
Nir Bitansky and Omer Paneth
The Result
Assuming OT, there exists a
resettably-sound ZK protocol
(Previous constructions of
resettably-sound ZK relied on CRHF)
Zero-Knowledge Proofs
Zero
Knowledge
Soundness
π‘₯ ∈ β„’?
𝒫
𝒱
Zero-Knowledge Proofs
Soundness
π‘₯βˆ‰β„’
π’«βˆ—
𝒱
Zero-Knowledge Proofs
Zero
Knowledge
π‘₯βˆˆβ„’
𝒫
π’±βˆ—
Intuition:
𝒱* “knows” how to generate a proof itself!
𝒫
𝒱*
We can efficiently extract a proof from 𝒱*
The Simulator
Accepting transcript:
π’±βˆ—
Simulator
The Simulator
π’±βˆ—
𝒫
β‰ˆ
π’±βˆ—
Simulator
Black-Box Simulator
π’±βˆ—
Black Box
Simulator
Non-Black-Box Simulator
𝒱*
Non Black Box
Simulator
Black-Box vs. Non-Black-Box
Can Non-Black-Box Simulation
really achieve more than
Black-Box Simulation?
Black-Box vs. Non-Black-Box
Constant-round public-coin ZK
(for NP, with negligible soundness error)
Not considering 3-round ZK from KEA
[Hada-Tanaka 98, Bellare-Palacio 04]
CRHF + PCP
Argument
Black Box
Simulator
[Goldreich-Krawczyk 90]
Non Black Box
Simulator
[Barak 01]
Black-Box vs. Non-Black-Box
Black Box
Simulator
Non Black Box
Simulator
Constant-round public-coin ZK
GK90,B01
Resettably-sound ZK
BGGL01
Constant-round bounded-concurrent ZK and MPC
B01,PR03
Constant-round ZK with strict polynomial-time
simulation\knowledge extraction
BL02
Simultaneously resettable ZK and MPC
DGS09,GM11
Constant-round covert MPC
GJ10
Constant-round public-coin parallel ZK
PRT11
Simultaneously resettable WI proof of knowledge
COSV12
Non-Black-Box Simulation
BGGL01,B01,PR03,BL02,DGS09,GS09,
GM11,GJ10,PRT11,COSV12…
Barak 01
Non-Black-Box Simulation
BGGL01,B01,PR03,BL02,DGS09,GS09,
GM11,GJ10,PRT11,COSV12…
Barak 01
CRHF + PCP
Barak’s ZK Protocol
The FLS paradigm: [Feige-Lapidot-Shamir 99]
Generation protocol for
trapdoor T
𝒫
Witness indistinguishable
proof that x ∈ ℒ or
𝒫 “knows” T
𝒱
Barak’s ZK Protocol
The FLS paradigm: [Feige-Lapidot-Shamir 99]
A proof generated using a witness for x ∈ ℒ
and a proof generated using the trapdoor T
are indistinguishable
Generation protocol for
trapdoor T
𝒫
Witness indistinguishable
proof that x ∈ ℒ or
𝒫 “knows” T
𝒱
Barak’s ZK Protocol
Q: Can we have a trapdoor generation
protocol where 𝒱 is public-coin?
A: Not using black-box simulation.
Barak’s ZK Protocol
Q: Can we have a trapdoor generation
protocol where 𝒱 is public-coin?
A: (Barak 01) Yes!
Trapdoor is the entire code of 𝒱*
Problem of “Long” Trapdoor
(Or: problem of “short” messages)
𝒫
Witness indistinguishable
proof that x ∈ ℒ or
𝒫 “knows” T = 𝒱*
𝒱* is an arbitrary
polynomial
𝒱
Barak’s ZK Protocol
Fixing the problem:
1. Use a Universal Argument: a succinct
witness indistinguishable proof
based on PCPs [Kilian 92, Barak-Goldreich 08]
2. Use a collision-resistant hash function to give a
shrinking commitment to trapdoor.
Non-Black-Box Simulation
BGGL01,B01,PR03,BL02,DGS09,GS09,
GM11,GJ10,PRT11,COSV12…
Barak 01
CRHF + UA\PCP
Are Barak’s techniques inherent in
non-black-box simulation?
No!
Can its applications be achieved
without collision-resistant hashing
and universal arguments?
Yes!
Resettable Protocols
A
B
Resettable Protocols
A
B
Resettable Protocols
A
B
Resettable ZK
[Canetti-Goldreich-Goldwasser-Micali 00]
π‘₯βˆˆβ„’
𝒫
π’±βˆ—
Resettably-Sound ZK
[Micali-Reyzin 01,
Barak-Goldreich-Goldwasser-Lindell 01]
π‘₯βˆ‰β„’
π’«βˆ—
𝒱
Resettably-Sound ZK
[Barak-Goldreich-Goldwasser-Lindell 01,
Goldreich-Krawczyk 90]
𝒫
𝒱
Black Box
Simulator
Resettably-Sound ZK
Black Box
Simulator
𝒱
π’«βˆ—
𝒱
π’±βˆ—
Black Box
Simulator
Resettably-Sound ZK
[Barak-Goldreich-Goldwasser-Lindell 01]
𝒫
𝒱
Non Black Box
Simulator
Using CRHF and UA
The Result
Assuming only OT, there exists a
constant-round resettably-sound ZK
protocol that does not make use of UA.
