1 theory and application of extractable functions ramzi ronny dakdouk
Post on 20-Dec-2015
220 views
TRANSCRIPT
2
Driving Questions
• Study computational knowledge of functions
• What does the ability to produce f(x) have to do with “knowing” x ?
• Extractable Function:
Outputting f(x) knowledge of x
3
Example: Software Protection
• Outputting a hash of a license
Knowledge of license
Possession of license
• Hash is one-way
Hard to extract license
4
Our Results• Introduce, formalize, and construct extractable functions. This appeared in:Extractable Perfectly One-Way Functions. ICALP (2) 2008: 449-460 (with Ran Canetti) • Characterize extractable functions & relation to obfuscation. This appeared
in:Towards a Theory of Extractable Functions. TCC 2009: 595-613 (with Ran Canetti)• Use extractable functions in constructing 3-round zero-knowledge. This
appeared in the ICALP paper.• Use extractable functions in instantiating Random Oracle. This appeared in
the ICALP paper.• Use techniques from work on extractable functions to obfuscate multibit
output point functions. This appeared in:Obfuscating Point Functions with Multibit Output. EUROCRYPT 2008:
489-508 (with Ran Canetti)
5
Other Work
• Study inter-domain routing from a social choice perspective. This appeared in:
Interdomain Routing as Social Choice. ICDCS Workshop 2006: 38
(with Semih Salihoglu, Hao Wang, Haiyong Xie, Yang Richard Yang)
7
Computational Knowledge
• In protocols:– Proofs of knowledge
(interactive, non-interactive)
• Apply computational knowledge to functions extractable functions
9
Extractable Functions: Definition (I)
A family of functions {F_k} is extractable if for every adversary A that, given random k, computes F_k(x), there is an extractor E that outputs x whp.
• E depends on A (inherently non-blackbox).• Variants:
– Deterministic/randomized functions– negligible / noticeable extraction error– presence/absence of auxiliary information
(both dependent and independent)
10
Extractable Functions vs Non-interactive Proofs of Knowledge
• Extractable Functions– No CRS– Non-verifiable– Nonblackbox extractor– view(extractor)=
view(adversary)
• Proofs of Knowledge– CRS– Verifiable– Blackbox extractor– view(extractor)≠
view(prover)
Extractable functions and Noninteractive Proofs of Knowledge are incomparable.
12
Do extractable functions exist?
• Yes: The identity function…
• Do there exist extractable one-way functions?
• Do there exist extractable functions with other hardness properties?
14
Extractable Functions vs Knowledge Assumptions
The Knowledge of Exponent (KE) assumption [Hada-Tanaka98]: Fg,h(x)=gx,hx is extractable.
tantamount to extractable functions
• Extractable functions: abstraction away from specific number-theoretic assumptions
(e.g., knowledge of exponent)• Extractable functions: formulation in a general
complexity-theoretic setting.
15
Extractable Functions:Definition (II)
• Weaker knowledge guarantee
• Requires weaker assumptions
• Considers randomized functions
• Involves a structured 3-round game between adversary and challenger:– If interaction is “consistent”, extractor can
recover preimage.
17
Extractable vs Interactively-extractable functions
• Extractable– 1 round– Non-verifiable– Nonblackbox extractor
– 1 output: y=f(x)
• Interactively-extractable – 3 rounds– Non-verifiable– Extractor can be blackbox
(even for POW functions)– A lot more: y_1=f(x,r_1),…
19
Non-interactive EPOW Construction
Hada-Tanaka: Fg,h (x)=gx,hx
Our construction: • Stronger than HT function (POW)• A randomized variant of the HT function
Fg,h (x,r)= gr,hr,grx,hrx
• Extraction:– by KE assumption can recover rx and r, thus can compute x.
• POW:– “2-POW” based on “strong” DDH– “2-POW” “t-POW” for any polynomial t
Given 2 images y and z, it is possible to generate a new image w:1. Fg,h -1(y)=Fg,h -1(z) Fg,h -1(w)=Fg,h -1(y)2. Fg,h -1(y)≠Fg,h -1(z) Fg,h -1(w) is independent of y and z
20
Interactive EPOW Construction
• Given any POW function F, construct:
EF(x=(x1,...,xn),r=(r0,…,rn+2))=F(x,r0),F(tx1,r1)…,F(txn
,rn)
– t0=F(x,rn+1)
– t1=F(x,rn+2)
• POW:– Follows from POW of F. (In fact, need a “composable” variant of POW.)
