How to Go Beyond the Black-Box Simulation Barrier

How to Go Beyond the Black-Box Simulation Barrier. Boaz Barak, Weizmann Institute. Alice wants to convince Bob that x ∈ L, but without him gaining any knowledge about w! Thus, she cannot simply send w to Bob! We need a more complicated, interactive protocol.


Presentation Transcript


  1. How to Go Beyond the Black-Box Simulation Barrier. Boaz Barak, Weizmann Institute

  2. Zero Knowledge Proofs [GMR]
     L ∈ NP (e.g. L = { x | x is a 3-colorable graph })
     x ∈ L (e.g. x is a 3-colorable graph)
     w ∈ Wit(x) (e.g. w is a 3-coloring of x)
     Prover (Alice) knows w. Verifier (Bob) knows only x. (Diagram: messages m1 m2 m2)
     Alice wants to convince Bob that x ∈ L, but without him gaining any knowledge about w! Thus, she cannot simply send w to Bob! We need a more complicated, interactive protocol.

  3. Def of Interactive Proofs
     Prover (Alice) knows w. Verifier (Bob) knows only x. (Diagram: messages m1 m2 m2)
     Completeness: Given w, Prover can convince the Verifier that x ∈ L.
     Comp. Soundness: If x ∉ L, then, regardless of Prover's (efficient) strategy, the Verifier will reject with very high prob.

  4. Zero Knowledge Property
     Prover (Alice) knows w. Verifier (Bob) knows only x.
     Informal Definition of ZK: Regardless of the efficient strategy the Verifier uses, he cannot gain new knowledge on the witness.
     Formal Def: ∀ efficient verifier V* ∃ S* s.t. V*'s view in interaction w/ P(x,w) ≈ S*(x) (≈: Statistically Indistinguishable or Computationally Indistinguishable)
     Usual way to show ZK: Show universal S s.t. ∀V*: V*'s view ≈ S^{V*}(x). This is called Black-Box simulation.

  5. Black-Box Simulation
     Formal Def: ∀ efficient verifier V* ∃ S* s.t. V*'s view in interaction w/ P(x,w) ≈ S*(x)
     Black-Box Simulation: Show alg S s.t. ∀V*: V*'s view ≈ S^{V*}(x)
     All previously known ZK protocols used black-box simulators [GMR,GMW,BCC,FS,GKa,RK,…]
     Conjecture: If a protocol is ZK, then it has a black-box simulator.
     Implication: Black-box ZK limitations ⇒ ZK limitations
     Our main result: Conjecture is false. (Under standard assumptions)

  6. The Main Result
     Main Thm: If CRH* exist then there exists a ZK argument that does not have a black-box simulator. With negligible soundness error.
     Proof: Combine the following two theorems:
     Thm 1 [GolKra89]: If L ∉ BPP then every constant-round Arthur-Merlin argument for L does not have a black-box simulator.
     Thm 2: If CRH exist then every L ∈ NP has a constant-round Arthur-Merlin ZK argument.
     Remark: Protocol of Thm 2 has other useful properties impossible to obtain w/ black-box simulation. More details later.
     Rest of the talk: Proof of Thm 2
     *CRH – Collision Resistant Hash functions

  7. Proof of Thm 2 – High Level View
     Thm 2: If CRH exist then every L ∈ NP has a constant-round Arthur-Merlin ZK argument.
     We construct a protocol with non-black-box simulation: We show universal S s.t. ∀V*: V*'s view ≈ S(desc of V*'s code, x)
     Intuition of Construction: To prove x ∈ L, prove that either x ∈ L or prover knows the verifier's program, such that verifier can't distinguish between 1st case & 2nd case.
     Protocol will be Sound because honest verifier will use a program chosen at random (from some collection).
     Protocol will be ZK because non-black-box simulator knows the verifier program.

  8. Proof of Thm 2
     Thm 2: If CRH exist then every L ∈ NP has a constant-round Arthur-Merlin ZK argument.
     We'll first describe 3 tools we need:
     • Commitment Schemes (“digital envelopes”) [Blum,Naor]
     • Witness Indistinguishable (WI) proofs [FeiSha]
     • Universal Arguments [Mic,Kil,BGol]
     We then show for every L ∈ NP, the construction of a protocol with desired properties.

  9. Witness Indistinguishable (WI) Proofs [FeiSha]
     L ∈ NP, x ∈ L, w,w' ∈ Wit(x)
     Prover (Alice) knows w or w'. Verifier (Bob) knows only x.
     Regardless of the efficient strategy the Verifier uses, he cannot tell if prover used w or w'.
     • Weaker property than ZK.
     • Trivial for languages with unique witnesses.
     • Closed under parallel (even concurrent) composition.
     • If OWF exist then ∃ 3-round Arthur-Merlin WI proof for all L ∈ NP

  10. Universal Arguments [Mic,BGol]
     Let M: Ntime(T(n)) machine (T(·) polynomial), x ∈ {0,1}^n.
     Suppose Alice knows non-det choice w ∈ {0,1}^{T(n)} s.t. M(x;w)=1 and wants to prove this to Bob.
     In standard NP proof systems: Comm. Complexity = Bob's running time = poly(T(n))
     A Universal Argument system allows proving a statement with Comm. Complexity = Bob's running time = n for every polynomial T(·).
     Actually, for every function T(·): complexity = T(n)^{o(1)} (e.g. complexity = polylog(T(n)))
     Thm [Kil,Mic,B,BGol]: Suppose that CRH exist. Then, ∃ a constant-round Arthur-Merlin Universal Argument system. Furthermore, there exists such a system that is WI.
     (Proof uses NEXP=PCP(poly,poly) [BabForLun] & Merkle hash-trees)
     Next: Our Protocol

  11. A First Attempt
     Intuition of Construction: Prove in WI that either x ∈ L or prover knows the verifier's program.
     r ∈_R {0,1}^n
     WIP: either x ∈ L or ∃ s.t. ()=r
     Honest Verifier chooses r at random. For general verifier V* we have r=V*( )
     Idea: Prove that you knew before seeing r
     Idea: Prover uses 1st case and Simulator 2nd case (w/ witness=V*). WI ensures indistinguishability.
     Problem: Not sound! Cheating prover can choose  after seeing r!

  12. WIP either x2 L or()=r A Second Attempt Not sound! Cheating prover can choose  after seeing r! Old Problem:  r 2R {0,1}n Why use () and not ( )?? Use C() instead of ! Sound! Let r’=() , then Pr[ r=r’] · 2-n Problem: Simulator will send = code of V*’s strategyWhat will honest prover use for  ?

  13. Protocol UZK z=C(;s) C(;s) denotes commit. to  w/ coins s r 2R {0,1}n WIP either x2 L or 9,s s.t. z=C(,s) & (z)=r Sound! Let =C-1(z) and let r’=(z) , then Pr[ r=r’] · 2-n ZK! Prover sends z=C(0n)Simulator sends z=C(V*’s strategy)Indistinguishability follows from commit security + WI Problem: No fixed polynomial bound on V*’s running time Use a WI Universal Argument

  14. Protocol UZK
     z=C(;s)
     r ∈_R {0,1}^n
     WIP: either x ∈ L or ∃ ,s s.t. z=C(,s) & (z)=r
     Thm: Prot UZK is a constant-round Arthur-Merlin ZK arg. for L.
     Cor: Prot UZK does not have a black-box simulator.
     Note: Only showed simulator for verifiers w/ bounded non-uniformity.

  15. More Results
     • Prot UZK can be modified to obtain ZK against non-uniform verifiers.
     • Prot UZK has simulator with strict prob. poly-time: Impossible w/ black-box simulation [BL]
     • Modified version of Prot UZK remains ZK under bounded-concurrent composition: Impossible w/ black-box simulation [CKPR]
     • Instantiating Prot UZK in crypto schemes (e.g. identification, voting) yields schemes with non-black-box proof of security.

  16. Black-Box Reductions in Crypto
     Typical Crypto Thm: Scheme X (e.g. voting) is as secure as Problem Y (e.g. factoring).
     Typical Proof: By contrapositive. Show that if ∃ efficient alg A to break Scheme X, then ∃ efficient alg B to solve Problem Y.
     Almost always: show a universal B such that ∀ efficient A, if A breaks Scheme X then B^A(·) solves Problem Y. This is called a Black-Box proof of security.
     Question: Is it possible to gain something by using a non-black-box proof of security?
     Corollary of this work: Yes!

  17. The End
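
The first two messages of Protocol UZK (slides 13 and 14), as an added example that is not part of the talk: it shows why a simulator holding V*'s code always obtains a witness for the second branch of the WI statement, while a prover who must fix z before an honest verifier draws r does not. Assumptions: a SHA-256 hash stands in for the commitment scheme C, programs are Python source defining a hypothetical `next_msg(z)`, all function names are illustrative, and the WI universal argument itself is not implemented (only the relation it would prove is checked).

```python
import hashlib
import secrets

N = 16  # challenge length in bytes (plays the role of the slides' n)

# Constructed sample V*: its challenge depends on the prover's first message z.
VSTAR = b'''
def next_msg(z):
    return hashlib.sha256(b"constructed-vstar" + z).digest()[:16]
'''

def commit(prog: bytes, s: bytes) -> bytes:
    """z = C(prog; s). Hash-based stand-in, not the slides' commitment scheme."""
    return hashlib.sha256(s + prog).digest()  # s is always 32 bytes here

def run(prog: bytes, z: bytes) -> bytes:
    """Run a program given as source text on input z (toy interpreter)."""
    env = {"hashlib": hashlib}
    exec(prog.decode(), env)
    return env["next_msg"](z)

def second_branch(z: bytes, r: bytes, prog: bytes, s: bytes) -> bool:
    """The 'or' branch of the WI statement: z = C(prog; s) and prog(z) = r."""
    if commit(prog, s) != z:
        return False
    try:
        return run(prog, z) == r
    except Exception:  # the committed string is not a valid program
        return False

def simulate(vstar_src: bytes):
    """Non-black-box simulator: commits to V*'s own code, then reads r off it."""
    s = secrets.token_bytes(32)
    z = commit(vstar_src, s)
    r = run(vstar_src, z)          # what V* answers to z
    return z, r, (vstar_src, s)    # partial transcript + witness for the WI step

def honest_verifier_round(prog: bytes) -> bool:
    """Prover fixes z first; an honest verifier then picks r at random."""
    s = secrets.token_bytes(32)
    z = commit(prog, s)
    r = secrets.token_bytes(N)
    return second_branch(z, r, prog, s)

if __name__ == "__main__":
    z, r, (prog, s) = simulate(VSTAR)
    print("simulator holds a second-branch witness:", second_branch(z, r, prog, s))
    print("same program vs. honest verifier:", honest_verifier_round(VSTAR))
    print("honest prover's z = C(0^n):", honest_verifier_round(b"\0" * N))
```

The simulator never rewinds or queries V* as an oracle; it only needs the code, which is what makes the simulation non-black-box.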
