1 / 47

How to Go Beyond the Black-Box Simulation Barrier

How to Go Beyond the Black-Box Simulation Barrier. Boaz Barak. Summery of the previous classes. Every language in NP has ZK protocol. ZK is not closed under parallel composition. Last week we saw w(logn) – round BBCZK for all languages in NP. It follows that the protocol cannot be BBZK.

tevy
Télécharger la présentation

How to Go Beyond the Black-Box Simulation Barrier

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to Go Beyond theBlack-BoxSimulation Barrier Boaz Barak

  2. Summery of the previous classes • Every language in NP has ZK protocol. • ZK is not closed under parallel composition. • Last week we saw w(logn) – round BBCZK for all languages in NP.

  3. It follows that the protocol cannot be BBZK. (Unless the language is in BPP.) Paper Main Results There exists a zero-knowledge proof for any language in NP that satisfies the following properties. It is a zero knowledge with respect to non-uniform adversaries with auxiliary information. It has a constant number of rounds and negligible sounds error. It is an Arthur-Merlin (public coins) protocol.

  4. Paper Main Results It is bounded concurrent zero knowledge – It remains zero knowledge if executed concurrently n times, where n is the security parameter. “Only” computationally sound proof. The idea is to use the fact that the simulator has access to the code of the verifier. This will come instead of the trick of rewinding.

  5. Witness Indistinguishable (WI) Proofs [FeiSha] Prover (Alice) knows worw’ Verifier (Bob) knows only x Let L∈NP, x∈L, w,w’ witnesses to x∈L.Regardless of efficient strategy Verifier uses, he can not tell if prover used w or w’ Relaxation of ZK.Instead of requiring “Verifier learns nothing” only require that the verifier doesn't learn if Alice (prover) used w or w'.

  6. Witness Indistinguishable (WI) Proofs[FeiSha] Prover (Alice) knows worw’ Verifier (Bob) knows only x Let L∈NP, x∈L, w,w’ witnesses to x∈L.Regardless of efficient strategy Verifier uses, he can not tell if prover used w or w’ Weaker property than ZK. Every ZK proof is also WI proof. Closed under parallel (even concurrent) composition. => We can take BLUM protocol and compose it parallel and get a WI proof.

  7. Protocol outline • The verifier chooses a secret s and send to the prover some information I(s). No prover can recover s from interacting with the verifier. The simulator can recover s by using the verifier code. • The prover provides WI proof that either x∈L or I know s from I(s).

  8. Protocol outline • Analyses: • Completeness: OK – if x∈L then the prover will prove it to the verifier. • Computationally soundness – since the prover cannot recover s in step q it must prove use that x∈L • ZK – the simulator extracts s and proves step 2 using s. Works since step 2 is WI.

  9. Problem: Doesn't work, since r depends on c and the simulator can't predict r (Due to the binding property of the commitment scheme). c=Comm(0)‏ WIP either x∈ L or c = comm(r)‏ Naive implementation • Public Input: • x∈{0,1}n (need to prove x∈L)‏ r ∈ {0,1}n

  10. c=Comm(π)‏ Problem: Soundness - How can we make sure that the prover won't commit on program that on input c output r. WIP either x∈ L or c is a commitment to program  s.t. ()=r and c=comm() Better implementation • Public Input: • x∈{0,1}n (need to prove x∈L)‏ Prover uses 1st case and Simulator 2nd case (w/ witness=V*) WI ensures indistinguishably ZK seems to work: The simulator will commit on c=comm(V).The verifier won't be able to distinguish between the real and the simulated proof. r ∈ {0,1}n

  11. c=Comm(0,s)‏ Problem: Soundness - How can we make sure that the prover won't commit on program that on input c output r. WIP either x∈ L or c is a commitment to program  s.t. ()=r and comm() = comm(0)‏ Better implementation • Public Input: • x∈{0,1}n (need to prove x∈L)‏ ZK seems to work: The simulator will commit on c=comm(V).The verifier won't be able to distinguish between the real and the simulated proof. Prover uses 1st case and Simulator 2nd case (w/ witness=V*) WI ensures indistinguishably Make r much longer than c. This way, since c is fixed before r, there is negligible probability that c will open to something that encodes r. r ∈ {0,1}

  12. Problem: In order to insure the binding property of the commitment scheme. The size of c can be at any polynomial length, with respect to the size of V*. And might be larger than the communicationcomplexity of the protocol. c=Comm(0n,s) s- add randomness for commitment WIP either x∈ L or (c,r,v,s) ∈RP I.E c=comm(V,s) and r=V(c)‏ First attempt • Public Input: • x∈{0,1}n (need to prove x∈L)‏ Prover uses 1st case and Simulator 2nd case (w/ witness=V*) WI ensures indistinguishably r ∈ {0,1}(|c| +m)‏

