
Our Current Knowledge of Knowledge Assumptions


1 Our Current Knowledge of Knowledge Assumptions
Nir Bitansky. Survey talk, technically light. The tree of knowledge discovers where paper comes from.

2 A (Somewhat) True Story
Galileo (circa 1610): “I have observed saturn 3-formed” → (π) → “I formed the 3-nosed verb suvara”

3 Kepler’s Discovery
Kepler: “I am an uber soft 3-d horsed verve”

4 What a Coincidence…
π⁻¹: “I formed the 3-nosed verb suvara” → “I have observed saturn 3-formed”
σ⁻¹: “I am an uber soft 3-d horsed verve” → “I have observed saturn 3-formed”

5 Explanations
“concurrent and independent work”; “K didn't know what he’s committing to”. Challenge: demonstrate knowledge w/o revealing it.

6 ZK Proofs of Knowledge [Goldwasser-Micali-Rackoff, Feige-Shamir, Goldreich-Bellare]
x ∈ ℒ; P ↔ V; Witness. Hide the Witness. Efficient Extraction. We say that an interactive proof is a proof of knowledge if every prover that can convince the verifier of some NP statement must know a witness. That the witness is hidden is what makes this non-trivial, and the way this is formalized is by requiring an efficient extractor.

7 The Extraction Paradigm
Adversary → Extractor → Knowledge → Reduction/Sim. Knowledge ≈ efficiently extractable from adversary. So how do we typically capture knowledge? The common paradigm is that a given (perhaps adversarial) entity knows something if we can efficiently extract it out. Such knowledge extraction doesn’t only stand on its own; it is commonly used in our security analysis, by a reduction or a simulator.

8 Extraction in Cryptographic Analysis
CCA2 encryption, ZK simulation, … → Extraction. Owner of sk also generates proof of correctness. What does correctness mean? The function is generated with a vk; correctness is consistency, input independence. In MPC composition.

9 How is Knowledge Extracted?
Adversary → ? → Knowledge

10 Black-Box Extraction
“fake” public parameters + trapdoor. Adversary → Extractor → Knowledge, by rewinding.

11 Limits of Black-Box Extraction
Black-box reductions/simulators have barriers […, Goldreich-Krawczyk, …, Gentry-Wichs, …]: constant-round public-coin ZK, 3-message ZK, SNARGs for NP, … Non-Black-Box Techniques [Barak, …, B-Kalai-Paneth]. Adversary → ? → Knowledge.

12 Knowledge Assumptions
So now I want to get to our main topic, which is knowledge assumptions and extractable functions, and see how they fit into this picture. The tree of knowledge discovers knowledge assumptions (and where violins come from).

13 Knowledge of Exponent Assumption [Damgård]
G ∼ Z_p. The adversary gets (g, g^v) for v ∈ Z_p and outputs g^{αv} for some α ∈ Z_p; a non-black-box extractor outputs α. ∀A ∃E: if A(g, g^v) = g^{αv} then E(g, g^v) = α. Meaningful assuming DLOG! Note that this is meaningful only assuming DLOG, or else trivial. And this hardness is also why such an extractor must be non-BB.

14 Abstracting: Extractable Primitives [Canetti-Dakdouk, …]
The adversary gets k and outputs f_k(x); a non-black-box extractor outputs x. ∀A ∃E: if A(k) = f_k(x) then E(k) = x. Meaningful assuming hardness! EOWF, ECRH, ENC, …

15 Other Extraction Beasts
- Concurrently extractable OWFs [B-Canetti-Chiesa-Goldwasser-Lin-Rubinstein-Tromer, Gupta-Sahai]
- Extractable IO (aka differing-input obfuscation) [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang, Boyle-Chung-Pass, Ananth-Boneh-Garg-Sahai-Zhandry, Ishai-Pandey-Sahai]
- Auxiliary-input point obfuscation [Canetti, B-Paneth, …]
So what we show is that you can combine SKFE with plain PKE to go all the way to PKFE. Not today…

16 Applications
Which is really why extractable functions succeed in achieving applications, where there is not enough interaction to commit the adversary to some normal behavior.

17 KEA → CCA [Damgård]

18 KEA → CCA [Damgård]; KEA → 3-ZK [Hada-Tanaka, Bellare-Palacio]; EOWF [Canetti-Dakdouk] → 3-ZK [B-Canetti-Chiesa-Goldwasser-Lin-Rubinstein-Tromer]

19 SNARKs (NP) [Mie, Groth, Lipmaa, Gennaro-Gentry-Parno-Raykova]
Diagram adds: linear encryption (lattices, factoring), linear-only encryption, ECRH [B-Canetti-Chiesa-Tromer], [B-Chiesa-Ishai-Paneth-Ostrovsky], alongside KEA, CCA, EOWF, 3-ZK.

20 Same diagram: KEA, linear encryption (lattices, factoring), CCA, EOWF, linear-only, ECRH, 3-ZK, SNARKs (NP)

21 Applications: SNARKs (NP)

22 The Power of SNARKs
Delegating computation; proof-carrying data [Chiesa-Tromer]; efficient obfuscation [Boneh-Ishai-Sahai-Wu]; image authentication [Tromer-Naveh]; crypto currency [ZCash]; …

23 What’s a SNARK?
Succinct Non-Interactive Argument of Knowledge. crs (reusable); P(x,w) → π → V(x). Computationally sound; fast verification; |π| ≪ |w|.

24 What’s a SNARK?
Succinct Non-Interactive Argument of Knowledge. crs (reusable); P(x,w) → π → V(x). Fast verification; |π| ≪ |w|; non-black-box extractor → w. Variants: short/long crs, privately/publicly verifiable.

25 Approach for SNARKs (Oversimplified)
[IKOS, …, BCIOP, GGPR, …] Linear PCP + Linear-Only Encryption. So, to demonstrate how we could use knowledge to get SNARKs, I want to briefly tell you about a simple paradigm to do this (and this will be somewhat sketchy and oversimplified).

26 Linear PCP
P(x,w) → π ∈ F^n; V(x) → q ∈ F^n, receives 〈q,π〉. This talk: 1 query. ∃ LPCP w/ quasi-optimal P, “very simple” V [QSPs: Gentry-Gennaro-Parno-Raykova].

27 Linear-Only Encryption
[Boneh-Segev-Waters] E is linearly-homomorphic and semantically-secure. A gets E(x_1), …, E(x_n) and outputs a “valid” E(z); a non-black-box extractor outputs y ∈ F^n with z = 〈x,y〉. Candidates from linear schemes + KEA* (also some relaxed formulations).

28 Putting Them Together
V(x) sends E(q_1), …, E(q_m), q_i ∈ F; P(x,w) replies E(〈π,q〉).
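A toy run of the one-query step just described, written for this page and not taken from the talk or any cited paper: the verifier encrypts its LPCP query under exponent ElGamal (a linearly homomorphic scheme; nothing here shows it is linear-only, which is exactly the knowledge assumption the talk is about), the prover computes E(〈π,q〉) homomorphically without decrypting, and the verifier decrypts. The group parameters (p = 1019, q = 509, g = 4) and the proof vector are constructed toy values.

```python
import random

# Constructed toy parameters: safe prime p = 2q + 1, g generates the order-q subgroup.
P = 1019            # far too small for real use
Q = 509             # the LPCP field is F = Z_509
G = 4               # 4 = 2^2 is a quadratic residue mod p, so it has order q

def keygen(rng):
    s = rng.randrange(1, Q)
    return s, pow(G, s, P)

def enc(pk, m, rng):
    """Exponent ElGamal: E(m) = (g^r, g^m * pk^r) for a field element m in Z_q."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), (pow(G, m % Q, P) * pow(pk, r, P)) % P

def dec(sk, ct):
    """Recover g^m, then brute-force the small message space Z_q."""
    c1, c2 = ct
    gm = (c2 * pow(c1, (Q - sk) % Q, P)) % P   # c1 has order q, so c1^(q-s) = c1^(-s)
    for m in range(Q):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("decryption failed")

def linear_eval(cts, coeffs):
    """Honest prover: multiply E(q_i)^pi_i to get E(sum_i pi_i * q_i) = E(<pi, q>)."""
    c1, c2 = 1, 1
    for (a, b), pi_i in zip(cts, coeffs):
        c1 = (c1 * pow(a, pi_i % Q, P)) % P
        c2 = (c2 * pow(b, pi_i % Q, P)) % P
    return c1, c2

def run_one_query(pi, seed=7):
    """Verifier samples and encrypts q, prover answers on ciphertexts only,
    verifier decrypts. Returns (decrypted answer, plaintext <pi, q> mod q)."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    q = [rng.randrange(Q) for _ in pi]            # verifier's LPCP query
    encrypted_q = [enc(pk, qi, rng) for qi in q]  # what the prover actually sees
    answer = linear_eval(encrypted_q, pi)         # prover never learns q
    expected = sum(a * b for a, b in zip(pi, q)) % Q
    return dec(sk, answer), expected
```

The decrypted answer equals the plaintext inner product, which is all the homomorphism gives; that a cheating prover's E(z*) must also be some 〈π*,q〉 is what the linear-only (knowledge) assumption on slide 27 adds.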

29 Soundness (Knowledge) Intuition
V(x) sends E(q_1), …, E(q_m); a cheating P* replies E(z*) and V accepts! Non-black-box extractor → π* ∈ F^n with z* = 〈π*,q〉. Semantic security ⇒ 〈π*,q′〉 for fresh q′ ←$ is valid w.h.p. ⇒ z* is a valid PCP answer ⇒ decode w.

30 Was Knowledge So Important Here?
Relaxed “linear-only” ⇒ soundness (SNARG). But knowledge is crucial when composing! “I know a hash preimage”; “I also know a SNARK of previous preimage”. Often needed in applications…: bootstrapping SNARKs.

31 So Why Don’t We Like Knowledge Assumptions?
We have candidates, intuition, applications. What’s missing?

32 A Hole in the Reduction
ZCash: Adversary → Reduction → Extractor → collision in SHA. ∀A ∃E: if A(k) = f_k(x) then E(k) = x. Hope for an explicit non-black-box extractor?

33 Hope for Explicit Extractor?

34 Hope for Explicit Extractor?
∀A ∃E versus ∃E ∀A: if A(k) = f_k(x) then E(k) = x. Adversary: k → f_k(x); Universal Extractor → x.

35 Limitation [Hada-Tanaka, Goldreich]
Adversary’s code may be obfuscated… Adversary: k → f_k(x); Universal Extractor → x. Made formal assuming IO [B-Canetti-Paneth-Rosen].

36 Food for Thought

37 Something We Can Do (std. assumptions)
[B-Canetti-Paneth-Rosen] Uniform Adversary: k → f_k(x); Universal Extractor → x. Unsatisfying! Q1: Other extractable primitives?

38 Relax the Definition
Adversary: k′ ≈ k → f_k(x); Universal Extractor → x. Sufficient for 3ZK if one-way for all k… Q2: Sufficient for SNARKs? Constructions?

39 Non-Uniform Techniques?
∃E ∀A versus ∀A ∃E: if A(k) = f_k(x) then E(k) = x. Adversary: k → f_k(x); Extractor → x. Q3: Prove existence (under a better assumption).

40 Non-Uniform Techniques?
∃E ∀A versus ∀A ∃E: if A(k) = f_k(x) then E(k) = x. Adversary: k → f_k(x); Extractor → x. Q4: Disprove existence!

41 Thanks!
Recall what FE is. In plain, say public-key, encryption, those with the key can decrypt; others can’t tell one encrypted message from the other.

