Presentation is loading. Please wait.

Presentation is loading. Please wait.

Impossibility of SNARGs

Published byLaura Nieminen Modified over 5 years ago

Similar presentations

Presentation on theme: "Impossibility of SNARGs"— Presentation transcript:

1 Impossibility of SNARGs
Research Seminar In Cryptography 2017/2018 Fall Impossibility of SNARGs Separating Succinct Non-Interactive Arguments From All Falsifiable Assumptions 28 Nov 2017 [C. Gentry, D. Wichsy 2011] Presentation: Karim Baghery Supervisor: Michal Zajac Coordinator: Dr. Vitaly Skachek

2 Contents: Motivation and Problem Statement Preliminary
Succinct Non-Interactive Arguments (SNARGs) Falsifiable Assumptions (FAs) Black-Box (BB) Analysis Hard Subset Membership Problems Contributions of the Paper No Black-Box Reduction Security Proof for any SNARG under Falsifiable Assumptions Main Theorem Main Idea: Simulatable Adversary Existence of a Simulatable Adversary Lemma

3 We are interested to make them succinct
Problem Statement: What is an argument? Interactive Non-Interactive ‼! ‼! ‼! We are interested to make them succinct as much as possible.

4 Problem Statement: Proof OK, xL
Witness w (x,w)  RL OK, xL Proof Arguments = Comp. Sound Proofs. [Kilian 92, Micali 94] Cannot prove false statements 𝒙 efficiently (in Poly time). Can prove true statements 𝒙 efficiently given witness w Succinct: the size of argument (proof) is sublinear and short What we know? Interactive: Assuming CRHFs [Kilian92] Non-Interactive: Random Oracle Model [Micali 94]

5 No, We Cannot! ≡ Problem Statement: A Question… This work
Can we get Succinct Non-Interactive Arguments (SNARGs) in the Standard Model? Can we prove any SNARG construction secure under OWFs, CDH, DDH, RSA, LWE, …? This work No, We Cannot!

6 Main Result: This work No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption (OWFs, DDH, RSA, LWE, …).

7 SNARGs: Structure and Correctness
Completeness: Correctly generated proofs verify with overwhelming probability, equivalently honest verifier accepts honest prover. Public Verifier: Given CRS, any party can verifiy the proof. Designated Verifier: Only verifier that knows Priv can verify.

8 SNARGs: Security Soundness: For efficient Adv if 𝐱, 𝝅 ←𝐀𝐝𝐯(𝐂𝐑𝐒),
Succinct: the size of proof is 𝑷𝒐𝒍𝒚 𝒏 𝒙 + 𝒘 𝒐(𝟏) Zero-knowledge (ZK): Proof 𝝅 reveals nothing (except truth of the statement 𝐱)

9 Main Result: This work No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption (OWFs, DDH, RSA, LWE, …).

10 For PPT Adv: 𝐏𝐫 𝐀𝐝𝐯 𝐰𝐢𝐧𝐬 ≤𝐧𝐞𝐠𝐥𝐢𝐠𝐢𝐛𝐥𝐞(𝒏).
Falsifiable Assumptions (FAs) [Naor 03]: Interactive game between an efficient challenger and Adversary; Challenger decides if Adversary wins. For PPT Adv: 𝐏𝐫 𝐀𝐝𝐯 𝐰𝐢𝐧𝐬 ≤𝐧𝐞𝐠𝐥𝐢𝐠𝐢𝐛𝐥𝐞(𝒏). Examples: CDH, RSA, LWE, … DL Assumption Adversary Challenger 𝑔 𝑥 Picks random 𝑥 Computes 𝑔 𝑥 𝑥′ Checks 𝑥′ = ? 𝑥 Not Falsifiable: “This proof system is ZK.” (Not a game, requires Simulator) “This SNARG Construction is Secure”. “Knowledge-of-Exponent” (KoE) Assumptions [Dam91, HT98].

