Statistical WI (and more) in Two-Messages Yael Tauman Kalai Joint - PowerPoint PPT Presentation

Statistical WI (and more) in Two-Messages Yael Tauman Kalai Joint work with: Dakshita Khurana and Amit Sahai

Interactive Proofs [Goldwasser-Micali-Rackoff85, Babai85] Zero-knowledge proofs for all 𝑶𝑸! [Goldreich-Micali-Wigderson87 ] 𝑦 ∈ ℒ? 𝑦 ∉ ℒ? 𝑦 ∈ ℒ? 𝑥 𝑥 ∗ P V P V P Statistical zero-knowledge accept arguments for all 𝑶𝑸! [Brassard-Chaum-Crepeau88] Preserve Secrecy? Proof : Sound against unbounded 𝑄 ∗ Argument : Sound against non-uniform PPT 𝑄 ∗

Computational Secrecy [Jain-Kalai-Khurana-Rothblum17, Badrinarayanan-Garg-Ishai-Sahai-Wadia17] 2-msg 𝑃𝑈 scheme 𝑦 ∈ ℒ? 𝑦 ∈ ℒ? 𝑥 𝑥 𝑑𝑝𝑛 𝑓 [Biel-Meyer-Wetzel99] [Kalai-Raz09] 𝑓 ← {0,1} PIR Heuristic P V P V 𝑨 𝑑𝑝𝑛 𝑨 Soundness: Against poly-size 𝑄 ∗ , 3-Round Zero-Knowledge Proof for Graph assuming 𝑃𝑈 is “more secure” than 𝑑𝑝𝑛. Hamiltonicity [Kalai-Raz09] (with soundness ½) Secrecy: Witness Indistinguishable (and more) [JKKR17, BGISW17]

This Work: Statistical Secrecy Statistically 2-msg hiding 𝑃𝑈 scheme commitment 𝑦 ∈ ℒ? 𝑦 ∈ ℒ? 𝑥 𝑥 𝑑𝑝𝑛 1 𝑓 𝑑𝑝𝑛 1 𝑑𝑝𝑛 2 P V 𝑓 ← {0,1} P V 𝑨 𝑑𝑝𝑛 2 𝑨 4-Round Soundness: ?? Statistical Zero-Knowledge argument (with soundness ½) Secrecy: ?? “Theorem”: Resulting 2-msg protocol is statistically witness indistinguishable (and more)

2-Message OT [Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01] 𝑁𝑓𝑡𝑡𝑏𝑕𝑓𝑡 (𝑛 0 , 𝑛 1 ) 𝐷ℎ𝑝𝑗𝑑𝑓 𝑐𝑗𝑢 𝑐 𝑐 R S 𝑛 0 , 𝑛 1 𝑛 𝑐

2-Message OT [Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01] 𝑁𝑓𝑡𝑡𝑏𝑕𝑓𝑡 (𝑛 0 , 𝑛 1 ) 𝐷ℎ𝑝𝑗𝑑𝑓 𝑐𝑗𝑢 𝑐 𝑐 S ∗ R 𝑛 0 , 𝑛 1 𝑛 𝑐 ∀ 𝑄𝑄𝑈 𝑇 ∗ cannot guess b -

2-Message OT [Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01] 𝑁𝑓𝑡𝑡𝑏𝑕𝑓𝑡 (𝑛 0 , 𝑛 1 ) 𝐷ℎ𝑝𝑗𝑑𝑓 𝑐𝑗𝑢 𝑐 𝑐 R ∗ S 𝑛 0 , 𝑛 1 Super- poly 𝑛 𝑐 ∀ 𝑄𝑄𝑈 𝑇 ∗ cannot guess b - ∀ unbounded 𝑆 ∗ : 𝑆 ∗ does not learn anything about 𝑛 1−𝑐 - [Naor-Pinkas01]: construction from DDH [Halevi-Kalai05]: Quadratic Residuosity or N th Residuosity

