On the Composition of Public-Coin Zero-Knowledge Protocols
Rafael Pass (Cornell)
Wei-Lung Dustin Tseng (Cornell)
Douglas Wikström (KTH)
Zero Knowledge [GMR85]
• Interactive protocol between a Prover and a Verifier where the Verifier learns nothing except the proof statement
• Fundamental construct of cryptography
• Used in secure MPC, authentication, etc.
[Figure: Prover ↔ Verifier]
Zero Knowledge [GMR85]
• For every PPT V* (adversary) there is a PPT simulator S such that
  View of V* with Prover ≈ View generated by S
  (the two views are indistinguishable)
Black-Box Zero Knowledge [GO90]
• Universal S interacts with and rewinds V*
  – Equivalently: S uses V* only as a black box and outputs a view
  – Most known and all practical ZK are BB
  – This talk: focus on BB ZK
Composition of ZK [GKr90]
• Do ZK protocols stay ZK when composed?
  – Parallel composition [FS90, GKr90]
  – Concurrent composition [FS90, DNS04]
Composition of ZK [GKr90]
• In general: ZK breaks even under 2 parallel executions [FS90, GKr90]
• Specific protocols:
  – Secure under both parallel and concurrent composition (e.g., [GKa96, FS90, RK99, KP01, PRS02])
  – But these protocols use something new: Private Coins
Public vs. Private Coins
• Public-coin: the Verifier's messages are just its random coins
• Private-coin: the Verifier's messages may depend on randomness it keeps hidden
[Figure: Prover ↔ Verifier, public-coin vs. private-coin]
• The original ZK protocols are all public-coin [GMR85, GMW91, Blum87]
• Why care about public-coin protocols?
  – Theory:
    • Understand the original protocols
    • e.g. "IP(Poly) = AM(Poly)" [GS86]
  – Practice:
    • Simpler to implement
    • V resilient to leakage and side channel attacks
The Question: Are private coins necessary for composing ZK (even just) in parallel?
• First studied by Goldreich-Krawczyk in 1990
• Partial result: no constant-round public-coin BB ZK with negligible soundness error (for L ∉ BPP)
  – Known O(1)-round public-coin BB ZK (with large soundness error) is not secure in parallel
Our Results
1. Any public-coin protocol is not BBZK if repeated sufficiently in parallel (L ∉ BPP).
2. For every m, there is a public-coin proof for NP that is BBZK up to m concurrent sessions, assuming OWF.
Compare [Bar01]: public-coin constant-round bounded-concurrent non-BB ZK argument assuming CRH.
The Goldreich-Krawczyk framework
[GKr90]: If the verifier uses a PRF to generate its messages in a constant-round public-coin protocol
→ the protocol is resettably-sound [BGGL01]
[Figure: the Prover sends α; the Verifier replies with PRF(α)]
[Figure: Resetting P* interacting with Verifier V + PRF. Goal of P*: an accepting execution for some x ∉ L]
• If the protocol is resettably-sound and BB ZK for L → L ∈ BPP (decided by S) [GK90, BGGL01]:
  x ∈ L → S(x) gives an accepting view (ZK)
  x ∉ L → S(x) gives a rejecting view (resettable soundness)
Main Lemma
Any public-coin protocol (where V uses a PRF for its messages) is resettably-sound when repeated sufficiently in parallel.
• Compare with soundness amplification
  – Recent work: parallel repetition amplifies soundness of public-coin arguments [PV07, HPPW08]:
    • From ε → ε^poly(n)
  – Our work: the "quality" of soundness also improves
    • From "standard sound" → "resettably sound"
  – Can use soundness amplification techniques
Proof Idea
• Reduction R: resettable P* → normal P
• R tries to forward the messages that P* utilizes for an accepting execution
  – Possible to continue the simulation thanks to public coins
[Figure: Verifier V ↔ Reduction R ↔ Resetting P*]
Which Message to Forward?
• [GKr90] For constant-round protocols, choose random messages to forward
  – Guess correctly w.p. 1/poly each round
  – Doesn't work when there are more rounds
• Our approach:
  – Do a test run to see which msg "should've been" forwarded. Forward it and continue the simulation
  – If P* doesn't use the forwarded msg, rewind P* until it does
Example
[Figure: Reduction R between Verifier V and Resetting P*]
• Start: two rounds are already forwarded
• Case: S fails to produce an accepting view → Rewind!
• Case: forwarded msg not in the accepting view → Rewind!
• Case: forwarded msg is in the accepting view → found the next message to forward
• Repeat the process
The Reduction Again
1. In a test run of P*, find the msg used by P* to form an accepting view.
2. Forward the msg to V and receive a fixed reply.
3. Keep rewinding P* until the forwarded msg is used in an accepting view.
   • The next msg in the view gets forwarded. Repeat.
Reduction idea analogous to [HPPW08]
Reduction always works! Is it poly time?
Analysis Sketch
• If we could rewind the external V:
  – Case: P* chooses which branch to use in the view at random
    → then poly many rewinds are enough
  – This is actually the worst case
• But we can't rewind the external V:
  – Forwarded messages are fixed; this might fix a BAD message
  – Reduction: resettable parallel P* → normal standalone P
  – New picture!
Analysis Sketch
• Can almost rewind the Verifier
• Results in a statistically close distribution!
  – Technically shown by relying on Raz's Lemma
  – Technique used in soundness amplification of 2-prover games [Raz98] and public-coin arguments [HPPW08]
[Figure: Verifier V ↔ Reduction R ↔ Resetting P*]
Conclusion
• Any public-coin protocol, with enough parallel repetitions, is resettably-sound
  → so not BB ZK unless L ∈ BPP
• Elucidates the connection between hardness amplification and BB ZK lower bounds
  – New set of techniques for BB lower bounds
Corollary
• Bare Public-Key (BPK) setup
  – More efficient (private-coin) concurrent ZK
  – Model studied in the soundness amplification literature [IW97, BIN97, HPPW08]
• Using [BIN97, HPPW08] techniques, we can extend our impossibility result to BPK too
Thank You!