Download presentation

Presentation is loading. Please wait.

Published byAmanda Hodgens Modified over 2 years ago

1
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

2
Assumptions for Cryptography One-way functions ) –Pseudorandom generators [Hastad-Impagliazzo-Levin-Luby]. –Pseudorandom functions & private-key cryptography [Goldreich-Goldwasser-Micali] –Commitment schemes [Naor]. –Zero-knowledge proofs for NP [Goldreich-Micali-Wigderson]. –Digital signatures [Rompel]. Almost all cryptographic tasks ) one-way functions. [Impagliazzo-Luby, Ostrovsky-Wigderson] Some tasks not “black-box reducible” to one-way fns. –Public-key encryption [Impagliazzo-Rudich] –Collision-resistant hashing [Simon]

3
Main Result One-Way Functions ) Statistical Zero-Knowledge Arguments for NP –Resolves an open problem posed by [Naor-Ostrovsky-Venkatesan-Yung92]. –OWF is essentially the minimal complexity assumption for ZK [Ostrovsky-Wigderson].

4
Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] Completeness [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements

5
Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [Fortnow,Aiello-Hastad]: Only languages in AM Å co-AM have statistical ZK proofs.

6
Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [1980’s]: one-way functions ) all of NP has computational ZK proofs.

7
Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [today]: one-way functions ) all of NP has statistical ZK arguments.

8
Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Goldreich- Micali- Wigderson] [Hastad- Impagliazzo- Levin-Luby], [Naor] computational zero-knowledge proofs

9
Commitment Schemes Polynomial time algorithm Com(b; K) s.t. –Hiding For random K, Com(0; K) ¼ Com(1; K) –Binding Com(b; K) cannot be opened to b’, where b’ b. SR Commit: c = Com(b;K) Reveal: (b,K) K Ã {0,1}* b 2 {0,1}

10
Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Completeness: Graph 3-colorable ) V always accepts.

11
Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Soundness: Graph not 3-colorable ) V rejects w.p. ¸ 1/(# edges) because commitment binding

12
Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Zero knowledge: Graph 3-colorable ) Verifier learns nothing because commitment hiding

13
Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Goldreich- Micali- Wigderson] [Hastad- Impagliazzo- Levin-Luby], [Naor] computational zero-knowledge proofs computationally hiding, statistically binding

14
Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Brassard- Chaum- Crepeau] statistical zero-knowledge arguments statistically hiding, computationally binding ???

15
Complexity of SZK Arguments for NP number-theoretic assumptions claw-free perm SZK arguments stat. hiding comp. binding commitments [BCC] [GMR,BKK] [NY] collision-resistant hash functions [GMR, Damgard] [GK]

16
Complexity of SZK arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF SZK arguments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [GMR,BKK] [NY] collision-resistant hash functions [GK]

17
Complexity of SZK arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF one-way function SZK arguments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [NY] collision-resistant hash functions [GMR,BKK] [GK]

18
Complexity of SZK Arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF one-way function SZK arguments stat. hiding 1-out-of-2 comp. binding commitments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [NY] collision-resistant hash functions [GMR,BKK] [GK]

19
1-out-of-2 binding commitments Commitment in 2 phases. Statistically hiding in both phases. Computational binding in at least one phase. [Nguyen-Vadhan06] SR Phase 1 commit: c = Com (1) (b;K) Phase 1 reveal: (b,K) Phase 2 commit: c’ = Com (2) (b’;K’) Phase 2 reveal: (b’,K’)

20
1-out-of-2 binding commitments suffice for SZK arguments Commitment in 2 phases. Statistically hiding in both phases. Computational binding in at least one phase. [Nguyen-Vadhan06] PV Com (1) (coloring) Query an edge Reveal color of nodes Com (2) (coloring) Query an edge Reveal color of nodes Phase 1 Phase 2 ZK since Prover does not reveal knowledge in both phases

21
1-out-of-2 binding commitments suffice for SZK arguments Commitment in 2 phases. Statistically hiding in both phases. Computational binding in at least one phase. [Nguyen-Vadhan06] PV Com (1) (coloring) Query an edge Reveal color of nodes Com (2) (coloring) Query an edge Reveal color of nodes Phase 1 Phase 2 Sound since Verifier checks valid colorings in both phases.

22
Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Nguyen- Vadhan06] statistical zero-knowledge arguments statistically hiding, 1-out-of-2 binding Main Thm

23
Overview of our construction from one-way functions One-way function (1/n)-hiding 1-out-of-2 binding 1)-hiding 1-out-of-2 binding stat hiding 1-out-of-2 binding Statistical ZK argument for NP

24
OWF ) (1/n)-hiding Starting Point: OWF w/ “approximable preimage size” ) stat. hiding commitments [HHK+05] Idea: sender “guess” preimage size ) hiding w.p. 1/n Problem: sender sends overestimate. Solution: use second phase to “prove” estimate correct [NV06] – Main tool: interactive hashing [OVY]

25
(1/n)-hiding ) (1)-hiding Amplify in O(log n) stages –Each time -hiding 2 -hiding –Inspired by [Reingold05,Dinur06] Each Stage –O(1) repetitions of basic protocol –Combine using interactive hashing [OVY] –Analyze with nonstandard measures.

26
Future Work Standard statistically hiding commitments from OWF. –Useful for verifier commitments. –Many applications beyond ZK. Better (sub-polynomial) round complexity –Open even for one-way permutations [NOVY]. Simplify the construction.

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google