Characterizing Deterministic- Prover Zero Knowledge Nir Bitansky - - PowerPoint PPT Presentation

Characterizing Deterministic- Prover Zero Knowledge

Nir Bitansky

Tel Aviv University

Arka Rai Choudhuri

Johns Hopkins University

Zero Knowledge [Goldwasser-Micali-Rackoff’85]

Prover (𝑦, 𝑥) Verifier (𝑦)

$ $ $ $ $ $

Zero Knowledge [Goldwasser-Micali-Rackoff’85]

Prover (𝑦, 𝑥) Verifier (𝑦)

$ $ $ $ $ $

Completeness: ∀𝑦 ∈ ℒ, verifier accepts. (Computational) Soundness Zero Knowledge

Zero Knowledge [Goldwasser-Micali-Rackoff’85]

Prover (𝑦, 𝑥) Verifier (𝑦)

$ $ $ $ $ $

Completeness (Computational) Soundness: ∀𝑦 ∉ ℒ, no PPT prover can make the verifier accept. Zero Knowledge

Zero Knowledge [Goldwasser-Micali-Rackoff’85]

Prover (𝑦, 𝑥) Verifier (𝑦)

$ $ $ $ $ $

Completeness (Computational) Soundness Zero Knowledge: ∀ Verifiers ∃ Simulator

Zero Knowledge [Goldwasser-Micali-Rackoff’85]

Prover (𝑦, 𝑥) Verifier (𝑦)

$ $ $ $ $ $

$ $ $ $ $ $

Prover (𝑦, 𝑥)

Verifier’s view in an execution with the prover

Completeness (Computational) Soundness Zero Knowledge: ∀ Verifiers ∃ Simulator

Zero Knowledge [Goldwasser-Micali-Rackoff’85]

Prover (𝑦, 𝑥) Verifier (𝑦)

$ $ $ $ $ $

Completeness (Computational) Soundness Zero Knowledge: ∀ Verifiers ∃ Simulator

$ $ $ $ $ $

Verifier’s view in an execution with the prover

Zero Knowledge [Goldwasser-Micali-Rackoff’85]

Prover (𝑦, 𝑥) Verifier (𝑦)

$ $ $ $ $ $

Completeness (Computational) Soundness Zero Knowledge: ∀ Verifiers ∃ Simulator

$ $ $ $ $ $ $ $ $ $ $ $

Verifier’s view in an execution with the prover Simulator’s output on input 𝑦

≈

Many Flavors of Zero-Knowledge (ZK)

∀ Verifier ∃ Simulator GMR ZK

View (𝑦)

≈

Many Flavors of Zero-Knowledge (ZK)

∀ Verifier ∃ Simulator GMR ZK Auxiliary-input ZK

View (𝑦)

≈

∀ Verifier ∃ Simulator ∀ aux-IP 𝑨 ∈ 0,1 ∗

View (𝑦, 𝑨)

≈

Many Flavors of Zero-Knowledge (ZK)

∀ Verifier ∃ Simulator GMR ZK Auxiliary-input ZK Black-box ZK

View (𝑦)

≈

∀ Verifier ∃ Simulator ∀ aux-IP 𝑨 ∈ 0,1 ∗

View (𝑦, 𝑨)

≈

∃ Simulator ∀ Verifier

View (𝑦)

≈

Deterministic Prover Zero Knowledge (DPZK)

Deterministic Prover (𝑦, 𝑥) Verifier (𝑦)

Deterministic Prover Zero Knowledge (DPZK)

Deterministic Prover (𝑦, 𝑥) Verifier (𝑦)

Is prover randomness essential for zero knowledge?

Limitations of DPZK [Golreich-Oren’94]

∀ Verifier ∃ Simulator GMR ZK Auxiliary-input ZK Black-box ZK

View (𝑦)

≈

∀ Verifier ∃ Simulator ∀ aux-IP 𝑨 ∈ 0,1 ∗

View (𝑦, 𝑨)

≈

∃ Simulator ∀ Verifier

View (𝑦)

≈

Limitations of DPZK [Golreich-Oren’94]

Impossible for non-trivial languages.

