Distinguisher-Dependent Simulation Dakshita Khurana Joint work with - PowerPoint PPT Presentation

Distinguisher-Dependent Simulation Dakshita Khurana Joint work with Abhishek Jain, Yael Kalai and Ron Rothblum

Interactive Proofs for NP Interactive Proof (GMR85, Babai85) 𝑦 ∈ ℒ? 𝑦, 𝑥 P V accept

Security Against Malicious Provers Soundness 𝑦 ∉ ℒ? 𝑦 ∗ P V reject

Security Against Malicious Verifiers Shouldn’t learn witness w  Zero-Knowledge (GMR85)  Distributional Zero-Knowledge (Goldreich93)  Weak Zero-Knowledge (DNRS99)  Witness Hiding (FS90)  Witness Indistinguishability (FS90)  Strong Witness Indistinguishability (Goldreich93)

Zero-Knowledge ∀ 𝑦, 𝑦, 𝑥 𝑦 ≈ ∗ ∗ Sim P V V

Distributional Zero-Knowledge Can sample other 𝑦 ′ , 𝑥′ ∀ efficiently sampleable (𝑌, 𝑋) but must simulate proof for external 𝑦 without 𝑥 𝑦, 𝑥 ∼ 𝑦 ∼ 𝑌 (𝑌, 𝑋) ≈ ∗ Sim ∗ V P V Over the randomness of 𝑦

Weak Zero-Knowledge Gets to observe the output of the distinguisher ∗ ∗ P V ≈ V Sim 0/1 0/1 D D 𝑄𝑠 𝐸 = 1 𝑠𝑓𝑏𝑚 − Pr 𝐸 = 1 𝑇𝑗𝑛 ≤ 𝑜𝑓𝑕𝑚

Witness Hiding ∀ efficiently sampleable 𝑌, 𝑋 with hard to find witnesses, 𝑦, 𝑥 ∼ (𝑌, 𝑋) ∗ P V 𝑥 𝑦

Witness Indistinguishability 𝑦, 𝑥 1 𝑦, 𝑥 2 ≈ ∗ ∗ P P V V

Strong Witness Indistinguishability 𝑦 1 , 𝑥 1 𝑦 2 , 𝑥 2 ∗ ≈ ∗ P P V V when 𝑦 1 ≈ 𝑦 2

Round Complexity Timeline Impossibilities (GO94): - 2 round weak ZK - 2 round distributional ZK Can we do better than WI in Impossibilities: Impossibility: - 2 round ZK (GO94) - 3 round BB public-coin 2 rounds? Or even 3 rounds? - 3 round BB ZK (GK92) Witness Hiding (HRS09) Strong WI, witness hiding: … … … Round complexity open 3 round Witness Indistinguishability 1 & 2 round WI (DN00, 5 round ZK (GMR85, Blum86, FS90), BOV03, GOS06, BP15) proofs (GK96) 4 round Witness Hiding (FS90) 3 round ZK via non-standard 4 round ZK arguments (FS90, BJY97) assumptions (HT98, LM01, BP04, CD08, GLR12, BP13, BBKPV16, BKP17)

Overcoming Barriers

Distributional Protocols  Prover samples instance 𝑦 from some distribution P V 𝑦 𝑦, 𝑥 ∼ (𝑌, 𝑋) Why should we care?  ZK proofs used to prove correctness of cryptographic computation  Almost always, instances are chosen from some distribution  Strong WI, WH by definition are distributional notions

Distributional Protocols  Prover samples instance 𝑦 from some distribution P V Useful in secure computation: • [KO05, GLOV14, COSV16] Our paper: extractable • 𝑦 𝑦, 𝑥 ∼ commitments, 3 round 2pc (𝑌, 𝑋) Specific 2 & 3 round protocols: • [KS17, K17, ACJ17]  In 2 round protocols, P sends 𝑦 together with proof  Adaptive soundness: P* samples 𝑦 after V’s message  We will restrict to: delayed-input protocols  Cheating verifier cannot choose first message depending on 𝑦

Distributional Protocols , Delayed-Input  Prover samples instance 𝑦 from some distribution P V 𝑦 𝑦, 𝑥 ∼ (𝑌, 𝑋)  Simulate the view of malicious V*, when V* is committed to 1 st message, before P reveals instance 𝑦 ?  Distributional privacy for delayed-input statements .  Get around negative results!

