Table Of ContentHow To Construct Extractable One-Way Functions
Against Uniform Adversaries
NirBitansky∗,RanCanetti†,andOmerPaneth‡
TelAvivUniversityandBostonUniversity
June3,2014
Thisisanoutofdatedraft. ThepaperwasmergedwithIndistinguishabilityObfuscationvs.
Auxiliary-InputExtractableFunctions: OneMustFall[BCPR13]toformOntheExistence
ofExtractableOne-WayFunctions[BCPR14].
Abstract
A function f is extractable if it is possible to algorithmically “extract,” from any program that
outputsavalueyintheimageoff,apreimageofy. Whencombinedwithhardnesspropertiessuch
as one-wayness or collision-resistance, extractability has proven to be a powerful tool. However,
so far, extractability has not been explicitly shown. Instead, it has only been considered as a non-
standardknowledgeassumptiononcertainfunctions.
Wegivethefirstconstructionofextractableone-wayfunctionsassumingonlystandardhardness
assumptions (e.g., subexponential security of Decision Diffie-Hellman or Quadratic Residousity).
Our functions are extractable against adversaries with bounded polynomial advice and unbounded
polynomialrunningtime.Wethenusethesefunctionstoconstructthefirst2-messagezero-knowledge
arguments and 3-message zero-knowledge arguments of knowledge, against the same class of ad-
versarialverifiers,fromessentiallythesameassumptions.
Theconstructionusesideasfrom[Barak,FOCS01]and[Barak,Lindell,andVadhan,FOCS03],
andrelyontherecentbreakthroughconstructionofprivatelyverifiableP-delegationschemes[Kalai,
Raz, and Rothblum]. The extraction procedure uses the program evaluating f in a non-black-box
way,whichweshowtobenecessary.
1 Introduction
Theabilitytoargueaboutwhatadversarialprograms“know”inthecontextofagiveninteractioniscen-
traltomoderncryptography. Acentralfacetofsuchargumentationistheabilitytoefficiently“extract”
knowledgefromtheadversarialprogram,oralternativelytochannelitintomeaningfuluse. Establishing
thisabilityisoftenacrucialstepinsecurityanalysisofcryptographicprotocolsandschemes.
One basic flavor of such extraction takes the form of security reductions; namely, efficiently trans-
forming an adversarial program that breaks the security of the analyzed scheme into a program that
performs some computational task that is believed to be hard. Examples include transforming a distin-
guisherforapseudorandomgeneratorintoaninverteroftheunderlyingone-wayfunction[BM84,GL89,
∗SupportedbyanIBMPh.D.Fellowship,theCheckPointInstituteforInformationSecurity,andanISFgrant20006317.
PartofthisresearchwasconductedwhilevisitingBostonUniversity.
†SupportedbytheCheckPointInstituteforInformationSecurity,anISFgrant20006317,andanNSFgrant1218461.
‡SupportedbytheSimonsawardforgraduatestudentsintheoreticalcomputerscienceandNSFaward1218461. Partof
thisresearchwasconductedwhileatMicrosoftResearchNewEngland.
1
HILL99], or transforming a cheating prover in a proof system into a collision-finder in the underlying
function[Kil92].
Adversarial knowledge also plays a central role in formulating definitions of security: Here we
oftenrequirethatadversarialparticipantsinacomputation“know”theirinputstothecomputation. This
is used as a means for guaranteeing global meaningfulness and secure composition of protocols, for
instanceinthecontextofproofsofknowledgeandideal-processbasedsecurity[FS89,Can00,Can01].
Theabilitytoextractvaluesfromtheadversaryisalsousefulwhensimulatingtheadversary’sview
inagivenprotocol,toestablishprivacyofsecretinputs,asinthecaseofzero-knowledgeormulti-party
computation[GMR89,GMW87]. AquintessentialexamplehereistheFeige-Lapidot-Shamirparadigm
[FLS99],discussedinmoredetailbelowandusedextensivelyintheprotocoldesignliterature.
How is knowledge extracted? Traditionally, the basic technique for extracting knowledge from an
adversary is to run it on multiple related inputs to deduce what it “knows” from the resulting outputs.
Inthecontextofinteractiveprotocols(whichwillbeinthefocusofthiswork),thistechniqueisknown
as rewinding. The power of the technique is in that it treats the adversary as a black-box and does
not need to know anything regarding its “internals”. However, as a number of impossibility results for
black-box reductions and simulation show, this technique is also quite limited. One main limitation of
rewinding-basedextractionisthatitrequiresmultipleroundsofinteractionwiththeadversary. Indeed,
provingsecurityofcandidate3-messagezero-knowledgeprotocols,succinctnon-interactivearguments
(SNARGs),andothertasksareoutofthetechnique’sreach[GK96,GW11].
