Characterizing Deterministic- Prover Zero Knowledge Nir Bitansky Arka Rai Choudhuri Tel Aviv University Johns Hopkins University
Zero Knowledge [Goldwasser-Micali- Rackoffβ85] $ $ $ $ $ $ Prover (π¦, π₯) Verifier (π¦)
Zero Knowledge [Goldwasser-Micali- Rackoffβ85] $ $ $ $ $ $ Prover (π¦, π₯) Verifier (π¦) Completeness: βπ¦ β β , verifier accepts. (Computational) Soundness Zero Knowledge
Zero Knowledge [Goldwasser-Micali- Rackoffβ85] $ $ $ $ $ $ Prover (π¦, π₯) Verifier (π¦) Completeness (Computational) Soundness: βπ¦ β β , no PPT prover can make the verifier accept. Zero Knowledge
Zero Knowledge [Goldwasser-Micali- Rackoffβ85] $ $ $ $ $ $ Prover (π¦, π₯) Verifier (π¦) Completeness (Computational) Soundness Zero Knowledge: β Verifiers β Simulator
Zero Knowledge [Goldwasser-Micali- Rackoffβ85] $ $ $ $ $ $ Prover (π¦, π₯) Verifier (π¦) Completeness (Computational) Soundness Zero Knowledge: β Verifiers β Simulator $ $ $ $ $ $ Prover (π¦, π₯) Verifierβs view in an execution with the prover
Zero Knowledge [Goldwasser-Micali- Rackoffβ85] $ $ $ $ $ $ Prover (π¦, π₯) Verifier (π¦) Completeness (Computational) Soundness Zero Knowledge: β Verifiers β Simulator $ $ $ $ $ $ Verifierβs view in an execution with the prover
Zero Knowledge [Goldwasser-Micali- Rackoffβ85] $ $ $ $ $ $ Prover (π¦, π₯) Verifier (π¦) Completeness (Computational) Soundness Zero Knowledge: β Verifiers β Simulator $ $ $ $ $ $ $ $ $ $ $ $ β Verifierβs view in an execution with the prover Simulatorβs output on input π¦
Many Flavors of Zero-Knowledge (ZK) β Verifier β Simulator β View (π¦) GMR ZK
Many Flavors of Zero-Knowledge (ZK) β Verifier β Verifier β Simulator β Simulator β aux-IP π¨ β 0,1 β β β View View (π¦, π¨) (π¦) GMR ZK Auxiliary-input ZK
Many Flavors of Zero-Knowledge (ZK) β Verifier β Verifier β Simulator β Simulator β Simulator β Verifier β aux-IP π¨ β 0,1 β β β β View View View (π¦, π¨) (π¦) (π¦) GMR ZK Auxiliary-input ZK Black-box ZK
Deterministic Prover Zero Knowledge (DPZK) Deterministic Prover (π¦, π₯) Verifier (π¦)
Deterministic Prover Zero Knowledge (DPZK) Deterministic Prover (π¦, π₯) Verifier (π¦) Is prover randomness essential for zero knowledge?
Limitations of DPZK [Golreich- Orenβ94] β Verifier β Verifier β Simulator β Simulator β Simulator β Verifier β aux-IP π¨ β 0,1 β β β β View View View (π¦, π¨) (π¦) (π¦) GMR ZK Auxiliary-input ZK Black-box ZK
Limitations of DPZK [Golreich- Orenβ94] β Verifier β Verifier β Simulator β Simulator β Simulator β Verifier β aux-IP π¨ β 0,1 β β β β View View View (π¦, π¨) (π¦) (π¦) GMR ZK Auxiliary-input ZK Black-box ZK Impossible for non-trivial languages.
Prior Work [Faonio-Nielsen- Venturiβ17] Witness encryption for β βΉ Honest-verifier DPZK for β Hash proof system for β βΉ Honest-verifier DPZK proofs for β [Dahari- Lindellβ20] Doubly enhanced injective OWFs βΉ Honest-verifier DPZK proofs for NP Inefficient honest prover. Malicious-verifier DPZK for languages that have an entropy guarantee from witnesses.
Prior Work [Faonio-Nielsen- Venturiβ17] Witness encryption for β βΉ Honest-verifier DPZK for β Hash proof system for β βΉ Honest-verifier DPZK proofs for β [Dahari- Lindellβ20] Doubly enhanced injective OWFs βΉ Honest-verifier DPZK proofs for NP Inefficient honest prover. Malicious-verifier DPZK for languages that have an entropy guarantee from witnesses.
Our Results β Verifier β Verifier β Simulator β Simulator β Simulator β Verifier β aux-IP π¨ β 0,1 β β β β View View View (π¦, π¨) (π¦) (π¦) GMR ZK Auxiliary-input ZK Black-box ZK Impossible for non-trivial languages.
Our Results β Verifier β Verifier β Verifier β Simulator β Simulator β Simulator β Simulator β Verifier β aux-IP π¨ β 0,1 π β aux-IP π¨ β 0,1 β β β β β View View View (π¦, π¨) (π¦, π¨) View (π¦) (π¦) GMR ZK π -Bounded auxiliary-input ZK Auxiliary-input ZK Black-box ZK Impossible for non-trivial languages.
Our Results β Verifier β Verifier β Verifier β Simulator β Simulator β Simulator β Simulator β Verifier β aux-IP π¨ β 0,1 π β aux-IP π¨ β 0,1 β β β β β View View View (π¦, π¨) (π¦, π¨) View (π¦) (π¦) GMR ZK π -Bounded auxiliary-input ZK Auxiliary-input ZK Black-box ZK Impossible for non-trivial languages.
