From the Impossibility of

Obfuscation to

a New Non-Black-Box Simulation Technique

Nir Bitansky and Omer Paneth

Assuming OT there exist a

resettably-sound ZK protocol

The Result

(Previous constructions of resettably-sound ZK relied on CRHF)

Zero-Knowledge Proofs 𝒫 𝒱𝑥∈ℒ?

Zero Knowledg

eSoundness

Zero-Knowledge Proofs 𝒱𝑥∉ℒ𝒫∗

Soundness

Zero-Knowledge Proofs 𝒫 𝑥∈ℒ 𝒱∗

Zero Knowledg

e

“knows” how to generate a proof itself!Intuition:

We can efficiently extract a proof from

𝒫 𝒱∗

Simulator

The Simulator

𝒱∗

Accepting transcript:

Simulator

𝒫 𝒱∗

The Simulator

𝒱∗≈

Black Box Simulator

Black-Box Simulator𝒱∗

Non-Black-Box Simulator

𝒱∗ Non Black Box Simulator

Can Non-Black-Box

Simulation really achieve more than

Black-Box Simulation?

Black-Box vs. Non-Black-Box

Black-Box vs. Non-Black-Box

Constant-round public-coin ZK(for NP, with negligible soundness error)

Black Box Simulator

Non Black Box

Simulator

CRHF + PCPArgument

[Goldreich-Krawczyk 90] [Barak 01]

Not considering 3-round ZK from KEA[Hada-Tanaka 98, Bellare-Palacio 04]

Black-Box vs. Non-Black-Box

Constant-round public-coin ZK GK90,B01Resettably-sound ZK BGGL01Constant-round bounded-concurrent ZK and MPC B01,PR03Constant-round ZK with strict polynomial-time simulation\knowledge extraction

BL02

Simultaneously resettable ZK and MPC DGS09,GM11Constant-round covert MPC GJ10Constant-round public-coin parallel ZK PRT11Simultaneously resettable WI proof of knowledge COSV12

Black Box Simulator

Non Black Box

Simulator

Non-Black-Box Simulation

BGGL01,B01,PR03,BL02,DGS9,GS09,

GM11,GJ10,PRT11,COSV12…

Barak 01Barak 01

Non-Black-Box Simulation

BGGL01,B01,PR03,BL02,DGS9,GS09,

GM11,GJ10,PRT11,COSV12…

Barak 01

CRHF + PCP

Barak’s ZK Protocol 𝒫 𝒱Generation protocol for

trapdoor

Witness indistinguishable proof

that or “knows”

The FLS paradigm: [Feige-Lapidot-Shamir 99]

Barak’s ZK Protocol 𝒫 𝒱Generation protocol for

trapdoor

Witness indistinguishable proof

that or “knows”

The FLS paradigm: [Feige-Lapidot-Shamir 99]

A proof generated using a witness for and a proof generated using the

trapdoor are indistinguishable

Barak’s ZK Protocol

Q: Can we have a trapdoor generation protocol where is public-coin?

A: Not using black-box simulation.

Barak’s ZK Protocol

Q: Can we have a trapdoor generation protocol where is public-coin?

A: (Barak 01) Yes! Trapdoor is the entire code of

Problem of “Long” Trapdoor𝒫 𝒱Witness

indistinguishable proof that or

“knows”

(Or: problem of “short” messages)

is an arbitrary polynomial

Fixing the problem:

1. Use a Universal Argument – a succinct witness indistinguishable proofbased on PCPs [kilian 92, Barak-Goldreich 08]

2. Use a collision-resistant hash function to give a shrinking commitment to trapdoor.

Barak’s ZK Protocol

Non-Black-Box Simulation

BGGL01,B01,PR03,BL02,DGS9,GS09,

GM11,GJ10,PRT11,COSV12…

Barak 01

CRHF + UA\PCP

Are Barak’s techniques inherent in non-black-box

simulation?

Can its applications be achieved without collision-

resistant hashing and universal arguments?

Yes!

No!

Resettable Protocols

𝐴 𝐵

𝐴Resettable Protocols

𝐴 𝐵

Resettable Protocols

𝐵𝐴

Resettable ZK 𝒱∗

𝑥∈ℒ

[Canetti-Goldreich-Goldwasser-Micali 00]

𝒫

Resettably-Sound ZK

𝒱𝒫∗𝑥∉ℒ

[Micali-Reyzin 01,Barak-Goldreich-Goldwasser-Lindell 01]

Resettably-Sound ZK[Barak-Goldreich-Goldwasser-Lindell01, Goldreich-Krawczyk 90]

𝒱𝒫 Black Box Simulator

Resettably-Sound ZK𝒫∗ 𝒱

𝒱

Black Box Simulator

𝒱∗

Black Box Simulator

Resettably-Sound ZK[Barak-Goldreich-Goldwasser-Lindell 01]

𝒱𝒫 Non Black Box Simulator

Using CRHF and UA

Assuming only OT there exist a constant-round resettably-sound ZK protocol that does not make

use of UA.

