SLIDE 1
- PAVEL HUBรฤEK (CUNI)
- ALON ROSEN (IDC)
- MARGARITA VALD (TAU)
EUROCRYPT 2018 TEL AVIV, ISRAEL
ALON ROSEN (IDC) MARGARITA VALD (TAU) EUROCRYPT 2018 - - PowerPoint PPT Presentation
ALON ROSEN (IDC) MARGARITA VALD (TAU) EUROCRYPT 2018 - - PowerPoint PPT Presentation
An Efficiency-Preserving Transformation from Honest-Verifier Statistical Zero-Knowledge to Statistical Zero-Knowledge PAVEL HUBEK (CUNI) ALON ROSEN (IDC) MARGARITA VALD (TAU) EUROCRYPT 2018 TEL AVIV, ISRAEL
SLIDE 2
SLIDE 3
Statistical Zero-Knowledge
๐ฆ โ ฮ ๐?
ฮ =(ฮ ๐, ฮ ๐)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 4
Statistical Zero-Knowledge
๐ฆ โ ฮ ๐?
โฎ
ฮ =(ฮ ๐, ฮ ๐)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 5
Statistical Zero-Knowledge
๐ฆ โ ฮ ๐?
Outputs: Accept/Reject
โฎ
ฮ =(ฮ ๐, ฮ ๐)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 6
Statistical Zero-Knowledge
๐ฆ โ ฮ ๐?
Outputs: Accept/Reject
- Completeness (๐ฆ โ ฮ ๐).
- Soundness (๐ฆ โ ฮ ๐):
- Zero-Knowledge (๐ฆ โ ฮ ๐):
Unbounded prover Malicious verifier Statistical efficient simulation
โฎ
ฮ =(ฮ ๐, ฮ ๐)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 7
1. minimal interaction 2. minimal proverโs overhead Goal: Efficient statistical zero-knowledge proofs
Via efficient transformation Via direct construction
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 8
Transformation from Honest Verifier SZK to SZK
- Transformations under computational assumptions
[BMO90, OVY93, Oka96]
- Transformations via public-coin with poly number of rounds
[GSV98, Oka96, GV99]
- Transformation to AM โ constant round [OngVadhan08]
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 9
Transformation from Honest Verifier SZK to SZK
- Transformations under computational assumptions
[BMO90, OVY93, Oka96]
- Transformations via public-coin with poly number of rounds
[GSV98, Oka96, GV99]
- Transformation to AM โ constant round [OngVadhan08]
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 10
Our result (1): โฮ โHVSZK, โStatistical Zero-Knowledge proof that is as efficient as the best honest-verifier Statistical Zero-Knowledge proof for ฮ in terms of:
- proverโs and verifierโs complexity
- round complexity
unconditional
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 11
Concrete Construction for SZK-complete problem
- Honest Verifier constant-round statistical zero-knowledge
proof for Statistical-Difference [SahaiVadhan03] Our result (2): โconstant-round malicious verifier statistical zero- knowledge proof for Statistical-Difference. unconditional
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 12
Concrete Construction for SZK-complete problem
- Honest Verifier constant-round statistical zero-knowledge
proof for Statistical-Difference [SahaiVadhan03] Our result (2): โconstant-round malicious verifier statistical zero- knowledge proof for Statistical-Difference.
โฮ โ SZK
unconditional
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 13
Efficient Statistical Zero-Knowledge Proofs
SLIDE 14
High-Level Approach
[HVSZK]
ฮ โHVSZK
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 15
High-Level Approach
[HVSZK]
ฮ โHVSZK
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 16
High-Level Approach
Coin-toss
[HVSZK] Verifierโs coins
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 17
High-Level Approach
Coin-toss Proof of correct behavior
[HVSZK] Verifierโs coins
Pโ Vโ
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 18
- Tossing result is random
and binding.
- Correctness proof is
sound.
High-Level Approach
Coin-toss Proof of correct behavior
[HVSZK] Verifierโs coins
Pโ Vโ
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 19
- Coins are statistically
hidden.
- Proof is statistical zero-
knowledge (against unbounded verifier).
High-Level Approach
Coin-toss Proof of correct behavior
[HVSZK] Verifierโs coins
Pโ Vโ
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 20
- Tossing result is random
and binding.
- Coins statistically
hidden.
Verifierโs Randomness
Coin-toss
[HVSZK] Verifierโs coins
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 21
- Tossing result is random
and binding.
- Coins statistically
hidden.
Verifierโs Randomness
Coin-toss
[HVSZK]
๐ 2 ๐ท๐๐(๐
1)
๐
๐ค = ๐ 1โจ๐ 2
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 22
- COM is binding.
- COM statistically hiding.
Verifierโs Randomness
๐ 2 ๐ท๐๐(๐
1)
[HVSZK] ๐
๐ค = ๐ 1โจ๐ 2
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 23
- COM is binding.
