Our Current Knowledge of Knowledge Assumptions

Presentation transcript:

Our Current Knowledge of Knowledge Assumptions
Nir Bitansky
Survey talk, technically light.
The tree of knowledge discovers where paper comes from.

A (Somewhat) True Story
Galileo (circa 1610): “I have observed saturn 3-formed”
Anagram 𝜋: “I formed the 3-nosed verb suvara”

Kepler’s Discovery
Kepler: “I am an uber soft 3-d horsed verve”

What a Coincidence…
𝜋⁻¹ applied to “I formed the 3-nosed verb suvara” gives “I have observed saturn 3-formed”
𝜎⁻¹ applied to “I am an uber soft 3-d horsed verve” gives “I have observed saturn 3-formed”

Explanations
“concurrent and independent work”
“K didn't know what he’s committing to”
Challenge: demonstrate knowledge w/o revealing it

ZK Proofs of Knowledge [Goldwasser-Micali-Rackoff, Feige-Shamir, Goldreich-Bellare]
Prover 𝑃 (holding a witness) and verifier 𝑉 for a statement 𝑥∈ℒ: hide the witness, yet allow efficient extraction.
We say that an interactive proof is a proof of knowledge if every prover that can convince the verifier of some NP statement must know a witness. That the witness is hidden makes this non-trivial, and the way this is formalized is by requiring an efficient extractor.

The Extraction Paradigm
Knowledge ≈ efficiently extractable from the adversary: Adversary → Extractor → Knowledge → Reduction/Simulator.
So how do we typically capture knowledge? The common paradigm is that a given (perhaps adversarial) entity knows something if we can efficiently extract it out. Such knowledge extraction doesn’t only stand on its own; it is commonly used in our security analysis, by a reduction or a simulator.

Extraction in Cryptographic Analysis
Extraction is used in: CCA2 encryption, ZK simulation, input independence, MPC composition, …
Owner of sk also generates a proof of correctness. What does correctness mean? The function is generated with a vk. Correctness is consistency.

How is Knowledge Extracted?
Adversary → ? → Knowledge

Black-Box Extraction
The extractor treats the adversary as a black box and obtains the knowledge by rewinding, or by supplying “fake” public parameters together with a trapdoor.

Limits of Black-Box Extraction
Black-box reductions/simulators have barriers […, Goldreich-Krawczyk, …, Gentry-Wichs, …]: constant-round public-coin ZK, 3-message ZK, SNARGs for NP, …
Non-Black-Box Techniques [Barak, …, B-Kalai-Paneth]

Knowledge Assumptions
So now I want to get to our main topic, which is knowledge assumptions and extractable functions, and see how they fit into this picture.
The tree of knowledge discovers knowledge assumptions (and where violins come from).

Knowledge of Exponent Assumption [Damgård]
A group 𝐺 ≅ ℤ_𝑝 with generator 𝑔, exponents 𝒗 ∈ ℤ_𝑝^𝑛 and 𝛼 ∈ ℤ_𝑝. The adversary gets 𝑔, 𝑔^𝒗 and outputs 𝑔^{𝛼𝒗}; a non-black-box extractor must output 𝛼:
$\forall A\ \exists E:\ \text{if } A(g, g^{\boldsymbol v}) = g^{\alpha \boldsymbol v} \text{ then } E(g, g^{\boldsymbol v}) = \alpha$
Meaningful assuming DLOG!
Note that this is meaningful only assuming DLOG; otherwise it is trivial. And this hardness is also why such an extractor must be non-black-box.

Abstracting: Extractable Primitives [Canetti-Dakdouk, …]
A function family 𝑓_𝑘: the adversary gets 𝑘 and outputs 𝑓_𝑘(𝑥); a non-black-box extractor must output 𝑥:
$\forall A\ \exists E:\ \text{if } A(k) = f_k(x) \text{ then } E(k) = x$
Meaningful assuming hardness! Instances: EOWF, ECRH, ENC, …

Other Extraction Beasts
Concurrently extractable OWFs [B-Canetti-Chiesa-Goldwasser-Lin-Rubinstein-Tromer, Gupta-Sahai]
Extractable IO (aka differing-input obfuscation) [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang, Boyle-Chung-Pass, Ananth-Boneh-Garg-Sahai-Zhandry, Ishai-Pandey-Sahai]
Auxiliary-input point obfuscation [Canetti, B-Paneth, …]
So what we show is that you can combine SKFE with plain PKE to go all the way to PKFE. Not today…

Applications
Which is really why extractable functions succeed in achieving applications where there is not enough interaction to commit the adversary to some normal behavior.
KEA ⇒ CCA encryption [Damgård]
KEA ⇒ 3-ZK [Hada-Tanaka, Bellare-Palacio]
EOWF ⇒ 3-ZK [Canetti-Dakdouk, B-Canetti-Chiesa-Goldwasser-Lin-Rubinstein-Tromer]
ECRH ⇒ SNARKs (NP) [B-Canetti-Chiesa-Tromer]
Linear-only encryption (candidates from linear encryption: lattices, factoring) ⇒ SNARKs (NP) [Mie, Groth, Lipmaa, Gennaro-Gentry-Parno-Raykova, B-Chiesa-Ishai-Paneth-Ostrovsky]

