Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen

Largest Known Prime 2 57,885,161 − 1 Electronic Frontier Foundation offers $250,000 prize for a prime with at least a billion digits

Knowledge Algorithm Knowledge Polynomial Time Extraction Procedure

Proofs of Knowledge Witness Extraction Hide the Witness Secrecy : Zero-Knowledge \ Witness indistinguishability Goal: Extract knowledge that is not publicly available

CCA Encryption Reduction To CPA Extraction

More Knowledge Zero-knowledge Proofs, Signatures, Non-malleable Commitments, Multi-party Computation, Obfuscation,… Reduction Extraction

How to Extract? Algorithm Knowledge Extraction?

Extraction by Interaction Or : Black-Box Extraction Adversary Extraction Public Parameters

Out of Reach Applications 3-Message Zero-Knowledge 2-Message Succinct Argument (SNARG)

Out of Reach Applications [Goldreich-Krawczyk][Gentry-Wichs] Black-Box Security Proof is Impossible

Knowledge of Exponent Adversary Extraction [Damgård 92] Non-Black-Box Extraction

Applications of KEA 3-Message Zero-Knowledge 2-Message Succinct Argument (SNARG) Knowledge of Exponent Assumption* (KEA) * and variants [HT98,BP04,Mie08,G10,L12,BCCT13,GGPR13,BCIOP13]

Extractable Functions Adversary Extraction [Canetti-Dakdouk 08]

Remarks on EF Adversary Extraction OWF, CRHF

Applications of EF 3-Message Zero-Knowledge 2-Message Succinct Argument (Privately Verifiable) Knowledge of Exponent Extractable One-Way Functions (EOWF) Extractable Collision-Resistant Hash Functions (ECRH) [BCCT12,GLR12,DFH12]

What is missing? Clean assumptions Candidates Strong applications

A Reduction Using EF Reduction

Do Extractable One-Way Functions with an Explicit Extractor Exist?

It depends on the Auxiliary Input.

Example: Zero-Knowledge Auxiliary input

Definition of EF with A.I.

Types of A.I. Individual \ Common Bounded \ Unbounded

What type of A.I. do we need?

Example: Zero-Knowledge

PossibleImpossibleOpen Subexp-LWEIndistinguishability Obfuscation Explicit Extractor Delegation for P from Subexp-PIR [Kalai-Raz-Rothblum13]

Generalized EOWF EOWF* = Privately-Verifiable Generalized EOWF 1.EOWF* suffices for applications of EOWF. 2.The impossibility results holds also for EOWF* 3.Can remove * assuming publicly-verifiable delegation for P (P-certificates)

Application 3-Message Zero-Knowledge EOWF 3-Message Zero-Knowledge For verifiers w. bounded A.I. EOWF with bounded A.I. EOWF* with bounded A.I. [BCCGLRT13]

Construction Survey Impossibility

Construction EOWF* with Bounded A.I from Privately-Verifiable Delegation for P EOWF with Bounded A.I from Publicly-Verifiable Delegation for P

First Attempt

Extraction

One-Wayness

Problem Solution: Delegation for P (following the protocols of [B01,BLV03])

Delegation for P

Final Construction

Extraction

One-Wayness

Generalized EOWF

Impossibility Assuming indistinguishability obfuscation, there is not EOWF with unbounded common auxiliary input

Intuition Adversary Non-Black-Box Extractor

Plan 1.Assuming virtual black-box obfuscation [Goldreich, Hada-Tanaka] 2.Assuming indistinguishability obfuscation

Common A.I.

Universal Extraction Universal Extractor Universal Adversary

Black-Box Extraction Universal Extractor Universal Adversary Black-box obfuscation

Black-Box Extraction Black-Box Extractor Adversary

Indistinguishability Obfuscation Compute the same function

Indistinguishability Obfuscation Extractor Adversary

Indistinguishability Obfuscation Extractor Alternative adversary

Alternative Adversary Using the Sahai-Waters puncturing technique

Indistinguishability Obfuscation Extractor

Back to the Construction?Construction

PossibleImpossibleOpen Extractable CRHF\COM\1-to-1 OWF

 Thank You