Our Results Assuming quasi-polynomial DDH, QR or N th residuosity, we get  2 Round arguments in the delayed-input setting Sim depends on  Distributional weak ZK distinguisher  Witness Hiding  Strong Witness Indistinguishability  2 Round WI arguments [concurrent work: BGISW17]  Previously, trapdoor perm (DN00), b-maps (GOS06), or iO (BP15)  3 Round protocols from polynomial hardness + applications

New Technique: Black-box Simulation in 2 Rounds

Kalai-Raz (KR09) Transform PIR scheme (1) Interactive Proof (2) 2-Message Argument 𝑏 0 𝑟 1 , (𝑟 1 , 𝑟 2 ) 𝑟 1 ∗ ⇒ 𝑏 1 P * P V V 𝑟 2 𝑏 2 𝑏 0 , 𝑏 1 , 𝑏 2 - KR09: Assuming quasi-polynomially secure PIR, (2) is sound against adaptive PPT P*. - Our goal: 2 message arguments for NP with privacy. - Apply KR09 transform to three round proof of Blum86.

Blum Protocol for Graph Hamiltonicity 𝐻𝑠𝑏𝑞ℎ 𝐻, 𝐼𝑏𝑛𝑗𝑚𝑢𝑝𝑜𝑗𝑏𝑜 𝐼 𝐷𝑝𝑛 π 𝐻 , 𝐷𝑝𝑛(π ) 𝑓 = 0 or e = 1 P V 𝐸𝑓𝑑𝑝𝑛 π 𝐻 , 𝐸𝑓𝑑𝑝𝑛(π ), OR 𝐸𝑓𝑑𝑝𝑛 𝑓𝑒𝑕𝑓𝑡 𝑝𝑔 𝐼 𝑗𝑜 π 𝐻 - Honest verifier zero-knowledge: Sim that knows 𝑓 can simulate. - Repeat in parallel to amplify soundness. Preserves honest verifier ZK.

KR09 transform on Blum 𝐻𝑠𝑏𝑞ℎ 𝐻, 𝐼𝑏𝑛𝑗𝑚𝑢𝑝𝑜𝑗𝑏𝑜 𝐼 𝑓 = 0 or e = 1 ∗ 𝐷𝑝𝑛 π 𝐻 , 𝐷𝑝𝑛(π ) P V 𝐸𝑓𝑑𝑝𝑛 π 𝐻 , 𝐸𝑓𝑑𝑝𝑛(π ), OR 𝐸𝑓𝑑𝑝𝑛 𝑓𝑒𝑕𝑓𝑡 𝑝𝑔 𝐼 𝑗𝑜 π 𝐻 - Remains honest verifier zero-knowledge. - What if malicious V* sends malformed query that doesn’t encode any bit? - Prevent this by using a special PIR scheme.

2-Message Oblivious Transfer 𝐷ℎ𝑝𝑗𝑑𝑓 𝑐𝑗𝑢 𝑐 𝑁𝑓𝑡𝑡𝑏𝑕𝑓𝑡 (𝑛 0 , 𝑛 1 ) 𝑑 = 𝑃𝑈 1 (𝑐) Known constructions from S R DDH (NP01), 𝑃𝑈 2 (𝑑, 𝑛 0 , 𝑛 1 ) Quadratic Residuosity and N th Residuosity (HK05) 𝑛 𝑐 - S cannot guess b - R cannot distinguish OT 2 𝑛 0 , 𝑛 1 from : • OT 2 𝑛 0 , 𝑛 0 when b = 0 , OR • OT 2 𝑛 1 , 𝑛 1 when b = 1 . - Every string 𝑑 corresponds to 𝑃𝑈 1 (𝑐) for some bit 𝑐

Kalai-Raz Transform on Blum using OT Blum Proof (1) Argument (2) { 𝑏 i } i ∈ [N] (𝑓 i ) i ∈ [N] ⇒ P P V V {𝑓 i } i ∈ [N] { 𝑏 i } i ∈ [N] , (𝑨 𝑗0 , 𝑨 i 1 ) i ∈ [N] { 𝑨 i, e } i ∈ [N] - KR09: (2) remains sound against PPT provers, even if they choose 𝑦 adaptively - What about privacy?

