Upload
keegan
View
74
Download
2
Tags:
Embed Size (px)
DESCRIPTION
Extractable Functions Fiction or Reality?. Nir Bitansky (TAU). Ran Canetti (BU & TAU). Omer Paneth (BU). Alon Rosen (IDC). Knowledge is Elusive (assuming ). Knowing isn’t like knowing. Knowing isn’t like knowing. Knowing how to prove isn’t like knowing. - PowerPoint PPT Presentation
Citation preview
EXTRACTABLE FUNCTIONSFICTION OR REALITY?
Nir Bitansky (TAU) Ran Canetti (BU & TAU)
Omer Paneth (BU) Alon Rosen (IDC)
2
Knowledge is Elusive (assuming )
Knowing isn’t like knowing
Knowing isn’t like knowing
Knowing how to prove isn’t like knowing
3
ZK Proofs of KnowledgeGoldwasser-Micali-Rackoff, Feige-Shamir, Goldreich-Bellare
efficientextractor
𝒱𝒫∗
𝑤∈𝑹𝑳(𝑥 )
𝑥
𝑎𝑐𝑐𝑒𝑝𝑡
4
Effective Knowledge
=what can be
efficiently extractedfrom the adversary
5
Extraction is Essential to Cryptographic Analysis
Composition
Input Independence in MPC
ZK simulation (the trapdoor paradigm)
⋮
⋮
6
How is Knowledge Extracted?
7
The Black-Box Tradition (aka Rewinding)
extractor
𝐴
8
extractor
𝐴
reduction/simulator
Black-Box (Turing) Reductions/Simulators
9
Using The Adversary’s Code
Aextractor
reduction/simulator
10
The Black-Box Barrier
Black-Box
SNARGs for NP(Succinct Non-Interactive Arguments)
Gentry-Wichs
3-ZKGoldreich-Krawczyk
O(1)-public-coin-ZKGoldreich-Krawczyk
most of cryptoas we know it!
Non-Black-Box
11
Beyond the Barrier
-round public-coin ZKwith
non-black-box simulation
Barak
12
Post Barak
SNARGs3-ZK
O(1)-public-coin-ZKBarak
resettably-sound-ZKBarak-Goldreich-Goldwasser-Lindell
simultaneously-resettable-ZKDeng-Goyal-Sahai
O(1)-covert-MPCGoyal-Jain
(uniform) O(1)-concurrent-ZKChung-Lin-Pass
interaction
…
13
Knowledge Assumptionsand
Extractable Functions
14
Damgård’s Knowledge of Exponent Assumption
15
𝐴
Damgård’s Knowledge of Exponent Assumption
𝑔𝑥 , h𝑥𝑔 , h𝑔 , h←𝐺∗
𝑥
16
𝑔h
𝑔2𝑔3…
h2
h3
⋮
is -sparse
17
𝐴
Damgård’s Knowledge of Exponent Assumption
efficientextractor 𝑥
𝑔𝑥 , h𝑥𝑔 , h𝑔 , h←𝐺∗
𝐴
𝑥
18
Extractable FunctionsCanetti-Dakdouk
19
efficientextractor
𝑘
Extractable FunctionsCanetti-Dakdouk
𝑓 𝑘(𝑥)
𝑥 ′𝑓 𝑘 (𝑥′ )= 𝑓 𝑘(𝑥)
OWFCRH
COM
𝐴
𝐴
21
Black-Box Extraction is Impossible
22
Black-Box Extraction is Impossible
efficientextractor
𝐴
black-box extractor must invert the one-way
