Download presentation

Presentation is loading. Please wait.

Published byJordyn Gumm Modified over 3 years ago

1
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1

2
Interactive Proofs Let (P,V) be a proof system for L 2 NP Completeness: for every x 2 L and a w 2 R L (x) Pr[P(w),V)(x) = 1] = 1 Soundness: for every x 2 L and (even unbounded) P * Pr[(P *,V)(x) = 1] < ε Provers privacy: what information leaks through the interaction to a cheating V * ? 2

3
Provers Privacy Zero knowledge (ZK) [GMR]: the only information that V * obtains from interaction is that x 2 L – strong privacy, sometimes hard to achieve (e.g., in public-coins constant-round protocols) Witness Hiding (WH) [FS]: the witness remains hidden Let D be a samplable distribution over R L, Pr (x,w) ÃD [A(x) = w] = neg for every efficient A Pr (x,w) ÃD [(P(w),V * ) (x) = w] = neg for every efficient V * Witness Indistinguishability (WI) [FS]: V * cannot distinguish between (P(w),V * )(x) and (P(w),V * )(x), for any w,w 2 R L (x) = {w: w is a witness for x 2 L} – much weaker privacy, easier to achieve – meaningless in case of a single witness 3

4
Motivation Consider ``atomic ZK protocols such as 3-Colorbility [GMW] and Hamiltonicity [Blum] that have constant soundness. Parallel repetition of these protocols: Negligible soundness error Known to be WI Not ZK via black-box simulator [Goldreich-Krawczyk] Are they WH? For some distributions WI ) WH [Feige-Shamir] (each x has two independent witnesses) – In these settings the WH has black-box proof. In which settings these protocols are WH with black-box proof? 4

5
Our Result (informally) If each x 2 L has a unique witness, i.e., |R L (x)|=1, then 9 black-box Arthur-Merlin WH protocol with negligible soundness error. Under natural definition of black box Corollary: Parallel repetition of 3-Corolability/Hamiltonicty ZAPS [Dwork-Naor] Conceptually matches the upper bound of [Feige-Shamir] (for languages with two independent witnesses) 5 constant-round public-coin

6
The Rest of the Talk Defining fully black-box WH reduction – In the paper, we consider additional types of black-box reductions Develop techniques to prove impossibility results for such reductions – Starting point is the technique developed by [Goldreich- Krawczyk] for showing impossibility results of ZK with black-box simulators – Need new ideas to overcome the new difficulties that come up in the setup of WH. In the following we fix (P,V), L and D – L has a unique witness – (P,V) has negligible soundness error 6

7
Fully Black-box Reductions We like to come up with a definition that is 1.Natural 2.Agrees with known reductions 3.Possible to rule out… Black-box construction: We only consider constructions that Use commitment scheme Com as a black box The hiding of Com does not hold ) extracting the witness from an accepting transcript is easy (w.h.p) Agrees with all (generic) Arthur-Merlin WH protocols 7

8
Fully Black-box Reduction cont. Proof of security: If an efficient V * breaks the WH of (P,V) over D, then computing the witness over D is easy (assuming that Com is hiding) Black-box proof: 9 efficient A () that for every V * breaking the WH of (P,V) over D, – Pr[A V * (x) = w] > neg (i.e., D is easy given V * ), or – A V * violates the hiding of Com -Agrees with all known Arthur-Merlin WH (proofs) reductions -More restricted than [Pass 06] Thm: 9 fully-black-box reduction of Arthur-Merlin WH for D ) computing the witness over D is easy. 8 or, Com is not hiding

9
Starting Point Let (P,V) be an Arthur-Merlin protocol (with neg. soundness error). [Goldreich-Krawczyk] – the protocol remains sound even when a cheating prover can rewind the verifier More accurately, for every efficient A there exists an efficient V A s.t. Pr[(A,V A )(x) = 1] > neg when A can rewind V A Pr[(A,V) (x)= 1] > neg in the interactive settings [GK] Black-box simulator for L ) distinguisher for L 9

10
Applying [GK] Idea to WH Assume that (P,V) is an Arthur-Merlin WH protocol with a fully-black- box reduction, and let A () be the reduction guaranteed by the black-box proof. Consider the inefficient V * that behaves as V A, where if convinced to accept x, it returns w 2 R L (x) (using brute force) Therefore, Pr (x,w) ÃD [(P(w),V * )(x) = w] = 1 A V * computes well the witness over D, or A V * violates the hiding of Com We show next how to emulate the execution of A V * efficiently 10

11
11 A A V*V* V*V* Assume that (A,V * )(x 1 ) =1 w 2 R L (x 1 ) can be extracted from the transcript Since x 1 has unique witness, w is the right answer A V * can be efficiently emulated ) computing the witness over D is easy A V * finds the witness or A V * breaks Com Com with trapdoor Random permutation that we compute on the fly Random permutation Com X2X2 … w 2 R L (x 2 ) if accepts/ o,w ? X3X3 … X1X1 q1q1 a1a1 … amam qmqm w 2 R L (x 1 ) if accepts/o.w ?

12
Further issues Extensions: Unique feature function: for every w,w 2 R L (x) ) g(w) = g(w) Strong Witness Indistinguishability Further research: Consider relaxed definitions of black-box reduction. Implication to [Pass] approach for proving NP P OWF Bottom line: WH is a useful relaxation of ZK Is WH easy to achieve? In many cases, not easier than ZK 12

13
Ruling-out (weakly) Black-box Proofs Def (WH weakly black-box proof): 9 efficient A () that for every V * breaking the WH of (P,V) wrt D, – A V * computes well the witness over D, or – A V * breaks some underlying assumption Thm 2: Non-embedding weakly black-box reduction of Arthur- Merlin WH for distribution D, that is also POK (proof of knowledge) ) Computing the witness over D (with non-neg. prob.) is easy. - 3-color and Hamiltonicity are POK 13

14
14 A(x) V*V* V*V* Assume that Pr[(A,V * )(X 1 ) =1] > neg ) Pr[(A,V)(X 1 ) =1] > neg in the interactive settings Since (P,V) is POK, w 1 2 R L (x 1 ) can be extracted from A Since x 1 has unique witness, w 1 is the right answer Holds also for x 2 wrt A hist Hence, A V * (x) can be efficiently emulated, assuming that there are no embeddings A V * finds the witness or A V * violates the hardness X1X1 q1q1 a1a1 … amam qmqm w 2 RL(x 1 ) if accepts/ o.w ? X2X2 … w 2 R L (x 2 ) if accepts/ o.w ? X3X3 …

Similar presentations

OK

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google