From the Impossibility of Obfuscation to a New Non-Black-Box Simulation Technique
Nir Bitansky and Omer Paneth
The Result
Assuming OT, there exists a resettably-sound ZK protocol.
(Previous constructions of resettably-sound ZK relied on CRHF.)
Zero-Knowledge Proofs
[Diagram: P, V; x ∈ L?; Zero Knowledge, Soundness]
Zero-Knowledge Proofs
[Diagram: V, P*, x ∉ L; Soundness]
Zero-Knowledge Proofs
[Diagram: P, V*, x ∈ L; Zero Knowledge]
Intuition: "knows" how to generate a proof itself!
We can efficiently extract a proof from
The Simulator
[Diagram: P with V*; Simulator with V*; accepting transcript]
Black-Box Simulator
[Diagram: Black-Box Simulator, V*]
Non-Black-Box Simulator
[Diagram: Non-Black-Box Simulator, V*]
Can Non-Black-Box Simulation really achieve more than Black-Box Simulation?
Black-Box vs. Non-Black-Box
Constant-round public-coin ZK (for NP, with negligible soundness error)
Black-Box Simulator: [Goldreich-Krawczyk 90]
Non-Black-Box Simulator: CRHF + PCP, Argument [Barak 01]
Not considering 3-round ZK from KEA [Hada-Tanaka 98, Bellare-Palacio 04]
Black-Box vs. Non-Black-Box
Constant-round public-coin ZK: GK90, B01
Resettably-sound ZK: BGGL01
Constant-round bounded-concurrent ZK and MPC: B01, PR03
Constant-round ZK with strict polynomial-time simulation\knowledge extraction: BL02
Simultaneously resettable ZK and MPC: DGS09, GM11
Constant-round covert MPC: GJ10
Constant-round public-coin parallel ZK: PRT11
Simultaneously resettable WI proof of knowledge: COSV12
Black Box Simulator
Non Black Box Simulator
Non-Black-Box Simulation
BGGL01, B01, PR03, BL02, DGS09, GS09, GM11, GJ10, PRT11, COSV12…
Barak 01
CRHF + PCP
Barak's ZK Protocol
The FLS paradigm: [Feige-Lapidot-Shamir 99]
[Diagram: P, V; Generation protocol for trapdoor]
Witness indistinguishable proof that or "knows"
A proof generated using a witness for and a proof generated using the trapdoor are indistinguishable
Barak's ZK Protocol
Q: Can we have a trapdoor generation protocol where is public-coin?
A: Not using black-box simulation.
A: (Barak 01) Yes! Trapdoor is the entire code of
Barak's ZK Protocol
Problem of "Long" Trapdoor
(Or: problem of "short" messages)
[Diagram: P, V]
Witness indistinguishable proof that or "knows"
is an arbitrary polynomial
Fixing the problem:
1. Use a Universal Argument: a succinct witness indistinguishable proof based on PCPs [Kilian 92, Barak-Goldreich 08]
2. Use a collision-resistant hash function to give a shrinking commitment to the trapdoor.
Non-Black-Box Simulation
BGGL01, B01, PR03, BL02, DGS09, GS09, GM11, GJ10, PRT11, COSV12…
Barak 01
CRHF + UA\PCP
Are Barak's techniques inherent in non-black-box simulation?
Can its applications be achieved without collision-resistant hashing and universal arguments?
Yes!
No!
Resettable Protocols
[Diagram: parties A and B]
Resettable ZK [Canetti-Goldreich-Goldwasser-Micali 00]
[Diagram: P, V*, x ∈ L]
Resettably-Sound ZK [Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]
[Diagram: V, P*, x ∉ L]
Resettably-Sound ZK [Barak-Goldreich-Goldwasser-Lindell 01, Goldreich-Krawczyk 90]
[Diagram: V, P, Black-Box Simulator; P* with V; V* with Black-Box Simulator]
Resettably-Sound ZK [Barak-Goldreich-Goldwasser-Lindell 01]
[Diagram: V, P, Non-Black-Box Simulator]
Using CRHF and UA
The Result
Assuming only OT, there exists a constant-round resettably-sound ZK protocol that does not make use of UA.
