On the Existence of Three Round Zero-Knowledge Proofs
Nils Fleischhacker, Vipul Goyal, Abhishek Jain
Tel Aviv, May 2, 2018

Round-Complexity of ZK-Proofs for NP
[Figure: results of [GO94], [GK96], [Katz08] (black box simulation) and [KRR17] (public coin).]

The Result
Assuming sub-exponentially secure iO and sub-exponentially secure PRFs as well as exponentially secure input-hiding obfuscation for multi-bit point functions, even private coin three round zero-knowledge proofs can only exist for languages in BPP.

What About Four Rounds?
◮ We do not expect our technique to easily extend to four rounds.
◮ Our result extends to a weaker notion of $\epsilon$-ZK.
◮ For $\epsilon$-ZK, four round private coin protocols exist based on keyless multi-collision resistant hash functions (MCRH). [BKP17]

Compressing Proofs
Sadly, it’s not that simple.

Proofs vs. Arguments
We lose statistical soundness. $\Pi'$ is only an argument.
[Diagram labels: $\Pi'$ sound, $\Pi$ sound, $\Pi$ not ZK.]
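
How to Compress Proofs
Prover: $\alpha \leftarrow P_1(x, w)$, sends $\alpha$.
Verifier: $\beta \leftarrow V_1(x, \alpha)$ (in the public coin case: $\beta \xleftarrow{\$} \{0,1\}^n$), sends $\beta$.
Prover: $\gamma \leftarrow P_2(x, w)$, sends $\gamma$.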
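
The Public Coin Case
Verifier: $H \xleftarrow{\$} \mathcal{H}$, sends $H$.
Prover: $\alpha \leftarrow P_1(x, w)$; $\beta := H(x, \alpha)$ (replacing $\beta \xleftarrow{\$} \{0,1\}^n$); $\gamma \leftarrow P_2(x, w)$; sends $(\alpha, )$.
[KRR17]: $H := \mathsf{iO}(\mathsf{PRF}_k(\cdot))$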
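
But What About Private Coin?
$C_V[k, x](\alpha)$:
    $s := \mathsf{PRF}_k(\alpha)$
    $\beta := V_1(x, \alpha; s)$
    return $\beta$
Verifier: $B \leftarrow \mathsf{iO}(C_V[k, x])$, sends $B$.
Prover: $\alpha \leftarrow P_1(x, w)$; $\beta := B(\alpha)$ (replacing $\beta \leftarrow V_1(x, \alpha)$); $\gamma \leftarrow P_2(x, w)$; sends $(\alpha, )$.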

How to Prove it.
We need to prove two things:
1. If $\Pi'$ is sound then $\Pi$ is not zero knowledge.
2. The compression preserves soundness. I.e., if $\Pi$ is sound then $\Pi'$ is also sound.
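
$\Pi'$ sound $\implies$ $\Pi'$ not ZK
[Diagram, after [GO94]: a verifier with auxiliary input aux replies $\beta \leftarrow \mathrm{aux}(\alpha)$ and the interaction yields $(\alpha, \beta, \gamma)$; Sim, given aux, outputs $(\alpha', \beta', \gamma')$ with $(\alpha', \beta', \gamma') \approx_c (\alpha, \beta, \gamma)$.]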

$\Pi'$ sound $\implies$ $\Pi'$ not ZK
$B$
$(\alpha, \beta, \gamma) \leftarrow \mathrm{Sim}(B)$
$(\alpha, \gamma)$
$(x^* \in L) \approx_c (x^* \notin L)$ unless $L \in \mathrm{BPP}$
But is it sound?

How Can a Prover Cheat? Defining Bad Alphas.
[Figure labels: $\alpha$, Bad.]
1. Specify a set of bad $\alpha$’s.
2. Prove that a cheating prover must use a bad $\alpha$ to cheat.
3. Prove that bad $\alpha$’s remain hidden by the obfuscation.

How Can a Prover Cheat? Defining Bad Alphas.
[Figure labels: $\alpha$, Bad.]
◮ In the public coin case, defining bad $\alpha$’s is trivial: any $\alpha$ such that for $\beta := \mathsf{PRF}_k(\alpha)$ there exists an accepting $\gamma$.
◮ In the private coin case, however, there may always be accepting $\gamma$’s.
◮ But those $\gamma$’s depend on which consistent random tape was used.
◮ Security of iO and puncturable PRF hide which random tape was used.

Bad Alphas in the Private Coin Case.
[Figure labels: $\alpha$, Bad.]
◮ An $\alpha$ is bad if the random tape $s := \mathsf{PRF}_k(\alpha)$ leads to a $\beta$ such that for $(\alpha, \beta)$ there exists $\gamma$ that will be accepted by the verifier with high probability over all consistent random tapes.

Hiding Bad Alphas.
◮ A cheating prover will output a bad $\alpha$ with high probability.
◮ This can lead to a direct contradiction with the soundness of $\Pi$ but incurs an exponential loss.
◮ We follow the approach of [KRR17] and “transfer” the loss to a separate primitive.

Input Hiding Obfuscation of Multi-Bit Point Functions
[Diagram: $(\alpha^*, s^*)$ → hideO → $B$]
Correctness: $B(\alpha^*) = s^*$ and $\forall \alpha \neq \alpha^* : B(\alpha) = \bot$
Security: $\Pr[\mathcal{A}(B, 1^n) = \alpha^*] \le 2^{-n}$
Can be instantiated in the generic group model by [CD08] as shown in [BC10] based on a strong variant of DDH.

Transferring the Loss
$C_{\mathrm{pct}}[k, \alpha^*, \beta^*](\alpha)$:
    if $\alpha \stackrel{?}{=} \alpha^*$
        $\beta := \beta^*$
    else
        $s := \mathsf{PRF}_k(\alpha)$
        $\beta := V_1(x, \alpha; s)$
    return $\beta$
$C_{\mathrm{hide}}[k, B](\alpha)$:
    $s := B(\alpha)$
    if $s = \bot$
        $s := \mathsf{PRF}_k(\alpha)$
    $\beta := V_1(x^*, \alpha; s)$
    return $\beta$
Conditioned on $\alpha^*$ being bad we get that
$$\Pr_{k,\alpha^*,s^*,\mathsf{iO},\mathcal{A}}\Big[ P^*\big(\mathsf{iO}(C_{\mathrm{pct}}[k\{\alpha^*\}, \alpha^*, V_1(x^*, \alpha; s^*)])\big) = (\alpha^*, \gamma) \Big]$$
is slightly higher than random chance.
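
The hybrid steps behind the "But What About Private Coin?" and "Transferring the Loss" slides swap one obfuscated circuit for another, which iO permits only when the two circuits compute the same function. The Python sketch below is an added example, not code from the talk: it omits obfuscation entirely, models $\mathsf{PRF}_k$ with HMAC-SHA256 and $V_1$ with a hash-based stand-in over a one-byte $\alpha$ domain (all assumptions, with one statement x used throughout), and checks which pairs of circuits are functionally equivalent.

```python
import hashlib
import hmac

ALPHAS = [bytes([i]) for i in range(256)]  # toy first-message space (constructed)

def prf(k: bytes, alpha: bytes) -> bytes:
    """Stand-in for PRF_k(alpha); HMAC-SHA256 is an assumption of this sketch."""
    return hmac.new(k, alpha, hashlib.sha256).digest()

def v1(x: bytes, alpha: bytes, s: bytes) -> bytes:
    """Toy private-coin V_1(x, alpha; s): beta is computed from the tape s, not equal to it."""
    return hashlib.sha256(b"V1|" + x + b"|" + alpha + b"|" + s).digest()[:8]

def c_v(k, x):
    """C_V[k, x]: derive the random tape from alpha, then run V_1."""
    return lambda alpha: v1(x, alpha, prf(k, alpha))

def c_pct(k, x, alpha_star, beta_star):
    """C_pct[k, alpha*, beta*]: hardwired beta* at alpha*, PRF tape elsewhere."""
    def circuit(alpha):
        if alpha == alpha_star:
            return beta_star  # the key is never evaluated at alpha* (punctured point)
        return v1(x, alpha, prf(k, alpha))
    return circuit

def point_function(alpha_star, s_star):
    """Unobfuscated multi-bit point function: alpha* -> s*, anything else -> None (bottom)."""
    return lambda alpha: s_star if alpha == alpha_star else None

def c_hide(k, x, B):
    """C_hide[k, B]: take the tape from B if it answers, else from the PRF."""
    def circuit(alpha):
        s = B(alpha)
        if s is None:
            s = prf(k, alpha)
        return v1(x, alpha, s)
    return circuit

def equivalent(c1, c2) -> bool:
    """Exhaustive functional-equivalence check over the toy domain."""
    return all(c1(a) == c2(a) for a in ALPHAS)

def hybrid_checks(k=b"k" * 32, x=b"statement", alpha_star=b"\x2a", s_star=b"\x07" * 32):
    real = c_v(k, x)
    h1 = c_pct(k, x, alpha_star, v1(x, alpha_star, prf(k, alpha_star)))  # beta* from PRF tape
    h2 = c_pct(k, x, alpha_star, v1(x, alpha_star, s_star))  # tape at alpha* replaced by s*
    h3 = c_hide(k, x, point_function(alpha_star, s_star))  # tape at alpha* supplied by B
    return equivalent(real, h1), equivalent(h2, h3), equivalent(real, h2)
```

The first two pairs are equivalent and so can be exchanged under iO; the third pair differs at exactly $\alpha^*$, so that step rests on PRF security at the punctured point rather than on iO.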

Conclusion
Assuming sub-exponentially secure iO and sub-exponentially secure PRFs as well as exponentially secure input-hiding obfuscation for multi-bit point functions, three round zero-knowledge proofs can only exist for languages in BPP.
Thanks!
ia.cr/2018/167