  13. Computationally binding commitment scheme Statisticallybindingcommitmentscheme Collision resistant hash function Commitment length - solution • Instead of using statistically binding commitment scheme, we will use a computationally binding commitment scheme. • A computationally binding commitment scheme for large messages can be constructed by composing a standard, statistically binding commitment scheme with collision resistant hash function. Note:Once we use a commitment scheme that is computationally binding we will only be able to prove that our protocol is computationally sound.

  14. K – key for the hash c=Comm(Hk(0n),s) s- add randomness for commitment r ∈ {0,1}(|c| +m)‏ WIP either x∈ L or (k,c,r,V,z,s) ∈RP I.E c=Comm(Hk(V),s)and r=V(z,c)‏ Second attempt • Public Input: • x∈{0,1}n (need to prove x∈L)‏ Prover uses 1st case and Simulator 2nd case (w/ witness=V*) WI ensures indistinguishably

  15. Reminder PoK: For any P* there exists an extractor E that succeeds to extract whenever P convinces the verifier, i.e for any x,z: Prob[(P*(z),V(x)) = 1,E(z)=w : (x,w)∉RL] <negl Second attempt - How to prove that the protocol is computational sound? • We will do a reduction to the computational binding property of the commitment scheme. • We need to generate a commitment with two different openings. • We will use WI proofs that are also PoK.Then use the extractor to break the binding of the commitment.

  16. Second attempt - How to prove that the protocol is computational sound? • Proof Outline: • Assume V get convinced when x∉L.This means that the WI extractor will extract a witness <V,z,s> to RP. • This witness is an opening of the commitment c. • Now rewind the prover to step 1, give it a different r (resulted from different z) and obtain an opening on the same commitment. • We got two witnesses with the same commitment.

  17. Problem: How much time does it take for S to run V*? Is RP a polytime relation? No, since V can have an arbitrary polynomial running it. Second attempt - How to prove that the protocol is computational sound? • Why is it guaranteed that in the second time around (with a new r) we'll get a different opening of the commitment? • This is because V(z,c) is a deterministic function of c (for a givenz), so a different r will have to result from a different <V,z>.

  18. Universal Arguments • Universal language: • Lu= {(M,x,t) | M is a non-deterministic machine that accepts x within t steps}. • Luis in NEXP-complete. • Ru = {((M,x,t),w) | M accepts w within t steps}.

  19. Universal Arguments • Universal argument system for Lu is a two party protocol (P,V), for common input (M,x,t), w (witness for the prover) that satisfies the following: • Efficient verification:There exists a polynomial p such that for any input y=(M,x,t), the run time of V, is at p(|y|). • Completeness by relatively-efficient prover:For every ((M,x,t),w) in Ru, Prob[(P(w),V)(m,x,t) = 1] = 1,The running time of P is ≤ p(TM(x,w)) ≤ p(t).

  20. Universal Arguments • Computational soundness:For every P* and every (M,x,t) ∉ Lu. Prob[(P*,V)(M,x,t)=1]<u(n) • Weak proof of knowledge property:For every P*, if Prob[(P*,V)(y)=1]>1/p(|y|)=> Prob[∃ w=w1,w2,…wn∈ Ru(y), ∀i∈ {1…t}, E(y,i)=wi] > 1/p’(|y|)

  21. Universal Arguments Construction of Universal argument for Lu Construct an universal argument that is witness indistinguishable for Lu

  22. PCP – Probabilistic checkable proofs. • A PCP system is a system were the verifier has access to oracle which represents a proof. The verifier hash access to only few bits of the oracle bits according to the verifier coin tosses. • Completeness:For every x∈ L there exist an oracle π, such that V, on input x and access to oracle π always accepts x. • Soundness:For every x∉ L and every oracle π, such that V, on input x and access to oracle π, rejects x with probability 1-ε|x|.

  23. PCP – auxiliary properties.(will be useful for our construction) Let V be a PCP verifier, with an error ε for a language L∈ NEXP, let R(x,w) be the corresponding witness relation. Relativity-efficient oracle-construction:There exists a prover P such that for given (x,w) ∈R, it outputs an oracle π that make V always accept. Non-adaptive verifier:The verifier queries will be determined only on the external input and its coin tosses, and not on previous queries.

