foundation of cryptography lecture 7 non interactive zk
play

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof - PowerPoint PPT Presentation

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Iftach Haitner, Tel Aviv University Tel Aviv University. April 1, 2014 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 1 / 33 Part I


  1. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  2. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  3. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Verifier only sees the bits in c H that are indexed by I . 2 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  4. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Verifier only sees the bits in c H that are indexed by I . 2 Simulator outputs a proof π , a set of indices I and a partially hidden 3 CRS c H . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  5. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Verifier only sees the bits in c H that are indexed by I . 2 Simulator outputs a proof π , a set of indices I and a partially hidden 3 CRS c H . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  6. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Verifier only sees the bits in c H that are indexed by I . 2 Simulator outputs a proof π , a set of indices I and a partially hidden 3 CRS c H . Soundness, completeness and ZK are naturally defined. We give a NIZK for HC , Directed Graph Hamiltonicity, in the HBM, and then transfer it into a NIZK for HC in the standard model. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  7. Hidden Bits Model (HBM) A CRS is chosen at random, but only the prover can see it. The prover chooses which bits to reveal as part of the proof. Let c H be the “hidden" CRS: Prover sees c H , and outputs a proof π and a set of indices I . 1 Verifier only sees the bits in c H that are indexed by I . 2 Simulator outputs a proof π , a set of indices I and a partially hidden 3 CRS c H . Soundness, completeness and ZK are naturally defined. We give a NIZK for HC , Directed Graph Hamiltonicity, in the HBM, and then transfer it into a NIZK for HC in the standard model. The latter implies a NIZK for all NP . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 6 / 33

  8. Useful Matrix Permutation matrix: an n × n Boolean matrix, where each row/column contains a single 1 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 7 / 33

  9. Useful Matrix Permutation matrix: an n × n Boolean matrix, where each row/column contains a single 1 Hamiltonian matrix: an n × n adjacency matrix of a directed graph that is an Hamiltonian cycle of all nodes (note that Hamiltonian matrix is also a permutation matrix)/ Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 7 / 33

  10. Useful Matrix Permutation matrix: an n × n Boolean matrix, where each row/column contains a single 1 Hamiltonian matrix: an n × n adjacency matrix of a directed graph that is an Hamiltonian cycle of all nodes (note that Hamiltonian matrix is also a permutation matrix)/ An n 3 × n 3 Boolean matrix is useful: if it contains an Hamiltonian generalized n × n sub-matrix, and all its other entries are zeros. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 7 / 33

  11. Useful Matrix Permutation matrix: an n × n Boolean matrix, where each row/column contains a single 1 Hamiltonian matrix: an n × n adjacency matrix of a directed graph that is an Hamiltonian cycle of all nodes (note that Hamiltonian matrix is also a permutation matrix)/ An n 3 × n 3 Boolean matrix is useful: if it contains an Hamiltonian generalized n × n sub-matrix, and all its other entries are zeros. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 7 / 33

  12. Useful Matrix Permutation matrix: an n × n Boolean matrix, where each row/column contains a single 1 Hamiltonian matrix: an n × n adjacency matrix of a directed graph that is an Hamiltonian cycle of all nodes (note that Hamiltonian matrix is also a permutation matrix)/ An n 3 × n 3 Boolean matrix is useful: if it contains an Hamiltonian generalized n × n sub-matrix, and all its other entries are zeros. Claim 3 Let T be a random n 3 × n 3 Boolean matrix where each entry is 1 w.p n − 5 . Then, Pr [ T is useful ] ∈ Ω( n − 3 / 2 ) . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 7 / 33

  13. Proving Claim 3 The expected # of ones (entries) in T is n 6 · n − 5 = n . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 8 / 33

  14. Proving Claim 3 The expected # of ones (entries) in T is n 6 · n − 5 = n . By (extended) Chernoff bound, T contains exactly n ones w.p. θ ( 1 / √ n ) . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 8 / 33

