
As I understand it, one of the properties required to prove UC-security is simulation extractability. One example is the paper by Kosba et al. adapting NIZKs to the UC model, but in their construction the witness is encrypted and the ciphertext appended to the proof, and whoever holds the private key can extract the (confidential) witness. (There's also a separate trapdoor that can forge proofs, but for the forged proofs the extractor is not required to work.)

Is this property required for simulation extractability? Would any UC-secure NIZK system also have a backdoor in it? Or am I misinterpreting what simulation extractability means?

Link to the Kosba et al preprint: http://eprint.iacr.org/2015/1093

dade
Ian MathWiz

1 Answer


Extractability inherently requires that the party who holds the extraction trapdoor can extract the witness. Therefore, it is important that the common reference string (CRS) is set up by a trusted party in the real protocol. However, this requirement for setting up the CRS in a trusted way is not specific to extractability but is also required by other notions such as soundness or zero-knowledge (see, e.g., [1], where the fact that the CRS is not set up by a trusted party is used to attack a protocol). Ultimately, you may observe that this trusted setup requirement is not specific to zero-knowledge protocols either, but applies to every protocol which relies on a CRS.

Regarding the UC-secure NIZK part of the question: roughly speaking, realising a UC-compatible zero-knowledge protocol requires achieving simulation extractability. Therefore, one also has to take care that the CRS is set up by a trusted party in real instances of the protocol.

References

[1] http://stevengoldfeder.com/papers/ZKCSP.pdf

dade
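The following is an added example, not code from this thread or from the Kosba et al. paper, that makes the answer's point concrete: in a toy "encrypt the witness under a CRS key and append the ciphertext" construction, whoever holds the CRS secret key (the extraction trapdoor) can recover the witness from any accepting proof. The statement, group parameters, encryption scheme and function names are all assumptions chosen for illustration: the statement is knowledge of a discrete log (h = g^w), the CRS is an ElGamal public key, the proof is a Fiat-Shamir sigma proof that the ciphertext encrypts the same exponent as the statement, and the group is tiny so that the extractor can recover w from g^w by exhaustive search (a real construction encrypts the witness bits directly). It does not model the separate simulation trapdoor the question mentions.

```python
"""Toy illustration of the extraction trapdoor in a CRS-based NIZK.

Constructed example (not from the thread or from Kosba et al.): the prover
shows h = g^w, appends an exponent-ElGamal encryption of g^w under the CRS
public key, and proves via a Fiat-Shamir sigma protocol that the ciphertext
and the statement share the same exponent w.  The holder of the CRS secret
key decrypts w.  Tiny parameters: not secure, for demonstration only."""
import hashlib
import secrets

P = 2039  # safe prime, P = 2*Q + 1 (toy size)
Q = 1019  # prime order of the subgroup we work in
G = 4     # generator of the order-Q subgroup (quadratic residue != 1)


def H(*parts):
    """Fiat-Shamir challenge: hash the transcript into Z_Q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def crs_setup():
    """The trusted party samples the CRS (g, pk).  The returned sk is the
    extraction trapdoor; in a real deployment only the trusted setup (or the
    security proof's extractor) may hold it."""
    sk = secrets.randbelow(Q - 1) + 1
    pk = pow(G, sk, P)
    return {"g": G, "pk": pk}, sk


def prove(crs, h, w):
    """Prover knows w with h = g^w.  Returns the ciphertext plus sigma proof."""
    g, pk = crs["g"], crs["pk"]
    assert pow(g, w, P) == h
    # Exponent ElGamal encryption of w under the CRS key: (g^r, pk^r * g^w)
    r = secrets.randbelow(Q - 1) + 1
    c1 = pow(g, r, P)
    c2 = pow(pk, r, P) * pow(g, w, P) % P
    # Sigma protocol for: exists (w, r) with h = g^w, c1 = g^r, c2 = pk^r * g^w
    a = secrets.randbelow(Q)
    b = secrets.randbelow(Q)
    t1 = pow(g, a, P)
    t2 = pow(g, b, P)
    t3 = pow(pk, b, P) * pow(g, a, P) % P
    e = H(g, pk, h, c1, c2, t1, t2, t3)   # challenge binds ciphertext to statement
    z1 = (a + e * w) % Q
    z2 = (b + e * r) % Q
    return {"c1": c1, "c2": c2, "t1": t1, "t2": t2, "t3": t3, "z1": z1, "z2": z2}


def verify(crs, h, pi):
    """Verifier needs only the public CRS; it never learns w."""
    g, pk = crs["g"], crs["pk"]
    c1, c2, t1, t2, t3, z1, z2 = (pi[k] for k in ("c1", "c2", "t1", "t2", "t3", "z1", "z2"))
    e = H(g, pk, h, c1, c2, t1, t2, t3)
    ok1 = pow(g, z1, P) == t1 * pow(h, e, P) % P                         # h = g^w
    ok2 = pow(g, z2, P) == t2 * pow(c1, e, P) % P                        # c1 = g^r
    ok3 = pow(pk, z2, P) * pow(g, z1, P) % P == t3 * pow(c2, e, P) % P   # c2 = pk^r g^w
    return ok1 and ok2 and ok3


def extract(crs, sk, h, pi):
    """Extractor: with the trapdoor sk, decrypts the witness from any accepting
    proof.  Returns None for proofs that do not verify."""
    if not verify(crs, h, pi):
        return None
    g = crs["g"]
    # ElGamal decryption: c2 * c1^(-sk) = g^w   (c1 has order Q, so c1^-sk = c1^(Q-sk))
    gw = pi["c2"] * pow(pi["c1"], Q - sk, P) % P
    # Toy shortcut: recover w from g^w by exhaustive search over the tiny group.
    for cand in range(Q):
        if pow(g, cand, P) == gw:
            return cand
    return None


def demo(w):
    """Honest run: proof verifies, and the trapdoor holder recovers w."""
    crs, sk = crs_setup()
    h = pow(G, w, P)
    pi = prove(crs, h, w)
    return verify(crs, h, pi), extract(crs, sk, h, pi)


if __name__ == "__main__":
    print(demo(777))  # (True, 777)
```

The point the answer makes falls out of `crs_setup`: whoever runs it holds `sk`, and `extract` shows that this party learns every prover's witness. If the CRS is generated by an untrusted party (or the trapdoor is not destroyed), the confidentiality of the witness rests entirely on that party's honesty, which is why a UC-secure NIZK of this shape needs a trusted setup rather than being "backdoored" in the pejorative sense.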