Starting with the work of Barak et al. [Bar01], a handful of extraction techniques that go beyond
the limitations of black-box extraction have been developed. These techniques use in an essential way
having access to the actual adversarial program. However, these techniques too require at least several
rounds of protocol interaction. Thus, like black-box rewinding techniques, do not work in the above
contexts.
Extractable functions. Originating in Damga˚rd’s work [Dam92], and abstracted by Canetti and Dak-
douk [CD08, CD09], the notion of extractable functions provides an alternative extraction method that
does not rely on multiple rounds of interaction with the adversary. These are function families {f }
k
where, in addition to standard hardness properties, such as one-wayness or collision-resistance, any
program M that given k outputs v in the image of f has an “extractor” Ext that given k and the
k
code of M, outputs a preimage of v. As an expression to their power, extractable one-way functions
are known to suffice for constructing 3-message zero-knowledge protocols [HT98, BP04, CD09]. Ex-
tractablecollision-resistanthashfunctionsareknowntosufficeforconstructingsuccinctnon-interactive
arguments(SNARGs)[BCCT12]. ExtractablefunctionsalsogivenrisetorelativelyefficientCCAcon-
structions[Dam92,BP04].
The black-box impossibility of some of the above applications imply that it is impossible to obtain
extractablefunctionswheretheextractorusestheadversary’sprogramM onlyasablackbox. Coming
up with the suitable non-black-box techniques has been the main obstacle in constructing extractable
function,andtodate,noconstructionwithanexplicitextractionprocedureisknown. Instead,forallthe
existing candidate constructions of extractable functions (e.g., [Dam92, CD09, BCCT12, BC12]), the
existence of such an extractor is merely assumed. Such assumptions are arguably not satisfying. For
one,theydonotqualifyas“efficientlyfalsifiable”[Nao03];namely,unlikestandardassumptionswhere
itpossibletoalgorithmicallystudythebestpossible“breakers”,herewedonotevenhaveanalgorithmic
way to test whether a given adversary M breaks the assumption. In addition, the impossibility of ex-
tractablefunctionswithblack-boxextractiononlyfurtherdecreasesourconfidenceinsuchassumptions,
asourcurrentunderstandingofnon-black-boxtechniquesandtheirlimitationsisquitepartial.
Thus,anaturalquestionarises:
Canweconstructusefulextractablefunctionsfromstandardhardnessassumptions?
2
1.1 Results
We provide a positive answer to this question. Specifically, we construct one-way functions that are
extractableagainstadversarieswithnon-uniformadviceofboundedpolynomiallength,butunbounded
polynomialrunningtime(fromhereon,BAPTadversaries). Notethatthisclassincludes,inparticular,all
uniformPTadversaries. Wealsoshowhowtouseourconstructionstoobtain3-messageand2-message
zero-knowledge,againstBAPTadversarialverifiers.
A bit more precisely, we construct a variant of EOWF, which we call generalized extractable one-
way functions (GEOWF). A GEOWF is associated with an equivalence relation on its range. The
one-waynessrequirementisstrengthened: notonlyisithardtofindanexactpreimageofv,butitisalso
hard to find a preimage of any equivalent v(cid:48). The extractability requirement is weakened commensu-
rately: theextractordoesnothavetooutputapreimageofv,butonlyapreimageofsomeequivalentv(cid:48).
Such a generalization was previously considered in [BCCT12] for a similar purpose, in the context of
extractablecollision-resistanthashfunctions(referredtoasproximityECRHs).
Our extraction technique is inspired by the uniform public-coin ZK protocol of Barak [Bar01].1
Themaintechnicaltoolusedinourconstructionsarenon-interactivecomputationallysoundproofsfor
deterministic polytime statements, from hereon referred to as P-delegation schemes. In a recent break-
through,Kalai,Raz,andRothblum[KRR]constructaP-delegationschemebasedontheassumptionof
asubexponentiallysecureprivateinformationretrievalscheme.
Weshow:
Theorem1.1(informal).
1. Assuming P-delegation, and 1-Hop homomorphic encryption with function privacy [GHV10],
thereexistGEOWFsagainstBAPTadversaries.
2. AssumingGEOWFsasaboveandZAPs[DN07],thereexista3-messageZKargumentofknowl-
edgeagainstBAPTverifiers.
3. AssumingtheGEOWFsareone-wayagainstsubexponentialadversaries,thereexistsa2-message
ZKargumentagainstBAPTverifiers.
We note that all the assumptions above can be reduced, for example, to subexponential Decision
Diffie-Hellman (or Quadratic Residuosity) and trapdoor permutations [AIR01, NP01, DN07, OI07,
GHV10,HK12,KRR].