  15. Proving Claim 3 The expected # of ones (entries) in T is n 6 · n − 5 = n . By (extended) Chernoff bound, T contains exactly n ones w.p. θ ( 1 / √ n ) . Each row/colomn of T contain more than a single one entry with � n 3 · n − 10 < n − 4 . � probability at most 2 Hence, wp at least 1 − 2 · n 3 · n − 4 = 1 − O ( n − 1 ) , no raw or column of T contains more than a single one entry. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 8 / 33

  16. Proving Claim 3 The expected # of ones (entries) in T is n 6 · n − 5 = n . By (extended) Chernoff bound, T contains exactly n ones w.p. θ ( 1 / √ n ) . Each row/colomn of T contain more than a single one entry with � n 3 · n − 10 < n − 4 . � probability at most 2 Hence, wp at least 1 − 2 · n 3 · n − 4 = 1 − O ( n − 1 ) , no raw or column of T contains more than a single one entry. Hence, wp θ ( 1 / √ n ) the matrix T contains a permutation matrix and all its other entries are zero. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 8 / 33

  17. Proving Claim 3 The expected # of ones (entries) in T is n 6 · n − 5 = n . By (extended) Chernoff bound, T contains exactly n ones w.p. θ ( 1 / √ n ) . Each row/colomn of T contain more than a single one entry with � n 3 · n − 10 < n − 4 . � probability at most 2 Hence, wp at least 1 − 2 · n 3 · n − 4 = 1 − O ( n − 1 ) , no raw or column of T contains more than a single one entry. Hence, wp θ ( 1 / √ n ) the matrix T contains a permutation matrix and all its other entries are zero. A random permutation matrix forms a cycle wp 1 / n (there are n ! permutation matrices and ( n − 1 )! of them form a cycle) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 8 / 33

  18. NIZK for Hamiltonicity in HBM Common input: a directed graph G = ([ n ] , E ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 9 / 33

  19. NIZK for Hamiltonicity in HBM Common input: a directed graph G = ([ n ] , E ) we assume wlg. that n is a power of 2 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 9 / 33

  20. NIZK for Hamiltonicity in HBM Common input: a directed graph G = ([ n ] , E ) we assume wlg. that n is a power of 2 Common reference string T viewed as a n 3 × n 3 Boolean matrix, where each entry is 1 w.p n − 5 (?) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 9 / 33

  21. NIZK for Hamiltonicity in HBM Common input: a directed graph G = ([ n ] , E ) we assume wlg. that n is a power of 2 Common reference string T viewed as a n 3 × n 3 Boolean matrix, where each entry is 1 w.p n − 5 (?) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 9 / 33

  22. NIZK for Hamiltonicity in HBM Common input: a directed graph G = ([ n ] , E ) we assume wlg. that n is a power of 2 Common reference string T viewed as a n 3 × n 3 Boolean matrix, where each entry is 1 w.p n − 5 (?) Algorithm 4 ( P ) Input: n -node graph G and a cycle C in G. CRS: T ∈ { 0 , 1 } n 3 × n 3 . If T not useful, set I = n 3 × n 3 (i.e., reveal all T ) and φ = ⊥ . 1 Otherwise, let H be the (generalized) n × n sub-matrix containing the 2 hamiltonian cycle in T . Set I = T \ H (i.e., reveal the bits of T outside of H ). 1 Choose φ ← Π n s.t. C is mapped to the cycle in H . 2 Add the entries in H corresponding to non edges in G (wrt. φ ) to I . 3 Output π = ( I , φ ) . 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 9 / 33

  23. NIZK for Hamiltonicity in HBM cont. Algorithm 5 ( V ) Input: a graph G, index set I ⊆ [ n 3 ] × [ n 3 ] , ordered set { T i } i ∈I , a mapping φ . Accept if all the bits of T are revealed and T is not useful. Otherwise, Verify that ∃ n × n submatrix H ⊆ T with all entries in T \ H are zeros. 1 Verify that φ ∈ Π n , and that all entries of H not corresponding to edges of 2 G (according to φ ) are zeros. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 10 / 33

