Download presentation

Presentation is loading. Please wait.

Published byJordyn Gumm Modified over 3 years ago

1
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1

2
Interactive Proofs Let (P,V) be a proof system for L 2 NP Completeness: for every x 2 L and a w 2 R L (x) Pr[P(w),V)(x) = 1] = 1 Soundness: for every x 2 L and (even unbounded) P * Pr[(P *,V)(x) = 1] < ε Provers privacy: what information leaks through the interaction to a cheating V * ? 2

3
Provers Privacy Zero knowledge (ZK) [GMR]: the only information that V * obtains from interaction is that x 2 L – strong privacy, sometimes hard to achieve (e.g., in public-coins constant-round protocols) Witness Hiding (WH) [FS]: the witness remains hidden Let D be a samplable distribution over R L, Pr (x,w) ÃD [A(x) = w] = neg for every efficient A Pr (x,w) ÃD [(P(w),V * ) (x) = w] = neg for every efficient V * Witness Indistinguishability (WI) [FS]: V * cannot distinguish between (P(w),V * )(x) and (P(w),V * )(x), for any w,w 2 R L (x) = {w: w is a witness for x 2 L} – much weaker privacy, easier to achieve – meaningless in case of a single witness 3

4
Motivation Consider ``atomic ZK protocols such as 3-Colorbility [GMW] and Hamiltonicity [Blum] that have constant soundness. Parallel repetition of these protocols: Negligible soundness error Known to be WI Not ZK via black-box simulator [Goldreich-Krawczyk] Are they WH? For some distributions WI ) WH [Feige-Shamir] (each x has two independent witnesses) – In these settings the WH has black-box proof. In which settings these protocols are WH with black-box proof? 4

5
Our Result (informally) If each x 2 L has a unique witness, i.e., |R L (x)|=1, then 9 black-box Arthur-Merlin WH protocol with negligible soundness error. Under natural definition of black box Corollary: Parallel repetition of 3-Corolability/Hamiltonicty ZAPS [Dwork-Naor] Conceptually matches the upper bound of [Feige-Shamir] (for languages with two independent witnesses) 5 constant-round public-coin

6
The Rest of the Talk Defining fully black-box WH reduction – In the paper, we consider additional types of black-box reductions Develop techniques to prove impossibility results for such reductions – Starting point is the technique developed by [Goldreich- Krawczyk] for showing impossibility results of ZK with black-box simulators – Need new ideas to overcome the new difficulties that come up in the setup of WH. In the following we fix (P,V), L and D – L has a unique witness – (P,V) has negligible soundness error 6

7
Fully Black-box Reductions We like to come up with a definition that is 1.Natural 2.Agrees with known reductions 3.Possible to rule out… Black-box construction: We only consider constructions that Use commitment scheme Com as a black box The hiding of Com does not hold ) extracting the witness from an accepting transcript is easy (w.h.p) Agrees with all (generic) Arthur-Merlin WH protocols 7

8
Fully Black-box Reduction cont. Proof of security: If an efficient V * breaks the WH of (P,V) over D, then computing the witness over D is easy (assuming that Com is hiding) Black-box proof: 9 efficient A () that for every V * breaking the WH of (P,V) over D, – Pr[A V * (x) = w] > neg (i.e., D is easy given V * ), or – A V * violates the hiding of Com -Agrees with all known Arthur-Merlin WH (proofs) reductions -More restricted than [Pass 06] Thm: 9 fully-black-box reduction of Arthur-Merlin WH for D ) computing the witness over D is easy. 8 or, Com is not hiding

9
Starting Point Let (P,V) be an Arthur-Merlin protocol (with neg. soundness error). [Goldreich-Krawczyk] – the protocol remains sound even when a cheating prover can rewind the verifier More accurately, for every efficient A there exists an efficient V A s.t. Pr[(A,V A )(x) = 1] > neg when A can rewind V A Pr[(A,V) (x)= 1] > neg in the interactive settings [GK] Black-box simulator for L ) distinguisher for L 9

10
Applying [GK] Idea to WH Assume that (P,V) is an Arthur-Merlin WH protocol with a fully-black- box reduction, and let A () be the reduction guaranteed by the black-box proof. Consider the inefficient V * that behaves as V A, where if convinced to accept x, it returns w 2 R L (x) (using brute force) Therefore, Pr (x,w) ÃD [(P(w),V * )(x) = w] = 1 A V * computes well the witness over D, or A V * violates the hiding of Com We show next how to emulate the execution of A V * efficiently 10

11
11 A A V*V* V*V* Assume that (A,V * )(x 1 ) =1 w 2 R L (x 1 ) can be extracted from the transcript Since x 1 has unique witness, w is the right answer A V * can be efficiently emulated ) computing the witness over D is easy A V * finds the witness or A V * breaks Com Com with trapdoor Random permutation that we compute on the fly Random permutation Com X2X2 … w 2 R L (x 2 ) if accepts/ o,w ? X3X3 … X1X1 q1q1 a1a1 … amam qmqm w 2 R L (x 1 ) if accepts/o.w ?

12
Further issues Extensions: Unique feature function: for every w,w 2 R L (x) ) g(w) = g(w) Strong Witness Indistinguishability Further research: Consider relaxed definitions of black-box reduction. Implication to [Pass] approach for proving NP P OWF Bottom line: WH is a useful relaxation of ZK Is WH easy to achieve? In many cases, not easier than ZK 12

13
Ruling-out (weakly) Black-box Proofs Def (WH weakly black-box proof): 9 efficient A () that for every V * breaking the WH of (P,V) wrt D, – A V * computes well the witness over D, or – A V * breaks some underlying assumption Thm 2: Non-embedding weakly black-box reduction of Arthur- Merlin WH for distribution D, that is also POK (proof of knowledge) ) Computing the witness over D (with non-neg. prob.) is easy. - 3-color and Hamiltonicity are POK 13

14
14 A(x) V*V* V*V* Assume that Pr[(A,V * )(X 1 ) =1] > neg ) Pr[(A,V)(X 1 ) =1] > neg in the interactive settings Since (P,V) is POK, w 1 2 R L (x 1 ) can be extracted from A Since x 1 has unique witness, w 1 is the right answer Holds also for x 2 wrt A hist Hence, A V * (x) can be efficiently emulated, assuming that there are no embeddings A V * finds the witness or A V * violates the hardness X1X1 q1q1 a1a1 … amam qmqm w 2 RL(x 1 ) if accepts/ o.w ? X2X2 … w 2 R L (x 2 ) if accepts/ o.w ? X3X3 …

Similar presentations

OK

Information-Theoretic Security and Security under Composition Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)

Information-Theoretic Security and Security under Composition Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on waste management in india Ppt on time management for nurses Ppt on chapter 12 electricity calculator Ppt on waves tides and ocean currents diagram Ppt on earthquake free download Ppt on power sharing in democracy the will of the majority Ppt on object oriented programming Ppt on 2nd world war planes Ppt on save tigers in india free download Ppt on virtual laser keyboard