Download presentation

Presentation is loading. Please wait.

Published byMackenzie Wallace Modified over 3 years ago

1
On Non-Black-Box Proofs of Security Boaz Barak Princeton

2
9 OWF ) 9 signature schemes [NaorYung,Rompel] Prototypical Crypto Thm: If problem X is hard then scheme Y is secure. Examples: DDH hard ) 9 CCA-secure encryption [CramerShoup98] Contrapositive: 9 poly-alg A breaking Y ) 9 poly-alg B for X Typical proof: Show generic B using A as subroutine. B A x: instance of Xsolution for x We call this a black-box proof of security. In a non-black-box proof, B can use the code of A (not to be confused w/ black-box vs. non-black-box constructions)

3
More Formally: (Strongly) Black-Box Reductions (for OWF KA ) eff. (Alice, Bob), eff. Adv s.t. f and Eve [ Eve breaks (Alice f,Bob f ) ) Adv f, Eve inverts f ] f (Alice, Bob) Eve Adv f Security proof Underlying primitive. Adversary Non-black-box proofs of security: 1. Security proof may use code of underlying primitive (i.e., f) (examples: using specific assumptions, Cook-Levin) 2. Security proof may use code of adversary (this talk)

4
Non-Black-Box Security Proofs Advantages: More general proof technique, can prove more thms. Bypass proven limitations of black-box proofs. Disadvantages: Less robust proofs, more dependence on model. E.g.: Uniform TMs vs. circuits, quantum algorithms. Seem to come at steep cost in efficiency. (Somewhat surprisingly, without real understanding of computation.)

5
Applications of Non-BB Proofs: O(1)-round bounded concurrent zero-knowledge (ZK) Resettable ZK proof of knowledge [B.GoldwasserGoldreichLindell01] ZK with strict poly-time simulation & extraction [B.Lindell02] [B.01] [B.02], [PassRosen05a], [PassRosen05b] O(1)-round general multiparty computation [KatzOstrovskySmith03],[Pass04] [Lindell03],[PassRosen03],[Pass04], [B.Sahai05] O(1)-round concurrent, non-malleable commitments Concurrent, non-malleable general computation Composable protocols: Strong Forms of Zero Knowledge: Resettably-sound ZK

6
Plan I Basic Non-BB ZK Protocol [B.01] II Making it bounded-concurrent [B.01] III Making it bounded non-malleable. IV Unbounded concurrency and non-malleability using super-polynomial simulation. [Pass.04] [B.Sahai.04] V Limitations and open questions.

7
I Non-Black-Box Zero Knowledge P proves to V that stmt x is true.Zero Knowledge Proof: (e.g., x = string y is encryption of 0 x = graph G is 3-colorable ) P Stmt: x 2 {0,1} n V Witness: c:[n] {R,G,B} accept/reject

8
I Non-Black-Box Zero Knowledge P proves to V that stmt x is true.Zero Knowledge Proof: (e.g., x = string y is encryption of 0 x = graph G is 3-colorable ) P runs in poly-time given witness w for x. Completeness: Soundness:If x false, V accepts w.p. < negl(n)=n - (1) 8 (possibly cheating) V *, 9 S s.t. S(x) » V * s view in exec with P(w) Zero Knowledge: PV*V* » S( )

9
I Non-Black-Box Zero Knowledge P proves to V that stmt x is true.Zero Knowledge Proof: (e.g., x = string y is encryption of 0 x = graph G is 3-colorable ) 8 (possibly cheating) V *, 9 S s.t. S(x) » V * s view in exec with P(w) Zero Knowledge: PV*V* » S( ) V*V* Non-BB ZK:S uses the code of V * Black-Box ZK:S uses V * as a black-box subroutine. (i.e. uses subroutine for V * s next-message function),

10
x Some Tools Commitments: Efficient func Com:{0,1} k £ {0,1} n {0,1} m Hiding: 8 x,x Com(x,U n ) » Com(x,U n ) Binding: x x Com(x,{0,1} n ), Com(x,{0,1} n ) disjoint (Notation: Com(x) = Com(x,U n ) ) [Blum84],[Naor91] Collision Resistant Hash (CRH): Collection H of efficient functions {0,1} * {0,1} n s.t. for random h 2H hard to find x x w/ h(x)=h(x) (implies CRH from {0,1} 2n to {0,1} n ) [GoldwasserMicaliRivest84], SHA1,AES,… Witness Indistinguishable Proofs (WI): [FeigeShamir90] When proving x 1 Ç x 2, verifier cant tell witness used. Implied by zero knowledge. Closed under concurrent composition.