  24. NIZK for Hamiltonicity in HBM cont. Algorithm 5 ( V ) Input: a graph G, index set I ⊆ [ n 3 ] × [ n 3 ] , ordered set { T i } i ∈I , a mapping φ . Accept if all the bits of T are revealed and T is not useful. Otherwise, Verify that ∃ n × n submatrix H ⊆ T with all entries in T \ H are zeros. 1 Verify that φ ∈ Π n , and that all entries of H not corresponding to edges of 2 G (according to φ ) are zeros. Claim 6 The above protocol is a perfect NIZK for HC in the HBM, with perfect completeness and soundness error 1 − Ω( n − 3 / 2 ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 10 / 33

  25. Proving Claim 6 Completeness: Clear. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 11 / 33

  26. Proving Claim 6 Completeness: Clear. Soundness: Assume T is useful and V accepts. Then φ − 1 maps the unrevealed “edges" of H to the edges of G. Hence, φ − 1 maps the cycle in H to an Hamiltonian cycle in G. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 11 / 33

  27. Proving Claim 6 Completeness: Clear. Soundness: Assume T is useful and V accepts. Then φ − 1 maps the unrevealed “edges" of H to the edges of G. Hence, φ − 1 maps the cycle in H to an Hamiltonian cycle in G. Zero knowledge? Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 11 / 33

  28. Algorithm 7 ( S ) Input: G Choose T at random (i.e., each entry is one wp n − 5 ). 1 If T is not useful, set I = n 3 × n 3 and φ = ⊥ . 2 Otherwise, 3 Set I = T \ H (where H is the hamiltonian sub-matrix in T ). 1 Let φ ← Π n . Replace all entries of H with zeros. 2 Add the entries in H corresponding to non edges in G to I . 3 Output π = ( T , I , φ ) . 4 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 12 / 33

  29. Algorithm 7 ( S ) Input: G Choose T at random (i.e., each entry is one wp n − 5 ). 1 If T is not useful, set I = n 3 × n 3 and φ = ⊥ . 2 Otherwise, 3 Set I = T \ H (where H is the hamiltonian sub-matrix in T ). 1 Let φ ← Π n . Replace all entries of H with zeros. 2 Add the entries in H corresponding to non edges in G to I . 3 Output π = ( T , I , φ ) . 4 Perfect simulation for non-useful T ’s. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 12 / 33

  30. Algorithm 7 ( S ) Input: G Choose T at random (i.e., each entry is one wp n − 5 ). 1 If T is not useful, set I = n 3 × n 3 and φ = ⊥ . 2 Otherwise, 3 Set I = T \ H (where H is the hamiltonian sub-matrix in T ). 1 Let φ ← Π n . Replace all entries of H with zeros. 2 Add the entries in H corresponding to non edges in G to I . 3 Output π = ( T , I , φ ) . 4 Perfect simulation for non-useful T ’s. For useful T , the location of H is uniform in the real and simulated case. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 12 / 33

  31. Algorithm 7 ( S ) Input: G Choose T at random (i.e., each entry is one wp n − 5 ). 1 If T is not useful, set I = n 3 × n 3 and φ = ⊥ . 2 Otherwise, 3 Set I = T \ H (where H is the hamiltonian sub-matrix in T ). 1 Let φ ← Π n . Replace all entries of H with zeros. 2 Add the entries in H corresponding to non edges in G to I . 3 Output π = ( T , I , φ ) . 4 Perfect simulation for non-useful T ’s. For useful T , the location of H is uniform in the real and simulated case. φ is a random element in Π n in both (real and simulated) cases Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 12 / 33

  32. Algorithm 7 ( S ) Input: G Choose T at random (i.e., each entry is one wp n − 5 ). 1 If T is not useful, set I = n 3 × n 3 and φ = ⊥ . 2 Otherwise, 3 Set I = T \ H (where H is the hamiltonian sub-matrix in T ). 1 Let φ ← Π n . Replace all entries of H with zeros. 2 Add the entries in H corresponding to non edges in G to I . 3 Output π = ( T , I , φ ) . 4 Perfect simulation for non-useful T ’s. For useful T , the location of H is uniform in the real and simulated case. φ is a random element in Π n in both (real and simulated) cases Hence, the simulation is perfect! Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 12 / 33

