on the composition of public on the composition of public
play

On the Composition of Public- - On the Composition of Public Coin - PowerPoint PPT Presentation

Mar 04, 2023 •385 likes •613 views

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols Knowledge Protocols Coin Zero Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktrm (KTH) 1 Zero Knowledge [GMR85] Zero

  1. On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols Knowledge Protocols Coin Zero Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1

  2. Zero Knowledge [GMR85] Zero Knowledge [GMR85] • Interactive protocol between a Prover and a Verifier where the Verifier learns nothing except the proof statement Prover Verifier • Fundamental construct of cryptography • Used in secure MPC, authentication, etc, etc 2

  3. Zero Knowledge [GMR85] Zero Knowledge [GMR85] • For every PPT V* (adversary) there is a PPT simulator S: Verifier V* Simulator S Prover ≈ View of V* with Prover View generated by S Indistinguishable 3

  4. Black- -Box Zero Knowledge [GO90] Box Zero Knowledge [GO90] Black • Universal S interacts with and rewinds V* Equivalently: Output View Output View – Most known and all practical ZK are BB – This talk: Focus on BB ZK 4

  5. Composition of ZK [GKr90] Composition of ZK [GKr90] Parallel [FS90, GKr90] Concurrent [FS90, DNS04] • Do ZK protocols stay ZK when composed? 5

  6. Composition of ZK [GKr90] Composition of ZK [GKr90] • In general : ZK breaks even under 2 parallel executions [FS90, GKr90] • Specific protocols : – Secure under both parallel and concurrent composition (e.g., [GKa96, FS90, RK99, KP01, PRS02]) – But these protocols use something new: Private Coins 6

  7. Public vs. Private Coins Public vs. Private Coins Prover Verifier • Public-coin: Private-coin: • The original ZK protocols are all public-coin [GMR85,GMW91, Blum87] • Why care about public-coin protocols? • Understand original protocols – Theory: • e.g. “IP(Poly) = AM(Poly)” [GS86] • Simpler to implement – Practice: • V resilient to leakage and side channel attacks 7

  8. The Question: The Question: Are private coins necessary for composing ZK (even just) in parallel? • First studied by Goldreich-Krawczyk in 1990 • Partial result: No constant round public-coin BB ZK w/ neg. soundness error (L ∉ BPP) – Known O(1) round public-coin BB ZK (with big soundness error) not secure in parallel 8

  9. Our Results Our Results 1. Any public-coin protocol is not BBZK if 1. Any public-coin protocol is not BBZK if repeated sufficiently in parallel (L ∉ BPP). repeated sufficiently in parallel (L ∉ BPP). 2. For every m , there is a public-coin proof 2. For every m , there is a public-coin proof for NP that is BBZK up to m concurrent for NP that is BBZK up to m concurrent sessions , assuming OWF. sessions , assuming OWF. [Bar01]: Public-coin constant round bounded- [Bar01]: Public-coin constant round bounded- concurrent non-BB ZK argument assuming CRH . concurrent non-BB ZK argument assuming CRH . 9

  10. The Goldreich Goldreich- -Krawczyk Krawczyk framework framework The [GKr90]: If the verifier uses PRF to generate its messages in a constant round public-coin protocol → Protocol is resettably-sound [BGGL01] α Prover Verifier PRF( α ) + PRF 10

  11. The Goldreich Goldreich- -Krawczyk Krawczyk framework framework The [GKr90]: If the verifier uses PRF to generates it messages in a constant round public-coin protocol → Protocol is resettably-sound [BGGL01] Resetting P* Verifier V + PRF Goal: Accepting execution for x Goal: Accepting execution for x ∉ L ∉ L 11

  12. The Goldreich Goldreich- -Krawczyk Krawczyk framework framework The [GKr90]: If the verifier uses PRF to generates it messages in a constant round public-coin protocol → Protocol is resettably-sound [BGGL01] • If protocol is resettably-sound and BB ZK for L → L ∈ BPP (decided by S) [GK90, BGGL01]: x ∈ L → S(x) gives accepting view (ZK) x ∉ L → S(x) gives rejecting view (resettable-sound) 12

  13. Main Lemma Main Lemma Any public-coin protocol (where V uses PRF for Any public-coin protocol (where V uses PRF for its messages) is resettably-sound when its messages) is resettably-sound when repeated sufficiently in parallel. repeated sufficiently in parallel. • Compare with soundness amplification – Recent work: Parallel repetition amplifies sound- ness of public-coin arguments [PV07, HPPW08]: • From ε → ε poly(n) – Our work: “Quality” of soundness also improves • From “standard sound” → “resettably sound” – Can use soundness amplification techniques 13