Limitations and previous work. 3-message zero-knowledge protocols with black-box simulation ex-
ist only for trivial languages [GK96]. Impossibility extends to the case of adversaries with bounded
advice of size nΩ(1), where n is the security parameter. See Appendix A for more details. All pre-
vious 3-message zero-knowledge protocols were based on knowledge of exponent (or more general
extractability)assumptions,wherethesimulatorusesanon-blackextractorthatisonlyassumedtoexist,
butnotexplicitlyconstructed[HT98,BP04,CD08].
Two-message zero-knowledge arguments against adversaries with unbounded polynomial advice
exist only for trivial languages (regardless of how simulation is done) [GO94]. In fact, impossibility
extends even to adversaries with bounded advice, provided that the advice string is longer than the
verifier’smessage. Baraketal. [BLV06]constructa2-messageargumentthatiszero-knowledgeaslong
astheverifier’sadviceisshorterthantheverifiermessagebysuper-logarithmicadditivefactor. However,
security of the Barak et al. protocol is only shown assuming existence of P-delegation 2 schemes that
1Theterm“uniformZK”isusedinBarak[Bar01]. Barak,Lindell,Vadhan[BLV06]usetheterm“plainZK”instead,to
stressthefactthatonlytheverifierisuniform,whileallothercomponents(includingproveranddistinguisher)arenon-uniform.
2Infact,[BLV06]assumenon-interactiveCSproofsforallofNP;however,theirargumentcanbeaugmentedandbasedon
CSproofsforP
3
arepubliclyverifiable. Whilethisassumptionisfalsifiable[CLP13],itsonlycandidateconstructionsare
either Micali’s CS proof construction in the random oracle model, or the publicly verifiable SNARGs
of[BCCT13]basedonknowledgeofexponenttypeassumptions. Weobtainthesameresult, underthe
assumptionsstatedabove.
1.2 Techniques
Constructing extractable functions. We now sketch how we construct extractable one-way functions
againstBAPTadversaries. Toconveythebasicideabehindourconstruction,considerthefollowingfirst
attempt. LetPRG : {0,1}n → {0,1}3n beapseudorandomgenerator. Definef : {0,1}n ×{0,1}n →
{0,1}3n asso:
(cid:40)
PRG(s) ifi (cid:54)= 0n
f(i;s) = .
s(1n) ifi = 0n
Thatis,ifi (cid:54)= 0n,applythePRGtotheseeds. Otherwise,interpretsasamachine,andoutputitsfirst
3n output bits. The one-wayness of f follows from the pseudo-randomness of its output and the fact
thatatrulyrandomoutputwouldhavehighKolmogorovcomplexity. f isalsoextractablewithrespect
toprogramsM whosedescriptionsizeisboundedbyn: IfM outputssomev ∈ {0,1}3n,theextractor
Extjustoutputs(0n,M).
The main problem is that the time required to compute f is not bounded by any particular polyno-
mial. Onecantrytofixthisbypaddingtheinputwith1t wheretistherunningtimeofs(1n). However,
now the length of the extracted primage depends on the running time of M and is not bounded by any
particularpolynomialinthelengthoftheimage. Suchextractablefunctionsdonotseemtobeaspow-
erfulthough;inparticular,wedonotknowhowtousethemforconstructing2-messageand3-message
ZKprotocols.
A similar problem is encountered in Barak’s zero-knowledge protocol [Bar01], where the entire
computation of a malicious verifier is used as the simulation trapdoor. As in the protocol of [BLV06],
we get around this problem using a non-interactive proof system that allows for quick verification of
(possibly long) computations. Instead of computing the output v of s(1n), f will (quickly) verify a
proof for the fact that s(1n) outputs v. That is, we define f(cid:48)(0n,s,v,π) that outputs v only if π is
a convincing proof that s(1n) = v. Intuitively, the soundness of the proof guarantees that function
is still one-way. Extraction from a BAPT adversary M is done by simply computing a proof for its
computation.
However, which proof system should we use? Barak [Bar01] uses interactive universal arguments
[Kil92, BG08], whereas we need a non-interactive version of universal arguments that we call NIUA.
Moreprecisely,inaNIUA,theverifiergenerates,onceandforall,an“offlinemessage”σ togetherwith
a private verification state τ and sends σ to the prover. Then, the prover can compute a non-interactive
proof π for any adaptively chosen statement of the sort: “machine M outputs v within t steps”. We
requirethattheverifierrunsintimepolynomialinthesecurityparametern,butonlypolylogarithmicin
t,andtheproverrunsintimepolynomialin(t,n).
EOWFs can be constructed from NIUA that are publicly verifiable, that is, where the verification
stateτ canbepublishedwithoutcompromisingsoundness. Wedefineafunctionfamily{f(cid:48)}asabove,
k
where the the key k contains the NIUA offline message σ and the verification state τ. The function f(cid:48)
k
willverifyanNIUAproofπ forthefactthattheprogramsoutputsv within,say,nlogn steps.
