Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
CS 355 Lecture 16 ( 5123).
Logistics: HW4 due Friday (5/25)
HWS released on Friday( last problem set ! )
Sam's office hours cancelled this week and next week - other office hours unchangedUpcoming: Security seminar This thursday , 4:15pm [ Gates 415 ]
( Mariana Raykoua speaking about ORAM )
Bay area crypto day this Friday ,10am -
5pm [ Arillaga Alumni Center ]
( Talks on searching on encrypted data, Bulletproofs,
Zero knowledge,MPC )
Preview :Pairing
- basedcryptography
- additional structure over elliptic curvegroups enable new cryptographic constructions / properties
This : Succinct non . interactive arguments ( SNARGS )
Previously in This course,
we looked at building zero - knowledge proof systems - goal is minimizingthe
"
knowledge complexity"
↳ in This lecture,
our goal is To minimize the communicating of the proof system
Boolean circuit
What is a succinct proof / argument system ? It with ✓Consider the language of Boolean circuit satisfiability : £c= { xe { 0,13
"
/ 7- WE { 0,1 }~ : C ( x,
w ) = 1 }
Trivial proof system for Lc :
prover ( X ,w ) verifier ( x )
#↳ check That CC x. w ) = 1
Proof size is IWI.
Can we have a proof system where The total communication Is significantly shorter them the witness ?
Definition .A non . interactive proof ligament system for £c is
sectif
both the proof size as well as The- The length of the proof it satisfies IT' I =
Poly ( X, log ICI ) verifier complexity are muchstaler than
- the running time of the verifier is poly ( a,
1×1, log KD
)the size of the NP witness
Very strongnotion : succinct non . interactive pinots (Statistically sound proofs) unlikely to exist unless NP c- D TIME ( 204 )
↳ Even for argument systems ( computationallysound profs),
succinct arguments unlikely in the Standard model
↳Constructions known in the random oracle model and in The common reference string ( CRS ) model
- -"
CS proofs" -
computationallysound proofs Constructions from pairings (public verifiability )
[ Kilian's protocol + Fiat . Shamir ] Constructions from additively homomorphic encryption [ more precisely , k¥4 ]
(secretly verifiable )
Relatedprimes: NHK: succinct arguments of knowledge (SNARG + proof of knowledge)
ZKSNLARK: Zero - knowledge succinct arguments of knowledge ( zero .
knowledge + SNARK ) ←core Primitive behind
Z cash
High-level blueprint for constructing SNARGS [Bitansky - Chiesa - Ishai - Ostrosky - Pareth,
2013 ] :
1. Construct information - theoretic proof system with security against an algebraically - bounded prover
2 . Apply a cryptographic primitive To bind computationallyprovers to respect information - theoretic constraints
Informatica: linearprobabilistically
- checkable proofs ( linear PCPs )
traditional: ( X
,w ) statement - witness pair for an NP language
/ \ ±1¥17probabilistically - checkable proof ( long bit string )^
\ µ- chosenrandomty
Verifier ( x ) verifier reads a constantnumber of bits of The PCP and is convinced with
constant probability! [ long line of results -
one of The deepest results of complexity theory!]
LinearPCP= [ Ishai - Kushileuitz -
Ostrosky ,2007 ] :
( x ,w )
# \ fproof is a vector of fieldelements ( not necessarily binary field )
*8-D Tie Fm
of c- Fm / ) ( q ,t >
EEverifier ( X ) Verifier is given Oracle access to The linear PCP proof orade (e.g. ,
verifier
submits aquery
vector QEF"
and receives the response ( q ,Ti ) t F
Definition.