The Power of SNARKs
Delegating computation, proof-carrying data [Chiesa-Tromer], efficient obfuscation [Boneh-Ishai-Sahai-Wu], image authentication [Tromer-Naveh], crypto currency [ZCash], …

What’s a SNARK?
Succinct Non-Interactive Argument of Knowledge: a (reusable) 𝑐𝑟𝑠; the prover 𝑃(𝑥,𝑤) sends a single proof 𝜋 to the verifier 𝑉(𝑥).
Computationally sound; fast verification; |𝜋| ≪ |𝑤|; argument of knowledge: a non-black-box extractor recovers 𝑤.
Variants: short/long crs, privately/publicly verifiable.

Approach for SNARKs (Oversimplified) [IKOS, …, BCIOP, GGPR, …]
Linear PCP + Linear-Only Encryption
So, to demonstrate how we could use knowledge to get SNARKs, I want to briefly tell you about a simple paradigm to do this (and this will be somewhat sketchy and oversimplified).

Linear PCP
𝑃(𝑥,𝑤) produces a proof vector $\boldsymbol\pi \in \mathbb{F}^n$; 𝑉(𝑥) sends a query $\boldsymbol q \in \mathbb{F}^n$ and receives the answer $\langle \boldsymbol q, \boldsymbol\pi \rangle$ (this talk: 1 query).
∃ LPCP w/ quasi-optimal 𝑃 and a “very simple” 𝑉 [QSPs: Gennaro-Gentry-Parno-Raykova].

Linear-Only Encryption [Boneh-Segev-Waters]
𝐸 is linearly homomorphic and semantically secure. Given $E(x_1), \dots, E(x_n)$, the adversary 𝐴 outputs a “valid” ciphertext $E(z)$; a non-black-box extractor outputs $\boldsymbol y \in \mathbb{F}^n$ with $z = \langle \boldsymbol x, \boldsymbol y \rangle$.
Candidates from linear schemes + KEA* (also some relaxed formulations).

Putting Them Together
The crs holds the encrypted query $E(q_1), \dots, E(q_m)$ with $q_i \in \mathbb{F}$; $P(x,w)$ computes its LPCP proof $\boldsymbol\pi$ and sends $E(\langle \boldsymbol\pi, \boldsymbol q \rangle)$ to $V(x)$.

Soundness (Knowledge) Intuition
A cheating prover $P^*$ gets $E(q_1), \dots, E(q_m)$ and sends some $E(z^*)$ that $V(x)$ accepts. By the non-black-box extractor of the linear-only scheme there is $\boldsymbol\pi^* \in \mathbb{F}^n$ with $z^* = \langle \boldsymbol\pi^*, \boldsymbol q \rangle$, so $z^*$ is a valid PCP answer. By semantic security, $\langle \boldsymbol\pi^*, \boldsymbol q' \rangle$ is valid w.h.p. also for a fresh random query $\boldsymbol q'$; then decode 𝑤 from $\boldsymbol\pi^*$.

Was Knowledge So Important Here?
Relaxed “linear-only” ⇒ soundness (SNARG).
But knowledge is crucial when composing! “I know a hash preimage”; “I also know a SNARK of the previous preimage” (bootstrapping SNARKs). Often needed in applications…

So Why Don’t We Like Knowledge Assumptions?
We have candidates, intuition and applications. What’s missing?

A Hole in the Reduction
A reduction from, say, ZCash security to finding a collision in SHA runs the adversary and needs an extractor for it, but the assumption only promises $\forall A\ \exists E:\ \text{if } A(k) = f_k(x) \text{ then } E(k) = x$, with no explicit 𝐸.
Hope for an explicit non-black-box extractor?

Hope for Explicit Extractor?
Replace $\forall A\ \exists E$ by a universal extractor: $\exists E\ \forall A:\ \text{if } A(k) = f_k(x) \text{ then } E(k) = x$.

Limitation [Hada-Tanaka, Goldreich]
Adversary’s code may be obfuscated… Made formal assuming IO [B-Canetti-Paneth-Rosen].

Food for Thought
Something We Can Do (std. assumptions) [B-Canetti-Paneth-Rosen]: a universal extractor for uniform adversaries. Unsatisfying!
Q1: Other extractable primitives?

Relax the Definition
Extraction is only required with respect to keys $\tilde k \approx k$: on $f_{\tilde k}(x)$ the universal extractor outputs 𝑥.
Sufficient for 3ZK if one-way for all 𝒌… Q2: Sufficient for SNARKs? Constructions?

Non-Uniform Techniques?
Back to $\exists E\ \forall A$ versus $\forall A\ \exists E:\ \text{if } A(k) = f_k(x) \text{ then } E(k) = x$, now for non-uniform adversaries.
Q3: Prove existence (under a better assumption). Q4: Disprove existence!

Thanks!
Recall what FE is. In plain, say public-key, encryption: those w/ the key; others can’t tell one encrypted message from the other.