On Non-Black-Box Proofs of Security Boaz Barak Princeton.


1 On Non-Black-Box Proofs of Security Boaz Barak Princeton

2 Prototypical Crypto Thm: If problem X is hard then scheme Y is secure.
Examples: ∃ OWF ⇒ ∃ signature schemes [NaorYung,Rompel]; DDH hard ⇒ ∃ CCA-secure encryption [CramerShoup98]
Contrapositive: ∃ poly-alg A breaking Y ⇒ ∃ poly-alg B for X
Typical proof: Show generic B using A as subroutine.
(Diagram: B and A; input x: instance of X; output: solution for x.)
We call this a black-box proof of security. In a non-black-box proof, B can use the code of A (not to be confused w/ black-box vs. non-black-box constructions)

3 More Formally: (Strongly) Black-Box Reductions
(for OWF ⇒ KA) ∃ eff. (Alice, Bob), ∃ eff. Adv s.t. ∀ f and Eve [ Eve breaks (Alice^f, Bob^f) ⇒ Adv^{f,Eve} inverts f ]
(Diagram labels: f, (Alice, Bob), Eve, Adv^f; Security proof, Underlying primitive, Adversary.)
Non-black-box proofs of security:
1. Security proof may use code of underlying primitive (i.e., f) (examples: using specific assumptions, Cook-Levin)
2. Security proof may use code of adversary (this talk)

4 Non-Black-Box Security Proofs
Advantages: More general proof technique, can prove more thms. Bypass proven limitations of black-box proofs.
Disadvantages: Less robust proofs, more dependence on model. E.g.: Uniform TMs vs. circuits, quantum algorithms. Seem to come at steep cost in efficiency.
(Somewhat surprisingly, without real understanding of computation.)

5 Applications of Non-BB Proofs:
Strong Forms of Zero Knowledge:
O(1)-round bounded concurrent zero-knowledge (ZK)
Resettable ZK proof of knowledge [B.GoldwasserGoldreichLindell01]
ZK with strict poly-time simulation & extraction [B.Lindell02]
Resettably-sound ZK
Composable protocols:
O(1)-round concurrent, non-malleable commitments
O(1)-round general multiparty computation [KatzOstrovskySmith03],[Pass04]
Concurrent, non-malleable general computation
Further citations on the slide: [B.01]; [B.02], [PassRosen05a], [PassRosen05b]; [Lindell03],[PassRosen03],[Pass04], [B.Sahai05]

6 Plan
I Basic Non-BB ZK Protocol [B.01]
II Making it bounded-concurrent [B.01]
III Making it bounded non-malleable.
IV Unbounded concurrency and non-malleability using super-polynomial simulation. [Pass.04] [B.Sahai.04]
V Limitations and open questions.

7 I Non-Black-Box Zero Knowledge
Zero Knowledge Proof: P proves to V that stmt x is true. (e.g., x = "string y is encryption of 0", x = "graph G is 3-colorable")
(Diagram: P and V; Stmt: x ∈ {0,1}^n; Witness: c: [n] → {R,G,B}; accept/reject.)

8 I Non-Black-Box Zero Knowledge
Zero Knowledge Proof: P proves to V that stmt x is true. (e.g., x = "string y is encryption of 0", x = "graph G is 3-colorable")
Completeness: P runs in poly-time given witness w for x.
Soundness: If x false, V accepts w.p. < negl(n) = n^{-ω(1)}
Zero Knowledge: ∀ (possibly cheating) V*, ∃ S s.t. S(x) ≈ V*'s view in exec with P(w)
(Diagram: P and V* ≈ S( ).)

9 I Non-Black-Box Zero Knowledge
Zero Knowledge Proof: P proves to V that stmt x is true. (e.g., x = "string y is encryption of 0", x = "graph G is 3-colorable")
Zero Knowledge: ∀ (possibly cheating) V*, ∃ S s.t. S(x) ≈ V*'s view in exec with P(w)
(Diagram: P and V* ≈ S( ) with V*.)
Black-Box ZK: S uses V* as a black-box subroutine (i.e., uses subroutine for V*'s next-message function).
Non-BB ZK: S uses the code of V*.

10 Some Tools
Commitments: Efficient func Com: {0,1}^k × {0,1}^n → {0,1}^m
Hiding: ∀ x, x′: Com(x, U_n) ≈ Com(x′, U_n)
Binding: x ≠ x′ ⇒ Com(x, {0,1}^n), Com(x′, {0,1}^n) disjoint
(Notation: Com(x) = Com(x, U_n)) [Blum84],[Naor91]
Collision Resistant Hash (CRH): Collection H of efficient functions {0,1}* → {0,1}^n s.t. for random h ∈ H hard to find x ≠ x′ w/ h(x) = h(x′) (implies CRH from {0,1}^{2n} to {0,1}^n) [GoldwasserMicaliRivest84], SHA1, AES, …
Witness Indistinguishable Proofs (WI): [FeigeShamir90] When proving x_1 ∨ x_2, verifier can't tell witness used. Implied by zero knowledge. Closed under concurrent composition.

11 A Flawed Zero Knowledge Protocol
Protocol (P, V; Stmt: x ∈ {0,1}^n):
P → V: z = Com(r′)
V → P: r ∈_R {0,1}^n
UAWI: either 1) x is true, or 2) r′ = r
Completeness: Prover has efficient strategy using witness for x
Soundness: Suppose x is false. Let z be prover's message. Denote r′ = Com^{-1}(z). Pr[ r′ = r ] = 2^{-n}
Zero Knowledge: Let V* be possibly cheating ver. Assume w.l.o.g. V* deterministic: r = V*(z). Sim's goal: z = Com(r). Find r s.t. r = V*(Com(r)). Problem: could take 2^n guesses.

12 Flawed Protocol – High Level View
Protocol (P, V; Stmt: x ∈ {0,1}^n): z = Com(r′); r ∈_R {0,1}^n; UAWI: either 1) x is true, or 2) r′ = r. Cheating verifier: r = V*(z).
High level view (P, V; Stmt: x ∈ {0,1}^n): P: "guess r"; V: r ∈_R {0,1}^n; P proves: "Stmt true or I guessed r".

13 Main Tool – Universal Arguments
Interactive proof system for super-polynomial languages. [Kilian92],[Micali94],[B.Goldreich02]
Statement: M(x) = 1 (M can be deterministic/non-det). M, x: n bits description; T: running time.
Based on following variant of PCP thm [BabaiFortnowLevinSzegedy91]: Every statement verifiable in T time deterministically can be proven in polylog(T) time in prob. "proof in sky" (PCP) model.
(Diagram: T^{O(1)}-long proof; verifier: c queries, 2^{-Ω(c)} error, c·polylog(T) time.)

14 Universal Arguments [Kilian92,Micali94],…
Statement: M, x (n bits description), T running time. Prover holds T^{O(1)}-long proof.
V → P: h, col-res hash h: {0,1}^{2k} → {0,1}^k
P → V: root = root of hash tree of the proof (invoke h) [Merkle]
V → P: q_1,…,q_c (PCP ver queries)
P → V: Answers + paths in tree
Prover time: poly(T). Soundness: negl(k). Communication: k·polylog(T). Verifier time: k·polylog(T) + poly(n)
Using commitments and ZK/WI proofs for NP can get UAZK/UAWI w/ same parameters. Is proof of knowledge [B.Goldreich02]
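The hash-tree step of slide 14, as an added Python example that is not part of the original slides: the prover commits to a long proof string with a single root, then answers verifier queries with the queried block plus its path in the tree. SHA-256 stands in for the slide's h, and the 8-block proof string and the query positions are constructed sample values; the PCP verifier itself is not modelled.

```python
import hashlib

def h(left: bytes, right: bytes) -> bytes:
    # Stand-in for the slide's h: {0,1}^{2k} -> {0,1}^k, with k = 256 bits.
    return hashlib.sha256(b"\x01" + left + right).digest()

def leaf(block: bytes) -> bytes:
    # Domain-separated leaf hash so a leaf is never mistaken for an inner node.
    return hashlib.sha256(b"\x00" + block).digest()

def commit(blocks):
    """Prover: build the hash tree over the proof; levels[-1][0] is the root."""
    size = 1
    while size < len(blocks):
        size *= 2
    level = [leaf(b) for b in blocks] + [leaf(b"")] * (size - len(blocks))
    levels = [level]
    while len(level) > 1:
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def open_at(levels, blocks, q):
    """Prover: answer query q with the block and its sibling path to the root."""
    path, idx = [], q
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx //= 2
    return blocks[q], path

def verify(root, q, block, path):
    """Verifier: recompute the root from one answer; cost is len(path) hashes."""
    node = leaf(block)
    for sibling in path:
        node = h(node, sibling) if q % 2 == 0 else h(sibling, node)
        q //= 2
    return node == root

# Constructed stand-in for the long PCP proof: 8 blocks of 4 bytes each.
PROOF = [bytes([i]) * 4 for i in range(8)]
QUERIES = [1, 6]  # constructed verifier queries q_1, q_2

def run_exchange():
    levels = commit(PROOF)
    root = levels[-1][0]                                  # P -> V: root
    answers = [(q, *open_at(levels, PROOF, q)) for q in QUERIES]
    return root, answers, all(verify(root, q, b, p) for q, b, p in answers)

if __name__ == "__main__":
    print(run_exchange()[2])
```

Each answer carries log2(N) hashes for an N-block proof, which is where the k·polylog(T) communication and verifier time on the slide come from.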

15 Basic Non-BB Zero Knowledge [B.01]
Protocol (P, V; Stmt: x ∈ {0,1}^n):
V → P: CRH h: {0,1}* → {0,1}^n
P → V: z = Com(h(M)) (M: Turing machine. Honest prover uses "junk" TM: always outputs 0)
V → P: r ∈_R {0,1}^n
UAWI: either 1) x is true, or 2) M(z) = r (in ≤ n^{log n} steps)
Completeness: Prover has efficient strategy using witness for x
Soundness: Suppose x is false. Let z be prover's message. Assume it binds to a single TM M. Denote r′ = M(z). Pr[ r′ = r ] = 2^{-n}
Zero Knowledge: Let V* be possibly cheating ver. Assume w.l.o.g. V* deterministic: r = V*(z). Sim uses z = Com(h(V*)). Inherently non-BB simulator. [GoldreichKrawczyck86]
Note use of UA property.
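Why committing to the verifier's own code satisfies branch 2 of the statement on slide 15, as an added Python toy that is not part of the original slides. The names `next_message`, `V_STAR_SRC` and `JUNK_SRC`, the hash-based `com`, and the sample verifier are assumptions made for illustration; the UAWI proof and the step bound are not modelled, only the truth of the statement "z commits to h(M) and M(z) = r".

```python
import hashlib
import os

def crh(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()          # stand-in for the CRH h

def com(value: bytes, coins: bytes) -> bytes:
    # Toy hash-based commitment (assumption); the slides only require hiding and binding.
    return hashlib.sha256(coins + value).digest()

# Constructed deterministic cheating verifier V*: its challenge depends on z.
V_STAR_SRC = '''
def next_message(z):
    import hashlib
    return hashlib.sha256(b"constructed-verifier-seed" + z).digest()
'''

# The honest prover's "junk" machine: always outputs 0.
JUNK_SRC = '''
def next_message(z):
    return bytes(32)
'''

def run_machine(src: str, z: bytes) -> bytes:
    scope = {}
    exec(src, scope)                               # run the committed program M on z
    return scope["next_message"](z)

def first_message(machine_src: str):
    coins = os.urandom(32)
    return com(crh(machine_src.encode()), coins), coins   # z = Com(h(M))

def branch2_holds(machine_src, coins, z, r) -> bool:
    # Branch 2 of the UAWI statement: z is a commitment to h(M) and M(z) = r.
    opens = com(crh(machine_src.encode()), coins) == z
    return opens and run_machine(machine_src, z) == r

def simulate() -> bool:
    z, coins = first_message(V_STAR_SRC)           # simulator commits to V*'s code
    r = run_machine(V_STAR_SRC, z)                 # V* replies with r = V*(z)
    return branch2_holds(V_STAR_SRC, coins, z, r)

def prover_without_witness() -> bool:
    z, coins = first_message(JUNK_SRC)             # junk machine, no knowledge of V*
    r = run_machine(V_STAR_SRC, z)
    return branch2_holds(JUNK_SRC, coins, z, r)

if __name__ == "__main__":
    print(simulate(), prover_without_witness())
```

The simulator never rewinds or guesses: it needs the source of V*, which is exactly what a black-box simulator does not have.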

16 High Level View: Basic Non-BB ZK [B.01]
Protocol (P, V; Stmt: x ∈ {0,1}^n): CRH h: {0,1}* → {0,1}^n; z = Com(h(M)); r ∈_R {0,1}^n; UAWI: either 1) x is true, or 2) M(z) = r (in ≤ n^{log n} steps)
High level view (P, V; Stmt: x ∈ {0,1}^n): P: "implicitly guess r"; V: r ∈_R {0,1}^n; P proves: "Stmt true or I guessed r".

17 II Bounded-Concurrent ZK
Concurrent ZK: [DworkNaorSahai98],[RichardsonKilian99],… Coordinated attack of several verifiers against concurrently scheduled ZK proofs.
(Diagram: V* controlling V_1, V_2, V_3 in sessions with P_1, P_2, P_3.)
Bounded Concurrent: t sessions. Protocol communication and time poly(t,n).
Challenging because typical rewinding technique blows up simulation time. Requires ~Ω(log n) rounds for BB ZK. [CanettiKilianPetrankRosen01] …,[PrabhakaranRosenSahai03]

18 Is Basic Protocol Concurrent ZK?
Session 1 (P_1, V*; Stmt: x ∈ {0,1}^n): h; z = Com(h(V*)); r = V*(z); UAWI: either 1) x is true, or 2) M(z) = r
Session 2 (P_2, V*; Stmt: x ∈ {0,1}^n): h; z = Com(h(V*)); trans; r = V*(z, trans); UAWI: either 1) x is true, or 2) M(z) = r ?

19 Is Basic Protocol Concurrent ZK?
Session 1 (P_1, V*; Stmt: x ∈ {0,1}^n): h; z = Com(h(V*)); r = V*(z); UAWI: either 1) x is true, or 2) M(z) = r
Session 2 (P_2, V*; Stmt: x ∈ {0,1}^n): h; z = Com(h(V*)); trans; r = V*(z, trans); UAWI: either 1) x is true, or 2) M(z) = r ?

20 Is Basic Protocol Concurrent ZK?
Session 1 (P_1, V*; Stmt: x ∈ {0,1}^n): h; z = Com(h(V*)); r = V*(z); UAWI: either 1) x is true, or 2) M(z) = r
Session 2 (P_2, V*; Stmt: x ∈ {0,1}^n): h; z = Com(h(V*)); trans; r = V*(z, trans); UAWI: either 1) x is true, or 2) M(z) = r ?
Idea: relax the definition of "guessing r". Change (2) to M(z, trans) = r for some |trans| < |r|/2
That is: z is implicit guess for 2^{|trans|} possibilities for r. (notation: guess |trans| r )
Crucial point: can ensure all prover verifier msgs have length << |r|
Corollary: O(1)-round bounded ZK (bcZK) for all NP. [B.01]

21 III Non-Malleable ZK [DworkDolevNaor90]
Adversary is man-in-middle between prover & verifier. 2 sessions with unique id. Arbitrary scheduling. (synchronized is hardest)
(Diagram: P with V_1; V* in the middle; P_2 with V.)
Security goal: Ensure proof to honest verifiers is sound even when simulating honest prover – "simulation soundness". [Sahai00]
[DDN]: O(log n)-rounds
[B.02]: O(1)-rounds
Bounded non-malleability: ids come from set of size t, protocol communication and time poly(t,n)
[Pass04]: O(1)-rounds bounded non-mal
[PassRosen05a]: make [Pass04] unbounded NM (simpler, weaker assump)
A bit different non-BB technique.

22 Is Simulation Soundness Trivial?
(Diagram: x, id; P with V_1; V* in the middle; P_2 with V.)
Naive attempt to prove that every ZK protocol is simulation sound:
To simulate – consider V and V* as one standalone verifier V, and use simulator for V.
First, note that in real MIM interaction, right session is sound. (otherwise combine V* and P to prover contradicting standalone soundness)
But, since simulator's output ~ real interaction, how can simulation differ?
Note: known not to hold for some protocols, but why does naïve proof fail?
The event that x is true is not efficiently observable.
Simulator uses coins of V, so right session not necessarily sound.

23 Pass's Bounded-NMZK Protocol [Pass04]
Crucial observation: use bcZK to get one-directional simulation soundness.
Left session (P, V_1): imp. guess r_1; r_1 ∈_R {0,1}^{m_1}; "Stmt true or guessed m1 r_1"
Right session (P_2, V): imp. guess r_2; r_2 ∈_R {0,1}^{m_2}; "Stmt true or guessed m2 r_2"
If m_1 >> |right session| then can simulate left w/o right verifier's coins!
Pass's Protocol:
1. Use |r| = id*B (B bound on all other comm in all sessions, note ids bounded)
2. Run another iteration w/ id = max{id} - id
3. Prove in WI that at least one of the iterations succeeded.

24 IV Concurrent+Non-Malleable ZK
Many concurrent executions. Adversary corrupts both verifiers and provers.
(Diagram: V* among P_1, P_2, P_3 and V_1, V_2, V_3.)
Goal: simulation soundness: proofs to honest verifiers valid even in simulation.
Good News: Sufficient for concurrent secure computation of any task. [CanettiLindellOstrovskySahai02],[GoldreichMicaliWigderson87]
Bad News: Impossible to achieve natural definition (UC). [Lindell03],[Lindell04]
Good News: Maybe can achieve relaxed def: quasi-polynomial simulation. Implies: securely computing any task w/ qpoly simulation. [PrabhakaranSahai04]
Bad News: [PS] construction uses non-standard tailored assumptions.
Good News: Using non-BB obtain same result under standard assumptions (i.e., implied by "factoring is subexp hard") [B.Sahai05]

25 Isn't qpoly simulation trivial?
Protocol (P, V; Stmt: x ∈ {0,1}^n): N = "pretty large" random composite; Com(p); WI proof: either 1) x is true, or 2) p prime factor of N
Completeness: As always.
Soundness: From hardness of factoring
Concurrent ZK: Straight-line simulation. [Pass03]
Simulation soundness??
(Diagram: P with V_1; V* in the middle; P_2 with V. Both sessions: Stmt: x ∈ {0,1}^n; N, same N; z = Com(p), same z; "x true or p|N".)
In simulation V* can ensure 2nd condition is true. No reason for right session to be sound!
(Labels: Brute Force Op; Broke BFOP.)

26 Concurrent Non-Mal qZK Protocol [B.Sahai05]
Starting point: Pass's protocol for bounded-NM zero knowledge
1st Step: Change it to handle #ids to t = n^{log n}
Problem: In Pass's protocol communication > t
Solution: Compress the long messages.
(Diagram: r_1 ∈_R {0,1}^{m_1} is replaced by "Implicitly send r_1": Com(h(r_1)); UAZK: "Know r_1"; r_1 = 0^n.)
If proof successful, have qpoly-time knowledge extractor can obtain r_1 by rewinding
Is it (stand-alone) sound? Is it (stand-alone) zero knowledge?

27 Concurrent Non-Mal qZK Protocol* [B.Sahai05]
Protocol (P, V; Stmt: x ∈ {0,1}^n; id ∈ [t]; m_1 = n^{log n}·id, m_2 = n^{log n}·(t-id)): imp guess r_1; imp send r_1; imp guess r_2; imp send r_2; BFOP; UAWI: either 1) stmt true, 2) guessed m1 r_1, 3) guessed m2 r_2, 4) broke BFOP
Completeness: As before.
Soundness: Will follow from simulation soundness.
ZK+Simulation Soundness: Straightline simulator breaking BFOP (4). Why is that simulation sound??

28 Concurrent Non-Mal qZK Protocol* [B.Sahai05]
Protocol (P, V; Stmt: x ∈ {0,1}^n; id ∈ [t]; m_1 = n^{log n}·id, m_2 = n^{log n}·(t-id)): imp guess r_1; imp send r_1; imp guess r_2; imp send r_2; BFOP; UAWI: either 1) stmt true, 2) guessed m1 r_1, 3) guessed m2 r_2, 4) broke BFOP
ZK+Simulation Soundness: Straightline simulator breaking BFOP (4)
Change: Make option (1) weakly indist – observable in qpoly time.
Not an immediate solution: simulator now only weakly indist from real prover.
Idea: build auxiliary simulator that: 1) Strongly indist from real simulator. 2) Satisfies simulation soundness.
Why we need the real simulator? Auxiliary simulator uses the witness.

29 Concurrent Non-Mal qZK Protocol* [B.Sahai05]
Protocol (P, V; Stmt: x ∈ {0,1}^n; id ∈ [t]; m_1 = n^{log n}·id, m_2 = n^{log n}·(t-id)): imp guess r_1; imp send r_1; imp guess r_2; imp send r_2; BFOP; UAWI: either 1) stmt true, 2) guessed m1 r_1, 3) guessed m2 r_2, 4) broke BFOP
ZK+Simulation Soundness:
Real Prover: Uses: witness (1). Sim-sound: yes
Real Simulator: Uses: time (4). Sim-sound: ? Yes!
Aux Simulator: Uses: witness, non-BB (2,3). Sim-sound: yes
Real Prover ~ (weak) Real Simulator ~~ (strong) Aux Simulator

30 Concurrent Non-Mal qZK Protocol* [B.Sahai05]
Protocol (P, V; Stmt: x ∈ {0,1}^n; id ∈ [t]; m_1 = n^{log n}·id, m_2 = n^{log n}·(t-id)): imp guess r_1; imp send r_1; imp guess r_2; imp send r_2; BFOP; UAWI: either 1) stmt true, 2) guessed m1 r_1, 3) guessed m2 r_2, 4) broke BFOP
ZK+Simulation Soundness: Constructing the auxiliary simulator.
Aux Simulator: Uses: witness, non-BB (2,3). Sim-sound: yes
Execution we need to simulate: (Diagram: V* among P_1, P_2, P_3 and V_1, V_2, V_3.)
Useful observation: Can assume only one honest verifier.

31 The auxiliary simulator:
(Diagram: two sessions, P* with V and V* with P, each running: imp guess r_1; imp send r_1; imp guess r_2; imp send r_2; BFOP; UAWI: either 1) stmt true, 2) guessed m1 r_1, 3) guessed m2 r_2, 4) broke BFOP.)
Honest ver uses r_1 = 0^n. We'll use r_1 ∈_R {0,1}^{m_1}
Need program s.t. ( )=r 1 for | 1 |<< r 1
Can now simulate this part w/o access to ver's coins.
Build using V* + r_1 + UA knowledge extractor

32 The auxiliary simulator:
(Diagram: two sessions, P* with V and V* with P, each running: imp guess r_1; imp send r_1; imp guess r_2; imp send r_2; BFOP; UAWI: either 1) stmt true, 2) guessed m1 r_1, 3) guessed m2 r_2, 4) broke BFOP; other sessions P_2, P_3, …, P_m.)
Build using V* + r_1 + UA knowledge extractor
To run extractor need to simulate other sessions. To simulate other sessions, need to run extractor.
When building use witness to sim other sessions! never sent in clear – still strongly indist!

33 Questions:
All these use universal args. Are there different non-BB techniques?
Random oracle model also used to achieve non-malleability and concurrent security. Can we justify this? (so far mostly negative results [CanettiGoldreichHalevi98],[GoldwasserTa03] )
Is there ZK system w/ O(1)-rounds and public coin verifier? Related to both these questions.
Are these non-BB techniques inherently unpractical? Two problematic components: general ZK and PCP theorem. On other hand: PCP get simpler, more efficient. Maybe can push complexity to simulation? [BenSassonSudan05],[Dinur05]
Handling quantum adversaries? [B.Sahai05]

34 V*, V: h; Stmt: x ∈ {0,1}^n; z_1 = Com(h(M_1)); UACom(r_1); UAWI: either 1) x is true. 2) ∃ |t_1|

35 V*, V: h; Stmt: x ∈ {0,1}^n; z_1 = Com(h(M_1)); UACom(r_1); UAWI: either 1) x is true. 2) ∃ |t_1|