A linear PCP for an NP language £ ( with corresponding relation R ) consists of Two algorithms ( P,
V ) with The
following properties :
-
Completes: If ( x ,w ) ER
,then if we set I ← PCX ,w ) :
Pr[ V( " ' " ( × ) = I ] =
If proof dimension
-
Sounded : For all Xcf £ and all I* E Fm
Pr [ ✓' " *
'' > ( x ) = I ] I E
€ soundness error
Constructing linear PCPs ( for Boolean circuit satisfiability- let C be the circuit )
- Can instantiate usingWalsh - Hadarmard code [ Arora - Lund . Motwani - Sudan - Szgedy ,
1992 ]
( 3 queries , query length m=0( 142 ),
soundness error e.- 2h # ]
•
Can instantiate using quadratic span programs [ Gennaro - Gentry - Parno - Ray Kara,
2013 ]
[ 3 queries , query length m= 0 ( Icl )
,soundness error E =
°( SYITH ]
Several useful properties of these linear PCP constructions :
- Verifier is oblivious lie,
The queries do not depend on the choice of the statement )- Verification algorithm Is a quadratic relation over the linear PCP responses ( useful primarily for achieving public verifiability ]
( if r,
= th, q ,
),
...
,rk = ( T
, qk >,
verifier's response is quadratic function in the variables r, ,
...
,rk )
From linear PCPs to SNARGS : Suppose verifier in linear PCP system is oblivious .Then
,we can generate the verifier 's
queries
ahead of Time (before the statement is known ).
Lye:generate the queries during setup :
Setup ( 1h ) → ( o,
a ) where o is the CRS and T is the verification state
Suppose we have a k -
querylinear PCP
.
Then :
Setup ( 1" ) → ( 0,2 ) :
generate queries of , ,...
, qkE In and linear PCP verification state Tipcp
↳ 0 = ( q , ,...
, qk ) and T = tcpcp
preparation: 1. Encode statement - witness ( ×
,W ) as linear PCP TE Fm
2 . Compute responses To verifier 'squeries
r,
= ( I, of , >
,...
, rk = ( it, qk ) E Tt
3 . Proof consists of linear PCP responses r, ,
...
, rk ETF
Verifier runs verification procedure for underlying linear PCP (using r, ,
... ,rk and a )
Klein : Prover can choose proof TEFM after seeingThe verifier 's queries
⇒ cannot appear to soundness of linear PCP !
Solution: encrypt verifier 's queries with additively - homomorphic encryption scheme [ sufficesfor designated - verifier SNARGS ]
Setup ( 1 " ) : lpk.sk) ←Key Gen ( 17
generate linear PCPqueries q , ,
...
, qkE Fm and Tipcp encrypt each component of the query vector
-let Ctij for it [ K ] and jE[m ] be Ctij ←
Encrypt lpk , qi ;) ,and let Cti = ( ctin
,...
,Hi ,m
)
Output O= ( Ct, ,
...
, Ctk ) and Ti' ( SK
,tipcp )
TO construct a proof , prover homomorphically computes
Cti'
← GearsTy ' ctij = Encrypt (pk ,ti
, of ;D
Verifier Takes Cti, ... , ctk
'
, decrypts The cipher texts to obtain responses r, ,
... ,rk and applies linear PCP verification
Problem: Prover need not apply safe linear function a to construct Its queries
Solution : Introduce an additional consistency check
prover operates on queries q , ,...
, qk and can compete
r,
= ( q , ,it , )
rz=lq.
,a.) | neoatcnthetseponasaewattoebsin:FIAT.FI#oYFFanof
: thequery components
- but same idea applies +0•
the general settingrk = ( qk
,Tk )
useful Trick : tandemlinearity check - verifies chooses X , ,...
,2k£
FI and submits a query qk+ ,= [ ieck , tniqi £ Tt
"
Verifier additionally
checks that rkti = [
ieek ]&ri
Observe : ifprover uses The same t for all
queries:
Sieck ]Ari = { ieck ]
Xi ( qi ,T' ) = { Eiea . ] digi ,
I ) = ( qµ , ,
I )
ifprover
does not use The same I for allqueries ,
then
{ ieek ] Ari = { ieek ]A { Gi ,
Ti ) and (qk+ , ,
Tlkn ) = Sieck] & ( 9i , That )
Verifier acceptsonly If
{ ieek ]Xi { 9i , Ti ) = Sieck ]
& ( 9i , Ikti )
< ⇒ Sieck ] Xi ( gi ,Ii - That ) = 0
- if q; =0 on all
positions where Tlit Thai ,
non - Zero value | then can replace IT ; with TKH and There is
since Ii - TKH # ° for some i
( no longer an inconsistency
)↳ since di ¥ IF
,and independent of I , ,
...