  14. Proof Idea Proof Idea • Reduction R: Resettable P* → normal P Reduction R Resetting P* Verifier V • R tries to forward messages that P* utilize for an accepting execution – Possible to continue simulation due to public-coin 14

  15. Which Message to Forward? Which Message to Forward? • [GKr90] For constant round protocols, choose random messages to forward – Guess correctly w.p. 1/poly each round – Doesn’t work when there are more rounds • Our approach: – Do a test run to see which msg “should’ve been” forwarded. Forward it and continue simulation – If P* doesn’t use forwarded msg, rewind P* until it does 15

  16. Example Example Start: Two rounds are already forwarded Reduction R Resetting P* Verifier V Acc. FAIL Acc. Acc. FAIL Acc. Repeat Process Repeat Process Case: Forwarded msg is in accepting view Case: S fails to produce accepting view. Case: Forwarded msg not in accepting view → Rewind! → Rewind! → Found next message to forward 16

  17. The Reduction Again The Reduction Again 1. In a test run of P*, find the msg used by P* to form an accepting view. 2. Forward the msg to V and receive a fixed reply. 3. Keep rewinding P* until the forwarded msg is used in an accepting view The next msg in view gets forwarded. Repeat. • Reduction idea analogous to [HPPW08] Reduction always works! Is it poly time? 17

  18. Analysis Sketch Analysis Sketch • If we can rewind external V: – Case: P* chooses which branch to use in view randomly. → Then poly rewinds are enough – This is actually the worst case • But we can’t rewind external V: – Forwarded messages are fixed . Might fix a BAD message – Reduction: Resettable parallel P* → normal standalone P standalone – New picture! 18

  19. Analysis Sketch Analysis Sketch • Can almost rewind the Verifier • Results in a statistically close distribution! – Technically shown by relying on Raz’s Lemma – Technique used in soundness amplification of 2-prover games [Raz98] and public-coin arguments [HPPW08] Reduction R Resetting P* Verifier V 19

  20. Conclusion Conclusion • Any public-coin protocol, with enough parallel repetitions, is resettably-sound → so not BB ZK unless L ∈ BPP • Elucidate connection between hardness amplification and BB ZK lower bounds – New set of techniques for BB lower bounds 20

  21. Corollary Corollary • Bare Public-Key setup – More efficient (private-coin) concurrent ZK – Model studied in the soundness amplification literature [IW97, BIN97, HPPW08] • Using [BIN97, HPPW08] techniques, we can extend our impossibility result to BPK too 21

  22. Thank You! Thank You! 22

Recommend

Automated Web Service Composition in Practice: from Composition Requirements Specification to

Automated Web Service Composition in Practice: from Composition Requirements Specification to

Outline Automated Web Service Composition The Amazon-MPS Case study Conclusions and Future Works Automated Web Service Composition in Practice: from Composition Requirements Specification to Process Run. Annapaola Marconi , Marco Pistore and

730 views • 59 slides
Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al

Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al

Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al Morton + many others M March, 2008 h 2008 draft-ietf-ippm-framework-compagg-06.txt Overall Framework (includes common concepts and concepts and

257 views • 9 slides
PUBLIC SECTOR DEBT COMPOSITION Public Debt Office Ministry of Finance October 2019 EVOLUTION OF

PUBLIC SECTOR DEBT COMPOSITION Public Debt Office Ministry of Finance October 2019 EVOLUTION OF

PUBLIC SECTOR DEBT COMPOSITION Public Debt Office Ministry of Finance October 2019 EVOLUTION OF THE NFPS DEBT As of August 31st, 2019, the NFPS debt (including debt with the Central Bank) amounted US$34,399.1 million, representing the 39.1% of

443 views • 18 slides
JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave & Piano

JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave & Piano

JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave & Piano Ay Olrnt Music Composition & Theory University of Pittsburgh USA A Symposium & Festival Bridging Musicology & Composition:

553 views • 16 slides
AP VS DE ENGLISH 11 th : AP Language and Composition or DE 111 and 112 12 th : AP Literature and

AP VS DE ENGLISH 11 th : AP Language and Composition or DE 111 and 112 12 th : AP Literature and

