From Point Obfuscation To 3-Round Zero-

Knowledge

Nir Bitansky and Omer Paneth

Interactive Proofs

An interactive proof :𝒫 𝒱𝑥∈ℒ?

Interactive Proofs

Negligible soundness error𝒱𝑥∉ℒ𝒫∗

Prover’s security

• Zero-Knowledge[Goldwasser-Micali-Rackoff-85]

• Weak Zero-Knowlage[Dwork-Naor-Reingold-Stockmeyer-99]

• Witness Hiding[Feige-Shamir-90]

• Witness Indistinguishability[Feige-Shamir-90]

Prover’s security • Zero-Knowledge (ZK)

• Weak Zero-Knowlage

• Witness Hiding (WI)

• Witness Indistinguishability (WH)𝒫𝒱∗𝒮≈ 𝒱∗

Prover’s security • Zero-Knowledge (ZK)

• Weak Zero-Knowlage

• Witness Hiding (WI)

• Witness Indistinguishability (WH)𝒫𝒱∗𝒮≈ 𝒱∗𝐷

𝐷

Prover’s security • Zero-Knowledge (ZK)

• Weak Zero-Knowlage

• Witness Hiding (WI)

• Witness Indistinguishability (WH)

𝑤𝒫 𝒱∗

Prover’s security • Zero-Knowledge (ZK)

• Weak Zero-Knowlage

• Witness Hiding (WI)

• Witness Indistinguishability (WH)𝒫𝒱∗≈ 𝒱∗𝒫 𝑤1𝑤2

Relation Between Notions

Zero-Knowledge

Weak ZK

WI WHOnly if every instance hes two independent witnesses [FS90]

The Round-Complexity of ZK

2 3 4 5

Proofs[Goldreich-Kahan-96]

Impossible[Goldreich-Oren-94] ?

#rounds

Arguments[Feige-Shamir-90]

[Bellare-Jakobsson-Yung-97]

Black-Box vs. Non-Black-Box Simulation 𝒱∗𝒮 𝒱∗𝒮Black-box simulationNon-black-box simulation

Theorem:

3-round ZK protocols with black-box simulator

exist only for trivial languages

Getting 3-Round ZK – The Challenge [GK96]:

Relaxations of ZKBlack-box reduction \ simulation is impossible

Black-box reduction \ simulation exist

Notion(3-round)

[GK96] ZK

[GK96] Weak ZK

[FS90] WI

[HRS09](One witness case)

[FS90](Two witnesses

case)

WH

Barak’s Non-black-box ZK protocol

[B01]:- Overcomes black-box impossibilities- But: too many rounds

Non-Black-Box Techniques

Example: Assume parallel repetition of some

basic ZK protocol is also ZK. [GMW91,B86]

.

An Alternative: Assumptions

Non-Black-Box Transformation 𝒱∗ S

For every: There exists:

Under what assumptions

do 3-round ZK protocols exist?

3-Round ZK from Other Assumptions

Work Assumption Result[Hada-Tanaka-98][Bellare-Palacio-04]

Knowledge of Exponent [D91]

3-round ZK argument

[Lepinski-Micali-01]

A specific number theoretic protocol is a POK

3-round ZK Proof

[Canetti-Dakdouk-08][Goldwasser-Lin-Rubinstein-12]

Extractable 1-to-1 OWF

3-round ZK argument

3-Round ZK from Non-Standard AssumptionsAll of the assumptions used imply the

existence of Extractable OWFs

Extractabl

e OWF

[D91] [HT98] [LM01] [BP04] [CD08] [GLR12]

Are extractable OWFs necessary?- We do not know.

Can we get 3-round ZK

from different assumptions?

Our Results:

Auxiliary Input Point Obfuscation

Relaxations of ZK

From:

To:

Our Results:

Auxiliary Input Point Obfuscation

Indistinguishability definition (weaker)

3-RoundWitness hiding

Our Results:

Auxiliary Input Point Obfuscation

Indistinguishability definition (weaker)

3-RoundWitness hiding

Simulationdefinition (stronger)

3-RoundWeak ZK

• Point Obfuscation• Witness Hiding

Definitions

Point Program:

Point Obfuscation

An obfuscation computes the function but hides all other information about.