The Result

A new non-black-box simulation technique from the Impossibility of

Obfuscation

The Technique

Program Obfuscation

is an obfuscation of a function family :

𝑥

Π k𝑘𝑓 𝑘(𝑥)

𝒪 𝐴𝑓 𝑘

𝐴Π k

≈

Obfuscation and ZK

If we can obfuscate :

Black Box Simulator

𝒱∗Non Black

Box Simulator𝒪(𝒱∗)

Resettably-Sound ZK

Obfuscation and ZKAssuming OWFs, there exist a family of functions that can not be obfuscated.[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Impossibility of obfuscation

Resettably-Sound ZK

“Easy”

Obfuscation and ZKAssuming OWFs, there exist a family of functions that can not be obfuscated.[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]

Impossibility of obfuscation + OT

Resettably-Sound ZK

“Hard”

Unobfuscatable functions

𝐴𝑓 𝑘

𝑘

𝐸𝐶 𝑘

:

:

The Protocol𝒫 𝒱𝑘←𝑈𝑛

𝑐=𝐶𝑜𝑚(𝑘)

𝑘𝑦=0

𝑓 𝑘(𝑦)

Witness Indistinguishable proof

that or “knows”

Secure function evaluation of

where

𝑐 𝑑

Proof Idea - Resettable Soundness

𝑘←𝑈𝑛

𝑐=𝐶𝑜𝑚(𝑘)

𝑘𝑦𝑓 𝑘(𝑦) SFE of 𝒫∗

𝒫∗𝑓 𝑘

𝑘

𝒱

Proof Idea – Zero Knowledge

𝒱∗Non Black Box Simulator

𝐶≡ 𝑓 𝑘 𝐸 𝑘

Proof Idea – Zero Knowledge 𝒱∗

𝐶≡ 𝑓 𝑘𝑐=𝐶𝑜𝑚(𝑘)

𝑘𝑦𝑓 𝑘(𝑦) SFE of

𝒱∗Non Black Box Simulator

𝐶≡ 𝑓 𝑘 𝐸 𝑘

Proof Idea – Zero Knowledge

𝐶≡ 𝑓 𝑘𝑐=𝐶𝑜𝑚(𝑘)

⊥𝑦⊥ SFE of

𝐶 (𝑦 )={ 𝑓 𝑘 ( 𝑦 )⊥

w .p . w .p .

𝑝1−𝑝

𝒱∗

Proof Idea – Zero Knowledge

𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿𝑦 𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿

…

𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿

𝑓 𝑘(𝑦)⊥

⊥

𝑓 𝑘(𝑦)

𝐶≡ 𝑓 𝑘

1𝑝

Proof Idea – Zero Knowledge

𝑘←𝑈𝑛

𝑐=𝐶𝑜𝑚(𝑘)

𝑘𝑦=0𝑓 𝑘(𝑦)

Witness Indistinguishable proof

that or “knows”

SFE of 𝒱∗Non Black Box Simulator

𝑘

𝐶≡ 𝑓 𝑘 𝐸 𝑘𝒱∗

𝑘

The SFE Protocol

𝐶≡ 𝑓 𝑘𝑐=𝐶𝑜𝑚(𝑘)

𝑘𝑦𝑓 𝑘(𝑦) SFE of 𝒱∗

𝒫∗ 𝑐=𝐶𝑜𝑚(𝑘)

𝑦𝑓 𝑘(𝑦) SFE of

𝒱 𝒫∗𝑓 𝑘

How to instantiate this box?

How to instantiate this

box?

The SFE Protocol

𝑘𝑦

𝑓 𝑘(𝑦)

Semi-honest SFE of 𝒫 𝒱ZK proof of knowledge

ZK proof of knowledge 𝒱

The SFE Protocol

𝑘𝑦

𝑓 𝑘(𝑦)

Semi-honest SFE of 𝒫 𝒱ZK proof of knowledge

ZK proof of knowledge

The SFE Protocol

𝑘𝑦

𝑓 𝑘(𝑦)

Semi-honest SFE of 𝒫 𝒱Resettably-sound ZK POK

Resettable ZK POK

Based on resettably-sound ZK [BGGL01,GS09]

𝑘

The SFE Protocol

𝐶≡ 𝑓 𝑘𝑐=𝐶𝑜𝑚(𝑘)