InstantiatingNIUAs. Alas,wedonotknowhowtoconstructpubliclyverifiableNIUAsfromstandard
assumptions. Still, inarecentbreakthroughresult, Kalai, RazandRothblum[KRR13,KRR]construct
P-delegation scheme based on any private information retrieval scheme with sub-exponential security.
Such P-delegation scheme directly yield NIUA that are privately-verifiable. The problem is that now,
4
including the NIUA’s private verification state τ as part of the key k will break the soundness of the
NIUAandthusalsotheone-waynessoff(cid:48).
k
Our solution is to modify the function as follows: The key k will contain the offline message σ
together with a fully homomorphic encryption c of the corresponding verification state τ. (In fact, a
τ
1-HOP, non-compact homomorphic encryption suffices.) Intuitively, the function is defined as before
except that verification of the proof π is done homomorphically, using the encrypted verification state
τ. Thatis,wedefinef(cid:48)(cid:48) (0n,s,v,π) = (v,ˆc),whereˆcistheresultofhomomorphicallyevaluatingthe
σ,cτ
privately-verifiable NIUA verifier. In the case that the first field i is not 0n, instead of just outputting
PRG(s),theoutputincludesalsoanencryptionc ofthevalue1.
1
Generalized EOWF. Note that the function f(cid:48)(cid:48) is no longer extractable in the standard sense. Given a
BAPTadversaryM thatoutputsanimage(v,ˆc),theextractorcancomputeaproofπforthecomputation
ofM andoutputthepreimage(0n,M,v,π)asbefore. However,f(cid:48)(cid:48) onthispreimagewilloutput(v,ˆc(cid:48))
whereˆc(cid:48) isanencryptionof1thatismostprobablydifferentthanˆc. Nonetheless,f(cid:48)(cid:48) satisfiesthenotion
of generalized extractable one-way functions (GEOWF). We define an equivalence relation ∼ on the
range of f as follows: (v,ˆc) ∼ (v(cid:48),ˆc(cid:48)) iff v = v(cid:48) and bothˆc andˆc(cid:48) are encryptions of 1. As required,
k
theextractordescribedaboveoutputsapreimgeof(v,ˆc(cid:48))suchthat(v,ˆc) ∼ (v,ˆc(cid:48)). Theone-waynessof
f(cid:48)(cid:48) with respect to ∼ follows from the one-wayness of f(cid:48) and the semantic security of the encryption:
k
given an image (v,ˆc), finding a primage u of (v,ˆc(cid:48)) such that (v,ˆc) ∼ (v,ˆc(cid:48)) is hard, since if ˆc(cid:48) is an
encryptionof1,umustalsobeavalidpreimageofvunderf(cid:48),whereasbysematicsecuritytheencrypted
verificationstatec shouldnothelpininvertingf(cid:48). Notethattherelation∼canonlybetestedgiventhe
τ
secretkeyfortheencryption. Werefertosucharelationasprivatelytestable. (Theaboveissomewhat
ofanoversimplificationoftheactualdefinitionoff(cid:48)(cid:48). Seethebodyfordetails.)
k
Next,weshowhowtoconstruct2-messageand3-messagezero-knowledgeprotocolsfromGEOWF
withaprivatelytestablerelation.
From EOWF to 3-message zero-knowledge. We start by describing a 3-message zero-knowledge
protocolfromstrictEOWFs(namely,whentheequivalencerelation∼isequality). Theprotocolfollows
the Feige-Lapidot-Shamir trapdoor paradigm [FLS99]. The basic idea is to have the verifier sample a
function f from the EOWF family, and send an image v = f (u) of a random element u, which
k k
will serve as the trapdoor. The prover would then give a witness-indistinguishable proof of knowledge
attesting that it either knows a witness w for the proven statement, or it knows a preimage u(cid:48) of v.
Intuitively, soundness (and actually proof of knowledge) follow from the one-wayness of f and the
k
proof of knowledge property of the WI system. Zero-knowledge follows from the extractability of f .
k
Indeed, the simulator, given the code of the verifier, can run the extractor of the EOWF, obtain u, and
useittosimulatetheWIproof.
Followingthroughonthisintuitionencountersseveraldifficulties. First,sinceaWIproofofknowl-
edgerequires3messages,thefirstWIprovermessagemustbesentinthefirstmessageoftheprotocol.
However,theWIstatementisonlydeterminedwhentheverifiersendsvinthesecondprotocolmessage.
Therefore,wemustmakesuretouseaWIproofofknowledgewherethefirstprovermessagedoesnot
depend on the statement. Another basic problem concerns the length of the first WI message. Recall
that, in our construction of EOWFs against BAPT adversaries, the function’s output is longer than the
adversary’sadvice. SinceacheatingverifiermaycomputevusingthefirstWImessageasanadvice,we
must use a WI system where the length of the first message is independent of the length of the proven
statement. WedesignaWIproofofknowledgewiththerequiredpropertiesbasedonZAPs[DN07]and
extractablecommitments[PW09].
