Statistical Zero-Knowledge Arguments from One

Download Report

Transcript Statistical Zero-Knowledge Arguments from One 

Statistical Zero-Knowledge Arguments
& Statistically Hiding Commitments
from Any One-Way Function
Minh Nguyen
Shien Jin Ong
Salil Vadhan
Harvard University
Iftach Haitner
Omer Reingold
Weizmann Institute
Assumptions for Cryptography
 One-way functions )
– Pseudorandom generators [Hastad-Impagliazzo-Levin-Luby90].
– Pseudorandom functions & private-key cryptography
[Goldreich-Goldwasser-Micali84]
– Commitment schemes [Naor89].
– Zero-knowledge proofs for NP [Goldreich-Micali-Wigderson86].
– Digital signatures [Rompel90].
 Almost all cryptographic tasks ) one-way functions.
[Impagliazzo-Luby89, Ostrovsky-Wigderson93]
 Some tasks not “black-box reducible” to one-way fns.
– Public-key encryption [Impagliazzo-Rudich89]
– Collision-resistant hashing [Simon98]
Main Results
One-Way Functions )
Statistical ZK Arguments for NP &
Statistically Hiding Commitments
– Resolves an open problem posed by
[Naor-Ostrovsky-Venkatesan-Yung92].
– OWF implied by commitments &
ZK for hard-on-avg problems
[Impagliazzo-Luby89,Ostrovsky-Wigderson93].
– Key to unconditional results about ZK
Arguments [Ong-Vadhan07].
outline
 Introduction
 Commitments & ZK
 Constructions from OWF with structure
 Construction from any OWF
 ZK ´ “Instance-Dependent” Commitments
 Open Problems
outline
 Introduction
 Commitments & ZK
 Constructions from OWF with structure
 Construction from any OWF
 ZK ´ “Instance-Dependent” Commitments
 Open Problems
Commitment Schemes
S
m2{0,1}t
R
COMMIT STAGE
REVEAL STAGE
(m,K)
accept/
reject
Security of Commitments
 Hiding
COMMIT(m)
& COMMIT(m’)
indistinguishable
even to cheatingSR*
– Statistical
– Computational
 Binding
m2{0,1}t
Even cheating S*
cannot reveal
(m,K), (m’,K’)
with mm’
– Statistical
– Computational
R
COMMIT STAGE
REVEAL STAGE
(m,K)
accept/
reject
Statistical Security?
 Hiding
– Statistical
– Computational
S
m2{0,1}t
 Binding
– Statistical
– Computational
Impossible!
R
COMMIT STAGE
REVEAL STAGE
(m,K)
accept/
reject
Statistical Binding
 Hiding
– Statistical
– Computational
 Binding
– Statistical
– Computational
S
m2{0,1}t
R
COMMIT STAGE
REVEAL STAGE
(m,K)
Thm [HILL90,Naor91]: One-way functions
) Statistically Binding Commitments
accept/
reject
Statistical Hiding
 Hiding
– Statistical
– Computational
 Binding
– Statistical
– Computational
S
m2{0,1}t
R
COMMIT STAGE
REVEAL STAGE
(m,K)
This work: One-way functions
) Statistically Hiding Commitments
accept/
reject
Benefit of Statistical Hiding
In most protocols that use commitments:
 Binding only required during protocol execution
– Depends on adversary’s current capabilities
– Safe to be computational
 Hiding may matter long after execution
– Adversary may gain computational resources
– Hardness assumption may be broken
– Statistical hiding ) “everlasting secrecy”
Example: Zero Knowledge for NP
[Goldreich-Micali-Wigderson86]
Hiding ) Zero Knowledge
– Verifier learns nothing
other than x2L
Binding ) Soundness
– Prover cannot convince
verifier if xL
Corollary: One-Way Functions
) Statistical Zero Knowledge
Arguments for NP
[Brassard-Chaum-Crepeau88]
P
V
1
6
2
5
3
4
(1,4)
Complexity of Statistically Hiding
Commitments
number-theoretic
assumptions
[BCC]
stat. hiding
commitments
[GMR,BKK]
claw-free perm
[NY]
collision-resistant
hash functions
Complexity of Statistically Hiding
Commitments
number-theoretic
assumptions
[BCC]
stat. hiding
commitments
[GMR,BKK]
claw-free perm
[NY]
one-way perm
regular OWF
collision-resistant
hash functions
Complexity of Statistically Hiding
Commitments
number-theoretic
assumptions
[BCC]
stat. hiding
commitments
[GMR,BKK]
claw-free perm
[NY]
one-way perm
regular OWF
one-way function
collision-resistant
hash functions
Overview of the construction
stat hiding
One-way
“1-out-of-2
function [NOV06]
binding”
[HR07]
stat hiding
comp binding
outline
 Introduction
 Commitments & ZK
 Constructions from OWF with structure
 Construction from any OWF
 ZK ´ “Instance-Dependent” Commitments
 Open Problems
Structured One-Way Functions
 f : {0,1}n! {0,1}n is one-way function if:
– Computable in poly-time.
