1 / 55

Extractable Functions

Extractable Functions. Nir Bitansky , Ran Canetti, Omer Paneth , Alon Rosen. Largest Known Prime. 2 57,885,161  − 1. Electronic Frontier Foundation offers $250,000 prize for a prime with at least a billion digits.

yvon
Download Presentation

Extractable Functions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Extractable Functions NirBitansky, Ran Canetti, Omer Paneth, Alon Rosen

  2. Largest Known Prime 257,885,161 − 1 Electronic Frontier Foundation offers $250,000 prize for a prime with at least a billion digits “The first number larger then that is not divisible by any number other than 1 and itself”

  3. Knowledge Algorithm Polynomial Time Extraction Procedure Knowledge

  4. Proofs of Knowledge Hide the Witness Extraction Witness Secrecy : Zero-Knowledge \ Witness indistinguishability Goal: Extract knowledge that is not publicly available

  5. CCA Encryption Reduction To CPA Extraction

  6. More Knowledge Reduction Extraction Zero-knowledge Proofs, Signatures, Non-malleable Commitments, Multi-party Computation, Obfuscation,…

  7. How to Extract? Algorithm Extraction? Knowledge

  8. Extraction by Interaction Or : Black-Box Extraction Public Parameters Adversary Extraction

  9. Out of Reach Applications 2-Message Succinct Argument (SNARG) 3-Message Zero-Knowledge

  10. Out of Reach Applications Black-Box Security Proof is Impossible [Gentry-Wichs] [Goldreich-Krawczyk]

  11. Knowledge of Exponent [Damgård 92] Adversary Extraction Non-Black-Box Extraction

  12. Applications of KEA [HT98,BP04,Mie08,G10,L12,BCCT13,GGPR13,BCIOP13] Knowledge of Exponent Assumption* (KEA) * and variants 2-Message Succinct Argument (SNARG) 3-Message Zero-Knowledge

  13. Extractable Functions [Canetti-Dakdouk 08] A family of function is extractable if: Adversary Extraction

  14. Remarks on EF • KEA is an example for EF. • We want EF that are also one-way. • The image of should be sparse. Adversary Extraction OWF, CRHF

  15. Applications of EF [BCCT12,GLR12,DFH12] Knowledge of Exponent Extractable One-Way Functions (EOWF) Extractable Collision-Resistant Hash Functions (ECRH) 3-Message Zero-Knowledge 2-Message Succinct Argument (Privately Verifiable)

  16. What is missing? • Clean assumptions • Candidates • Strong applications

  17. A Reduction Using EF Assuming: Reduction

  18. Do Extractable One-Way Functions with an Explicit Extractor Exist?

  19. It depends on the Auxiliary Input.

  20. Example: Zero-Knowledge Auxiliary input

  21. Definition of EF with A.I. For every and auxiliary input there exist and auxiliary input such that for every auxiliary input :

  22. Types of A.I. For every and auxiliary input there exist and auxiliary input such that for every auxiliary input : Individual \Common Bounded \ Unbounded

  23. What type of A.I. do we need?

  24. Example: Zero-Knowledge Zero-Knowledge: For every there exists a simulator such that for every , For need bounded A.I. For sequential composition need unbounded A.I. What you get from individual A.I.: For every and every there exists a simulator such that

  25. EOWF with unboundedcommon A.I.: EOWF* with bounded A.I.: Explicit Extractor Impossible Open Possible Delegation for P from Subexp-PIR [Kalai-Raz-Rothblum13] Indistinguishability Obfuscation Subexp-LWE

  26. Generalized EOWF EOWF* = Privately-Verifiable Generalized EOWF EOWF* suffices for applications of EOWF. The impossibility results holds also for EOWF* Can remove * assuming publicly-verifiable delegation for P (P-certificates)

  27. Application [BCCGLRT13] 3-Message Zero-Knowledge EOWF 3-Message Zero-Knowledge For verifiers w. bounded A.I. EOWF with bounded A.I. EOWF* with bounded A.I.

  28. Survey Construction Impossibility

  29. Construction EOWF* with Bounded A.I from Privately-Verifiable Delegation for P EOWF with Bounded A.I from Publicly-Verifiable Delegation for P

  30. First Attempt • OWF • Extraction from (no restriction on space or running time) • Single function - No key (impossible for unbounded A.I)

  31. First Attempt

  32. First Attempt Interpert as a program outputting bits

  33. Extraction ()

  34. One-Wayness • The image of is sparse

  35. Problem is not poly-time computable! Solution: Delegation for P (following the protocols of [B01,BLV03])

  36. Delegation for P

  37. Final Construction Output: If is a valid proof for under Output:

  38. Extraction When is a proof that under

  39. One-Wayness • The image of is sparse • Soundness of delegation

  40. Generalized EOWF Hardness: For a random it is hard to find Extraction: For every there exists such that Privately-Verifiable GEOWF: Can efficiently test only given

  41. Impossibility Assuming indistinguishability obfuscation, there is not EOWF with unbounded common auxiliary input

  42. Intuition Adversary Non-Black-Box Extractor Adversary Common A.I Universal Extractor There exists s.t. for every and :

  43. Plan Assuming virtual black-box obfuscation [Goldreich, Hada-Tanaka] Assuming indistinguishability obfuscation

  44. Common A.I.

  45. Universal Extraction Universal Adversary Universal Extractor

  46. Black-Box Extraction Universal Adversary Black-box obfuscation Universal Extractor

  47. Black-Box Extraction Black-Box Extractor Adversary Adversary

  48. Indistinguishability Obfuscation Compute the same function

  49. Indistinguishability Obfuscation Extractor Adversary Prove that the obfuscation hides

  50. Indistinguishability Obfuscation Extractor Extractor Alternative adversary hides

More Related