∀ Verifier ∃ Simulator GMR ZK Auxiliary-input ZK Black-box ZK

View (𝑦)

≈

∀ Verifier ∃ Simulator ∀ aux-IP 𝑨 ∈ 0,1 ∗

View (𝑦, 𝑨)

≈

∃ Simulator ∀ Verifier

View (𝑦)

≈

Prior Work

[Faonio-Nielsen-Venturi’17]

Witness encryption for ℒ ⟹ Honest-verifier DPZK for ℒ Hash proof system for ℒ ⟹ Honest-verifier DPZK proofs for ℒ

[Dahari-Lindell’20]

Doubly enhanced injective OWFs ⟹ Honest-verifier DPZK proofs for NP

Inefficient honest prover.

Malicious-verifier DPZK for languages that have an entropy guarantee from witnesses.

Prior Work

[Faonio-Nielsen-Venturi’17]

Witness encryption for ℒ ⟹ Honest-verifier DPZK for ℒ Hash proof system for ℒ ⟹ Honest-verifier DPZK proofs for ℒ

[Dahari-Lindell’20]

Doubly enhanced injective OWFs ⟹ Honest-verifier DPZK proofs for NP

Inefficient honest prover.

Malicious-verifier DPZK for languages that have an entropy guarantee from witnesses.

Our Results

Impossible for non-trivial languages.

∀ Verifier ∃ Simulator GMR ZK Auxiliary-input ZK Black-box ZK

View (𝑦)

≈

∀ Verifier ∃ Simulator ∀ aux-IP 𝑨 ∈ 0,1 ∗

View (𝑦, 𝑨)

≈

∃ Simulator ∀ Verifier

View (𝑦)

≈

Our Results

Impossible for non-trivial languages.

∀ Verifier ∃ Simulator GMR ZK Auxiliary-input ZK Black-box ZK

View (𝑦)

≈

∀ Verifier ∃ Simulator ∀ aux-IP 𝑨 ∈ 0,1 ∗

View (𝑦, 𝑨)

≈

∃ Simulator ∀ Verifier

View (𝑦)

≈

𝑐-Bounded auxiliary-input ZK ∀ Verifier ∃ Simulator ∀ aux-IP 𝑨 ∈ 0,1 𝑐

View (𝑦, 𝑨)

≈

Our Results

Impossible for non-trivial languages.

∀ Verifier ∃ Simulator GMR ZK Auxiliary-input ZK Black-box ZK

View (𝑦)

≈

∀ Verifier ∃ Simulator ∀ aux-IP 𝑨 ∈ 0,1 ∗

View (𝑦, 𝑨)

≈

∃ Simulator ∀ Verifier

View (𝑦)

≈

𝑐-Bounded auxiliary-input ZK ∀ Verifier ∃ Simulator ∀ aux-IP 𝑨 ∈ 0,1 𝑐

View (𝑦, 𝑨)

≈

Our Results

Assuming NIWIs + sub-exponentially secure iO + OWF, there exist two message DPZK arguments for NP ∩ coNP against bounded auxiliary-input verifiers. Also assuming sub-exponentially secure keyless CRHF, there exist two message DPZK arguments for all of NP against bounded auxiliary-input verifiers.

Our Results

Assuming NIWIs + sub-exponentially secure iO + OWF, there exist two message DPZK arguments for NP ∩ coNP against bounded auxiliary-input verifiers. Also assuming sub-exponentially secure keyless CRHF, there exist two message DPZK arguments for all of NP against bounded auxiliary-input verifiers. Any DPZK argument for a language ℒ implies a witness encryption for ℒ.