11
A Flawed Zero Knowledge Protocol PV Stmt: x 2 {0,1} n z=Com(r) r 2 R {0,1} n UAWI either 1) x is true. 2) r=r or Completeness: Prover has efficient strategy using witness for x Soundness: Suppose x is false. Let z be provers message. Denote r =Com -1 (z) Pr[ r = r ] = 2 -n Zero Knowledge: V*V* Let V * be possibly cheating ver. Assume w.l.o.g V * deterministic r=V * (z) Sims goal: z=Com(r) Problem: could take 2 n guesses. Find r s.t. r=V*(Com(r))

12
Flawed Protocol – High Level View PV Stmt: x 2 {0,1} n z=Com(r) r 2 R {0,1} n UAWI either 1) x is true. 2) r=r or r=V * (z) PV Stmt: x 2 {0,1} n guess r r 2 R {0,1} n Stmt true or I guessed r

13
Main Tool – Universal Arguments Interactive proof system for super-polynomial languages. [Kilian92],[Micali94],[B.Goldreich02] Based on following variant of PCP thm: [BabaiFortnowLevinSzegedy91] Verifier c queries 2 - (c) error Mx n bits description T running time T O(1) long proof c ¢ polylog(T) time Statement: M(x)=1 ( M can be deterministic/non-det) Every statement verifiable in T time deterministically, can be proven in polylog(T) time in prob. proof in sky (PCP) model.

14
[Merkle] Universal Arguments Mx n bits description T running time PV T O(1) long proof h col-res hash h:{0,1} 2k {0,1} k = root of hash tree of invoke h root … = q 1,…,q c PCP ver queries Answers + paths in tree Prover time: poly(T) Soundness: negl(k) Communication: k ¢ polylog(T) Verifier time:k ¢ polylog(T)+poly(n) [Kilian92,Micali94],… Using commitments and ZK/WI proofs for NP can get UAZK/UAWI w/ same parameters. Is proof of knowledge [B.Goldreich02]

15
Basic Non-BB Zero Knowledge PV CRH h:{0,1} * {0,1} n Stmt: x 2 {0,1} n z=Com(h(M)) r 2 R {0,1} n UAWI either 1) x is true. 2) M(z)=r (in · n log n steps) or Completeness: Prover has efficient strategy using witness for x Soundness: Suppose x is false. Let z be provers message. Assume it binds to a single TM M. Denote r =M(z) Pr[ r = r ] = 2 -n Zero Knowledge: M: Turing machine. Honest prover uses junk TM: always outputs 0 V*V* Let V * be possibly cheating ver. Assume w.l.o.g V * deterministic r=V * (z) z=Com(h(V * )) Sim uses z=Com(h(V * )) Inherently non-BB simulator. Note use of UA property. [GoldreichKrawczyck86] [B.01]

16
High Level View: Basic Non-BB ZK PV CRH h:{0,1} * {0,1} n Stmt: x 2 {0,1} n z=Com(h(M)) r 2 R {0,1} n UAWI either 1) x is true. 2) M(z)=r (in · n log n steps) or [B.01] PV Stmt: x 2 {0,1} n implicitly guess r r 2 R {0,1} n Stmt true I guessed r or

17
II Bounded-Concurrent ZK Concurrent ZK: [DworkNaorSahai98],[RichardsonKilian99],… Coordinated attack of several verifiers against concurrently scheduled ZK proofs. Bounded Concurrent: P1P1 V1V1 P2P2 V2V2 P3P3 V3V3 t sessions. Protocol communication and time poly(t,n). V*V* Challenging because typical rewinding technique blows up simulation time. Requires ~ (log n) rounds for BB ZK. [CanettiKilianPetrankRosen01] …,[PrabhakaranRosenSahai03]

18
P1P1 h Stmt: x 2 {0,1} n UAWI either 1) x is true. 2) M(z)=r V*V* r=V * (z) z=Com(h(V * )) Is Basic Protocol Concurrent ZK? P2P2 Stmt: x 2 {0,1} n h V*V* z=Com(h(V * )) trans r=V * (z,trans) UAWI either 1) x is true. 2) M(z)=r ?

19
Is Basic Protocol Concurrent ZK? P1P1 h Stmt: x 2 {0,1} n UAWI either 1) x is true. 2) M(z)=r V*V* r=V * (z) z=Com(h(V * )) P2P2 Stmt: x 2 {0,1} n h V*V* z=Com(h(V * )) trans r=V * (z,trans) UAWI either 1) x is true. 2) M(z)=r ?