𝑘𝑦𝑓 𝑘(𝑦) SFE of 𝒱∗

𝒫∗ 𝑐=𝐶𝑜𝑚(𝑘)

𝑦𝑓 𝑘(𝑦) SFE of

𝒱 𝒫∗𝑓 𝑘

𝑥∉ℒ𝑥∈ℒ

Instance-dependent

SFEof

ZK

𝑥∉ℒ𝑥∈ℒ

Resettable POK

POK Resettable ZK

+ Strongly unobfuscatable functions

Instance-dependent

SFE

𝑥∉ℒ𝑥∈ℒPOK Resettable ZK

𝐵1

𝐵3𝑟 𝒱𝒫 𝒫𝑊𝐼𝒱𝑊𝐼

WI

Instance-dependent

SFE

𝑥∉ℒ𝑥∈ℒPOK Resettable ZK

Com(𝑟 )𝐵1

𝐵3𝑟 𝒱𝒫 𝒫𝑊𝐼𝒱𝑊𝐼

Instance-dependent

SFE

𝑥∉ℒ𝑥∈ℒPOK Resettable ZK

Com𝑥(𝑟 )

𝒱𝒫 𝐵1𝐵3𝑟 𝒫𝑊𝐼𝒱𝑊𝐼

Simulation Running Time

𝒱∗Non Black Box Simulator

𝐶≡ 𝑓 𝑘 𝐸 𝑘

Simulation Running Time

𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿𝑦 𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿

…𝒱∗𝐶 ′ ≡ 𝑓 𝑘¿

𝑓 𝑘(𝑦)⊥

⊥

𝑓 𝑘(𝑦)

𝐶≡ 𝑓 𝑘

1𝑝 |𝐶|=poly (𝑛)

𝑝

Proof Idea – Zero Knowledge

𝑘←𝑈𝑛

𝑐=𝐶𝑜𝑚(𝑘)

𝑘𝑦=0𝑓 𝑘(𝑦)

Witness Indistinguishable proof

that or “knows”

SFE of 𝒱∗Non Black Box Simulator

𝑘

𝐶≡ 𝑓 𝑘 𝐸 𝑘𝒱∗

Simulation Running Time𝒱∗

Non Black Box Simulator

𝐶≡ 𝑓 𝑘 𝐸 𝑘

Simulation Running Time𝒱∗

Non Black Box Simulator

𝐶≡ 𝑓 𝑘 𝐸 𝑘

𝒫 𝒱𝑘←𝑈𝑛𝑐=𝐶𝑜𝑚(𝑘)

𝑘𝑦=0𝑓 𝑘(𝑦)

Witness Indistinguishable proof

that or “knows”

SFE of

Simulation Running Time

𝒫 𝒱𝑘←𝑈𝑛𝑐=𝐶𝑜𝑚(𝑘)

𝑘𝑦=0𝑓 𝑘(𝑦)

Witness Indistinguishable proof

that or “knows”

SFE of

Simulation Running Time

𝑘𝑦=0𝑓 𝑘(𝑦) SFE of

𝒱∗Non Black Box Simulator

𝐶≡ 𝑓 𝑘 𝐸 𝑘

Simulation Running Time

Comparison to [Barak 01]

# rounds

Assumptions

UsesPCP\UA

Trapdoor

Length

Public- Coin

Barak 01 O(1) CRHF Yes Long YesThis work

O(1) OT No Short No

One More Application

Simultaneously resettable ZK 𝒱∗

𝑥∈ℒ

𝒫𝒱𝒫∗𝑥∉ℒ

[BGGL 01]: Can a protocol be resettable ZK and resettably-sound simultaneously?

Simultaneously resettable ZK 𝒱∗

𝑥∈ℒ

𝒫𝒱𝒫∗𝑥∉ℒ

[Deng-Goyal-Sahai 09]: Yes!

Simultaneously resettable ZK

Resettably-sound ZK

Non-black-box simulation

Long trapdoor

Bounded concurrent ZK

Short trapdoor

Black-box simulation

Concurrent ZK

Resettable ZK

Simultaneously resettable ZK

Resettably-sound ZK

Non-black-box simulation

Short trapdoor

Black-box simulation

Concurrent ZK

Resettable ZK

𝒫 𝒱𝑘←𝑈𝑛𝑐=𝐶𝑜𝑚(𝑘)

𝑘𝑦=0𝑓 𝑘(𝑦)

Simultaneously Resettable Witness

Indistinguishable proof that or

“knows”

SFE of

Simultaneously resettable ZK

×𝑛 [Cho-Ostrovsky-Scafuro-Visconti 12]

?