Download presentation

Presentation is loading. Please wait.

Published byMervyn Wright Modified about 1 year ago

1
Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen

2
Largest Known Prime 2 57,885,161 − 1 Electronic Frontier Foundation offers $250,000 prize for a prime with at least a billion digits

3
Knowledge Algorithm Knowledge Polynomial Time Extraction Procedure

4
Proofs of Knowledge Witness Extraction Hide the Witness Secrecy : Zero-Knowledge \ Witness indistinguishability Goal: Extract knowledge that is not publicly available

5
CCA Encryption Reduction To CPA Extraction

6
More Knowledge Zero-knowledge Proofs, Signatures, Non-malleable Commitments, Multi-party Computation, Obfuscation,… Reduction Extraction

7
How to Extract? Algorithm Knowledge Extraction?

8
Extraction by Interaction Or : Black-Box Extraction Adversary Extraction Public Parameters

9
Out of Reach Applications 3-Message Zero-Knowledge 2-Message Succinct Argument (SNARG)

10
Out of Reach Applications [Goldreich-Krawczyk][Gentry-Wichs] Black-Box Security Proof is Impossible

11
Knowledge of Exponent Adversary Extraction [Damgård 92] Non-Black-Box Extraction

12
Applications of KEA 3-Message Zero-Knowledge 2-Message Succinct Argument (SNARG) Knowledge of Exponent Assumption* (KEA) * and variants [HT98,BP04,Mie08,G10,L12,BCCT13,GGPR13,BCIOP13]

13
Extractable Functions Adversary Extraction [Canetti-Dakdouk 08]

14
Remarks on EF Adversary Extraction OWF, CRHF

15
Applications of EF 3-Message Zero-Knowledge 2-Message Succinct Argument (Privately Verifiable) Knowledge of Exponent Extractable One-Way Functions (EOWF) Extractable Collision-Resistant Hash Functions (ECRH) [BCCT12,GLR12,DFH12]

16
What is missing? Clean assumptions Candidates Strong applications

17
A Reduction Using EF Reduction

18
Do Extractable One-Way Functions with an Explicit Extractor Exist?

19
It depends on the Auxiliary Input.

20
Example: Zero-Knowledge Auxiliary input

21
Definition of EF with A.I.

22
Types of A.I. Individual \ Common Bounded \ Unbounded

23
What type of A.I. do we need?

24
Example: Zero-Knowledge

25
PossibleImpossibleOpen Subexp-LWEIndistinguishability Obfuscation Explicit Extractor Delegation for P from Subexp-PIR [Kalai-Raz-Rothblum13]

26
Generalized EOWF EOWF* = Privately-Verifiable Generalized EOWF 1.EOWF* suffices for applications of EOWF. 2.The impossibility results holds also for EOWF* 3.Can remove * assuming publicly-verifiable delegation for P (P-certificates)

27
Application 3-Message Zero-Knowledge EOWF 3-Message Zero-Knowledge For verifiers w. bounded A.I. EOWF with bounded A.I. EOWF* with bounded A.I. [BCCGLRT13]

28
Construction Survey Impossibility

29
Construction EOWF* with Bounded A.I from Privately-Verifiable Delegation for P EOWF with Bounded A.I from Publicly-Verifiable Delegation for P

30
First Attempt

31

32

33
Extraction

34
One-Wayness

35
Problem Solution: Delegation for P (following the protocols of [B01,BLV03])

36
Delegation for P

37
Final Construction

38
Extraction

39
One-Wayness

40
Generalized EOWF

41
Impossibility Assuming indistinguishability obfuscation, there is not EOWF with unbounded common auxiliary input

42
Intuition Adversary Non-Black-Box Extractor

43
Plan 1.Assuming virtual black-box obfuscation [Goldreich, Hada-Tanaka] 2.Assuming indistinguishability obfuscation

44
Common A.I.

45
Universal Extraction Universal Extractor Universal Adversary

46
Black-Box Extraction Universal Extractor Universal Adversary Black-box obfuscation

47
Black-Box Extraction Black-Box Extractor Adversary

48
Indistinguishability Obfuscation Compute the same function

49
Indistinguishability Obfuscation Extractor Adversary

50
Indistinguishability Obfuscation Extractor Alternative adversary

51
Alternative Adversary Using the Sahai-Waters puncturing technique

52
Indistinguishability Obfuscation Extractor

53
Back to the Construction?Construction

54
PossibleImpossibleOpen Extractable CRHF\COM\1-to-1 OWF

55
Thank You

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google