Embed Size (px)
DESCRIPTION
From the Impossibility of Obfuscation to a New Non-Black-Box Simulation Technique. Nir Bitansky and Omer Paneth. The Result. Assuming OT there exist a resettably -sound ZK protocol. (Previous constructions of resettably -sound ZK relied on CRHF). Zero-Knowledge Proofs . Zero - PowerPoint PPT Presentation
Citation preview
From the Impossibility of
Obfuscation to
a New Non-Black-Box Simulation Technique
Nir Bitansky and Omer Paneth
Assuming OT there exist a
resettably-sound ZK protocol
The Result
(Previous constructions of resettably-sound ZK relied on CRHF)
Zero-Knowledge Proofs 𝒫 𝒱𝑥∈ℒ?
Zero Knowledg
eSoundness
Zero-Knowledge Proofs 𝒱𝑥∉ℒ𝒫∗
Soundness
Zero-Knowledge Proofs 𝒫 𝑥∈ℒ 𝒱∗
Zero Knowledg
e
“knows” how to generate a proof itself!Intuition:
We can efficiently extract a proof from
𝒫 𝒱∗
Simulator
The Simulator
𝒱∗
Accepting transcript:
Simulator
𝒫 𝒱∗
The Simulator
𝒱∗≈
Black Box Simulator
Black-Box Simulator𝒱∗
Non-Black-Box Simulator
𝒱∗ Non Black Box Simulator
Can Non-Black-Box
Simulation really achieve more than
Black-Box Simulation?
Black-Box vs. Non-Black-Box
Black-Box vs. Non-Black-Box
Constant-round public-coin ZK(for NP, with negligible soundness error)
Black Box Simulator
Non Black Box
Simulator
CRHF + PCPArgument
[Goldreich-Krawczyk 90] [Barak 01]
Not considering 3-round ZK from KEA[Hada-Tanaka 98, Bellare-Palacio 04]
Black-Box vs. Non-Black-Box
Constant-round public-coin ZK GK90,B01Resettably-sound ZK BGGL01Constant-round bounded-concurrent ZK and MPC B01,PR03Constant-round ZK with strict polynomial-time simulation\knowledge extraction
BL02
Simultaneously resettable ZK and MPC DGS09,GM11Constant-round covert MPC GJ10Constant-round public-coin parallel ZK PRT11Simultaneously resettable WI proof of knowledge COSV12
Black Box Simulator
Non Black Box
Simulator
Non-Black-Box Simulation
BGGL01,B01,PR03,BL02,DGS9,GS09,
GM11,GJ10,PRT11,COSV12…
Barak 01Barak 01
Non-Black-Box Simulation
BGGL01,B01,PR03,BL02,DGS9,GS09,
GM11,GJ10,PRT11,COSV12…
Barak 01
CRHF + PCP
Barak’s ZK Protocol 𝒫 𝒱Generation protocol for
trapdoor
Witness indistinguishable proof
that or “knows”
The FLS paradigm: [Feige-Lapidot-Shamir 99]
Barak’s ZK Protocol 𝒫 𝒱Generation protocol for
trapdoor
Witness indistinguishable proof
that or “knows”
The FLS paradigm: [Feige-Lapidot-Shamir 99]
A proof generated using a witness for and a proof generated using the
trapdoor are indistinguishable
Barak’s ZK Protocol
Q: Can we have a trapdoor generation protocol where is public-coin?
A: Not using black-box simulation.
Barak’s ZK Protocol
Q: Can we have a trapdoor generation protocol where is public-coin?
A: (Barak 01) Yes! Trapdoor is the entire code of
Problem of “Long” Trapdoor𝒫 𝒱Witness
indistinguishable proof that or
“knows”
(Or: problem of “short” messages)
is an arbitrary polynomial
Fixing the problem:
1. Use a Universal Argument – a succinct witness indistinguishable proofbased on PCPs [kilian 92, Barak-Goldreich 08]
2. Use a collision-resistant hash function to give a shrinking commitment to trapdoor.
Barak’s ZK Protocol
Non-Black-Box Simulation
BGGL01,B01,PR03,BL02,DGS9,GS09,
GM11,GJ10,PRT11,COSV12…
Barak 01
CRHF + UA\PCP
Are Barak’s techniques inherent in non-black-box
simulation?
Can its applications be achieved without collision-
resistant hashing and universal arguments?
Yes!
No!
