# Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.


Interactive Proofs/Arguments

$L = L(R) \in NP$

[Diagram: P and V; $w \in R(x)$; $x$ ($x \in L$)]

Zero-Knowledge: Everything an efficient verifier can learn after a ZK interaction can be learned by applying an efficient algorithm (i.e., simulator) to the public input.

$\exists$ efficient $S$ s.t. $\forall$ efficient $V^*$ $\forall x \in L$: $S(V^*,x)$ (x)

Interactive Proofs/Arguments

$L = L(R) \in NP$

[Diagram: P and V; $w \in R(x)$; $x$ ($x \in L$)]

Proof of Knowledge (POK): If an efficient prover can convince the honest verifier that $x \in L$ then there exists an efficient algorithm (knowledge extractor) to extract a witness for x from the prover's strategy.

$\exists$ efficient $E$ s.t. $\forall$ efficient $P^*$ $\forall x$: Pr[ $E(P^*,x) \in R(x)$ ] $\sim$ Pr[ (x)=1 ]

Definition of Zero-Knowledge: Everything an efficient verifier can learn after a ZK interaction can be learned by applying an efficient algorithm to the public input.

$\exists$ efficient $S$ s.t. $\forall$ efficient $V^*$ $\forall x \in L$: $S(V^*,x)$ (x)

Popular formal interpretation:

- efficient = probabilistic polynomial-time
- efficient = probabilistic expected polynomial-time

Definition of Proofs of Knowledge (POK): If an efficient prover can convince the honest verifier that $x \in L$ then there exists an efficient algorithm (knowledge extractor) to extract a witness for x from the prover's strategy.

$\exists$ efficient $E$ s.t. $\forall$ efficient $P^*$ $\forall x$: Pr[ $E(P^*,x) \in R(x)$ ] $\sim$ Pr[ (x)=1 ]

Popular formal interpretation:

- efficient = probabilistic polynomial-time
- efficient = probabilistic expected polynomial-time

Possible Defs for Zero-Knowledge / POK

| | Efficient Verifier/Prover | Efficient Simulator/Extractor | Pros | Cons |
|---|---|---|---|---|
| Def 1 | Strict | Strict | Strict = Efficient Computation; No gap | No constant-round prot* |
| Def 2 | Strict | Expected | $\exists$ constant-round protocols | Expected Efficient; Gap |
| Def 3 | Expected | Expected | $\exists$ constant-round prot**; No gap | Expected Efficient; Problem w/def [Feige] |

Summary: Def 1 is best if it can be met.

| | Efficient Verifier/Prover | Efficient Simulator/Extractor |
|---|---|---|
| Def 1 | Strict | Strict |
| Def 2 | Strict | Expected |
| Def 3 | Expected | Expected |

Summary: Def 1 is best if it can be met.

[B,BG]: For Zero-Knowledge, Def 1 can be met by a constant-round prot. w/ a non-black-box simulator (assuming CRH).

Our Results:

1. In both cases Def 1 cannot be met in constant rounds by a black-box simulator/extractor.
2. In the case of POK, Def 1 can be met by a constant-round prot. w/ a non-black-box extractor (assuming CRH & TDP).

Impossibility of strict poly-time black-box simulation

Motivation: Look at how known expected poly-time black-box simulators work (e.g. [FS])

[Diagram: P and V; messages V1, P1, V2, P2]

Suppose that V* only sends message v2 w.p. 

[Diagram: S and V*; messages V1, P1, V2, P2, V2, P1; annotation: "No clue how to continue"]

Using (v1,v2) and (v1,v2) can simulate proof!

Suppose that V* only sends message v2 w.p. 

- w.p. 1- : Output (v1,p1,$\bot$) - $n^2$ work

[Diagram: S and V*; messages V1, P1, $\bot$]

Suppose that V* only sends message v2 w.p. 

- w.p. 1- : Output (v1,p1,$\bot$) - $n^2$ work
- w.p. : Output (v1,p1,v2,p2) - (1/ ) $\cdot$ $n^2$ work

Ex[work] = (1- ) $n^2$ + $\cdot$ (1/ ) $\cdot$ $n^2$ $\le O(n^2)$

[Diagram: S and V*; messages V1, P1, V2, P2, V2, P1, $\bot$, V2; annotation: "1/ times…"]

Suppose that V* only sends message v2 w.p. 

- w.p. 1- : Output (v1,p1,$\bot$) - $n^2$ work
- w.p. : Output (v1,p1,v2,p2) - (1/ ) $\cdot$ $n^2$ work

Ex[work] = (1- ) $n^2$ + $\cdot$ (1/ ) $\cdot$ $n^2$ $\le O(n^2)$

[Diagram: S and V*; messages V1, P1, V2, P2, V2, P1, $\bot$, $\bot$, V2]

If we stop the simulator after fewer than 1/ steps then the simulation fails!

Note that may be any non-negligible value (e.g., 1/ >> $n^2$)
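The rewinding argument on these slides, as an added simulation that is not part of the original presentation: `eps` is an assumed name for the probability that V* sends v2 (its symbol did not survive on this page), and work is counted in rewinds rather than in the slide's $n^2$ units. The unbounded simulator averages about one rewind for any `eps`, while a strict budget well below 1/eps leaves the simulator stuck almost every time V* answered the first query.

```python
import random

def run_simulator(eps, budget, rng):
    """One run of a rewinding simulator against a verifier that answers w.p. eps.

    budget=None models the expected-time simulator (rewind until it succeeds);
    an integer models a strict bound on the number of rewinds.
    Returns (outcome, rewinds):
      'abort' -> verifier aborted on the first try, output (v1, p1, abort)
      'full'  -> a second answer was obtained, output (v1, p1, v2, p2)
      'stuck' -> verifier answered once but the budget ran out while rewinding
    """
    if rng.random() >= eps:            # first query: verifier aborts
        return "abort", 0
    rewinds = 0
    while budget is None or rewinds < budget:
        rewinds += 1
        if rng.random() < eps:         # rewound verifier answers again
            return "full", rewinds
    return "stuck", rewinds

def stuck_probability(eps, budget):
    """Exact Pr[strict simulator gets stuck] = eps * (1 - eps)^budget."""
    return eps * (1.0 - eps) ** budget

def estimate(eps, budget, trials=200_000, seed=1):
    """Monte Carlo estimate: (mean rewinds per run, fraction of stuck runs)."""
    rng = random.Random(seed)
    total = stuck = 0
    for _ in range(trials):
        outcome, rewinds = run_simulator(eps, budget, rng)
        total += rewinds
        stuck += outcome == "stuck"
    return total / trials, stuck / trials

if __name__ == "__main__":
    eps = 0.01                          # constructed value for illustration
    print("unbounded :", estimate(eps, None))
    print("budget 50 :", estimate(eps, 50), "exact", stuck_probability(eps, 50))
    # With budget << 1/eps, nearly every answered first query ends up stuck.
    print("stuck | answered:", stuck_probability(1e-3, 10) / 1e-3)
```

A real verifier produces the full transcript with probability `eps`, so the stuck probability is exactly the gap between the real and the truncated-simulator distributions.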

Impossibility of strict black-box simulation for constant-round protocols.

Let be ZK proof for L with c verifier messages and strict t(n)-time black-box simulator S.

Let V* be s.t. V* aborts in any round w.p. 1- where is chosen s.t. $\forall x \in L$:

1. Pr[ (x)=1] = c > 1/p(n)
2. Pr[ $S^{V^*}(x)$ sees more than c messages ] << 1/p(n)

Choose = ¼ ( c ) t(n) · ( c ) c+1 t(n)

Our Results:

1. In both cases Def 1 cannot be met in constant rounds by a black-box simulator/extractor.
2. In the case of POK, Def 1 can be met by a constant-round prot. w/ a non-black-box extractor (assuming CRH & TDP).

Obtaining POK with strict poly-time extractor

Trapdoor Permutations + ZK membership proof* w/ strict simulation [B,BG] = constant-round Commit With Extract Scheme

Commit-With-Extract: Secure commitment scheme s.t. using the sender's code one can extract the committed value in strict polynomial-time. Can be used to obtain a ZKPOK for NP.

Conclusion: Non-Black-Box techniques are both necessary and sufficient to obtain strict polynomial-time simulation and extraction.

Obtaining POK with strict poly-time extractor

Proof Outline: Let $L \in NP$, a ZKPOK will be:

[Diagram: P and V; $x \in L$; $w \in W(x)$; Commit-With-Extract: y=Comm(w); ZKP: $\mathrm{Comm}^{-1}(y) \in W(x)$]

Need constant-round commitment scheme s.t. one can extract the committed value in strict poly-time using the sender's code.

Proof Sketch:

Assume is c-round ZK proof for L. Suppose S is strict t(n)-time black-box simulator.

Lemma: If V* is honest+abort verifier and $\forall x \in L$ Pr[ $S^{V^*}(x)$ is accepting and S saw $\le c$ responses ] > 1/p(n), then $L \in BPP$.

Why? For x L, Pr[ $S^{V^*}(x)$ is accepting and S saw $\le c$ responses ] = negl(n)

Fix V* s.t. in any round independently:

- w.p. 1- : V* aborts
- w.p. : V* behaves like honest verifier

Thus $\forall x \in L$: Pr[ $S^{V^*}(x)$ is accepting proof for x ] $\sim$ c

Clearly, $\forall x \in L$: Pr[ =1 ] = c

But Pr[ $S^{V^*}(x)$ gets > c non-$\bot$ responses ] $\le$ ( c ) c+1 t(n)

Pr[ $S^{V^*}(x)$ accepting and S saw $\le c$ responses ] $\ge$ c - ( c ) c+1 t(n)

And so

For ½ c = 1/p(n) t(n) -1

Obtaining POK with strict poly-time extractor

Thm: Suppose that

1. $\exists$ Trapdoor Permutations
2. $\exists$ constant-round ZK argument for NP w/ strict poly-time simulator

Then, $\exists$ constant-round ZK argument of knowledge w/ strict poly-time knowledge-extractor.

Trapdoor Permutations + ZK membership proof* w/ strict simulation [B,BG] = ZK proof* of knowledge w/ strict extraction
