Distinguisher-Dependent Simulation Dakshita Khurana Joint work with - - PowerPoint PPT Presentation



SLIDE 1

Distinguisher-Dependent Simulation

Dakshita Khurana

Joint work with Abhishek Jain, Yael Kalai and Ron Rothblum

SLIDE 2

Interactive Proofs for NP

Interactive Proof (GMR85, Babai85)

[Diagram: P and V; labels: x ∈ ℒ?; x, w; accept]

SLIDE 3

Security Against Malicious Provers

Soundness

[Diagram: P* and V; labels: x ∉ ℒ?; x; reject]

SLIDE 4

Security Against Malicious Verifiers

  • Zero-Knowledge (GMR85)
  • Distributional Zero-Knowledge (Goldreich93)
  • Weak Zero-Knowledge (DNRS99)
  • Witness Hiding (FS90)
  • Witness Indistinguishability (FS90)
  • Strong Witness Indistinguishability (Goldreich93)

Shouldn't learn witness w

SLIDE 5

Zero-Knowledge

[Diagram: V* with P, V* with Sim, ≈; labels: x; x, w; ∀ x,]

SLIDE 6

Distributional Zero-Knowledge

[Diagram: V* with P, V* with Sim, ≈; labels: x ∼ X; x, w ∼ (X, W)]

Over the randomness of x

∀ efficiently sampleable (X, W)

Can sample other x′, w′ but must simulate proof for external x without w

SLIDE 7

Weak Zero-Knowledge

[Diagram: V* with P, V* with Sim, ≈; labels: D, D; 0/1, 0/1]

|Pr[D = 1 | real] − Pr[D = 1 | Sim]| ≤ negl

Gets to observe the output of the distinguisher

SLIDE 8

Witness Hiding

[Diagram: P and V*; labels: w; x, w ∼ (X, W); x]

∀ efficiently sampleable X, W with hard to find witnesses,

SLIDE 9

Witness Indistinguishability

[Diagram: V* with P, V* with P, ≈; labels: x, w1; x, w2]

SLIDE 10

Strong Witness Indistinguishability

[Diagram: V* with P, V* with P, ≈; labels: x1, w1; x2, w2 when x1 ≈ x2]

SLIDE 11

Round Complexity Timeline

Impossibilities:

  • 2 round ZK (GO94)
  • 3 round BB ZK (GK92)

Impossibilities (GO94):

  • 2 round weak ZK
  • 2 round distributional ZK

3 round Witness Indistinguishability (GMR85, Blum86, FS90), 4 round Witness Hiding (FS90)

4 round ZK arguments (FS90, BJY97)

5 round ZK proofs (GK96)

Impossibility:

  • 3 round BB public-coin Witness Hiding (HRS09)

3 round ZK via non-standard assumptions (HT98, LM01, BP04, CD08, GLR12, BP13, BBKPV16, BKP17)

1 & 2 round WI (DN00, BOV03, GOS06, BP15)

Can we do better than WI in 2 rounds? Or even 3 rounds?

Strong WI, witness hiding: Round complexity open

SLIDE 12

Overcoming Barriers

SLIDE 13

Distributional Protocols

  • Prover samples instance x from some distribution

Why should we care?

  • ZK proofs used to prove correctness of cryptographic computation
  • Almost always, instances are chosen from some distribution
  • Strong WI, WH by definition are distributional notions

[Diagram: P and V; labels: x; x, w ∼ (X, W)]

SLIDE 14

Distributional Protocols

  • Prover samples instance x from some distribution
  • In 2 round protocols, P sends x together with proof
  • Adaptive soundness: P* samples x after V's message
  • We will restrict to: delayed-input protocols
  • Cheating verifier cannot choose first message depending on x

[Diagram: P and V; labels: x; x, w ∼ (X, W)]

  • Useful in secure computation: [KO05, GLOV14, COSV16]
  • Our paper: extractable commitments, 3 round 2pc
  • Specific 2 & 3 round protocols: [KS17, K17, ACJ17]

SLIDE 15

Distributional Protocols

  • Prover samples instance x from some distribution
  • Simulate the view of malicious V*, when V* is committed to 1st message, before P reveals instance x?
  • Distributional privacy for delayed-input statements.
  • Get around negative results!

[Diagram: P and V; labels: x; x, w ∼ (X, W); Delayed-Input]

SLIDE 16

Our Results

Assuming quasi-polynomial DDH, QR or Nth residuosity, we get

  • 2 Round arguments in the delayed-input setting
      • Distributional weak ZK
      • Witness Hiding
      • Strong Witness Indistinguishability
  • 2 Round WI arguments [concurrent work: BGISW17]
      • Previously, trapdoor perm (DN00), b-maps (GOS06), or iO (BP15)
  • 3 Round protocols from polynomial hardness + applications

Sim depends on distinguisher

SLIDE 17

New Technique: Black-box Simulation in 2 Rounds

SLIDE 18

Kalai-Raz (KR09) Transform

[Diagram: (1) Interactive Proof between P* and V ⇒ (2) 2-Message Argument between P* and V; labels: q1, q2, a2, a1, a0; (q1, q2); a1, q1, a2; a0; PIR scheme]

  • KR09: Assuming quasi-polynomially secure PIR, (2) is sound against adaptive PPT P*.
  • Our goal: 2 message arguments for NP with privacy.
  • Apply KR09 transform to three round proof of Blum86.

SLIDE 19

Blum Protocol for Graph Hamiltonicity

[Diagram: P and V; labels: Graph G, Hamiltonian H; Com(π(G)), Com(π); e = 0 or e = 1; Decom(π(G)), Decom(π), OR Decom edges of H in π(G)]

  • Honest verifier zero-knowledge: Sim that knows e can simulate.
  • Repeat in parallel to amplify soundness. Preserves honest verifier ZK.
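
Added example, not from the slides: one round of the Blum protocol above, with an honest-verifier simulator that is told the challenge e before it commits and never sees a Hamiltonian cycle. The SHA-256 commitment, all function names and the 5-vertex graph are assumptions made for this illustration, and Python's `random` stands in for a cryptographic RNG.

```python
import hashlib, random, secrets

def commit(value, r=None):             # hash commitment: returns (com, opening)
    r = r or secrets.token_hex(16)
    return hashlib.sha256(f"{r}|{value}".encode()).hexdigest(), (r, value)

def opens_to(com, opening):
    return commit(opening[1], opening[0])[0] == com

def adjacency(n, edges):               # symmetric 0/1 matrix of an undirected graph
    es = {frozenset(e) for e in edges}
    return [[int(frozenset((i, j)) in es) for j in range(n)] for i in range(n)]

def first_message(matrix, pi):         # Com(pi(G)) cell by cell, plus Com(pi)
    cells = [[commit(b) for b in row] for row in matrix]
    c_pi, o_pi = commit(pi)
    coms = ([[c for c, _ in row] for row in cells], c_pi)
    return coms, [[o for _, o in row] for row in cells], o_pi

def open_cycle(cyc, opens):            # decommit only the n cells along the cycle
    return [(u, v, opens[u][v]) for u, v in zip(cyc, cyc[1:] + cyc[:1])]

def prove(n, edges, cycle, e):         # honest P; the witness is used only when e == 1
    pi = random.sample(range(n), n)
    coms, opens, o_pi = first_message(adjacency(n, [(pi[u], pi[v]) for u, v in edges]), pi)
    return coms, ((o_pi, opens) if e == 0 else open_cycle([pi[v] for v in cycle], opens))

def simulate(n, edges, e):             # Sim: told e before committing, has no witness
    if e == 0:
        return prove(n, edges, None, 0)
    cyc = random.sample(range(n), n)   # commit to a bare random n-cycle, not to pi(G)
    coms, opens, _ = first_message(adjacency(n, zip(cyc, cyc[1:] + cyc[:1])), cyc)
    return coms, open_cycle(cyc, opens)

def verify(n, edges, coms, e, answer):
    mat, c_pi = coms
    if e == 0:                         # everything opened: must equal pi(G) for the opened pi
        o_pi, opens = answer
        if not opens_to(c_pi, o_pi) or sorted(o_pi[1]) != list(range(n)):
            return False
        pm = adjacency(n, [(o_pi[1][u], o_pi[1][v]) for u, v in edges])
        return all(opens_to(mat[i][j], opens[i][j]) and opens[i][j][1] == pm[i][j]
                   for i in range(n) for j in range(n))
    starts = [u for u, _, _ in answer] # e == 1: opened cells must be one n-cycle of 1s
    return sorted(starts) == list(range(n)) and all(
        v == starts[(k + 1) % n] and opens_to(mat[u][v], o) and o[1] == 1
        for k, (u, v, o) in enumerate(answer))

# Constructed sample instance: 5 vertices, Hamiltonian cycle 0-1-2-3-4-0 plus one chord.
N, EDGES, CYCLE = 5, [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)], [0, 1, 2, 3, 4]
```

`simulate` produces accepting transcripts for either value of e even on a graph with no Hamiltonian cycle, provided it learns e before sending its commitments.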

SLIDE 20

KR09 transform on Blum

[Diagram: P and V*; labels: Graph G, Hamiltonian H; Com(π(G)), Com(π); e = 0 or e = 1; Decom(π(G)), Decom(π), OR Decom edges of H in π(G)]

  • Remains honest verifier zero-knowledge.
  • What if malicious V* sends malformed query that doesn't encode any bit?
  • Prevent this by using a special PIR scheme.

SLIDE 21

2-Message Oblivious Transfer

[Diagram: S and R; labels: Messages (m0, m1); Choice bit b; c = OT1(b); OT2(c, m0, m1); m_b]

  • S cannot guess b
  • R cannot distinguish OT2(m0, m1) from:
      • OT2(m0, m0) when b = 0, OR
      • OT2(m1, m1) when b = 1.
  • Every string c corresponds to OT1(b) for some bit b

Known constructions from DDH (NP01), Quadratic Residuosity and Nth Residuosity (HK05)

SLIDE 22

Kalai-Raz Transform on Blum using OT

[Diagram: Blum Proof (1) between P and V ⇒ Argument (2) between P and V; labels: {e_i}, i ∈ [N]; {z_i,e}, i ∈ [N]; {a_i}, i ∈ [N]; (e_i), i ∈ [N]; {a_i}, i ∈ [N], (z_i0, z_i1), i ∈ [N]]

  • KR09: (2) remains sound against PPT provers, even if they choose x adaptively
  • What about privacy?

SLIDE 23

Kalai-Raz Transform on Blum

[Diagram: Real World, P with V* and Sim with V*; labels: {a_i}, i ∈ [N]; {a_i}, i ∈ [N], (e_i), i ∈ [N]; (z_i0, z_i1), i ∈ [N]; (e_i), i ∈ [N]; (z_i0, z_i1), i ∈ [N]]

  • Every message sent by V* corresponds to an encryption of some {e_i}, i ∈ [N]
  • If Sim knew {e_i}, i ∈ [N], then easy to simulate (by HVZK).
  • Privacy via super-poly simulation: Sim breaks encryption to find e_i [BGISW17]

Polynomial Simulation??

SLIDE 24

Rely on the Distinguisher to find e

[Diagram: Real World (P, V*, D) and Ideal World (Sim, V*, D); labels: {a_i}, i ∈ [N], (e_i), i ∈ [N]; (z_i0, z_i1), i ∈ [N]; (e_i), i ∈ [N]]

SLIDE 25

Simplify: single parallel execution

[Diagram: Real World (P, V*, D) and Ideal World (Sim, V*, D); labels: a, e; (z0, z1); e]

Unclear how to simulate!

SLIDE 26

Simplify: single parallel execution

[Diagram: Real World (P, V*, D) and Ideal World (Sim, V*, D); labels: a, e; (z0, z1); a, e; junk!]

Can D tell the difference?

  • Suppose NOT: e.g., D doesn't know randomness for e
  • a is already computationally hiding, Sim can easily sample a, junk!

SLIDE 27

Simplify: Single parallel execution

[Diagram: Real World (P, V*, D) and Ideal World (Sim, V*, D); labels: a, e; (z0, z1); a, e; junk!]

Can D tell the difference?

  • Suppose YES: e.g., D knows randomness for e
  • Sim can't just sample a, junk!: will be distinguishable!

Sim will use D to extract e!

SLIDE 28

Recall: Distributional Simulation

  • Recall: want a simulator for x ∼ X, which generates a proof without witness.
  • However, Sim can sample other (x′, w′) ∼ (X, W) from the same distribution.
  • Sim can also sample proofs for these other (x′, w′) ∼ (X, W).

[Diagram: Ideal World, Sim with V* and D; labels: x′, a; e; (z0, z1)]

SLIDE 29

Main Simulation Technique

[Diagram: three panels, each with Sim, V* and D; labels in each panel: x′, a; e; a pair of z values; panels marked (actual), (1) OR (2)]

Checks if actual ≈ (1)
Or, if actual ≈ (2)
Use this to extract e.

SLIDE 30

Polynomial Simulation

[Diagram: Sim with V* and D; labels: x′, a; e; pairs of z values; 1]

  • Simulator rewinds the distinguisher to learn the OT challenge e.
  • Technique extends to extracting {e_i}, i ∈ [N] from parallel repetition.

Simulate proof for external x without w

SLIDE 31

Perspective: Extraction in Cryptography

  • Black-box polynomial simulation strategy that requires only 2 messages.
  • Previously, rewinding took more rounds
  • Towards resolving open problems on round complexity of WH, strong WI.
  • Applications to multiple 2-round, 3-round protocols, beyond proofs.

[Diagram: V* with Sim; V* with Sim and D]

SLIDE 32

Conclusion & Open Problems

SLIDE 33

Round Complexity Timeline

Impossibilities:

  • 2 round ZK (GO94)
  • 3 round BB ZK (GK92)

Impossibilities (GO94):

  • 2 round weak ZK
  • 2 round distributional ZK

3 round Witness Indistinguishability (FS90), 4 round Witness Hiding (FS90)

4 round ZK arguments (FS90, BJY97)

5 round ZK proofs (GK96)

Impossibility:

  • 3 round Witness Hiding (HRS09)

3 round ZK from non-std assumptions (HT98, LM01, BP04, CD08, GLR12, BP13, BBKPV16, BKP17)

1 & 2 round WI from TDPs / iO (DN00, BOV03, BP15)

Delayed-input setting:

  • Distributional weak ZK
  • Witness Hiding, Strong WI

2 rounds from quasi-poly & 3 rounds from poly assumptions

2 round WI from quasi-poly DDH, QR, Nth residuosity

SLIDE 34

Open Questions

  • 2 round protocols from polynomial hardness?
  • Low round public-coin protocols with strong privacy?
  • New applications of distinguisher-dependent simulation
  • Other black-box/non-black-box techniques for 2 round protocols
  • A 2-round rewinding technique from superpoly DDH in [KS17, BKS17]

SLIDE 35

Thank you!