1 / 16

Lower Bounds for Non-Black-Box Zero Knowledge

Lower Bounds for Non-Black-Box Zero Knowledge. Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard). Short. *Work done while in Weizmann Institute. Interactive Proof Systems [GMR]. x. V. P. Accept/Reject.

calais
Download Presentation

Lower Bounds for Non-Black-Box Zero Knowledge

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*)Yehuda Lindell (IBM)Salil Vadhan (Harvard) Short *Work done while in Weizmann Institute.

  2. Interactive Proof Systems [GMR] x V P Accept/Reject Completeness: If x2L , P can cause V to output “Accept” w.p. 1 Soundness: If xL , no matter what P does, V will output “Reject” w.h.p.

  3. Interactive Proof Systems [GMR] x V P Accept/Reject An interactive proof system iszero-knowledge (ZK)if verifier cannot learn anything new after interacting with the prover. That is, no matter what V does, it will not learn anything that it couldn’t have learned by itself (without any interaction with prover).

  4. Two r.v. X,Y are indist if 8 poly circuit D | Pr[ D(X)=1 ] – Pr[ D(Y)=1 ] | < n-(1) Interactive Proof Systems [GMR] x V P Accept/Reject Formalized by showing that for every verifier there exists a simulator– a non-interactive alg whose output is indist from verifier’s view in the interaction. S( , ) ~ Verifier’s strategy(Circuit / TM) Publicinput (X) Verifier’sview

  5. Some Known Results Under assumptions, 9 ZK proof for every language in NP. [GMW] In fact, 9 such proof that only uses a constant number of communication rounds. [FS,BCY,GKa] A ZK proof for a non-trivial* language must be interactive (i.e., have at least 2 rounds) [GO] A proof system for a non-trivial language that isZK w.r.t. verifiers that use a non-uniform strategy must have at least 3 rounds. [GO]

  6. A Natural Question Is there a 2-round proof system for NP that is ZK w.r.t. uniform verifiers? We show that under assumptions, the answer is NO. That is, we show that under reasonable assumptions, there is no 2-round ZK proof* system for a language not in co-NP. * The result is for (statistically sound) proof systems with perfect completeness.

  7. The Public-Coin Case x A 2-round proof system is public-coins if the verifier sends its entire random tape as its message. P V 2R {0,1}n  Accept iff A(x,,)=1 Thm 1: Let E=Dtime(2O(n)). If NCC(E)=2(n) then there is no 2-round ZK public-coins proof system for a non-trivial language.

  8. Thm 1: If NCC(E)=2(n) and L has a 2-round ZK public-coins proof then L2BPP. x P V Proof: Fix xL. Define 2{0,1}nas good if 8  A(x,,)=0. 2R {0,1}n  Note that: Accept iff A(x,,)=1 1. Pr2{0,1}n[  is good ] > ½ 2. Can test if  is good in non-deterministic time nc, where nc is running time of A. Under assumption, 9 poly-time G:{0,1}O(log n){0,1}ns.t. Pr=G(s)[  is good ] > ¼[KvM]

  9. In particular, if x2L, then Pr(,)=S(x)[ A(x,,)=1 ] > 1 – n(1) x Define verifier V* that sends =G(s) for s 2R {0,1}O(log n) P V* =G(s)  Accept iff A(x,,)=1 Let S be a simulator for V*. For every x2L, S should output a pair (,) that is indist from a real execution. For every x, =G(s), we define S(x,) to be result of following poly-time process: Run S(x) many times till output is of form (,). Output .

  10. We get that L2BPP: To decide if x2 L: • Choose s2R{0,1}O( log n), let =G(s). Note that  is good w.p. ¸ ¼ 2. Compute =S() 3. Output A(x,,) For every x, =G(s), we define S(x,) to be result of following poly-time process: Run S(x) many times till output is of form (,). Output .

  11. The Private-Coin Case x P V =(r)  Accept iff A(x,,;r)=1 Thm 2: If 2-CC(E)=2(n) then there is no 2-round ZK proof system for a Lco-NP.

  12. x Thm 2: If 2-CC(E)=2(n) and L has a 2-round ZK proof system then L2co-NP P V =(r)  Accept iff A(x,,;r)=1 Proof: Fix xL. Define =(r)as good if 8 9r s.t. A(x,,;r)=0 Under assumption, 9 poly-time G:{0,1}O(log n){0,1}ns.t. Pr=G(s)[  is good ] > ¼[KvM]

  13. x P V Define V* as before to use r=G(s), and define S to be the simulator for V*. =(r)  Accept iff A(x,,;r)=1 Again, for every x, =G(s), we define S(x,) to be result of following poly-time process: Run S(x) many times till output is of form (,). Output . Note that if x2L, and =P(x,) then 8rA(x,,,r)=1Therefore w.h.p. this also holds for S(x,)

  14. Consider the following attempted algorithm for L: To decide if x2 L: • Choose s2R{0,1}O( log n), let r0=G(s) and =(r0). Note that  is good w.p. ¸ ¼ 2. Compute =S(x,) 3. Output A(x,,;r) where r=r0. If x2L then w.h.p. 8rA(x,,S(x,);r)=1. If xL then w.p. ¸¼9r s.t. A(x,,;r)=0.However, it may be that A(x,,;r0)=1 ! However, we can choose r in step 3 via non-det guess and get that L2co-AM!

  15. Other Results • Under assumptions, there is no 2-round ZKproof system for NP w/ perfect completeness. 2. There is no constant-round public-coin proofsystem that is (even bounded) resettable ZK. 3. Under assumptions, there is no constant-round ZK strongproof of knowledge [G]. Tightness results: • 1 & 3 use essentially tight assumptions. Furthermore, similar assumptions are required to rule out that (log n)-wise parallel 3COL/HAM are ZK. • There is an argument system for NP that is constant-round and bounded resettable ZK.

  16. Conclusions Still several open questions regarding power of (non-BB) zero knowledge. This work shows that there is a difference between arguments and proofs, and that sometimes one must use (uncommon) computational assumptions. One of the most important open questions – prove the following under reasonable assumptions: Conjecture: There is no constant-round public-coins zero-knowledge proof system for NP.

More Related