how to go beyond the black-box simulation barrier boaz barak

How to Go Beyond theBlack-Box Simulation Barrier

Boaz Barak

Summery of the previous classes

Every language in NP has ZK protocol.

ZK is not closed under parallel composition.

Last week we saw w(logn) – round BBCZK for all languages in NP.

Paper Main Results

There exists a zero-knowledge proof for any language in NP that satisfies the following properties.

1. It is a zero knowledge with respect to non-uniform

adversaries with auxiliary information.

2. It has a constant number of rounds and negligible

sounds error.

3.It is an Arthur-Merlin (public coins) protocol.

It follows that the protocol cannot be BBZK.

(Unless the language is in BPP.)

Paper Main Results

4. It is bounded concurrent zero knowledge – It remains zero knowledge if executed concurrently n times, where n is the security parameter.

5. “Only” computationally sound proof.

The idea is to use the fact that the simulator has access to the code of the verifier.This will come instead of the trick of rewinding.

Let L NP, x L, w,w’ ∈ ∈witnesses to x L.∈Regardless of efficient strategy Verifier uses, he can not tell if prover used w or w’

Prover (Alice) knows w or w’

Verifier (Bob) knows only x

Relaxation of ZK.Instead of requiring “Verifier learns nothing” only require that the verifier doesn't learn if Alice (prover) used w or w'.

Witness Indistinguishable (WI) Proofs [FeiSha]

Witness Indistinguishable (WI)

Proofs [FeiSha]

Let L NP, x L, w,w’ ∈ ∈witnesses to x L.∈Regardless of efficient strategy Verifier uses, he can not tell if prover used w or w’

Prover (Alice) knows w or w’

Verifier (Bob) knows only x

Weaker property than ZK.

Every ZK proof is also WI proof.

Closed under parallel (even concurrent) composition.

=> We can take BLUM protocol and compose it parallel and get a WI proof.

Protocol outline

The verifier chooses a secret s and send to the prover some

information I(s).

No prover can recover s from interacting with the

verifier.

The simulator can recover s by using the verifier code. The prover provides WI proof that either x L or I know s ∈

from I(s).

Protocol outline

Analyses: Completeness: OK – if x L then the prover will prove it to the ∈

verifier. Computationally soundness – since the prover cannot recover s

in step q it must prove use that x L∈ ZK – the simulator extracts s and proves step 2 using s. Works

since step 2 is WI.

Naive implementation

Public Input: x {0,1}∈ n (need to prove x L)∈

r {0,1}∈ n

WIP either x∈ L or c = comm(r)

Doesn't work, since r depends on c and the simulator can't predict r (Due to the binding property of the commitment scheme).

Problem:

c=Comm(0)

Better implementation


r {0,1}∈ n

WIP either x∈ L or c is a commitment to program s.t. ()=r and c=comm(

Prover uses 1st case and Simulator 2nd case (w/ witness=V*) WI ensures indistinguishably

c=Comm(π)

ZK seems to work:The simulator will commit on c=comm(V).The verifier won't be able to distinguish

between the real and the simulated proof.

Soundness - How can we make sure that the prover won't commit on program that on input c output r.

Problem:

Better implementation


r {0,1}∈

WIP either x∈ L or c is a commitment to program s.t. ()=r and comm(comm(0)

Soundness - How can we make sure that the prover won't commit on program that on input c output r.

Problem:


c=Comm(0,s)

ZK seems to work:The simulator will commit on c=comm(V).The verifier won't be able to distinguish

between the real and the simulated proof.

Make r much longer than c. This way, since c is fixed before r, there is negligible probability that c will open to something

that encodes r.

First attempt


r {0,1}∈ (|c| +m)

WIP either x∈ L or (c,r,v,s) RP∈

I.E c=comm(V,s) and r=V(c)


c=Comm(0n,s) s- add randomness for commitment

In order to insure the binding property of the commitment scheme. The size of c can be at any polynomial length, with respect to the size of V*.

And might be larger than the communicationcomplexity of the protocol.

Problem:

Instead of using statistically binding commitment scheme, we will

use a computationally binding commitment scheme. A computationally binding commitment scheme for large

messages can be constructed by composing a standard,

statistically binding commitment scheme with collision resistant

hash function.

