1 / 35

On Non-Black-Box Proofs of Security

On Non-Black-Box Proofs of Security. Boaz Barak Princeton. B. x : instance of X. solution for x. Prototypical Crypto Thm : If problem X is hard then scheme Y is secure. Examples:. 9 OWF ) 9 signature schemes [NaorYung,Rompel].

isleen
Télécharger la présentation

On Non-Black-Box Proofs of Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On Non-Black-Box Proofs of Security Boaz BarakPrinceton

  2. B x: instance of X solution for x Prototypical Crypto Thm: If problem X is hard then scheme Y is secure. Examples: • 9 OWF )9 signature schemes [NaorYung,Rompel] • DDH hard )9 CCA-secure encryption [CramerShoup98] Contrapositive: 9 poly-alg A breaking Y)9 poly-alg B for X Typical proof: Show generic B using A as subroutine. A We call this a black-box proof of security. In a non-black-box proof, B can use the code of A (not to be confused w/ black-box vs. non-black-box constructions)

  3. f (Alice, Bob) Underlying primitive. f Security proof Adversary Eve Adv Non-black-box proofs of security:1. Security proof may use code of underlying primitive (i.e., f)(examples: using specific assumptions, Cook-Levin) 2. Security proof may use code of adversary(this talk) More Formally: (Strongly) Black-Box Reductions (for OWF KA)  eff. (Alice, Bob), eff. Adv s.t. fand Eve[ Eve breaks (Alicef,Bobf) ) Advf, Eve inverts f]

  4. Non-Black-Box Security Proofs Advantages: • More general proof technique, can prove more thms. • Bypass proven limitations of black-box proofs. (Somewhat surprisingly, without “real” understanding of computation.) Disadvantages: • Less robust proofs, more dependence on model. • E.g.: Uniform TMs vs. circuits, quantum algorithms. • Seem to come at steep cost in efficiency.

  5. Applications of Non-BB Proofs: Composable protocols: • O(1)-round bounded concurrent zero-knowledge (ZK) [B.01] • O(1)-round concurrent, non-malleable commitments [B.02], [PassRosen05a], [PassRosen05b] • Concurrent, non-malleable general computation [Lindell03],[PassRosen03],[Pass04], [B.Sahai05] Strong Forms of Zero Knowledge: • Resettable ZK proof of knowledge [B.GoldwasserGoldreichLindell01] • Resettably-sound ZK • ZK with strict poly-time simulation & extraction [B.Lindell02] O(1)-round general multiparty computation [KatzOstrovskySmith03],[Pass04]

  6. Plan I Basic Non-BB ZK Protocol [B.01] II Making it bounded-concurrent [B.01] III Making it bounded non-malleable. [Pass.04] IV Unbounded concurrency and non-malleability using super-polynomial simulation. [B.Sahai.04] V Limitations and open questions.

  7. I Non-Black-Box Zero Knowledge Zero Knowledge Proof: P proves to V that stmt x is true. (e.g., x = “string y is encryption of 0” x = “graph G is 3-colorable” ) Stmt: x 2 {0,1}n Witness: c:[n]{R,G,B} P V “accept”/”reject”

  8. Zero Knowledge: 8 (possibly cheating) V*, 9S s.t. S(x)»V*’s view in exec with P(w) S( ) P V* » I Non-Black-Box Zero Knowledge Zero Knowledge Proof: P proves to V that stmt x is true. (e.g., x = “string y is encryption of 0” x = “graph G is 3-colorable” ) Completeness: P runs in poly-time given witnessw for x. Soundness: If x false, V accepts w.p. < negl(n)=n-(1)

  9. Black-Box ZK: S uses V* as a black-box subroutine. (i.e. uses subroutine for V*’s next-message function) Non-BB ZK: S uses the code of V* I Non-Black-Box Zero Knowledge Zero Knowledge Proof: P proves to V that stmt x is true. (e.g., x = “string y is encryption of 0” x = “graph G is 3-colorable” ) Zero Knowledge: 8 (possibly cheating) V*, 9S s.t. S(x)»V*’s view in exec with P(w) V* S( ) , P V* »