Our Results Assuming NIWIs + sub-exponentially secure iO + OWF, there exist two message DPZK arguments for NP β© coNP against bounded auxiliary-input verifiers. Also assuming sub-exponentially secure keyless CRHF, there exist two message DPZK arguments for all of NP against bounded auxiliary-input verifiers.
Our Results Assuming NIWIs + sub-exponentially secure iO + OWF, there exist two message DPZK arguments for NP β© coNP against bounded auxiliary-input verifiers. Also assuming sub-exponentially secure keyless CRHF, there exist two message DPZK arguments for all of NP against bounded auxiliary-input verifiers. Any DPZK argument for a language β implies a witness encryption for β .
Two Message DPZK Arguments
Honest Verifier DPZK [Faonio-Nielsen- Venturiβ17]
Honest Verifier DPZK [Faonio-Nielsen- Venturiβ17] Witness Encryption for β Deterministic Decryption π¦ π₯ WE.Enc WE.Dec π/β₯ ct π¦,π π ct π¦,π
Honest Verifier DPZK [Faonio-Nielsen- Venturiβ17] Witness Encryption for β Deterministic Decryption π¦ π₯ WE.Enc WE.Dec π/β₯ ct π¦,π π ct π¦,π For π¦, π₯ β Rel β π₯ WE.Dec π ct π¦,π Correctness
Honest Verifier DPZK [Faonio-Nielsen- Venturiβ17] Witness Encryption for β Deterministic Decryption π¦ π₯ WE.Enc WE.Dec π/β₯ ct π¦,π π ct π¦,π For π¦, π₯ β Rel β For π¦ β β π₯ β WE.Dec π ct π¦,0 ct π¦,1 ct π¦,π Correctness Security
Honest Verifier DPZK [Faonio-Nielsen- Venturiβ17]
Honest Verifier DPZK [Faonio-Nielsen- Venturiβ17] Deterministic Prover (π¦, π₯) Verifier (π¦) π£ β΅ 0,1 π ct π¦,π£ β΅ WE.Enc π¦ (π£) ct π¦,π£
Honest Verifier DPZK [Faonio-Nielsen- Venturiβ17] Deterministic Prover (π¦, π₯) Verifier (π¦) π£ β΅ 0,1 π ct π¦,π£ β΅ WE.Enc π¦ (π£) ct π¦,π£ π£ β WE.Dec (ct π¦,π£ , π₯) ΰ·€ π£ ΰ·€ Output 1 iff π£ = ΰ·€ π£
Honest Verifier DPZK [Faonio-Nielsen- Venturiβ17] Deterministic Prover (π¦, π₯) Verifier (π¦) π£ β΅ 0,1 π ct π¦,π£ β΅ WE.Enc π¦ (π£) ct π¦,π£ π£ β WE.Dec (ct π¦,π£ , π₯) ΰ·€ π£ ΰ·€ Output 1 iff π£ = ΰ·€ π£ Completeness: From correctness of WE.
Honest Verifier DPZK [Faonio-Nielsen- Venturiβ17] Cheating Prover (π¦) Verifier (π¦) π£ β΅ 0,1 π ct π¦,π£ β΅ WE.Enc π¦ (π£) ct π¦,π£ π£ ΰ·€ Output 1 iff π£ = ΰ·€ π£ Completeness Soundness: From WE security when π¦ β β
Honest Verifier DPZK [Faonio-Nielsen- Venturiβ17] Cheating Prover (π¦) Verifier (π¦) π£ β΅ 0,1 π ct π¦,π£ β΅ WE.Enc π¦ (π£) ct π¦,0 ? Output 1 iff π£ = ΰ·€ π£ Completeness Soundness: From WE security when π¦ β β
Honest Verifier DPZK [Faonio-Nielsen- Venturiβ17] Simulator (π¦) Verifier (π¦) π£ β΅ 0,1 π ct π¦,π£ β΅ WE.Enc π¦ (π£) ct π¦,π£ π£ ΰ·€ Output 1 iff π£ = ΰ·€ π£ Completeness Soundness Honest Verifier Zero Knowledge: Simulator knows π£
Explainable Verifier DPZK There exist honest verifier coins that explains verifier messages as honest messages. Explainable Verifier Unlike related notion of semi-malicious adversaries, these coins may be hard to find.
Explainable Verifier DPZK There exist honest verifier coins that explains verifier messages as honest messages. Explainable Verifier Unlike related notion of semi-malicious adversaries, these coins may be hard to find. Simulator no longer βknowsββ the message that an explainable verifier encrypts via the Witness Encryption. Aux-I/P DPZK for explainable verifiers also ruled out by [Goldreich- Orenβ94]
Explainable Verifier DPZK There exist honest verifier coins that explains verifier messages as honest messages. Explainable Verifier Unlike related notion of semi-malicious adversaries, these coins may be hard to find. Simulator no longer βknowsββ the message that an explainable verifier encrypts via the Witness Encryption. Aux-I/P DPZK for explainable verifiers also ruled out by [Goldreich- Orenβ94] Idea: Use additional trapdoor statement that only the simulator can use.
Explainable Verifier DPZK size β€ π includes auxiliary input Deterministic Prover (π¦, π₯) Verifier (π¦) π£ β΅ 0,1 π ct π¦,π£ β΅ WE.Enc π¦ (π£) ΰ·₯ ct π¦,π£ ct π,π£ π π£ β WE.Dec (ct π¦,π£ , π₯) ΰ·€ π£ ΰ·€ Output 1 iff π£ = ΰ·€ π£
Recommend
More recommend