, Ikn,
over the choice of xi,
This relation is satisfied with probability at most ¥1
[ Schwartz - Zppel lemma ]
Prnoblem: To appeal to soundness of linear PCP,
we need to ensure Thatprover only implements linear strategy
Solution : Assume encryption scheme is
" linear -
only" ( ice
; only supports linear homomorphisms )"
Linear -
only"
(informally ) :
for all efficient adversaries A,
There exists an extractor E where for any sequence
of messages mi ,...
, mk :
Cti ←Encrypt (pk ,
mi ) fieck ]
ct'
← A (pk ,et
, ,...
,ctk )
|( T
,b) ← E ( pk , oh
,...
,ctk )
it follows That
Decrypt ( sk,
ct' ) = Eiea . ] Timi + b E #
"
any cipher text That the adversary can compute can be explained by a linear function of the provided cipher text"
Note: Notyour Typical cryptographic assumption ( non - falsifiable)
-
Typical cryptographic assumptions like factoring ,DDH
,LWE can be formulated as a game
between a Challenger and an
adversary- To break the linear -
only assumption ,need To exhibit some adversary such That there is noeffi.ae#extractI ( can be
very challenging ! )
Putting :
Setup ( 17 ) : (pk.sk) ←Key Gen (E) generate public /private key for a linear .
onlyencryption scheme
Compute linear PCPqueries of . ,
... , qk ,linear consistency check
query qµ , and linear PCP verification state TLPCP
encrypt queries of , ,...
, qk+,(component - wise ) using linear -
only encryption scheme To obtain encrypted queries
Cti,
...
,CTKH
publish 0 = ( pk , cti,
...
,Ctku ) and T = tcpcp
Prove ( 0,
x,
w ) : construct linear PCP proof a EFM from ( X ,
w )
homomorphically compute Cti'
← Encrypt (pk , ( qi ,it >) from encrypted queries Cti
,...
, ctkt ,
Output SNARG Tsnaro= ( Ct
'
'
,...
, Ctk'+, )
Verify ( t, Tsnaro
,k ) : decrypt cipher texts in tsnarc and verify responses using linear PCP verifier
CompletedFollows by correctness of encryption scheme + completeness of linear PCP
Scoundrelly : Prover 'sstrategy can be explained by a linear function [ linear -
only encryption ]
Consistent linear function used for all responses [ linear consistency check ]
Power 's linear function independent of The verifier'squeries
[ semantic security ]
it
appeal to soundness of linear PCP proof size independent of
circuit size !Succinctness : Proof consists of ( KH ) cipher texts
. -
↳ Existing linear PCPs are constant query ( e.g. , 1<=3 ) ⇒ SNARG proof consists of 4 cipher texts ( 8th bit proofs! )
CI-einstantat.in : We can instantiate linear - only encryption with Poitier,
El Gamal ( over small fields), or Reger
↳gives designated
- verifier SNARGS
Can also instantiate withpairing
- basedlinearonlyencodingh> if the underlying linear PCP has a quadratic verification relation
,then can verify The SNARG publicly
( by evaluating The check in the exponent using the pairing)↳ Most efficient instantiations based on quadratic span / arithmetic programs
( Porno - Raykora - Howell - Ray koua,
2013 ] } proofs are 287 bytes for any statement
[ Ben - Sasson , Chiesa, Trower
,Vizm
,2014 ] ( 8
group elements )( Basis for
privacy-
preserving concurrences like Zash )
↳ Most fancy crypto that has seen large-scale deployment !
Note: Techniques readily generalize To yield both Zero - knowledge as well as pmts of knowledge ( i.e. ZKSNARKS )