  10. Some Tools Commitments: Efficient func Com:{0,1}k£{0,1}n{0,1}m [Blum84],[Naor91] Hiding: 8 x,x’ Com(x,Un) » Com(x’,Un) Binding:x x’ Com(x,{0,1}n), Com(x’,{0,1}n) disjoint x (Notation:Com(x) = Com(x,Un) ) Collision Resistant Hash (CRH): Collection H of efficient functions {0,1}*{0,1}n s.t. for random h2H hard to find xx’ w/ h(x)=h(x’) (implies CRH from {0,1}2n to {0,1}n) [GoldwasserMicaliRivest84], SHA1,AES,… When proving x1Çx2, verifier can’t tell witness used. Witness Indistinguishable Proofs (WI): • Implied by zero knowledge. • Closed under concurrent composition. [FeigeShamir90]

  11. z=Com(r’) r=V*(z) r 2R {0,1}n UAWI either 1) x is true. or 2) r’=r A Flawed Zero Knowledge Protocol Completeness: Stmt: x 2 {0,1}n P V* V Prover has efficient strategy using witness for x Soundness: Suppose x is false. Let z be prover’s message.Denote r’=Com-1(z) Pr[ r = r’ ] = 2-n Zero Knowledge: Let V* be possibly cheating ver. Assume w.l.o.g V* deterministic Sim’s goal: z=Com(r) Find r s.t. r=V*(Com(r)) Problem: could take 2n guesses.

  12. Stmt: x 2 {0,1}n P V guess r z=Com(r’) r=V*(z) Stmt true r 2R {0,1}n r 2R {0,1}n or I guessed r UAWI either 1) x is true. or 2) r’=r Flawed Protocol – High Level View Stmt: x 2 {0,1}n P V

  13. n bits description TO(1) long proof M x  T running time Main Tool – Universal Arguments Interactive proof system for super-polynomial languages. [Kilian92],[Micali94],[B.Goldreich02] Based on following variant of PCP thm: [BabaiFortnowLevinSzegedy91] Every statement verifiable in T time deterministically, can be proven in polylog(T) time in “prob. proof in sky” (PCP) model. c queries Statement: “M(x)=1” 2-(c) error Verifier (Mcan be deterministic/non-det) c¢polylog(T) time

  14. n bits description TO(1) long proof M x Using commitments and ZK/WI proofs for NP can get UAZK/UAWIw/ same parameters.  T running time h:{0,1}2k{0,1}k Is proof of knowledge h col-res hash [B.Goldreich02] root = root of hash tree of   = q1,…,qc PCP ver queries Answers + paths in tree Universal Arguments [Kilian92,Micali94],… invoke h … P V [Merkle] Prover time: poly(T) Soundness: negl(k) Communication: k¢polylog(T) Verifier time:k¢polylog(T)+poly(n)

  15. M: Turing machine. Honest prover uses “junk” TM: always outputs 0 CRH h:{0,1}*{0,1}n z=Com(h(V*)) z=Com(h(M)) r=V*(z) Inherently non-BB simulator. r 2R {0,1}n [GoldreichKrawczyck86] Note use of UA property. UAWI either 1) x is true. or 2) M(z)=r (in ·nlog n steps) Basic Non-BB Zero Knowledge [B.01] Completeness: Stmt: x 2 {0,1}n P V* V Prover has efficient strategy using witness for x Soundness: Suppose x is false. Let z be prover’s message.Assume it binds to a single TM M.Denote r’=M(z) Pr[ r = r’ ] = 2-n Zero Knowledge: Let V* be possibly cheating ver. Assume w.l.o.g V* deterministic Sim uses z=Com(h(V*))

  16. Stmt: x 2 {0,1}n P V CRH h:{0,1}*{0,1}n z=Com(h(M)) implicitly guess r r 2R {0,1}n r 2R {0,1}n UAWI either Stmt true or 1) x is true. or I guessed r 2) M(z)=r (in ·nlog n steps) High Level View: Basic Non-BB ZK [B.01] Stmt: x 2 {0,1}n P V

