## Abstract

A function f is extractable if it is possible to algorithmically "extract," from any adversarial program that outputs a value y in the image of f, a preimage of y. When combined with hardness properties such as one-wayness or collision-resistance, extractability has proven to be a powerful tool. However, so far, extractability has not been explicitly shown. Instead, it has only been considered as a nonstandard knowledge assumption on certain functions. We make headway in the study of the existence of extractable one-way functions (EOWFs) along two directions. On the negative side, we show that if there exist indistinguishability obfuscators for circuits, then there do not exist EOWFs where extraction works for any adversarial program with auxiliary input of unbounded polynomial length. On the positive side, for adversarial programs with bounded auxiliary input (and unbounded polynomial running time), we give the first construction of EOWFs with an explicit extraction procedure, based on relatively standard assumptions (such as subexponential hardness of learning with errors). We then use these functions to construct the first 2-message zero-knowledge arguments and 3-message zero-knowledge arguments of knowledge, against verifiers in the same class of adversarial programs, from essentially the same assumptions.

Original language | English (US) |
---|---|

Pages (from-to) | 1910-1952 |

Number of pages | 43 |

Journal | SIAM Journal on Computing |

Volume | 45 |

Issue number | 5 |

DOIs | |

State | Published - 2016 |

## Keywords

- Extraction
- Knowledge
- Obfuscation
- Zero knowledge

## ASJC Scopus subject areas

- General Computer Science
- General Mathematics