11 Main Result: This work No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption (OWFs, DDH, RSA, LWE, …).

12 Black-Box (BB) Analysis:
A proof technique We take an Assumption Prove Security of SNARG To do the proof Attack on SNARG Implies an attack on the Assumption Black-Bock Reduction: A construction to this proof Build An Efficient Reduction Algorithm: given BB access to any SNARG adversary, becomes an Assumption Adversary. Assumption Attack Challenger Reduction SNARG Adv

13 Black-Box (BB) Analysis:
Black-Bock Reduction: A construction to this proof Efficient Reduction Algorithm: given BB access to any SNARG Adv, becomes an Assumption Adversary. Assumption Attack Challenger Reduction SNARG Adv It should work, even if SNARG Adv is inefficient. Efficient SNARG Adv Reduction Efficient All together Efficient

14 They need two assumptions
Main Result: Main Theorem This work No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption (OWFs, DDH, RSA, LWE, …). They need two assumptions The falsifiable assumption is not false. Sub-exponentially hard OWFs exists

15 No Efficient Distinguisher Can Distinguish Between them.
Main Idea of Proof: Simulatable Attack Simulatable Attack: is a special type of attack against SNARGs Inefficient Adversary Efficient Simulator Outputs false statements with valid proofs Outputs true statements with valid proofs Inefficient SNARG Adversary Efficient Simulator D can not distinguishe, because it cannot say weather statement is true of false. No Efficient Distinguisher Can Distinguish Between them.

16 Separation with Simulatable Attack:
To prove the theorem they needed to show… 1. Existence of Simulatable Attack for Any SNARG. 2. Simulatable Attack implies Black-Box Separation. Suppose that there is a simulatable attack Inefficient SNARG Adv Reduction Challenger BB Separation means you wont be able to proof security in BB reduction. Assumption Attack b. Given access to the Inefficient “Simulatable Adversary” Reduction breaks the assumption.

17 Separation with Simulatable Attack:
2. Simulatable Attack implies Black-Box Separation. Suppose that there is a simulatable attack b. Given access to the Inefficient “Simulatable Adversary” Reduction breaks assumption. c. Replace "Simulatable Adversary" with the Efficient Simulator. Inefficient SNARG Adv Reduction Assumption Attack Challenger After changing adversary with an efficiemt simulator we get the same outcome. Efficient Simulator Reduction Efficient Assumption Attack Assumption if False!

18 Separation with Simulatable Attack:
To prove the theorem they needed to show… 1. Existence of Simulatable Attack for Any SNARG. 2. Simulatable Attack implies Black-Box Separation. If there is BB Reduction to the Assumption and We have a Simulatable SNARG Attack Assumption if False! BB Separation means you wont be able to proof security in BB reduction.

19 Existence of Sim. Attack for all SNARGs:
Assumption: Sub-exponentially-hard subset-membership problem in 𝒩𝒫. There exists an 𝒩𝒫 language L. Two IND distributions: ℒ 𝑜𝑣𝑒𝑟 L, ℒ 𝑜𝑣𝑒𝑟 0,1 ∗ \L. Can efficiently sample 𝑥←ℒ along with a witness 𝑤 Cannot distinguish ℒ from ℒ in size 2 n 𝛿 with prob. 2 −n 𝛿 . This could be implied by sub-exponentially secure PRGs, OWFs. BB Separation means you wont be able to proof security in BB reduction. Note (Sub-exponentially-hard): A subset-membership problem over the 𝒩𝒫 is sub-exponentially hard if there exists some constant 𝛿>0 such that the problem is (𝑠 𝑛 ,𝜖(𝑛))–IND, where s 𝑛 = 2 Ω( n 𝛿 ) and 𝜖 𝑛 = 2 −Ω( n 𝛿 ) .

20 Existence of Sim. Attack for all SNARGs:
Inefficient SNARG Adv Efficient Simulator 𝑥 ← ℒ 𝑪𝑹𝑺 (𝒙,𝝅) 𝑥←ℒ with a witness 𝑤 How to sample 𝜋 ? 𝜋←Prov(𝐶𝑅𝑆, 𝑥,𝑤) Naïve idea: try all 𝜋 until one verifies. - Might not look at all like correct distribution. BB Separation means you wont be able to proof security in BB reduction. Show: A way to sample “correct looking” 𝜋 for 𝑥 ← ℒ

21 Existence of Sim. Attack for all SNARGs:
The statement which needs to be shown - ∀ efficient Prov with short output (𝜋), ∃ inefficient function Prov* : 𝑥 ← ℒ 𝑥←ℒ with a witness 𝑤 𝜋 ← Prov ∗ (𝐶𝑅𝑆, 𝑥 ) 𝜋←Prov(𝐶𝑅𝑆, 𝑥,𝑤) BB Separation means you wont be able to proof security in BB reduction. Proving algorithm can just sample on its own. x , 𝜋 ≈ (x,𝜋)