  17. [CanettiKilianPetrankRosen01] Requires ~(log n) rounds for BB ZK. …,[PrabhakaranRosenSahai03] II Bounded-Concurrent ZK Concurrent ZK: Coordinated attack of several verifiers against concurrently scheduled ZK proofs. [DworkNaorSahai98],[RichardsonKilian99],… V* P1 V1 P2 V2 P3 V3 Bounded Concurrent: t sessions. Protocol communication and time poly(t,n). Challenging because typical “rewinding” technique blows up simulation time.

  18. h h z=Com(h(V*)) z=Com(h(V*)) r=V*(z) UAWI either UAWI either 1) x is true. 1) x is true. 2) M(z)=r 2) M(z)=r r=V*(z,trans) Is Basic Protocol Concurrent ZK? Stmt: x 2 {0,1}n Stmt: x 2 {0,1}n P1 V* P2 V* trans ?

  19. Stmt: x 2 {0,1}n Stmt: x 2 {0,1}n P1 V* P2 V* h h z=Com(h(V*)) z=Com(h(V*)) r=V*(z) UAWI either UAWI either 1) x is true. 1) x is true. trans 2) M(z)=r 2) M(z)=r r=V*(z,trans) ? Is Basic Protocol Concurrent ZK?

  20. Stmt: x 2 {0,1}n Stmt: x 2 {0,1}n P1 V* P2 V* h h z=Com(h(V*)) z=Com(h(V*)) r=V*(z) UAWI either UAWI either 1) x is true. 1) x is true. trans 2) M(z)=r 2) M(z)=r r=V*(z,trans) ? Corollary:O(1)-round bounded ZK (bcZK) for all NP. [B.01] Is Basic Protocol Concurrent ZK? Idea:relax the definition of “guessing” r Change (2) to M(z,trans)=r for some |trans| < |r|/2 That is:z is implicit guess for 2|trans| possibilities for r. (notation: guess|trans| r ) Crucial point: can ensure all proververifier msgs have length << |r|

  21. Security goal: Ensure proof to honest verifiers is sound even when simulating honest prover – simulation soundness. [Sahai00] • 2 sessions with unique id. • Arbitrary scheduling. (synchronized is hardest) Bounded non-malleability: id’s come from set of size t,protocol communication and time poly(t,n) III Non-Malleable ZK Adversary is “man-in-middle” between prover & verifier. [DworkDolevNaor90] V* P V1 P2 V [DDN]: O(logn)-rounds [B.02]: O(1)-rounds A bit different non-BB technique. [Pass04]: O(1)-rounds bounded non-mal (simpler, weaker assump) [PassRosen05a]: make [Pass04]unbounded NM

  22. Is Simulation Soundness Trivial? V* P V1 P2 V x,id x’,id’ Note: known not to hold for some protocols, but why does naïve “proof” fail? Naive attempt to prove that every ZK protocol is simulation sound: First, note that in real MIM interaction, right session is sound. (otherwise combine V* and P to prover contradicting standalone soundness) To simulate – consider V and V* as one standalone verifier V’, and use simulator forV’. Simulator uses coins of V, so right session not necessarily sound. But, since simulator’s output ~ real interaction, how can simulation differ? The event that x’ is true is not efficiently observable.

  23. P imp. guess r1 V1 P2 V imp. guess r2 m1 r12R{0,1} m2 r22R{0,1} Stmt true or Stmt true or guessedm1r1 guessedm2r2 Pass’s Bounded-NMZK Protocol [Pass04] Crucial observation: use bcZK to get one-directional simulation soundness. If m1 >> |right session| then can simulate left w/o right verifier’s coins! Pass’s Protocol: 1. Use |r| = id*B(B bound on all other comm in all sessions, note id’s bounded) 2. Run another iteration w/ id = max{id} - id 3. Prove in WI that at least one of the iterations succeeded.

