extractable functions fiction or reality?
DESCRIPTION
Extractable Functions Fiction or Reality?. Nir Bitansky (TAU). Ran Canetti (BU & TAU). Omer Paneth (BU). Alon Rosen (IDC). Knowledge is Elusive (assuming ). Knowing isn’t like knowing. Knowing isn’t like knowing. Knowing how to prove isn’t like knowing. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/1.jpg)
EXTRACTABLE FUNCTIONSFICTION OR REALITY?
Nir Bitansky (TAU) Ran Canetti (BU & TAU)
Omer Paneth (BU) Alon Rosen (IDC)
![Page 2: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/2.jpg)
2
Knowledge is Elusive (assuming )
Knowing isn’t like knowing
Knowing isn’t like knowing
Knowing how to prove isn’t like knowing
![Page 3: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/3.jpg)
3
ZK Proofs of KnowledgeGoldwasser-Micali-Rackoff, Feige-Shamir, Goldreich-Bellare
efficientextractor
𝒱𝒫∗
𝑤∈𝑹𝑳(𝑥 )
𝑥
𝑎𝑐𝑐𝑒𝑝𝑡
![Page 4: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/4.jpg)
4
Effective Knowledge
=what can be
efficiently extractedfrom the adversary
![Page 5: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/5.jpg)
5
Extraction is Essential to Cryptographic Analysis
Composition
Input Independence in MPC
ZK simulation (the trapdoor paradigm)
⋮
⋮
![Page 6: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/6.jpg)
6
How is Knowledge Extracted?
![Page 7: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/7.jpg)
7
The Black-Box Tradition (aka Rewinding)
extractor
𝐴
![Page 8: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/8.jpg)
8
extractor
𝐴
reduction/simulator
Black-Box (Turing) Reductions/Simulators
![Page 9: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/9.jpg)
9
Using The Adversary’s Code
Aextractor
reduction/simulator
![Page 10: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/10.jpg)
10
The Black-Box Barrier
Black-Box
SNARGs for NP(Succinct Non-Interactive Arguments)
Gentry-Wichs
3-ZKGoldreich-Krawczyk
O(1)-public-coin-ZKGoldreich-Krawczyk
most of cryptoas we know it!
Non-Black-Box
![Page 11: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/11.jpg)
11
Beyond the Barrier
-round public-coin ZKwith
non-black-box simulation
Barak
![Page 12: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/12.jpg)
12
Post Barak
SNARGs3-ZK
O(1)-public-coin-ZKBarak
resettably-sound-ZKBarak-Goldreich-Goldwasser-Lindell
simultaneously-resettable-ZKDeng-Goyal-Sahai
O(1)-covert-MPCGoyal-Jain
(uniform) O(1)-concurrent-ZKChung-Lin-Pass
interaction
…
![Page 13: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/13.jpg)
13
Knowledge Assumptionsand
Extractable Functions
![Page 14: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/14.jpg)
14
Damgård’s Knowledge of Exponent Assumption
![Page 15: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/15.jpg)
15
𝐴
Damgård’s Knowledge of Exponent Assumption
𝑔𝑥 , h𝑥𝑔 , h𝑔 , h←𝐺∗
𝑥
![Page 16: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/16.jpg)
16
𝑔h
𝑔2𝑔3…
h2
h3
⋮
is -sparse
![Page 17: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/17.jpg)
17
𝐴
Damgård’s Knowledge of Exponent Assumption
efficientextractor 𝑥
𝑔𝑥 , h𝑥𝑔 , h𝑔 , h←𝐺∗
𝐴
𝑥
![Page 18: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/18.jpg)
18
Extractable FunctionsCanetti-Dakdouk
![Page 19: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/19.jpg)
19
efficientextractor
𝑘
Extractable FunctionsCanetti-Dakdouk
𝑓 𝑘(𝑥)
𝑥 ′𝑓 𝑘 (𝑥′ )= 𝑓 𝑘(𝑥)
OWFCRH
COM
𝐴
𝐴
![Page 20: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/20.jpg)
21
Black-Box Extraction is Impossible
![Page 21: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/21.jpg)