– If xÃ{0,1}n, no poly-time algorithm can find a
preimage of f(x) w/nonneg. prob.
 Regular OWF: f-1(y) same size for all
y2f({0,1}n).
 One-Way Permutation: f a permutation.
One-way permutations )
Stat. hiding commitments
S
1. x Ã
R
{0,1}n
2. y = f(x)
3. Run
Interactive
Hashing
4. Output: y0, y1
Reveal stage:
b, y, x
[Naor-OstrovskyVenkatesan-Yung92]
Desired Properties of IH
1. Correctness: 9b y=yb
2. Hiding: R* cannot tell
whether y = y0 or y = y1.
3. Binding: S* can only
“control” the output of
one yb. The other y1-b is
random.
Interactive Hashing
y2
{0,1}n
S
[OstrovskyVenkatesan-Yung]
3. Run
Interactive
Hashing
h1
{0,1}n
R
c1 = h1(y)
…
hn-1
h2
y’
y
cn-1 = hn-1(y)
Output = { y0, y1: 8 i hi(yb) = ci }
= { y, y’ }
h3
h1
Interactive Hashing
3. Run
Interactiveof IH
y 2 {0,1}nProperties
Hashing
1. Correctness:
h 9b y=yb
S
1
[OstrovskyVenkatesan-Yung]
{0,1}n
R
If y uniform
in {0,1}n
…
2. Hiding: R* cannot tell
c1 y==hy
1(y)
whether
0 or y = y1.
3. Binding: S* can only
“control” the output of
h
one yb. Then-1other y1-b is
random.
cn-1 = hn-1(y)
Output = { y0, y1: 8 i hi(yb) = ci }
= { y, y’ }
h2
y’
y
h3
h1
One-way permutations )
Stat. hiding commitments
S
1. x Ã
R
{0,1}n
2. y = f(x)
3. Run
Interactive
Hashing
4. Output: y0, y1
Reveal stage:
b, y, x
[Naor-OstrovskyVenkatesan-Yung]
Properties of IH
1. Correctness: 9b y=yb
2. Hiding: R* cannot tell
whether y = y0 or y = y1.
3. Binding: S* can only
“control” the output of
one yb. The other y1-b is
random.
Regular one-way functions
) Stat. hiding commitments
Extk(Y) ¼ Uk if
Y has min-entropy ¸ k
|{x’: f(x’) = y}| 2 [2t, 2t+1]
{0,1}n
x
[Haitner et al.]
{0,1}n
f
y
{0,1}n-t
Extn-t
min-entropy ¼ n - t
Y has min-entropy k if
Pr[Y = y] · 2-k 8 y 2 Supp(Y)
z
Regular one-way functions
) Stat. hiding commitments
|{x’: f(x’) = y}| 2 [2t, 2t+1]
S
1. x à {0,1}n
2. y = f(x)
x
{0,1}n
3. z = Extn-t(y)
{0,1}l
f
4. Runy
Interactive
Hashing
[Haitner et al.]