Two Message DPZK Arguments

Honest Verifier DPZK [Faonio-Nielsen-Venturi’17]

Honest Verifier DPZK [Faonio-Nielsen-Venturi’17]

Witness Encryption for ℒ

WE.Enc

𝑦 𝑛 ct𝑦,𝑛

WE.Dec

𝑥 𝑛/⊥ ct𝑦,𝑛 Deterministic Decryption

Honest Verifier DPZK [Faonio-Nielsen-Venturi’17]

Witness Encryption for ℒ

WE.Enc

𝑦 𝑛 ct𝑦,𝑛

WE.Dec

𝑥 𝑛/⊥ ct𝑦,𝑛

For 𝑦, 𝑥 ∈ Relℒ

WE.Dec

𝑥 𝑛 ct𝑦,𝑛

Correctness

Deterministic Decryption

Honest Verifier DPZK [Faonio-Nielsen-Venturi’17]

Witness Encryption for ℒ

WE.Enc

𝑦 𝑛 ct𝑦,𝑛

WE.Dec

𝑥 𝑛/⊥ ct𝑦,𝑛

For 𝑦, 𝑥 ∈ Relℒ For 𝑦 ∉ ℒ

ct𝑦,0 ct𝑦,1

≈

WE.Dec

𝑥 𝑛 ct𝑦,𝑛

Correctness Security

Deterministic Decryption

Honest Verifier DPZK [Faonio-Nielsen-Venturi’17]

Honest Verifier DPZK [Faonio-Nielsen-Venturi’17]

Deterministic Prover (𝑦, 𝑥) Verifier (𝑦)

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣)

ct𝑦,𝑣

Honest Verifier DPZK [Faonio-Nielsen-Venturi’17]

Deterministic Prover (𝑦, 𝑥) Verifier (𝑦)

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣) ෤ 𝑣 ≔ WE.Dec(ct𝑦,𝑣, 𝑥)

ct𝑦,𝑣 ෤ 𝑣

Output 1 iff 𝑣 = ෤ 𝑣

Honest Verifier DPZK [Faonio-Nielsen-Venturi’17]

Deterministic Prover (𝑦, 𝑥) Verifier (𝑦)

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣) ෤ 𝑣 ≔ WE.Dec(ct𝑦,𝑣, 𝑥)

ct𝑦,𝑣 ෤ 𝑣

Output 1 iff 𝑣 = ෤ 𝑣

Completeness: From correctness of WE.

Cheating Prover (𝑦) Verifier (𝑦) ct𝑦,𝑣 ෤ 𝑣

Output 1 iff 𝑣 = ෤ 𝑣

Honest Verifier DPZK [Faonio-Nielsen-Venturi’17]

Completeness Soundness: From WE security when 𝑦 ∉ ℒ

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣)

Cheating Prover (𝑦) Verifier (𝑦) ct𝑦,0 ?

Output 1 iff 𝑣 = ෤ 𝑣

Honest Verifier DPZK [Faonio-Nielsen-Venturi’17]

Completeness Soundness: From WE security when 𝑦 ∉ ℒ

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣)

Simulator (𝑦)

Honest Verifier DPZK [Faonio-Nielsen-Venturi’17]

Verifier (𝑦) ct𝑦,𝑣 ෤ 𝑣

Output 1 iff 𝑣 = ෤ 𝑣

Completeness Soundness Honest Verifier Zero Knowledge: Simulator knows 𝑣

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣)

Explainable Verifier DPZK

Explainable Verifier There exist honest verifier coins that explains verifier messages as honest messages.

Unlike related notion of semi-malicious adversaries, these coins may be hard to find.

Explainable Verifier DPZK

Explainable Verifier There exist honest verifier coins that explains verifier messages as honest messages.

Simulator no longer “knows’’ the message that an explainable verifier encrypts via the Witness Encryption.

Aux-I/P DPZK for explainable verifiers also ruled out by [Goldreich-Oren’94]

Unlike related notion of semi-malicious adversaries, these coins may be hard to find.

Explainable Verifier DPZK

Explainable Verifier There exist honest verifier coins that explains verifier messages as honest messages.

