from point obfuscation to 3-round zero-knowledge
![Page 1: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/1.jpg)
From Point Obfuscation To 3-Round Zero-Knowledge
Nir Bitansky and Omer Paneth
![Page 2: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/2.jpg)
Interactive Proofs
An interactive proof :
[Diagram: 𝒫, 𝒱; 𝑥 ∈ ℒ?]
![Page 3: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/3.jpg)
Interactive Proofs
Negligible soundness error
[Diagram: 𝒫∗, 𝒱; 𝑥 ∉ ℒ]
![Page 4: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/4.jpg)
Prover’s security
• Zero-Knowledge [Goldwasser-Micali-Rackoff-85]
• Weak Zero-Knowledge [Dwork-Naor-Reingold-Stockmeyer-99]
• Witness Hiding [Feige-Shamir-90]
• Witness Indistinguishability [Feige-Shamir-90]
![Page 5: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/5.jpg)
Prover’s security
• Zero-Knowledge (ZK)
• Weak Zero-Knowledge
• Witness Hiding (WH)
• Witness Indistinguishability (WI)
[Diagram: 𝒫 with 𝒱∗ ≈ 𝒮 with 𝒱∗]
![Page 6: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/6.jpg)
Prover’s security
• Zero-Knowledge (ZK)
• Weak Zero-Knowledge
• Witness Hiding (WH)
• Witness Indistinguishability (WI)
[Diagram: 𝒫 with 𝒱∗ ≈ 𝒮 with 𝒱∗; 𝐷 on each side]
![Page 7: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/7.jpg)
Prover’s security
• Zero-Knowledge (ZK)
• Weak Zero-Knowledge
• Witness Hiding (WH)
• Witness Indistinguishability (WI)
[Diagram: 𝑤, 𝒫, 𝒱∗]
![Page 8: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/8.jpg)
Prover’s security
• Zero-Knowledge (ZK)
• Weak Zero-Knowledge
• Witness Hiding (WH)
• Witness Indistinguishability (WI)
[Diagram: 𝒫 using 𝑤₁ with 𝒱∗ ≈ 𝒫 using 𝑤₂ with 𝒱∗]
![Page 9: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/9.jpg)
Relation Between Notions
Zero-Knowledge
Weak ZK
WI WH
Only if every instance has two independent witnesses [FS90]
![Page 10: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/10.jpg)
The Round-Complexity of ZK

| #rounds | 2 | 3 | 4 | 5 |
| --- | --- | --- | --- | --- |
| | Impossible [Goldreich-Oren-94] | ? | Arguments [Feige-Shamir-90] [Bellare-Jakobsson-Yung-97] | Proofs [Goldreich-Kahan-96] |
![Page 11: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/11.jpg)
Black-Box vs. Non-Black-Box Simulation
[Diagram: 𝒮 and 𝒱∗, shown once for black-box simulation and once for non-black-box simulation]
![Page 12: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/12.jpg)
Getting 3-Round ZK – The Challenge
Theorem [GK96]: 3-round ZK protocols with black-box simulator exist only for trivial languages
![Page 13: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/13.jpg)
Relaxations of ZK

| Notion (3-round) | Black-box reduction \ simulation is impossible | Black-box reduction \ simulation exists |
| --- | --- | --- |
| ZK | [GK96] | |
| Weak ZK | [GK96] | |
| WI | | [FS90] |
| WH | [HRS09] (One witness case) | [FS90] (Two witnesses case) |
![Page 14: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/14.jpg)
Non-Black-Box Techniques
Barak’s Non-black-box ZK protocol [B01]:
- Overcomes black-box impossibilities
- But: too many rounds
![Page 15: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/15.jpg)
An Alternative: Assumptions
Example: Assume parallel repetition of some basic ZK protocol is also ZK. [GMW91,B86]
Non-Black-Box Transformation: For every 𝒱∗ there exists S
![Page 16: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/16.jpg)
Under what assumptions do 3-round ZK protocols exist?
![Page 17: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/17.jpg)
3-Round ZK from Other Assumptions

| Work | Assumption | Result |
| --- | --- | --- |
| [Hada-Tanaka-98] [Bellare-Palacio-04] | Knowledge of Exponent [D91] | 3-round ZK argument |
| [Lepinski-Micali-01] | A specific number theoretic protocol is a POK | 3-round ZK Proof |
| [Canetti-Dakdouk-08] [Goldwasser-Lin-Rubinstein-12] | Extractable 1-to-1 OWF | 3-round ZK argument |
![Page 18: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/18.jpg)
3-Round ZK from Non-Standard Assumptions
All of the assumptions used imply the existence of Extractable OWFs
[Diagram: [D91] [HT98] [LM01] [BP04] [CD08] [GLR12]; Extractable OWF]
![Page 19: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/19.jpg)
Are extractable OWFs necessary?
- We do not know.
Can we get 3-round ZK from different assumptions?
![Page 20: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/20.jpg)
Our Results:
From: Auxiliary Input Point Obfuscation
To: Relaxations of ZK
![Page 21: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/21.jpg)
Our Results:
Auxiliary Input Point Obfuscation
Indistinguishability definition (weaker)
3-Round Witness hiding
![Page 22: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/22.jpg)
Our Results:
Auxiliary Input Point Obfuscation
Indistinguishability definition (weaker)
3-Round Witness hiding
Simulation definition (stronger)
3-Round Weak ZK
![Page 23: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/23.jpg)
Definitions
• Point Obfuscation
• Witness Hiding
![Page 24: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/24.jpg)
Point Obfuscation
Point Program:
An obfuscation computes the function but hides all other information about.
![Page 25: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/25.jpg)
Virtual Black-Box [BGI+01]
For every there exists :
[Diagram: 𝐴 with 𝒪(𝑦) and 𝑧 outputs 𝑏; 𝑆 with 𝐼_𝑦 and 𝑧 outputs 𝑏′; 𝑏 ≈ 𝑏′]
![Page 26: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/26.jpg)
Indistinguishability Definition
Unpredictable Distribution: is unpredictable if for every poly-size circuit family :
![Page 27: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/27.jpg)
Indistinguishability Definition
Auxiliary Input Point Obfuscation [C97]:
For every unpredictable :
Constructions: [Canetti97], extensions of [Wee05]
![Page 28: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/28.jpg)
Witness Hiding
[Diagram: 𝒫, 𝒱∗; 𝑤, 𝑥; 𝑤]
![Page 29: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/29.jpg)
Witness Hiding
[Diagram: 𝒫, 𝒱∗; 𝑤, 𝑥 ← 𝒟; 𝑤]
![Page 30: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/30.jpg)
Witness Hiding
For every hard distribution* on an NP relation :
* is hard if poly-size circuits cannot f.
![Page 31: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/31.jpg)
Our Witness Hiding Protocol
![Page 32: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/32.jpg)
Our Witness Hiding Protocol
[Diagram: 𝒫 (input 𝑥, 𝑤) and 𝒱 (input 𝑥); 2-party computation of 𝑉_ℒ(𝑥, 𝑤)]
• – The NP verification circuit of .
![Page 33: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/33.jpg)
3-Round Witness Hiding (1)
[Diagram: 𝒫 (input 𝑥, 𝑤), 𝒱 (input 𝑥); messages: OT1(𝑤); Garbled Circuit for 𝑉_ℒ(𝑥, ⋅), OT2; 𝑉_ℒ(𝑥, 𝑤)]
• , - 2-message malicious oblivious transfer
![Page 34: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/34.jpg)
3-Round Witness Hiding (1)
[Diagram: 𝒫 (input 𝑥, 𝑤), 𝒱 (input 𝑥); messages: Enc(𝑤); Enc(𝑉_ℒ(𝑥, 𝑤)); 𝑉_ℒ(𝑥, 𝑤)]
• – A 1-hop homomorphic encryption [GHV10]
![Page 35: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/35.jpg)
3-Round Witness Hiding (2)
[Diagram: 𝒫 (input 𝑥, 𝑤), 𝒱 (input 𝑥; 𝑠 ← 𝒰); messages: Enc(𝑤); Enc(𝑉_{ℒ,𝑠}(𝑥, 𝑤)); 𝑠]
• – The NP verification circuit of outputs only if is in the relation.
![Page 36: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/36.jpg)
Attack on Witness Hiding
[Diagram: 𝒫 (input 𝑥, 𝑤), 𝒱∗ (input 𝑥); messages: Enc(𝑤); Enc(𝐼(𝑤)); 𝑤; 𝑤]
• cheats by evaluating the identity function instead of .
![Page 37: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/37.jpg)
The Final Protocol
[Diagram: 𝒫 (input 𝑥, 𝑤), 𝒱 (input 𝑥; 𝑠 ← 𝒰); messages: Enc(𝑤); Enc(𝑉_{ℒ,𝑠}(𝑥, 𝑤)), 𝒪(𝑠); 𝑠]
• – A point obfuscator.
For soundness, must be recognizable.
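The slide above asks for a point obfuscator that is recognizable. As an added example (not code from the slides or the cited papers), here is a toy obfuscator in the discrete-log style of the [Canetti97] construction cited earlier, 𝒪(s) = (r, r^s) in a prime-order group, with a recognizability check. The safe prime 2039, the function names, and the brute-force helper are assumptions for illustration; the group is far too small for real use.

```python
import secrets

# Toy parameters (assumed for illustration): safe prime P = 2Q + 1.
# The quadratic residues mod P form a group of prime order Q.
P, Q = 2039, 1019

def random_group_element():
    """Uniform non-identity element of the order-Q subgroup."""
    while True:
        r = pow(secrets.randbelow(P - 2) + 2, 2, P)  # squaring lands in the subgroup
        if r != 1:
            return r

def obfuscate(s):
    """O(s) = (r, r^s): a randomized program for the point function I_s."""
    if not 0 <= s < Q:
        raise ValueError("point must lie in Z_Q")
    r = random_group_element()
    return r, pow(r, s, P)

def evaluate(obf, y):
    """Run the obfuscated program: 1 iff y is the hidden point, else 0."""
    r, t = obf
    return int(0 <= y < Q and pow(r, y, P) == t)

def recognizable(obf):
    """Check that obf is a well-formed obfuscation of exactly one point.

    In a prime-order group every r != 1 is a generator, so any t in the
    group equals r^s for a unique s in Z_Q.
    """
    r, t = obf
    in_group = lambda g: 0 < g < P and pow(g, Q, P) == 1
    return in_group(r) and in_group(t) and r != 1

def accepting_points(obf):
    """Brute-force the inputs obf accepts (feasible only in a toy group)."""
    return [y for y in range(Q) if evaluate(obf, y)]
```

A malformed pair such as (1, 1) accepts every input and (4, 2038) accepts none; `recognizable` rejects both, while every output of `obfuscate` accepts exactly one point.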
![Page 38: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/38.jpg)
Fixing the Attack
[Diagram: 𝒫 (input 𝑥, 𝑤), 𝒱∗ (input 𝑥); messages: Enc(𝑤); Enc(𝐼(𝑤)), 𝒪(𝑤); 𝑤]
is hard
![Page 39: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/39.jpg)
Fixing the Attack
[Diagram: 𝒫 (input 𝑥, 𝑤), 𝒱∗ (input 𝑥); messages: Enc(𝑤); Enc(𝐼(𝑤)), 𝒪(𝑤); 𝑤]
is hard
Given
![Page 40: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/40.jpg)
Fixing the Attack
[Diagram: 𝒫 (input 𝑥, 𝑤), 𝒱∗ (input 𝑥); messages: Enc(𝑤); Enc(𝐼(𝑤)), 𝒪(𝒰)]
is hard
![Page 41: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/41.jpg)
Fixing the Attack
[Diagram: 𝒫 (input 𝑥, 𝑤), 𝒱∗ (input 𝑥); messages: Enc(0^𝑛); 𝒪(𝒰)]
is hard
![Page 42: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/42.jpg)
Properties of the Protocol
• Protocol is not zero-knowledge.
• Protocol is a proof-of-knowledge.
• Unconditional soundness (proof).
Attack on ZK:
[Diagram: 𝒫, 𝒱∗; messages: Enc(𝑤); Enc(𝑃(𝑤) → 𝑠_0 / 𝑠_1), 𝒪(𝑠_0 / 𝑠_1); 𝑠_0, 𝑠_1]
![Page 43: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/43.jpg)
What is the non-black-box component in our reduction?
![Page 44: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/44.jpg)
Auxiliary Input Point Obfuscation
For every unpredictable :
![Page 45: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/45.jpg)
Auxiliary Input Point Obfuscation
Non-Black-Box Transformation
For every distinguisher there exists a predictor
[Diagram: Distinguisher with 𝒪(𝑦) / 𝒪(𝒰) and 𝑧, outputs 0/1; Predictor with 𝑧, outputs 𝑦; 𝑦, 𝑧 ← 𝒟]
![Page 46: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/46.jpg)
The Non-Black-Box Component
[Diagram: 𝒫, 𝒱∗; 𝑤, 𝑥 ← 𝒟; 𝑤]
![Page 47: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/47.jpg)
The Non-Black-Box Component
[Diagram: 𝒱∗; 𝑥 ← 𝒟; 𝒪(𝑤) / 𝒪(𝒰); 0/1]
![Page 48: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/48.jpg)
The Non-Black-Box Component
[Diagram: Predictor containing 𝒱∗; 𝑥 ← 𝒟; 𝒪(𝑤) / 𝒪(𝒰); 0/1; 𝑤]
![Page 49: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/49.jpg)
Conclusion
Some assumptions give us a non-black-box transformation:
• Some 3-round protocol is indeed ZK
• Extractable OWF \ Knowledge of Exponent
• Auxiliary Input Point Obfuscation
Non-Black-Box Transformations
[Diagram: Distinguisher, Predictor; 𝒱∗, S]
![Page 50: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/50.jpg)
Conclusion
• Given such assumptions we can get 3-round ZK.
• How to compare these assumptions?
• What type of non-black-box transformation is required for 3-round ZK?
![Page 51: From Point Obfuscation To 3-Round Zero-Knowledge](https://reader036.vdocuments.us/reader036/viewer/2022062323/568166fa550346895ddb5bac/html5/thumbnails/51.jpg)
?