- COM statistically hiding.
Verifierโs Randomness
๐ 2 ๐ท๐๐(๐
1)
[HVSZK] ๐
๐ค = ๐ 1โจ๐ 2
Unconditional?
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 24
- COM is binding.
- COM statistically hiding.
Verifierโs Randomness
๐ 2 ๐ท๐๐(๐
1)
[HVSZK] ๐
๐ค = ๐ 1โจ๐ 2
Unconditional?
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 25
- COM statistically hiding.
Verifierโs Randomness
๐ 2 ๐ท๐๐(๐
1)
[HVSZK] ๐
๐ค = ๐ 1โจ๐ 2
Unconditional?
๐ฆ โ ฮ ๐
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 26
- COM is binding.
Verifierโs Randomness
๐ 2 ๐ท๐๐(๐
1)
[HVSZK] ๐
๐ค = ๐ 1โจ๐ 2
Unconditional?
๐ฆ โ ฮ ๐
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 27
Verifierโs Randomness
๐ 2 ๐ท๐๐(๐
1)
[HVSZK] ๐
๐ค = ๐ 1โจ๐ 2
Unconditional?
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 28
Instance-Dependent Commitments [BMO90,IOS97]
Definition: For a promise problem ฮ = (ฮ ๐, ฮ ๐), an Instance- Dependent commitment scheme is a family {COM๐ฆ}๐ฆโฮ of commitment schemes such that:
- if x โ ฮ ๐ then COM๐ฆ is statistically hiding.
- if x โ ฮ ๐ then COM๐ฆ is statistically binding.
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 29
Constructing Instance-Dependent Commitments
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 30
Constructing Instance-Dependent Commitments
- For specific problems in HVSZK [BMO90, IOS97]
- For all HVSZK with inefficient committer [Vadhan03]
- For all HVSZK with relaxed binding [NguyenVadhan06]
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 31
Constructing Instance-Dependent Commitments
Theorem**[OngVadhan08]: โฮ โ HVSZK, โInstance-Dependent commitment scheme that is public-coin and constant-round.
- For specific problems in HVSZK [BMO90, IOS97]
- For all HVSZK with inefficient committer [Vadhan03]
- For all HVSZK with relaxed binding [NguyenVadhan06]
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 32
- Correctness proof is
sound.
- Proof is statistical zero-
knowledge (against unbounded verifier).
Proof of Correct Behavior
Coin-toss Proof of correct behavior
[HVSZK]
Pโ Vโ
Verifierโs coins
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 33
- Correctness proof is
sound.
- Proof is statistical zero-
knowledge (against unbounded verifier).
Proof of Correct Behavior
Coin-toss Proof of correct behavior
[HVSZK]
Pโ Vโ
Verifierโs coins Unconditional??
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 34
- Proof is statistical zero-
knowledge (against unbounded verifier).
Proof of Correct Behavior
Coin-toss Proof of correct behavior
[HVSZK]
Pโ Vโ
Verifierโs coins Unconditional??
๐ฆ โ ฮ ๐
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 35
- Correctness proof is
sound.
Proof of Correct Behavior
Coin-toss Proof of correct behavior
[HVSZK]
Pโ Vโ
Verifierโs coins Unconditional??
๐ฆ โ ฮ ๐
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 36
Proof of Correct Behavior
Coin-toss Proof of correct behavior
[HVSZK]
Pโ Vโ
Verifierโs coins Unconditional??
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 37
New Primitive: ID Statistical Zero-Knowledge
Definition: An Instance-Dependent statistical zero-knowledge proof for language L with respect to a promise problem ฮ =(ฮ ๐, ฮ ๐), is a family of protocols {(P
๐ฆ, V๐ฆ)}๐ฆโฮ such that:
- If ๐ฆ โ ฮ ๐ โช ฮ ๐ then (P๐ฆ, V๐ฆ) is complete for L.
- If ๐ฆ โ ฮ ๐ then (P๐ฆ, V๐ฆ) is sound for L.
- If ๐ฆ โ ฮ ๐ then (P๐ฆ, V๐ฆ) is statistical zero-knowledge for L.
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 38
Constructing ID Statistical Zero-Knowledge
Theorem**: โL โ NP and โฮ โ HVSZK, โID statistical zero- knowledge proof for L with respect to ฮ that is:
- constant-round
- Proof of Knowledge (efficient witness extractor)
- statistical zero-knowledge even if the verifier is unbounded
Proof: Blumโs Hamiltonicity protocol in parallel with mutual coin-tossing to generate the challenge.