  33. Section 2 From HBM to Standard NIZK Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 13 / 33

  34. Trapdoor permutations Definition 8 (trapdoor permutations) A triplet ( G , f , Inv ) , where G is a PPTM , and f and Inv are poly-time computable, is a family of trapdoor permutation (TDP), if: On input 1 n , G ( 1 n ) outputs a pair ( sk , pk ) . 1 f pk = f ( pk , · ) is a permutation over { 0 , 1 } n , for every n ∈ N and 2 pk ∈ Supp ( G ( 1 n ) 2 ) . Inv sk = Inv ( sk , · ) ≡ f − 1 pk for every ( sk , pk ) ∈ Supp ( G ( 1 n )) 3 For any PPTM A, 4 � � A ( pk , x ) = f − 1 Pr x ←{ 0 , 1 } n , pk ← G ( 1 n ) 2 pk ( x ) = neg ( n ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 14 / 33

  35. Hardcore Predicates for Trapdoor Permutations Definition 9 (hardcore predicates for TDP) A polynomial-time computable b : { 0 , 1 } n �→ { 0 , 1 } is a hardcore predicate of a TDP ( G , f , Inv ) , if pk ← G ( 1 n ) 2 , x ←{ 0 , 1 } n [ P ( pk , f pk ( x )) = b ( x )] ≤ 1 Pr 2 + neg ( n ) , for any PPTM P. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 15 / 33

  36. Hardcore Predicates for Trapdoor Permutations Definition 9 (hardcore predicates for TDP) A polynomial-time computable b : { 0 , 1 } n �→ { 0 , 1 } is a hardcore predicate of a TDP ( G , f , Inv ) , if pk ← G ( 1 n ) 2 , x ←{ 0 , 1 } n [ P ( pk , f pk ( x )) = b ( x )] ≤ 1 Pr 2 + neg ( n ) , for any PPTM P. Goldreich-Levin: any TDP has an hardcore predicate (ignoring padding issues) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 15 / 33

  37. Example, RSA In the following n ∈ N and all operations are modulo n . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  38. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  39. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  40. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) φ ( n ) , the function f ( x ) ≡ x e mod n is a permutation over For every e ∈ Z ∗ Z ∗ n . In particular, ( x e ) d ≡ x mod n , for every x ∈ Z ∗ n , where d ≡ e − 1 mod φ ( n ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  41. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) φ ( n ) , the function f ( x ) ≡ x e mod n is a permutation over For every e ∈ Z ∗ Z ∗ n . In particular, ( x e ) d ≡ x mod n , for every x ∈ Z ∗ n , where d ≡ e − 1 mod φ ( n ) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  42. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) φ ( n ) , the function f ( x ) ≡ x e mod n is a permutation over For every e ∈ Z ∗ Z ∗ n . In particular, ( x e ) d ≡ x mod n , for every x ∈ Z ∗ n , where d ≡ e − 1 mod φ ( n ) Definition 10 (RSA) G ( p , q ) sets pk = ( n = pq , e ) for some e ∈ Z ∗ φ ( n ) , and sk = ( n , d ≡ e − 1 mod φ ( n )) f ( pk , x ) = x e mod n Inv ( sk , x ) = x d mod n Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  43. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) φ ( n ) , the function f ( x ) ≡ x e mod n is a permutation over For every e ∈ Z ∗ Z ∗ n . In particular, ( x e ) d ≡ x mod n , for every x ∈ Z ∗ n , where d ≡ e − 1 mod φ ( n ) Definition 10 (RSA) G ( p , q ) sets pk = ( n = pq , e ) for some e ∈ Z ∗ φ ( n ) , and sk = ( n , d ≡ e − 1 mod φ ( n )) f ( pk , x ) = x e mod n Inv ( sk , x ) = x d mod n ⇒ RSA is easy. Factoring is easy = Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  44. Example, RSA In the following n ∈ N and all operations are modulo n . Z n = [ n ] and Z ∗ n = { x ∈ [ n ]: gcd ( x , n ) = 1 } φ ( n ) = | Z ∗ n | (equals ( p − 1 )( q − 1 ) for n = pq with p , q ∈ P ) φ ( n ) , the function f ( x ) ≡ x e mod n is a permutation over For every e ∈ Z ∗ Z ∗ n . In particular, ( x e ) d ≡ x mod n , for every x ∈ Z ∗ n , where d ≡ e − 1 mod φ ( n ) Definition 10 (RSA) G ( p , q ) sets pk = ( n = pq , e ) for some e ∈ Z ∗ φ ( n ) , and sk = ( n , d ≡ e − 1 mod φ ( n )) f ( pk , x ) = x e mod n Inv ( sk , x ) = x d mod n ⇒ RSA is easy. The other direction? Factoring is easy = Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 16 / 33

