Upload
amanda-hodgens
View
218
Download
0
Tags:
Embed Size (px)
Citation preview
Statistical Zero-Knowledge Arguments for NP
from Any One-Way Function
Salil Vadhan
Minh Nguyen Shien Jin Ong
Harvard University
Assumptions for Cryptography
One-way functions )– Pseudorandom generators [Hastad-Impagliazzo-Levin-Luby].– Pseudorandom functions & private-key cryptography
[Goldreich-Goldwasser-Micali]
– Commitment schemes [Naor].– Zero-knowledge proofs for NP [Goldreich-Micali-Wigderson].– Digital signatures [Rompel].
Almost all cryptographic tasks ) one-way functions.[Impagliazzo-Luby, Ostrovsky-Wigderson]
Some tasks not “black-box reducible” to one-way fns.– Public-key encryption [Impagliazzo-Rudich]– Collision-resistant hashing [Simon]
Main Result
One-Way Functions ) Statistical Zero-Knowledge Arguments for NP
– Resolves an open problem posed by [Naor-Ostrovsky-Venkatesan-Yung92].
– OWF is essentially the minimal complexity assumption for ZK [Ostrovsky-Wigderson].
Notions of Zero Knowledge
Zero Knowledge– statistical– computational
Soundness– statistical (proofs)– computational (arguments)
[Brassard-Chaum-Crepeau]
Completeness
[Goldwasser-Micali-Rackoff]
Verifier learnsnothing
Verifier learnsnothing
Prover cannot convince Verifier offalse statements
Prover cannot convince Verifier offalse statements
Notions of Zero Knowledge
Zero Knowledge– statistical– computational
Soundness– statistical (proofs)– computational (arguments)
[Brassard-Chaum-Crepeau]
[Goldwasser-Micali-Rackoff]
Verifier learnsnothing
Verifier learnsnothing
Prover cannot convince Verifier offalse statements
Prover cannot convince Verifier offalse statements
Thm [Fortnow,Aiello-Hastad]: Only languages in AMÅ co-AM have statistical ZK proofs.
Notions of Zero Knowledge
Zero Knowledge– statistical– computational
Soundness– statistical (proofs)– computational (arguments)
[Brassard-Chaum-Crepeau]
[Goldwasser-Micali-Rackoff]
Verifier learnsnothing
Verifier learnsnothing
Prover cannot convince Verifier offalse statements
Prover cannot convince Verifier offalse statements
Thm [1980’s]: one-way functions ) all of NP has computational ZK proofs.
Notions of Zero Knowledge
Zero Knowledge– statistical– computational
Soundness– statistical (proofs)– computational (arguments)
[Brassard-Chaum-Crepeau]
[Goldwasser-Micali-Rackoff]
Verifier learnsnothing
Verifier learnsnothing
Prover cannot convince Verifier offalse statements
Prover cannot convince Verifier offalse statements
Thm [today]: one-way functions ) all of NP has statistical ZK arguments.
Zero Knowledge for NP
One-WayFunctions
CommitmentSchemes
ZK for NP[Goldreich-Micali-Wigderson]
[Hastad-Impagliazzo-Levin-Luby], [Naor]
computational zero-knowledge
proofs
Commitment Schemes
Polynomial time algorithm Com(b; K) s.t.
– HidingFor random K, Com(0; K) ¼ Com(1; K)
– BindingCom(b; K) cannot be opened to b’, where b’ b.
S R
Commit:c = Com(b;K)
Reveal:(b,K)
K Ã {0,1}*
b2{0,1}
Zero Knowledge for NP:Graph 3-Coloring Protocol
[Goldreich-Micali-Wigderson]
12
3
4
5
6P V
1. Randomly permutecoloring & commit to colors.
2. Pick random edge. (1,4)
4. Accept if colors different.
3. Send keys forendpoints.
Completeness: Graph 3-colorable ) V always accepts.