The Technique
A new non-black-box simulation technique
from the Impossibility of Obfuscation
Program Obfuscation
π’ͺ is an obfuscation of a function family π‘“π‘˜ :
π‘“π‘˜
π‘₯
𝐴
π‘˜
π’ͺ
Ξ k
π‘“π‘˜ (π‘₯)
β‰ˆ
Ξ k
𝐴
Obfuscation and ZK
If we can obfuscate 𝒱*:
𝒱*
𝒪(𝒱*)
Non Black Box
Simulator
Black Box
Simulator
Resettably-Sound ZK
Obfuscation and ZK
Assuming OWFs, there exists a family of
functions f_k that cannot be obfuscated.
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Resettably-Sound ZK
β€œEasy”
Impossibility of obfuscation
Obfuscation and ZK
Assuming OWFs, there exists a family of
functions f_k that cannot be obfuscated.
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Resettably-Sound ZK
“Hard”
Impossibility of obfuscation + OT
Unobfuscatable functions
π‘“π‘˜
1. βˆ€π΄, π‘˜ ← π‘ˆ:
2. βˆƒπΈ, βˆ€πΆ ≑ π‘“π‘˜ :
𝐴
𝐢
𝐸
π‘˜
π‘˜
The Protocol
c = Com(k)
y = 0
c
𝒫
k ← U_n
k
Secure function
evaluation of f_k(y)
f_k(y) where c = Com(k)
Witness Indistinguishable
proof that x ∈ ℒ or
𝒫 “knows” k
d
𝒱
Proof Idea - Resettable Soundness
c = Com(k)
y
𝒫*
k
f_k(y) SFE of f_k(y)
k ← U_n
𝒱
f_k
𝒫*
k
Proof Idea – Zero Knowledge
Non Black Box Simulator
π’±βˆ—
𝐢 ≑ π‘“π‘˜
𝐸
π‘˜
Proof Idea – Zero Knowledge
C ≡ f_k
c = Com(k)
y
f_k(y)
k
SFE of f_k(y)
𝒱*
Non Black Box Simulator
𝒱*
C ≡ f_k
E
k
Proof Idea – Zero Knowledge
C ≡ f_k
c = Com(k)
y
⊥
⊥
SFE of f_k(y)
𝒱*
$C(y) = \begin{cases} \bot & \text{w.p. } p \\ f_k(y) & \text{w.p. } 1-p \end{cases}$
Proof Idea – Zero Knowledge
C ≡ f_k
C′ ≡ f_k \ ⊥
y
C′ ≡ f_k \ ⊥
𝒱*
⊥
f_k(y)
…
1/p
𝒱*
C′ ≡ f_k \ ⊥
𝒱*
⊥
f_k(y)
Proof Idea – Zero Knowledge
Non Black Box Simulator
c = Com(k)
y = 0
k
f_k(y)
𝒱*
k
k ← U_n
SFE of f_k(y)
C ≡ f_k
E k
Witness Indistinguishable
proof that x ∈ ℒ or
𝒫 “knows” k
𝒱*
The SFE Protocol
π‘“π‘˜
𝑐 = πΆπ‘œπ‘š(π‘˜)
𝒫
βˆ—
𝑦
π‘“π‘˜ (𝑦)
SFE of
π‘“π‘˜ (𝑦)
π‘˜
𝒱
π’«βˆ—
How to instantiate
this box?
