Transcript Slides
Nir Bitansky and Omer Paneth
The Result
Assuming OT, there exists a resettably-sound ZK protocol.
(Previous constructions of resettably-sound ZK relied on CRHF.)
Zero-Knowledge Proofs
[diagram: prover 𝒫 and verifier 𝒱 interact on the question "x ∈ ℒ?"; the two properties are zero knowledge and soundness]
Soundness: x ∉ ℒ, a cheating prover 𝒫* against the honest 𝒱.
Zero knowledge: x ∈ ℒ, the honest 𝒫 against a cheating verifier 𝒱*.
Intuition: 𝒱* "knows" how to generate a proof itself! We can efficiently extract a proof from 𝒱*.
The Simulator
[diagram: the simulator, given 𝒱*, outputs an accepting transcript; the view of 𝒱* interacting with 𝒫 ≈ the output of the simulator run on 𝒱*]
Black-Box Simulator: [diagram: the simulator has only black-box access to 𝒱*]
Non-Black-Box Simulator: [diagram: the simulator is given the code of 𝒱*]
Black-Box vs. Non-Black-Box
Can non-black-box simulation really achieve more than black-box simulation?
Black-Box vs. Non-Black-Box
Constant-round public-coin ZK (for NP, with negligible soundness error), not considering 3-round ZK from KEA [Hada-Tanaka 98, Bellare-Palacio 04]:
Black-box simulator: ruled out [Goldreich-Krawczyk 90].
Non-black-box simulator: achieved [Barak 01], via a CRHF + PCP argument.
Black-Box vs. Non-Black-Box
Results, by black-box simulator vs. non-black-box simulator:
Constant-round public-coin ZK: GK90, B01
Resettably-sound ZK: BGGL01
Constant-round bounded-concurrent ZK and MPC: B01, PR03
Constant-round ZK with strict polynomial-time simulation\knowledge extraction: BL02
Simultaneously resettable ZK and MPC: DGS09, GM11
Constant-round covert MPC: GJ10
Constant-round public-coin parallel ZK: PRT11
Simultaneously resettable WI proof of knowledge: COSV12
Non-Black-Box Simulation
BGGL01, B01, PR03, BL02, DGS09, GS09, GM11, GJ10, PRT11, COSV12, … all build on Barak 01 (CRHF + PCP).
Barak’s ZK Protocol
The FLS paradigm [Feige-Lapidot-Shamir 99]:
1. A generation protocol for a trapdoor T.
2. A witness indistinguishable proof that x ∈ ℒ or 𝒫 "knows" T.
A proof generated using a witness for x ∈ ℒ and a proof generated using the trapdoor T are indistinguishable.
Barak’s ZK Protocol
Q: Can we have a trapdoor generation protocol where 𝒱 is public-coin?
A: Not using black-box simulation.
A: (Barak 01) Yes! The trapdoor is the entire code of 𝒱*.
Problem of "Long" Trapdoor (Or: problem of "short" messages)
[diagram: 𝒫 gives a witness indistinguishable proof that x ∈ ℒ or 𝒫 "knows" T = 𝒱*; but 𝒱* is of arbitrary polynomial size, so the trapdoor is longer than the protocol's messages]
Barak’s ZK Protocol
Fixing the problem:
1. Use a universal argument, a succinct witness indistinguishable proof based on PCPs [Kilian 92, Barak-Goldreich 08].
2. Use a collision-resistant hash function to give a shrinking commitment to the trapdoor.
Non-Black-Box Simulation
BGGL01, B01, PR03, BL02, DGS09, GS09, GM11, GJ10, PRT11, COSV12, … all build on Barak 01 (CRHF + UA\PCP).
Are Barak’s techniques inherent in non-black-box simulation? No!
Can its applications be achieved without collision-resistant hashing and universal arguments? Yes!
Resettable Protocols
[diagram: parties A and B interact; A is reset and run again against B]
Resettable ZK [Canetti-Goldreich-Goldwasser-Micali 00]: x ∈ ℒ, 𝒫 against a resetting 𝒱*.
Resettably-Sound ZK [Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]: x ∉ ℒ, a resetting 𝒫* against 𝒱.
Resettably-Sound ZK [Barak-Goldreich-Goldwasser-Lindell 01, Goldreich-Krawczyk 90]
[diagram: a black-box simulator can only run and reset 𝒱*; a resetting cheating prover 𝒫* can apply the same strategy to the honest 𝒱, so black-box simulation is ruled out]
Resettably-Sound ZK [Barak-Goldreich-Goldwasser-Lindell 01]: a non-black-box simulator, using CRHF and UA.
The Result
Assuming only OT, there exists a constant-round resettably-sound ZK protocol that does not make use of UA.
The Technique
A new non-black-box simulation technique from the impossibility of obfuscation.
Program Obfuscation
𝒪 is an obfuscation of a function family f_k: on input k, 𝒪 outputs a program Π_k that computes f_k.
[diagram: any A given Π_k ≈ A given only oracle access to x ↦ f_k(x)]
Obfuscation and ZK
If we can obfuscate 𝒱*: a non-black-box simulator given 𝒪(𝒱*) is no stronger than a black-box simulator, so resettably-sound ZK would run into the black-box impossibility above.
[diagram: 𝒱* → 𝒪(𝒱*) → non-black-box simulator ≈ black-box simulator → resettably-sound ZK]
Obfuscation and ZK
Assuming OWFs, there exists a family of functions f_k that cannot be obfuscated [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01].
Impossibility of obfuscation → resettably-sound ZK: "Easy"
Impossibility of obfuscation + OT → resettably-sound ZK: "Hard"
Unobfuscatable functions f_k:
1. ∀A, k ← U: A with oracle access to f_k does not output k.
2. ∃E, ∀C ≡ f_k: E(C) = k.
The Protocol
𝒱: sample k ← U_n and send c = Com(k).
𝒫 (input y = 0) and 𝒱 (input k and d): secure function evaluation of f_k(y); 𝒫 receives f_k(y) for the k with c = Com(k).
𝒫: witness indistinguishable proof that x ∈ ℒ or 𝒫 "knows" k.
Proof Idea - Resettable Soundness
[diagram: a resetting 𝒫* against 𝒱 with k ← U_n and c = Com(k); each run of the SFE on a query y of 𝒫*'s choice gives 𝒫* only f_k(y), i.e. oracle access to f_k, which by property 1 does not reveal k]
Proof Idea – Zero Knowledge
Non-black-box simulator: from 𝒱*, build a circuit C ≡ f_k and run the extractor, E(C) = k.
[diagram: C, on input y, runs 𝒱*'s side of the SFE of f_k(y) after 𝒱* has sent c = Com(k), and outputs f_k(y)]
Proof Idea – Zero Knowledge
[diagram: 𝒱* may abort the SFE, so C(y) = f_k(y) w.p. p and C(y) = ⊥ w.p. 1 − p]
Proof Idea – Zero Knowledge
C′ ≡ f_k \ ⊥: on input y, run 1/p independent copies of 𝒱*'s SFE (…) and output the first answer f_k(y) that is not ⊥.
Proof Idea – Zero Knowledge
Non-black-box simulator, full run: 𝒱* sends c = Com(k) with k ← U_n; the simulator runs the SFE of f_k(y) with y = 0; from 𝒱* it builds C ≡ f_k and obtains k = E(C); it then uses k as the witness in the witness indistinguishable proof that x ∈ ℒ or 𝒫 "knows" k.
The SFE Protocol
How to instantiate this box? The SFE of f_k(y) (𝒫's input y, 𝒱's input k with c = Com(k), output f_k(y) to 𝒫) must hold up against a resetting 𝒫* (soundness) and must let the simulator turn 𝒱* into a circuit C ≡ f_k (zero knowledge).
The SFE Protocol
Semi-honest SFE of f_k(y) (𝒫's input y, 𝒱's input k, output f_k(y) to 𝒫), with each party giving a ZK proof of knowledge for its part.
The SFE Protocol
Semi-honest SFE of f_k(y), where the ZK proofs of knowledge are a resettably-sound ZK POK (based on resettably-sound ZK [BGGL01, GS09]) and a resettable ZK POK.
The SFE Protocol
[diagram: the SFE box in the two cases; x ∉ ℒ: a resetting 𝒫* against 𝒱 with c = Com(k); x ∈ ℒ: the simulator's circuit C ≡ f_k built from 𝒱*]
Instance-dependent SFE
SFE_x of f_k(y): for x ∈ ℒ, ZK and POK; for x ∉ ℒ, resettable POK and resettable ZK; + strongly unobfuscatable functions.
Instance-dependent SFE
[diagram, three variants: 𝒫 with 𝒱_WI exchange B1 and r, 𝒫_WI with 𝒱 exchange B3; for x ∈ ℒ: POK; for x ∉ ℒ: resettable ZK / WI. The second variant commits with Com(r), the third with the instance-dependent Com_x(r).]
Simulation Running Time
The non-black-box simulator builds C ≡ f_k from 𝒱* and runs E(C) = k. Aborts are handled by C′ ≡ f_k \ ⊥, which runs 1/p copies of 𝒱* (…) until one answers f_k(y) rather than ⊥, so |C| = poly(n)/p.
Simulation Running Time
S = |C| w.p. p, S = poly(n) w.p. 1 − p.
E[S] = p · poly(n)/p + (1 − p) · poly(n) = poly(n)
Simulation Running Time
But the extractor's running time is E(C) = O(|C|²):
E[S] = p · (poly(n)/p)² + (1 − p) · poly(n) > 1/p
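An added worked derivation, not on the original slides, of how the extractor's cost model decides the simulator's expected running time. It uses the slides' symbols S, p and |C|, and introduces T_E (assumed notation) for the extractor's running time as a function of the circuit size:

$$
\mathbb{E}[S] \;=\; p\cdot T_E\!\left(|C|\right) + (1-p)\cdot \mathrm{poly}(n), \qquad |C| = \frac{\mathrm{poly}(n)}{p}.
$$

Linear extractor, $T_E(m) = O(m)$:
$$
\mathbb{E}[S] = p\cdot O\!\left(\frac{\mathrm{poly}(n)}{p}\right) + (1-p)\cdot \mathrm{poly}(n) = \mathrm{poly}(n) \quad \text{for every } p \in (0,1].
$$

Quadratic extractor, $T_E(m) = O(m^2)$, up to the constant in the $O(\cdot)$:
$$
\mathbb{E}[S] \;\ge\; p\cdot\left(\frac{\mathrm{poly}(n)}{p}\right)^{2} = \frac{\mathrm{poly}(n)^2}{p} > \frac{1}{p},
$$
which is polynomial only if $p \ge 1/\mathrm{poly}(n)$; a $\mathcal{V}^*$ that completes the SFE with probability $p = n^{-\omega(1)}$ makes the simulation superpolynomial.

Where $|C| = \mathrm{poly}(n)/p$ comes from: if $C'$ runs $t$ independent copies of $\mathcal{V}^*$'s SFE, then $\Pr[C'(y) = \bot] = (1-p)^t \le e^{-pt}$, so $t = n/p$ copies leave failure probability at most $e^{-n}$ and $|C'| = t\cdot \mathrm{poly}(n) = \mathrm{poly}(n)/p$.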
Simulation Running Time
[the protocol as above: 𝒱 sends c = Com(k) with k ← U_n; SFE of f_k(y) with y = 0; witness indistinguishable proof that x ∈ ℒ or 𝒫 "knows" k]
Modified protocol: the SFE of f_k(y) with y = 0 is run twice, with the same committed k, before the witness indistinguishable proof.
Simulation Running Time
Non-black-box simulator with C ≡ f_k, E(C) = k and |C| = poly(n)/p:
E[S] = p · poly(n)²/p + (1 − p) · poly(n) = poly(n)
Comparison to [Barak 01]
          | # rounds | Assumptions | Uses PCP\UA | Trapdoor length | Public coin
Barak 01  | O(1)     | CRHF        | Yes         | Long            | Yes
This work | O(1)     | OT          | No          | Short           | No
One More Application
Simultaneously resettable ZK: [diagram: x ∉ ℒ, a resetting 𝒫* against 𝒱; x ∈ ℒ, 𝒫 against a resetting 𝒱*]
[BGGL 01]: Can a protocol be resettable ZK and resettably-sound simultaneously?
[Deng-Goyal-Sahai 09]: Yes!
Simultaneously resettable ZK
[diagram 1: resettably-sound ZK from non-black-box simulation (long trapdoor or short trapdoor); bounded concurrent ZK, concurrent ZK and resettable ZK from black-box simulation; simultaneously resettable ZK combines the two]
[diagram 2: the same with the short trapdoor only; the "long trapdoor" and "bounded concurrent ZK" nodes are gone]
𝑐 = 𝐶𝑜𝑚(𝑘)
𝑦=0
×𝑛
𝒫
𝑓𝑘 (𝑦)
𝑘 ← 𝑈𝑛
𝑘
SFE of 𝑓𝑘 (𝑦)
𝒱 12]
[Cho-Ostrovsky-Scafuro-Visconti
Simultaneously Resettable
Witness Indistinguishable
proof that 𝑥 ∈ ℒ or
𝒫 “knows” 𝑘
?