Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.


Interactive Proofs/Arguments
L=L(R) ∈ NP
[Diagram: P, V; w ∈ R(x); x (x ∈ L)]
Zero-Knowledge: Everything an efficient verifier can learn after a ZK interaction can be learned by applying an efficient algorithm (i.e., simulator) to the public input.
∃ efficient S s.t. ∀ efficient V* ∀ x ∈ L: S(V*,x) (x)

Interactive Proofs/Arguments
L=L(R) ∈ NP
[Diagram: P, V; w ∈ R(x); x (x ∈ L)]
Proof of Knowledge (POK): If an efficient prover can convince the honest verifier that x ∈ L then there exists an efficient algorithm (knowledge extractor) to extract a witness for x from the prover's strategy.
∃ efficient E s.t. ∀ efficient P* ∀ x: Pr[ E(P*,x) ∈ R(X) ] ∼ Pr[ (x)=1 ]

Definition of Zero-Knowledge: Everything an efficient verifier can learn after a ZK interaction can be learned by applying an efficient algorithm to the public input.
∃ efficient S s.t. ∀ efficient V* ∀ x ∈ L: S(V*,x) (x)
Popular formal interpretation:
efficient = probabilistic polynomial-time
efficient = probabilistic expected polynomial-time

Definition of Proofs of Knowledge (POK): If an efficient prover can convince the honest verifier that x ∈ L then there exists an efficient algorithm (knowledge extractor) to extract a witness for x from the prover's strategy.
∃ efficient E s.t. ∀ efficient P* ∀ x: Pr[ E(P*,x) ∈ R(X) ] ∼ Pr[ (x)=1 ]
Popular formal interpretation:
efficient = probabilistic polynomial-time
efficient = probabilistic expected polynomial-time

Possible Defs for Zero-Knowledge
Def | Efficient Verifier/Prover | Efficient Simulator/Extractor | Pros | Cons
Def 1 | Strict | Strict | Strict=Efficient Computation; No Gap | No constant-round prot*
Def 2 | Strict | Expected | ∃ constant-round protocols | Expected Efficient; Gap
Def 3 | Expected | Expected | ∃ constant-round protocols** | Expected Efficient; Problem w/def [Feige]

Possible Defs for Zero-Knowledge / POK
Def | Efficient Verifier/Prover | Efficient Simulator/Extractor | Pros | Cons
Def 1 | Strict | Strict | Strict=Efficient Computation; No gap | No constant-round prot*
Def 2 | Strict | Expected | ∃ constant-round protocols | Expected Efficient; Gap
Def 3 | Expected | Expected | ∃ constant-round prot**; No gap | Expected Efficient; Problem w/def [Feige]

Possible Defs for Zero-Knowledge
Def | Efficient Verifier/Prover | Efficient Simulator/Extractor | Pros | Cons
Def 1 | Strict | Strict | Strict=Efficient Computation; No gap | No constant-round prot*
Def 2 | Strict | Expected | ∃ constant-round protocols | Expected Efficient; Gap
Def 3 | Expected | Expected | ∃ constant-round prot**; No gap | Expected Efficient; Problem w/def [Feige]
Summary: Def 1 is best if it can be met.

Def | Efficient Verifier/Prover | Efficient Simulator/Extractor
Def 1 | Strict | Strict
Def 2 | Strict | Expected
Def 3 | Expected | Expected
Summary: Def 1 is best if it can be met.
[B,BG]: For Zero-Knowledge Def 1 can be met by a constant-round prot. w/ a non-black-box simulator (assuming CRH)
Our Results:
1. In both cases Def 1 can not be met in constant-rounds by a black-box simulator/extractor.
2. In case of POK Def 1 can be met by a constant-round prot. w/ a non-black-box extractor (assuming CRH&TDP)

Impossibility of strict poly-time black-box simulation
Motivation: Look at how known expected poly-time black-box simulators work (e.g. [FS])
[Diagram: P, V; messages V1, P1, V2, P2]

[Diagram: S, V*; messages V1, P1, V2, P2, V2, P1]
Suppose that V* only sends message v2 w.p.
Using (v1,v2) and (v1,v2) can simulate proof!
No clue how to continue

[Diagram: S, V*; messages V1, P1, ⊥]
Suppose that V* only sends message v2 w.p.
w.p. 1- : Output (v1,p1,⊥) - n^2 work

[Diagram: S, V*; messages V1, P1, V2, P2, V2, P1, ⊥, V2; 1/ times…]
Suppose that V* only sends message v2 w.p.
w.p. 1- : Output (v1,p1,⊥) - n^2 work
w.p. : Output (v1,p1,v2,p2) - (1/ ) · n^2 work
Ex[work] = (1- )n^2 + · (1/ ) · n^2 ≤ O(n^2)

[Diagram: S, V*; messages V1, P1, V2, P2, V2, P1, ⊥, ⊥, V2]
Suppose that V* only sends message v2 w.p.
w.p. 1- : Output (v1,p1,⊥) - n^2 work
w.p. : Output (v1,p1,v2,p2) - (1/ ) · n^2 work
Ex[work] = (1- )n^2 + · (1/ ) · n^2 ≤ O(n^2)
If we stop simulator after less than 1/ steps then simulation fails!
Note that may be any non-negligible value (e.g., 1/ >> n^2)
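
Added example (not part of the original slides): a Monte Carlo model of the rewinding simulator sketched above, comparing the unbounded (expected-time) simulator with one that stops after a fixed number of rewinds. The names eps (the probability with which V* sends v2), cap, and the n^2 cost per pass with V* are assumptions of this sketch.

```python
import random

def run_simulator(eps, n, rng, cap=None):
    """One run of a rewinding black-box simulator against a verifier V* that
    sends v2 only with probability eps (independently on every rewind).
    cap=None: rewind until V* answers again (expected poly-time simulator).
    cap=k:    give up after k rewinds (strict-time simulator).
    Returns (outcome, work), with work counted in steps."""
    unit = n * n                        # assumed cost of one pass with V*: n^2
    work = unit
    if rng.random() >= eps:             # V* aborted after (v1, p1)
        return "abort", work            # output (v1, p1, abort)
    rewinds = 0
    while cap is None or rewinds < cap:
        rewinds += 1
        work += unit
        if rng.random() < eps:          # V* answered on the rewound run
            return "accept", work       # output (v1, p1, v2, p2)
    return "fail", work                 # out of time, no valid transcript

def estimate(eps, n, runs, cap=None, seed=1):
    """Monte Carlo estimate of outcome frequencies and mean work."""
    rng = random.Random(seed)
    counts = {"abort": 0, "accept": 0, "fail": 0}
    total = 0
    for _ in range(runs):
        outcome, work = run_simulator(eps, n, rng, cap)
        counts[outcome] += 1
        total += work
    freqs = {k: v / runs for k, v in counts.items()}
    return freqs, total / runs

if __name__ == "__main__":
    eps, n, runs = 0.01, 10, 200_000    # constructed parameters
    for cap in (None, 10, 1000):
        freqs, mean_work = estimate(eps, n, runs, cap)
        print(f"cap={cap}: accept={freqs['accept']:.5f} "
              f"fail={freqs['fail']:.5f} mean work={mean_work:.0f}")
```

With eps=0.01 the unbounded run accepts at about the same rate as a real interaction (eps) with mean work near 2n^2, while cap=10 accepts roughly ten times less often, a gap a distinguisher can detect.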

Impossibility of strict black-box simulation for constant-round protocols.
Let be ZK proof for L with c verifier messages and strict t(n)-time black-box simulator S
Let V* be s.t. V* aborts in any round w.p. 1- where is chosen s.t. ∀ x ∈ L
1. Pr[ (x)=1] = c > 1/p(n)
2. Pr[ S^V*(x) sees more than c messages ] << 1/p(n)
Choose = ¼ ( c ) t(n) · ( c ) c+1 t(n)

Our Results: 1. In both cases Def 1 can not be met in constant-rounds by a black-box simulator/extractor. 2. In case of POK Def 1 can be met by a constant-round prot. w/ a non-black-box extractor (assuming CRH&TDP)

Obtaining POK with strict poly-time extractor
Trapdoor Permutations + ZK membership proof* w/ strict simulation [B,BG] = constant-round Commit With Extract Scheme
Commit-With-Extract: Secure commitment scheme s.t. using sender's code can extract committed value in strict polynomial-time.
Can be used to obtain a ZKPOK for NP

Conclusion: Non-Black-Box techniques are both necessary and sufficient to obtain strict polynomial-time simulation and extraction.

Obtaining POK with strict poly-time extractor
Proof Outline: Let L ∈ NP, a ZKPOK will be
[Diagram: P, V; x ∈ L; w ∈ W(x); Commit-With-Extract: y=Comm(w); ZKP: Comm^-1(y) ∈ W(x)]
Need constant-round commitment scheme s.t. can extract committed value in strict poly-time using sender's code.

Proof Sketch:
Assume is c-round ZK proof for L
Suppose S is strict t(n)-time black-box simulator
Lemma: If V* is honest+abort verifier and ∀ x ∈ L Pr[ S^V*(x) is accepting and S saw ≤ c responds ] > 1/p(n) Then L ∈ BPP
Why? For x L Pr[ S^V*(x) is accepting and S saw ≤ c responds ] = negl(n)

Fix V* s.t. in any round independently
w.p. 1- : V* aborts
w.p. : V* behaves like honest verifier
Thus ∀ x ∈ L Pr[ S^V*(x) is accepting proof for x ] ∼ c
Clearly, ∀ x ∈ L Pr[ =1 ] = c
But Pr[ S^V*(x) gets > c non-⊥ responds ] ≤ ( c ) c+1 t(n)
And so Pr[ S^V*(x) accepting and S saw ≤ c responds ] ≥ c - ( c ) c+1 t(n)
For ½ c = 1/p(n) t(n) -1

Obtaining POK with strict poly-time extractor
Thm: Suppose that
1. ∃ Trapdoor Permutations
2. ∃ constant-round ZK argument for NP w/ strict poly-time simulator
Then, ∃ constant-round ZK argument of knowledge w/ strict poly-time knowledge-extractor.
Trapdoor Permutations + ZK membership proof* w/ strict simulation [B,BG] = ZK proof* of knowledge w/ strict extraction