statistical wi and more
play

Statistical WI (and more) in Two-Messages Yael Tauman Kalai Joint - PowerPoint PPT Presentation

Statistical WI (and more) in Two-Messages Yael Tauman Kalai Joint work with: Dakshita Khurana and Amit Sahai Interactive Proofs [Goldwasser-Micali-Rackoff85, Babai85] Zero-knowledge proofs for all ! [Goldreich-Micali-Wigderson87 ]


  1. Statistical WI (and more) in Two-Messages Yael Tauman Kalai Joint work with: Dakshita Khurana and Amit Sahai

  2. Interactive Proofs [Goldwasser-Micali-Rackoff85, Babai85] Zero-knowledge proofs for all 𝑢𝑸! [Goldreich-Micali-Wigderson87 ] 𝑦 ∈ β„’? 𝑦 βˆ‰ β„’? 𝑦 ∈ β„’? π‘₯ π‘₯ βˆ— P V P V P Statistical zero-knowledge accept arguments for all 𝑢𝑸! [Brassard-Chaum-Crepeau88] Preserve Secrecy? Proof : Sound against unbounded 𝑄 βˆ— Argument : Sound against non-uniform PPT 𝑄 βˆ—

  3. Computational Secrecy [Jain-Kalai-Khurana-Rothblum17, Badrinarayanan-Garg-Ishai-Sahai-Wadia17] 2-msg π‘ƒπ‘ˆ scheme 𝑦 ∈ β„’? 𝑦 ∈ β„’? π‘₯ π‘₯ 𝑑𝑝𝑛 𝑓 [Biel-Meyer-Wetzel99] [Kalai-Raz09] 𝑓 ← {0,1} PIR Heuristic P V P V 𝑨 𝑑𝑝𝑛 𝑨 Soundness: Against poly-size 𝑄 βˆ— , 3-Round Zero-Knowledge Proof for Graph assuming π‘ƒπ‘ˆ is β€œmore secure” than 𝑑𝑝𝑛. Hamiltonicity [Kalai-Raz09] (with soundness Β½) Secrecy: Witness Indistinguishable (and more) [JKKR17, BGISW17]

  4. This Work: Statistical Secrecy Statistically 2-msg hiding π‘ƒπ‘ˆ scheme commitment 𝑦 ∈ β„’? 𝑦 ∈ β„’? π‘₯ π‘₯ 𝑑𝑝𝑛 1 𝑓 𝑑𝑝𝑛 1 𝑑𝑝𝑛 2 P V 𝑓 ← {0,1} P V 𝑨 𝑑𝑝𝑛 2 𝑨 4-Round Soundness: ?? Statistical Zero-Knowledge argument (with soundness Β½) Secrecy: ?? β€œTheorem”: Resulting 2-msg protocol is statistically witness indistinguishable (and more)

  5. 2-Message OT [Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01] 𝑁𝑓𝑑𝑑𝑏𝑕𝑓𝑑 (𝑛 0 , 𝑛 1 ) π·β„Žπ‘π‘—π‘‘π‘“ 𝑐𝑗𝑒 𝑐 𝑐 R S 𝑛 0 , 𝑛 1 𝑛 𝑐

  6. 2-Message OT [Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01] 𝑁𝑓𝑑𝑑𝑏𝑕𝑓𝑑 (𝑛 0 , 𝑛 1 ) π·β„Žπ‘π‘—π‘‘π‘“ 𝑐𝑗𝑒 𝑐 𝑐 S βˆ— R 𝑛 0 , 𝑛 1 𝑛 𝑐 βˆ€ π‘„π‘„π‘ˆ 𝑇 βˆ— cannot guess b -

  7. 2-Message OT [Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01] 𝑁𝑓𝑑𝑑𝑏𝑕𝑓𝑑 (𝑛 0 , 𝑛 1 ) π·β„Žπ‘π‘—π‘‘π‘“ 𝑐𝑗𝑒 𝑐 𝑐 R βˆ— S 𝑛 0 , 𝑛 1 Super- poly 𝑛 𝑐 βˆ€ π‘„π‘„π‘ˆ 𝑇 βˆ— cannot guess b - βˆ€ unbounded 𝑆 βˆ— : 𝑆 βˆ— does not learn anything about 𝑛 1βˆ’π‘ - [Naor-Pinkas01]: construction from DDH [Halevi-Kalai05]: Quadratic Residuosity or N th Residuosity

