Laconic Zero Knowledge to Public Key Cryptography - PowerPoint PPT Presentation
Akshay Degwekar (MIT)
Public Key Encryption (PKE)
[Diffie-Hellman76, Rivest-Shamir-Adleman78, Goldwasser-Micali82]
pk, sk
ct = Enc_pk(m)
GOAL: Construct “different” public-key encryption schemes
Number Theory
Lattices
What structure + hardness implies public-key crypto?
Possible answers:
NP-hardness: No Crypto Known
Some impossibility results [Brassard79, Feigenbaum-Fortnow93, Bogdanov-Trevisan03, Goldreich-Goldwasser98, AkaviaGoldreichGoldwasserMoshkovitz06]
One-Way Functions
Some barriers [Impagliazzo-Rudich89, Brakerski-Katz-Segev-Yerukhimovich11, Dachman-Soled16, Garg-Hajiabadi-Mahmoody-Mohammed18]
SZK-hardness (SZK = Statistical Zero Knowledge)
Implies OWFs [Ostrovsky91]
Many problems in SZK imply PKE
Statistical Zero Knowledge (SZK)
[Goldwasser-Micali-Rackoff85]
Completeness: P, V
Soundness: P*
Proof: All-powerful P*
Argument: Efficient P*
Honest-Verifier Statistical Zero Knowledge: P, V
Simulator:
NP
Statistical Zero Knowledge
PKE from SZK-Hardness?
SZK
Seems Challenging:
Discrete Log, Graph Iso have SZK proofs but no PKE known.
Need more Structure?
DLog, Graph Iso.
DLog, QR, Factoring, LWE
Example: Quadratic Non-Residuosity
[Goldwasser-Micali82, Goldwasser-Micali-Rackoff85]
(Honest-Verifier) Can sample hard instances w/ witnesses
(Or: From GMR to GM)
(Honest-Verifier) Statistical Zero-Knowledge Proof
Efficient Prover: Efficient w/ witnesses
Prover talks very little
Our Results: These Properties are Sufficient!
ZK PROOF SYSTEM + CRYPTO HARD LANGUAGE => Public-Key Encryption
CRYPTO HARD LANGUAGE: Implies One-Way Functions
Instantiations
Diagram labels: QR, DDH, LWE, Low noise LPN, ABW, Factoring, CDH, Our Assumption, PKE
Perspective: Relaxing the Assumption
ZK PROOF SYSTEM
+
CRYPTO HARD LANGUAGE
[Sahai-Vadhan03] [HaitnerNguyenOngReingoldVadhan03]
Characterization
WEAK ZK PROOF SYSTEM
WEAK: soundness, completeness hold on average
+
CRYPTO HARD LANGUAGE + DISTRIBUTIONS
Public-Key Encryption
Summary
Laconic, Efficient Prover, HVSZK ARGUMENT
+
CRYPTO HARD LANGUAGE
Public Key Encryption
Techniques
Warmup: 2-Msg, Deterministic Prover*
* a.k.a. Hash Proof System [Cramer-Shoup02]
Weak Key Agreement
Correctness: Every verifier challenge has unique prover response
Adv = Cheating Prover (soundness)
Contradiction. D breaks average-case hardness.
Amplify from weak PKE to PKE using HolensteinRenner05
We saw: PKE from deterministic, 2-msg SZK Proof System.
Challenges:
Randomized Prover
Multi-round Proof System
Stateful Prover
Lesser Challenges: Relaxing perfect ZK, perfect completeness
Coping with Randomized Provers
Correctness:
Weak Security:
Trapdoor Pseudoentropy Generator PKE Our Assumption
Security: Adv can only sample from “bigger” dist.
Formalized using pseudoentropy [HILL99]
Challenges:
Many rounds - [Ostrovsky 91] Terminate at random round.
Stateful Prover - Laconic. Rejection Sampling
Technically difficult half
Uses connections between Pseudorandomness & Unpredictability
Amplification Theorem
Ingredients from: OWFs => PRG (HILL99, VadhanZheng12)
Conclusion and Open Problems
Laconic, Efficient Prover, HVSZK ARGUMENT
+
CRYPTO HARD LANGUAGE
Public Key Encryption
Big Open Q: Design new PKE schemes
Thank You!
Trapdoor Pseudoentropy Generator
Public Key Encryption
Security: Gap between Decode & adversary
Formalized using pseudoentropy [HILL99]