Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nir Bitansky and Omer Paneth. Interactive Proofs.

Published byAgatha Harrison Modified over 9 years ago

Similar presentations

Presentation on theme: "Nir Bitansky and Omer Paneth. Interactive Proofs."— Presentation transcript:

1 Nir Bitansky and Omer Paneth

2 Interactive Proofs

3 Negligible soundness error

4 Prover’s security Zero-Knowledge [Goldwasser-Micali-Rackoff-85] Weak Zero-Knowlage [Dwork-Naor-Reingold-Stockmeyer-99] Witness Hiding [Feige-Shamir-90] Witness Indistinguishability [Feige-Shamir-90]

5 Prover’s security Zero-Knowledge (ZK) Weak Zero-Knowlage Witness Hiding (WI) Witness Indistinguishability (WH)

6 Prover’s security Zero-Knowledge (ZK) Weak Zero-Knowlage Witness Hiding (WI) Witness Indistinguishability (WH)

7 Prover’s security Zero-Knowledge (ZK) Weak Zero-Knowlage Witness Hiding (WI) Witness Indistinguishability (WH)

8 Prover’s security Zero-Knowledge (ZK) Weak Zero-Knowlage Witness Hiding (WI) Witness Indistinguishability (WH)

9 Relation Between Notions Zero-Knowledge Weak ZK WI WH Only if every instance hes two independent witnesses [FS90]

10 The Round-Complexity of ZK Proofs [Goldreich- Kahan-96] Impossible [Goldreich-Oren-94] ? # rounds Arguments [Feige-Shamir-90] [Bellare-Jakobsson- Yung-97]

11 Black-Box vs. Non-Black-Box Simulation Black-box simulationNon-black-box simulation

12 Theorem: 3-round ZK protocols with black-box simulator exist only for trivial languages Getting 3-Round ZK – The Challenge [ GK96 ]:

13 Relaxations of ZK Black-box reduction \ simulation is impossible Black-box reduction \ simulation exist Notion (3-round) [GK96]ZK [GK96]Weak ZK [FS90]WI [HRS09] (One witness case) [FS90] (Two witnesses case) WH

14 Barak’s Non-black-box ZK protocol [B01]: -Overcomes black-box impossibilities -But: too many rounds Non-Black-Box Techniques

15 Example: Assume parallel repetition of some basic ZK protocol is also ZK. [GMW91,B86]. An Alternative: Assumptions Non-Black-Box Transformation S For every:There exists:

16 Under what assumptions do 3-round ZK protocols exist?

17 3-Round ZK from Other Assumptions WorkAssumptionResult [Hada-Tanaka-98] [Bellare-Palacio-04] Knowledge of Exponent [D91] 3-round ZK argument [Lepinski-Micali-01] A specific number theoretic protocol is a POK 3-round ZK Proof [Canetti-Dakdouk-08] [Goldwasser-Lin- Rubinstein-12] Extractable 1-to-1 OWF 3-round ZK argument

18 3-Round ZK from Non-Standard Assumptions All of the assumptions used imply the existence of Extractable OWFs Extractable OWF [D91] [HT98] [LM01] [BP04] [CD08] [GLR12]

19 Are extractable OWFs necessary? - We do not know. Can we get 3-round ZK from different assumptions?

20 Our Results: Auxiliary Input Point Obfuscation Relaxations of ZK From: To:

21 Our Results: Auxiliary Input Point Obfuscation Indistinguishability definition (weaker) 3-Round Witness hiding

22 Our Results: Auxiliary Input Point Obfuscation Indistinguishability definition (weaker) 3-Round Witness hiding Simulation definition (stronger) 3-Round Weak ZK

23 Point Obfuscation Witness Hiding Definitions

24 Point Obfuscation

25 Virtual Black-Box [BGI+01]

26 Indistinguishability Definition

27 Constructions: [Canetti97], extensions of [Wee05]

28 Witness Hiding

29

30

31 Our Witness Hiding Protocol

32 2-party computation

33 3-Round Witness Hiding (1)

34

35 3-Round Witness Hiding (2)

36 Attack on Witness Hiding

37 The Final Protocol

38 Fixing the Attack

39 Given

40 Fixing the Attack

41

42 Properties of the Protocol Protocol is not zero-knowledge. Protocol is a proof-of-knowledge. Unconditional soundness (proof). Attack on ZK:

43 What is the non-black-box component in our reduction?

44 Auxiliary Input Point Obfuscation

45 For every distinguisher there exists a predictor Non-Black-Box Transformation Distinguisher Predictor Auxiliary Input Point Obfuscation

46 The Non-Black-Box Component

47

48 Predictor

49 Some assumptions give us a non-black-box transformation: Some 3-round protocol is indeed ZK Extructable OWF \ Knowledge of Exponent Auxiliary Input Point Obfuscation Conclusion Distinguisher Predictor Non-Black-Box Transformations S

50 Given such assumptions we can get 3-round ZK. How to compare these assumptions? What type of non-black-box transformation is required for 3-round ZK? Conclusion

51  ?

Download ppt "Nir Bitansky and Omer Paneth. Interactive Proofs."

Similar presentations

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart

Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
OPENING THE BLACK BOX Boaz Barak Institute for Advanced Study Princeton, NJ New Techniques in Cryptography.

OPENING THE BLACK BOX Boaz Barak Institute for Advanced Study Princeton, NJ New Techniques in Cryptography.
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,

Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,
1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.

1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.
Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.

Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.
Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen.

Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Similar presentations

Ads by Google