AP VS DE ENGLISH 11 th : AP Language and Composition or DE 111 and 112 12 th : AP Literature and Composition or DE 243 and 244 11 th grade AP English Language and DE 111 and 112: Composition Composition Credit: 1 Unit; GPA bump

620 views • 7 slides
Opportunistic Composition of Human- Opportunistic composition Computer Interactions in Ambient

Opportunistic Composition of Human- Opportunistic composition Computer Interactions in Ambient

Opportunistic Composition of Human- Opportunistic composition Computer Interactions in Ambient Spaces Ambient env. Our approach Plastic HCI Augustin Degas Requirements Ergonomic criteria Sylvie Trouilhet - Jean-Paul Arcangeli, IRIT

379 views • 21 slides
Updates We are working to change our ESL composition sequence to better align with the

Updates We are working to change our ESL composition sequence to better align with the

Updates We are working to change our ESL composition sequence to better align with the English composition sequence. Why? We want to: Attract and support more multilingual students at UWM Reduce confusion about ESL composition

384 views • 10 slides
The Economics of IT Three Perspectives on IT Economics Todays Topics 1) Economic Composition

The Economics of IT Three Perspectives on IT Economics Todays Topics 1) Economic Composition

The Economics of IT Three Perspectives on IT Economics Todays Topics 1) Economic Composition 2) Industry Composition 3) Labor Supply Economic Composition What kind of work do we do? Staffing Patterns for IT Share of IT Employment in Idaho

414 views • 23 slides
Blood Chapter 17 Overview: Blood Composition and Function Describe the composition and

Blood Chapter 17 Overview: Blood Composition and Function Describe the composition and

The River of Life Blood Chapter 17 Overview: Blood Composition and Function Describe the composition and physical characteristics of whole blood. Explain why it is classified as a connective tissue. List and describe eight functions

740 views • 31 slides
A Formal Interpretation of Frame Composition Wiebke Petersen & Tanja Osswald

A Formal Interpretation of Frame Composition Wiebke Petersen & Tanja Osswald

Frames Classification of concepts Frame Composition Composition and Language A Formal Interpretation of Frame Composition Wiebke Petersen & Tanja Osswald Heinrich-Heine-Universit at D usseldorf Research group on Functional

1.11k views • 86 slides
FATTY ACID COMPOSITION OF EDIBLE OILS AND FATTY ACID COMPOSITION OF EDIBLE OILS AND FATS FATS

FATTY ACID COMPOSITION OF EDIBLE OILS AND FATTY ACID COMPOSITION OF EDIBLE OILS AND FATS FATS

FATTY ACID COMPOSITION OF EDIBLE OILS AND FATTY ACID COMPOSITION OF EDIBLE OILS AND FATS FATS Vesna Kostik Vesna Kostik 1* 1* , Shaban Memeti , Shaban Memeti 1 , Biljana Bauer , Biljana Bauer 2 1* Institute of Public Heal Institute of Public

598 views • 11 slides
SURVEY TOOL To investigate teachers beliefs about compositional experiences in the elementary

SURVEY TOOL To investigate teachers beliefs about compositional experiences in the elementary

TEACHERS BELIEFS REGARDING COMPOSITION IN ELEMENTARY GENERAL MUSIC: DEFINITIONS, VALUE, AND IMPEDIMENTS Teachers tend to devote very little class time to composition. (Orman, 2002; Schmidt, Baker, Hayes, & Kwan, 2006) Composition

452 views • 8 slides
VU Composition 101 I N T E R P R E T I N G T H E E X C E S S I V E L Y L O N G S Y L L A B U S

VU Composition 101 I N T E R P R E T I N G T H E E X C E S S I V E L Y L O N G S Y L L A B U S

VU Composition 101 I N T E R P R E T I N G T H E E X C E S S I V E L Y L O N G S Y L L A B U S Upon completion of Comp 101, you will be able to understand how writing is a process of working through multiple reflective and refining steps.

