
From the Impossibility of Obfuscation to a New Non-Black-Box Simulation Technique

From the Impossibility of Obfuscation to a New Non-Black-Box Simulation Technique. Nir Bitansky and Omer Paneth. The Result. Assuming OT there exists a resettably-sound ZK protocol. (Previous constructions of resettably-sound ZK relied on CRHF). Zero-Knowledge Proofs. Zero


Presentation Transcript


  1. From the Impossibility of Obfuscation to a New Non-Black-Box Simulation Technique. Nir Bitansky and Omer Paneth

  2. The Result: Assuming OT there exists a resettably-sound ZK protocol (Previous constructions of resettably-sound ZK relied on CRHF)

  3. Zero-Knowledge Proofs Zero Knowledge Soundness

  4. Zero-Knowledge Proofs Soundness

  5. Zero-Knowledge Proofs Zero Knowledge

  6. Intuition: “knows” how to generate a proof itself! We can efficiently extract a proof from

  7. The Simulator Accepting transcript: Simulator

  8. The Simulator Simulator

  9. Black-Box Simulator Black Box Simulator

  10. Non-Black-Box Simulator Non Black Box Simulator

  11. Black-Box vs. Non-Black-Box Can Non-Black-Box Simulation really achieve more than Black-Box Simulation?

  12. Black-Box vs. Non-Black-Box Constant-round public-coin ZK (for NP, with negligible soundness error) Not considering 3-round ZK from KEA [Hada-Tanaka 98, Bellare-Palacio 04] Black Box Simulator Non Black Box Simulator CRHF + PCP Argument [Goldreich-Krawczyk 90] [Barak 01]

  13. Black-Box vs. Non-Black-Box Black Box Simulator Non Black Box Simulator

  14. Non-Black-Box Simulation BGGL01,B01,PR03,BL02,DGS9,GS09, GM11,GJ10,PRT11,COSV12… Barak 01 Barak 01

  15. Non-Black-Box Simulation BGGL01,B01,PR03,BL02,DGS9,GS09, GM11,GJ10,PRT11,COSV12… Barak 01 CRHF + PCP

  16. Barak’s ZK Protocol The FLS paradigm: [Feige-Lapidot-Shamir 99] Generation protocol for trapdoor Witness indistinguishable proof that or “knows”

  17. Barak’s ZK Protocol The FLS paradigm: [Feige-Lapidot-Shamir 99] A proof generated using a witness for and a proof generated using the trapdoor are indistinguishable Generation protocol for trapdoor Witness indistinguishable proof that or “knows”

  18. Barak’s ZK Protocol Q: Can we have a trapdoor generation protocol where is public-coin? A: Not using black-box simulation.

  19. Barak’s ZK Protocol Q: Can we have a trapdoor generation protocol where is public-coin? A: (Barak 01) Yes! Trapdoor is the entire code of

  20. Problem of “Long” Trapdoor (Or: problem of “short” messages) Witness indistinguishable proof that or “knows” is an arbitrary polynomial

  21. Barak’s ZK Protocol Fixing the problem: • Use a Universal Argument – a succinct witness indistinguishable proof based on PCPs [Kilian 92, Barak-Goldreich 08] • Use a collision-resistant hash function to give a shrinking commitment to trapdoor.

  22. Non-Black-Box Simulation BGGL01,B01,PR03,BL02,DGS9,GS09, GM11,GJ10,PRT11,COSV12… Barak 01 CRHF + UA\PCP

  23. Are Barak’s techniques inherent in non-black-box simulation? Can its applications be achieved without collision-resistant hashing and universal arguments? No! Yes!

  24. Resettable Protocols

  25. Resettable Protocols

  26. Resettable Protocols

  27. Resettable ZK [Canetti-Goldreich-Goldwasser-Micali 00]

  28. Resettably-Sound ZK [Micali-Reyzin 01, Barak-Goldreich-Goldwasser-Lindell 01]

  29. Resettably-Sound ZK [Barak-Goldreich-Goldwasser-Lindell 01, Goldreich-Krawczyk 90] Black Box Simulator

  30. Resettably-Sound ZK Black Box Simulator Black Box Simulator

  31. Resettably-Sound ZK [Barak-Goldreich-Goldwasser-Lindell 01] Non Black Box Simulator Using CRHF and UA

  32. The Result: Assuming only OT there exists a constant-round resettably-sound ZK protocol that does not make use of UA. The Technique: A new non-black-box simulation technique from the Impossibility of Obfuscation

  33. Program Obfuscation is an obfuscation of a function family :

  34. Obfuscation and ZK If we can obfuscate : Non Black Box Simulator Black Box Simulator Resettably-Sound ZK

  35. Obfuscation and ZK Assuming OWFs, there exists a family of functions that cannot be obfuscated. [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Resettably-Sound ZK “Easy” Impossibility of obfuscation

  36. Obfuscation and ZK Assuming OWFs, there exists a family of functions that cannot be obfuscated. [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Resettably-Sound ZK “Hard” Impossibility of obfuscation + OT

  37. Unobfuscatable functions : :

  38. The Protocol Secure function evaluation of where Witness Indistinguishable proof that or “knows”

  39. Proof Idea - Resettable Soundness SFE of

  40. Proof Idea – Zero Knowledge Non Black Box Simulator

  41. Proof Idea – Zero Knowledge Non Black Box Simulator SFE of

  42. Proof Idea – Zero Knowledge SFE of

  43. Proof Idea – Zero Knowledge

  44. Proof Idea – Zero Knowledge Non Black Box Simulator SFE of Witness Indistinguishable proof that or “knows”

  45. The SFE Protocol SFE of How to instantiate this box? How to instantiate this box? SFE of

  46. The SFE Protocol Semi-honest SFE of ZK proof of knowledge ZK proof of knowledge

  47. The SFE Protocol Semi-honest SFE of ZK proof of knowledge ZK proof of knowledge

  48. The SFE Protocol Semi-honest SFE of Based on resettably-sound ZK [BGGL01, GS09] Resettably-sound ZK POK Resettable ZK POK

  49. The SFE Protocol SFE of SFE of

  50. Instance-dependent SFE of ZK Resettable POK Resettable ZK POK + Strongly unobfuscatable functions
