From Point Obfuscation To 3-Round Zero-Knowledge
Nir Bitansky and Omer Paneth
Interactive Proofs
An interactive proof: 𝒫 and 𝒱, 𝑥 ∈ ℒ?
Negligible soundness error: 𝒫∗ and 𝒱, 𝑥 ∉ ℒ
Prover’s security
• Zero-Knowledge [Goldwasser-Micali-Rackoff-85]
• Weak Zero-Knowledge [Dwork-Naor-Reingold-Stockmeyer-99]
• Witness Hiding [Feige-Shamir-90]
• Witness Indistinguishability [Feige-Shamir-90]
Prover’s security
• Zero-Knowledge (ZK) [diagram: 𝒫, 𝒱∗ ≈ 𝒮, 𝒱∗]
• Weak Zero-Knowledge [diagram: 𝒫, 𝒱∗, 𝐷 ≈ 𝒮, 𝒱∗, 𝐷]
• Witness Hiding (WH) [diagram: 𝒫, 𝒱∗, 𝑤]
• Witness Indistinguishability (WI) [diagram: 𝒫(𝑤1), 𝒱∗ ≈ 𝒫(𝑤2), 𝒱∗]
Relation Between Notions
Zero-Knowledge
Weak ZK
WI, WH
Only if every instance has two independent witnesses [FS90]
The Round-Complexity of ZK
#rounds: 2, 3, 4, 5
2: Impossible [Goldreich-Oren-94]
3: ?
4: Arguments [Feige-Shamir-90], [Bellare-Jakobsson-Yung-97]
5: Proofs [Goldreich-Kahan-96]
Black-Box vs. Non-Black-Box Simulation
[diagrams: 𝒮 and 𝒱∗ under black-box simulation; 𝒮 and 𝒱∗ under non-black-box simulation]
Getting 3-Round ZK – The Challenge
[GK96]:
Theorem: 3-round ZK protocols with black-box simulator exist only for trivial languages
Relaxations of ZK
Legend: Black-box reduction \ simulation is impossible; Black-box reduction \ simulation exist
Notion (3-round):
ZK: [GK96]
Weak ZK: [GK96]
WI: [FS90]
WH: [HRS09] (One witness case), [FS90] (Two witnesses case)
Non-Black-Box Techniques
Barak’s Non-black-box ZK protocol [B01]:
- Overcomes black-box impossibilities
- But: too many rounds
An Alternative: Assumptions
Example: Assume parallel repetition of some basic ZK protocol is also ZK. [GMW91,B86]
Non-Black-Box Transformation
For every: 𝒱∗ There exists: S
Under what assumptions do 3-round ZK protocols exist?
3-Round ZK from Other Assumptions
Work | Assumption | Result
[Hada-Tanaka-98], [Bellare-Palacio-04] | Knowledge of Exponent [D91] | 3-round ZK argument
[Lepinski-Micali-01] | A specific number theoretic protocol is a POK | 3-round ZK Proof
[Canetti-Dakdouk-08], [Goldwasser-Lin-Rubinstein-12] | Extractable 1-to-1 OWF | 3-round ZK argument
3-Round ZK from Non-Standard Assumptions
All of the assumptions used imply the existence of Extractable OWFs
[diagram: [D91] [HT98] [LM01] [BP04] [CD08] [GLR12], Extractable OWF]
Are extractable OWFs necessary?
- We do not know.
Can we get 3-round ZK from different assumptions?
Our Results:
From: Auxiliary Input Point Obfuscation
To: Relaxations of ZK
Indistinguishability definition (weaker) → 3-Round Witness hiding
Simulation definition (stronger) → 3-Round Weak ZK
Definitions
• Point Obfuscation
• Witness Hiding
Point Program:
Point Obfuscation
An obfuscation computes the function but hides all other information about.
For every there exists :
Virtual Black-Box [BGI+01]
[diagram: 𝐴 with 𝒪(𝑦) and 𝑧 gives 𝑏; 𝑆 with 𝐼𝑦 and 𝑧 gives 𝑏′; 𝑏 ≈ 𝑏′]
Unpredictable Distribution: is unpredictable if for every poly-size circuit family :
Indistinguishability Definition
Auxiliary Input Point Obfuscation [C97]:
For every unpredictable :
Constructions: [Canetti97], extensions of [Wee05]
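A toy version of the discrete-log style point obfuscator 𝒪(𝑦) = (𝑟, 𝑟^𝑦) associated with the [Canetti97] line of constructions, together with the public well-formedness check that the later "must be recognizable" requirement calls for. This is an added example, not code from the slides or the authors; the 32-bit group, the SHA-256 encoding of points and all function names are assumptions, and the group is far too small for real use.

```python
import hashlib
import secrets

def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy-sized modulus used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def toy_safe_prime(start: int = 1 << 31) -> tuple:
    """Return (p, q) with q >= start, q prime and p = 2q + 1 prime."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Assumption: a ~32-bit group so the example runs instantly. It offers no security.
P, Q = toy_safe_prime()

def to_exponent(point: bytes) -> int:
    """Assumed encoding: hash the point to a non-zero exponent modulo Q."""
    return int.from_bytes(hashlib.sha256(point).digest(), "big") % (Q - 1) + 1

def obfuscate(point: bytes) -> tuple:
    """Output (r, r^y) for a fresh random r of order Q; y itself is not stored."""
    r = pow(secrets.randbelow(P - 3) + 2, 2, P)  # square of 2..P-2: order Q, never 1
    return r, pow(r, to_exponent(point), P)

def evaluate(obf: tuple, guess: bytes) -> bool:
    """The point program: accept a guess iff it encodes to the hidden exponent."""
    r, t = obf
    return pow(r, to_exponent(guess), P) == t

def recognizable(obf: tuple) -> bool:
    """Public well-formedness check: both parts are non-identity elements of the
    order-Q subgroup, so the pair fixes exactly one accepted exponent."""
    return all(1 < v < P and pow(v, Q, P) == 1 for v in obf)
```
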
Witness Hiding
[diagram: 𝒫, 𝒱∗; 𝑤, 𝑥 ← 𝒟; 𝑤]
For every hard distribution* on an NP relation :
* is hard if poly-size circuits cannot f.
Our Witness Hiding Protocol
𝒫 holds 𝑥, 𝑤; 𝒱 holds 𝑥.
2-party computation of 𝑉ℒ(𝑥, 𝑤)
• – The NP verification circuit of .
𝒫 → 𝒱: OT1(𝑤)
𝒱 → 𝒫: Garbled Circuit for 𝑉ℒ(𝑥, ⋅), OT2
𝒫 → 𝒱: 𝑉ℒ(𝑥, 𝑤)
3-Round Witness Hiding (1)
• , - 2-message malicious oblivious transfer
𝒫 holds 𝑥, 𝑤; 𝒱 holds 𝑥.
𝒫 → 𝒱: Enc(𝑤)
𝒱 → 𝒫: Enc(𝑉ℒ(𝑥, 𝑤))
𝒫 → 𝒱: 𝑉ℒ(𝑥, 𝑤)
• – A 1-hop homomorphic encryption [GHV10]
3-Round Witness Hiding (2)
𝒫 holds 𝑥, 𝑤; 𝒱 holds 𝑥 and samples 𝑠 ← 𝒰.
𝒫 → 𝒱: Enc(𝑤)
𝒱 → 𝒫: Enc(𝑉ℒ,𝑠(𝑥, 𝑤))
𝒫 → 𝒱: 𝑠
• – The NP verification circuit of outputs only if is in the relation.
Attack on Witness Hiding
𝒫 holds 𝑥, 𝑤; 𝒱∗ holds 𝑥.
𝒫 → 𝒱∗: Enc(𝑤)
𝒱∗ → 𝒫: Enc(𝐼(𝑤))
𝒫 → 𝒱∗: 𝑤
• cheats by evaluating the identity function instead of .
The Final Protocol
𝒫 holds 𝑥, 𝑤; 𝒱 holds 𝑥 and samples 𝑠 ← 𝒰.
𝒫 → 𝒱: Enc(𝑤)
𝒱 → 𝒫: Enc(𝑉ℒ,𝑠(𝑥, 𝑤)), 𝒪(𝑠)
𝒫 → 𝒱: 𝑠
• – A point obfuscator. For soundness, must be recognizable.
Fixing the Attack
𝒫 holds 𝑥, 𝑤; 𝒱∗ holds 𝑥. Diagram, in four successive steps:
1. Enc(𝑤); Enc(𝐼(𝑤)); 𝑤; 𝒪(𝑤)
   is hard
2. Enc(𝑤); Enc(𝐼(𝑤)); 𝑤; 𝒪(𝑤)
   is hard
   Given
3. Enc(𝑤); Enc(𝐼(𝑤)); 𝒪(𝒰)
   is hard
4. Enc(0^𝑛); 𝒪(𝒰)
   is hard
Properties of the Protocol
• Protocol is not zero-knowledge.
• Protocol is a proof-of-knowledge.
• Unconditional soundness (proof).
Attack on ZK:
[diagram: 𝒫, 𝒱∗; Enc(𝑤); Enc(𝑃(𝑤) → 𝑠0, 𝑠1); 𝒪(𝑠0, 𝑠1); 𝑠0, 𝑠1]
What is the non-black-box component in our reduction?
Auxiliary Input Point Obfuscation
For every unpredictable :
For every distinguisher there exists a predictor
[diagram: 𝑦, 𝑧 ← 𝒟; Distinguisher: 𝑧, 𝒪(𝑦)/𝒪(𝒰), 0/1; Predictor: 𝑧, 𝑦]
Non-Black-Box Transformation: Distinguisher, Predictor
The Non-Black-Box Component
[diagram 1: 𝒫, 𝒱∗; 𝑤, 𝑥 ← 𝒟; 𝑤]
[diagram 2: 𝒱∗; 𝑥 ← 𝒟; 𝒪(𝑤)/𝒪(𝒰); 0/1; 𝑤]
[diagram 3: 𝒱∗; 𝑥 ← 𝒟; 𝒪(𝑤)/𝒪(𝒰); 0/1; Predictor]
Conclusion
Some assumptions give us a non-black-box transformation:
• Some 3-round protocol is indeed ZK
• Extractable OWF \ Knowledge of Exponent
• Auxiliary Input Point Obfuscation
Non-Black-Box Transformations: Distinguisher, Predictor; 𝒱∗, S
• Given such assumptions we can get 3-round ZK.
• How to compare these assumptions?
• What type of non-black-box transformation is required for 3-round ZK?