Simulator no longer “knows’’ the message that an explainable verifier encrypts via the Witness Encryption.

Aux-I/P DPZK for explainable verifiers also ruled out by [Goldreich-Oren’94]

Idea: Use additional trapdoor statement that only the simulator can use.

Unlike related notion of semi-malicious adversaries, these coins may be hard to find.

Explainable Verifier DPZK

Deterministic Prover (𝑦, 𝑥) Verifier (𝑦)

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣) ෤ 𝑣 ≔ WE.Dec(ct𝑦,𝑣, 𝑥)

ct𝑦,𝑣 ෥ ct𝑆,𝑣 𝑆 ෤ 𝑣

Output 1 iff 𝑣 = ෤ 𝑣

size ≤ 𝑐

includes auxiliary input

Explainable Verifier DPZK

Deterministic Prover (𝑦, 𝑥) Verifier (𝑦)

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣) ෤ 𝑣 ≔ WE.Dec(ct𝑦,𝑣, 𝑥)

ct𝑦,𝑣 ෥ ct𝑆,𝑣 𝑆 ෤ 𝑣

Output 1 iff 𝑣 = ෤ 𝑣

size ≤ 𝑐

includes auxiliary input

𝑆 ⟵ 0,1 𝑂 ෥ ct𝑆,𝑣 ⟵ ෫ WE.Enc𝑆(𝑣)

𝑂 ≫ 𝑐 𝑆, M ∈ Rel ሚ

ℒ if

1) M is a Turing Machine that outputs 𝑆. 2) Size of M is 𝑐 + 𝜇

Explainable Verifier DPZK

Deterministic Prover (𝑦, 𝑥) Verifier (𝑦)

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣) ෤ 𝑣 ≔ WE.Dec(ct𝑦,𝑣, 𝑥)

ct𝑦,𝑣 ෥ ct𝑆,𝑣 𝑆 ෤ 𝑣

Output 1 iff 𝑣 = ෤ 𝑣

size ≤ 𝑐

includes auxiliary input

𝑆 ⟵ 0,1 𝑂 ෥ ct𝑆,𝑣 ⟵ ෫ WE.Enc𝑆(𝑣)

𝑂 ≫ 𝑐 𝑆, M ∈ Rel ሚ

ℒ if

1) M is a Turing Machine that outputs 𝑆. 2) Size of M is 𝑐 + 𝜇

Explainable Verifier DPZK

Deterministic Prover (𝑦, 𝑥) Verifier (𝑦)

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣) ෤ 𝑣 ≔ WE.Dec(ct𝑦,𝑣, 𝑥)

ct𝑦,𝑣 ෥ ct𝑆,𝑣 𝑆 ෤ 𝑣

Output 1 iff 𝑣 = ෤ 𝑣

size ≤ 𝑐

includes auxiliary input

𝑆 ⟵ 0,1 𝑂 ෥ ct𝑆,𝑣 ⟵ ෫ WE.Enc𝑆(𝑣)

𝑂 ≫ 𝑐 𝑆, M ∈ Rel ሚ

ℒ if

1) M is a Turing Machine that outputs 𝑆. 2) Size of M is 𝑐 + 𝜇

Completeness: Same as HVZK

Explainable Verifier DPZK

Cheating Prover (𝑦, 𝑥) Verifier (𝑦)

෤ 𝑣 ≔ WE.Dec(ct𝑦,𝑣, 𝑥)

ct𝑦,𝑣 ෥ ct𝑆,𝑣 𝑆 ෤ 𝑣

Output 1 iff 𝑣 = ෤ 𝑣

size ≤ 𝑐

includes auxiliary input 𝑂 ≫ 𝑐 𝑆, M ∈ Rel ሚ

ℒ if

1) M is a Turing Machine that outputs 𝑆. 2) Size of M is 𝑐 + 𝜇

Completeness Soundness: w.h.p. no short machine exists to satisfy Rel ሚ

ℒ

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣) 𝑆 ⟵ 0,1 𝑂 ෥ ct𝑆,𝑣 ⟵ ෫ WE.Enc𝑆(𝑣)

