: • Introducing & formalizing Extractable Functions • Constructing several extractable functions with different hardness properties • Characterizing extractable functions • Applying extractable functions: • 3-round Zero-knowledge • Random Oracle Instantiation

  47. Open Questions • Realize noninteractive extractable functions with dependent auxiliary information • Realize noninteractive extractable functions from other assumptions • Explore connections to stronger notions of obfuscation • Find new applications of extractable functions

  48. Questions???

More Related