Statistical WI (and more) in Two-Messages Yael Tauman Kalai Joint - - PowerPoint PPT Presentation

β–Ά
statistical wi and more
SMART_READER_LITE
LIVE PREVIEW

Statistical WI (and more) in Two-Messages Yael Tauman Kalai Joint - - PowerPoint PPT Presentation

May 20, 2023 213 likes β€’404 views

Statistical WI (and more) in Two-Messages Yael Tauman Kalai Joint work with: Dakshita Khurana and Amit Sahai Interactive Proofs [Goldwasser-Micali-Rackoff85, Babai85] Zero-knowledge proofs for all ! [Goldreich-Micali-Wigderson87 ]

slide-1
SLIDE 1

Statistical WI (and more) in Two-Messages

Yael Tauman Kalai Joint work with: Dakshita Khurana and Amit Sahai

slide-2
SLIDE 2

P V

𝑦 ∈ β„’?

π‘₯

accept

P V

𝑦 ∈ β„’?

π‘₯

P

βˆ—

Proof: Sound against unbounded π‘„βˆ— Argument: Sound against non-uniform PPT π‘„βˆ—

𝑦 βˆ‰ β„’?

Interactive Proofs

[Goldwasser-Micali-Rackoff85, Babai85]

Zero-knowledge proofs for all 𝑢𝑸! [Goldreich-Micali-Wigderson87 ] Preserve Secrecy? Statistical zero-knowledge arguments for all 𝑢𝑸! [Brassard-Chaum-Crepeau88]

slide-3
SLIDE 3

Computational Secrecy

[Jain-Kalai-Khurana-Rothblum17, Badrinarayanan-Garg-Ishai-Sahai-Wadia17]

P V

𝑦 ∈ β„’? π‘₯

3-Round Zero-Knowledge Proof for Graph Hamiltonicity (with soundness Β½)

𝑑𝑝𝑛 𝑓 ← {0,1} 𝑨

P V

𝑦 ∈ β„’? π‘₯

𝑓 𝑨

𝑑𝑝𝑛

2-msg π‘ƒπ‘ˆ scheme

[Biel-Meyer-Wetzel99] [Kalai-Raz09] PIR Heuristic

Soundness: Against poly-size π‘„βˆ—, assuming π‘ƒπ‘ˆ is β€œmore secure” than 𝑑𝑝𝑛. [Kalai-Raz09] Secrecy: Witness Indistinguishable (and more) [JKKR17, BGISW17]

slide-4
SLIDE 4

This Work: Statistical Secrecy

P V

𝑦 ∈ β„’? π‘₯

𝑓 𝑨

𝑑𝑝𝑛2

2-msg π‘ƒπ‘ˆ scheme Soundness: ??

β€œTheorem”: Resulting 2-msg protocol is statistically witness indistinguishable (and more)

P V

𝑦 ∈ β„’? π‘₯

4-Round Statistical Zero-Knowledge argument (with soundness Β½)

𝑑𝑝𝑛1 𝑑𝑝𝑛2 𝑓 ← {0,1} 𝑨 Statistically hiding commitment 𝑑𝑝𝑛1

Secrecy: ??

slide-5
SLIDE 5

2-Message OT

[Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01]

S

R

𝑁𝑓𝑑𝑑𝑏𝑕𝑓𝑑 (𝑛0, 𝑛1) π·β„Žπ‘π‘—π‘‘π‘“ 𝑐𝑗𝑒 𝑐 𝑛𝑐

𝑐 𝑛0, 𝑛1

slide-6
SLIDE 6

Sβˆ—

R

𝑁𝑓𝑑𝑑𝑏𝑕𝑓𝑑 (𝑛0, 𝑛1) π·β„Žπ‘π‘—π‘‘π‘“ 𝑐𝑗𝑒 𝑐 𝑛𝑐

  • βˆ€ π‘„π‘„π‘ˆ π‘‡βˆ— cannot guess b

2-Message OT

[Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01]

𝑛0, 𝑛1 𝑐

slide-7
SLIDE 7
  • βˆ€ π‘„π‘„π‘ˆ π‘‡βˆ— cannot guess b
  • βˆ€unbounded π‘†βˆ—: π‘†βˆ— does not learn anything about 𝑛1βˆ’π‘

Rβˆ—

𝑁𝑓𝑑𝑑𝑏𝑕𝑓𝑑 (𝑛0, 𝑛1) π·β„Žπ‘π‘—π‘‘π‘“ 𝑐𝑗𝑒 𝑐 [Naor-Pinkas01]: construction from DDH [Halevi-Kalai05]: Quadratic Residuosity or Nth Residuosity