𝑘 𝑓 𝑘(𝑥)
𝑘 ′ 𝑓 𝑘′ (𝑃𝑅𝐹 𝑠(𝑘
′))
23
Extractable Functionsin Non-Interactive Applications
O(1)-concurrent ZK*assuming concurrent extraction
3-ZK
KEAEOWF
B-Canetti-Chiesa-Goldwasser-Lin-
Rubinstein-Tromer
Hada-Tanaka,Micali-Lepinski*,Bellare-Palacio
BCCGLRT
Canetti-Dakdouk Damgard
Gupta-Sahai
24
Extractable Functionsin Non-Interactive Applications
O(1)-concurrent ZK*assuming concurrent extraction
3-ZK
SNARKs (NP)
KEAEOWF ECRH
publicly verifiable
privatelyverifiable
Mie, DiCrescenzo
-Lipmaa*
Damgard BCCGLRT,Damgard-
Faust-Hazay
Groth,Lipmaa,B-Canetti-Chiesa-Tromer,Gennaro-Gentry-Parno-
Raykiova, B-Chiesa-Ishai-Ostrovsky-Paneth
BCCGLRT,DFH
25
Extractable Functionsin Non-Interactive Applications
O(1)-concurrent ZK*assuming concurrent extraction
3-ZK
SNARKs (NP)
KEAEOWF ECRH
publicly verifiable
privatelyverifiable
proof-carrying data
delegation
targeted-malleabilitysuccinct keysin functional
enc/sig
27
Example: 3-ZK
28
The Feige-Shamir Protocol
𝑉𝑢←𝑈
𝑃𝑓 (𝑢)
𝑥 ,𝑤 𝑥
witness-hidingproof of knowing
witness-indistinguishable proof of knowing
30
The Feige-Shamir Protocol
𝑉𝑢←𝑈
𝑃𝑥 ,𝑤 𝑥
witness-indistinguishable proof of knowing
``interactively-extractable”
31
3-ZK from EOWFsB-Goldwasser-Canetti-Chiesa-Lin-Rubinstein-Tromer
𝑉𝑢←𝑈
𝑃𝑥 ,𝑤 𝑥
witness-indistinguishable proof of knowing
``interactively-extractable”
32
𝑉𝑢←𝑈
𝑃𝑥 ,𝑤 𝑥
witness-indistinguishable proof of knowing
𝑘
EOWF
+𝑊 𝐼 1
+𝑊 𝐼 2
𝑘←𝐾
3-ZK from EOWFsB-Goldwasser-Canetti-Chiesa-Lin-Rubinstein-Tromer
33
Do Extractable Functions Really Exist?
What’s Beyond Knowledge Assumptions?
Can We Construct Explicit Extractors?
34
Auxiliary Information
35
Auxiliary Information
efficientextractor
𝑘𝑓 𝑘(𝑥)
𝑥 ′𝐴
𝐴
𝑧
36
𝑉𝑢←𝑈
𝑃𝑥 ,𝑤 𝑥
witness-indistinguishable proof of knowing
𝑘
EOWF
+𝑊 𝐼 1
+𝑊 𝐼 2
A.I.
𝑘←𝐾
37
Common Auxiliary Information
efficientextractor
𝑘𝑓 𝑘(𝑥)
𝑥 ′𝐴
𝐴
𝑧 ∀ 𝐴∃ 𝐸∀ 𝑧
38
Common A.I. EOWFs vs obfuscationHada-Tanaka, Goldreich
efficientextractor
𝑧=¿ 𝐴
𝑘 𝐴 𝑓 𝑘(𝑥)
may be “obfuscated”
39
Individual Auxiliary Information
efficientextractor
𝑘𝑓 𝑘(𝑥)
𝑥 ′𝐴
𝐴
𝑧𝑧 ′≠ ∀ 𝐴∃ 𝐸∀ 𝑧∃𝑧 ′
40
Individual Auxiliary Information
𝑘𝑓 𝑘(𝑥)
𝑥 ′
……
…
𝐴
……
…
𝐸……
∀ 𝐴∃ 𝐸
41
𝑉𝑢←𝑈
𝑃𝑥 ,𝑤 𝑥
witness-indistinguishable proof of knowing
𝑘
EOWF
+𝑊 𝐼 1
+𝑊 𝐼 2
can’t fixin advance
Is Individual A.I. Enough?