Commitment length - solution

Computationally binding commitment scheme

Collision resistant

hash function

Statisticallybinding

commitmentscheme

Note:Once we use a commitment scheme that is computationally binding we will only be able to prove that our protocol is computationally sound.

Second attempt

Public Input: x {0,1}∈ n (need to prove x L)∈ Prover uses 1st case and

Simulator 2nd case (w/ witness=V*) WI ensures indistinguishably

WIP either x∈ L or (k,c,r,V,z,s) RP∈

I.E c=Comm(Hk(V),s)and r=V(z,c)

r {0,1}∈ (|c| +m)

c=Comm(Hk(0n),s) s- add

randomness for commitment

K – key for the hash

Second attempt -How to prove that the protocol is computational sound?

We will do a reduction to the computational binding property of the commitment scheme.

We need to generate a commitment with two different

openings. We will use WI proofs that are also PoK.

Then use the extractor to break the binding of the

commitment.For any P* there exists an extractor E that succeeds to extract whenever P convinces the verifier, i.e for any x,z:

Prob[(P*(z),V(x)) = 1,E(z)=w : (x,w) R∉L] <negl

Reminder PoK:


Proof Outline: Assume V get convinced when x L.∉

This means that the WI extractor will extract a witness <V,z,s> to

RP. This witness is an opening of the commitment c. Now rewind the prover to step 1, give it a different r (resulted from

different z) and obtain an opening on the same commitment. We got two witnesses with the same commitment.


Why is it guaranteed that in the second time around (with a new r)

we'll get a different opening of the commitment?

This is because V(z,c) is a deterministic function of c (for a given

z), so a different r will have to result from a different <V,z>.

How much time does it take for S to run V*?

Is RP a polytime relation?

No, since V can have an arbitrary polynomial running it.

Problem:

Universal Arguments

Universal language: Lu= {(M,x,t) | M is a non-deterministic machine that accepts x within t steps}. Lu is in NEXP-complete.

Ru = {((M,x,t),w) | M accepts w within t steps}.

Universal Arguments

Universal argument system for Lu is a two party protocol (P,V), for

common input (M,x,t), w (witness for the prover) that satisfies the

following: Efficient verification:

There exists a polynomial p such that for any input y=(M,x,t), the

run time of V, is at p(|y|). Completeness by relatively-efficient prover:

For every ((M,x,t),w) in Ru,

Prob[(P(w),V)(m,x,t) = 1] = 1,

The running time of P is ≤ p(TM(x,w)) ≤ p(t).

Universal Arguments

Computational soundness:

For every P* and every (M,x,t) Lu.∉

Prob[(P*,V)(M,x,t)=1]<u(n) Weak proof of knowledge property:

For every P*, if Prob[(P*,V)(y)=1]>1/p(|y|)

=> Prob[ w=w1,w2,…wn Ru(y),∃ ∈

i {1…t}, E(y,i)=wi] > 1/p’(|y|)∀∈

Universal Arguments

Construction of Universal argument for Lu

Construct an universal argumentthat is witness indistinguishable for Lu

PCP – Probabilistic checkable proofs.

A PCP system is a system were the verifier has access to oracle

which represents a proof. The verifier hash access to only few

bits of the oracle bits according to the verifier coin tosses. Completeness:

For every x L there exist an oracle π, such that V, on input x ∈

and access to oracle π always accepts x. Soundness:

For every x L and every oracle π, such that V, on input x and ∉

access to oracle π, rejects x with probability 1-ε|x|.

PCP – auxiliary properties.(will be useful for our construction)

Let V be a PCP verifier, with an error ε for a language L NEXP, let ∈

R(x,w) be the corresponding witness relation.

1. Relativity-efficient oracle-construction:

There exists a prover P such that for given (x,w) R, it outputs an ∈

oracle π that make V always accept.

2. Non-adaptive verifier:

The verifier queries will be determined only on the external input

and its coin tosses, and not on previous queries.

PCP – auxiliary properties.(will be useful for our construction)

3. Efficient reverse sampling:

There exists a polynomial time algorithm S, that given x, query

number i, query output j outputs the coin tosses r of the verifier.

Q(x,r,i) = j.