Explainable Verifier DPZK

Simulator (𝑦) Verifier (𝑦)

෤ 𝑣 ≔ ෫ WE.Dec(෥ ct𝑆,𝑣 , )

ct𝑦,𝑣 ෥ ct𝑆,𝑣 𝑆 ෤ 𝑣

Output 1 iff 𝑣 = ෤ 𝑣

size ≤ 𝑐

includes auxiliary input 𝑂 ≫ 𝑐 𝑆, M ∈ Rel ሚ

ℒ if

1) M is a Turing Machine that outputs 𝑆. 2) Size of M is 𝑐 + 𝜇

Completeness Soundness Zero Knowledge: Simulator uses the verifier’s code as

witness; verifier’s randomness simulated by a PRG.

𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣) 𝑆 ⟵ 0,1 𝑂 ෥ ct𝑆,𝑣 ⟵ ෫ WE.Enc𝑆(𝑣)

𝑆 ⟵ 0,1 𝑂 ෥ ct𝑆,𝑣 ⟵ ෫ WE.Enc𝑆(𝑣) 𝑣 ⟵ 0,1 𝑜 ct𝑦,𝑣 ⟵ WE.Enc𝑦(𝑣)

Explainable Verifier DPZK

Deterministic Prover (𝑦, 𝑥) Verifier (𝑦)

෤ 𝑣 ≔ WE.Dec(ct𝑦,𝑣, 𝑥)

ct𝑦,𝑣 ෥ ct𝑆,𝑣 𝑆 ෤ 𝑣

Output 1 iff 𝑣 = ෤ 𝑣

size ≤ 𝑐

includes auxiliary input 𝑂 ≫ 𝑐 𝑆, M ∈ Rel ሚ

ℒ if

1) M is a Turing Machine that outputs 𝑆. 2) Size of M is 𝑐 + 𝜇 Rel ሚ

ℒ is not an NP relation since we do not a priori bound the running

time of M. Efficient Witness Encryption for Rel ሚ

ℒ can be realized assuming

indistinguishability obfuscation for Turing Machines.

Malicious Verifier DPZK

Malicious Verifier DPZK Explainable Verifier DPZK Verifier proves honest behavior

Malicious Verifier DPZK

Malicious Verifier DPZK Explainable Verifier DPZK Verifier proves honest behavior

ℒ ∈ NP ∩ coNP

Verifier proves via NIWI that

• 1. It behaved honestly; OR

2. 𝑦 ∉ ℒ

Malicious Verifier DPZK

Malicious Verifier DPZK Explainable Verifier DPZK Verifier proves honest behavior

ℒ ∈ NP ∩ coNP

Verifier proves via NIWI that

• 1. It behaved honestly; OR

2. 𝑦 ∉ ℒ

ℒ ∈ NP

Verifier proves via NIWI that

• 1. It behaved honestly; OR
• 2. It has committed to a collision of keyless

CRHF.

Necessity of Witness Encryption for DPZK

Predictable Arguments (PA)

[Faonio-Nielsen-Venturi’17]

𝑤1

Prover (𝑦) Verifier (𝑦)

𝑤1, 𝑞1 ⟵ 𝑊(𝑦) Reject if ෤ 𝑞1 ≠ 𝑞1 ෤ 𝑞1

Predictable Arguments (PA)

[Faonio-Nielsen-Venturi’17]

𝑤1

Prover (𝑦) Verifier (𝑦)

𝑤1, 𝑞1 ⟵ 𝑊(𝑦) Reject if ෤ 𝑞1 ≠ 𝑞1 ෤ 𝑞1 𝑤2, 𝑞2 ⟵ 𝑊(𝑦, 𝑤1, 𝑞1) 𝑤2 Reject if ෤ 𝑞2 ≠ 𝑞2 ෤ 𝑞2