  45. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  46. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Let ( G , f , Inv ) be a TDP and let b be an hardcore bit for it. For simplicity, assume that G ( 1 n ) chooses ( sk , pk ) as follows: where PK : { 0 , 1 } n �→ { 0 , 1 } n is a polynomial-time computable function. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  47. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Let ( G , f , Inv ) be a TDP and let b be an hardcore bit for it. For simplicity, assume that G ( 1 n ) chooses ( sk , pk ) as follows: sk ← { 0 , 1 } n 1 where PK : { 0 , 1 } n �→ { 0 , 1 } n is a polynomial-time computable function. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  48. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Let ( G , f , Inv ) be a TDP and let b be an hardcore bit for it. For simplicity, assume that G ( 1 n ) chooses ( sk , pk ) as follows: sk ← { 0 , 1 } n 1 pk = PK ( sk ) 2 where PK : { 0 , 1 } n �→ { 0 , 1 } n is a polynomial-time computable function. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  49. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Let ( G , f , Inv ) be a TDP and let b be an hardcore bit for it. For simplicity, assume that G ( 1 n ) chooses ( sk , pk ) as follows: sk ← { 0 , 1 } n 1 pk = PK ( sk ) 2 where PK : { 0 , 1 } n �→ { 0 , 1 } n is a polynomial-time computable function. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  50. The transformation Let ( P H , V H ) be a HBM NIZK for L , and let ℓ ( n ) be the length of the CRS used for x ∈ { 0 , 1 } n . Let ( G , f , Inv ) be a TDP and let b be an hardcore bit for it. For simplicity, assume that G ( 1 n ) chooses ( sk , pk ) as follows: sk ← { 0 , 1 } n 1 pk = PK ( sk ) 2 where PK : { 0 , 1 } n �→ { 0 , 1 } n is a polynomial-time computable function. We construct a NIZK ( P , V ) for L , with the same completeness and “not too large" soundness error. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 17 / 33

  51. The protocol Algorithm 11 ( P ) Input: x ∈ L , w ∈ R L ( x ) and CRS c = ( c 1 , . . . , c ℓ ) ∈ { 0 , 1 } n ℓ , where n = | x | and ℓ = ℓ ( n ) . Choose ( sk , pk ) ← G ( sk ) and compute 1 c H = ( b ( z 1 = f − 1 pk ( c 1 )) , . . . , b ( z ℓ ( n ) = f − 1 pk ( c ℓ ))) Let ( π H , I ) ← P H ( x , w , c H ) and output ( π H , I , pk , { z i } i ∈I ) 2 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 18 / 33

