1 / 68

Extractable Functions Fiction or Reality?

Extractable Functions Fiction or Reality?. Nir Bitansky (TAU). Ran Canetti (BU & TAU). Omer Paneth (BU). Alon Rosen (IDC). Knowledge is Elusive (assuming ). Knowing isn’t like knowing. Knowing isn’t like knowing. Knowing how to prove isn’t like knowing.

keegan
Download Presentation

Extractable Functions Fiction or Reality?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Extractable FunctionsFiction or Reality? NirBitansky (TAU) Ran Canetti (BU & TAU) Omer Paneth (BU) Alon Rosen (IDC)

  2. Knowledge is Elusive (assuming ) Knowing isn’t like knowing Knowing isn’t like knowing Knowing how to prove isn’t like knowing

  3. ZK Proofs of KnowledgeGoldwasser-Micali-Rackoff, Feige-Shamir, Goldreich-Bellare efficient extractor

  4. Effective Knowledge=what can be efficiently extractedfrom the adversary

  5. Extraction is Essential to Cryptographic Analysis Input Independence in MPC Composition ZK simulation (the trapdoor paradigm)

  6. How is Knowledge Extracted?

  7. The Black-Box Tradition (aka Rewinding) extractor

  8. Black-Box (Turing) Reductions/Simulators reduction/simulator extractor

  9. Using The Adversary’s Code reduction/simulator A extractor

  10. The Black-Box Barrier O(1)-public-coin-ZK Goldreich-Krawczyk 3-ZK Goldreich-Krawczyk SNARGs for NP (Succinct Non-Interactive Arguments) Gentry-Wichs most of crypto as we know it! Black-Box Non-Black-Box

  11. Beyond the Barrier Barak -round public-coin ZK with non-black-box simulation

  12. Post Barak resettably-sound-ZK Barak-Goldreich-Goldwasser-Lindell O(1)-public-coin-ZK Barak simultaneously-resettable-ZK Deng-Goyal-Sahai O(1)-covert-MPC Goyal-Jain (uniform) O(1)-concurrent-ZK Chung-Lin-Pass interaction 3-ZK SNARGs

  13. Knowledge AssumptionsandExtractable Functions

  14. Damgård’sKnowledge of Exponent Assumption

  15. Damgård’sKnowledge of Exponent Assumption

  16. is -sparse

  17. Damgård’sKnowledge of Exponent Assumption efficient extractor

  18. Extractable FunctionsCanetti-Dakdouk

  19. Extractable FunctionsCanetti-Dakdouk CRH COM OWF efficient extractor

  20. Black-Box Extraction is Impossible

  21. Black-Box Extraction is Impossible efficient extractor black-box extractor must invert the one-way

  22. Extractable Functionsin Non-Interactive Applications EOWF KEA Canetti-Dakdouk Damgard 3-ZK B-Canetti-Chiesa- Goldwasser-Lin- Rubinstein-Tromer Hada-Tanaka, Micali-Lepinski*, Bellare-Palacio O(1)-concurrent ZK *assuming concurrent extraction Gupta-Sahai BCCGLRT

  23. Extractable Functionsin Non-Interactive Applications ECRH EOWF KEA Damgard BCCGLRT, Damgard- Faust-Hazay publicly verifiable privately verifiable 3-ZK SNARKs (NP) Groth,Lipmaa, B-Canetti-Chiesa-Tromer, Gennaro-Gentry-Parno- Raykiova, B-Chiesa-Ishai- Ostrovsky-Paneth Mie, DiCrescenzo -Lipmaa* BCCGLRT, DFH O(1)-concurrent ZK *assuming concurrent extraction

  24. Extractable Functionsin Non-Interactive Applications ECRH EOWF KEA publicly verifiable privately verifiable 3-ZK SNARKs (NP) O(1)-concurrent ZK *assuming concurrent extraction delegation succinct keys in functional enc/sig targeted-malleability proof-carrying data

  25. Example: 3-ZK

  26. The Feige-Shamir Protocol witness-hiding proof of knowing witness-indistinguishable proof of knowing

  27. The Feige-Shamir Protocol ``interactively-extractable” witness-indistinguishable proof of knowing

  28. 3-ZK from EOWFsB-Goldwasser-Canetti-Chiesa-Lin-Rubinstein-Tromer ``interactively-extractable” witness-indistinguishable proof of knowing

  29. 3-ZK from EOWFsB-Goldwasser-Canetti-Chiesa-Lin-Rubinstein-Tromer EOWF witness-indistinguishable proof of knowing

  30. Do Extractable Functions Really Exist?What’s Beyond Knowledge Assumptions?Can We Construct Explicit Extractors?

  31. Auxiliary Information

  32. Auxiliary Information efficient extractor

  33. A.I. EOWF witness-indistinguishable proof of knowing

  34. Common Auxiliary Information efficient extractor

  35. Common A.I. EOWFs vs obfuscationHada-Tanaka, Goldreich may be “obfuscated” efficient extractor

  36. Individual Auxiliary Information efficient extractor

  37. Individual Auxiliary Information … … … … … … … …

  38. Is Individual A.I. Enough? can’t fix in advance EOWF witness-indistinguishable proof of knowing

  39. Some Answers

  40. uniform EOWFs with noA.I. EOWFs with commonA.I. explicit efficient extractor efficient extractor open possible impossible indistinguishability obfuscation

  41. EOWFs with bounded A.I. EOWFs with commonA.I. explicit efficient extractor efficient extractor open possible impossible indistinguishability obfuscation

  42. EOWFs with bounded A.I. EOWFs with commonunboundedA.I. explicit efficient extractor efficient extractor open possible impossible indistinguishability obfuscation NIUA for (SNARGs for P, P-certificates Chung-Lin-Pass)

  43. privately-verifiable Generalized EOWFs with bounded A.I. EOWFs with commonunboundedA.I. efficient extractor efficient extractor open possible impossible indistinguishability obfuscation priv’-ver’ SNARGs for P Kalai-Raz-Rothblum: subexp-PIR (e.g., LWE)

  44. privately-verifiable Generalized EOWFs common (unbounded) A.I. privately-verifiable Generalized EOWFs with bounded A.I. efficient extractor efficient extractor open possible impossible indistinguishability obfuscation priv’-ver’ SNARGs for P Kalai-Raz-Rothblum: subexp-PIR (e.g., LWE)

  45. privately-verifiable Generalized EOWFs common (unbounded) A.I. privately-verifiable Generalized EOWFs with bounded A.I. 3-ZK ArgOK 2-ZK Arg bounded A.I. verifiers efficient extractor open possible impossible indistinguishability obfuscation priv’-ver’ SNARGs for P Kalai-Raz-Rothblum: subexp-PIR (e.g., LWE)

  46. EOWFs with (unbounded) individualA.I. efficient extractor efficient extractor efficient extractor open possible impossible

  47. Ideas

  48. Common A.I. Extractionvs.Indistinguishability Obfuscation

  49. The Universal Adversary efficient extractor

  50. The Universal Adversary Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL may be “obfuscated” efficient extractor

More Related