Zero Knowledge for NP:Graph 3-Coloring Protocol
[Goldreich- Micali-Wigderson]
12
3
4
5
6P V
1. Randomly permutecoloring & commit to colors.
2. Pick random edge. (1,4)
4. Accept if colors different.
3. Send keys forendpoints.
Soundness: Graph not 3-colorable ) V rejects w.p. ¸ 1/(# edges) because commitment binding
Zero Knowledge for NP:Graph 3-Coloring Protocol
[Goldreich- Micali-Wigderson]
12
3
4
5
6P V
1. Randomly permutecoloring & commit to colors.
2. Pick random edge. (1,4)
4. Accept if colors different.
3. Send keys forendpoints.
Zero knowledge: Graph 3-colorable ) Verifier learns nothing because commitment hiding
Zero Knowledge for NP
One-WayFunctions
CommitmentSchemes
ZK for NP[Goldreich-Micali-Wigderson]
[Hastad-Impagliazzo-Levin-Luby], [Naor]
computational zero-knowledge
proofs
computationally hiding,statistically binding
Zero Knowledge for NP
One-WayFunctions
CommitmentSchemes
ZK for NP[Brassard-Chaum-Crepeau]
statistical zero-knowledge
arguments
statistically hiding,computationally binding
???
Complexity of SZK Arguments for NP
number-theoreticassumptions
claw-free perm
SZK argumentsstat. hiding
comp. bindingcommitments
[BCC] [BCC]
[GMR,BKK]
[NY]
collision-resistanthash functions
[GMR, Damgard]
[GK]
Complexity of SZK arguments for NP
number-theoreticassumptions
claw-free perm
one-way perm
regular OWF
SZK argumentsstat. hiding
comp. bindingcommitments
[HHK
+ 05][N
OVY 92]
[BCC] [BCC]
[GMR,BKK]
[NY]
collision-resistanthash functions
[GK]
Complexity of SZK arguments for NP
number-theoreticassumptions
claw-free perm
one-way perm
regular OWF
one-way function
SZK argumentsstat. hiding
comp. bindingcommitments
[HHK
+ 05][N
OVY 92]
[BCC] [BCC]
[NY]
collision-resistanthash functions
[GMR,BKK] [GK]
Complexity of SZK Arguments for NP
number-theoreticassumptions
claw-free perm
one-way perm
regular OWF
one-way function
SZK arguments
stat. hiding1-out-of-2 comp. binding
commitments
stat. hidingcomp. bindingcommitments
[HHK
+ 05][N
OVY 92]
[BCC] [BCC]
[NY]
collision-resistanthash functions
[GMR,BKK] [GK]
1-out-of-2 binding commitments
Commitment in 2 phases.
Statistically hiding in both phases.
Computational binding in at least one phase.
[Nguyen-Vadhan06]
S RPhase 1 commit:c = Com(1)(b;K)
Phase 1 reveal:(b,K)
Phase 2 commit:c’ = Com(2)(b’;K’)
Phase 2 reveal:(b’,K’)
Zero Knowledge for NP
One-WayFunctions
CommitmentSchemes
ZK for NP[Nguyen-Vadhan06]
statistical zero-knowledge
arguments
statistically hiding,1-out-of-2 binding
Main Thm
Overview of our constructionfrom one-way functions
One-wayfunction
(1/n)-hiding1-out-of-2binding
1)-hiding1-out-of-2binding
stat hiding1-out-of-2binding
StatisticalZK argumentfor NP
OWF ) (1/n)-hiding
Starting Point:OWF w/ “approximable preimage size” ) stat. hiding commitments [HHK+05]
Idea: sender “guess” preimage size) hiding w.p. 1/n
Problem: sender sends overestimate.
Solution: use second phase to “prove” estimate correct [NV06]
– Main tool: interactive hashing [OVY]
(1/n)-hiding ) (1)-hiding
Amplify in O(log n) stages– Each time -hiding 2-hiding– Inspired by [Reingold05,Dinur06]
Each Stage– O(1) repetitions of basic protocol– Combine using interactive hashing [OVY]– Analyze with nonstandard measures.
Future Work
Standard statistically hiding commitments from OWF.– Useful for verifier commitments.– Many applications beyond ZK.
Better (sub-polynomial) round complexity– Open even for one-way permutations [NOVY].
Simplify the construction.