  52. The protocol Algorithm 11 ( P ) Input: x ∈ L , w ∈ R L ( x ) and CRS c = ( c 1 , . . . , c ℓ ) ∈ { 0 , 1 } n ℓ , where n = | x | and ℓ = ℓ ( n ) . Choose ( sk , pk ) ← G ( sk ) and compute 1 c H = ( b ( z 1 = f − 1 pk ( c 1 )) , . . . , b ( z ℓ ( n ) = f − 1 pk ( c ℓ ))) Let ( π H , I ) ← P H ( x , w , c H ) and output ( π H , I , pk , { z i } i ∈I ) 2 Algorithm 12 ( V ) Input: x ∈ L , CRS c = ( c 1 , . . . , c ℓ ) ∈ { 0 , 1 } np , and ( π H , I , pk , { z i } i ∈I ) , where n = | x | and ℓ = ℓ ( n ) . Verify that pk ∈ { 0 , 1 } n and that f pk ( z i ) = c i for every i ∈ I 1 Return V H ( x , π H , I , c H ) , where c H i = b ( z i ) for every i ∈ I . 2 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 18 / 33

  53. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  54. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Proof : Assume for simplicity that b is unbiased (i.e., Pr [ b ( U n ) = 1 ] = 1 2 ). Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  55. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Proof : Assume for simplicity that b is unbiased (i.e., Pr [ b ( U n ) = 1 ] = 1 2 ). � � For every pk ∈ { 0 , 1 } n : b ( f − 1 pk ( c 1 )) , . . . , b ( f − 1 pk ( c ℓ )) c ←{ 0 , 1 } np is uniformly distributed in { 0 , 1 } ℓ . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  56. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Proof : Assume for simplicity that b is unbiased (i.e., Pr [ b ( U n ) = 1 ] = 1 2 ). � � For every pk ∈ { 0 , 1 } n : b ( f − 1 pk ( c 1 )) , . . . , b ( f − 1 pk ( c ℓ )) c ←{ 0 , 1 } np is uniformly distributed in { 0 , 1 } ℓ . Completeness: clear Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  57. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Proof : Assume for simplicity that b is unbiased (i.e., Pr [ b ( U n ) = 1 ] = 1 2 ). � � For every pk ∈ { 0 , 1 } n : b ( f − 1 pk ( c 1 )) , . . . , b ( f − 1 pk ( c ℓ )) c ←{ 0 , 1 } np is uniformly distributed in { 0 , 1 } ℓ . Completeness: clear Soundness: follows by a union bound over all possible choice of pk ∈ { 0 , 1 } n . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  58. Claim 13 Assuming that ( P H , V H ) is a NIZK for L in the HBM with soundness error 2 − n · α , then ( P , V ) is a NIZK for L with the same completeness, and soundness error α . Proof : Assume for simplicity that b is unbiased (i.e., Pr [ b ( U n ) = 1 ] = 1 2 ). � � For every pk ∈ { 0 , 1 } n : b ( f − 1 pk ( c 1 )) , . . . , b ( f − 1 pk ( c ℓ )) c ←{ 0 , 1 } np is uniformly distributed in { 0 , 1 } ℓ . Completeness: clear Soundness: follows by a union bound over all possible choice of pk ∈ { 0 , 1 } n . Zero knowledge:? Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 19 / 33

  59. Proving zero knowledge Algorithm 14 ( S ) Input: x ∈ { 0 , 1 } n of length n . Let ( π H , I , c H ) = S H ( x ) , where S H is the simulator of ( P H , V H ) Output ( c , ( π H , I , pk , { z i } i ∈I )) , where ◮ pk ← G ( U n ) ◮ Each z i is chosen at random in { 0 , 1 } n such that b ( z i ) = c H i ◮ c i = f pk ( z i ) for i ∈ I , and a random value in { 0 , 1 } n otherwise. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 20 / 33

  60. Proving zero knowledge Algorithm 14 ( S ) Input: x ∈ { 0 , 1 } n of length n . Let ( π H , I , c H ) = S H ( x ) , where S H is the simulator of ( P H , V H ) Output ( c , ( π H , I , pk , { z i } i ∈I )) , where ◮ pk ← G ( U n ) ◮ Each z i is chosen at random in { 0 , 1 } n such that b ( z i ) = c H i ◮ c i = f pk ( z i ) for i ∈ I , and a random value in { 0 , 1 } n otherwise. The above implicitly describes an efficient M s.t. M ( S H ( x )) ≡ S ( x ) and M ( P H ( x , w ( x ))) ≈ c P ( x , w ( x )) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 20 / 33

