Slides

Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen
Largest Known Prime
$2^{57{,}885{,}161} - 1$
Electronic Frontier Foundation offers
$250,000 prize for a prime with at least a billion digits
"The first number larger than $10^{10^9}$
that is not divisible
by any number other than 1 and itself"
Knowledge
[Figure: Algorithm -> Extraction Procedure (Polynomial Time) -> Knowledge]
Proofs of Knowledge
[Figure: $P$ and $V$ on common input $x \in \mathcal{L}$; witness extraction from $P$; $P$ hides the witness from $V$]
Secrecy: Zero-Knowledge \ Witness indistinguishability
Goal: Extract knowledge that is not publicly available
CCA Encryption
[Figure: the reduction to CPA holds $PK$ and runs $A$; for each decryption query $Enc(x)$ it extracts $x$ in place of $Dec$; on the challenge $Enc(b)$, $A$ outputs $b$]
More Knowledge
[Figure: the reduction runs $A$ and extracts $x$]
Zero-knowledge Proofs, Signatures, Non-malleable
Commitments, Multi-party Computation, Obfuscation, ...
How to Extract?
[Figure: Algorithm -> Extraction? -> Knowledge]
Extraction by Interaction
Or: Black-Box Extraction
[Figure: the extraction procedure gets the public parameters and black-box access to the adversary]
Out of Reach Applications
2-Message
Succinct Argument
(SNARG)
[Figure: $P$ and $V$, two messages]
3-Message
Zero-Knowledge
[Figure: $P$ and $V$, three messages]
Black-Box Security Proof is Impossible
[Goldreich-Krawczyk] (3-message zero-knowledge)
[Gentry-Wichs] (2-message SNARG)
Knowledge of Exponent
[Damgård 92]
[Figure: non-black-box extraction; the adversary gets $(g, h)$ and outputs $(g^x, h^x)$; the extractor gets the adversary's code and outputs $x$]
$\forall A\ \exists E$ s.t. $A(g, h) \to (g^x, h^x) \Rightarrow E(g, h) \to x$
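The relation KEA talks about, as an added example that is not part of the slides: a challenger samples $(g, h = g^\alpha)$ and can later check, using the trapdoor $\alpha$, whether a pair returned by an adversary has the form $(g^x, h^x)$. The assumption itself (that an extractor producing $x$ exists for every adversary passing this check) cannot be demonstrated by code; what the block shows is the check and the difference between an adversary that exponentiates and one that does not. Everything here is a demo-grade assumption: a 64-bit safe prime found with a Miller-Rabin search, a seeded RNG for reproducibility, and the names `KEAChallenger`, `honest_adversary` and `oblivious_adversary` are mine. Real KEA-based protocols use bilinear groups at 128-bit security and verify $e(c_1, h) = e(c_2, g)$ without any trapdoor.

```python
import random

# Added example (not from the slides): the Knowledge-of-Exponent relation in a toy
# prime-order group. Group size and primality testing are demo-grade assumptions.


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (demo-grade; use a vetted library in production)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int, rng: random.Random) -> tuple:
    """Return (p, q) with p = 2q + 1 and both prime, so Z_p^* has a subgroup of prime order q."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            return p, q


class KEAChallenger:
    """Samples (g, h = g^alpha) and keeps alpha as a trapdoor for checking the KEA relation."""

    def __init__(self, bits: int = 64, seed: int = 1):
        rng = random.Random(seed)  # seeded only so the demo is reproducible
        self.p, self.q = safe_prime(bits, rng)
        # A square other than 1 generates the order-q subgroup of Z_p^*.
        self.g = pow(rng.randrange(2, self.p - 1), 2, self.p)
        self.alpha = rng.randrange(1, self.q)  # trapdoor, never given to the adversary
        self.h = pow(self.g, self.alpha, self.p)

    def challenge(self) -> tuple:
        return self.g, self.h, self.p

    def in_relation(self, c1: int, c2: int) -> bool:
        """(c1, c2) = (g^x, h^x) for some x  <=>  both are in the subgroup and c1^alpha == c2."""
        in_subgroup = pow(c1, self.q, self.p) == 1 and pow(c2, self.q, self.p) == 1
        return in_subgroup and pow(c1, self.alpha, self.p) == c2


def honest_adversary(g: int, h: int, p: int, x: int) -> tuple:
    """Forms the pair the only known way: by exponentiating with an x it holds.
    KEA asserts an extractor exists for *every* adversary; for this one it just outputs x."""
    return pow(g, x, p), pow(h, x, p)


def oblivious_adversary(g: int, h: int, p: int, seed: int) -> tuple:
    """Outputs two subgroup elements that are not tied by a common exponent;
    the pair satisfies the relation only with probability 1/q."""
    rng = random.Random(seed)
    return pow(g, rng.randrange(1, p), p), pow(g, rng.randrange(1, p), p)


if __name__ == "__main__":
    ch = KEAChallenger()
    g, h, p = ch.challenge()
    print(ch.in_relation(*honest_adversary(g, h, p, 0xC0FFEE)))  # True
    print(ch.in_relation(*oblivious_adversary(g, h, p, 7)))  # False
```

The subgroup-membership test matters: without it an attacker could hand back low-order elements for which the exponent relation holds trivially, which is the same small-subgroup issue that shows up in Diffie-Hellman deployments.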
Applications of KEA
[HT98, BP04, Mie08, G10, L12, BCCT13, GGPR13, BCIOP13]
Knowledge of Exponent Assumption* (KEA)
* and variants
⇒ 2-Message Succinct Argument (SNARG)
⇒ 3-Message Zero-Knowledge
Extractable Functions
[Canetti-Dakdouk 08]
A family of functions $f_k$ is extractable if:
[Figure: $k \leftarrow \$$; the adversary outputs $f_k(x)$; the extractor outputs $x$]
$\forall A\ \exists E$ s.t. $A(k) \to f_k(x) \Rightarrow E(k) \to x$
Remarks on EF
• KEA is an example of an EF.
• We want EF that are also one-way (OWF, CRHF).
• The image of $f$ should be sparse.
[Figure: $k \leftarrow \$$; the adversary outputs $f_k(x)$; extraction yields $x$]
Applications of EF
[BCCT12, GLR12, DFH12]
Knowledge of Exponent ⇒ Extractable One-Way Functions (EOWF) ⇒ 3-Message Zero-Knowledge
Knowledge of Exponent ⇒ Extractable Collision-Resistant Hash Functions (ECRH) ⇒ 2-Message Succinct Argument (Privately Verifiable)
• Clean assumptions
• Candidates
• Strong applications
What is missing?
A Reduction Using EF
Assuming:
$\forall A\ \exists E$ s.t. $A(k) \to f_k(x) \Rightarrow E(k) \to x$
[Figure: the reduction samples $k \leftarrow \$$, runs $A$ to obtain $f_k(x)$, and runs $E$ to obtain $x$]
Do Extractable One-Way
Functions with an
Explicit Extractor Exist?
It depends on the
Auxiliary Input.
Example: Zero-Knowledge
[Figure: $P$ and $V$ on common input $x \in \mathcal{L}$; $x$ plays the role of auxiliary input; messages $k$ and $f_k(t)$]
Definition of EF with A.I.
For every $A$ and auxiliary input $z_A$
there exist $E$ and auxiliary input $z_E$
such that for every auxiliary input $z$:
$A(z_A, z, k) \to f_k(x) \Rightarrow E(z_E, z, k) \to x$
Types of A.I.
Individual ($z_A$, $z_E$) \ Common ($z$)
Bounded \ Unbounded (length relative to $|f(x)|$)
What type of A.I.
do we need?
Example: Zero-Knowledge
Zero-Knowledge:
For every $V^*$ there exists a simulator $S$
such that for every $x$, $S(x) \approx (P, V^*)(x)$
What you get from individual A.I.:
For every $V^*$ and every $x$ there exists a simulator $S$
such that $S(x) \approx (P, V^*)(x)$
For $x$ need bounded A.I.
For sequential composition need unbounded A.I.
[Figure: Explicit Extractor: Impossible | Open | Possible]
EOWF with unbounded common A.I. ($|z| > |f(x)|$): Impossible, assuming Indistinguishability Obfuscation
EOWF* with bounded A.I. ($|z_A|, |z| < |f(x)|$): Possible from Subexp-LWE (Delegation for P from Subexp-PIR [Kalai-Raz-Rothblum13])
Generalized EOWF
EOWF* = Privately-Verifiable Generalized EOWF
1. EOWF* suffices for the applications of EOWF.
2. The impossibility result holds also for EOWF*.
3. Can remove * assuming publicly-verifiable
delegation for P (P-certificates).
Application
[BCCGLRT13]
EOWF ⇒ 3-Message Zero-Knowledge
EOWF with bounded A.I. \ EOWF* with bounded A.I. ⇒ 3-Message Zero-Knowledge for verifiers with bounded A.I.
Survey
Construction
Impossibility
Construction
EOWF* with Bounded A.I. from
Privately-Verifiable Delegation for P
EOWF with Bounded A.I. from
Publicly-Verifiable Delegation for P
First Attempt
• OWF $f: \{0,1\}^{2n} \to \{0,1\}^{2n}$
• Extraction from $A$ with $|A| < n$
(no restriction on space or running time)
• Single function, no key
(impossible for unbounded A.I.)
First Attempt
$i, s \in \{0,1\}^n$, $\mathrm{PRG}: \{0,1\}^n \to \{0,1\}^{2n}$
$f(i, s) = \mathrm{PRG}(s)$ if $i \neq 0^n$
$f(i, s) = s(1^n)$ if $i = 0^n$
Interpret $s$ as a program outputting $2n$ bits
Extraction
$A(1^n) \to y$ (with $|A| < n$)
$f(0^n, A) = A(1^n) = y$
$E(1^n) \to (0^n, A)$
$f(i, s) = \mathrm{PRG}(s)$ if $i \neq 0^n$, $s(1^n)$ if $i = 0^n$
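The "program as preimage" trick of the first attempt, as an added example that is not part of the slides: the extractor never inverts anything, it outputs $(0^n, \langle A \rangle)$ and $f$ reproduces $y$ by running $A$. The block also makes the problem of the next slide concrete: in the $i = 0^n$ branch, $f$'s running time is whatever the embedded program takes. Assumptions of mine: $n$ is counted in bytes (`N = 1024`), the PRG is a SHAKE256 expansion used as a stand-in, a "program" is a marshalled Python code object run on $1^n$, and `prg`, `encode_program`, `run_program`, `extract` and `adversary` are names I chose.

```python
import builtins
import hashlib
import marshal
import types

# Added example (not from the slides). Byte-level sizes, SHAKE256 as the PRG and
# marshalled Python code as the "program" encoding are all assumptions of this demo.

N = 1024  # security parameter n, in bytes


def prg(seed: bytes) -> bytes:
    """Stand-in PRG {0,1}^n -> {0,1}^{2n} (SHAKE256 expansion, an assumption of this demo)."""
    if len(seed) != N:
        raise ValueError("seed must be exactly n bytes")
    return hashlib.shake_256(seed).digest(2 * N)


def encode_program(code: types.CodeType) -> bytes:
    """Serialise a program into an n-byte string: 2-byte length, marshalled code, zero padding.
    Fails when the program does not fit, mirroring the |A| < n requirement."""
    blob = marshal.dumps(code)
    if 2 + len(blob) > N:
        raise ValueError("program too long: |A| must be < n")
    return len(blob).to_bytes(2, "big") + blob + bytes(N - 2 - len(blob))


def run_program(s: bytes) -> bytes:
    """Interpret s as a program and run it on 1^n; the output is forced to 2n bytes.
    This executes arbitrary code and takes as long as that code takes: f is not poly-time."""
    try:
        length = int.from_bytes(s[:2], "big")
        code = marshal.loads(s[2:2 + length])
        fn = types.FunctionType(code, {"__builtins__": builtins.__dict__})
        out = bytes(fn(N))
    except Exception:  # a random s is not a valid program: map it to 0^{2n} (assumption)
        return bytes(2 * N)
    return out[:2 * N].ljust(2 * N, b"\0")


def f(i: bytes, s: bytes) -> bytes:
    """f(i, s) = PRG(s) if i != 0^n, else s(1^n)."""
    if len(i) != N or len(s) != N:
        raise ValueError("i and s must be n bytes each")
    if i != bytes(N):
        return prg(s)
    return run_program(s)


def adversary(n: int) -> bytes:
    """Any short program emitting 2n bytes; it need not know a PRG seed for its output."""
    import hashlib as hl
    return hl.shake_256(b"constructed adversary secret").digest(2 * n)


def extract(adv) -> tuple:
    """The extractor: given the adversary's code, output the preimage (0^n, <A>)."""
    return bytes(N), encode_program(adv.__code__)


def extraction_succeeds(adv) -> bool:
    """f applied to the extracted preimage reproduces the adversary's own output."""
    i, s = extract(adv)
    return f(i, s) == adv(N)


if __name__ == "__main__":
    print(extraction_succeeds(adversary))  # True
    print(len(f(bytes([1]) + bytes(N - 1), bytes(N))))  # 2048: the PRG branch, 2n bytes
```

Sparseness of the image is visible in the encoding: of the $2^{8N}$ possible strings $s$, only those that decode to a program of fewer than $N$ bytes reach the second branch, and the first branch covers at most $2^{8N}$ of the $2^{16N}$ outputs.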
One-Wayness
1. $f(U_n, U_n) \approx U_{2n}$
2. The image of $f$ is sparse
$f(i, s) = \mathrm{PRG}(s)$ if $i \neq 0^n$, $s(1^n)$ if $i = 0^n$
Problem
$f$ is not poly-time computable!
Solution: Delegation for P
(following the protocols of [B01, BLV03])
$f(i, s) = \mathrm{PRG}(s)$ if $i \neq 0^n$, $s(1^n)$ if $i = 0^n$
Delegation for P
$\mathrm{Gen}(\$) \to \sigma$
$P$ runs in time $\mathrm{poly}(T_M)$ and sends $\pi$, a proof that $M(1^n) \to y$
$V$ runs in time $\mathrm{polylog}(T_M) < n$
Final Construction
$f(i, s, r, y^*, \sigma^*, \pi^*)$:
If $i \neq 0^n$: $y = \mathrm{PRG}(s)$, $\sigma = \mathrm{Gen}(r)$; output $(y, \sigma)$
If $i = 0^n$: if $\pi^*$ is a valid proof for $s(1^n) \to y^*$ under $\sigma^*$, output $(y^*, \sigma^*)$
Extraction
$A(1^n) \to (y, \sigma)$
$E(1^n) \to (0^n, A, r, y, \sigma, \pi^*)$
where $\pi^*$ is a proof that $A(1^n) \to y$ under $\sigma$
One-Wayness
1. $f(U_n, U_n) \approx (U_{2n}, \sigma)$
2. The image of $f$ is sparse
3. Soundness of delegation
Generalized EOWF
Relation $R(f(x), x')$
Hardness:
For a random $x$ it is hard to find $x' \in R(f(x))$
Extraction:
For every $A$ there exists $E$ such that
$A \to f(x) \Rightarrow E \to x' \in R(f(x))$
Privately-Verifiable GEOWF:
Can efficiently test $x' \in R(f(x))$ only given $x$
Impossibility
Assuming indistinguishability obfuscation,
there is no EOWF with unbounded
common auxiliary input
Intuition
[Figure: the non-black-box extractor gets the adversary's code and $k$, sees $f_k(x)$, and must output $x$]
Common A.I. ⇒ Universal Extractor
There exists $E$ s.t. for every $A$ and $z$:
$A(z, k) \to f_k(x) \Rightarrow E(A, z, k) \to x$
Plan
1. Assuming virtual black-box obfuscation
2. Assuming indistinguishability obfuscation
[Goldreich, Hada-Tanaka]
Common A.I.
[Figure: $A$ given $(k, z)$ outputs $f_k(x)$; $E$ given $(k, z)$ outputs $x$]
Universal Extraction
[Figure: the universal adversary $A$ is given $(k, z = A)$ and outputs $f_k(x)$; the universal extractor outputs $x$]
Black-Box Extraction
[Figure: with black-box obfuscation of the universal adversary, the universal extractor effectively has only black-box access to it]
Black-Box Extractor
[Figure: the adversary, on $k$, outputs $f_k(x_k)$ with $x_k = \mathrm{PRF}_s(k)$ in place of an independent uniform $U_n$ per $k$; the black-box extractor must output $x_k$]
Indistinguishability Obfuscation
$C_1 \equiv C_2$ (compute the same function) ⇒ $i\mathcal{O}(C_1) \approx i\mathcal{O}(C_2)$
Indistinguishability Obfuscation
[Figure: the extractor gets $k$ and the obfuscated adversary, which outputs $f_k(x_k)$ for $x_k = \mathrm{PRF}_s(k)$, and must output $x_k$]
Prove that the obfuscation hides $x_k$
[Figure: extractor with the real obfuscated adversary (outputs $f_k(x_k)$) ≈ extractor with an alternative adversary that hides $x_k$]
Alternative Adversary
Using the Sahai-Waters puncturing technique
[Figure: the obfuscated program evaluates $\mathrm{PRF}_s$ at $k$, then $f_k$, and outputs $f_k(x_k)$]
Indistinguishability Obfuscation
[Figure: the extractor sees $k$ and $f_k(x_k)$; the alternative adversary hides $x_k$]
Back to the Construction?
EOWF with
unbounded individual A.I.:
$|z_A| > |f(x)|$
Extractable
CRHF \ COM \ 1-to-1 OWF
[Figure: Impossible | Open | Possible]
Thank You