The Technique
A new non-black-box simulation technique from the Impossibility of Obfuscation
Program Obfuscation
is an obfuscation of a function family :
[Diagram: O, A, x]
Obfuscation and ZK
If we can obfuscate :
[Diagram: Black-Box Simulator, V*, Non-Black-Box Simulator, O(V*)]
Resettably-Sound ZK
Obfuscation and ZK
Assuming OWFs, there exists a family of functions that cannot be obfuscated. [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
Impossibility of obfuscation
Resettably-Sound ZK
"Easy"
Impossibility of obfuscation + OT
Resettably-Sound ZK
"Hard"
Unobfuscatable functions
[Diagram: A, E, C]
The Protocol
[Diagram: P, V; Com, y = 0]
Witness Indistinguishable proof that or "knows"
Secure function evaluation of where
Proof Idea - Resettable Soundness
[Diagram: P*, V; Com, y, SFE of]
Proof Idea - Zero Knowledge
[Diagram: V*, Non-Black-Box Simulator; C ≡, E]
Proof Idea - Zero Knowledge
[Diagram: V*, Non-Black-Box Simulator; C ≡, E; Com, y, SFE of]
Proof Idea - Zero Knowledge
[Diagram: V*; C ≡, Com, y, ⊥, SFE of]
[Equation: C(y) is a function value on y with some probability and ⊥ with the complementary probability]
Proof Idea - Zero Knowledge
[Diagram: several copies of V* (C′ ≡), input y, outputs ⊥ or a function value on y, …; C ≡]
Proof Idea - Zero Knowledge
[Diagram: the protocol (Com, y = 0, SFE of) with V* and the Non-Black-Box Simulator; C ≡, E]
Witness Indistinguishable proof that or "knows"
The SFE Protocol
[Diagram: SFE of, run with V* (C ≡, Com, y) and with P* and V (Com, y)]
How to instantiate this box?
The SFE Protocol
[Diagram: P, V; Semi-honest SFE of, y; ZK proof of knowledge (twice)]
The SFE Protocol
[Diagram: P, V; Semi-honest SFE of, y; Resettably-sound ZK POK; Resettable ZK POK]
Based on resettably-sound ZK [BGGL01, GS09]
The SFE Protocol
[Diagram: SFE of, run with V* and with P* and V; labels x ∈ L, x ∉ L]
Instance-dependent SFE of
ZK
Resettable POK
POK Resettable ZK
+ Strongly unobfuscatable functions
Instance-dependent SFE
[Diagram: P, V; x ∈ L, x ∉ L; POK Resettable ZK; WI; Com, Com_x]
Simulation Running Time
[Diagram: V*, Non-Black-Box Simulator; C ≡, E]
Simulation Running Time
[Diagram: several copies of V* (C′ ≡), input y, outputs ⊥ or a function value on y, …; C ≡; |C| = poly]
Simulation Running Time
[Diagram: the protocol between P and V (Com, y = 0, SFE of) beside V* and the Non-Black-Box Simulator; C ≡, E]
Witness Indistinguishable proof that or "knows"
Comparison to [Barak 01]
            # rounds   Assumptions   Uses PCP\UA   Trapdoor Length   Public-Coin
Barak 01    O(1)       CRHF          Yes           Long              Yes
This work   O(1)       OT            No            Short             No
One More Application
Simultaneously resettable ZK
[Diagram: V*, x ∈ L, P; V, P*, x ∉ L]
[BGGL 01]: Can a protocol be resettable ZK and resettably-sound simultaneously?
[Deng-Goyal-Sahai 09]: Yes!
Simultaneously resettable ZK
Resettably-sound ZK
Non-black-box simulation
Long trapdoor
Bounded concurrent ZK
Short trapdoor
Black-box simulation
Concurrent ZK
Resettable ZK
Simultaneously resettable ZK
Resettably-sound ZK
Non-black-box simulation
Short trapdoor
Black-box simulation
Concurrent ZK
Resettable ZK
Simultaneously resettable ZK
[Diagram: P, V; Com, y = 0, SFE of]
Simultaneously Resettable Witness Indistinguishable proof that or "knows"
ร๐ [Cho-Ostrovsky-Scafuro-Visconti 12]
?