182 views • 16 slides
Real Composition Algebras Steven Clanton Harriet L. Wilkes Honors College Florida Atlantic

Real Composition Algebras Steven Clanton Harriet L. Wilkes Honors College Florida Atlantic

What is a Composition Algebra? Vector Multiplication for a Composition Algebra Enumerating the Real Composition Algerbas Real Composition Algebras Steven Clanton Harriet L. Wilkes Honors College Florida Atlantic University Jupiter, FL

346 views • 24 slides
Environmental Communiucation 9/5/2017 Photogprahy Crash Course Composition 1 Work Composition:

Environmental Communiucation 9/5/2017 Photogprahy Crash Course Composition 1 Work Composition:

Environmental Communiucation 9/5/2017 Photogprahy Crash Course Composition 1 Work Composition: Tips and Guidelines Framing Rule of Thirds Supporting the frame Get closer Exposure: Tips and Guidelines

248 views • 7 slides
Policy Composition Policy Composition Jason M. Coposky June 9-12, 2020 @jason_coposky iRODS

Policy Composition Policy Composition Jason M. Coposky June 9-12, 2020 @jason_coposky iRODS

Policy Composition Policy Composition Jason M. Coposky June 9-12, 2020 @jason_coposky iRODS User Group Meeting 2020 Executive Director, iRODS Consortium Virtual Event 1 Motivation How can we help new users get started? How can we make

679 views • 53 slides
Outline I. Composition Photography Concepts II. Tips and technologies The sequel Slides by Perry

Outline I. Composition Photography Concepts II. Tips and technologies The sequel Slides by Perry

1/26/2011 Outline I. Composition Photography Concepts II. Tips and technologies The sequel Slides by Perry Kivolowitz Composition: Composition: Terms Composing: How your picture is put together Any given pictures wants to be

452 views • 7 slides
AP LITERATURE AND COMPOSITION EXAM REVIEW AP LITERATURE AND COMPOSITION STUDENT PREPARATION

AP LITERATURE AND COMPOSITION EXAM REVIEW AP LITERATURE AND COMPOSITION STUDENT PREPARATION

AP LITERATURE AND COMPOSITION EXAM REVIEW AP LITERATURE AND COMPOSITION STUDENT PREPARATION SESSION IRVING, TEXAS April 5, 2014 JERRY BROWN www.jerrywbrown.com AP Lit Exam Review Jerry W. Brown 1 How to read Difficult Texts A

458 views • 27 slides
The Hidden Matching-Structure of the Composition of Strips: a Polyhedral Perspective Yuri Faenza 1

The Hidden Matching-Structure of the Composition of Strips: a Polyhedral Perspective Yuri Faenza 1

Definitions and known results Testing membership for SSP of composition of strips Extended formulation, projection and separation Consequences for claw-free graphs The Hidden Matching-Structure of the Composition of Strips: a Polyhedral

226 views • 21 slides
AS Music: Composition (SMU21) Agenda Welcome & Introduction Unit Overview The

AS Music: Composition (SMU21) Agenda Welcome & Introduction Unit Overview The

Agreement Trial AS Music: Composition (SMU21) Agenda Welcome & Introduction Unit Overview The moderation process General feedback on Composition Chief Examiner / Principal Moderator Report Table Marking Questions

438 views • 14 slides
Lecture #16 Composition Nondeducibility Generalized Noninterference Restrictiveness

Lecture #16 Composition Nondeducibility Generalized Noninterference Restrictiveness

Lecture #16 Composition Nondeducibility Generalized Noninterference Restrictiveness February 25, 2009 ECS 235B, Winter Quarter 2009 Slide #16-1 Matt Bishop, UC Davis Policy Composition I Assumed: Output function of input

761 views • 45 slides
Towards Abstractions for Web Services Composition Manuel Mazzara Manuel Mazzara Towards

Towards Abstractions for Web Services Composition Manuel Mazzara Manuel Mazzara Towards

Background Composition Foundations Goals Theory Translation Time Towards Abstractions for Web Services Composition Manuel Mazzara Manuel Mazzara Towards Abstractions for Web Services Composition Background Composition Foundations

536 views • 53 slides
Accurate Polymorphism Detection Nevena Milojkovi Software Composition Group University of

Accurate Polymorphism Detection Nevena Milojkovi Software Composition Group University of

Accurate Polymorphism Detection Nevena Milojkovi Software Composition Group University of Bern Problem public static void main(String[] args){ AttributeFigure figure = new ComponentFigure(); figure.basicDisplayBox( point1, point2); }

292 views • 14 slides
Composition operators on Sobolev spaces* A. Ukhlov Ben-Gurion University of the Negev, Israel

Composition operators on Sobolev spaces* A. Ukhlov Ben-Gurion University of the Negev, Israel

Composition operators on Sobolev spaces* A. Ukhlov Ben-Gurion University of the Negev, Israel (*joint works with V. Goldshtein and S. K. Vodopyanov) The Dirichlet problem and composition operators We study composition operators on Sobolev

386 views • 27 slides

More recommend