Limits of Extractability Assumptions with Distributional Auxiliary Input.

Elette Boyle, Technion Israel, Rafael Pass

IACR Cryptology ePrint Archive (2013)

Abstract
Extractability, or "knowledge," assumptions have recently gained popularity in the cryptographic community, leading to the study of primitives such as extractable one-way functions, extractable hash functions, succinct non-interactive arguments of knowledge (SNARKs), and public-coin differing-inputs obfuscation (PC-$$di\mathcal{O}$$), and spurring the development of a wide spectrum of new applications relying on these primitives. For most of these applications, it is required that the extractability assumption holds even in the presence of attackers receiving some auxiliary information that is sampled from some fixed efficiently computable distribution $$\mathcal{Z}$$. We show that, assuming the existence of public-coin collision-resistant hash functions, there exists an efficient distribution $$\mathcal{Z}$$ such that either PC-$$di\mathcal{O}$$ for Turing machines does not exist, or extractable one-way functions w.r.t. auxiliary input $$\mathcal{Z}$$ do not exist. A corollary of this result shows that additionally assuming existence of fully homomorphic encryption with decryption in $$NC^1$$, there exists an efficient distribution $$\mathcal{Z}$$ such that either SNARKs for $$\mathsf{NP}$$ w.r.t. auxiliary input $$\mathcal{Z}$$ do not exist, or PC-$$di\mathcal{O}$$ for $$NC^1$$ circuits does not exist. To achieve our results, we develop a "succinct punctured program" technique, mirroring the powerful punctured program technique of Sahai and Waters (STOC'14), and present several other applications of this new technique. In particular, we construct succinct perfect zero knowledge SNARGs and give a universal instantiation of random oracles in full-domain hash applications, based on PC-$$di\mathcal{O}$$. As a final contribution, we demonstrate that even in the absence of auxiliary input, care must be taken when making use of extractability assumptions. We show that standard $$di\mathcal{O}$$ w.r.t. any distribution $$\mathcal{D}$$ over programs and bounded-length auxiliary input is directly implied by any obfuscator that satisfies the weaker indistinguishability obfuscation (i$$\mathcal{O}$$) security notion and $$di\mathcal{O}$$ for a slightly modified distribution $$\mathcal{D}'$$ of programs of slightly greater size and no auxiliary input. As a consequence, we directly obtain negative results for standard $$di\mathcal{O}$$ in the absence of auxiliary input.