Kalai-Raz Transform on Blum Real World (𝑓 i ) i ∈ [N] (𝑓 i ) i ∈ [N] ∗ ∗ Sim P V V { 𝑏 i } i ∈ [N] , (𝑨 𝑗0, 𝑨 i 1 ) i ∈ [N] (𝑨 𝑗0, 𝑨 i 1 ) i ∈ [N] { 𝑏 i } i ∈ [N] - Every message sent by V* corresponds to an encryption of some {𝑓 i } i ∈ [N] Polynomial - If Sim knew {𝑓 i } i ∈ [N] , then easy to simulate (by HVZK). Simulation?? - Privacy via super-poly simulation: Sim breaks encryption to find 𝑓 𝑗 [BGISW17]

Rely on the Distinguisher to find e Real World Ideal World (𝑓 i ) i ∈ [N] (𝑓 i ) i ∈ [N] ∗ ∗ Sim P V V { 𝑏 i } i ∈ [N] , (𝑨 𝑗0, 𝑨 i 1 ) i ∈ [N] D D

Simplify: single parallel execution Unclear how to simulate! Real World Ideal World 𝑓 𝑓 ∗ ∗ Sim P V V 𝑏, (𝑨 0 , 𝑨 1 ) D D

Simplify: single parallel execution Real World Ideal World 𝑓 𝑓 ∗ ∗ Sim P V V 𝑏, (𝑨 0 , 𝑨 1 ) 𝑏, 𝑘𝑣𝑜𝑙! D D Can D tell the difference? - Suppose NOT : eg , D doesn’t know randomness for 𝑓 - 𝑏 is already computationally hiding, Sim can easily sample 𝑘𝑣𝑜𝑙! 𝑏,

Simplify: Single parallel execution Real World Ideal World 𝑓 𝑓 ∗ ∗ Sim P V V 𝑏, (𝑨 0 , 𝑨 1 ) 𝑏, 𝑘𝑣𝑜𝑙! D D Can D tell the difference? Sim will use D - Suppose YES : eg, D knows randomness for 𝑓 to extract 𝒇 ! - Sim can’t just sample : will be distinguishable! 𝑘𝑣𝑜𝑙! 𝑏,

Recall: Distributional Simulation Ideal World 𝑓 ∗ Sim V (𝑨 0 , 𝑨 1 ) 𝑦′, 𝑏 D - Recall: want a simulator for 𝑦 ∼ 𝑌 , which generates a proof without witness. - However, Sim can sample other ( 𝑦 ’, 𝑥 ’) ∼ ( 𝑌 , 𝑋 ) from the same distribution. - Sim can also sample proofs for these other ( 𝑦 ’, 𝑥 ’) ∼ ( 𝑌 , 𝑋 ).

Main Simulation Technique (𝟏) 𝑓 ∗ Sim V (𝒃𝒅𝒖𝒗𝒃𝒎) (𝒜 𝟏 , 𝒜 𝟏 ) 𝑦′, 𝑏 D 𝑓 ∗ Sim V OR 𝑦′, 𝑏 (𝒜 𝟏 , 𝒜 𝟐 ) (𝟐) D 𝑓 ∗ Sim V (𝒜 𝟐 , 𝒜 𝟐 ) 𝑦′, 𝑏 Checks if 𝒃𝒅𝒖𝒗𝒃𝒎 ≈ (𝟏) Or, if 𝒃𝒅𝒖𝒗𝒃𝒎 ≈ (𝟐) D Use this to extract e.

Polynomial Simulation Simulate proof for external 𝑦 without 𝑥 𝑓 ∗ Sim V (𝒜 𝟏 , 𝒜 𝟐 ) 𝑦′, 𝑏 (𝒜 𝟏 , 𝒜 𝟏 ) (𝒜 𝟐 , 𝒜 𝟐 ) D 1 0 Simulator rewinds the distinguisher to learn the OT challenge 𝑓 . - Technique extends to extracting {𝑓 i } i ∈ [N] from parallel repetition. -

Perspective: Extraction in Cryptography - Black-box polynomial simulation strategy that requires only 2 messages. - Previously, rewinding took more rounds ∗ ∗ Sim Sim V V D - Towards resolving open problems on round complexity of WH, strong WI. - Applications to multiple 2-round, 3-round protocols, beyond proofs.

Conclusion & Open Problems