This work discusses the construction of a universal argument system for all NP languages under standard assumptions, focusing specifically on zero-knowledge (ZK) proofs. Building on the framework established by Goldwasser, Micali, and Wigderson, we present results that demonstrate the existence of ZK proofs with polynomial complexity for any NP language reducible to 3-Coloring. Furthermore, we explore a single CS proof system that can prove membership in NP languages efficiently. These findings may offer insights into the complexity of cryptographic systems and the nature of NP-completeness.
Universal Arguments and Their Applications
Boaz Barak & Oded Goldreich
Interactive Proofs for NP
[GMW] gave a ZK proof with n^2 complexity for 3-Coloring (n = input size).
Corollary: a ZK proof with t(n)^4 complexity for any Ntime(t) language L (since L is t(n)^2-time reducible to 3-Coloring).
Corollary: ∀ NP language L ∃ ZK proof for L with polynomial complexity. Note the order of quantifiers!
What about a single universal proof system for all NP languages? Note: this is interesting even without the ZK property.
CS Proofs [M]: Informal Description
A CS proof system is a system for proving* membership in the (N)EXP-complete language U, where <M,x,t> ∈ U iff M(x) outputs 1 within t steps (t is a binary number, M is a non-deterministic machine).
Verifier's complexity is a fixed polynomial (e.g. n^3) in |M|+|x|+|t|.
Any NP language L is reducible to U by an O(n)-time reduction (e.g., even if L ∈ Ntime(n^12)!). Thus a CS proof system yields a single protocol for proving membership for all L ∈ NP (even NE).
Thm [K,M]: If there exist hash functions that are collision resistant for 2^n-sized circuits then there exists a CS proof system.
Our Goal: Obtain a single (universal) argument for NP under a standard assumption (i.e., hardness for poly-size circuits).
Seems to inherently require a subexponential hardness assumption.
CS Proofs: Formal Def
Def: <P,V> is a CS proof system for U if it satisfies:
[complexity] V runs in probabilistic polynomial time.
[completeness] ∀ <M,x,t> ∈ U: <P(w),V>(M,x,t) = 1, where P(M,x,t) runs for t^{O(1)} (possibly 2^{O(n)}) steps.
[soundness] ∀ 2^{O(n)}-sized P* and ∀ <M,x,t> ∉ U: Pr[<P*,V>(M,x,t) = 1] = negl(n).
Note: Max running time of P < allowed running time for P*.
Universal Argument: Formal Def
Def: <P,V> is a universal argument for U if it satisfies:
[complexity] V runs in probabilistic polynomial time.
[completeness] ∀ <M,x,t> ∈ U: <P(w),V>(M,x,t) = 1, where P(M,x,t) runs for t^{O(1)} (possibly 2^{O(n)}) steps.
[soundness] ∀ polynomial-size P* and ∀ <M,x,t> ∉ U: Pr[<P*,V>(M,x,t) = 1] = negl(n).
[proof of knowledge] There is a polynomial-time weak knowledge extractor.
Note: Here the max running time of P (t^{O(1)}) exceeds the running time allowed for P* (polynomial).
Our Results
Thm 1: If standard collision-resistant hash functions exist then there exists a universal argument system.
Corollary 2: If standard collision-resistant hash functions exist then there exists a ZK argument satisfying (as in [B]): non-black-box simulation; constant-round; Arthur-Merlin (public coin); strict polynomial-time simulator; bounded concurrent zero-knowledge.
Same conclusion as [B] under a weaker hypothesis.
Collision Resistant Hash Functions
Def: A family H = {H_n} of functions from {0,1}^{2n} to {0,1}^n is called collision resistant if for any poly-size A,
Pr_{h ∈ H}[ A(h) = (x,y) s.t. x ≠ y and h(x) = h(y) ] = negl(n).
The Construction (following [K])
Thm [BFL]: NEXP = PCP[poly,poly].
[Figure: on common input <M,x,t>, the PCP prover P_pcp(M,x,t,w) produces a proof π with |π| = t^{O(1)} (possibly 2^{O(n)}); the PCP verifier V_pcp(M,x,t) queries π.]
PCP Properties
[completeness] ∃ P s.t. ∀ <M,x,t> ∈ U (and witness w): Pr[ V^{P(M,x,t,w)}(M,x,t) = 1 ] = 1, where P(M,x,t) runs in time t^{O(1)}.
[soundness] If <M,x,t> ∉ U then ∀ π: Pr[ V_pcp^π(M,x,t) = 1 ] < 2^{-n}.
[non-adaptive verifier] Verifier's queries are non-adaptive.
[efficient reverse-sampling] Given i,q, can sample a random verifier tape conditioned on the i-th query being q.
[proof of knowledge] ∃ poly-time E s.t. if Pr[ V_pcp^π(M,x,t) = 1 ] > 2^{-|x|} then ∃ witness w s.t. ∀ i: Pr[ E^π(<M,x,t>,i) = w_i ] > 2/3.
[Protocol figure, common input <M,x,t>: V_ua sends h ←_R H; P_ua replies with the root of the hash tree (built with h) over the PCP proof π; V_ua sends a random PCP-verifier tape r_pcp (fixing the queries q_1,…,q_k); P_ua replies with path_1,…,path_k.]
path_{q,σ} is called a certificate that π_q = σ.
Preliminary Observations:
1. Verifier complexity and communication is polynomial.
2. Completeness follows from completeness of the PCP.
[Protocol figure, common input <M,x,t>, messages numbered 1–4 between P* and V_ua, with h ←_R H.]
Soundness: If poly-size P* convinces V_ua that <M,x,t> ∈ U w.p. ε then ∃ pcp proof π* for <M,x,t> that convinces V_pcp w.p. ε − negl(n).
Fix a "typical" choice of h. Assume w.l.o.g. that P* is deterministic, so the root is also fixed. We treat P* as a function that gets a random pcp-verifier tape and returns a list of paths.
Observation: For any q, given two inconsistent paths path_{q,0} and path_{q,1}, one can obtain x,y s.t. h(x) = h(y).
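The hash-tree commitment behind the protocol above and the observation that two inconsistent certificates for one position yield a collision, as an added example (not code from the paper or the slides): SHA-256 serves as h for the honest run, and SHA-256 truncated to a few bytes stands in for a weak h so that a cheating prover with two accepting paths for the same q can be staged and the extraction exercised.

```python
import hashlib
from itertools import count

# Hash-tree commitment to a PCP proof pi (the [K] construction) and the collision extraction from
# the soundness argument. H is SHA-256 truncated to n bytes: n = 32 is the real hash; a small n is
# a toy hash whose collisions can be brute-forced, used only to stage a cheating prover.
def H(data, n=32):
    return hashlib.sha256(data).digest()[:n]

def leaf_hash(value, n): return H(b"\x00" + value, n)              # domain-separated leaf
def node_hash(left, right, n): return H(b"\x01" + left + right, n)  # domain-separated inner node

def merkle_tree(proof, n):
    """Commit to pi (a list of symbols, length a power of two); returns every level, root last."""
    levels = [[leaf_hash(v, n) for v in proof]]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([node_hash(lvl[i], lvl[i + 1], n) for i in range(0, len(lvl), 2)])
    return levels

def auth_path(levels, q):
    """Certificate for query q: sibling digests from the leaf up to (not including) the root."""
    return [lvl[(q >> d) ^ 1] for d, lvl in enumerate(levels[:-1])]

def climb(q, value, path, n):
    """Recompute (preimage, digest) pairs from the claimed symbol pi_q = value up to the root."""
    pre = b"\x00" + value
    out = [(pre, H(pre, n))]
    for d, sib in enumerate(path):
        cur = out[-1][1]
        pre = b"\x01" + (cur + sib if (q >> d) % 2 == 0 else sib + cur)  # left child if index even
        out.append((pre, H(pre, n)))
    return out

def verify(root, q, value, path, n): return climb(q, value, path, n)[-1][1] == root

def extract_collision(q, v0, path0, v1, path1, n):
    """Two accepting certificates for the same q with v0 != v1: the first level where the
    recomputed digests agree while the preimages differ is a collision for H."""
    for (p0, d0), (p1, d1) in zip(climb(q, v0, path0, n), climb(q, v1, path1, n)):
        if p0 != p1 and d0 == d1:
            return p0, p1

def find_leaf_collision(n):
    """Brute-force two distinct symbols with equal leaf hash (feasible only for the toy n)."""
    seen = {}
    for i in count():
        v = i.to_bytes(4, "big")
        d = leaf_hash(v, n)
        if d in seen:
            return seen[d], v
        seen[d] = v
```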
Define: p_q(σ) = Pr[ P* sends path_{q,σ} | q is asked ].
Define: π*_q = 1 if p_q(1) > p_q(0), and 0 otherwise.
Claim: π* is a convincing pcp proof.
Let A be the set of ambiguous locations and k the length of the verifier's random tape.
Previous Analysis [K,M,B]: If h is 2^k-secure then A = ∅.
Our Analysis: Define A' ⊆ A to be the locations that are ambiguous with non-negligible probability. If h is poly-size secure then Pr[ verifier's query hits A' ] = negl(n). Why? Otherwise one could find a collision by reverse-sampling.
Proof of Knowledge Property
∃ E s.t. if P* convinces V_ua w.p. ε that <M,x,t> ∈ U then ∃ witness w s.t. Pr[ ∀ i: E^{P*}(M,x,t,i) = w_i ] > Ω(1), where E runs in poly(1/ε, n) time.
Follows from the analogous property of the pcp system.