S

𝑛𝑐

2-Message OT

[Rabin81, Aiello-Ishai-Reingold01, Naor-Pinkas01]

𝑐 𝑛0, 𝑛1

Super- poly

slide-8
SLIDE 8

This Work: Statistical Secrecy

P V

𝑦 ∈ β„’? π‘₯

𝑓 𝑨

𝑑𝑝𝑛2

2-msg π‘ƒπ‘ˆ scheme Soundness:

Theorem 1: Resulting 2-msg protocol is statistically witness indistinguishable (and more)

P V

𝑦 ∈ β„’? π‘₯

4-Round Statistical Zero-Knowledge argument (with soundness Β½)

𝑑𝑝𝑛1 𝑑𝑝𝑛2 𝑓 ← {0,1} 𝑨 Statistically hiding commitment 𝑑𝑝𝑛1

Secrecy:

slide-9
SLIDE 9

Fiat-Shamir heuristic PIR heuristic

Round Reduction for Interactive Proofs

  • Secure when applied to proofs

[Kalai-Rothblum-Rothblum17, Canetti-Chen-Reyzin-Rothblum18]

  • Insecure when applied to arguments [Barak01, Goldwasser-Kalai03]
  • Secure when applied to proofs

[Kalai-Raz09]

  • Seems to be insecure when applied to arguments

[Gentry-Wichs11, Dodis-Halevi-Rothblum-Wichs16, Brakerski-Kalai-Perlman17]

slide-10
SLIDE 10

This Work: Statistical Secrecy

P V

𝑦 ∈ β„’? π‘₯

𝑓 𝑨

𝑑𝑝𝑛2

P V

𝑦 ∈ β„’? π‘₯

4-Round Statistical Zero-Knowledge argument (with soundness Β½)

𝑑𝑝𝑛1 𝑑𝑝𝑛2 𝑓 ← {0,1} 𝑨 Statistically hiding commitment 𝑑𝑝𝑛1

slide-11
SLIDE 11

This Work: Statistical Secrecy

P V

𝑦 ∈ β„’? π‘₯

𝑓 𝑨

𝑑𝑝𝑛2

P V

𝑦 ∈ β„’? π‘₯

𝑑𝑝𝑛1 𝑑𝑝𝑛2 𝑓 ← {0,1} 𝑨 Statistically hiding commitment 𝑑𝑝𝑛1

Special Commitment Scheme!

  • Almost always statistically hiding
  • With small probability statistically binding
  • Hard to distinguish between these two modes

Statistical ZK Sound

extractable

slide-12
SLIDE 12

Statistically-Hiding Extractable Commitments

Say what?

slide-13
SLIDE 13

Statistically-Hiding Extractable Commitments

Inspired by [Khurana-Sahai17]

C

R

Statistically hiding Computational binding

  • With small probability, switches to statistical (extractable) binding mode
  • Committer cannot tell whether statistically binding or hiding
slide-14
SLIDE 14

Statistically-Hiding Extractable Commitments (basic protocol)

𝐷(𝑁)

𝑆

𝑐 𝑠 𝑁0, 𝑁1 Sample random r ← 0,1 Set 𝑁𝑠 = 𝑁 Set 𝑁1βˆ’π‘  = 𝑉

𝑐 ← {0,1} W.p. Β½: Statistically hiding (𝑠 β‰  𝑐) W.p. Β½: Extractable (𝑠 = 𝑐) Inspired by [Khurana-Sahai17]

slide-15
SLIDE 15

P V

𝑦 ∈ β„’? π‘₯

𝑨

𝑑𝑝𝑛2

𝑓

𝑑𝑝𝑛1

Additional Results:

P V

𝑦 ∈ β„’? π‘₯

4-Round Statistical Zero-Knowledge argument (with soundness Β½)

𝑑𝑝𝑛1 𝑑𝑝𝑛2 𝑓 ← {0,1} 𝑨 Statistically hiding commitment

  • 1. Statistical WI
  • 2. Adaptive soundness
  • 3. In delayed input setting:

Statistical distributional weak ZK

Similar to [JKKR17]

Strong statistical WI

slide-16
SLIDE 16

Summary ry

Thm: βˆƒ2-msg statistical WI argument for NP, assuming quasi-poly secure OT

P V

𝑦 ∈ β„’?

P V

𝑦 ∈ β„’?

𝑑𝑝𝑛1 𝑑𝑝𝑛2 𝑓 𝑨 𝑓 𝑨 𝑑𝑝𝑛1 𝑑𝑝𝑛2

Reducing interaction from interactive arguments via PIR heuristic can be sound! By constructing statistical and extractable commitments!

[Biel-Meyer-Wetzel99] [Kalai-Raz09] PIR Heuristic

slide-17
SLIDE 17