SLIDE 1 On the Existence of Three Round Zero-Knowledge Proofs
Nils Fleischhacker, Vipul Goyal, Abhishek Jain
Tel Aviv, May 2, 2018
SLIDE 9 2
Round-Complexity of ZK-Proofs for NP
[GO94]
[Katz08] black box simulation
[KRR17] public coin
SLIDE 10 3
The Result
Assuming sub-exponentially secure iO and sub-exponentially secure PRFs as well as exponentially secure input-hiding obfuscation for multi-bit point functions, even private coin three round zero-knowledge proofs can only exist for languages in BPP.
SLIDE 11 4
What About Four Rounds?
◮ We do not expect our technique to easily extend to four rounds.
◮ Our result extends to a weaker notion of ε-ZK.
◮ For ε-ZK, four round private coin protocols exist based on keyless multi-collision resistant hash functions (MCRH). [BKP17]
SLIDE 15 5
Compressing Proofs
Sadly, it’s not that simple.
SLIDE 16 6
Proofs vs. Arguments
Π   Π′
We lose statistical soundness. Π′ is only an argument.
Π Sound   Π′ Sound   Π not ZK
SLIDE 20 7
How to Compress Proofs
P: α ← P1(x, w), sends α
V: β ← V1(x, α), sends β
P: γ ← P2(x, w), sends γ
β ←$ {0, 1}^n
SLIDE 26 8
The Public Coin Case
P: α ← P1(x, w), sends α
V: β ←$ {0, 1}^n, sends β
P: γ ← P2(x, w), sends γ
V: H ←$ ℋ, sends H
P: β := H(x, α), sends (α, )
[KRR17]: H := iO(PRF_k(·))
SLIDE 30 9
But What About Private Coin?
P: α ← P1(x, w), sends α
V: β ← V1(x, α), sends β
P: γ ← P2(x, w), sends γ

C_V[k, x](α):
    s := PRF_k(α)
    β := V1(x, α; s)
    return β

V: B ← iO(C_V[k, x]), sends B
P: β := B(α), sends (α, )
SLIDE 31 10
How to Prove it.
Π   Π′
We need to prove two things:
1. If Π′ is sound then Π is not zero knowledge.
2. The compression preserves soundness. I.e., if Π is sound then Π′ is also sound.
SLIDE 34 11
Π′ sound ⟹ Π′ not ZK [GO94]
aux: α, β ← aux(α), γ gives (α, β, γ)
Sim(aux) gives (α′, β′, γ′)
(α, β, γ) ≈c (α′, β′, γ′)
SLIDE 36 12
Π′ sound ⟹ Π′ not ZK
Given B: (α, β, γ) ← Sim(B), output (α, γ)
(x∗ ∈ L) ≈c (x∗ ∉ L) unless L ∈ BPP
But is it sound?
SLIDE 40 13
How Can a Prover Cheat? Defining Bad Alphas.
α
Bad ???
1. Specify a set of bad α’s.
2. Prove that a cheating prover must use a bad α to cheat.
3. Prove that bad α’s remain hidden by the obfuscation.
SLIDE 45 14
How Can a Prover Cheat? Defining Bad Alphas.
α
Bad
◮ In the public coin case, defining bad α’s is trivial: any α such that for β := PRF_k(α) there exists an accepting γ.
◮ In the private coin case, however, there may always be accepting γ’s.
◮ But those γ’s depend on which consistent random tape was used.
◮ Security of iO and puncturable PRF hide which random tape was used.
SLIDE 46 15
Bad Alphas in the Private Coin Case.
α
Bad
◮ An α is bad if the random tape s := PRF_k(α) leads to a β such that for (α, β) there exists γ that will be accepted by the verifier with high probability over all consistent random tapes.
SLIDE 49 16
Hiding Bad Alphas.
◮ A cheating prover will output a bad α with high probability.
◮ This can be led to a direct contradiction with the soundness of Π, but incurs an exponential loss.
◮ We follow the approach of [KRR17] and “transfer” the loss to a separate primitive.
SLIDE 51 17
Input Hiding Obfuscation of Multi-Bit Point Functions
B ← hideO(α∗, s∗)
Correctness: B(α∗) = s∗ and ∀α ≠ α∗ : B(α) = ⊥
Security: Pr[A(B, 1^n) = α∗] ≤ 2^(−n)
Can be instantiated in the generic group model by [CD08], as shown in [BC10], based on a strong variant of DDH.
SLIDE 55 18
Transferring the Loss
C_pct[k, α∗, β∗](α):
    if α =? α∗
        β := β∗
    else
        s := PRF_k(α)
        β := V1(x, α; s)
    return β

C_hide[k, B](α):
    s := B(α)
    if s = ⊥
        s := PRF_k(α)
    β := V1(x∗, α; s)
    return β

Conditioned on α∗ being bad we get that
Pr_{k,α∗,s∗,iO,A}[ iO(C_pct[k{α∗}, α∗, V1(x∗, α; s∗)]) = (α∗, γ) ]
is slightly higher than random chance.
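The functional-equivalence checks that make the circuit swaps on this slide admissible under iO, as an added example that is not code from the talk or the paper. Assumptions: a SHA-256 GGM tree stands in for the puncturable PRF, α is 8 bits so every input can be compared, V1 is a constructed toy next-message function, hideO is a placeholder that implements only the point-function functionality and hides nothing, and C_hide is given the punctured key k{α∗}.

```python
import hashlib

N = 8  # toy bit length of α, small enough to compare circuits on every input

def G(seed, bit):  # one half of a length-doubling PRG (SHA-256 stand-in)
    return hashlib.sha256(bytes([bit]) + seed).digest()

def prf(k, a):  # GGM PRF_k(α): walk the tree along the bits of α
    for i in reversed(range(N)):
        k = G(k, (a >> i) & 1)
    return k

def puncture(k, a_star):  # k{α*}: sibling seeds along the path to α*
    sibs = {}
    for i in reversed(range(N)):
        b = (a_star >> i) & 1
        sibs[(N - i, (a_star >> i) ^ 1)] = G(k, b ^ 1)
        k = G(k, b)
    return sibs

def prf_pct(pk, a):  # evaluates everywhere except α*, where it returns None
    for (depth, prefix), seed in pk.items():
        if a >> (N - depth) == prefix:
            for i in reversed(range(N - depth)):
                seed = G(seed, (a >> i) & 1)
            return seed
    return None

def V1(x, a, s):  # constructed stand-in for V1(x, α; s) with explicit tape s
    return hashlib.sha256(x + bytes([a]) + s).digest()

def C_V(k, x):
    return lambda a: V1(x, a, prf(k, a))

def C_pct(pk, a_star, b_star, x):
    return lambda a: b_star if a == a_star else V1(x, a, prf_pct(pk, a))

def hideO(a_star, s_star):  # functionality only: B(α*) = s*, otherwise ⊥ (None)
    return lambda a: s_star if a == a_star else None

def C_hide(pk, B, x):
    def circuit(a):
        s = B(a)
        return V1(x, a, prf_pct(pk, a) if s is None else s)
    return circuit

def equivalent(c1, c2):  # functional equivalence, the precondition for iO
    return all(c1(a) == c2(a) for a in range(2 ** N))
```

C_V and C_pct agree on every input only when β∗ is derived from PRF_k(α∗); replacing that tape by a fresh s∗ changes the function at α∗, which is why that step rests on PRF security at the punctured point rather than on iO alone.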
SLIDE 56 19
Conclusion
Assuming sub-exponentially secure iO and sub-exponentially secure PRFs as well as exponentially secure input-hiding obfuscation for multi-bit point functions, three round zero-knowledge proofs can only exist for languages in BPP.
Thanks!
ia.cr/2018/167