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 39
Putting Things Together
๐ฆ โ ฮ ๐? ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 40
Putting Things Together
๐ฆ โ ฮ ๐? ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐
1 โ ๐๐
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 41
Putting Things Together
๐ฆ โ ฮ ๐? ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐
1 โ ๐๐
๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 42
Putting Things Together
๐ฆ โ ฮ ๐? ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐
1 โ ๐๐
๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 43
Putting Things Together
๐ฆ โ ฮ ๐? ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐
1 โ ๐๐
๐ 2 โ ๐๐ ๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 44
Putting Things Together
๐ฆ โ ฮ ๐? ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐
1 โ ๐๐
๐ 2 โ ๐๐ ๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
๐ 2
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 45
Putting Things Together
๐ฆ โ ฮ ๐? ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐
๐ค = ๐ 1โจ๐ 2
๐
1 โ ๐๐
๐ 2 โ ๐๐ ๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
๐ 2
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 46
Putting Things Together
๐ฆ โ ฮ ๐? ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐
๐ค = ๐ 1โจ๐ 2
๐
1 โ ๐๐
๐ 2 โ ๐๐ ๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
๐ 2 ๐=(๐๐ผ, ๐
๐ผ(๐ ๐ค))(๐ฆ)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 47
Putting Things Together
๐ฆ โ ฮ ๐? ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐
๐ค = ๐ 1โจ๐ 2
๐
1 โ ๐๐
๐ 2 โ ๐๐ ๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
๐๐๐ฟ๐
๐ฆ for ๐
๐ 2 ๐=(๐๐ผ, ๐
๐ผ(๐ ๐ค))(๐ฆ)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 48
Putting Things Together
๐ฆ โ ฮ ๐? ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐
๐ค = ๐ 1โจ๐ 2
๐
1 โ ๐๐
๐ 2 โ ๐๐ ๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
๐๐๐ฟ๐
๐ฆ for ๐
๐ 2 ๐=(๐๐ผ, ๐
๐ผ(๐ ๐ค))(๐ฆ)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 49
Proof Idea
ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
๐๐๐ฟ๐
๐ฆ for ๐
๐ 2 ๐=(๐๐ผ, ๐
๐ผ(๐ ๐ค))(๐ฆ)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 50
Proof Idea
ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
๐๐๐ฟ๐
๐ฆ for ๐
๐ 2 ๐=(๐๐ผ, ๐
๐ผ(๐ ๐ค))(๐ฆ)
- ๐ท๐๐๐ฆ is statistically
hiding.
- All Proofs are statistical
zero-knowledge (against unbounded verifier). ๐ฆ โ ฮ ๐
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 51
Proof Idea
ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
๐๐๐ฟ๐
๐ฆ for ๐
๐ 2 ๐=(๐๐ผ, ๐
๐ผ(๐ ๐ค))(๐ฆ)
- ๐ท๐๐๐ฆ is statistically
hiding.
- All Proofs are statistical
zero-knowledge (against unbounded verifier). ๐ฆ โ ฮ ๐ Indistinguishable from:
- ๐ท๐๐๐ฆ(0).
- simulated proofs.
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 52
Proof Idea
ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
๐๐๐ฟ๐
๐ฆ for ๐
๐ 2 ๐=(๐๐ผ, ๐
๐ผ(๐ ๐ค))(๐ฆ)
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 53
Proof Idea
ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
๐๐๐ฟ๐
๐ฆ for ๐
๐ 2 ๐=(๐๐ผ, ๐
๐ผ(๐ ๐ค))(๐ฆ)
- ๐ท๐๐๐ฆ is binding.
- All Proofs are sound.
๐ฆ โ ฮ ๐
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 54
Proof Idea
ฮ =(ฮ ๐, ฮ ๐) โ HVSZK
๐๐๐ฟ๐๐๐ฟ๐ฆ for ๐ท๐ฆ ๐ท๐ฆ = ๐ท๐๐๐ฆ(๐
1)
๐๐๐ฟ๐
๐ฆ for ๐
๐ 2 ๐=(๐๐ผ, ๐
๐ผ(๐ ๐ค))(๐ฆ)
- ๐ท๐๐๐ฆ is binding.
- All Proofs are sound.
๐ฆ โ ฮ ๐ Simulator:
- Sample honest transcript.
- Extract ๐
1.
- Force honest transcript on เทฐ
๐ wrt to ๐
1.
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 55
Conclusion & Open Problems
- Additional applications of ID SZK?
- Better concrete efficiency?
Can we use weaker ID commitments? Our transformation allows to focus on constructing efficient Honest Verifier SZK protocols.
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD
SLIDE 56
Conclusion & Open Problems
- Additional applications of ID SZK?
- Better concrete efficiency?
Can we use weaker ID commitments? Our transformation allows to focus on constructing efficient Honest Verifier SZK protocols.
EFFICIENT STATISTICAL ZERO-KNOWLEDGE
- P. HUBรฤEK, A. ROSEN, M. VALD