• Extraction:
21
Extraction for Interactive EPOW
EF(x,s)
r=(r0,…,rn+2)
EF(x,r)=(t*=F(x,r0),…)
Rewind
u=(u0,…,un+1,un+2=r0)
EF(x,r)=F(x,u0),F(tx1,u1),…
xi=1 if F(t*=F(x,r0),ui)
=F(txi,ui)
23
Interactive Extraction vs Obfuscation
• We formalize the intuitive notion that extraction and obfuscation complement each other.
• Various notions of extraction:– “weak extraction”: noticeable success– “strong extraction”: extraction with noticeable error– “very strong extraction”:extraction with negligible error
• Weak obfuscation: ability to compute on a hidden point
24
Weak Obfuscation
• A program O is a weak obfuscation of a probabilistic function f if it can compute f on a hidden point:
• Secrecy: <Ox> is one-way in x
• Functionality: Ox(r)=f(x,r) with noticeable probability
25
First Characterization
• Weak extraction: For every adversary A there is an extractor that succeeds noticeably.
• Theorem 1: Every family of probabilistic functions is either “weakly obfuscatable” or “weakly extractable”.
• Note: No assumptions about the function
26
Proof Highlights
• Suppose f is not weakly extractable
• There is an adversary A that plays the 3-round game successfully.
• However, there is no corresponding extractor
• A and its input constitute a weak obfuscation
27
Second Characterization
• Verification: easy to verify whether y is an image of x.
• Theorem 2: – Every verifiable family is either weakly
obfuscatable or “strongly extractable”.– Extraction with noticeable error verification
(injective functions)
28
Proof Highlights
• Uses variant of Impagliazzo’s hard-core lemma (FOCS95):– Gives a family of extractors K– K fails no other machine can succeed noticeably
• f is not extractable an adversary A produces 2 consistent messages even when K fails.
• f is not obfuscatable f is weakly extractable against A (Theorem 1)
• This contradicts the lemma (property of K)
29
Corollary
• Every POW function with auxiliary information is strongly extractable.
• Supersedes our earlier results – more efficient communication: 1 challenge vs
n challenges
• However, extraction is nonblackbox.
30
Third Characterization
• Reliably-consistent adversaries: Consistency is lower-bounded by inverse of a fixed polynomial.
• Theorem 3: – Every verifiable family is either “weakly obfuscatable”
or extractable with negligible error against reliably-consistent adversaries.
– Extraction with negligible error condition on adversaries is satisfied.
(verifiable and efficiently-computable functions)
• Proof similar to proof of Theorem 2.
31
Outline
• Notions
• Constructions
• Characterization
• Applications– Zero Knowledge– Random Oracle Instantiation
32
Zero-knowledge
• Prover convinces verifier of the validity of a statement without revealing anything beyond the validity.
• Soundness: Guarantee against a possibly malicious prover– If malicious provers are restricted to polynomial-time machines
ZK arguments– Otherwise, ZK proofs
• Zero-knowledge: Guarantee against a possibly malicious verifier– If malicious verifiers are restricted to polynomial-time machines
computational ZK– Else, statistical ZK
33
Zero-knowledge Definition
• L is in any language from NP • An efficient pair of machines, (P,V), is a ZK argument for L if:
(Completeness) For any x in L (with witness w):
Pr [<P(x,w),V(x)>=1] = 1- neg (Soundness) For any x outside L and any efficient P’:
Pr [<P’(x),V(x)>=1] = neg (Zero-knowledge) For any verifier V’, there is a simulator S, such that for any x in L:
ViewV(<P(x,w),V’(x)>) ≈ S(x)
34
3-round Zero Knowledge
• Black-Box 3-round ZK is possible only for BPP [Goldreich-Krawczyk96].
