Separating succinct non-interactive arguments from all falsifiable assumptions
Craig Gentry (IBM), Daniel Wichs (NYU)
MIT Seminar (Dec '10)

Non-Interactive Argument: Succinct?

Prove Language Membership
• Language L ⊆ {0,1}*. Want to show x ∈ L.
• NP = Non-Interactive Proofs with Efficient Verifier.
• Question: How succinct can proofs for NP be?
• If L has witness-size t(n) then L ∈ DTIME(2^{t(n)} · poly(n)).
• Sub-linear proofs for all of NP ⇒ NP ⊆ DTIME(2^{o(n)}).
• Generalizes to interactive proofs [GH98, GVW02].

Succinct Arguments for NP
• Arguments = Computationally Sound Proofs [Kilian 92, Micali 94].
• Cannot prove false statements x efficiently.
• Can prove true statements x efficiently given witness w.
• Succinct: size is poly(n) · polylog(|x| + |w|), where n = security parameter.
• What we know:
  • Interactive (4 rounds): assuming CRHFs [Kilian 92].
  • Non-interactive: Random Oracle model [Micali 94].
* Ignored here: better efficiency for prover/verifier, languages outside of NP.

Succinct Non-Interactive Arguments
• Question: Can we get Succinct Non-Interactive Arguments (SNARGs) in the standard model?
• Problem: ∃ small adversary with a hard-coded false statement x and verifying proof π.
• Same reason why un-keyed CRHFs don't exist.
• Rest of talk: SNARGs initialized with a common reference string (CRS).

Do SNARGs exist?
• Positive evidence: take the [Micali 94] construction, replace the RO with a "complicated hash function" H (set CRS = H).
• Don't know how to break it. Can conjecture security.
• Can we prove any SNARG construction secure under OWFs, DDH, RSA, LWE, …?
• "q-decisional-augmented-bilinear-Diffie-Hellman-exponent assumption"?
• This work: NO*. (*Restrictions apply.)

Main Result
• No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption (DDH, RSA, LWE, …, q-ABDHE, …).
Defining SNARGs
• Syntax: CRS ← Gen(1^n); the prover sends (x, π) with π ← Prove(CRS, x, w); the verifier runs Verify(CRS, x, π).
• Completeness: correctly generated proofs verify with overwhelming probability.
• Public Verifiability: any party can verify proofs.
• Designated Verifier: (CRS, SK) ← Gen(1^n); only a verifier that knows SK can verify, via Verify(CRS, SK, x, π).
• All our results hold for Designated Verifier SNARGs.
• Syntactically the same as two-round interactive arguments: Challenge = CRS, Response = π.

Security of SNARGs
• (Adaptive) Soundness: for every efficient Adv, if (x, π) ← Adv(CRS) then
  Pr[Verify(CRS, SK, x, π) = accept and x ∉ L] = negligible(n).
• Natural for SNARGs.
• For 2-round arguments one traditionally considers static soundness.

Succinct Arguments: What we know?
• SNARG without CRS: doesn't exist.
• Publicly verifiable SNARG (CRS): may exist (RO heuristic), but cannot be proven secure via a BB reduction from a falsifiable assumption.
• Designated verifier SNARG (CRS) = 2 round with adaptive soundness: same as above.
• 2 round with static soundness, and 3 round: ??
• 4 round: exist assuming CRHFs.
Falsifiable Assumptions
• Falsifiable Assumption (in the spirit of [Naor 03]): an interactive game between an efficient challenger and an adversary; the challenger decides if the adversary wins.
• For every PPT Adv: Pr[Adv wins] ≤ negl(n).
• Examples: DDH, RSA, LWE, QR, …, q-ABDHE, …, "RSA Signatures (Full-Domain-Hash) with SHA-1 are secure".
• Not falsifiable:
  • "This proof system is ZK." (Not a game: requires a simulator.)
  • "This SNARG construction is secure." (Inefficient challenger.)
  • "Knowledge-of-Exponent" (KoE) assumptions [Dam91, HT98].

Black-Box Reductions
• Black-Box Reduction: a constructive proof.
• Efficient reduction algorithm: given black-box access to any SNARG-attacker, it becomes an assumption-attacker.
• Should work even if the SNARG-attacker is inefficient.
• (If the SNARG-attacker is stateless we can ignore rewinding.)
[Figure: the Reduction talks to the Assumption Challenger on one side and to the SNARG Attacker, as a black box, on the other; a SNARG attack is turned into an assumption attack.]

Main Result
• No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption.
  • Assuming the falsifiable assumption isn't false.
  • Assuming sub-exponentially hard OWFs exist.
• Equivalently: if there is a Black-Box-Reduction proof for some SNARG construction under some Falsifiable Assumption, then one of the following holds:
  • The falsifiable assumption is false!
  • There are no sub-exponentially hard OWFs.
Main Idea: Simulatable Attacker
• Inefficient Attacker: breaks soundness (outputs false statements with "proofs").
• Efficient Simulator: does not break soundness (outputs true statements with proofs).
• No efficient distinguisher can tell them apart: Simulator ≈ SNARG Attack.

Separation via Simulatable Attack
• Existence of a Simulatable Attack for any SNARG.
• Simulatable Attack implies Black-Box Separation.

Simulatable Attack ⇒ Separation
• Given access to the "Simulatable Attacker", the reduction breaks the assumption: Attacker WINS against the Assumption Challenger.
• The reduction and the challenger are efficient; only the SNARG attacker is inefficient.
• Replace the "Simulatable Attacker" with the efficient Simulator. The (efficient) challenger and reduction cannot tell the difference, so the Attacker still WINS.
• Now there is an efficient attack on the assumption ⇒ Assumption is false!

Separation via Simulatable Attack
• Existence of a Simulatable Attack for any SNARG.
• Simulatable Attack implies Black-Box Separation.
• BB Reduction under a Falsifiable Assumption ⇒ Assumption false.
Existence of Simulatable Attack
• If NP has poly-logarithmic witnesses, there may not be any attacks at all!
• Assumption: sub-exponentially-hard subset-membership problems in NP.
  • An NP language L. Distributions: G ⊆ L, B ⊆ {0,1}* \ L.
  • Can efficiently sample x ← G along with a witness w.
  • Cannot distinguish G from B in time 2^{n^δ} with probability 2^{-n^δ}.
  • Implied by sub-exponentially secure PRGs, OWFs.
• Naïve idea: try all π until one verifies.
  • Might not look at all like the correct distribution!
• Show: a way to sample "correct looking" π for x ← B.
  • SNARG Attack: x ← B, output (x, π). How to sample π?
  • Simulator: x ← G with witness w, π ← Prov(CRS, x, w), output (x, π).
• Key step: ∀ efficient Prov with short output ∃ inefficient function Prov* such that
  (x, π) with x ← G, witness w, π ← Prov(x, w)   ≈   (x, π) with x ← B, π ← Prov*(x).

Indistinguishability w/ Auxiliary Info (Lemma)
• ∀ inefficient Prov with short output ∃ inefficient function Prov*:
  (x, π) with x ← G, π ← Prov(x)   ≈_{(s*, ε*)}   (x, π) with x ← B, π ← Prov*(x).
• If G, B are (s, ε)-indistinguishable then s* = s / poly(2^{|π|}, 1/ε) and ε* = 2ε.
• Proof coming up soon. Assuming the Lemma…

Existence of Simulatable Attack (continued)
• Security of G, B must be exponential in the size of the proof.
• Proof-size n^c · polylog(|x| + |w|) = o(n^{c+1}).
• Choose large enough statements to get security 2^{n^{c+1}}.
• The distinguisher can ask many queries – hybrid argument.
• Attack: x ← B, π ← Prov*(CRS, x). Simulator: x ← G with witness w, π ← Prov(CRS, x, w).
• Problem: who gets which security parameter? D(n) can "lie" about the security parameter to the "oracle" (querying it with Sec = m).
• Solution: the Simulator gives false statements when m ≈ log(n).
• Annoying and messy! The Simulator gets n and depends on D.
• Why is this a legitimate attack? Do the proofs verify? Set D to be the verifier of the SNARG.

Separation via Simulatable Attack
• Existence of a Simulatable Attack for any SNARG:
  • any SNARG for a sub-exp hard membership problem;
  • any SNARG for NP, assuming sub-exp hard OWF.
• Simulatable Attack implies Black-Box Separation.
• BB reduction under a falsifiable assumption ⇒ Assumption false.
Returning to: Indistinguishability with Auxiliary Information

Indistinguishability w. Auxiliary Info
• ∀ short inefficient Aux ∃ inefficient Aux*:
  (x, π) with x ← G, π ← Aux(x)   ≈_{(s*, ε*)}   (x, π) with x ← B, π ← Aux*(x).
• If G, B are (s, ε)-indistinguishable then s* = s / poly(2^{|π|}, 1/ε), ε* = 2ε.
• ⇒ L-bit leakage on the seed of a PRG reduces the HILL entropy of the output by L bits [DP08].
• Proof related to Nisan's proof of Impagliazzo's Hardcore Lemma.

Proof: Indistinguishability w. Auxiliary Info
• Assume for contradiction: ∃ short inefficient Aux such that ∀ inefficient function Aux* ∃ D of size s* with
  Pr[D(x, π) = 1 : x ← B, π ← Aux*(x)] − Pr[D(x, π) = 1 : x ← G, π ← Aux(x)] > ε*.
• Task: distinguish G, B with s = s* · poly(2^{|π|}, 1/ε) and ε = ε*/2.
• Goal: switch quantifiers with the Min-Max theorem.
  • Write the condition as: min over Aux* of max over D of size s* of the difference above > ε*.
  • Replace a single D by a distribution Dist over D of size s*, with D ← Dist in both probabilities.
  • [von Neumann 28]: ∃ Dist (over D of size s*) such that for every Aux* the difference is > ε*.
• Goal: get rid of the auxiliary information.
  • Define Val(x) := min over π of Pr[D(x, π) = 1 : D ← Dist].
  • Then E[Val(x) : x ← B] − E[Val(x) : x ← G] > ε*.
• To distinguish whether x comes from G or B:
  • Get an estimate for Val(x): try all possible values of π; run many D ← Dist on each choice.
  • Output "B" with that probability.
  • Size = poly(2^{|π|}, 1/ε) (times the size s* of the circuits D).
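The quantifier switch and the final distinguisher, written out step by step as an added derivation (this is not on the slides; it uses the slides' own symbols Aux, Aux*, Dist, Val, s*, ε*, the convention that the B-side probability is the larger one, as in the Val gap above, and sampling constants chosen here for concreteness):

```latex
% Setting: G, B are (s, eps)-indistinguishable; Aux has ell = |pi|-bit output.
% Assume, for contradiction, that no Aux* works:
%   exists Aux  forall Aux*  exists D of size s*:
\Pr_{x\leftarrow B,\ \pi\leftarrow \mathrm{Aux}^*(x)}[D(x,\pi)=1]
  \;-\; \Pr_{x\leftarrow G,\ \pi\leftarrow \mathrm{Aux}(x)}[D(x,\pi)=1] \;>\; \varepsilon^* .

% Step 1: a single D is a special case of a distribution Dist over circuits of size s*,
% and the advantage is linear in Dist, so the assumption reads
\min_{\mathrm{Aux}^*}\ \max_{\mathrm{Dist}}\ \Big(
  \mathop{\mathbb{E}}_{D\leftarrow \mathrm{Dist}}
    \Pr_{x\leftarrow B,\ \pi\leftarrow \mathrm{Aux}^*(x)}[D(x,\pi)=1]
  \;-\;
  \mathop{\mathbb{E}}_{D\leftarrow \mathrm{Dist}}
    \Pr_{x\leftarrow G,\ \pi\leftarrow \mathrm{Aux}(x)}[D(x,\pi)=1]
\Big) \;>\; \varepsilon^* .

% Step 2: the payoff is bilinear in the two mixed strategies (Aux* ranges over the
% finitely many functions x -> pi, Dist over the finitely many circuits of size s*),
% so von Neumann's min-max theorem swaps the quantifiers: one Dist beats every Aux*.
\max_{\mathrm{Dist}}\ \min_{\mathrm{Aux}^*}\ (\cdots)
  \;=\; \min_{\mathrm{Aux}^*}\ \max_{\mathrm{Dist}}\ (\cdots) \;>\; \varepsilon^* .

% Step 3: remove the auxiliary information. Fix the maximizing Dist and set
\mathrm{Val}(x) \;:=\; \min_{\pi\in\{0,1\}^{\ell}}\ \Pr_{D\leftarrow \mathrm{Dist}}[D(x,\pi)=1] .
% Choosing Aux*(x) = argmin_pi makes the first term equal to E_{x<-B}[Val(x)];
% the second term is at least E_{x<-G}[Val(x)] whatever Aux outputs. Hence
\mathop{\mathbb{E}}_{x\leftarrow B}[\mathrm{Val}(x)]
  \;-\; \mathop{\mathbb{E}}_{x\leftarrow G}[\mathrm{Val}(x)] \;>\; \varepsilon^* .

% Step 4: the distinguisher D' for G vs B (no auxiliary input needed).
% On input x: for each of the 2^ell strings pi, sample k circuits D <- Dist and set
% p_pi = (1/k) * #{ D(x,pi) = 1 };  V(x) = min_pi p_pi;  output "B" with probability V(x).
% Hoeffding plus a union bound over the 2^ell values of pi: with
k \;=\; \Big\lceil \tfrac{128}{\varepsilon^{*2}}\Big(\ell + \ln\tfrac{16}{\varepsilon^*}\Big)\Big\rceil
% every p_pi is within eps*/8 of its mean except with probability <= eps*/8, so
\big|\mathop{\mathbb{E}}[V(x)] - \mathop{\mathbb{E}}[\mathrm{Val}(x)]\big| \;\le\; \tfrac{\varepsilon^*}{4}
  \quad \text{under both } x\leftarrow B \text{ and } x\leftarrow G,
% and therefore, since Pr[D'(x) = "B"] = E[V(x)],
\Pr_{x\leftarrow B}[D'(x)=\text{"B"}] \;-\; \Pr_{x\leftarrow G}[D'(x)=\text{"B"}]
  \;>\; \varepsilon^* - 2\cdot\tfrac{\varepsilon^*}{4} \;=\; \tfrac{\varepsilon^*}{2} \;=\; \varepsilon .
% Size of D': 2^ell * k circuits of size s*, i.e. s* * poly(2^ell, 1/eps*) = s,
% contradicting the (s, eps)-indistinguishability of G and B.
```

The constants in k are a choice made for this write-up; the slides record only the resulting size poly(2^{|π|}, 1/ε) and the loss ε* = 2ε.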
Main Result
• If there is a Black-Box-Reduction proof for some SNARG construction under some Falsifiable Assumption, then one of the following holds:
  • The falsifiable assumption is false!
  • There are no sub-exponentially hard OWFs.
• Slide annotations for slightly succinct (sub-linear) arguments: replace "falsifiable assumption" by its (sub-)exponential version, and "sub-exponentially hard OWFs" by "exponentially hard subset-membership problems".

Comparison to other BB Separations
• Notion A is not sufficient to realize B in a "black-box way".
• [Impagliazzo-Rudich 89]: separate KA from OWP.
• [Sim98]: separate CRHFs from OWP.
• [GKM+00, GKTRV00, GMR01, RTV04, BPR+08, …]
• Usually: notion A is generic, e.g. "existence of some OWP". The construction of B uses a generic instance of A as a black box. (The reduction uses the adversary as a black box.)
• Our result: notion A can be a specific assumption, e.g. "RSA is a OWP". The reduction uses the adversary as a black box.
• Similar to: [DOP05, AF07, HH09].

BB Reductions for Succinct Arguments
• [Rothblum-Vadhan 10]: any interactive succinct argument with a black-box proof of security under a falsifiable assumption can be easily converted into a "PCP System".
• Not a separation, since PCPs exist unconditionally.
• Shows: heavy PCP machinery is inherent in succinct arguments.

Summary & Open Problems
• Black-box separation of SNARGs from Falsifiable Assumptions.
• Non-black-box techniques? Only know [Bar01].
• SNARGs under non-falsifiable assumptions (e.g. Knowledge of Exponent). Some results by [Gro10].
• Succinct arguments with a long CRS? Succinct in the witness but not the statement? Constructions of 2 or 3 round arguments?
• Or, do black-box separations extend?
THANK YOU! QUESTIONS?