𝑘←𝐾
43
Some Answers
44
impossible possibleopen
EOWFswith common A.I.
indistinguishabilityobfuscation
efficientextractor
𝐴
𝑧
uniform EOWFswith no A.I.
efficientextractor
𝐴
𝑧explicit
45
impossible possibleopen
EOWFswith common A.I.
indistinguishabilityobfuscation
efficientextractor
𝐴
𝑧
efficientextractor
𝐴
EOWFswith bounded A.I.
|𝑧|<𝐵(𝑛)explicit
46
impossible possibleopen
EOWFs withcommon unbounded A.I.
indistinguishabilityobfuscation
efficientextractor
𝐴
EOWFswith bounded A.I.
efficientextractor
𝐴
|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿ explicit
NIUA for (SNARGs for P,
P-certificates Chung-Lin-Pass)
47
impossible possibleopen
indistinguishabilityobfuscation
priv’-ver’ SNARGs for PKalai-Raz-Rothblum:
subexp-PIR (e.g., LWE)
efficientextractor
𝐴
privately-verifiable Generalized EOWFs
with bounded A.I.
efficientextractor
𝐴
|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿
EOWFs withcommon unbounded A.I.
48
impossible possibleopen
indistinguishabilityobfuscation
priv’-ver’ SNARGs for PKalai-Raz-Rothblum:
subexp-PIR (e.g., LWE)
efficientextractor
𝐴
privately-verifiable Generalized EOWFs
with bounded A.I.
efficientextractor
𝐴
|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿
privately-verifiable Generalized EOWFs
common (unbounded) A.I.
49
impossible possibleopen
indistinguishabilityobfuscation
priv’-ver’ SNARGs for PKalai-Raz-Rothblum:
subexp-PIR (e.g., LWE)
efficientextractor
𝐴
privately-verifiable Generalized EOWFs
with bounded A.I.
|𝑧|>¿ 𝑓 (𝑥 )∨¿
privately-verifiable Generalized EOWFs
common (unbounded) A.I.
3-ZK ArgOK2-ZK Arg
bounded A.I. verifiers
50
impossible possibleopen
efficientextractor
𝐴
efficientextractor
𝐴
|𝑧|<¿ 𝑓 (𝑥 )∨¿|𝑧|>¿ 𝑓 (𝑥 )∨¿
efficientextractor
𝐴
𝑧≠ 𝑧 ′
EOWFswith (unbounded)
individual A.I.
51
Ideas
52
Common A.I. Extractionvs.
Indistinguishability Obfuscation
53
The Universal Adversary
efficientextractor
𝑧=¿ 𝐴
𝑘 𝐴 𝑓 𝑘(𝑥)
54
The Universal Adversary
efficientextractor
𝑧=¿
𝑘 𝐴 𝑓 𝑘(𝑥)
may be “obfuscated”
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOLKd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL
55
The Universal Adversary
efficientextractor
𝑘 𝑓 𝑘(𝑥)Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL
𝐴
56
Black-Box Extraction is Impossible
efficientextractor
𝐴
black-box extractor must invert the one-way
𝑘 𝑓 𝑘(𝑥)
𝑘 ′ 𝑓 𝑘′ (𝑃𝑅𝐹 𝑠(𝑘
′))
57
The Universal Adversary
efficientextractor
𝑘 𝑓 𝑘(𝑥)Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL
𝐴𝑠
58
What Kind of Obfuscation?
𝐴𝑠
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?
Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)
Goldwasser-Kalai, B-Canetti-Paneth-Rosen
Need to hide PRF value only on the particular point (out of Ext’s control) – use Sahai-Waters puncturing
59
What Kind of Obfuscation?
𝐴𝑠
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?
Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)
Goldwasser-Kalai, B-Canetti-Paneth-Rosen
Need to hide PRF value only on the particular point (out of Ext’s control) – use Sahai-Waters puncturing
60
What Kind of Obfuscation?
𝐴𝑠
Kd87x*$S49d6##nasdil&&KmwLPes6Vd#@,lLSfs03K(#talkem,;eHLSOL?
Evidence that VBB obfuscation of is impossible(it is pseudo-entropic)
Goldwasser-Kalai, B-Canetti-Paneth-Rosen
Need to hide PRF value only on the particular point (out of Ext’s control) – use Sahai-Waters puncturing
A.I. depends on – but, with IndObf looks as if it doesn’t
61
Extractable One-Way Functionsw.r.t Bounded A.I.
62
efficientextractor
𝑘 𝑓 𝑘(𝑥)𝐴
If You Can’t Extract What’s inside the Head,
Extract the Head [Barak]
𝐴
63
First Attempt
𝑓 (𝑖 , 𝑠)
Goal: keyless
parsed as a machinewith output bits
normal branch trapdoor branch
Ingredient:
𝑖≠0𝑛 𝑖=0𝑛
𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)
65
Extractability
𝑦∈ {0 ,1 }2𝑛𝐴(𝑧 , ⋅)1𝑛
≤𝑛
efficientextractor
𝐴(𝑧 , ⋅)0𝑛 ,
𝑓
𝑓 (𝑖 , 𝑠)𝑖≠0𝑛 𝑖=0𝑛
𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)
66
One-Wayness
For :
Inverter finds s.t But a.s. has Kolmogorov complexity
𝑓 (𝑖 , 𝑠)𝑖≠0𝑛 𝑖=0𝑛
𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)
67
not bounded by any polynomial
Barak ZK: solved by interactive universal arguments for non-deterministic computations Barak-Lindell-Vadhan ZK: solved assuming non-interactive universal argumentsfor non-deterministic computations (Micali’s CS proofs)
Problem
𝑓 (𝑖 , 𝑠)𝑖≠0𝑛 𝑖=0𝑛
𝑃𝑅𝐺 (𝑠 ) 𝑠(1𝑛)
68
NIUAs for Deterministic Computations
𝑃 𝑉
𝐺𝜎
𝜋
= “ outputs after steps”
referencestring
poly ¿ poly ¿
𝜎
69
𝑓 (𝑖 , 𝑠 ,𝑟 ,𝜋∗ , 𝑦 ∗ ,𝜎∗)
Instead of running , the trapdoor branch verifies a proof that
out:
if is a valid proofthat w.r.t out:
𝑖≠0𝑛 𝑖=0𝑛
One-wayness: maintained by the soundness of the NIUA.
Extraction: given the code of , compute a proof for
EOWFs from NIUAs
70
𝑓 (𝑖 , 𝑠 ,𝑟 ,𝜋∗ , 𝑦 ∗ ,𝜎∗)
Instead of running , the trapdoor branch verifies a proof that
out:
if is a valid proofthat w.r.t out:
𝑖≠0𝑛 𝑖=0𝑛
One-wayness: maintained by the soundness of the NIUA.
Extraction: given the code of , compute a proof for
EOWFs from NIUAs
relies on public-verifiability(soundness holds in presence of verification key )
71
Generalized EOWFs from privately-verifiable NIUAs
𝑅 ( 𝑓 (𝑥 ) ,𝑥 ′ )
Hardness: given where hard to find
Extractabilitygiven code that outputs ,
can extract
Private-verification: can be computed given the private
Public-verification: can be eff’ computed by anyone
Can be constructed from subexp LWE [Kalai-Raz-Rothblum]Sufficient for 2/3-ZK
73
impossible possibleopen
Open Questions
Construct a (uniform) ECRH
EOWFs w.r.t individual auxiliary information
EOWFs w.r.t to common “benign” distributions
74