  61. Proving zero knowledge Algorithm 14 ( S ) Input: x ∈ { 0 , 1 } n of length n . Let ( π H , I , c H ) = S H ( x ) , where S H is the simulator of ( P H , V H ) Output ( c , ( π H , I , pk , { z i } i ∈I )) , where ◮ pk ← G ( U n ) ◮ Each z i is chosen at random in { 0 , 1 } n such that b ( z i ) = c H i ◮ c i = f pk ( z i ) for i ∈ I , and a random value in { 0 , 1 } n otherwise. The above implicitly describes an efficient M s.t. M ( S H ( x )) ≡ S ( x ) and M ( P H ( x , w ( x ))) ≈ c P ( x , w ( x )) Hence, distinguishing P ( x , w ( x )) from S ( x ) is hard Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 20 / 33

  62. Proving zero knowledge Algorithm 14 ( S ) Input: x ∈ { 0 , 1 } n of length n . Let ( π H , I , c H ) = S H ( x ) , where S H is the simulator of ( P H , V H ) Output ( c , ( π H , I , pk , { z i } i ∈I )) , where ◮ pk ← G ( U n ) ◮ Each z i is chosen at random in { 0 , 1 } n such that b ( z i ) = c H i ◮ c i = f pk ( z i ) for i ∈ I , and a random value in { 0 , 1 } n otherwise. The above implicitly describes an efficient M s.t. M ( S H ( x )) ≡ S ( x ) and M ( P H ( x , w ( x ))) ≈ c P ( x , w ( x )) Hence, distinguishing P ( x , w ( x )) from S ( x ) is hard Direct solution for our NIZK Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 20 / 33

  63. Proving zero knowledge Algorithm 14 ( S ) Input: x ∈ { 0 , 1 } n of length n . Let ( π H , I , c H ) = S H ( x ) , where S H is the simulator of ( P H , V H ) Output ( c , ( π H , I , pk , { z i } i ∈I )) , where ◮ pk ← G ( U n ) ◮ Each z i is chosen at random in { 0 , 1 } n such that b ( z i ) = c H i ◮ c i = f pk ( z i ) for i ∈ I , and a random value in { 0 , 1 } n otherwise. The above implicitly describes an efficient M s.t. M ( S H ( x )) ≡ S ( x ) and M ( P H ( x , w ( x ))) ≈ c P ( x , w ( x )) Hence, distinguishing P ( x , w ( x )) from S ( x ) is hard Direct solution for our NIZK An “adaptive" NIZK Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 20 / 33

  64. Section 3 Adaptive NIZK Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 21 / 33

  65. Adaptive NIZK x is chosen after the CRS. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  66. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  67. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  68. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  69. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  70. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process ( c , s ) ← S 1 ( 1 n ) 1 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  71. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process ( c , s ) ← S 1 ( 1 n ) 1 x = f ( c ) 2 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  72. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process ( c , s ) ← S 1 ( 1 n ) 1 x = f ( c ) 2 Output ( c , x , S 2 ( x , c , s )) 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  73. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process ( c , s ) ← S 1 ( 1 n ) 1 x = f ( c ) 2 Output ( c , x , S 2 ( x , c , s )) 3 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  74. Adaptive NIZK x is chosen after the CRS. Completeness: ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n and w ( x ) ∈ R L ( x ) : Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ( x , w ( x ) , c )) = 1 ] ≥ 2 / 3 Soundness: ∀ f : { 0 , 1 } ℓ ( n ) �→ { 0 , 1 } n and P ∗ Pr c ←{ 0 , 1 } ℓ ( n ) ; x = f ( c ) [ V ( x , c , P ∗ ( c )) = 1 ∧ x / ∈ L ] ≤ 1 / 3 ZK : ∃ pair of PPTM ’s ( S 1 , S 2 ) s.t. ∀ f : { 0 , 1 } ℓ ( n ) �→ L ∩ { 0 , 1 } n { ( c ← { 0 , 1 } ℓ ( n ) , x = f ( c ) , P ( x , w ( x ))) } n ∈ N ≈ c { S f ( n ) } n ∈ N . where S f ( n ) is the output of the following process ( c , s ) ← S 1 ( 1 n ) 1 x = f ( c ) 2 Output ( c , x , S 2 ( x , c , s )) 3 Why do we need s ? Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 22 / 33

