Laconic Zero Knowledge to Public Key Cryptography Public Key Cryptography Akshay Degwekar (MIT)
Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78, Goldwasser-Micali82] pk sk Public Key Encryption Public Key Encryption ct = Enc pk (m) GOAL: Construct “different” public-key encryption schemes public-key encryption schemes Lattices Number Theory
What What structure+hardness implies public-key crypto? public-key crypto?
Possible answers: NP-hardness No Crypto Known Some impossibility results [Brassard79, Feigenbaum-Fortnow93, Bogdanov- Some impossibility results [Brassard79, Feigenbaum-Fortnow93, Bogdanov- Trevisan03, Goldreich-Goldwasser98, AkaviaGoldreichGoldwasserMoshkovitz06] One-Way Functions Some barriers [Impagliazzo-Rudich89, Brakerski-Katz-Segev-Yerukhimovich11, Dachman-Soled16, Garg-Hajiabadi-Mahmoody-Mohammed18] SZK-hardness (SZK = Statistical Zero Knowledge) SZK-hardness (SZK = Statistical Zero Knowledge) Implies OWFs [Ostrovsky91] Many problems in SZK imply PKE
Statistical Zero Knowledge (SZK) [ Goldwasser-Micali-Rackoff85 ] Completeness: Completeness: P * P V Soundness: Proof : All powerful P * Argument : Efficient P *
Honest-Verifier Statistical Zero Knowledge: [ Goldwasser-Micali-Rackoff85 ] P V Simulator:
Statistical Zero Knowledge NP PKE from SZK-Hardness? Seems Challenging : Discrete Log, Graph Iso have SZK proofs but no PKE known. SZK DLog DLog Need more Structure? Need more Structure? Graph Iso. Factoring LWE QR
Example: Quadratic Non-Residuosity (Or: From GMR to GM) Can sample [Goldwasser-Micali82, Goldwasser-Micali-Rackoff85] hard instances (Honest-Verifier) (Honest-Verifier) w/ witnesses w/ witnesses Statistical Zero-Knowledge Proof Efficient Efficient Prover Prover talks very little
Our Results: These Properties are Sufficient! ZK PROOF SYSTEM Public-Key Encryption + CRYPTO HARD LANGUAGE CRYPTO HARD LANGUAGE Implies One-Way Functions
Instantiations QR DDH Our Our PKE PKE Assumption LWE Low noise LPN ABW Factoring CDH
Perspective: Relaxing the Assumption ZK PROOF SYSTEM [Sahai-Vadhan03] [Sahai-Vadhan03] [HaitnerNguyenOng ReingoldVadhan03] + CRYPTO HARD LANGUAGE CRYPTO HARD LANGUAGE
Characterization WEAK WEAK : soundness, completeness hold on average ZK PROOF SYSTEM Public-Key Encryption + + DISTRIBUTIONS DISTRIBUTIONS CRYPTO HARD LANGUAGE
Summary Laconic, Efficient Prover, Laconic, Efficient Prover, HVSZK ARGUMENT Public Key + Encryption CRYPTO HARD LANGUAGE
Techniques
Warmup: 2-Msg, Deterministic Prover * V * a.k.a Hash Proof System [Cramer-Shoup02]
Weak Key Agreement Correctness: Every verifier challenge has Every verifier challenge has unique prover response
D Break average-case hardness V V 0/1 0/1 Adv = Cheating Prover Adv = Cheating Prover soundness soundness Contradiction. D breaks average-case hardness. Amplify from weak PKE to PKE using HolensteinRenner05
We saw: PKE from deterministic, 2-msg SZK Proof System. Challenges: Randomized Prover Multi-round Proof System Stateful Prover Lesser Challenges: Relaxing perfect ZK, perfect completeness Lesser Challenges: Relaxing perfect ZK, perfect completeness
Coping with Randomized Provers Correctness: Weak Security: Weak Security: Trapdoor Our Pseudoentropy PKE Assumption Generator
Trapdoor Our Pseudoentropy PKE Assumption Generator Security : Adv can only sample from “bigger” dist. Formalized using pseudoentropy [HILL99]
Trapdoor Our Pseudoentropy PKE Assumption Generator Challenges: Many rounds Stateful Prover [Ostrovsky 91] Terminate at Laconic. Rejection Sampling random round.
Trapdoor Our Pseudoentropy PKE Assumption Generator Amplification Theorem Technically difficult half Uses connections between Pseudorandomness & Unpredictability Ingredients from: OWFs => PRG (HILL99, VadhanZheng12)
Conclusion and Open Problems Laconic, Efficient Prover, HVSZK ARGUMENT Public Key + + Encryption CRYPTO HARD LANGUAGE Big Open Q: Big Open Q: Design new PKE schemes
Thank You!
Trapdoor Pseudoentropy Public Key Encryption Generator Security : Gap between Decode & adversary Formalized using pseudoentropy [HILL99]
Recommend
More recommend