R
{0,1}n-t
Extn-t
min-entropy
5. Output:
z0, z1 ¼ n - t
Reveal stage:
z, y, x
z
Regular one-way functions
) Stat. hiding commitments
[Haitner et al.]
|{x’: f(x’) = y}| 2 [2t, 2t+1]
{0,1}n
x
{0,1}l
f
y
{0,1}n-t
Extn-t
z
min-entropy ¼ n - t
Hiding: When x à {0,1}n, z = Ext(f(x)) is close to uniform.
Regular one-way functions
) Stat. hiding commitments
[Haitner et al.]
|{x’: f(x’) = y}| 2 [2t, 2t+1]
{0,1}n
x
{0,1}l
f
y
{0,1}n-t
z’
Extn-t
z
¢2n-t
Binding: Inverting Extn-t±f for ¢2n-t strings in Z space
) Inverting f for ¢2n-t¢2t = ¢2n strings in X space.
Regular one-way functions
(unknown preimage size)
S
1. x à {0,1}n
R
t
2. y = f(x)
3. z = Extn-t(y)
R does not know t
4. Run
Interactive
Hashing
5. Output: z0, z1
Reveal stage:
z, y, x
Can the receiver trust sender’s t*?
|{x’: f(x’) = y}| 2 [2t, 2t+1]
{0,1}n
x
{0,1}l
f
y
{0,1}n-t*
Extn-t*
z
¢2n-t*
Binding: Inverting Extn-t±f for ¢2n-t* strings in Z space
) Inverting f for ¢2n-t*¢2t ¿ ¢2n strings in X space,
if t* À t.
1-out-of-2 binding commitments
[Nguyen-Vadhan06]
 Commitment in
2 phases.
 Statistically
hiding in both
phases.
S
PHASE 1 COMMIT
m
PHASE 1 REVEAL
(m,K)
m’
 Computational
binding in at
least one phase.
may be dynamically
determined by S*
PHASE 2 COMMIT
PHASE 2 REVEAL
(m’,K’)
R
Regular one-way functions
(unknown preimage size)
S
1. x à {0,1}n
1st phase
R
t
2. y = f(x)
3. z = Extn-t(y)
S
2nd phase
R
1. w = Extt(x)
4. Run
Interactive
Hashing
2. Run
Interactive
Hashing
5. Output: z0, z1
3. Output: w0, w1
Reveal stage:
z, y
Reveal stage:
x
Regular one-way functions
(unknown preimage size)
Binding analysis
t* · t
|{x’: f(x’) = y}| 2 [2t, 2t+1]
{0,1}n
x
{0,1}l
f
y
{0,1}n-t*
Extn-t*
z
¢2n-t*
Binding: Inverting Extn-t±f for ¢2n-t* strings in Z space
) Inverting f for ¢2n-t*¢2t ¸ ¢2n strings in X space.
) 1st phase binding!
Regular one-way functions
(unknown preimage size)
|{x’: f(x’) = y}| 2 [2t, 2t+1]
{0,1}n
{0,1}l
f
x
y
Extt*
Binding analysis
t* > t
1st phase:
Run NOVY IH
with (S(z), R)
Extn-t’
{0,1}t*
w
w’
2nd phase binding!
Run NOVY IH
with (S(w), R)
z
1-out-of-2 binding commitments
 Commitment in
2 phases.
 Statistically
hiding in both
phases.
 Computational
binding in at
least one phase.