20
Is Basic Protocol Concurrent ZK? P1P1 h Stmt: x 2 {0,1} n UAWI either 1) x is true. 2) M(z)=r V*V* r=V * (z) z=Com(h(V * )) P2P2 Stmt: x 2 {0,1} n h V*V* z=Com(h(V * )) trans r=V * (z,trans) UAWI either 1) x is true. 2) M(z)=r ? Idea: relax the definition of guessing r Change (2) to M(z,trans)=r for some |trans| < |r|/2 That is: z is implicit guess for 2 |trans| possibilities for r. (notation: guess |trans| r ) Crucial point: can ensure all prover verifier msgs have length << |r| Corollary: O(1)-round bounded ZK (bcZK) for all NP. [B.01]

21
III Non-Malleable ZK [DworkDolevNaor90] Adversary is man-in-middle between prover & verifier. PV1V1 P2P2 V V*V* Bounded non-malleability:ids come from set of size t, protocol communication and time poly(t,n) [DDN] : O(logn)-rounds [B.02] : O(1)-rounds [Pass04] : O(1)-rounds bounded non-mal [PassRosen05a] : make [Pass04] unbounded NM (simpler, weaker assump) A bit different non-BB technique. Security goal:Ensure proof to honest verifiers is sound even when simulating honest prover – simulation soundness. [Sahai00] 2 sessions with unique id. Arbitrary scheduling. (synchronized is hardest)

22
Is Simulation Soundness Trivial? x,id P V1V1 P2P2 V V*V* To simulate – consider V and V * as one standalone verifier V, and use simulator for V. First, note that in real MIM interaction, right session is sound. (otherwise combine V * and P to prover contradicting standalone soundness) But, since simulators output ~ real interaction, how can simulation differ? Note: known not to hold for some protocols, but why does naïve proof fail? Naive attempt to prove that every ZK protocol is simulation sound: The event that x is true is not efficiently observable. Simulator uses coins of V, so right session not necessarily sound.

23
Passs Bounded-NMZK Protocol PV1V1 imp. guess r 1 r 1 2 R {0,1} Stmt true or guessed m1 r 1 m1m1 [Pass04] Crucial observation: use bcZK to get one-directional simulation soundness. P2P2 V imp. guess r 2 r 2 2 R {0,1} Stmt true or guessed m2 r 2 m2m2 If m 1 >> |right session| then can simulate left w/o right verifiers coins! Passs Protocol: 1. Use |r| = id*B (B bound on all other comm in all sessions, note ids bounded) 2. Run another iteration w/ id = max{id} - id 3. Prove in WI that at least one of the iterations succeeded.

24
IV Concurrent+Non-Malleable ZK Many concurrent executions. Adversary corrupts both verifiers and provers. Bad News:[PS] construction uses non-standard tailored assumptions. V*V* P1P1 P2P2 P3P3 V1V1 V2V2 V3V3 Goal: simulation soundness: proofs to honest verifiers valid even in simulation. Sufficient for concurrent secure computation of any task.Good News: [CanettiLindellOstrovskySahai02],[GoldreichMicaliWigderson87] Impossible to achieve natural definition (UC). Bad News: [Lindell03],[Lindell04] Good News:Maybe can achieve relaxed def: quasi-polynomial simulation. Implies: securely computing any task w/ qpoly simulation. [PrabhakaranSahai04] Good News:Using non-BB obtain same result under standard assumptions (i.e., implied by factoring is subexp hard) [B.Sahai05]

25
Isnt qpoly simulation trivial? PV Stmt: x 2 {0,1} n N = pretty large random composite WI proof either 1) x is true. Completeness: As always. Soundness: From hardness of factoring Com(p) Concurrent ZK: 2) p prime factor of N Straight-line simulation. [Pass03] Simulation soundness?? V1V1 P2P2 V*V* PV Nsame N z=Com(p)same z x true or p|N Stmt: x 2 {0,1} n x true or p|N In simulation V * can ensure 2 nd condition is true. No reason for right session to be sound! Brute Force Op Broke BFOP

26
Starting point: Passs protocol for bounded-NM zero knowledge 1 st Step: Change it to handle #ids to t=n log n Problem: In Passs protocol communication>t Solution: Compress the long messages. r 1 2 R {0,1} m1m1 m1m1 Com(h(r 1 )) Know r 1 UAZK r 1 =0 n Is it (stand-alone) sound? Is it (stand-alone) zero knowledge? Concurrent Non-Mal qZK Protocol [B.Sahai05] If proof succssesful, have qpoly-time knowledge extractor can obtain r 1 by rewinding Implicitly send r 1

27
Completeness: As before. Soundness: Will follow from simulation soundness. ZK+Simulation Soundness: Straightline simulator breaking BFOP (4). Why is that simulation sound?? P V Stmt: x 2 {0,1} n imp guess r 1 imp send r 1 UAWI either 1) stmt true 2) guessed m1 r 1 id 2 [t] 3) guessed m2 r 2 BFOP 4) broke BFOP m 1 = n logn id, m 2 = n logn (t-id) imp guess r 2 imp send r 2 Concurrent Non-Mal qZK Protocol* [B.Sahai05]

