
Universal Arguments and Their Applications

Universal Arguments and Their Applications. Boaz Barak & Oded Goldreich. Interactive Proofs for NP. [GMW] gave ZK proof w/ $n^2$ complexity for 3-Coloring. Corollary: ZK proof w/ $t(n)^4$ complexity for any Ntime(t) language L (since L is $t(n)^2$-time reducible to 3-Coloring).

zanna


Presentation Transcript


  1. Universal Arguments and Their Applications Boaz Barak & Oded Goldreich

  2. Interactive Proofs for NP. [GMW] gave ZK proof w/ $n^2$ complexity for 3-Coloring ($n$ = input size). Corollary: ZK proof w/ $t(n)^4$ complexity for any Ntime(t) language L (since L is $t(n)^2$-time reducible to 3-Coloring). Corollary: $\forall$ NP language L $\exists$ ZK proof for L w/ polynomial complexity. Note order of quantifiers! What about a single universal proof system for all NP languages? Note: This is interesting even without the ZK property.

  3. CS Proofs [M]: Informal Description. A CS proof system is a system for proving* membership in the (N)EXP-complete language U, where $\langle M,x,t\rangle \in U$ iff M(x) outputs 1 within t steps (t is a binary number, M is a non-deterministic machine). Verifier's complexity is a fixed polynomial (e.g. $n^3$) in |M|+|x|+|t|. Any NP language L is reducible to U by an O(n)-time reduction (e.g., even if $L \in \mathrm{Ntime}(n^{12})$!). Thus a CS proof system yields a single protocol for proving membership for all $L \in \mathrm{NP}$ (even NE).

  4. CS Proofs [M]: Informal Description. A CS proof system is a system for proving* membership in the (N)EXP-complete language U, where $\langle M,x,t\rangle \in U$ iff M(x) outputs 1 within t steps (t is a binary number, M is a non-deterministic machine). Thm [K,M]: If there exist hash functions that are collision resistant for 2n-sized circuits then there exists a CS proof system. Our Goal: Obtain a single (universal) argument for NP under a standard assumption (i.e., hardness for poly-size circuits).

  5. CS Proofs: Formal Def. Def: $\langle P,V\rangle$ is a CS proof system for U if it satisfies:
     - [complexity] V runs in probabilistic polynomial time.
     - [completeness] $\forall \langle M,x,t\rangle \in U$: $\langle P(w),V\rangle(M,x,t)=1$, where P(M,x,t) runs for $t^{O(1)}$ (possibly $2^{O(n)}$) steps.
     - [soundness] $\forall$ $2^{O(n)}$-sized $P^*$ and $\forall \langle M,x,t\rangle \notin U$: $\Pr[\langle P^*,V\rangle(M,x,t)=1] = \mathrm{negl}(n)$. Seems to inherently require subexponential hardness assumption.
     Note: Max running time of P < allowed running time for P*.

  6. CS Proofs: Formal Def / Universal Argument. Def: $\langle P,V\rangle$ is a CS proof system for U if it satisfies:
     - [complexity] V runs in probabilistic polynomial time.
     - [completeness] $\forall \langle M,x,t\rangle \in U$: $\langle P(w),V\rangle(M,x,t)=1$, where P(M,x,t) runs for $t^{O(1)}$ (possibly $2^{O(n)}$) steps.
     - [soundness] $\forall$ $2^{O(n)}$-sized $P^*$ and $\forall \langle M,x,t\rangle \notin U$: $\Pr[\langle P^*,V\rangle(M,x,t)=1] = \mathrm{negl}(n)$. (polynomial size)
     - [proof of knowledge] There is a polynomial-time weak knowledge extractor.
     Note: Max running time of P < allowed running time for P*.

  7. Our Results. Thm 1: If standard collision-resistant hash functions exist then there exists a universal argument system. Corollary 2: If standard collision-resistant hash functions exist then there exists a ZK argument satisfying (as in [B]):
     - Non-black-box simulation
     - Constant-round
     - Arthur-Merlin (public coin)
     - Strict polynomial-time simulator
     - Bounded concurrent zero-knowledge
     Same conclusion as [B] under weaker hypothesis.

  8. Collision Resistant Hash Functions. Def: A family $H = \{H_n\}$ of functions from $\{0,1\}^{2n}$ to $\{0,1\}^n$ is called collision resistant if for any poly-size A, $\Pr_{h \in H}[\,A(h) = (x,y) \text{ s.t. } h(x)=h(y)\,] = \mathrm{negl}(n)$.

  9. The Construction (following [K]). Thm [BFL]: NEXP = PCP[poly,poly]. [Diagram labels: $\langle M,x,t\rangle$; $P_{pcp}(M,x,t,w)$; $V_{pcp}(M,x,t)$; || = $t^{O(1)}$ (possibly $2^{O(n)}$)]

  10. PCP Properties
     - [completeness] $\exists P$ s.t. $\forall \langle M,x,t\rangle \in U$ (and witness w): $\Pr[V^{P(M,x,t,w)}(M,x,t)=1] = 1$, where P(M,x,t) runs in time $t^{O(1)}$.
     - [soundness] If $\langle M,x,t\rangle \notin U$ then $\forall$  $\Pr[\,V_{pcp}(M,x,t)=1\,] < 2^{-n}$.
     - [non-adaptive verifier] Verifier's queries are non-adaptive.
     - [efficient reverse-sampling] Given i, q can sample random verifier tape conditioned on the i-th query being q.
     - [proof of knowledge] $\exists$ poly-time E s.t. if $V_{pcp}(M,x,t) > 2^{-|x|}$ then $\exists$ witness w s.t. $\forall i$: $\Pr[\,E(\langle M,x,t\rangle,i) = w_i\,] > 2/3$.

  11. [Diagram labels: $\langle M,x,t\rangle$; $P_{ua}$, $V_{ua}$; $h \in_R H$; $r_{pcp}$; $path_1,\ldots,path_k$; q; h] pathq, is called a certificate that q = . Preliminary Observations: 1. Verifier complexity and communication is polynomial. 2. Completeness follows from completeness of PCP.

  12. [Diagram labels: $\langle M,x,t\rangle$; $P^*$, $V_{ua}$; $h \in_R H$; messages 1 to 4; q; h] Soundness: If poly-size $P^*$ convinces $V_{ua}$ that $\langle M,x,t\rangle \in U$ w.p.  then $\exists$ pcp proof * for $\langle M,x,t\rangle$ that convinces $V_{pcp}$ w.p. 2 – negl(n). Fix "typical" choice of h. Assume w.l.o.g. $P^*$ deterministic and so root is also fixed. We treat $P^*$ as a function that gets a random pcp-verifier tape and returns a list of paths. Observation: For any q, given two inconsistent paths $path_{q,0}$ and $path_{q,1}$ can obtain x, y s.t. h(x)=h(y).

  13. [Diagram labels: $\langle M,x,t\rangle$; $P^*$, $V_{ua}$; $h \in_R H$; h] Define: p_q() = Pr[ P* sends pathq, | q is asked ]. Define *q = 1 if p_q(1) > p_q(0), 0 otherwise. Claim: * is a convincing pcp proof.

  14. Define: p_q() = Pr[ P* sends pathq, | q is asked ]. Define *q = 1 if p_q(1) > p_q(0), 0 otherwise. Claim: * is a convincing pcp proof. Let A = ambiguous locations, k = length of verifier's random tape. Previous Analysis [K,M,B]: If h is $2^k$ secure then $A = \emptyset$.

  15. Define: p_q() = Pr[ P* sends pathq, | q is asked ]. Define *q = 1 if p_q(1) > p_q(0), 0 otherwise. Claim: * is a convincing pcp proof. Let A = ambiguous locations, k = length of verifier's random tape. Our Analysis: Define $A' \subseteq A$ to be locations that are ambiguous with non-negligible probability. If h is poly-size secure then Pr[ Verifier's query hits A' ] = negl(n). Why? Otherwise could find collision by reverse-sampling.

  16. Proof of Knowledge Property. $\exists E$ s.t. if $P^*$ convinces $V_{ua}$ w.p.  that $\langle M,x,t\rangle \in U$ then $\exists$ witness w s.t. w.p. $\Pr[\,\forall i\; E^{P^*}(M,x,t,i) = w_i\,]$ > (1), where E runs in poly(1/,n) time. Follows from analogous property of the pcp system.
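
Slides 11 and 12 have the prover bind itself to the PCP proof through a hash root and answer each query q with a path, and observe that two inconsistent paths for the same q give a collision in h. The following added example (not from the presentation) shows commit, open, verify and that collision extraction; the tree-hash layout, the function names, the sample leaves and the 16-bit truncated SHA-256 stand-in for h are assumptions, the last chosen so that a collision can be brute-forced instantly.

```python
import hashlib

N = 2  # toy digest length in bytes (assumption); tiny on purpose so a collision can be found

def h(x: bytes) -> bytes:  # stand-in for h: {0,1}^{2n} -> {0,1}^n, NOT collision resistant
    return hashlib.sha256(x).digest()[:N]

def commit(leaves):
    """Tree-hash a power-of-two list of N-byte leaves; levels[-1][0] is the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def open_path(levels, q):
    """Path for location q: the leaf value plus the sibling at every level."""
    leaf, sibs = levels[0][q], []
    for lvl in levels[:-1]:
        sibs, q = sibs + [lvl[q ^ 1]], q >> 1
    return leaf, sibs

def hash_inputs(q, leaf, sibs):
    """Yield the 2n-bit string fed to h at each level when recomputing the root."""
    node = leaf
    for s in sibs:
        x = s + node if q & 1 else node + s
        yield x
        node, q = h(x), q >> 1

def verify(root, q, leaf, sibs):
    return h(list(hash_inputs(q, leaf, sibs))[-1]) == root

def extract_collision(q, path0, path1):
    """Two accepting paths for one root and one q with different leaves give x != y, h(x) == h(y)."""
    for x, y in zip(hash_inputs(q, *path0), hash_inputs(q, *path1)):
        if x != y and h(x) == h(y):
            return x, y  # first level where different inputs hash to the same node

def demo():
    """Constructed input: brute-force one collision in the toy h, plant it in two 4-leaf trees."""
    seen = {}
    for i in range(1 << 17):
        y = i.to_bytes(2 * N, "little")
        x = seen.setdefault(h(y), y)
        if x[:N] != y[:N]:
            break
    t0, t1 = (commit([z[:N], z[N:], b"\x00\x01", b"\x00\x02"]) for z in (x, y))
    p0, p1 = open_path(t0, 0), open_path(t1, 0)
    return t0[-1][0], p0, p1, extract_collision(0, p0, p1)
```

With a collision-resistant h the search in `demo()` is infeasible, which is exactly why an accepting path pins down a single value at location q.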