S
PHASE 1 COMMIT
m
PHASE 1 REVEAL
(m,K)
m’
PHASE 2 COMMIT
PHASE 2 REVEAL
(m’,K’)
R
Regular one-way functions
(unknown preimage size)
S
1. x à {0,1}n
1st phase
R
t
2. y = f(x)
3. z = Extn-t(y)
S
2nd phase
R
1. w = Extt(x)
4. Run
Interactive
Hashing
2. Run
Interactive
Hashing
5. Output: z0, z1
3. Output: w0, w1
Reveal stage:
z, y
Reveal stage:
x
Regular one-way functions
(unknown preimage size)
|{x’: f(x’) = y}| 2 [2t, 2t+1]
{0,1}n
f
x
minentropy ¼ t
{0,1}l
Extt
y
Hiding analysis
1st phase:
Run NOVY IH
with (S(z), R)
Extn-t
z
min-entropy ¼ n - t
w
2nd phase:
Run NOVY IH
with (S(w), R)
If f is regular
then both
phases hiding
outline
 Introduction
 Commitments & ZK
 Constructions from OWF with structure
 Construction from any OWF
 ZK ´ “Instance-Dependent” Commitments
 Open Problems
Overview of the construction
One-way
function
stat hiding
1-out-of-2
binding
weakly hiding
1-out-of-2
binding
stat hiding
comp binding
Regular one-way functions
(unknown preimage size)
S
1. x à {0,1}n
1st phase
R
t
2. y = f(x)
3. z = Extn-t(y)
S
2nd phase
R
1. w = Extt(x)
4. Run
Interactive
Hashing
2. Run
Interactive
Hashing
5. Output: z0, z1
3. Output: w0, w1
Reveal stage:
z, y
Reveal stage:
x
Regular one-way functions
same protocol
0. tÃ{1,…,n}
1. x à {0,1}n
S
1st phase
R
t
2. y = f(x)
3. z = Extn-t(y)
S
2nd phase
R
1. w = Extt(x)
4. Run
Interactive
Hashing
2. Run
Interactive
Hashing
5. Output: z0, z1
3. Output: w0, w1
Reveal stage:
z, y
Reveal stage:
x
Regular one-way functions
(unknown preimage size)
Binding analysis
t*· t
|{x’: f(x’) = y}| 2 [2t, 2t+1]
{0,1}n
x
{0,1}l
f
y
{0,1}n-t*
z’
Extn-t’
z
¢2n-t*
Binding: Inverting Extn-t±f for ¢2n-t* strings in Z space
) Inverting f for ¢2n-t*¢2t ¸ ¢2n strings in X space.
) 1st phase binding!
Regular one-way functions
Binding analysis
t* · t
|f-1(y)| ¸ 2t*?
{0,1}n
x
{0,1}l
f
y
{0,1}n-t*
z’
Extn-t*
z
¢2n-t*
Binding: Inverting ¢2n-t* strings in Z space w/|f-1(y)| ¸ 2t*?
) Inverting ¢2n-t*¢2t ¸ ¢2n strings in X space.
) 1st phase binding wrt “heavy” y
Regular one-way functions
|f-1(y)| < 2t*
{0,1}n
{0,1}l
f
x
y
Binding analysis
1st phase:
Run NOVY IH
with (S(z), R)
Extn-t’
z
Extt*
{0,1}t*
w
w’
2nd phase binding!
Run NOVY IH
with (S(w), R)
1-out-of-2 binding commitments
 Commitment in
2 phases.
 Statistically
hiding in both
phases.
S
PHASE 1 COMMIT
m
PHASE 1 REVEAL
(m,K)
m’
 Computational
binding in at
least one phase.
may be dynamically
determined by S*
PHASE 2 COMMIT
PHASE 2 REVEAL
(m’,K’)
R
Regular one-way functions
(unknown preimage size)
S
1. x à {0,1}n
1st phase
R
t
2. y = f(x)
3. z = Extn-t(y)
S
2nd phase
R
1. w = Extt(x)
4. Run
Interactive
Hashing
2. Run
Interactive
Hashing
5. Output: z0, z1
3. Output: w0, w1
Reveal stage:
z, y
Reveal stage:
x
Regular one-way functions
(unknown preimage size)
|{x’: f(x’) = y}| 2 [2t, 2t+1]
{0,1}n
f
x
minentropy ¼ t
{0,1}l
Extt
y
Hiding analysis
1st phase:
Run NOVY IH
with (S(z), R)
Extn-t
z
min-entropy ¼ n - t
w
2nd phase:
Run NOVY IH
with (S(w), R)
If f is regular
then both
phases hiding
(1/n)-hiding 1-out-2 binding
commitments from one-way functions
|{x’: f(x’) = y}| 2 [2t, 2t+1]
{0,1}n
¸ 1/n
…
second phase hiding
min-ent. of x|y ¸ t
…
first phase hiding
min-ent. of y=f(x) ¸ n-t
Regular one-way functions
(unknown preimage size)
|{x’: f(x’) = y}| 2 [2t, 2t+1]
{0,1}n
{0,1}l
f
x
y
Extn-t
z
Z uniform if
min-entropy Y ¸ n - t
Extt
w
W uniform if
min-entropy X|y ¸ t
1st phase:
Run NOVY IH
with (S(z), R)
2nd phase:
Run NOVY IH
with (S(w), R)
Overview of the construction
UOWHF
[Rompel90]
One-way
function
stat hiding
1-out-of-2
binding

(1/n)-hiding
1-out-of-2
binding
stat hiding
comp binding
(1/n)-hiding ) (1)-hiding
 Amplify in O(log n) stages
– Each time -hiding  2-hiding
– Inspired by [Reingold05,Dinur06]
 Each Stage
– O(1) repetitions of protocol.
