Paper 2013/703

Limits of Extractability Assumptions with Distributional Auxiliary Input

Elette Boyle and Rafael Pass

Abstract

Extractability, or "knowledge," assumptions have recently gained popularity in the cryptographic community, leading to the study of primitives such as extractable one-way functions, extractable hash functions, succinct non-interactive arguments of knowledge (SNARKs), and differing-inputs obfuscation (diO), and spurring the development of a wide spectrum of new applications relying on these primitives. For most of these applications, it is required that the extractability assumption holds even in the presence of attackers receiving some auxiliary information that is sampled from some fixed efficiently computable distribution Z. We show that, assuming the existence of collision-resistant hash functions, there exist efficient distributions Z, D such that either: * Extractable one-way functions w.r.t. auxiliary input Z do not exist, or * diO for a distribution of Turing machines and auxiliary input specified by D does not exist. A corollary of this result shows that assuming existence of fully homomorphic encryption with decryption in NC1, there exist efficient distributions Z, D such that either: * SNARKs for NP w.r.t. auxiliary input Z do not exist, or * diO for a distribution of NC1 circuits and aux input specified by D does not exist. To achieve our results, we develop a "succinct punctured program" technique, mirroring the powerful punctured program technique of Sahai and Waters (STOC'14), and present several other applications of this new technique. We additionally demonstrate that diO w.r.t. any distribution D of programs and bounded-length auxiliary input is directly implied by any obfuscator that satisfies the weaker indistinguishability obfuscation iO security notion and diO for a slightly modified distribution D' of programs (of slightly greater size) and no auxiliary input. As a consequence, we directly obtain negative results for diO \emph{in the absence of auxiliary input}.