For every there exists :

Virtual Black-Box [BGI+01]

𝑆𝐴𝐼 𝑦𝒪 ( 𝑦 )

𝑧 𝑧

𝑏 ′𝑏 ≈

Unpredictable Distribution: is unpredictable if for every poly-size circuit family :

Indistinguishability Definition

Auxiliary Input Point Obfuscation [C97]:

For every unpredictable :

Indistinguishability Definition

Constructions: [Canetti97], extensions of [Wee05]

Witness Hiding𝒫 𝒱∗

𝑤 , 𝑥

𝑤

Witness Hiding𝒫 𝒱∗

𝑤 , 𝑥←𝒟𝑤

For every hard distribution* on an NP relation :

* is hard if poly-size circuits cannot f.

Witness Hiding

Our Witness Hiding Protocol

Our Witness Hiding Protocol𝒫 𝒱2-party computation

𝑉 ℒ (𝑥 ,𝑤 )

𝑥 ,𝑤 𝑥

• – The NP verification circuit of .

𝒫 𝒱OT1(𝑤)

𝑥 ,𝑤 𝑥

Garbled  Circuit   for  𝑉 ℒ(𝑥 , ⋅)OT2

𝑉 ℒ (𝑥 ,𝑤)

3-Round Witness Hiding (1)• , - 2-message malicious oblivious transfer

3-Round Witness Hiding (1)𝒫 𝒱Enc (𝑤)

𝑥 ,𝑤 𝑥

Enc (𝑉 ℒ (𝑥 ,𝑤))𝑉 ℒ (𝑥 ,𝑤)

• – A 1-hop homomorphic encryption [GHV10]

3-Round Witness Hiding (2)𝒫 𝒱Enc (𝑤)

𝑥 ,𝑤 𝑥

Enc (𝑉 ℒ , 𝑠(𝑥 ,𝑤))

𝑠

• – The NP verification circuit of outputs only if is in the relation.

𝑠←𝒰𝑠

𝒱∗

Attack on Witness Hiding𝒫 Enc (𝑤)

𝑥 ,𝑤 𝑥

Enc (𝐼 (𝑤))

𝑤 𝑤

• cheats by evaluating the identity function instead of .

The Final Protocol𝒫 𝒱Enc (𝑤)

𝑥 ,𝑤 𝑥

Enc (𝑉 ℒ , 𝑠(𝑥 ,𝑤))

𝑠

• – A point obfuscator.For soundness, must be recognizable.

𝑠←𝒰𝒪(𝑠 )

𝒱∗

Fixing the Attack𝒫 Enc (𝑤)

𝑥 ,𝑤 𝑥

Enc (𝐼 (𝑤))

𝑤 𝒪(𝑤)

is hard

𝒱∗

Fixing the Attack𝒫 Enc (𝑤)

𝑥 ,𝑤 𝑥

Enc (𝐼 (𝑤))

𝑤 𝒪(𝑤)

is hard

Given

𝒱∗

Fixing the Attack𝒫 Enc (𝑤)

𝑥 ,𝑤 𝑥

Enc (𝐼 (𝑤))𝒪(𝒰)

is hard

𝒱∗

Fixing the Attack𝒫 Enc (0𝑛)

𝑥 ,𝑤 𝑥

𝒪(𝒰)

is hard

Properties of the Protocol

• Protocol is not zero-knowledge.

• Protocol is a proof-of-knowledge.

• Unconditional soundness (proof). 𝒱∗𝒫 Enc (𝑤)

Enc (𝑃 (𝑤 )→ 𝑠0 {s¿¿1)𝒪(𝑠0 {s¿¿1)

𝑠0 ,𝑠1

Attack on ZK:

What is the non-black-boxcomponent in our

reduction?

For every unpredictable :

Auxiliary Input Point Obfuscation

𝒪 ( 𝑦 )/𝒪 (𝒰 )

0 /1

𝑧

𝑦

For every distinguisher there exists a predictor

Non-Black-Box Transformation

Distinguisher

Predictor

𝑧𝑦 , 𝑧←𝒟

Auxiliary Input Point Obfuscation

The Non-Black-Box Component𝒫 𝒱∗

𝑤 , 𝑥←𝒟𝑤

The Non-Black-Box Component 𝒱∗

𝑥←𝒟𝒪 (𝑤 )¿ (𝒰 )

0 /1

𝑤

The Non-Black-Box Component

𝑥←𝒟𝒪 (𝑤 )¿ (𝒰 )

0 /1𝒱∗Predictor

Some assumptions give us a non-black-box transformation:• Some 3-round protocol is indeed ZK• Extructable OWF \ Knowledge of

Exponent• Auxiliary Input Point Obfuscation

Conclusion

Distinguisher Predictor

Non-Black-Box Transformations

𝒱∗ S

• Given such assumptions we can get

3-round ZK.• How to compare these

assumptions?• What type of non-black-box

transformation is required for 3-round ZK?

Conclusion

?