22
Black-Box Extraction is Impossible
efficientextractor
𝐴
black-box extractor must invert the one-way
𝑘 𝑓 𝑘(𝑥)
𝑘 ′ 𝑓 𝑘′ (𝑃𝑅𝐹 𝑠(𝑘
′))
![Page 22: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/22.jpg)
23
Extractable Functionsin Non-Interactive Applications
O(1)-concurrent ZK*assuming concurrent extraction
3-ZK
KEAEOWF
B-Canetti-Chiesa-Goldwasser-Lin-
Rubinstein-Tromer
Hada-Tanaka,Micali-Lepinski*,Bellare-Palacio
BCCGLRT
Canetti-Dakdouk Damgard
Gupta-Sahai
![Page 23: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/23.jpg)
24
Extractable Functionsin Non-Interactive Applications
O(1)-concurrent ZK*assuming concurrent extraction
3-ZK
SNARKs (NP)
KEAEOWF ECRH
publicly verifiable
privatelyverifiable
Mie, DiCrescenzo
-Lipmaa*
Damgard BCCGLRT,Damgard-
Faust-Hazay
Groth,Lipmaa,B-Canetti-Chiesa-Tromer,Gennaro-Gentry-Parno-
Raykiova, B-Chiesa-Ishai-Ostrovsky-Paneth
BCCGLRT,DFH
![Page 24: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/24.jpg)
25
Extractable Functionsin Non-Interactive Applications
O(1)-concurrent ZK*assuming concurrent extraction
3-ZK
SNARKs (NP)
KEAEOWF ECRH
publicly verifiable
privatelyverifiable
proof-carrying data
delegation
targeted-malleabilitysuccinct keysin functional
enc/sig
![Page 25: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/25.jpg)
27
Example: 3-ZK
![Page 26: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/26.jpg)
28
The Feige-Shamir Protocol
𝑉𝑢←𝑈
𝑃𝑓 (𝑢)
𝑥 ,𝑤 𝑥
witness-hidingproof of knowing
witness-indistinguishable proof of knowing
![Page 27: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/27.jpg)
30
The Feige-Shamir Protocol
𝑉𝑢←𝑈
𝑃𝑥 ,𝑤 𝑥
witness-indistinguishable proof of knowing
``interactively-extractable”
![Page 28: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/28.jpg)
31
3-ZK from EOWFsB-Goldwasser-Canetti-Chiesa-Lin-Rubinstein-Tromer
𝑉𝑢←𝑈
𝑃𝑥 ,𝑤 𝑥
witness-indistinguishable proof of knowing
``interactively-extractable”
![Page 29: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/29.jpg)
32
𝑉𝑢←𝑈
𝑃𝑥 ,𝑤 𝑥
witness-indistinguishable proof of knowing
𝑘
EOWF
+𝑊 𝐼 1
+𝑊 𝐼 2
𝑘←𝐾
3-ZK from EOWFsB-Goldwasser-Canetti-Chiesa-Lin-Rubinstein-Tromer
![Page 30: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/30.jpg)
33
Do Extractable Functions Really Exist?
What’s Beyond Knowledge Assumptions?
Can We Construct Explicit Extractors?
![Page 31: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/31.jpg)
34
Auxiliary Information
![Page 32: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/32.jpg)
35
Auxiliary Information
efficientextractor
𝑘𝑓 𝑘(𝑥)
𝑥 ′𝐴
𝐴
𝑧
![Page 33: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/33.jpg)
36
𝑉𝑢←𝑈
𝑃𝑥 ,𝑤 𝑥
witness-indistinguishable proof of knowing
𝑘
EOWF
+𝑊 𝐼 1
+𝑊 𝐼 2
A.I.
𝑘←𝐾
![Page 34: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/34.jpg)
37
Common Auxiliary Information
efficientextractor
𝑘𝑓 𝑘(𝑥)
𝑥 ′𝐴
𝐴
𝑧 ∀ 𝐴∃ 𝐸∀ 𝑧
![Page 35: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/35.jpg)
38
Common A.I. EOWFs vs obfuscationHada-Tanaka, Goldreich
efficientextractor
𝑧=¿ 𝐴
𝑘 𝐴 𝑓 𝑘(𝑥)
may be “obfuscated”
![Page 36: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/36.jpg)
39
Individual Auxiliary Information
efficientextractor
𝑘𝑓 𝑘(𝑥)
𝑥 ′𝐴
𝐴
𝑧𝑧 ′≠ ∀ 𝐴∃ 𝐸∀ 𝑧∃𝑧 ′
![Page 37: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/37.jpg)
40
Individual Auxiliary Information
𝑘𝑓 𝑘(𝑥)
𝑥 ′
……
…
𝐴
……
…
𝐸……
∀ 𝐴∃ 𝐸
![Page 38: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/38.jpg)
41
𝑉𝑢←𝑈
𝑃𝑥 ,𝑤 𝑥
witness-indistinguishable proof of knowing
𝑘
EOWF
+𝑊 𝐼 1
+𝑊 𝐼 2
can’t fixin advance
Is Individual A.I. Enough?
