690 likes | 838 Vues
From the Impossibility of Obfuscation to a New Non-Black-Box Simulation Technique. Nir Bitansky and Omer Paneth. The Result. Assuming OT there exist a resettably -sound ZK protocol. (Previous constructions of resettably -sound ZK relied on CRHF). Zero-Knowledge Proofs . Zero
E N D
From the Impossibility of Obfuscation toa New Non-Black-Box Simulation Technique Nir Bitansky and Omer Paneth
The Result Assuming OT there exist a resettably-sound ZK protocol (Previous constructions of resettably-sound ZK relied on CRHF)
Zero-Knowledge Proofs Zero Knowledge Soundness
Zero-Knowledge Proofs Soundness
Zero-Knowledge Proofs Zero Knowledge
Intuition: “knows” how to generate a proof itself! We can efficiently extract a proof from
The Simulator Accepting transcript: Simulator
The Simulator Simulator
Black-Box Simulator Black BoxSimulator
Non-Black-Box Simulator Non Black Box Simulator
Black-Box vs. Non-Black-Box Can Non-Black-BoxSimulation really achieve more than Black-Box Simulation?
Black-Box vs. Non-Black-Box Constant-round public-coin ZK (for NP, with negligible soundness error) Not considering 3-round ZK from KEA [Hada-Tanaka 98, Bellare-Palacio 04] Black BoxSimulator Non Black BoxSimulator CRHF + PCP Argument [Goldreich-Krawczyk 90] [Barak 01]
Black-Box vs. Non-Black-Box Black BoxSimulator Non Black BoxSimulator
Non-Black-Box Simulation BGGL01,B01,PR03,BL02,DGS9,GS09, GM11,GJ10,PRT11,COSV12… Barak 01 Barak 01
Non-Black-Box Simulation BGGL01,B01,PR03,BL02,DGS9,GS09, GM11,GJ10,PRT11,COSV12… Barak 01 CRHF + PCP
Barak’s ZK Protocol The FLS paradigm:[Feige-Lapidot-Shamir 99] Generation protocol for trapdoor Witness indistinguishable proof that or “knows”
Barak’s ZK Protocol The FLS paradigm:[Feige-Lapidot-Shamir 99] A proof generated using a witness for and a proof generated using the trapdoor are indistinguishable Generation protocol for trapdoor Witness indistinguishable proof that or“knows”
Barak’s ZK Protocol Q: Can we have a trapdoor generation protocol where is public-coin? A: Not using black-box simulation.
Barak’s ZK Protocol Q: Can we have a trapdoor generation protocol where is public-coin? A: (Barak 01) Yes! Trapdoor is the entire code of
Problem of “Long” Trapdoor (Or: problem of “short” messages) Witness indistinguishable proof that or “knows” is an arbitrary polynomial
Barak’s ZK Protocol Fixing the problem: • Use a Universal Argument – a succinct witness indistinguishable proofbased on PCPs [kilian 92, Barak-Goldreich 08] • Use a collision-resistant hash function to give a shrinking commitment to trapdoor.
Non-Black-Box Simulation BGGL01,B01,PR03,BL02,DGS9,GS09, GM11,GJ10,PRT11,COSV12… Barak 01 CRHF + UA\PCP
Are Barak’s techniques inherent in non-black-box simulation? Can its applications be achieved without collision-resistant hashing and universal arguments? No! Yes!
Resettable ZK [Canetti-Goldreich-Goldwasser-Micali 00]
Resettably-Sound ZK [Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]
Resettably-Sound ZK [Barak-Goldreich-Goldwasser-Lindell01, Goldreich-Krawczyk90] Black BoxSimulator
Resettably-Sound ZK Black BoxSimulator Black BoxSimulator
Resettably-Sound ZK [Barak-Goldreich-Goldwasser-Lindell 01] Non Black BoxSimulator Using CRHF and UA
The Result Assuming only OT there exist a constant-round resettably-sound ZK protocol that does not make use of UA. The Technique A new non-black-box simulation technique from the Impossibility of Obfuscation
Program Obfuscation is an obfuscation of a function family :
Obfuscation and ZK If we can obfuscate : Non Black BoxSimulator Black BoxSimulator Resettably-Sound ZK
Obfuscation and ZK Assuming OWFs, there exist a family of functions that can not be obfuscated. [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Resettably-Sound ZK “Easy” Impossibility of obfuscation
Obfuscation and ZK Assuming OWFs, there exist a family of functions that can not be obfuscated. [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Resettably-Sound ZK “Hard” Impossibility of obfuscation + OT
The Protocol Secure function evaluation of where Witness Indistinguishable proof that or “knows”
Proof Idea – Zero Knowledge Non Black Box Simulator
Proof Idea – Zero Knowledge Non Black Box Simulator SFE of
Proof Idea – Zero Knowledge SFE of
Proof Idea – Zero Knowledge Non Black Box Simulator SFE of Witness Indistinguishable proof that or “knows”
The SFE Protocol SFE of How to instantiate this box? How to instantiate this box? SFE of
The SFE Protocol Semi-honest SFE of ZK proof of knowledge ZK proof of knowledge
The SFE Protocol Semi-honest SFE of ZK proof of knowledge ZK proof of knowledge
The SFE Protocol Semi-honest SFE of Based on resettably-sound ZK[BGGL01,GS09] Resettably-sound ZK POK Resettable ZK POK
The SFE Protocol SFE of SFE of
Instance-dependent SFE of ZK Resettable POK Resettable ZK POK + Strongly unobfuscatablefunctions