Download presentation

Presentation is loading. Please wait.

Published byAmanda Hodgens Modified over 4 years ago

1
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

2
Assumptions for Cryptography One-way functions ) –Pseudorandom generators [Hastad-Impagliazzo-Levin-Luby]. –Pseudorandom functions & private-key cryptography [Goldreich-Goldwasser-Micali] –Commitment schemes [Naor]. –Zero-knowledge proofs for NP [Goldreich-Micali-Wigderson]. –Digital signatures [Rompel]. Almost all cryptographic tasks ) one-way functions. [Impagliazzo-Luby, Ostrovsky-Wigderson] Some tasks not “black-box reducible” to one-way fns. –Public-key encryption [Impagliazzo-Rudich] –Collision-resistant hashing [Simon]

3
Main Result One-Way Functions ) Statistical Zero-Knowledge Arguments for NP –Resolves an open problem posed by [Naor-Ostrovsky-Venkatesan-Yung92]. –OWF is essentially the minimal complexity assumption for ZK [Ostrovsky-Wigderson].

4
Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] Completeness [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements

5
Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [Fortnow,Aiello-Hastad]: Only languages in AM Å co-AM have statistical ZK proofs.

6
Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [1980’s]: one-way functions ) all of NP has computational ZK proofs.

7
Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [today]: one-way functions ) all of NP has statistical ZK arguments.

8
Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Goldreich- Micali- Wigderson] [Hastad- Impagliazzo- Levin-Luby], [Naor] computational zero-knowledge proofs

9
Commitment Schemes Polynomial time algorithm Com(b; K) s.t. –Hiding For random K, Com(0; K) ¼ Com(1; K) –Binding Com(b; K) cannot be opened to b’, where b’ b. SR Commit: c = Com(b;K) Reveal: (b,K) K Ã {0,1}* b 2 {0,1}

10
Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] 1 2 3 4 5 6 PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Completeness: Graph 3-colorable ) V always accepts.

11
Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] 1 2 3 4 5 6 PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Soundness: Graph not 3-colorable ) V rejects w.p. ¸ 1/(# edges) because commitment binding

12
Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] 1 2 3 4 5 6 PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Zero knowledge: Graph 3-colorable ) Verifier learns nothing because commitment hiding

13
Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Goldreich- Micali- Wigderson] [Hastad- Impagliazzo- Levin-Luby], [Naor] computational zero-knowledge proofs computationally hiding, statistically binding

14
Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Brassard- Chaum- Crepeau] statistical zero-knowledge arguments statistically hiding, computationally binding ???

15
Complexity of SZK Arguments for NP number-theoretic assumptions claw-free perm SZK arguments stat. hiding comp. binding commitments [BCC] [GMR,BKK] [NY] collision-resistant hash functions [GMR, Damgard] [GK]

16
Complexity of SZK arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF SZK arguments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [GMR,BKK] [NY] collision-resistant hash functions [GK]

17
Complexity of SZK arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF one-way function SZK arguments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [NY] collision-resistant hash functions [GMR,BKK] [GK]

18
Complexity of SZK Arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF one-way function SZK arguments stat. hiding 1-out-of-2 comp. binding commitments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [NY] collision-resistant hash functions [GMR,BKK] [GK]

19
1-out-of-2 binding commitments Commitment in 2 phases. Statistically hiding in both phases. Computational binding in at least one phase. [Nguyen-Vadhan06] SR Phase 1 commit: c = Com (1) (b;K) Phase 1 reveal: (b,K) Phase 2 commit: c’ = Com (2) (b’;K’) Phase 2 reveal: (b’,K’)

20
1-out-of-2 binding commitments suffice for SZK arguments Commitment in 2 phases. Statistically hiding in both phases. Computational binding in at least one phase. [Nguyen-Vadhan06] PV Com (1) (coloring) Query an edge Reveal color of nodes Com (2) (coloring) Query an edge Reveal color of nodes Phase 1 Phase 2 ZK since Prover does not reveal knowledge in both phases

21
1-out-of-2 binding commitments suffice for SZK arguments Commitment in 2 phases. Statistically hiding in both phases. Computational binding in at least one phase. [Nguyen-Vadhan06] PV Com (1) (coloring) Query an edge Reveal color of nodes Com (2) (coloring) Query an edge Reveal color of nodes Phase 1 Phase 2 Sound since Verifier checks valid colorings in both phases.

22
Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Nguyen- Vadhan06] statistical zero-knowledge arguments statistically hiding, 1-out-of-2 binding Main Thm

23
Overview of our construction from one-way functions One-way function (1/n)-hiding 1-out-of-2 binding 1)-hiding 1-out-of-2 binding stat hiding 1-out-of-2 binding Statistical ZK argument for NP

24
OWF ) (1/n)-hiding Starting Point: OWF w/ “approximable preimage size” ) stat. hiding commitments [HHK+05] Idea: sender “guess” preimage size ) hiding w.p. 1/n Problem: sender sends overestimate. Solution: use second phase to “prove” estimate correct [NV06] – Main tool: interactive hashing [OVY]

25
(1/n)-hiding ) (1)-hiding Amplify in O(log n) stages –Each time -hiding 2 -hiding –Inspired by [Reingold05,Dinur06] Each Stage –O(1) repetitions of basic protocol –Combine using interactive hashing [OVY] –Analyze with nonstandard measures.

26
Future Work Standard statistically hiding commitments from OWF. –Useful for verifier commitments. –Many applications beyond ZK. Better (sub-polynomial) round complexity –Open even for one-way permutations [NOVY]. Simplify the construction.

Similar presentations

OK

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google