  75. Adaptive NIZK , cont. Adaptive completeness and soundness are easy to achieve from any non-adaptive NIZK .(?) Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 23 / 33

  76. Adaptive NIZK , cont. Adaptive completeness and soundness are easy to achieve from any non-adaptive NIZK .(?) Not every NIZK is adaptive ZK . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 23 / 33

  77. Adaptive NIZK , cont. Adaptive completeness and soundness are easy to achieve from any non-adaptive NIZK .(?) Not every NIZK is adaptive ZK . Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 23 / 33

  78. Adaptive NIZK , cont. Adaptive completeness and soundness are easy to achieve from any non-adaptive NIZK .(?) Not every NIZK is adaptive ZK . Theorem 15 Assume TDP exist, then every NP language has an adaptive NIZK with perfect completeness and negligible soundness error. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 23 / 33

  79. Adaptive NIZK , cont. Adaptive completeness and soundness are easy to achieve from any non-adaptive NIZK .(?) Not every NIZK is adaptive ZK . Theorem 15 Assume TDP exist, then every NP language has an adaptive NIZK with perfect completeness and negligible soundness error. In the following, when saying adaptive NIZK , we mean negligible completeness and soundness error. Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 23 / 33

  80. Section 4 Simulation-Sound NIZK Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 24 / 33

  81. Simulation soundness A NIZK system ( P , V ) for L has (one-time) simulation soundness, if ∃ a pair of PPTM ’s S = ( S 1 , S 2 ) that satisfies the ZK property of P with respect to L , and in addition Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 25 / 33

  82. Simulation soundness A NIZK system ( P , V ) for L has (one-time) simulation soundness, if ∃ a pair of PPTM ’s S = ( S 1 , S 2 ) that satisfies the ZK property of P with respect to L , and in addition [ x ′ / ∈ L ∧ V ( x ′ , π ′ , c ) = 1 ∧ ( x ′ , π ′ ) � = ( x , π )] = neg ( n ) Pr ( c , x ,π, x ′ ,π ′ ) ← Exp n V , S , P ∗ for any pair of PPTM ’s P ∗ = ( P ∗ 1 , P ∗ 2 ) . Experiment 16 ( Exp n V , S , P ∗ ) ( c , s ) ← S 1 ( 1 n ) 1 ( x , p ) ← P ∗ 1 ( 1 n , c ) 2 π ← S 2 ( x , c , s ) 3 ( x ′ , π ′ ) ← P ∗ 2 ( p , π ) 4 Output ( c , x , π, x ′ , π ′ ) 5 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 25 / 33

  83. Simulation soundness A NIZK system ( P , V ) for L has (one-time) simulation soundness, if ∃ a pair of PPTM ’s S = ( S 1 , S 2 ) that satisfies the ZK property of P with respect to L , and in addition [ x ′ / ∈ L ∧ V ( x ′ , π ′ , c ) = 1 ∧ ( x ′ , π ′ ) � = ( x , π )] = neg ( n ) Pr ( c , x ,π, x ′ ,π ′ ) ← Exp n V , S , P ∗ for any pair of PPTM ’s P ∗ = ( P ∗ 1 , P ∗ 2 ) . Experiment 16 ( Exp n V , S , P ∗ ) ( c , s ) ← S 1 ( 1 n ) 1 ( x , p ) ← P ∗ 1 ( 1 n , c ) 2 π ← S 2 ( x , c , s ) 3 ( x ′ , π ′ ) ← P ∗ 2 ( p , π ) 4 Output ( c , x , π, x ′ , π ′ ) 5 Iftach Haitner (TAU) Foundation of Cryptography April 1, 2014 25 / 33

Recommend


More recommend