Resettable Protocols
𝐴 𝐵
𝐴Resettable Protocols
𝐴 𝐵
Resettable Protocols
𝐵𝐴
Resettable ZK 𝒱∗
𝑥∈ℒ
[Canetti-Goldreich-Goldwasser-Micali 00]
𝒫
Resettably-Sound ZK
𝒱𝒫∗𝑥∉ℒ
[Micali-Reyzin 01,Barak-Goldreich-Goldwasser-Lindell 01]
Resettably-Sound ZK[Barak-Goldreich-Goldwasser-Lindell01, Goldreich-Krawczyk 90]
𝒱𝒫 Black Box Simulator
Resettably-Sound ZK𝒫∗ 𝒱
𝒱
Black Box Simulator
𝒱∗
Black Box Simulator
Resettably-Sound ZK[Barak-Goldreich-Goldwasser-Lindell 01]
𝒱𝒫 Non Black Box Simulator
Using CRHF and UA
Assuming only OT there exist a constant-round resettably-sound ZK protocol that does not make
use of UA.
The Result
A new non-black-box simulation technique from the Impossibility of
Obfuscation
The Technique
Program Obfuscation
is an obfuscation of a function family :
𝑥
Π k𝑘𝑓 𝑘(𝑥)
𝒪 𝐴𝑓 𝑘
𝐴Π k
≈
Obfuscation and ZK
If we can obfuscate :
Black Box Simulator
𝒱∗Non Black
Box Simulator𝒪(𝒱∗)
Resettably-Sound ZK
Obfuscation and ZKAssuming OWFs, there exist a family of functions that can not be obfuscated.[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Impossibility of obfuscation
Resettably-Sound ZK
“Easy”
Obfuscation and ZKAssuming OWFs, there exist a family of functions that can not be obfuscated.[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Impossibility of obfuscation + OT
Resettably-Sound ZK
“Hard”
Unobfuscatable functions
𝐴𝑓 𝑘
𝑘
𝐸𝐶 𝑘
:
:
The Protocol𝒫 𝒱𝑘←𝑈𝑛
𝑐=𝐶𝑜𝑚(𝑘)
𝑘𝑦=0
𝑓 𝑘(𝑦)
Witness Indistinguishable proof
that or “knows”
Secure function evaluation of
where
𝑐 𝑑
Proof Idea - Resettable Soundness
𝑘←𝑈𝑛
𝑐=𝐶𝑜𝑚(𝑘)
𝑘𝑦𝑓 𝑘(𝑦) SFE of 𝒫∗
𝒫∗𝑓 𝑘
𝑘
𝒱
Proof Idea – Zero Knowledge
𝒱∗Non Black Box Simulator
𝐶≡ 𝑓 𝑘 𝐸 𝑘
Proof Idea – Zero Knowledge 𝒱∗
𝐶≡ 𝑓 𝑘𝑐=𝐶𝑜𝑚(𝑘)
𝑘𝑦𝑓 𝑘(𝑦) SFE of
𝒱∗Non Black Box Simulator
𝐶≡ 𝑓 𝑘 𝐸 𝑘
Proof Idea – Zero Knowledge
𝐶≡ 𝑓 𝑘𝑐=𝐶𝑜𝑚(𝑘)
⊥𝑦⊥ SFE of
𝐶 (𝑦 )={ 𝑓 𝑘 ( 𝑦 )⊥
w .p . w .p .
𝑝1−𝑝
𝒱∗
Proof Idea – Zero Knowledge
𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿𝑦 𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿
…
𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿
𝑓 𝑘(𝑦)⊥
⊥
𝑓 𝑘(𝑦)
𝐶≡ 𝑓 𝑘
1𝑝
Proof Idea – Zero Knowledge
𝑘←𝑈𝑛
𝑐=𝐶𝑜𝑚(𝑘)
𝑘𝑦=0𝑓 𝑘(𝑦)
Witness Indistinguishable proof
that or “knows”
SFE of 𝒱∗Non Black Box Simulator
𝑘
𝐶≡ 𝑓 𝑘 𝐸 𝑘𝒱∗
𝑘
The SFE Protocol
𝐶≡ 𝑓 𝑘𝑐=𝐶𝑜𝑚(𝑘)
𝑘𝑦𝑓 𝑘(𝑦) SFE of 𝒱∗
𝒫∗ 𝑐=𝐶𝑜𝑚(𝑘)
𝑦𝑓 𝑘(𝑦) SFE of
𝒱 𝒫∗𝑓 𝑘
How to instantiate this box?
How to instantiate this
box?
