 Hello everyone and welcome. Today's talk will be about extractable one-way functions. We will record a definition in some previous results and then discuss the barriers these functions face. We will suggest a way to overcome those barriers using a new relaxed definition. And begin with a reminder. An extractable one-way function is a family of functions that satisfies two properties. First, it is one-way, meaning that for a randomly sampled key and randomly sampled input, an efficient adversary will not be able to invert the function. Second property is extractability, meaning that for any efficient adversary that given a key produces an image, there exists an efficient extractor that given the same key extracts some pre-image with very high probability. This intuitively captures the idea that it is hard to sample an image without knowing a corresponding pre-image. The default settings are that both properties hold for a randomly chosen key. So what do we know about extractable functions? The good thing is that they are very powerful. Since extraction is done without any interaction, it results in some highly desirable application. For example, encryption with strong CCA security. Furthermore, if we achieve universal extraction, meaning that the extractor is the same for all adversaries, we also get three message zero knowledge arguments, which is the optimal round complexity. If we extend one wayness to create a resistance hardness, then it also implies a succinct non-interactive argument of knowledge. So where is the catch? The bad thing is constructing such functions is subject to strong barriers. First, since there is no interaction, traditional black box extraction techniques provably do not work. For example, rewinding becomes useless. So the extractor must use the code of the adversary in a non-black box manner. This by itself already makes the task very challenging, as we have only a few non-black box techniques and the ones we do have require more interaction. The second barrier is that EFs are subject to an impossibility resort by BCPR. Mitansky et al. showed that assuming in the same ability of refuscation, no efficient extractor can work against or polynomial time non-uniform adversaries, even non-black box ones. To get around those barriers, there are a few alternatives. First, we could use a non-explicit extractor, meaning the existence of the extractor is only assumed for a adversary. This can be achieved, for example, using knowledge assumptions, such as the knowledge of exponent assumption. But it might be insufficient for some applications. For example, in zero knowledge, the simulator may inefficiently depend on the instance. Also, it will result in non-explicit reductions. Another approach is to restrict the class of adversaries, for example, to bounded non-uniform advice. This falls short of the gold standard of non-uniform adversaries and of course also carry over to applications. In this work, we suggest a newly last definition for extractable functions that will allow us to overcome those barriers. We put forward a new definition of weakly extractable one-way functions that will circumvent the previous barriers and allow explicit universal extractor against arbitrary non-uniform adversaries. Our main results show that wefts are strongly connected to zero knowledge with optimal run complexity that is both sufficient and necessary for pre-message zero knowledge. We further draw two connections. One between incompressibility and extraction. BKP showed that pre-message zero knowledge is implied by keyless hash functions though it is impossible to compress collisions. Our results show that the same notion implies a certain non-interactive extractability. Second is a byproduct of our proof. We show that unbounded honest-prover pre-message zero knowledge imply bounded-prover pre-message zero knowledge. This is since in our weft construction we do not require the honest zero knowledge prover to be efficient. So let me present the new definition. The main difference in our variation is weak extraction where we allow the extractor to sample the keys for the adversary for which it is supposed to extract. We do require that the simulated keys are computationally indistinguishable from a predefined distribution of keys. Now, since we have weakened the extraction property, we have to strengthen the one-wayness. If we would require one-wayness only for random keys then it can be trivially obtained using trapdoor implementations. The extractor will sample a implementation along with a trapdoor and simply use it to invert every image. The inverter on the other hand which gets a randomly chosen key will not be able to invert. Therefore, we require hardness for any key. We will generalize this requirement a little bit and actually require that hardness stands for valid keys defined by some NP set. Now, the extractor must also sample valid keys. With this strengthen property, we can now proceed to our last adjustment. Following the generalization in BCPR, we also allow a more general form of hardness. We require that there is some hard NP relation rather than an image per image relation. Now, it should be hard to find a witness to a random statement. The extractor is also required to find such a witness. Our main motivation for studying webs is that they circumvent the impossibility result of BCPR. The impossibility result heavily relies on the fact that the extractor has no control over the key. In weak extraction, it is clearly not the case. While we have no reason to expect that previous EF candidates like Knowledge of Experiment Assumption satisfy this new definition, we do show how to engineer a function that satisfies it, making it achievable. Let me now state our results in more detail. So our results show a tight connection between webs and zero knowledge. First, assuming general webs, non-interactive commitments and two-message, witness indistinguishable arguments, there exists a publicly