28
ZK+Simulation Soundness: Straightline simulator breaking BFOP (4) Change: Make option (1) weakly indist – observable in qpoly time. Not an immediate solution: simulator now only weakly indist from real prover. Idea: build auxiliary simulator that: 1) Strongly indist from real simulator. 2) Satisfies simulation soundness. Why we need the real simulator? Auxiliary simulator uses the witness. P V Stmt: x 2 {0,1} n imp guess r 1 imp send r 1 UAWI either 1) stmt true 2) guessed m1 r 1 id 2 [t] 3) guessed m2 r 2 BFOP 4) broke BFOP m 1 = n logn id, m 2 = n logn (t-id) imp guess r 2 imp send r 2 Concurrent Non-Mal qZK Protocol* [B.Sahai05]

29
ZK+Simulation Soundness: Real Prover: Uses:witness(1) Sim-sound: yes Real Simulator: Uses: time (4) Sim-sound: ? ~ (weak) ~~ (strong) Aux Simulator: Uses: witness,non-BB (2,3) Sim-sound: yes P V Stmt: x 2 {0,1} n imp guess r 1 imp send r 1 UAWI either 1) stmt true 2) guessed m1 r 1 id 2 [t] 3) guessed m2 r 2 BFOP 4) broke BFOP m 1 = n logn id, m 2 = n logn (t-id) imp guess r 2 imp send r 2 Concurrent Non-Mal qZK Protocol* [B.Sahai05] Yes!

30
ZK+Simulation Soundness: Constructing the auxiliary simulator. Execution we need to simulate: V1V1 V3V3 V*V* P1P1 P2P2 P3P3 V2V2 Useful observation: Can assume only one honest verifier. m 1 = n logn id, m 2 = n logn (t-id) P V Stmt: x 2 {0,1} n imp guess r 1 imp send r 1 UAWI either 1) stmt true 2) guessed m1 r 1 id 2 [t] 3) guessed m2 r 2 BFOP 4) broke BFOP imp guess r 2 imp send r 2 Concurrent Non-Mal qZK Protocol* [B.Sahai05] Aux Simulator: Uses: witness,non-BB (2,3) Sim-sound: yes

31
The auxiliary simulator: P*V imp guess r 1 imp send r 1 2) guessed m1 r 1 BFOP UAWI either 1) stmt true 3) guessed m2 r 2 4) broke BFOP imp guess r 2 imp send r 2 V* imp guess r 1 imp send r 1 BFOP 2) guessed m1 r 1 UAWI either 1) stmt true 3) guessed m2 r 2 4) broke BFOP imp guess r 2 imp send r 2 P Honest ver uses r 1 =0 n Well use r 1 2 R {0,1} m1 Need program s.t. ( )=r 1 for | 1 |<< r 1 Can now simulate this part w/o access to vers coins. Build using V* + r 1 + UA knowledge extractor

32
P2P2 P3P3 PmPm … The auxiliary simulator: P*V imp guess r 1 imp send r 1 2) guessed m1 r 1 BFOP UAWI either 1) stmt true 3) guessed m2 r 2 4) broke BFOP imp guess r 2 imp send r 2 V* imp guess r 1 imp send r 1 BFOP 2) guessed m1 r 1 UAWI either 1) stmt true 3) guessed m2 r 2 4) broke BFOP imp guess r 2 imp send r 2 P Build using V* + r 1 + UA knowledge extractor To run extractor need to simulate other sessions. To simulate other sessions, need to run extractor. When building use witness to sim other sessions! never sent in clear – still strongly indist!

33
Questions: All these use universal args. Are there different non-BB techniques? Random oracle model also used to achieve non-malleability and concurrent security. Can we justify this? (so far mostly negative results [CanettiGoldreichHalevi98],[GoldwasserTa03] ) Is there ZK system w/ O(1)-rounds and public coin verifier? Related to both these questions. Are these non-BB techniques inherently unpractical? Two problematic components: general ZK and PCP theorem. On other hand:PCP get simpler, more efficient Maybe can push complexity to simulation? [BenSassonSudan05],[Dinur05] Handling quantum adversaries? [B.Sahai05]

34
V*V* V h Stmt: x 2 {0,1} n z 1 =Com(h(M 1 )) UACom(r 1 ) UAWI either 1) x is true. 2) 9 |t 1 |

35
V*V* V h Stmt: x 2 {0,1} n z 1 =Com(h(M 1 )) UACom(r 1 ) UAWI either 1) x is true. 2) 9 |t 1 |

Similar presentations

OK

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on satellite orbits Ppt on life in prehistoric times Ppt on history of atomic models Ppt on energy conservation Ppt on area of trapezium rectangle Full ppt on electron beam machining videos Ppt on hepatitis b vaccine Ppt on steve jobs download Presentations open ppt on mac Ppt on high voltage engineering applications