2-messagezero-knowledge. Inthe2-messageprotocol, wereplacethe3-messageWIproofofknowl-
edge with a 2-message WI proof (e.g. ZAP). However, in the above 3-message protocol, soundness
is established by using the proof-of-knowledge property of the WI, whereas 2-message WI proofs of
knowledge are not known. Instead, we prove soundness using complexity leveraging. The prover adds
5
toitsmessageastatisticallybindingcommitmenttojunk,andprovesthateither“x ∈ L”,or“f (u) = v
k
and the commitment is to u”. We require that the commitment is invertible in some superpolynomial
time T, whereas the one-wayness of f still holds against adversaries that run in time poly(T). Now,
k
aninverteroff canrunthecheatingproverwithaverifiermessagethatcontainsitsinputimagev,and
k
brute-forcebreakthecommitmenttoobtainapreimageofv.
ReplacingEOWFwithGEOWF. Thezero-knowledgeprotocolsfrom GEOWFsaresimilar, withthe
exceptionthatnow,ratherthanprovingknowledgeofapreimageofv,theproverwillsendanimagev(cid:48)
suchthatv(cid:48) ∼ v andproveknowledgeofapreimageofv(cid:48). TokeeptheprotocolZK,thehonestprover
must be able to sample an image v(cid:48) that is distributed like the image that is sent by the simulator even
withoutknowingacorrespondingpreimage. InourGEOWFconstruction,suchanequivalentimagecan
beefficientlysampled.
1.3 WhyExtractableFunctions?
Aspointedoutabove,theextractablefunctionsconstructedheremimicBarak’szero-knowledgeprotocol
[Bar01]. Thesimilaritybecomesevenstrongerwhenconsideringthetwo-messagezero-knowledgepro-
tocolofBaraket. al[BLV06]: Ourtwomessageprotocolcanbedirectlyobtainedfromthatof[BLV06]
byreplacingtheCSproofswithP-delegation,andaccountingforprivateverifiabilityassketchedabove.
This can be done without mention of extractable functions. Still, we believe that the abstraction of ex-
tractablefunctionsishelpfulinthiscontext. Inparticular,ithelpsseparatingtheprotocolstructurefrom
theunderlyingmechanismofextractingasecretvaluefromagivenadversarialprogram.
Furthermore,wehopethatthisabstractionwillproveusefulforadditionalapplicationsbeyondtwo
and three-message zero-knowledge. Applications like succinct non-interactive arguments (SNARGs)
andefficientCCAencryptionseemtorequireextractablefunctionswithstrongerpropertiessuchasin-
jectivenessorcollision-resistance[Dam92,BCCT12]. Atthispoint,candidatesforextractablefunctions
withsuchpropertiesareknownbasedonnon-standardassumptionsregardingdifferentnumbertheoretic
and algebraic structures, such as the knowledge-of-exponent assumption. In contrast, our construction
is unstructured and does not satisfy the above properties. Indeed, in our function it is easy to find col-
lisions: Consider a machine M that just evaluates the function on any arbitrary input u. By simply
applyingtheextractoronM,wecanobtainadifferentpreimageu(cid:48) mappingtoanequivalentimage.
We hope that the proposed construction will provide a stepping stone to improved constructions of
strongerextractablefunctionsbasedonstandardandbetterunderstoodhardnessassumptions. Twonat-
ural targets here are extractable collision-resistant hash functions and extractable non-interactive com-
mitments.
Organization. Section 2 defines the notion of NIUA and other main tools used in our constructions.
Section 3 presents our main construction of GEOWF against BAPT adversaries. Section 4 constructs
2-messageand3-messageZKprotocolsagainstBAPTverifiers.
2 Tools
2.1 Non-InteractiveUniversalArgumentsforDeterministicComputations&Delegation
We define non-interactive universal arguments for deterministic computations (NIUAs), which can be
seen as a special case of Barak’s and Goldreich’s [BG08] UAs. We then explain the relation to the
problemofdelegationandthecorrespondingexistenceresultofKalai,Raz,andRothblum[KRR].
Inwhatfollows,wedenotebyL theuniversallanguageconsistingofalltuples(M,x,t)suchthatM
U
acceptsy withintsteps. WedenotebyL (T)allpairs(M,x)suchthat(M,x,T) ∈ L .
