Conference: International conference on the theory and application of cryptology and information security

Limits of Extractability Assumptions with Distributional Auxiliary Input


Abstract

Extractability, or "knowledge," assumptions have recently gained popularity in the cryptographic community, leading to the study of primitives such as extractable one-way functions, extractable hash functions, succinct non-interactive arguments of knowledge (SNARKs), and (public-coin) differing-inputs obfuscation ((PC-)diO), and spurring the development of a wide spectrum of new applications relying on these primitives. For most of these applications, it is required that the extractability assumption holds even in the presence of attackers receiving some auxiliary information that is sampled from some fixed efficiently computable distribution Z. We show that, assuming the existence of public-coin collision-resistant hash functions, there exists an efficient distribution Z such that either (1) PC-diO for Turing machines does not exist, or (2) extractable one-way functions w.r.t. auxiliary input Z do not exist. A corollary of this result shows that, additionally assuming the existence of fully homomorphic encryption with decryption in NC^1, there exists an efficient distribution Z such that either (1) SNARKs for NP w.r.t. auxiliary input Z do not exist, or (2) PC-diO for NC^1 circuits does not exist. To achieve our results, we develop a "succinct punctured program" technique, mirroring the powerful punctured program technique of Sahai and Waters (STOC'14), and present several other applications of this new technique. In particular, we construct succinct perfect zero knowledge SNARGs and give a universal instantiation of random oracles in full-domain hash applications, based on PC-diO. As a final contribution, we demonstrate that even in the absence of auxiliary input, care must be taken when making use of extractability assumptions. We show that (standard) diO w.r.t. any distribution D over programs and bounded-length auxiliary input is directly implied by any obfuscator that satisfies the weaker indistinguishability obfuscation (iO) security notion and diO for a slightly modified distribution D′ of programs (of slightly greater size) and no auxiliary input. As a consequence, we directly obtain negative results for (standard) diO in the absence of auxiliary input.