⋮

Predictable Arguments (PA)

[Faonio-Nielsen-Venturi’17]

𝑤1

Prover (𝑦) Verifier (𝑦)

𝑤1, 𝑞1, … , 𝑤ℓ, 𝑞ℓ ⟵ 𝑊(𝑦) Reject if ෤ 𝑞1 ≠ 𝑞1 ෤ 𝑞1 𝑤2 Reject if ෤ 𝑞2 ≠ 𝑞2 ෤ 𝑞2

⋮

Predictable Arguments (PA)

[Faonio-Nielsen-Venturi’17]

𝐼 = 𝜌(𝐻𝑐)

Prover (𝐻0, 𝐻1) Verifier (𝐻0, 𝐻1)

𝑐 ⟵ {0,1}, 𝜌 ⟵ Π𝑜 Reject if ෨ 𝑐 ≠ 𝑐 ෨ 𝑐

Predictable argument for Graph Non- Isomorphism

DPZK to WE

Predictable Argument for ℒ Witness Encryption for ℒ [Faonio-Nielsen-Venturi’17]

DPZK to WE

Predictable Argument for ℒ Witness Encryption for ℒ [Faonio-Nielsen-Venturi’17] DPZK Argument for ℒ

DPZK to PA

Prover (𝑦, 𝑥) Verifier (𝑦)

𝑤1 Reject if ෤ 𝑞1 ≠ 𝑞1 ෤ 𝑞1 𝑤2 Reject if ෤ 𝑞2 ≠ 𝑞2 ෤ 𝑞2

⋮

𝑤1, 𝑞1, … , 𝑤ℓ, 𝑞ℓ; 𝑠 ⟵ (𝑦)

Verifier rejects if HVZK simulator does not produce accepting transcript

Behaves identically to the DPZK prover

DPZK to PA

Prover (𝑦, 𝑥) Verifier (𝑦)

𝑤1 Reject if ෤ 𝑞1 ≠ 𝑞1 ෤ 𝑞1 𝑤2 Reject if ෤ 𝑞2 ≠ 𝑞2 ෤ 𝑞2

⋮

𝑤1, 𝑞1, … , 𝑤ℓ, 𝑞ℓ; 𝑠 ⟵ (𝑦)

Verifier rejects if HVZK simulator does not produce accepting transcript

Completeness: From the ZK property, the simulator and (real) DPZK

prover generate the same messages.

Behaves identically to the DPZK prover

DPZK to PA

Cheating Prover (𝑦) Verifier (𝑦)

𝑤1 Reject if ෤ 𝑞1 ≠ 𝑞1 ෤ 𝑞1 𝑤2 Reject if ෤ 𝑞2 ≠ 𝑞2 ෤ 𝑞2

⋮

𝑤1, 𝑞1, … , 𝑤ℓ, 𝑞ℓ; 𝑠 ⟵ (𝑦)

Verifier rejects if HVZK simulator does not produce accepting transcript

Completeness Soundness: If the verifier does not reject, the cheating prover generates

an accepting transcript when 𝑦 ∉ ℒ, breaking soundness of the ZK protocol.*

*implicitly assumed that simulated random coins are pseudorandom when 𝑦 ∉ ℒ.

Other Results

Any DPZK argument for bounded auxiliary input verifiers can be made two message, and laconic in the prover message.

Follows from the transformation on predictable arguments in [Faonio-Nielsen-Venturi’17]. We show that the transformations preserve zero-knowledge.

There exist two message DPZK arguments for all of NP against bounded auxiliary-input verifiers. Any DPZK argument for a language ℒ implies a witness encryption for ℒ.

Thank you. Questions?

Arka Rai Choudhuri achoud@cs.jhu.edu

ia.cr/2020/1160

There exist two message DPZK arguments for all of NP against bounded auxiliary-input verifiers. Any DPZK argument for a language ℒ implies a witness encryption for ℒ.