U U
6
Let T(n) ∈ (2ω(logn),2poly(n)) be a computable superpolynomial function. An NIUA system for
Dtime(T) consists of three algorithms (G,P,V) that work as follows. The (probabilistic) generator G,
given a security parameter 1n, outputs a reference string σ and a corresponding verification state τ; in
particular,G isindependentofanystatementtobeprovenlater. ThehonestproverP(M,x;σ)produces
acertificateπforthefactthat(M,x) ∈ L (T(n)). TheverifierV(M,x;π,τ)verifiesthevalidityofπ.
U
Definition2.1(NIUA). Atripleofalgorithms(G,P,V)isanon-interactiveuniversalargumentsystem
forforDtime(T)ifitsatisfies:
• PerfectCompleteness:
Foranyn ∈ Nand(M,x) ∈ L (T(n)):
U
Pr [V(M,x;π,τ) = 1 | π ← P(M,x;σ)] = 1 .
(σ,τ)←G(1n)
• Adaptivesoundness:
ForanypolysizeproverP∗ andlargeenoughn ∈ N:
(cid:20) (cid:12)(cid:12) (M,x,π) ← P∗(σ) (cid:21)
Pr V(M,x;π,τ) = 1 (cid:12) ≤ negl(n) .
(σ,τ)←G(1n) (cid:12) (M,x) ∈ {0,1}n\LU(T(n))
• Fastverificationandrelativeproverefficiency:
Thereexistsapolynomialpsuchthatforeveryn ∈ N,t ≤ T(n),and(M,x) ∈ L (t):
U
– thegeneratorG runsintimep(n);
– theverifierV runsintimep(n+|M|+|x|);
– theproverP runsintimep(n+|M|+|x|+t).
The system is said to be publicly verifiable if it is sound when τ is public. In this case, we will assume
WLOGthatσ = τ.
Existenceandconnectiontodelegationofcomputation. Therearetwodifferencesbetweenthenotion
of delegation for deterministic computations (See, e.g., [KRR13]) and the NIUA notion defined above.
ThefirstisthatadelegationsystemisassociatedwithagivenlanguageL(M)forafixeddeterministic
machine M, and the corresponding efficiency parameters depend on the worst-case running time T
M
of M. In particular, the generator G depends on T as an extra parameter, and the prover’s efficiency
M
is polynomial in the worst-case running time T . The second difference is that only non-adaptive
M
soundnessisrequired;inparticular,thegenerator’smessageσ maydependontheinputx.
Kalai, Raz, and Rothblum [KRR] show how to construct such a privately verifiable delegation
scheme for every language in Dtime(T) ⊆ EXP, assuming subexponentially secure private informa-
tion retrieval schemes that are subexponentially secure, which can in turn be constructed based the
subexponentialLearningwithErrorsassumption[BV11].3
Inordertogeta(privatelyverifiable)NIUAforDtime(T),wecouldpotentiallyusetheirresultwith
respect to a universal machine and worst-case running time O(T). However, this solution would lack
the required prover efficiency, as the prover will always run in time poly(T), even for machines M
with running time t << T. This is undesired in our case, as we will be interested inT that is super-
M
polynomial. Fortunately,aratherstandardtransformationdoesallowtogettherequiredefficiencyfrom
3Private information retrieval based on Quadratic Residousity, Decision Diffie-Helmman, or more generally additively
homomorphic encryption can also be used. However, this induces worst communication complexity [OI07], and leads to
NIUAsforsmaller,butstillsuper-polynomial,upperboundT;thisisstillsufficientforourpurpose.
7
their result. Specifically, we could run the generator in their solution to generate reference string and
verificationstate(σ,τ)forcomputationsofsizetforallt ∈ (cid:8)1,2,22,...,2logT(cid:9),andhavetheprover
and verifier use the right (σ,τ) according to the concrete running time t < T, guaranteeing that the
M
prover’srunningtimeisatmostpoly(2t )asrequired.
M
Also, in their scheme, the generator works independently of the input x, but soundness is shown
only when σ is generated independently of x. To guarantee soundness for adaptively chosen inputs
x ∈ {0,1}n, we may repeat the above argument 2n times. Since parallel repetition exponentially
reduces the soundness error in two-message arguments, we can then take a union bound over all 2n
adaptivechoicesofxandgettherequiredsoundness. The2n-factorhitinsuccinctnessandverification
timearestilltolerableforourpurposes(andstillsatisfytheabovedefinition).
2.2 1-HopHomomorphicEncryption
A 1-Hop homomorphic encryption scheme [GHV10] allows a pair of parties to securely evaluate a
function as follows: the first party encrypts an input, the second party homomorphically evaluates a
function on the ciphertext, and the first party decrypts the evaluation result. Such a scheme can be
instantiated based on garbled-circuits and an appropriate 2-message oblivious transfer protocol, based
oneitherDecisionDiffie-HellmanorQuadraticResiduosity[Yao86,GHV10,NP01,AIR01,HK12].