– Combine using interactive hashing [OVY,CCM,DHRS].
– Lose O(1) bits in message length.
• Nonstandard measures of hiding & binding quality.
• Start & end with O(log n)-bit messages.
(1)-hiding ) statistically hiding
 Amplify in 1 more stage
 Each Stage
– poly(n) repetitions of protocol.
– Combine using interactive hashing.
– Gain poly(n) bits in message length.
• Standard measures of hiding & binding quality.
• End with poly(n)-bit messages.
Overview of the construction
One-way
function
stat hiding
1-out-of-2
binding


(1/n)-hiding
1-out-of-2
binding
stat hiding
comp binding
Overview of the construction
UOWHF
[Rompel90]
One-way
function
stat hiding
1-out-of-2
binding


(1/n)-hiding
1-out-of-2
binding
© stat hiding
comp binding
1-out-of-2 binding commitments
 Commitment in
2 phases.
 Statistically
hiding in both
phases.
S
PHASE 1 COMMIT
m
PHASE 1 REVEAL
(m,K)
m’
 Computational
binding in at
least one phase.
may be dynamically
determined by S*
PHASE 2 COMMIT
PHASE 2 REVEAL
(m’,K’)
R
To Standard Commitments
S
 Idea: Receiver
m
randomly
COMMIT
chooses
whether to use
1st or 2nd phase.
PHASE 1 COMMIT
m’
PHASE 2 COMMIT
phase =1
PHASE 1 REVEAL
(m,K)
REVEAL
PHASE 2 REVEAL
(m’,K’)
R
To Standard Commitments
 Idea: Receiver
randomly
chooses
whether to use
1st or 2nd phase.
S
PHASE 1 COMMIT
m
phase =2
COMMIT
 Problem: Sender
m’
may decide
which phase to
break after
choice of phase. REVEAL
PHASE 1 REVEAL
(m,K)
PHASE 2 COMMIT
PHASE 2 REVEAL
(m’,K’)
R
To Standard Commitments
 Fix: Have sender
provide a “collisionresistant” hash of m
S
m
h
h(m)
phase
– Determines m
(computationally).
– Enough entropy left
in m to extract a
random secret.
– At most one value of
m allows breaking
Phase 2 binding.
) only need UOWHF
PHASE 1 COMMIT
(m,K)
m’
PHASE 2 COMMIT
PHASE 2 REVEAL
(m’,K’)
R
Overview of the construction
UOWHF
[Rompel90]
One-way
function
stat hiding
1-out-of-2
binding


(1/n)-hiding
1-out-of-2
binding
© stat hiding
 comp binding
outline
 Introduction
 Commitments & ZK
 Constructions from OWF with structure
 Construction from any OWF
 ZK ´ “Instance-Dependent” Commitments
 Open Problems
Instance-Dependent Commitments
Thm [OV07]: For every L2 NP,
L has ZK protocol iff L has i.d. commitments [IOS94].
x  (S,R) s.t.
x2 L ) (S,R) hiding
x L ) (S,R) binding
Moreover,
stat/comp ZK $ stat/comp hiding
proof/argument $ stat/comp binding
Previously partial results
[D89,D93,O91,OW93,MV03,V04,NV06,KMS07]
Instance-Dependent Commitments
Thm [OV]: For every L2 NP,
L has ZK protocol iff L has i.d. commitments.
stat/comp ZK $ stat/comp hiding
proof/argument $ stat/comp binding
Proof overview ()):
 9 characterizations of all 4 ZK classes in terms of SZKP
and “i.d. OWFs” [V04,OV07].
 i.d. OWFs ) i.d. commitments [HILL90,N91,NOV06,HR07].