22 Proof is described with details in the report.
Indistinguishability with Aux. Info: ∀ inefficient Prov with short output (𝜋), ∃ inefficient function Prov* : 𝑥 ← ℒ 𝑥←ℒ x , 𝜋 ≈(x,𝜋) 𝜋 ← Prov ∗ (𝐶𝑅𝑆, 𝑥 ) 𝜋←Prov(𝐶𝑅𝑆, 𝑥) Lemma 1: They show that for any two distributions (ℒ and ℒ ) that are IND, if we are given some short extra Aux. information (𝜋) about the sample taken from first distribution (𝑥←ℒ), there exists a way of lying ( 𝜋 ← Prov ∗ (𝐶𝑅𝑆, 𝑥 )) about samples from the other distribution that the joint distribution still looking IND. BB Separation means you wont be able to proof security in BB reduction. Proof is described with details in the report. Assuming the lemma…

23 Existence of Sim. Attack for all SNARGs:
Inefficient SNARG Adv 𝑥 ← ℒ Efficient Simulator 𝑥←ℒ with 𝑤 𝜋 ← Prov ∗ (𝐶𝑅𝑆, 𝑥 ) 𝜋←Prov(𝐶𝑅𝑆, 𝑥,𝑤) Lemma 2: Let L be a language with a sub-exponentially hard subset- membership problem. Let Π be a non-interactive proof system for L that satisfies the completeness and succinctness properties. Then, there is a machine 𝐴𝑑𝑣, called a simulatable Π- 𝐴𝑑𝑣 satisfying the following, Adv is a stateless and computationally unbounded Π- 𝐴𝑑𝑣. On input ( 1 m ,CRS) it always outputs some (𝑥,𝜋) with 𝑥∉𝐿 of size 𝑙 𝑠𝑡 𝑚 , for sum polynomial 𝑙 𝑠𝑡 . , 𝑎𝑛𝑑: BB Separation means you wont be able to proof security in BB reduction. Adv is poly-time simulatable. That means, for every efficient distinguisher D there exists some efficient simulator S such that:

24 Modify the simulator to use a table of hard-coded responses
Existence of Sim. Attack for all SNARGs: SNARG Adv Inefficient Simulator Efficient 𝑥 ← ℒ ( 𝟏 𝒏 ,𝑪𝑹𝑺) (𝒙,𝝅) 𝑥←ℒ with witness 𝑤 𝜋 ← Prov ∗ (𝐶𝑅𝑆, 𝑥 ) 𝜋←Prov(𝐶𝑅𝑆, 𝑥,𝑤) Proof Intuition: Given Lemma 1 on IND with Aux. information, Given 1 𝑚 , 𝐶𝑅𝑆 , Sim. and Adv. act as the following, Simulator efficiently samples 𝑥,𝑤 ←Sam( 1 𝑚 ), and computes 𝜋 honestly using the SNARG. 𝐴𝑑𝑣 generates 𝑥 , 𝜋 using the manner given in the Lemma 1. BB Separation means you wont be able to proof security in BB reduction. If 𝑚 small enough compared to 𝑛: Answers of S and 𝐴𝑑𝑣 are Dis. Modify the simulator to use a table of hard-coded responses

25 Detailed Proof: 𝑥 , 𝜋 ← ℒ 𝑚 ∗ Proof:
Note that, Π is succinct, they assume, exists 𝑑: 𝐶𝑅𝑆 <𝑂( 𝑛 𝑑 ) The size of proof is bounded: 𝜋 <𝑂 𝑛 𝑑 𝑥 + 𝑤 𝑜(1) . Sub-exponentially hard subset-membership problems implies (𝑠 𝑛 ,𝜖 𝑛 ) -hard subset-membership problem, 𝑠 𝑛 = 2 𝑛 𝑑+2 = 𝜖 −1 (𝑛) Adv and Simulator description: Adv: Adversary outputs a sample x , 𝜋 ← ℒ 𝑚 ∗ which is ( 𝑠 ∗ 𝑛 , 𝜖 ∗ 𝑛 )-IND from ℒ 𝑚 ∗ , where 𝑠 𝑛 ∗ = 2 Ω( 𝑛 𝑑+2 ) & 𝜖 ∗ 𝑛 = 2 −Ω( 𝑛 𝑑+2 ) - (More details in proof of Lemma 1, in the report) BB Separation means you wont be able to proof security in BB reduction. Adv (Inefficient): 𝑥 , 𝜋 ← ℒ 𝑚 ∗