4. Proof of knowledge:

There exists a polynomial time extractor E such that for every x

and π:

If Prob[Vπ(x) = 1] > ε|x|, then

there exists w=w1,w2,…wt such that Prob[Eπ(x,i) = wi] > 2/3,

for every i.

Universal Arguments

Theorem:

For every L NEXP and for∈ every ε(n)>2-poly(n) , there exists a PCP

system with error ε that satisfies all the auxiliary properties.

Lu has such a PCP system.

Theorem:

The existence if collision free hash functions implies the existence

of universal arguments that are public coins (Arthur-Merlin) and

use constant number of Rounds.

Universal Arguments for Lu– construction

Public Input: y = (M,x,t)Private Input for P:

w such that (y,w) Ru.∈

Prover steps:

1. Creates a PCP oracle on (y,w) .

2. Construct a hash tree.

3. Sends the root of the tree to the verifier.

K – key for the hashPau

Vau

Root of the tree.

Universal Arguments for Lu– construction of the hash tree.

The leafs of the tree are the oracle answers for the queries. For example leaf Lq holds the oracle answer to query q.

L001 L010 L111L110L100L011 L101L000

Query

Hash(L000,L001)

Hash(L010,L011)

Hash(L100,L101)

Hash(L100,L101)

L0 L1

ROOT

d- height of

the tree

Root

Universal Arguments for Lu– construction



Query

Root


PauVau

Root of the tree.

R – coins for the PCP

PCP answers with the path of the tree to the root.

The prover determines thesequence of m queries forthe PCP oracle, with the random input r.

Preliminary Observations:1. Verifier complexity and communication is polynomial2. Completeness follows from completeness of PCP

Universal Arguments

Still we have to establish the last two properties of universal

arguments: Computational soundness:

For every P* and every (M,x,t) Lu.∉

Prob[(P*,V)(M,x,t)=1]<u(n) Weak proof of knowledge propery:

For every P*, if Prob[(P*,V)(y)=1]>1/p(|y|)

=> Prob[ w=w1,w2,…wn Ru(y),∃ ∈

i {1…t}, E(y,i)=wi] > 1/p’(|y|)∀∈

Universal Arguments

Computational soundness follows from the week proof of

knowledge property.

Because whenever some adversary can convince the verifier to

accept with non-negligible probability the extractor outputs a valid

witness for membership in Lu.

=> If x L and P* will convince V that x L and the extractor will ∉ ∈

output a valid witness with non-negligible probability, and we will

get a contradiction to the weak proof of knowledge property.

Universal Arguments – Computational soundness.

We will prove the computational soundness using a reduction to the

PCP. Assume there is a malicious prover P*au that <M,x,t> will convince V

that M accepts x for the universal argument. We will build an oracle *

for the PCP machine.

P*au Vpcp*

Hash key

Root

Give me (ask all possible queries)

r -coins

Universal Arguments – Computational soundness.

Some of the queries won’t be “proper” for the proof and P*au will have

to find a collision at the hash tree.

Otherwise if all the queries are correct we will get a PCP proof that M

accepts X.

P*au Vpcp*

Hash key

Root

Give me (ask all possible queries)

r -coins

Universal Arguments –proof of knowledge property.

Weak proof of knowledge property:For every P*, if Prob[(P*,V)(y)=1]>1/p(|y|)

=> Prob[ w=w1,w2,…wn Ru(y),∃ ∈ i {1…t}, E(y,i)=wi] > 1/p’(|y|) ∀∈

In order to prove that proof of knowledge property we will use the

extractor of the PCP (The PCP is also weak PoK). The extractor of the PCP will run P* and V and will rewind the

protocol to the “root phase” until it will get enough queries to find

a witness for the PCP proof.

Since the proof is the same it is the same withness.

Universal Arguments



Witness Indistinguishable Universal Arguments

Our starting point is any constant round, pubic-coins universal

argument for Lu – (Pua,Vua).

Next we will use a witness indistinguishable proof of knowledge

for NP-complete language (Pwi,Uwi).

Every ZK proof is also WI proof => BLUM for example is WI-

proof.

Finally we will use commitment scheme C.



Prover steps:1. Creates a PCP oracle .