c = Com(k)
y
f_k(y)
SFE of
f_k(y)
k
𝒱*
C ≡ f_k
The SFE Protocol
y
Semi-honest SFE of f_k(y)
k
ZK proof of knowledge
𝒫
ZK proof of knowledge
f_k(y)
𝒱
The SFE Protocol
y
Semi-honest SFE of f_k(y)
k
ZK proof of knowledge
𝒫
ZK proof of knowledge
f_k(y)
𝒱
The SFE Protocol
y
Semi-honest SFE of f_k(y)
k
Resettably-sound ZK POK
Based on resettably-sound ZK
[BGGL01,GS09]
𝒫
Resettable ZK POK
f_k(y)
𝒱
The SFE Protocol
π‘“π‘˜
𝑐 = πΆπ‘œπ‘š(π‘˜)
𝒫
βˆ—
𝑦
π‘“π‘˜ (𝑦)
SFE of
π‘“π‘˜ (𝑦)
π‘˜
𝒱
π’«βˆ—
π‘₯βˆ‰β„’
π‘₯βˆˆβ„’
𝑐 = πΆπ‘œπ‘š(π‘˜)
𝑦
π‘“π‘˜ (𝑦)
SFE of
π‘“π‘˜ (𝑦)
π‘˜
π’±βˆ—
𝐢 ≑ π‘“π‘˜
Instance-dependent SFE
π‘₯βˆˆβ„’
π‘₯βˆ‰β„’
SFE π‘₯ of π‘“π‘˜ (𝑦)
ZK
POK
Resettable POK
Resettable ZK
+ Strongly unobfuscatable functions
Instance-dependent SFE
𝒫 π’±π‘ŠπΌ
𝐡1
π‘Ÿ
π’«π‘ŠπΌ 𝒱
𝐡3
π‘₯βˆˆβ„’
POK
π‘₯βˆ‰β„’
Resettable ZK WI
Instance-dependent SFE
Com(r)
𝒫  𝒱_WI
B_1
r
𝒫_WI  𝒱
B_3
x ∈ ℒ
POK
x ∉ ℒ
Resettable ZK
Instance-dependent SFE
Com_x(r)
𝒫  𝒱_WI
B_1
r
𝒫_WI  𝒱
B_3
x ∈ ℒ
POK
x ∉ ℒ
Resettable ZK
Simulation Running Time
Non Black Box Simulator
π’±βˆ—
𝐢 ≑ π‘“π‘˜
𝐸
π‘˜
Simulation Running Time
C ≡ f_k
C′ ≡ f_k \ ⊥
y
C′ ≡ f_k \ ⊥
𝒱*
⊥
C′ ≡ f_k \ ⊥
𝒱*
f_k(y)
f_k(y)
$|C| = \frac{\mathrm{poly}(n)}{p}$
…
1/p
𝒱*
⊥
Proof Idea – Zero Knowledge
Non Black Box Simulator
c = Com(k)
y = 0
k
f_k(y)
𝒱*
k
k ← U_n
SFE of f_k(y)
C ≡ f_k
E k
Witness Indistinguishable
proof that x ∈ ℒ or
𝒫 “knows” k
𝒱*
Simulation Running Time
Non Black Box Simulator
π’±βˆ—
𝐢 ≑ π‘“π‘˜
𝐸
π‘˜
𝑝
w.p.
|𝐢|
𝑆 =
poly(𝑛) w.p. 1 βˆ’ 𝑝
𝔼 𝑆
poly 𝑛
=𝑝⋅
+ 1 βˆ’ 𝑝 β‹… poly 𝑛 = poly 𝑛
𝑝
Simulation Running Time
Non Black Box Simulator
π’±βˆ—
𝐸
𝐢 ≑ π‘“π‘˜
π‘˜
𝐸(𝐢) = 𝑂( 𝐢 2 )
𝔼 𝑆
poly 𝑛
=𝑝⋅
𝑝
2
1
+ 1 βˆ’ 𝑝 β‹… poly 𝑛 >
𝑝
Simulation Running Time
c = Com(k)
y = 0
𝒫
k ← U_n
k
f_k(y)
SFE of f_k(y)
Witness Indistinguishable
proof that x ∈ ℒ or
𝒫 “knows” k
𝒱
Simulation Running Time
c = Com(k)
y = 0
k
f_k(y)
𝒫
k ← U_n
SFE of f_k(y)
y = 0
k
f_k(y)
SFE of f_k(y)
Witness Indistinguishable
proof that x ∈ ℒ or
𝒫 “knows” k
𝒱
Simulation Running Time
Non Black Box Simulator
π’±βˆ—
𝐸
𝐢 ≑ π‘“π‘˜
π‘˜
poly 𝑛
𝐢 =
𝑝
𝔼 𝑆
poly 𝑛
=𝑝⋅
𝑝
2
+ 1 βˆ’ 𝑝 β‹… poly 𝑛 = poly 𝑛
Comparison to [Barak 01]

             # rounds   Assumptions   Uses Trapdoor   PCP\UA Length   Public coin
Barak 01     O(1)       CRHF          Yes             Long            Yes
This work    O(1)       OT            No              Short           No
One More Application
Simultaneously resettable ZK
π‘₯βˆ‰β„’
π’«βˆ—
π‘₯βˆˆβ„’
𝒱
𝒫
π’±βˆ—
[BGGL 01]: Can a protocol be resettable ZK
and resettably-sound simultaneously?
Simultaneously resettable ZK
π‘₯βˆ‰β„’
π’«βˆ—
π‘₯βˆˆβ„’
𝒱
[Deng-Goyal-Sahai 09]: Yes!
𝒫
π’±βˆ—
Simultaneously resettable ZK
Resettably-sound ZK
Non-black-box simulation
Long trapdoor
Short trapdoor
Black-box simulation
Bounded concurrent ZK
Concurrent ZK
Resettable ZK
Simultaneously resettable ZK
Resettably-sound ZK
Non-black-box simulation
Short trapdoor
Black-box simulation
Concurrent ZK
Resettable ZK
Simultaneously resettable ZK
c = Com(k)
y = 0
×n
𝒫
f_k(y)
k ← U_n
k
SFE of f_k(y)
𝒱
[Cho-Ostrovsky-Scafuro-Visconti 12]
Simultaneously Resettable
Witness Indistinguishable
proof that x ∈ ℒ or
𝒫 “knows” k
?