  24. Good News: Sufficient for concurrent secure computation of any task. [CanettiLindellOstrovskySahai02],[GoldreichMicaliWigderson87] Bad News: Impossible to achieve natural definition (UC). [Lindell03],[Lindell04] Good News: Maybe can achieve relaxed def: quasi-polynomial simulation. Implies: securely computing any task w/ qpoly simulation. [PrabhakaranSahai04] Bad News: [PS] construction uses non-standard “tailored” assumptions. Good News: Using non-BB obtain same result under standard assumptions (i.e., implied by factoring is subexp hard) [B.Sahai05] IV Concurrent+Non-Malleable ZK Many concurrent executions. Adversary corrupts both verifiers and provers. P1 V1 P2 V* V2 P3 V3 Goal:simulation soundness: proofs to honest verifiers valid even in simulation.

  25. Brute Force Op In simulation V* can ensure 2nd condition is true. No reason for right session to be sound! Broke BFOP same N N z=Com(p) same z x true or p|N x’ true or p|N Isn’t qpoly simulation trivial? Stmt: x 2 {0,1}n P V Completeness: N = pretty large random composite As always. Soundness: Com(p) From hardness of factoring Concurrent ZK: [Pass03] WI proof either Straight-line simulation. 1) x is true. 2) p prime factor of N Simulation soundness?? Stmt: x 2 {0,1}n Stmt: x’ 2 {0,1}n V* V1 P2 P V

  26. m1 r12R{0,1} Com(h(r1)) m1 r12R{0,1} Implicitly send r1 If proof succssesful, have qpoly-time knowledge extractor can obtain r1 by rewinding UAZK Know r1 Concurrent Non-Mal qZK Protocol [B.Sahai05] Starting point: Pass’s protocol for bounded-NM zero knowledge 1st Step: Change it to handle #id’s to t=nlog n Problem: In Pass’s protocol communication>t Solution: “Compress” the long messages. r1=0n Is it (stand-alone) sound? Is it (stand-alone) zero knowledge?

  27. Stmt: x 2 {0,1}n id2[t] P V imp guess r1 Completeness: As before. imp send r1 Soundness: Will follow from simulation soundness. BFOP imp guess r2 imp send r2 UAWI either 1) stmt true 2) guessedm1r1 3) guessedm2r2 4) broke BFOP m1 = nlognid , m2 = nlogn(t-id) Concurrent Non-Mal qZK Protocol* [B.Sahai05] ZK+Simulation Soundness: Straightline simulator breaking BFOP (4). Why is that simulation sound??

  28. Stmt: x 2 {0,1}n id2[t] P V imp guess r1 imp send r1 BFOP imp guess r2 imp send r2 UAWI either 1) stmt true 2) guessedm1r1 3) guessedm2r2 4) broke BFOP m1 = nlognid , m2 = nlogn(t-id) Concurrent Non-Mal qZK Protocol* [B.Sahai05] ZK+Simulation Soundness: Straightline simulator breaking BFOP (4) Change: Make option (1) weakly indist – observable in qpoly time. Not an immediate solution: simulator now only weakly indist from real prover. Idea: build auxiliary simulator that: 1) Strongly indist from “real” simulator. 2) Satisfies simulation soundness. Why we need the “real” simulator? Auxiliary simulator uses the witness.

  29. Stmt: x 2 {0,1}n id2[t] P V imp guess r1 Real Prover: Uses:witness(1) imp send r1 Sim-sound: yes BFOP imp guess r2 Real Simulator: Uses: time (4) Sim-sound: ? Yes! imp send r2 UAWI either Aux Simulator: 1) stmt true Uses: witness,non-BB (2,3) 2) guessedm1r1 Sim-sound: yes 3) guessedm2r2 4) broke BFOP m1 = nlognid , m2 = nlogn(t-id) Concurrent Non-Mal qZK Protocol* [B.Sahai05] ZK+Simulation Soundness: ~ (weak) ~ ~ (strong)