Definition 2.2. A scheme (Gen,Enc,Eval,Dec) is a semantically-secure, circuit-private, 1-Hop homo-
morphicencryptionschemeifitsatisfiesthefollowingproperties:
• Perfectcorrectness:
Foranyn ∈ N,u ∈ {0,1}n andcircuitC:
(cid:20) (cid:21)
ˆc ← Eval (c,C)
Pr sk = 1 .
sk←Gen(1n) Decsk(ˆc) = C(u)
c←Enc (u)
sk
Eval
• Semanticsecurity:
ForanypolysizeA,largeenoughn ∈ N,andanypairofinputsu ,u ∈ {0,1}n
0 1
1
Pr [A(Enc (u )) = b] < +negl(n) .
sk b
b←{0,1} 2
sk←Gen(1n)
• Circuitprivacy:ArandomizedevaluationshouldnotleakinformationontheinputcircuitC. This
shouldholdevenformalformedciphertexts. Formally,letE(x) = Supp(Enc(x))bethesetofall
legalencryptionsofx,letE = ∪ E(x)bethesetlegalencryptionsforstringsoflengthn,
n x∈{0,1}n
andletC bethesetofallcircuitsonninputbits. Thereexistsa(possiblyunbounded)simulator
n
S suchthat:
{C,Eval(c,C)} n∈N,C∈Cn ≈c {C,S(c,C(x),|C|)} n∈N,C∈Cn
x∈{0,1}n,c∈E(x) x∈{0,1}n,c∈E(x)
{C,Eval(c,C)} n∈N ≈c {C,S(c,⊥,|C|)} n∈N .
C∈Cn,c∈/En C∈Cn,c∈/En
3 Extractable One-Way Functions
against Adversaries with Bounded Advice
Inthissection,wedefineandconstructextractableone-wayfunctionsagainstadversarieswithbounded
advice.
8
3.1 Definitions
For brevity, we refer to extractable one-way functions against polytime adversaries with m-bounded
advice as EOWFs against m-BAPT adversaries. Such functions are one-way in the usual sense, and in
addition it is possible to efficiently extract a pre-image from the code of any adversary that outputs a
validimage,providedthattheadversaryonlyhasboundednon-uniformadvice,butarbitrarypolynomial
runningtime;this,inparticular,includestheclassofuniformpolytimeadversaries. Concretely,weshall
focus on PPT adversaries with non-uniform advice z ∈ {0,1}m(n). We treat any randomness that the
machines may use as part of their advice z; in particular, our adversaries are only allowed bounded
randomness, which in most application is not a restriction, as they can use a PRG to stretch it (see
Remark3.2).
Definition 3.1 (EOWFs against m-BAPT adversaries). Let (cid:96),(cid:96)(cid:48) be polynomially bounded length func-
tions. Anefficientlycomputablefamilyoffunctions
(cid:110) (cid:12) (cid:111)
F = f : {0,1}(cid:96)(n) → {0,1}(cid:96)(cid:48)(n) (cid:12) k ∈ {0,1}poly(n),n ∈ N ,
k (cid:12)
associated with an efficient (probabilistic) key sampler K, is an extractable one-way function against
adversarieswithm-boundedadviceifitsatisfies:
• One-wayness:ForanypolysizeA,andlargeenoughsecurityparametern ∈ N:
(cid:20) u(cid:48) ← A(k,f (u)) (cid:21)
Pr k ≤ negl(n) .
k←K(1n) fk(u(cid:48)) = fk(u)
u←{0,1}(cid:96)(n)
• Extractability: For any PPT adversary M, there exists a PPT extractor Ext such that, for any
largeenoughsecurityparametern ∈ N,andadvicez ∈ {0,1}m(n):
(cid:20) v ← M(k;z) u(cid:48) ← Ext(k;z) (cid:21)
Pr ∧ ≤ negl(n) .
k←K(1n) ∃u : fk(u) = v fk(u(cid:48)) (cid:54)= v
Generalized EOWFs. We next define generalized EOWFs (GEOWFs), analogous to the proximity
extractable collision-resistance in [BCCT12]. Here the extractable function family {f } is associated
k
with an equivalence relation ∼ on the range of f . The one-wayness requirement is then strengthened:
k
notonlyisithardtofindanexactpreimageofv,butitisalsohardtofindapreimageofanyequivalent
v(cid:48) ∼ v(weshalloftenrefertosuchapreimageasa“relativepreimage”). Theextractabilityrequirement
is weakened accordingly: the extractor does not have to output an exact preimage of v, but only a
preimage of some equivalent v(cid:48) ∼ v. Intuitively, one can think of a generalized EOWF where each f
k
maps{0,1}(cid:96)to{0,1}(cid:96)(cid:48) asastandardEOWFthatmaps{0,1}(cid:96)tothequotientspaceofco-setsin{0,1}(cid:96)(cid:48)
modulo∼.
