Statistical WI (and more) in Two-Messages Yael Tauman Kalai Joint work with: Dakshita Khurana and Amit Sahai
Interactive Proofs [Goldwasser-Micali-Rackoff85, Babai85] Zero-knowledge proofs for all πΆπΈ! [Goldreich-Micali-Wigderson87 ] π¦ β β? π¦ β β? π¦ β β? π₯ π₯ β P V P V P Statistical zero-knowledge accept arguments for all πΆπΈ! [Brassard-Chaum-Crepeau88] Preserve Secrecy? Proof : Sound against unbounded π β Argument : Sound against non-uniform PPT π β
Computational Secrecy [Jain-Kalai-Khurana-Rothblum17, Badrinarayanan-Garg-Ishai-Sahai-Wadia17] 2-msg ππ scheme π¦ β β? π¦ β β? π₯ π₯ πππ π [Biel-Meyer-Wetzel99] [Kalai-Raz09] π β {0,1} PIR Heuristic P V P V π¨ πππ π¨ Soundness: Against poly-size π β , 3-Round Zero-Knowledge Proof for Graph assuming ππ is βmore secureβ than πππ. Hamiltonicity [Kalai-Raz09] (with soundness Β½) Secrecy: Witness Indistinguishable (and more) [JKKR17, BGISW17]
This Work: Statistical Secrecy Statistically 2-msg hiding ππ scheme commitment π¦ β β? π¦ β β? π₯ π₯ πππ 1 π πππ 1 πππ 2 P V π β {0,1} P V π¨ πππ 2 π¨ 4-Round Soundness: ?? Statistical Zero-Knowledge argument (with soundness Β½) Secrecy: ?? βTheoremβ: Resulting 2-msg protocol is statistically witness indistinguishable (and more)
2-Message OT [Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01] πππ‘π‘ππππ‘ (π 0 , π 1 ) π·βππππ πππ’ π π R S π 0 , π 1 π π
2-Message OT [Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01] πππ‘π‘ππππ‘ (π 0 , π 1 ) π·βππππ πππ’ π π S β R π 0 , π 1 π π β πππ π β cannot guess b -
2-Message OT [Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01] πππ‘π‘ππππ‘ (π 0 , π 1 ) π·βππππ πππ’ π π R β S π 0 , π 1 Super- poly π π β πππ π β cannot guess b - β unbounded π β : π β does not learn anything about π 1βπ - [Naor-Pinkas01]: construction from DDH [Halevi-Kalai05]: Quadratic Residuosity or N th Residuosity
This Work: Statistical Secrecy Statistically 2-msg hiding ππ scheme commitment π¦ β β? π¦ β β? π₯ π₯ πππ 1 π πππ 1 πππ 2 P V π β {0,1} P V π¨ πππ 2 π¨ 4-Round Soundness: Statistical Zero-Knowledge argument (with soundness Β½) Secrecy: Theorem 1: Resulting 2-msg protocol is statistically witness indistinguishable (and more)
Round Reduction for Interactive Proofs Fiat-Shamir heuristic ο§ Secure when applied to proofs [Kalai-Rothblum-Rothblum17, Canetti-Chen-Reyzin-Rothblum18] ο§ Insecure when applied to arguments [Barak01, Goldwasser-Kalai03] PIR heuristic ο§ Secure when applied to proofs [Kalai-Raz09] ο§ Seems to be insecure when applied to arguments [Gentry-Wichs11, Dodis-Halevi-Rothblum-Wichs16, Brakerski-Kalai-Perlman17]
This Work: Statistical Secrecy Statistically hiding commitment π¦ β β? π¦ β β? π₯ π₯ πππ 1 π πππ 1 πππ 2 P V π β {0,1} P V π¨ πππ 2 π¨ 4-Round Statistical Zero-Knowledge argument (with soundness Β½)
This Work: Statistical Secrecy Statistically hiding commitment π¦ β β? π¦ β β? π₯ π₯ πππ 1 π πππ 1 πππ 2 P V π β {0,1} P V π¨ πππ 2 π¨ Special Commitment Scheme! ο§ extractable Almost always statistically hiding Statistical ZK ο§ ο§ With small probability statistically binding Sound ο§ Hard to distinguish between these two modes
Statistically-Hiding Extractable Commitments Say what?
Statistically-Hiding Extractable Commitments Inspired by [Khurana-Sahai17] C R Statistically hiding Computational binding β’ With small probability, switches to statistical (extractable) binding mode β’ Committer cannot tell whether statistically binding or hiding
Statistically-Hiding Extractable Commitments (basic protocol) Inspired by [Khurana-Sahai17] π β {0,1} π π·(π) π Sample random r β 0,1 π 0 , π 1 π Set π π = π Set π 1βπ = π W.p. Β½: Statistically hiding ( π β π) W.p. Β½: Extractable (π = π)
Additional Results: Statistically hiding commitment π¦ β β? π¦ β β? π₯ π₯ πππ 1 π πππ 1 πππ 2 P V P V π¨ π β {0,1} πππ 2 π¨ 4-Round Similar to 1. Statistical WI [JKKR17] Statistical Zero-Knowledge argument (with soundness Β½) 2. Adaptive soundness 3. In delayed input setting: Statistical distributional weak ZK Strong statistical WI
Summary ry Thm: β 2-msg statistical WI argument for NP, assuming quasi-poly secure OT π¦ β β? π¦ β β? πππ 1 [Biel-Meyer-Wetzel99] π πππ 1 [Kalai-Raz09] πππ 2 PIR Heuristic P V P V π π¨ πππ 2 π¨ Reducing interaction from interactive arguments via PIR heuristic can be sound! By constructing statistical and extractable commitments!
Recommend
More recommend