• 3-round arguments exist based on two “knowledge of exponent” assumptions [HT98, BP04].
• 3-round proofs exist based on similar assumptions [Lepinski02].
35
Idea Behind Our Construction
FLS technique [Feige-Lapidot-Shamir99]:• Prover convinces verifier either:
1) Statement is true, or2) Prover knows something only the verifier knows
• Any efficient prover can not benefit from (2) soundness
• ZK simulator uses extraction functions to extract knowledge from verifier
zero-knowledge• Verifier can not distinguish between a real
interaction and a ZK simulation.
36
Main Tools
• Extractable POW functions
(with an additional property)
• Noninteractive witness-indistinguishable (WI) proofs
37
Witness Indistinguishability
• Weaker than ZK
• Hard to tell which witness is used in a proof.
• Witness Indistinguishability: For any x in L and any witness pair w1,w2:
P(x,w1) ≈ P(x,w2)
38
Notations
• L ε NP
• F is an extractable POW family, {Fk}.
• L’={x’=(x,y,s): x ε L or
there exist u1,u2 s.t.
u1=F-1(y) & (u1,u2)=F-1(s)}
• π is noninteractive WI proof for L’.
39
3-round ZK Argument for Any L ε NP
x w x
Fk1
Fk2,y
s, π
Accept
Fk1 {Fk}
r’,u1,u2 Un
s= Fk2((u1,u2),r’)
If y in range(Fk1)
π= π((x,y,s),w)
Fk2 {Fk}
r Un
u Un
y= Fk1(u,r)
If s in range(Fk2)
& π is valid
40
Soundness & Zero KnowledgeSoundness: – If V accepts and x not in L, then by WI soundness preimage of y
belongs to preimage of s.– This means prover can recover preimage of y (by extracting preimage of s).– This contradicts one-wayness of F (since F is POW).
Zero-Knowledge: Simulator recovers u, the preimage of y (via extraction). Simulator then behaves like an honest prover except:
s= Fk2((u,u2),r’)
π= π( (x,y,s), (u,u2)) Fk2
((u1,u2),r’), π((x,y,s),w) ≈ Fk2((u,u2),r’), π((x,y,s),(u,u2))
(using POW & WI)
41
Potential Advantages over [HT98]
• Does not explicitly use algebraic properties of DL
• Opens the door to building 3-round ZK from other assumptions (that suffice for constructing EPOW functions)
42
Outline
• Constructions
• Characterization
• Applications– Zero Knowledge– Random Oracle Instantiation
43
The Random Oracle Methodology[Fiat-Shamir86,Bellare-Rogaway93]
• The idea: – Design and analyze crypto schemes assuming global access to a random function R.
– Implement R via a “cryptographic hash function” (e.g. SHA2)
• Unsound in and of itself [Canetti-Goldreich-Halevi98,...]• But, perhaps can be used as a methodological
step towards constructing fully specified schemes?
44
Replacing the RO by concrete functions
• The Random Oracle has many convenient features:– Perfect hiding of preimage– Knowledge of preimage– Collision resistant– Correlation intractable– “Programmable”
• Can we have fully specified functions that have some of these properties?
• Can such functions replace the RO?
45
EPOW functions as an instantiation of a RO
• Can capture “perfect hiding of preimage” property [C97].• Can capture the “knowledge of preimage” property.• Can be used to demonstrate security of the [BR92]
encryption schemes, via the same argument as in the RO model.
• Can be used to demonstrate security of a large class of encryption schemes, via a new method of instantiating the RO.
However:• Need extractability w.r.t. dependent auxiliary information• Alternative: use interactive EPOW, resulting in
interactive encryption.
46
Summary
We advanced our understanding of computational knowledge and its relationship with Cryptography through:
• Introducing & formalizing Extractable Functions• Constructing several extractable functions with
different hardness properties• Characterizing extractable functions• Applying extractable functions:
– 3-round Zero-knowledge– Random Oracle Instantiation
47
Open Questions
• Realize noninteractive extractable functions with dependent auxiliary information
• Realize noninteractive extractable functions from other assumptions
• Explore connections to stronger notions of obfuscation
• Find new applications of extractable functions