Presentation is loading. Please wait.

Presentation is loading. Please wait.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Similar presentations


Presentation on theme: "Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University."— Presentation transcript:

1 Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

2 Assumptions for Cryptography  One-way functions ) –Pseudorandom generators [Hastad-Impagliazzo-Levin-Luby]. –Pseudorandom functions & private-key cryptography [Goldreich-Goldwasser-Micali] –Commitment schemes [Naor]. –Zero-knowledge proofs for NP [Goldreich-Micali-Wigderson]. –Digital signatures [Rompel].  Almost all cryptographic tasks ) one-way functions. [Impagliazzo-Luby, Ostrovsky-Wigderson]  Some tasks not “black-box reducible” to one-way fns. –Public-key encryption [Impagliazzo-Rudich] –Collision-resistant hashing [Simon]

3 Main Result One-Way Functions ) Statistical Zero-Knowledge Arguments for NP –Resolves an open problem posed by [Naor-Ostrovsky-Venkatesan-Yung92]. –OWF is essentially the minimal complexity assumption for ZK [Ostrovsky-Wigderson].

4 Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] Completeness [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements

5 Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [Fortnow,Aiello-Hastad]: Only languages in AM Å co-AM have statistical ZK proofs.

6 Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [1980’s]: one-way functions ) all of NP has computational ZK proofs.

7 Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [today]: one-way functions ) all of NP has statistical ZK arguments.

8 Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Goldreich- Micali- Wigderson] [Hastad- Impagliazzo- Levin-Luby], [Naor] computational zero-knowledge proofs

9 Commitment Schemes Polynomial time algorithm Com(b; K) s.t. –Hiding For random K, Com(0; K) ¼ Com(1; K) –Binding Com(b; K) cannot be opened to b’, where b’  b. SR Commit: c = Com(b;K) Reveal: (b,K) K Ã {0,1}* b 2 {0,1}

10 Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Completeness: Graph 3-colorable ) V always accepts.

11 Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Soundness: Graph not 3-colorable ) V rejects w.p. ¸ 1/(# edges) because commitment binding

12 Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Zero knowledge: Graph 3-colorable ) Verifier learns nothing because commitment hiding

13 Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Goldreich- Micali- Wigderson] [Hastad- Impagliazzo- Levin-Luby], [Naor] computational zero-knowledge proofs computationally hiding, statistically binding

14 Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Brassard- Chaum- Crepeau] statistical zero-knowledge arguments statistically hiding, computationally binding ???

15 Complexity of SZK Arguments for NP number-theoretic assumptions claw-free perm SZK arguments stat. hiding comp. binding commitments [BCC] [GMR,BKK] [NY] collision-resistant hash functions [GMR, Damgard] [GK]

16 Complexity of SZK arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF SZK arguments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [GMR,BKK] [NY] collision-resistant hash functions [GK]

17 Complexity of SZK arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF one-way function SZK arguments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [NY] collision-resistant hash functions [GMR,BKK] [GK]

18 Complexity of SZK Arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF one-way function SZK arguments stat. hiding 1-out-of-2 comp. binding commitments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [NY] collision-resistant hash functions [GMR,BKK] [GK]

19 1-out-of-2 binding commitments  Commitment in 2 phases.  Statistically hiding in both phases.  Computational binding in at least one phase. [Nguyen-Vadhan06] SR Phase 1 commit: c = Com (1) (b;K) Phase 1 reveal: (b,K) Phase 2 commit: c’ = Com (2) (b’;K’) Phase 2 reveal: (b’,K’)

20 1-out-of-2 binding commitments suffice for SZK arguments  Commitment in 2 phases.  Statistically hiding in both phases.  Computational binding in at least one phase. [Nguyen-Vadhan06] PV Com (1) (coloring) Query an edge Reveal color of nodes Com (2) (coloring) Query an edge Reveal color of nodes Phase 1 Phase 2 ZK since Prover does not reveal knowledge in both phases

21 1-out-of-2 binding commitments suffice for SZK arguments  Commitment in 2 phases.  Statistically hiding in both phases.  Computational binding in at least one phase. [Nguyen-Vadhan06] PV Com (1) (coloring) Query an edge Reveal color of nodes Com (2) (coloring) Query an edge Reveal color of nodes Phase 1 Phase 2 Sound since Verifier checks valid colorings in both phases.

22 Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Nguyen- Vadhan06] statistical zero-knowledge arguments statistically hiding, 1-out-of-2 binding Main Thm

23 Overview of our construction from one-way functions One-way function (1/n)-hiding 1-out-of-2 binding  1)-hiding 1-out-of-2 binding stat hiding 1-out-of-2 binding Statistical ZK argument for NP

24 OWF ) (1/n)-hiding  Starting Point: OWF w/ “approximable preimage size” ) stat. hiding commitments [HHK+05]  Idea: sender “guess” preimage size ) hiding w.p. 1/n  Problem: sender sends overestimate.  Solution: use second phase to “prove” estimate correct [NV06] – Main tool: interactive hashing [OVY]

25 (1/n)-hiding )  (1)-hiding  Amplify in O(log n) stages –Each time  -hiding  2  -hiding –Inspired by [Reingold05,Dinur06]  Each Stage –O(1) repetitions of basic protocol –Combine using interactive hashing [OVY] –Analyze with nonstandard measures.

26 Future Work  Standard statistically hiding commitments from OWF. –Useful for verifier commitments. –Many applications beyond ZK.  Better (sub-polynomial) round complexity –Open even for one-way permutations [NOVY].  Simplify the construction.


Download ppt "Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University."

Similar presentations


Ads by Google