Weakly extractable one-way functions

Nir Bitansky*, Noa Eizenstadt, Omer Paneth

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


A family of one-way functions is extractable if given a random function in the family, an efficient adversary can only output an element in the image of the function if it knows a corresponding preimage. This knowledge extraction guarantee is particularly powerful since it does not require interaction. However, extractable one-way functions (EFs) are subject to a strong barrier: assuming indistinguishability obfuscation, no EF can have a knowledge extractor that works against all polynomial-size non-uniform adversaries. This holds even for non-black-box extractors that use the adversary’s code. Accordingly, the literature considers either EFs based on non-falsifiable knowledge assumptions, where the extractor is not explicitly given, but it is only assumed to exist, or EFs against a restricted class of adversaries with a bounded non-uniform advice. This falls short of cryptography’s gold standard of security that requires an explicit reduction against non-uniform adversaries of arbitrary polynomial size. Motivated by this gap, we put forward a new notion of weakly extractable one-way functions (WEFs) that circumvents the known barrier. We then prove that WEFs are inextricably connected to the long standing question of three-message zero knowledge protocols. We show that different flavors of WEFs are sufficient and necessary for three-message zero knowledge to exist. The exact flavor depends on whether the protocol is computational or statistical zero knowledge and whether it is publicly or privately verifiable. Combined with recent progress on constructing three message zero-knowledge, we derive a new connection between keyless multi-collision resistance and the notion of incompressibility and the feasibility of non-interactive knowledge extraction. Another interesting corollary of our result is that in order to construct three-message zero knowledge arguments, it suffices to construct such arguments where the honest prover strategy is unbounded.

Original languageEnglish
Title of host publicationTheory of Cryptography - 18th International Conference, TCC 2020, Proceedings
EditorsRafael Pass, Krzysztof Pietrzak
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages31
ISBN (Print)9783030643744
StatePublished - 2020
Event18th International Conference on Theory of Cryptography, TCCC 2020 - Durham, United States
Duration: 16 Nov 202019 Nov 2020

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume12550 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference18th International Conference on Theory of Cryptography, TCCC 2020
Country/TerritoryUnited States


FundersFunder number
Alon Young Faculty Fellowship
Blavatnik Foundation1789/19
Blavatnik Family Foundation
Israel Science Foundation484/18
Tel Aviv University


    Dive into the research topics of 'Weakly extractable one-way functions'. Together they form a unique fingerprint.

    Cite this