  24. PCP – auxiliary properties.(will be useful for our construction) Efficient reverse sampling:There exists a polynomial time algorithm S, that given x, query number i, query output j outputs the coin tosses r of the verifier.Q(x,r,i) = j. Proof of knowledge:There exists a polynomial time extractor E such that for every x and π:If Prob[Vπ(x) = 1] > ε|x|, thenthere exists w=w1,w2,…wt such that Prob[Eπ(x,i) = wi] > 2/3, for every i.

  25. Universal Arguments • Theorem:For every L∈ NEXP and for every ε(n)>2-poly(n) , there exists a PCP system with error ε that satisfies all the auxiliary properties. • Lu has such a PCP system. • Theorem:The existence if collision free hash functions implies the existence of universal arguments that are public coins (Arthur-Merlin) and use constant number of Rounds.

  26. Vau Pau K – key for the hash Root of the tree. Universal Arguments for Lu– construction • Public Input: • y = (M,x,t)‏ • Private Input for P: • w such that (y,w)∈Ru.‏ Prover steps: Creates a PCP oracle  on (y,w). Construct a hash tree. Sends the root of the tree to the verifier.

  27. Query  L000 L001 L010 L011 L100 L101 L110 L111 Hash(L000, L001) Hash(L010, L011) Hash(L100, L101) Hash(L100, L101) L0 L1 ROOT Universal Arguments for Lu– construction of the hash tree. d- height of the tree The leafs of the tree are the oracle answers for the queries. For example leaf Lq holds the oracle answer to query q.

  28. Query   Root of the tree. PCP answers with the path of the tree to the root. Root Root Universal Arguments for Lu– construction • Public Input: • y = (M,x,t)‏ The prover determines thesequence of m queries forthe PCP oracle, with the random input r. • Private Input for P: • w such that (y,w)∈Ru.‏ Vau Pau K – key for the hash R – coins for the PCP Preliminary Observations: 1. Verifier complexity and communication is polynomial 2. Completeness follows from completeness of PCP

  29. Universal Arguments • Still we have to establish the last two properties of universal arguments: • Computational soundness:For every P* and every (M,x,t) ∉ Lu. Prob[(P*,V)(M,x,t)=1]<u(n) • Weak proof of knowledge propery:For every P*, if Prob[(P*,V)(y)=1]>1/p(|y|)=> Prob[∃ w=w1,w2,…wn∈ Ru(y), ∀i∈ {1…t}, E(y,i)=wi] > 1/p’(|y|)

  30. Universal Arguments • Computational soundness follows from the week proof of knowledge property.Because whenever some adversary can convince the verifier to accept with non-negligible probability the extractor outputs a valid witness for membership in Lu. • => If x∉L and P* will convince V that x∈ L and the extractor will output a valid witness with non-negligible probability, and we will get a contradiction to the weak proof of knowledge property.

  31. Universal Arguments – Computational soundness. • We will prove the computational soundness using a reduction to the PCP. • Assume there is a malicious prover P*authat <M,x,t> will convince V that M accepts x for the universal argument. We will build an oracle * for the PCP machine. Hash key P*au * Vpcp Root r -coins Give me  (ask all possible queries)

  32. Universal Arguments – Computational soundness. • Some of the queries won’t be “proper” for the proof and P*au will have to find a collision at the hash tree.Otherwise if all the queries are correct we will get a PCP proof that M accepts X. Hash key P*au * Vpcp Root r -coins Give me  (ask all possible queries)

  33. Universal Arguments –proof of knowledge property. • Weak proof of knowledge property:For every P*, if Prob[(P*,V)(y)=1]>1/p(|y|)=> Prob[∃ w=w1,w2,…wn∈ Ru(y), ∀i∈ {1…t}, E(y,i)=wi] > 1/p’(|y|) • In order to prove that proof of knowledge property we will use the extractor of the PCP (The PCP is also weak PoK). • The extractor of the PCP will run P* and V and will rewind the protocol to the “root phase” until it will get enough queries to find a witness for the PCP proof.Since the proof is the same it is the same withness.

  34. Universal Arguments Construction of Universal argument for Lu Construct an universal argument that is witness indistinguishable for Lu

  35. Witness Indistinguishable Universal Arguments • Our starting point is any constant round, pubic-coins universal argument for Lu – (Pua,Vua). • Next we will use a witness indistinguishable proof of knowledge for NP-complete language (Pwi,Uwi).Every ZK proof is also WI proof => BLUM for example is WI-proof. • Finally we will use commitment scheme C.