𝑘←𝐾
![Page 39: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/39.jpg)
43
Some Answers
![Page 40: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/40.jpg)
44
impossible possibleopen
EOWFswith common A.I.
indistinguishabilityobfuscation
efficientextractor
𝐴
𝑧
uniform EOWFswith no A.I.
efficientextractor
𝐴
𝑧explicit
![Page 41: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/41.jpg)
45
impossible possibleopen
EOWFswith common A.I.
indistinguishabilityobfuscation
efficientextractor
𝐴
𝑧
efficientextractor
𝐴
EOWFswith bounded A.I.
|𝑧|<𝐵(𝑛)explicit
![Page 42: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/42.jpg)
46
impossible possibleopen
EOWFs withcommon unbounded A.I.
indistinguishabilityobfuscation
efficientextractor
𝐴
EOWFswith bounded A.I.
efficientextractor
𝐴
|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿ explicit
NIUA for (SNARGs for P,
P-certificates Chung-Lin-Pass)
![Page 43: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/43.jpg)
47
impossible possibleopen
indistinguishabilityobfuscation
priv’-ver’ SNARGs for PKalai-Raz-Rothblum:
subexp-PIR (e.g., LWE)
efficientextractor
𝐴
privately-verifiable Generalized EOWFs
with bounded A.I.
efficientextractor
𝐴
|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿
EOWFs withcommon unbounded A.I.
![Page 44: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/44.jpg)
48
impossible possibleopen
indistinguishabilityobfuscation
priv’-ver’ SNARGs for PKalai-Raz-Rothblum:
subexp-PIR (e.g., LWE)
efficientextractor
𝐴
privately-verifiable Generalized EOWFs
with bounded A.I.
efficientextractor
𝐴
|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿
privately-verifiable Generalized EOWFs
common (unbounded) A.I.
![Page 45: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/45.jpg)
49
impossible possibleopen
indistinguishabilityobfuscation
priv’-ver’ SNARGs for PKalai-Raz-Rothblum:
subexp-PIR (e.g., LWE)
efficientextractor
𝐴
privately-verifiable Generalized EOWFs
with bounded A.I.
|𝑧|>¿ 𝑓 (𝑥 )∨¿
privately-verifiable Generalized EOWFs
common (unbounded) A.I.
3-ZK ArgOK2-ZK Arg
bounded A.I. verifiers
![Page 46: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/46.jpg)
50
impossible possibleopen
efficientextractor
𝐴
efficientextractor
𝐴
|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿
efficientextractor
𝐴
𝑧≠ 𝑧 ′
EOWFswith (unbounded)
individual A.I.
![Page 47: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/47.jpg)
51
Ideas
![Page 48: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/48.jpg)
52
Common A.I. Extractionvs.
Indistinguishability Obfuscation
![Page 49: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/49.jpg)
53
The Universal Adversary
efficientextractor
𝑧=¿ 𝐴
𝑘 𝐴 𝑓 𝑘(𝑥)
![Page 50: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/50.jpg)
54
The Universal Adversary
efficientextractor
𝑧=¿
𝑘 𝐴 𝑓 𝑘(𝑥)
may be “obfuscated”
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOLKd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL
![Page 51: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/51.jpg)
55
The Universal Adversary
efficientextractor
𝑘 𝑓 𝑘(𝑥)Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL
𝐴
![Page 52: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/52.jpg)
56
Black-Box Extraction is Impossible
efficientextractor
𝐴
black-box extractor must invert the one-way
𝑘 𝑓 𝑘(𝑥)
𝑘 ′ 𝑓 𝑘′ (𝑃𝑅𝐹 𝑠(𝑘
′))
![Page 53: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/53.jpg)
57
The Universal Adversary
efficientextractor
𝑘 𝑓 𝑘(𝑥)Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL
𝐴𝑠
![Page 54: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/54.jpg)
58
What Kind of Obfuscation?
𝐴𝑠
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?
Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)
Goldwasser-Kalai, B-Canetti-Paneth-Rosen
Need to hide PRF value only on the particular point (out of Ext’s control) – use Sahai-Waters puncturing
![Page 55: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/55.jpg)
59
What Kind of Obfuscation?
𝐴𝑠
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?
Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)
Goldwasser-Kalai, B-Canetti-Paneth-Rosen
Need to hide PRF value only on the particular point (out of Ext’s control) – use Sahai-Waters puncturing
![Page 56: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/56.jpg)
60
What Kind of Obfuscation?
𝐴𝑠
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?
Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)
Goldwasser-Kalai, B-Canetti-Paneth-Rosen
Need to hide PRF value only on the particular point (out of Ext’s control) – use Sahai-Waters puncturing
A.I. depends on – but, with IndObf looks as if it doesn’t
![Page 57: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/57.jpg)
61
Extractable One-Way Functionsw.r.t Bounded A.I.
![Page 58: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/58.jpg)
62
efficientextractor
𝑘 𝑓 𝑘(𝑥)𝐴
If You Can’t Extract What’s inside the Head,
Extract the Head [Barak]
𝐴
![Page 59: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/59.jpg)
63
First Attempt
𝑓 (𝑖 , 𝑠)
Goal: keyless
parsed as a machinewith output bits
normal branch trapdoor branch
Ingredient:
𝑖≠0𝑛 𝑖=0𝑛
𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)
![Page 60: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/60.jpg)
65
Extractability
𝑦∈ {0 ,1 }2𝑛𝐴(𝑧 , ⋅)1𝑛
≤𝑛
efficientextractor
𝐴(𝑧 , ⋅)0𝑛 ,
𝑓
𝑓 (𝑖 , 𝑠)𝑖≠0𝑛 𝑖=0𝑛
𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)
![Page 61: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/61.jpg)
66
One-Wayness
For :
Inverter finds s.t But a.s. has Kolmogorov complexity
𝑓 (𝑖 , 𝑠)𝑖≠0𝑛 𝑖=0𝑛
𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)
![Page 62: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/62.jpg)
67
not bounded by any polynomial
Barak ZK: solved by interactive universal arguments for non-deterministic computations Barak-Lindell-Vadhan ZK: solved assuming non-interactive universal argumentsfor non-deterministic computations (Micali’s CS proofs)
Problem
𝑓 (𝑖 , 𝑠)𝑖≠0𝑛 𝑖=0𝑛
𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)
![Page 63: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/63.jpg)
68
NIUAs for Deterministic Computations
𝑃 𝑉
𝐺𝜎
𝜋
= “ outputs after steps”
referencestring
poly ¿ poly ¿
𝜎
![Page 64: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/64.jpg)
69
𝑓 (𝑖 , 𝑠 ,𝑟 ,𝜋∗ , 𝑦 ∗ ,𝜎∗)
Instead of running , the trapdoor branch verifies a proof that
out:
if is a valid proofthat w.r.t out:
𝑖≠0𝑛 𝑖=0𝑛
One-wayness: maintained by the soundness of the NIUA.
Extraction: given the code of , compute a proof for
EOWFs from NIUAs
![Page 65: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/65.jpg)
70
𝑓 (𝑖 , 𝑠 ,𝑟 ,𝜋∗ , 𝑦 ∗ ,𝜎∗)
Instead of running , the trapdoor branch verifies a proof that
out:
if is a valid proofthat w.r.t out:
𝑖≠0𝑛 𝑖=0𝑛
One-wayness: maintained by the soundness of the NIUA.
Extraction: given the code of , compute a proof for
EOWFs from NIUAs
relies on public-verifiability(soundness holds in presence of verification key )
![Page 66: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/66.jpg)
71
Generalized EOWFs from privately-verifiable NIUAs
𝑅 ( 𝑓 (𝑥 ) ,𝑥 ′ )
Hardness: given where hard to find
Extractabilitygiven code that outputs ,
can extract
Private-verification: can be computed given the private
Public-verification: can be eff’ computed by anyone
Can be constructed from subexp LWE [Kalai-Raz-Rothblum]Sufficient for 2/3-ZK
![Page 67: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/67.jpg)
73
impossible possibleopen
Open Questions
Construct a (uniform) ECRH
EOWFs w.r.t individual auxiliary information
EOWFs w.r.t to common “benign” distributions
![Page 68: Extractable Functions Fiction or Reality?](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814327550346895daf975b/html5/thumbnails/68.jpg)
74