  30. Stmt: x 2 {0,1}n id2[t] P V imp guess r1 imp send r1 P1 P2 V* V2 BFOP P3 imp guess r2 imp send r2 UAWI either Aux Simulator: 1) stmt true Uses: witness,non-BB (2,3) 2) guessedm1r1 Sim-sound: yes 3) guessedm2r2 4) broke BFOP Concurrent Non-Mal qZK Protocol* [B.Sahai05] ZK+Simulation Soundness: Constructing the auxiliary simulator. Execution we need to simulate: V1 V3 Useful observation: Can assume only one honest verifier. m1 = nlognid , m2 = nlogn(t-id)

  31. The auxiliary simulator: P V* P* V imp guess r1 imp guess r1 Need program s.t. ()=r’1 for |1|<< r’1 imp send r’1 imp send r1 Build  using V* + r1 + UA knowledge extractor BFOP BFOP imp guess r’2 imp guess r2 imp send r’2 imp send r2 Can now simulate this part w/o access to ver’s coins. UAWI either UAWI either 1) stmt true 1) stmt true 2) guessedm1r1 2) guessedm1r1 3) guessedm2r2 3) guessedm2r2 4) broke BFOP 4) broke BFOP Honest ver uses r1=0n We’ll user12R {0,1}m1

  32. The auxiliary simulator: … Pm P3 P2 imp guess r1 imp send r’1 BFOP BFOP imp guess r’2 imp send r’2 When building  use witness to sim other sessions! UAWI either 1) stmt true 2) guessedm1r1  never sent in clear – still strongly indist! 3) guessedm2r2 4) broke BFOP P V* P* V imp guess r1 imp send r1 • To run extractor need to simulate other sessions. Build  using V* + r1 + UA knowledge extractor imp guess r2 • To simulate other sessions, need to run extractor. imp send r2 UAWI either 1) stmt true 2) guessedm1r1 3) guessedm2r2 4) broke BFOP

  33. Questions: • Random oracle model also used to achieve non-malleability and concurrent security. Can we justify this? (so far mostly negative results[CanettiGoldreichHalevi98],[GoldwasserTa03]) • All these use universal args. Are there different non-BB techniques? • Is there ZK system w/ O(1)-rounds and public coin verifier? Related to both these questions. • Are these non-BB techniques inherently unpractical? Two problematic components: general ZK and PCP theorem. On other hand: PCP get simpler, more efficient [BenSassonSudan05],[Dinur05] Maybe can push complexity to simulation? [B.Sahai05] • Handling quantum adversaries?

  34. Stmt: x 2 {0,1}n id2[t] Use random r1of length k1 Use M1 = V* program + r1 + extractor for UA BFOP To rewind, M1 uses witness! Rules of engagement: Simulate execution s.t.: 1) Never use option #1 in UAWI 2) No use of time between dotted lines. 2) No use of ver. coins after green line. P1 P2 V* V h z1=Com(h(M1)) UACom(r1) z2=Com(h(M1)) UACom(r2) UAWI either 1) x is true. 2) 9 |t1|<k1-n s.t.M1(z1,t1)=r1 3) 9 |t2|<k2-n s.t.M2(z2,t2)=r2 4) Broke BFOP. k1 = nlognid , k2 = nlogn(t-id)

  35. Stmt: x 2 {0,1}n id2[t] Use random r1of length k1 Use M1 = V* program + r1 + extractor for UA BFOP To rewind, M1 uses witness! Rules of engagement: Simulate execution s.t.: 1) Never use option #1 in UAWI 2) No use of time between dotted lines. 2) No use of ver. coins after green line. P1 P2 V* V h z1=Com(h(M1)) UACom(r1) z2=Com(h(M1)) UACom(r2) UAWI either 1) x is true. 2) 9 |t1|<k1-n s.t.M1(z1,t1)=r1 3) 9 |t2|<k2-n s.t.M2(z2,t2)=r2 4) Broke BFOP. k1 = nlognid , k2 = nlogn(t-id)

More Related