26 Detailed Proof: Structure of Simulator
Simulator: Simulator has a threshold value 𝑚 ∗ 𝑛 ≅ log 𝑛 , On input m> 𝑚 ∗ 𝑛 it acts as usual and sample 𝑥,𝑤 and 𝜋←Prov(𝐶𝑅𝑆, 𝑥,𝑤) and returns 𝑥,𝜋 . On input m≤ 𝑚 ∗ 𝑛 : Simulator is given an advice table T with tuples (𝑖, 𝑚, 𝐶𝑅𝑆, 𝑥,𝜋). In 𝑖th query, for input ( 𝑖 𝑚 , 𝐶𝑅𝑆) it returns a tupple. Hard-coded table T (𝑖, 𝑐𝑟𝑠, 𝑚) Its size is

27 Detailed Proof: Structure of Simulator
Efficient Simulator m> 𝑚 ∗ 𝑛 : samples 𝑥,𝑤 and 𝜋←Prov(𝐶𝑅𝑆, 𝑥,𝑤) m≤ 𝑚 ∗ 𝑛 : Uses the following table (𝑖, 𝑐𝑟𝑠, 𝑚) - returns 𝒙,𝝅 .

28 Detailed Proof: Structure of Simulator
To prove the first part of the lemma which was as, 1. In the Lemma 1 it is shown that, 2. Which could be written as follows, The second inequality follows by completeness.

29 Detailed Proof: Structure of Simulator
To prove the second part of the lemma which was as, Assumption Challenger First, change the machine Adv with Adv(T) ( 1 𝑚 ,𝐶𝑅𝑆)

30 Detailed Proof: Structure of Simulator
First, change the machine Adv with Adv(T) Assumption Challenger ( 1 𝑚 ,𝐶𝑅𝑆) 2.

31 Thank You! Institute of Computer Science Cryptology Research Group

32 BACKUP SLIDES

33 Indistinguishability Auxiliary Information
Returning to… Lemma 1: Indistinguishability with Auxiliary Information BB Separation means you wont be able to proof security in BB reduction.

34 Main intuition: x , 𝜋 ≈(x,𝜋) 𝑥 ← ℒ 𝑥←ℒ 𝜋 ← Prov ∗ (𝐶𝑅𝑆, 𝑥 )
∀ inefficient Prov with short output ∃ inefficient function Prov* : 𝑥 ← ℒ 𝑥←ℒ 𝜋 ← Prov ∗ (𝐶𝑅𝑆, 𝑥 ) 𝜋←Prov(𝐶𝑅𝑆, 𝑥) x , 𝜋 ≈(x,𝜋)

35 Proof: Note on proof: The proof does not give a simple description of the distribution ℒ 𝑛 ∗ , and instead shows its existence non-constructively. Define size(m) be the set of all circuits of size m and let dist(m) be the set of all distributions over size(m). Fix the distributions ℒ 𝑛 , ℒ 𝒏 and some joint-distribution ℒ 𝑛 ∗ over tuples (𝑥,𝜋). Define 𝑑𝑖𝑠𝑡 ℒ 𝒏 be the set of all joint-distributions on tuples ( 𝒙 , 𝝅 ). the component 𝒙 distributed according to ℒ 𝒏 . BB Separation means you wont be able to proof security in BB reduction. Now by contradiction assume that there does not exists,

36 Proof: Follows by von Neumann's min-max theorem
BB Separation means you wont be able to proof security in BB reduction. Follows by von Neumann's min-max theorem

37 Proof: Then, for each pair (𝒙,𝝅) they define
BB Separation means you wont be able to proof security in BB reduction.

Download ppt "Impossibility of SNARGs"

Similar presentations

Merkle Puzzles Are Optimal

Merkle Puzzles Are Optimal
Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
The Equivalence of Sampling and Searching Scott Aaronson MIT.

The Equivalence of Sampling and Searching Scott Aaronson MIT.
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Its Not The Assumption, Its The Reduction GMfest13c Assumptions Panel Presentation Ran Canetti.

Its Not The Assumption, Its The Reduction GMfest13c Assumptions Panel Presentation Ran Canetti.
PROOF BY CONTRADICTION

PROOF BY CONTRADICTION
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.

1 Vipul Goyal Microsoft Research India Non-Black-Box Simulation in the Fully Concurrent Setting.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

Similar presentations

Ads by Google