2. Construct a hash tree.

3. Sends the root of the tree to the verifier.

4. Sends commitments on the queries answers of the PCP oracle and the corresponding nodes at the tree.


Pau-wi Vau-wi

Root of the tree.


ri – random input

Csi(ai), ai = Pau(y,ri)

WI proof that DC(Csi(ai)) = ai


Clearly the construction is constant round and public coins, also

as in the universal argument construction the verifier and prover

run time is probabilistic polynomial time. We still need to prove:

1. The weak proof of knowledge property, which implies the

computational soundness property.

2. The witness indistinguishable property.

WI-UA –weak proof of knowledge.

Let P*ua-wi be a prover for an input y such that Prob[(P*ua-wi,V) =1]

= Py. We will construct a prover P*ua that makes Vua accepts y w.p >

poly(Py). The strategy P*ua operates in c iterations, where in each iteration

it obtains from P*ua-wi a commitment, and using the knowledge

extractor of (Pua-wi,Vua-wi) it extracts a witness.

WI-UA –weak proof of knowledge.

P*ua-wi P*ua V*ua

Ewi

Hash keyHash key

Root Root

rr,p2,p3,…pc

Comm e1e2,..,ec

Comm e1e2,..,ec

a

a

Since Ewi succeed to extract w.p > poly(Py) then it will succeed to extract all c messages w.p > poly(Py)c, and we got an extractorfor (Pua,Vua) – contradiction.

WI-UA –Witness Indistinguishable.

In order to see that the construction is WI we need to show that

when using 2 different witnesses:

1. The 2 commitments (y,r,c(a’1),…c(a’c)) and (y,r,c(a’’1),…c(a’’c))

for 2 witnesses w’,w’’ are computationally indistinguishable.

Follows from the computational hiding property of the

commitment scheme.

2. The WI proof used is witness indistinguishable - follows

immediately.

Universal Arguments



Second attempt -reminder

Public Input: x {0,1}∈ n (need to prove x L)∈ Prover uses 1st case and

Simulator 2nd case (w/ witness=V*) WI ensures indistinguishably

WIP either x∈ L or (k,c,r,V,z,s) RP∈

I.E c=Comm(Hk(V),s)and r=V(z,c)

r {0,1}∈ (|c| +m)




We will use the WI universal argument at the triplet y= (ML’ ,(x,k,c,r),2n), y Lu.∈machine ML’ that accepts the language L’ if:1. x L ∈ .2. V*(x,k,c) = r.

WI universal argument

Concurrent execution

Let (P,V) be a two party protocol, V* an interactive machine.

Let {(ai,bi)}i=1..t be a set of t inputs to the protocol (P,V).

A t-times concurrent execution of (P,V) is the following

experiment:

1. Run t independent copies of P with the ith copy getting ai as

input.

2. Provide V* with b1,…,bt.

3. At each step V* outputs a message (I,m). The ith copy of P is

getting message m, The verifier V* is getting the response.

Concurrent execution

V*

P1

Pt

P2

Concurrent ZK - Naïve simulator

We will invoke the simulator we used n times independently. At first look the protocol seems readily CZK, since there are no

rewinds.

Why this naïve simulator will fail?

The problem is that the verifier V gets additional information between getting the second message and sending the third message.So the challenge r is computed based on some other information.

Concurrent ZK The relation RP will be changed to account for that extra

information. We denote by y this extra information i.e y= all of the

messages previously sent. (we will keep a table with all of these

messages).

r {0,1}∈ (|c| +k)

WIP either x∈ L or (<k,c,r>,<V,z,y,s) RP∈

I.E c=Comm(Hk(V),s)and r=V(z,y,c)



K – key for the hashThe soundness isn’t holds:

Since the relation RP allows the plover to choose y after seeing the challenge r, and we get that r isn’t a deterministic function of <V,z> and we can choose y such that <V,y,z> = r .

But yet there is a Problem:

Bounded Concurrent ZK

The solution will be to choose y that is shorter then r.

This will guarantee that the probability that there exists a y that

allows the adversary to ambiguity the commitment is 2(|r|-|y|)

Bounding the size of y corresponds to bounding the number of

sessions the protocol can run concurrently with.

how to go beyond the black-box simulation barrier boaz barak

Documents