Limits of Extractability Assumptions with Distributional Auxiliary Input

Authors

  • Elette Boyle
  • Rafael Pass
Abstract

Extractability, or “knowledge,” assumptions have recently gained popularity in the cryptographic community, leading to the study of primitives such as extractable one-way functions, extractable hash functions, succinct non-interactive arguments of knowledge (SNARKs), and differing-inputs obfuscation (diO), and spurring the development of a wide spectrum of new applications relying on these primitives. For most of these applications, it is required that the extractability assumption holds even in the presence of attackers receiving some auxiliary information that is sampled from some fixed efficiently computable distribution Z. We show that, assuming the existence of collision-resistant hash functions, there exist efficient distributions Z, D such that either

  • extractable one-way functions w.r.t. auxiliary input Z do not exist, or
  • diO for a distribution of Turing machines and auxiliary input specified by D does not exist.

A corollary of this result shows that assuming existence of fully homomorphic encryption with decryption in NC, there exist efficient distributions Z, D such that either

  • SNARKs for NP w.r.t. auxiliary input Z do not exist, or
  • diO for a distribution of NC circuits and aux input specified by D does not exist.

To achieve our results, we develop a “succinct punctured program” technique, mirroring the powerful punctured program technique of Sahai and Waters (STOC’14), and present several other applications of this new technique. We additionally demonstrate that diO w.r.t. any distribution D of programs and bounded-length auxiliary input is directly implied by any obfuscator that satisfies the weaker indistinguishability obfuscation (iO) security notion and diO for a slightly modified distribution D′ of programs (of slightly greater size) and no auxiliary input. As a consequence, we directly obtain negative results for diO in the absence of auxiliary input.
∗ This work was primarily completed while the first author was a postdoc at Cornell University, supported in part by AFOSR YIP Award FA9550-10-1-0093. This research has received funding from the European Union’s Tenth Framework Programme (FP10/ 2010-2016) under grant agreement no. 259426 ERC-CaC.

† Pass is supported in part by an Alfred P. Sloan Fellowship, Microsoft New Faculty Fellowship, NSF Award CNS1217821, NSF CAREER Award CCF-0746990, NSF Award CCF-1214844, AFOSR YIP Award FA9550-10-1-0093, and DARPA and AFRL under contract FA8750-11-20211. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the US Government.

Similar resources

On the Existence of Extractable One-Way Functions

Extractability is one of the main and central tools for design and analysis of modern cryptographic protocols. We say a function is extractable if any adversary that outputs a point in the range of the function is guaranteed to “know” a corresponding preimage. This research presents a short report on the existence of extractable one-way functions based on a recent paper by Bitansky et al. [BCPR...

A Note on the Impossibility of Obfuscation with Auxiliary Inputs

In this note we revisit the problem of obfuscation with auxiliary inputs. We show that the existence of indistinguishability obfuscation (iO) implies that all functions with sufficient “pseudoentropy” cannot be obfuscated with respect to a virtual box definition (VBB) in the presence of (dependent) auxiliary input. Namely, we show that for any candidate obfuscation O and for any function family ...

Mann-Whitney multivariate nonparametric control chart.

In many quality control applications, the necessary distributional assumptions to correctly apply the traditional parametric control charts are either not met or there is simply not enough information or evidence to verify the assumptions. It is well known that performance of many parametric control charts can be seriously degraded in situations like this. Thus, control charts that do not requi...

Buckley-James Estimator of AFT Models with Auxiliary Covariates

In this paper we study the Buckley-James estimator of accelerated failure time models with auxiliary covariates. Instead of postulating distributional assumptions on the auxiliary covariates, we use a local polynomial approximation method to accommodate them into the Buckley-James estimating equations. The regression parameters are obtained iteratively by minimizing a consecutive distance of th...

Reappraising Poverty of Stimulus Argument: A Corpus Analysis Approach

The debate between empiricism and nativism goes back to the very beginning of philosophy. More recently, the nature of linguistic structure has been the focus of discussion in the field of psycholinguistics. The poverty of stimulus argument for innateness of syntactic knowledge (Chomsky, 1980; Crain & Pietroski, 2001) is one of the most famous and controversial arguments in the study of languag...

Publication date: 2013