  8. This Work: Statistical Secrecy Statistically 2-msg hiding π‘ƒπ‘ˆ scheme commitment 𝑦 ∈ β„’? 𝑦 ∈ β„’? π‘₯ π‘₯ 𝑑𝑝𝑛 1 𝑓 𝑑𝑝𝑛 1 𝑑𝑝𝑛 2 P V 𝑓 ← {0,1} P V 𝑨 𝑑𝑝𝑛 2 𝑨 4-Round Soundness: Statistical Zero-Knowledge argument (with soundness Β½) Secrecy: Theorem 1: Resulting 2-msg protocol is statistically witness indistinguishable (and more)

  9. Round Reduction for Interactive Proofs Fiat-Shamir heuristic  Secure when applied to proofs [Kalai-Rothblum-Rothblum17, Canetti-Chen-Reyzin-Rothblum18]  Insecure when applied to arguments [Barak01, Goldwasser-Kalai03] PIR heuristic  Secure when applied to proofs [Kalai-Raz09]  Seems to be insecure when applied to arguments [Gentry-Wichs11, Dodis-Halevi-Rothblum-Wichs16, Brakerski-Kalai-Perlman17]

  10. This Work: Statistical Secrecy Statistically hiding commitment 𝑦 ∈ β„’? 𝑦 ∈ β„’? π‘₯ π‘₯ 𝑑𝑝𝑛 1 𝑓 𝑑𝑝𝑛 1 𝑑𝑝𝑛 2 P V 𝑓 ← {0,1} P V 𝑨 𝑑𝑝𝑛 2 𝑨 4-Round Statistical Zero-Knowledge argument (with soundness Β½)

  11. This Work: Statistical Secrecy Statistically hiding commitment 𝑦 ∈ β„’? 𝑦 ∈ β„’? π‘₯ π‘₯ 𝑑𝑝𝑛 1 𝑓 𝑑𝑝𝑛 1 𝑑𝑝𝑛 2 P V 𝑓 ← {0,1} P V 𝑨 𝑑𝑝𝑛 2 𝑨 Special Commitment Scheme!  extractable Almost always statistically hiding Statistical ZK   With small probability statistically binding Sound  Hard to distinguish between these two modes

  12. Statistically-Hiding Extractable Commitments Say what?

  13. Statistically-Hiding Extractable Commitments Inspired by [Khurana-Sahai17] C R Statistically hiding Computational binding β€’ With small probability, switches to statistical (extractable) binding mode β€’ Committer cannot tell whether statistically binding or hiding

  14. Statistically-Hiding Extractable Commitments (basic protocol) Inspired by [Khurana-Sahai17] 𝑐 ← {0,1} 𝑐 𝐷(𝑁) 𝑆 Sample random r ← 0,1 𝑁 0 , 𝑁 1 𝑠 Set 𝑁 𝑠 = 𝑁 Set 𝑁 1βˆ’π‘  = 𝑉 W.p. Β½: Statistically hiding ( 𝑠 β‰  𝑐) W.p. Β½: Extractable (𝑠 = 𝑐)

  15. Additional Results: Statistically hiding commitment 𝑦 ∈ β„’? 𝑦 ∈ β„’? π‘₯ π‘₯ 𝑑𝑝𝑛 1 𝑓 𝑑𝑝𝑛 1 𝑑𝑝𝑛 2 P V P V 𝑨 𝑓 ← {0,1} 𝑑𝑝𝑛 2 𝑨 4-Round Similar to 1. Statistical WI [JKKR17] Statistical Zero-Knowledge argument (with soundness Β½) 2. Adaptive soundness 3. In delayed input setting: Statistical distributional weak ZK Strong statistical WI

  16. Summary ry Thm: βˆƒ 2-msg statistical WI argument for NP, assuming quasi-poly secure OT 𝑦 ∈ β„’? 𝑦 ∈ β„’? 𝑑𝑝𝑛 1 [Biel-Meyer-Wetzel99] 𝑓 𝑑𝑝𝑛 1 [Kalai-Raz09] 𝑑𝑝𝑛 2 PIR Heuristic P V P V 𝑓 𝑨 𝑑𝑝𝑛 2 𝑨 Reducing interaction from interactive arguments via PIR heuristic can be sound! By constructing statistical and extractable commitments!

Recommend


More recommend