How To Construct Extractable One-Way Functions Against Uniform Adversaries

A function f is extractable if it is possible to algorithmically “extract,” from any program that outputs a value y in the image of f, a preimage of y. When combined with hardness properties such as one-wayness or collision-resistance, extractability has proven to be a powerful tool. However, so far, extractability has not been explicitly shown. Instead, it has only been considered as a nonstandard knowledge assumption on certain functions. We give the first construction of extractable one-way functions assuming only standard hardness assumptions (e.g., subexponential security of Decision Diffie-Hellman or Quadratic Residousity). Our functions are extractable against adversaries with bounded polynomial advice and unbounded polynomial running time. We then use these functions to construct the first 2-message zero-knowledge arguments and 3-message zero-knowledge arguments of knowledge, against the same class of adversarial verifiers, from essentially the same assumptions. The construction uses ideas from [Barak, FOCS01] and [Barak, Lindell, and Vadhan, FOCS03], and rely on the recent breakthrough construction of privately verifiable P-delegation schemes [Kalai, Raz, and Rothblum]. The extraction procedure uses the program evaluating f in a non-black-box way, which we show to be necessary.

[1]  Ran Canetti,et al.  Towards a Theory of Extractable Functions , 2009, TCC.

[2]  Rafail Ostrovsky,et al.  A Survey of Single-Database Private Information Retrieval: Techniques and Applications , 2007, Public Key Cryptography.

[3]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[4]  Adi Shamir,et al.  Publicly Verifiable Non-Interactive Zero-Knowledge Proofs , 1990, CRYPTO.

[5]  Craig Gentry,et al.  i-Hop Homomorphic Encryption and Rerandomizable Yao Circuits , 2010, IACR Cryptol. ePrint Arch..

[6]  R. Cramer,et al.  Linear Zero-Knowledgde. A Note on Efficient Zero-Knowledge Proofs and Arguments , 1996 .

[7]  Craig Gentry,et al.  Separating succinct non-interactive arguments from all falsifiable assumptions , 2011, IACR Cryptol. ePrint Arch..

[8]  Rafail Ostrovsky,et al.  Simultaneously Resettable Arguments of Knowledge , 2012, TCC.

[9]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[10]  Yael Tauman Kalai,et al.  Delegation for bounded space , 2013, STOC '13.

[11]  Mihir Bellare,et al.  The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols , 2004, CRYPTO.

[12]  Hugo Krawczyk,et al.  On the Composition of Zero-Knowledge Proof Systems , 1990, ICALP.

[13]  Toshiaki Tanaka,et al.  On the Existence of 3-Round Zero-Knowledge Protocols , 1998, CRYPTO.

[14]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[15]  Nir Bitansky,et al.  Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall , 2013, IACR Cryptol. ePrint Arch..

[16]  Yehuda Lindell,et al.  Lower bounds for non-black-box zero knowledge , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[17]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[18]  Kai-Min Chung,et al.  Constant-Round Concurrent Zero Knowledge from P-Certificates , 2013, 2013 IEEE 54th Annual Symposium on Foundations of Computer Science.

[19]  Moni Naor,et al.  Efficient oblivious transfer protocols , 2001, SODA '01.

[20]  Ran Canetti,et al.  Extractable Perfectly One-Way Functions , 2008, ICALP.

[21]  Yuval Ishai,et al.  Priced Oblivious Transfer: How to Sell Digital Goods , 2001, EUROCRYPT.

[22]  Leonid A. Levin,et al.  A hard-core predicate for all one-way functions , 1989, STOC '89.

[23]  Adi Shamir,et al.  Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions , 1999, SIAM J. Comput..

[24]  Moni Naor,et al.  Zaps and their applications , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[25]  Nir Bitansky,et al.  Recursive composition and bootstrapping for SNARKS and proof-carrying data , 2013, STOC '13.

[26]  Hoeteck Wee,et al.  Black-Box Constructions of Two-Party Protocols from One-Way Functions , 2009, TCC.

[27]  Nir Bitansky,et al.  On the existence of extractable one-way functions , 2014, SIAM J. Comput..

[28]  Ivan Damgård,et al.  Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks , 1991, CRYPTO.

[29]  Adi Shamir,et al.  Zero Knowledge Proofs of Knowledge in Two Rounds , 1989, CRYPTO.

[30]  Ivan Damgård,et al.  Linear zero-knowledge—a note on efficient zero-knowledge proofs and arguments , 1997, STOC '97.

[31]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[32]  Nir Bitansky,et al.  On the impossibility of approximate obfuscation and applications to resettable cryptography , 2013, STOC '13.

[33]  Boaz Barak,et al.  How to go beyond the black-box simulation barrier , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[34]  Vinod Vaikuntanathan,et al.  Efficient Fully Homomorphic Encryption from (Standard) LWE , 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[35]  Oded Goldreich,et al.  The Foundations of Cryptography - Volume 2: Basic Applications , 2001 .

[36]  Moni Naor,et al.  On Cryptographic Assumptions and Challenges , 2003, CRYPTO.

[37]  Manuel Blum,et al.  How to generate cryptographically strong sequences of pseudo random bits , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[38]  Andrew Chi-Chih Yao,et al.  How to generate and exchange secrets , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[39]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[40]  Manuel Blum,et al.  How to Prove a Theorem So No One Else Can Claim It , 2010 .

[41]  Nir Bitansky,et al.  Succinct Arguments from Multi-prover Interactive Proofs and Their Efficiency Benefits , 2012, CRYPTO.

[42]  Oded Goldreich,et al.  Universal arguments and their applications , 2002, Proceedings 17th IEEE Annual Conference on Computational Complexity.

[43]  Adi Shamir,et al.  Witness indistinguishable and witness hiding protocols , 1990, STOC '90.

[44]  Rafail Ostrovsky,et al.  Simultaneous Resettability from Collision Resistance , 2012, Electron. Colloquium Comput. Complex..

[45]  Nir Bitansky,et al.  From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again , 2012, ITCS '12.

[46]  Yael Tauman Kalai,et al.  Smooth Projective Hashing and Two-Message Oblivious Transfer , 2005, Journal of Cryptology.

[47]  Oded Goldreich,et al.  Definitions and properties of zero-knowledge proof systems , 1994, Journal of Cryptology.