Towards a Theory of Extractable Functions

Extractable functions are functions where any adversary that outputs a point in the range of the function is guaranteed to "know" a corresponding preimage. Here, knowledge is captured by the existence of an efficient extractor that recovers the preimage from the internal state of the adversary. Extractability of functions was defined by the authors (ICALP'08) in the context of perfectly one-way functions. It can be regarded as an abstraction from specific knowledge assumptions, such as the Knowledge of Exponent assumption (Hada and Tanaka, Crypto 1998). We initiate a more general study of extractable functions. We explore two different approaches. The first approach is aimed at understanding the concept of extractability in and of itself; in particular, we demonstrate that a weak notion of extraction implies a strong one, and make rigorous the intuition that extraction and obfuscation are complementary notions. In the second approach, we study the possibility of constructing cryptographic primitives from simpler or weaker ones while maintaining extractability. Results are generally positive. Specifically, we show that several cryptographic reductions are either "knowledge-preserving" or can be modified to be so. Examples include reductions from extractable weak one-way functions to extractable strong ones, from extractable pseudorandom generators to extractable pseudorandom functions, and from extractable one-way functions to extractable commitments. Other questions, such as constructing extractable pseudorandom generators from extractable one-way functions, remain open.

[1] Silvio Micali, et al. How to construct random functions, 1986, JACM.

[2] Russell Impagliazzo, et al. Hard-core distributions for somewhat hard problems, 1995, Proceedings of IEEE 36th Annual Foundations of Computer Science.

[3] Oded Goldreich, et al. Foundations of Cryptography: Basic Tools, 2000.

[4] Matthew Franklin, et al. Advances in Cryptology - CRYPTO 2004, 2004, Lecture Notes in Computer Science.

[5] Silvio Micali, et al. The knowledge complexity of interactive proof-systems, 1985, STOC '85.

[6] Ernest F. Brickell, et al. Advances in Cryptology - CRYPTO '92, 2001, Lecture Notes in Computer Science.

[7] Giovanni Di Crescenzo, et al. Equivocable and Extractable Commitment Schemes, 2002, SCN.

[8] Ran Canetti, et al. Universally Composable Commitments, 2001, CRYPTO.

[9] Amit Sahai, et al. On the (im)possibility of obfuscating programs, 2001, JACM.

[10] Mihir Bellare, et al. Towards Plaintext-Aware Public-Key Encryption Without Random Oracles, 2004, ASIACRYPT.

[11] Ran Canetti, et al. Extractable Perfectly One-Way Functions, 2008, ICALP.

[12] Ran Canetti, et al. Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information, 1997, CRYPTO.

[13] Robin Milner, et al. On Observing Nondeterminism and Concurrency, 1980, ICALP.

[14] Andrew Chi-Chih Yao, et al. Theory and application of trapdoor functions, 1982, 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982).

[15] Serge Vaudenay, et al. Advances in Cryptology - EUROCRYPT 2006, 2006, Lecture Notes in Computer Science.

[16] Alexander W. Dent, et al. The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model, 2006, IACR Cryptology ePrint Archive.

[17] Jennifer Seberry, et al. Immunizing Public Key Cryptosystems Against Chosen Ciphertext Attacks, 1993, IEEE Journal on Selected Areas in Communications.

[18] Dan Boneh, et al. Advances in Cryptology - CRYPTO 2003, 2003, Lecture Notes in Computer Science.

[19] Oded Goldreich. Foundations of Cryptography: Index, 2001.

[20] Aggelos Kiayias, et al. Self Protecting Pirates and Black-Box Traitor Tracing, 2001, CRYPTO.

[21] Matthew Lepinski, et al. On the Existence of 3-Round Zero-Knowledge Proofs, 2002.

[22] Mihir Bellare, et al. The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols, 2004, CRYPTO.

[23] Mihir Bellare, et al. Optimal Asymmetric Encryption, 1994, EUROCRYPT.

[24] Hugo Krawczyk, et al. Advances in Cryptology - CRYPTO '98, 1998.

[25] Moni Naor, et al. Bit commitment using pseudorandomness, 1989, Journal of Cryptology.

[26] Leonid A. Levin, et al. A Pseudorandom Generator from any One-way Function, 1999, SIAM Journal on Computing.

[27] Giovanni Di Crescenzo, et al. Necessary and Sufficient Assumptions for Non-iterative Zero-Knowledge Proofs of Knowledge for All NP Relations, 2000, ICALP.

[28] Mihir Bellare, et al. On Defining Proofs of Knowledge, 1992, CRYPTO.

[29] Oded Goldreich, et al. Foundations of Cryptography: List of Figures, 2001.

[30] Yael Tauman Kalai, et al. On the impossibility of obfuscation with auxiliary input, 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[31] Pil Joong Lee, et al. Advances in Cryptology - ASIACRYPT 2001, 2001, Lecture Notes in Computer Science.

[32] Johan Håstad, et al. Construction of a pseudo-random generator from any one-way function, 1989.

[33] Alfredo De Santis, et al. Advances in Cryptology - EUROCRYPT '94, 1994, Lecture Notes in Computer Science.

[34] Silvio Micali, et al. Plaintext Awareness via Key Registration, 2003, CRYPTO.

[35] Toshiaki Tanaka, et al. On the Existence of 3-Round Zero-Knowledge Protocols, 1998, CRYPTO.

[36] Burton S. Kaliski. Advances in Cryptology - CRYPTO '97, 1997.