  36. Root of the tree. Csi(ai), ai = Pau(y,ri) Witness Indistinguishable Universal Arguments • Public Input: • y = (M,x,t)‏ • Private Input for P: • w such that (y,w)∈Ru.‏ Vau-wi Pau-wi K – key for the hash Prover steps: Creates a PCP oracle . Construct a hash tree. Sends the root of the tree to the verifier. Sends commitments on the queries answers of the PCP oracle and the corresponding nodes at the tree. ri – random input WI proof that DC(Csi(ai)) = ai

  37. Witness Indistinguishable Universal Arguments • Clearly the construction is constant round and public coins, also as in the universal argument construction the verifier and prover run time is probabilistic polynomial time. • We still need to prove: • The weak proof of knowledge property, which implies the computational soundness property. • The witness indistinguishable property.

  38. WI-UA –weak proof of knowledge. • Let P*ua-wi be a prover for an input y such that Prob[(P*ua-wi,V) =1] = Py. • We will construct a prover P*ua that makes Vua accepts y w.p > poly(Py). • The strategy P*ua operates in c iterations, where in each iteration it obtains from P*ua-wi a commitment, and using the knowledge extractor of (Pua-wi,Vua-wi) it extracts a witness.

  39. WI-UA –weak proof of knowledge. Since Ewi succeed to extract w.p > poly(Py) then it will succeed to extract all c messages w.p > poly(Py)c, and we got an extractorfor (Pua,Vua) – contradiction. Hash key V*ua P*ua-wi Hash key P*ua Root Root r,p2,p3,…pc r Comm e1e2,..,ec a Comm e1e2,..,ec Ewi a

  40. WI-UA –Witness Indistinguishable. • In order to see that the construction is WI we need to show that when using 2 different witnesses: • The 2 commitments (y,r,c(a’1),…c(a’c)) and (y,r,c(a’’1),…c(a’’c))for 2 witnesses w’,w’’ are computationally indistinguishable.Follows from the computational hiding property of the commitment scheme. • The WI proof used is witness indistinguishable - follows immediately.

  41. Universal Arguments Construction of Universal argument for Lu Construct an universal argument that is witness indistinguishable for Lu

  42. K – key for the hash c=Comm(Hk(0n),s) s- add randomness for commitment r ∈ {0,1}(|c| +m)‏ WIP either x∈ L or (k,c,r,V,z,s) ∈RP I.E c=Comm(Hk(V),s)and r=V(z,c)‏ Second attempt -reminder • Public Input: • x∈{0,1}n (need to prove x∈L)‏ Prover uses 1st case and Simulator 2nd case (w/ witness=V*) WI ensures indistinguishably We will use the WI universal argument at the triplet y= (ML’ ,(x,k,c,r),2n), y ∈ Lu. machine ML’ that accepts the language L’ if: x∈L . V*(x,k,c) = r. WI universal argument

  43. Concurrent execution • Let (P,V) be a two party protocol, V* an interactive machine.Let {(ai,bi)}i=1..t be a set of t inputs to the protocol (P,V). • A t-times concurrent execution of (P,V) is the following experiment: • Run t independent copies of P with the ith copy getting ai as input. • Provide V* with b1,…,bt. • At each step V* outputs a message (I,m). The ith copy of P is getting message m, The verifier V* is getting the response.

  44. Concurrent execution P1 P2 V* Pt

  45. Concurrent ZK - Naïve simulator • We will invoke the simulator we used n times independently. • At first look the protocol seems readily CZK, since there are no rewinds. • Why this naïve simulator will fail? The problem is that the verifier V gets additional information between getting the second message and sending the third message. So the challenge r is computed based on some other information.

  46. But yet there is a Problem: The soundness isn’t holds: Since the relation RP allows the plover to choose y after seeing the challenge r, and we get that r isn’t a deterministic function of <V,z> and we can choose y such that <V,y,z> = r . c=Comm(Hk(0n),s) s- add randomness for commitment WIP either x∈ L or (<k,c,r>,<V,z,y,s) ∈RP I.E c=Comm(Hk(V),s)and r=V(z,y,c)‏ Concurrent ZK • The relation RP will be changed to account for that extra information. We denote by y this extra information i.e y= all of the messages previously sent. (we will keep a table with all of these messages). K – key for the hash r ∈ {0,1}(|c| +k)‏

  47. Bounded Concurrent ZK • The solution will be to choose y that is shorter then r.This will guarantee that the probability that there exists a y that allows the adversary to ambiguity the commitment is 2(|r|-|y|) • Bounding the size of y corresponds to bounding the number of sessions the protocol can run concurrently with.

More Related