The SFE Protocol
𝑘𝑦
𝑓 𝑘(𝑦)
Semi-honest SFE of 𝒫 𝒱ZK proof of knowledge
ZK proof of knowledge 𝒱
The SFE Protocol
𝑘𝑦
𝑓 𝑘(𝑦)
Semi-honest SFE of 𝒫 𝒱ZK proof of knowledge
ZK proof of knowledge
The SFE Protocol
𝑘𝑦
𝑓 𝑘(𝑦)
Semi-honest SFE of 𝒫 𝒱Resettably-sound ZK POK
Resettable ZK POK
Based on resettably-sound ZK [BGGL01,GS09]
𝑘
The SFE Protocol
𝐶≡ 𝑓 𝑘𝑐=𝐶𝑜𝑚(𝑘)
𝑘𝑦𝑓 𝑘(𝑦) SFE of 𝒱∗
𝒫∗ 𝑐=𝐶𝑜𝑚(𝑘)
𝑦𝑓 𝑘(𝑦) SFE of
𝒱 𝒫∗𝑓 𝑘
𝑥∉ℒ𝑥∈ℒ
Instance-dependent
SFEof
ZK
𝑥∉ℒ𝑥∈ℒ
Resettable POK
POK Resettable ZK
+ Strongly unobfuscatable functions
Instance-dependent
SFE
𝑥∉ℒ𝑥∈ℒPOK Resettable ZK
𝐵1
𝐵3𝑟 𝒱𝒫 𝒫𝑊𝐼𝒱𝑊𝐼
WI
Instance-dependent
SFE
𝑥∉ℒ𝑥∈ℒPOK Resettable ZK
Com(𝑟 )𝐵1
𝐵3𝑟 𝒱𝒫 𝒫𝑊𝐼𝒱𝑊𝐼
Instance-dependent
SFE
𝑥∉ℒ𝑥∈ℒPOK Resettable ZK
Com𝑥(𝑟 )
𝒱𝒫 𝐵1𝐵3𝑟 𝒫𝑊𝐼𝒱𝑊𝐼
Simulation Running Time
𝒱∗Non Black Box Simulator
𝐶≡ 𝑓 𝑘 𝐸 𝑘
Simulation Running Time
𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿𝑦 𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿
…𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿
𝑓 𝑘(𝑦)⊥
⊥
𝑓 𝑘(𝑦)
𝐶≡ 𝑓 𝑘
1𝑝 |𝐶|=poly (𝑛)
𝑝
Proof Idea – Zero Knowledge
𝑘←𝑈𝑛
𝑐=𝐶𝑜𝑚(𝑘)
𝑘𝑦=0𝑓 𝑘(𝑦)
Witness Indistinguishable proof
that or “knows”
SFE of 𝒱∗Non Black Box Simulator
𝑘
𝐶≡ 𝑓 𝑘 𝐸 𝑘𝒱∗
Simulation Running Time𝒱∗
Non Black Box Simulator
𝐶≡ 𝑓 𝑘 𝐸 𝑘
Simulation Running Time𝒱∗
Non Black Box Simulator
𝐶≡ 𝑓 𝑘 𝐸 𝑘
𝒫 𝒱𝑘←𝑈𝑛𝑐=𝐶𝑜𝑚(𝑘)
𝑘𝑦=0𝑓 𝑘(𝑦)
Witness Indistinguishable proof
that or “knows”
SFE of
Simulation Running Time
𝒫 𝒱𝑘←𝑈𝑛𝑐=𝐶𝑜𝑚(𝑘)
𝑘𝑦=0𝑓 𝑘(𝑦)
Witness Indistinguishable proof
that or “knows”
SFE of
Simulation Running Time
𝑘𝑦=0𝑓 𝑘(𝑦) SFE of
𝒱∗Non Black Box Simulator
𝐶≡ 𝑓 𝑘 𝐸 𝑘
Simulation Running Time
Comparison to [Barak 01]
# rounds
Assumptions
UsesPCP\UA
Trapdoor
Length
Public- Coin
Barak 01 O(1) CRHF Yes Long YesThis work
O(1) OT No Short No
One More Application
Simultaneously resettable ZK 𝒱∗
𝑥∈ℒ
𝒫𝒱𝒫∗𝑥∉ℒ
[BGGL 01]: Can a protocol be resettable ZK and resettably-sound simultaneously?
Simultaneously resettable ZK 𝒱∗
𝑥∈ℒ
𝒫𝒱𝒫∗𝑥∉ℒ
[Deng-Goyal-Sahai 09]: Yes!
Simultaneously resettable ZK
Resettably-sound ZK
Non-black-box simulation
Long trapdoor
Bounded concurrent ZK
Short trapdoor
Black-box simulation
Concurrent ZK
Resettable ZK
Simultaneously resettable ZK
Resettably-sound ZK
Non-black-box simulation
Short trapdoor
Black-box simulation
Concurrent ZK
Resettable ZK
𝒫 𝒱𝑘←𝑈𝑛𝑐=𝐶𝑜𝑚(𝑘)
𝑘𝑦=0𝑓 𝑘(𝑦)
Simultaneously Resettable Witness
Indistinguishable proof that or
“knows”
SFE of
Simultaneously resettable ZK
×𝑛 [Cho-Ostrovsky-Scafuro-Visconti 12]
?