verifiable three-message zero-knowledge argument. By publicly verifiable, we mean that one can decide if the verifier will accept the proof or not from the transcript alone without the coin of the verifier. Second, assuming publicly verifiable three-message zero-knowledge arguments and non-interactive commitments, there exists a general web. These are the results that will be the focus of this presentation. But let me just mention some additional results from the paper. We show similar results with publicly verifiable zero-knowledge and also define a notion of publicly verifiable webs. The equivalence there is not completely tight because publicly verifiable webs require statistical zero-knowledge. Note that three-message statistical zero-knowledge is known from the same incompressibility assumption as computational zero-knowledge. I will now present the intuition behind both constructions and we will start with the three-message zero-knowledge from webs. We note that these follows closely previous constructions of zero-knowledge from strong EFs with some adaptations. This just goes to show that it is still a meaningful definition. So given a general web, the zero-knowledge protocol will be as follows. For some language L, in order to prove that a statement phi is in the language, an honest pover will sample a key to the function family and send it over to the verifier. The verifier in turn will sample an image to the corresponding function. In the last round, the pover will try to convince the verifier that either phi is in L or that it knows a pre-image to the function. This is actually a little more subtle than that, as in the second case, we also acquire the pover to show that the key is a valid WEF key. So our statement will actually be that either phi is in the language or that the key is a valid key for the WEF and the pover knows a witness for the image. Intuitively, someness will come from the hardness of the WEF. There's no efficient inverter that can invert the function. So the pover will have to prove that phi is in the language. Zero-knowledge will come from the extraction property, as the simulator will use the extractor on the verifier's code to find a valid pre-image. Formerly stating our ingredients, we have a general WEF, consisted of a function family, a hard relation, a set of valid keys and a key sampler. And three messages, offline-online, witness indistinguishable argument of knowledge. By offline-online, we mean that there is a setup stage in the first two messages, which is independent of the statement being proved in the last message. Note that those can be constructed from non-interactive commitments. Let's move on to the WEF construction from zero-knowledge. And again, let me begin by providing some intuition. Given a three-message zero-knowledge protocol for some language L, we will now construct our general WEF. Each valid key is consisted of a no statement for the language L and the first message in the zero-knowledge protocol. A hard instance, or the image if you'd like, will be the verifier's response in the protocol. A corresponding witness will be the last proven message that makes the verifier accept. Intuitively, hardness should follow from the soundness of the protocol. Finding a witness requires finding an accepting proof, and this would be hard for false statements. Extraction will come from the zero-knowledge property. If we choose fee from a language where false instances are indistinguishable from true instances, then the simulator must output accepting proof for both. So the extractor will be able to use the simulator on the adversaries code to generate an accepting transcript. One thing we didn't mention is that we require that the key's validity can be tested in NP. In our case, being valid means that fee is a no instance. So we want to choose fee from a language in NP, co-NP. We will now see the instruction in a little more detail. So our ingredients were a hard and average problem which consists of two samples, one for yes instances and one for no instances, supported on NP relations with these joint languages. This is equivalent to non-interactive commitment schemes, but it is conceptually clear for our purposes. Second, we have a publicly verifiable three-message zero-knowledge for the yes instances of the language. So, as we have mentioned, the valid keys are no instances along with the first zero-knowledge message where a witness to the no instance proved the key's validity. The functions are in fact the responses from the verifier, given the key and some randomness. The hard relation is now a set of keys and images and their witnesses, where a witness to an image is a third message in the zero-knowledge protocol that results in an accepting transcript when parsing the image and key appropriately. Finally, we have the key sampler which samples no statements and uses the simulator over the honest verifier to generate a simulated first message. Note that in fact, it could have used any arbitrary code that the first message alone can be simulated without the code of the verifier. The extractor also samples a no-instance and uses the adversaries code to generate an accepting transcript which it will use to find a witness. To summarize the construction, we will put it in the same presentation as we have seen in the definition. So we have our extractor that simulates keys that are then passed to the adversary that outputs an image of the function. And the extractor itself generates a witness using the adversaries code. To conclude, I would like to bring some of the still open questions. So can general wefts give two-message extractable commitments? And can we get any form of collision-resistance weakly extractable functions? And if so, will these suffice for snarks? And finally, is there any implication in the reverse direction from general wefts to incompassability? That's the end of our talk. Thank you very much for joining and enjoy the rest of the conference.