This Work: Statistical Secrecy Statistically 2-msg hiding 𝑃𝑈 scheme commitment 𝑦 ∈ ℒ? 𝑦 ∈ ℒ? 𝑥 𝑥 𝑑𝑝𝑛 1 𝑓 𝑑𝑝𝑛 1 𝑑𝑝𝑛 2 P V 𝑓 ← {0,1} P V 𝑨 𝑑𝑝𝑛 2 𝑨 4-Round Soundness: Statistical Zero-Knowledge argument (with soundness ½) Secrecy: Theorem 1: Resulting 2-msg protocol is statistically witness indistinguishable (and more)

Round Reduction for Interactive Proofs Fiat-Shamir heuristic  Secure when applied to proofs [Kalai-Rothblum-Rothblum17, Canetti-Chen-Reyzin-Rothblum18]  Insecure when applied to arguments [Barak01, Goldwasser-Kalai03] PIR heuristic  Secure when applied to proofs [Kalai-Raz09]  Seems to be insecure when applied to arguments [Gentry-Wichs11, Dodis-Halevi-Rothblum-Wichs16, Brakerski-Kalai-Perlman17]

This Work: Statistical Secrecy Statistically hiding commitment 𝑦 ∈ ℒ? 𝑦 ∈ ℒ? 𝑥 𝑥 𝑑𝑝𝑛 1 𝑓 𝑑𝑝𝑛 1 𝑑𝑝𝑛 2 P V 𝑓 ← {0,1} P V 𝑨 𝑑𝑝𝑛 2 𝑨 4-Round Statistical Zero-Knowledge argument (with soundness ½)

This Work: Statistical Secrecy Statistically hiding commitment 𝑦 ∈ ℒ? 𝑦 ∈ ℒ? 𝑥 𝑥 𝑑𝑝𝑛 1 𝑓 𝑑𝑝𝑛 1 𝑑𝑝𝑛 2 P V 𝑓 ← {0,1} P V 𝑨 𝑑𝑝𝑛 2 𝑨 Special Commitment Scheme!  extractable Almost always statistically hiding Statistical ZK   With small probability statistically binding Sound  Hard to distinguish between these two modes

Statistically-Hiding Extractable Commitments Say what?

Statistically-Hiding Extractable Commitments Inspired by [Khurana-Sahai17] C R Statistically hiding Computational binding • With small probability, switches to statistical (extractable) binding mode • Committer cannot tell whether statistically binding or hiding

Statistically-Hiding Extractable Commitments (basic protocol) Inspired by [Khurana-Sahai17] 𝑐 ← {0,1} 𝑐 𝐷(𝑁) 𝑆 Sample random r ← 0,1 𝑁 0 , 𝑁 1 𝑠 Set 𝑁 𝑠 = 𝑁 Set 𝑁 1−𝑠 = 𝑉 W.p. ½: Statistically hiding ( 𝑠 ≠ 𝑐) W.p. ½: Extractable (𝑠 = 𝑐)

Additional Results: Statistically hiding commitment 𝑦 ∈ ℒ? 𝑦 ∈ ℒ? 𝑥 𝑥 𝑑𝑝𝑛 1 𝑓 𝑑𝑝𝑛 1 𝑑𝑝𝑛 2 P V P V 𝑨 𝑓 ← {0,1} 𝑑𝑝𝑛 2 𝑨 4-Round Similar to 1. Statistical WI [JKKR17] Statistical Zero-Knowledge argument (with soundness ½) 2. Adaptive soundness 3. In delayed input setting: Statistical distributional weak ZK Strong statistical WI

Summary ry Thm: ∃ 2-msg statistical WI argument for NP, assuming quasi-poly secure OT 𝑦 ∈ ℒ? 𝑦 ∈ ℒ? 𝑑𝑝𝑛 1 [Biel-Meyer-Wetzel99] 𝑓 𝑑𝑝𝑛 1 [Kalai-Raz09] 𝑑𝑝𝑛 2 PIR Heuristic P V P V 𝑓 𝑨 𝑑𝑝𝑛 2 𝑨 Reducing interaction from interactive arguments via PIR heuristic can be sound! By constructing statistical and extractable commitments!