We may further allow that the relation ∼ depends on the key k, where the relation ∼ can either be
publicly-testablegivenk,orrequiretheprivatecoinsusedtosamplekforefficienttesting. Inparticular,
anystandardEOWFisaGEOWFwiththepublicly-testableequalityrelation.
Definition3.2(GEOWFsagainstm-BAPTadversaries). Anefficientlycomputablefamilyoffunctions
(cid:110) (cid:12) (cid:111)
F = f : {0,1}(cid:96)(n) → {0,1}(cid:96)(cid:48)(n) (cid:12) k ∈ {0,1}poly(n),n ∈ N ,
k (cid:12)
associatedwithanefficient(probabilistic)keysamplerK,isanextractableone-wayfunction,withprox-
imityrelation∼on{0,1}(cid:96)(cid:48)(n)×{0,1}(cid:96)(cid:48)(n),againstadversarieswithm-boundedadvice,ifitsatisfies:
9
• Strongone-wayness:foranypolysizeA,andlargeenoughsecurityparametern ∈ N:
(cid:20) u(cid:48) ← A(k,f (u)) (cid:21)
Pr k ≤ negl(n) .
k←K(1n) fk(u) ∼ fk(u(cid:48))
u←{0,1}(cid:96)(n)
• Weakextractability:foranyPPTadversaryM,thereexistsaPPTextractorExtsuchthat,forany
largeenoughsecurityparametern ∈ N,andadvicez ∈ {0,1}m(n):
(cid:20) v ← M(k;z) u(cid:48) ← Ext(k;z) (cid:21)
Pr ∧ ≤ negl(n) .
k←K(1n) ∃u : fk(u) = v fk(u(cid:48)) (cid:54)∼ v
• Testablerelation: There exists a deterministic polytime machine T such that, given the random
coinsusedbyK tosamplek, T acceptsv,v(cid:48) ∈ {0,1}(cid:96)(cid:48)(n) ifandonlyifv ∼ v(cid:48). Therelationis
k
publicly-testableT onlyrequiresk,butnottheprivatecoinsusedtosampleit.
Remark3.1(universalextractor). Intheabovedefinitions,eachPPTM isrequiredtohaveadesignated
PPT extractor Ext . Our constructions will, in fact, guarantee the existence of one universal extractor
M
Ext that given any (M,z,k) and a bound 1tM on the running time of M(k;z), can perform extraction.
Moreover,therunningtimeofExtisboundedbysome(universal)polynomialpoly(t )intherunning
M
timeofM.
Remark 3.2 (bounded randomness). In our definitions, we assumed that any randomness used by the
machines is part of their bounded advice, and in particular, is bounded itself. For many applications,
this is sufficient as we can transform any adversary that uses arbitrary polynomial randomness to one
that uses bounded randomness, by having it stretch its randomness with a PRG. (Alternatively, we can
achieveanalternativeextractiondefinitionwheretheextractorisrandomizedandisallowedtosimulate
the adversary’s randomness.) This approach is applicable for example for ZK against BAPT verifiers
(see Section 4), as well as for any application where testing if the adversary breaks the scheme can be
doneefficiently.
AdditionalpropertiesofGEOWFs. WenextdiscussadditionalpropertiesofGEOWFsthatwillprove
usefulinthedesignofprotocols.
The first property is called everywhere extractability and requires that extractability does not only hold
withoverwhelmingoverkeysk ← K(1n),butalsoholdsforanymaliciouslychosenkey.
Definition3.3. AGEOWF(orEOWF)issaidtosatisfyeverywhereextractabilityifweakextractability
holdsforanyk ∈ {0,1}poly(n),wherepoly(n)isthelengthofkeysoutputbyK(1n).
Wenotethateverywhereextractabilitycannotbeachievediftheoutputofthefunction(cid:96)(cid:48) isshorter
than the length of the advice m that the adversary is allowed; otherwise, the adversary may simply get
asadvicearandomimageundersomekey,andtheextractorwouldfailtoinvertforthatkey. Indeed,in
our constructions that achieve everywhere extractability, the output of the function will be longer than
theallowedadvice.
Also,wenotethatonecanmakeananalogouspropertyofeverywhereone-wayness,whichforsome
applications may be a sufficient alternative to everywhere extractability; however, we will not require
(norachieve)thispropertyinthiswork.
The second property, called oblivious image sampling, strengthens even further the extractability re-
quirement,sayingthatthedistributionofimagesv(cid:48) = f (u(cid:48))inducedbytheextractionprocedureExtis
k
simulatable, given only the image v output by the adversary M (and without the code of M). Accord-
ingly,theextractorExtwillnowberandomized.
10
Description:We give the first construction of extractable one-way functions assuming only . extractable against adversaries with non-uniform advice of bounded