 SZKP i.d. commitments by combining
– i.d. 1-out-of-2 binding commitments [NV06]
– i.d. UOWHFs [OV]
Open Problems
 Simplify the construction.
 Better (sub-polynomial) round complexity.
– Requires non-black-box construction, even for
one-way permutations [HHRS07].
 Complexity of other crypto primitives.
– Noninteractive zero knowledge for NP.
– Chosen-ciphertext secure encryption.
Pr[both phases hiding] =  = 1/n
c1
1st phase commitment
d1
2nd phase commitment
c1 & d1 are both
k-bit strings
Properties:
1. Either first or second phase hiding.
2. Both phases stat. hiding w.p. ¸ .
3. 1-out-2 comp. binding.
Pr[both phases hiding] =  = 1/n
hiding entropy
k( + 1) = k + k
 + 1 hiding in 1st phase
c1
c2
…
cm
ci & di are k-bit strings
k(m - )
d1
d2
…
dm
m -  hiding in 2nd phase
Pr[(+1) 1st hiding & (m-) 2nd hiding]
¼ m ¢ (m-½)
= (m½ )
> 2 , for m large enough constant.
1st phase
c1
…
c2
cm
– 1st phase: k + k
Ext – k+k
y
– 2nd phase: k(m-)
NOVY IH
c
2nd phase
d1
…
d2
Ext – k(m-)
y’
NOVY IH
c’
 Hiding entropy
dm
# ways to open
(binding)
·  not binding in 1st phase
2k
c1
…
c
c+1
c+ 2
…
cm
d1
…
d
d+ 1 d+ 2
…
dm
OR
2k(m -  - 1)
· (m -  - 1) not binding in 2nd phase
# ways to open
(binding)
·  not binding in 1st phase
2m 2k = 2k + m
c1
…
c
c+1
c+ 2
…
cm
d1
…
d
d+ 1 d+ 2
…
dm
OR
2k(m -  - 1)
· (m -  - 1) not binding in 2nd phase
1st phase
c1
…
c2
cm
– 1st phase: k + k
Ext – k+k
y
– 2nd phase: k(m-)
NOVY IH
d1
 Hiding entropy
c
 “Binding entropy” =
log(# ways to open)
2nd phase
– 1st phase: k + m
…
d2
Ext – k(m-)
y’
NOVY IH
c’
dm
OR
– 2nd phase: k(m - ) - k
 In at least one phase,
entropy gap ¼ k – m
= O(log n).
1st phase
c1
c2
…
cm
2k - m
Ext – k(+1)
y
 Hiding entropy
c
d1
 # ways to open (binding)
phase
…
d2
Y’
– 1st phase: k(+1)
– 2ndOR
phase: k(m-)
NOVY IH
2nd
Pr[(+1) 1st phase hiding &
Y(m-) 2nd phase
- 1)
2k(m - hiding]
dm
– 1st phase: 2m 2k’=2k(’ - m/k)
– 2nd phase: 2k(m-’)
 In at least one phase,
Ext – k(m-)In at least one phase, the
¼fraction
k–m
# ways toentropy
open is agap
small
y’
NOVY IH
c’
of the total space.
= O(log n).
1st phase
c1
c2
…
cm
2k - m
Ext – k(+1)
y
 Hiding entropy
c
d1
 # ways to open (binding)
phase
…
d2
Y’
– 1st phase: k(+1)
– 2ndOR
phase: k(m-)
NOVY IH
2nd
Pr[(+1) 1st phase hiding &
Y(m-) 2nd phase
- 1)
2k(m - hiding]
dm
– 1st phase: 2m 2k’=2k(’ - m/k)
– 2nd phase: 2k(m-’)
 In at least one phase,
Ext – k(m-)In at least one phase, the
¼fraction
k–m
# ways toentropy
open is agap
small
y’
NOVY IH
c’
of the total space.
= O(log n).