Distinguisher-Dependent Simulation
Dakshita Khurana
Joint work with Abhishek Jain, Yael Kalai and Ron Rothblum
Interactive Proofs for NP
Interactive Proof (GMR85, Babai85): the prover P, holding (x, w), convinces the verifier V that x ∈ L; V outputs accept.
Security Against Malicious Provers
Soundness: if x ∉ L, then for any cheating prover P*, V rejects.
Security Against Malicious Verifiers
A malicious verifier V* shouldn't learn the witness w. Notions:
- Zero-Knowledge (GMR85)
- Distributional Zero-Knowledge (Goldreich93)
- Weak Zero-Knowledge (DNRS99)
- Witness Hiding (FS90)
- Witness Indistinguishability (FS90)
- Strong Witness Indistinguishability (Goldreich93)
Zero-Knowledge
∀ x ∈ L, ∀ V*, ∃ Sim: the view of V* interacting with P(x, w) ≈ Sim(x).
Distributional Zero-Knowledge
∀ efficiently sampleable (X, W), ∀ V*, ∃ Sim: for (x, w) ∼ (X, W), the view of V* interacting with P(x, w) ≈ Sim(x), over the randomness of x.
- Sim can sample other (x', w') ∼ (X, W), but must simulate the proof for the external x without w.
Weak Zero-Knowledge
Sim gets to observe the output of the distinguisher D.
∀ V*, ∀ D, ∃ Sim: | Pr[D = 1 | Real] − Pr[D = 1 | Ideal] | ≤ negl.
Witness Hiding
∀ efficiently sampleable (X, W) with hard-to-find witnesses, for (x, w) ∼ (X, W): V* interacting with P(x, w) cannot output a witness for x.
Witness Indistinguishability
For (x, w1) and (x, w2): V* cannot distinguish an interaction with P(x, w1) from an interaction with P(x, w2).
Strong Witness Indistinguishability
For (x1, w1) and (x2, w2) with x1 ≈ x2 (indistinguishable instance distributions): V* cannot distinguish an interaction with P(x1, w1) from an interaction with P(x2, w2).
Round Complexity Timeline
Impossibilities:
- 2 round ZK (GO94)
- 2 round weak ZK, 2 round distributional ZK (GO94)
- 3 round black-box ZK (GK92)
- 3 round black-box public-coin witness hiding (HRS09)
Known constructions:
- 5 round ZK proofs (GK96)
- 4 round ZK arguments (FS90, BJY97)
- 4 round witness hiding (FS90)
- 3 round ZK via non-standard assumptions (HT98, LM01, BP04, CD08, GLR12, BP13, BBKPV16, BKP17)
- 3 round witness indistinguishability (GMR85, Blum86, FS90)
- 1 & 2 round WI (DN00, BOV03, GOS06, BP15)
Open: the round complexity of strong WI and witness hiding. Can we do better than WI in 2 rounds? Or even 3 rounds?
Overcoming Barriers
Distributional Protocols
- Prover samples the instance x from some distribution: (x, w) ∼ (X, W), and sends x to V.
Why should we care?
- ZK proofs are used to prove correctness of cryptographic computation.
- Almost always, instances are chosen from some distribution.
- Strong WI and WH are, by definition, distributional notions.
Distributional Protocols
- Prover samples the instance x from some distribution: (x, w) ∼ (X, W).
- Useful in secure computation: [KO05, GLOV14, COSV16]; specific 2 & 3 round protocols: [KS17, K17, ACJ17]; our paper: extractable commitments, 3 round 2PC.
- In 2 round protocols, P sends x together with the proof.
- Adaptive soundness: P* samples x after V's message.
- We will restrict to delayed-input protocols: the cheating verifier cannot choose its first message depending on x.
Distributional Protocols, Delayed-Input
- Prover samples the instance x from some distribution: (x, w) ∼ (X, W).
- Simulate the view of a malicious V* when V* is committed to its 1st message before P reveals the instance x?
- Distributional privacy for delayed-input statements.
- Get around the negative results!
Our Results
Assuming quasi-polynomial DDH, QR or N-th residuosity, we get:
- 2 round arguments in the delayed-input setting with distributional weak ZK, witness hiding, and strong witness indistinguishability (Sim depends on the distinguisher).
- 2 round WI arguments [concurrent work: BGISW17]; previously from trapdoor permutations (DN00), bilinear maps (GOS06), or iO (BP15).
- 3 round protocols from polynomial hardness + applications.
New Technique: Black-box Simulation in 2 Rounds
Kalai-Raz (KR09) Transform
PIR scheme + (1) interactive proof → (2) 2-message argument: V sends its challenge as a PIR query, and P answers in a single message.
- KR09: Assuming quasi-polynomially secure PIR, (2) is sound against adaptive PPT P*.
- Our goal: 2 message arguments for NP with privacy.
- Apply the KR09 transform to the three round proof of Blum86.
Blum Protocol for Graph Hamiltonicity
Graph G, Hamiltonian cycle H, random permutation π.
- P → V: Com(π(G)), Com(π)
- V → P: e = 0 or e = 1
- P → V: if e = 0, Open(π(G)) and Open(π); if e = 1, Open only the edges of H in π(G).
- Honest verifier zero-knowledge: a Sim that knows e can simulate.
- Repeat in parallel to amplify soundness. Preserves honest verifier ZK.
KR09 transform on Blum
Graph G, Hamiltonian cycle H, permutation π.
- V → P: PIR query encoding e = 0 or e = 1
- P → V: Com(π(G)), Com(π), and a PIR answer containing Open(π(G)), Open(π) for e = 0, OR Open of the edges of H in π(G) for e = 1.
- Remains honest verifier zero-knowledge.
- What if a malicious V* sends a malformed query that doesn't encode any bit?
- Prevent this by using a special PIR scheme.
2-Message Oblivious Transfer
Receiver R has choice bit b, sender S has (m0, m1).
- R → S: q = OT1(b)
- S → R: OT2(q, m0, m1); R obtains m_b.
Known constructions from DDH (NP01), Quadratic Residuosity and N-th Residuosity (HK05).
- S cannot guess b.
- R cannot distinguish OT2(m0, m1) from OT2(m0, m0) when b = 0, OR from OT2(m1, m1) when b = 1.
- Every string q corresponds to OT1(b) for some bit b.
Kalai-Raz Transform on Blum using OT
(1) Blum proof (N parallel repetitions): P sends {a_i}, V sends challenges {e_i}, P sends answers {z_{i,e_i}}, for i ∈ [N].
(2) Argument: V sends {q_i = OT1(e_i)}; P sends {a_i} and OT2(q_i, z_{i,0}, z_{i,1}) for i ∈ [N]; V recovers {z_{i,e_i}}.
- KR09: (2) remains sound against PPT provers, even if they choose x adaptively.
- What about privacy?
Kalai-Raz Transform on Blum
Real world: V* sends {q_i}; P replies with {a_i}, (OT2(q_i, z_{i,0}, z_{i,1}))_{i ∈ [N]}. Ideal world: Sim replies to V* in place of P.
- Every message sent by V* corresponds to an encryption of some {e_i}_{i ∈ [N]}.
- If Sim knew {e_i}, then it would be easy to simulate (by HVZK). Polynomial simulation??
- Privacy via super-polynomial simulation: Sim breaks the encryption to find the e_i [BGISW17].
Rely on the Distinguisher to find e
Real world: P interacts with V*, and the distinguisher D sees the view. Ideal world: Sim interacts with V*, and the same D sees the simulated view.
Simplify: single parallel execution
Real world: V* sends q; P replies with a, (z_0, z_1) inside the OT response. Ideal world: Sim must reply to q without the witness. Unclear how to simulate!
Simplify: single parallel execution
Real world: P sends a, (z_0, z_1). Ideal world: Sim sends a, junk! Can D tell the difference?
- Suppose NOT: e.g., D doesn't know the randomness for q.
- Then the OT response is already computationally hiding from D, and Sim can easily sample a, junk!
Simplify: single parallel execution
Real world: P sends a, (z_0, z_1). Ideal world: Sim sends a, junk! Can D tell the difference?
- Suppose YES: e.g., D knows the randomness for q.
- Sim can't just sample a, junk: it will be distinguishable!
- Sim will use D to extract e!
Recall: Distributional Simulation
Ideal world: Sim interacts with V* and may send proofs for other instances x' (with their OT responses (z_0, z_1)) to D.
- Recall: we want a simulator for x ∼ X which generates a proof without the witness.
- However, Sim can sample other (x', w') ∼ (X, W) from the same distribution.
- Sim can also sample proofs for these other (x', w') ∼ (X, W).
Main Simulation Technique
Sim samples (x', w') and generates honest proofs for x', sending V* the OT response with (z_0, z_1), with (z_0, junk), or with (junk, z_1), and runs D on each.
- Checks if D's output on (z_0, junk) ≈ its output on (z_0, z_1).
- Or, if D's output on (junk, z_1) ≈ its output on (z_0, z_1).
- Use this to extract e.
Polynomial Simulation
Simulate the proof for the external x without w: the simulator rewinds the distinguisher on proofs for sampled (x', w') to learn the OT challenge e, then simulates x using HVZK.
- The technique extends to extracting {e_i}_{i ∈ [N]} from the parallel repetition.
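Added example (not code from the paper or talk) modelling the simulator of the last two slides for a single parallel execution. Assumptions: Schnorr's Σ-protocol with a 1-bit challenge over a toy group stands in for Blum's Hamiltonicity protocol; the OT is modelled by a closure so that Sim never reads V*'s choice bit; the distinguisher D is V*'s own verification check, which holds V*'s OT randomness (the "Suppose YES" case).

```python
import secrets
P, Q, G = 23, 11, 4                    # toy group: G has prime order Q modulo P

def sample_instance():                  # (x, w) ~ (X, W): x = G^w, witness w
    w = secrets.randbelow(Q)
    return pow(G, w, P), w

def sigma_first(w):                     # first Sigma message a = G^r
    r = secrets.randbelow(Q)
    return pow(G, r, P), r
def sigma_answer(w, r, e):              # answer z = r + e*w for 1-bit challenge e
    return (r + e * w) % Q
def sigma_verify(x, a, e, z):           # accept iff G^z == a * x^e
    return z is not None and pow(G, z, P) == a * pow(x, e, P) % P
def hvzk_sim(x, e):                     # honest-verifier ZK: pick z, solve for a
    z = secrets.randbelow(Q)
    return pow(G, z, P) * pow(pow(x, e, P), -1, P) % P, z

def ot1(e):                             # V's OT query; only the decoder reveals m_e
    return object(), (lambda resp: resp[e])
def ot2(query, m0, m1):                 # P's OT response carrying both answers
    return (m0, m1)

def make_verifier(e):                   # V* plus distinguisher D holding V*'s randomness
    query, decode = ot1(e)
    return query, (lambda x, a, resp: sigma_verify(x, a, e, decode(resp)))

def real_prove(x, w, query):            # honest P: a and the answers for e=0 and e=1
    a, r = sigma_first(w)
    return x, a, ot2(query, sigma_answer(w, r, 0), sigma_answer(w, r, 1))

def extract_challenge(D, trials=8):
    # Rewind D on fresh (x', w') proofs with only OT slot b filled (other slot junk);
    # the slot whose proofs D keeps accepting reveals V*'s OT choice bit e.
    hits = [0, 0]
    for b in (0, 1):
        for _ in range(trials):
            x2, w2 = sample_instance()
            a2, r2 = sigma_first(w2)
            slots = [None, None]
            slots[b] = sigma_answer(w2, r2, b)
            hits[b] += D(x2, a2, tuple(slots))
    return 0 if hits[0] > hits[1] else 1

def simulate(query, D, x):              # proof for external x without its witness
    e = extract_challenge(D)
    a, z = hvzk_sim(x, e)
    slots = [secrets.randbelow(Q), secrets.randbelow(Q)]  # junk in the unused slot
    slots[e] = z
    return x, a, ot2(query, *slots)
```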
Perspective: Extraction in Cryptography
- Black-box polynomial simulation strategy that requires only 2 messages.
- Previously, rewinding took more rounds: Sim rewound V* itself; here Sim rewinds the distinguisher D.
- Towards resolving open problems on the round complexity of WH and strong WI.
- Applications to multiple 2-round and 3-round protocols, beyond proofs.
Conclusion & Open Problems