1 / 24

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function

Shien Jin Ong. Minh Nguyen. Statistical Zero-Knowledge Arguments for NP from Any One-Way Function. Salil Vadhan. Harvard University. Assumptions for Cryptography. One-way functions ) Pseudorandom generators [Hastad-Impagliazzo-Levin-Luby] .

marlee
Download Presentation

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Shien Jin Ong Minh Nguyen Statistical Zero-Knowledge Arguments for NPfrom Any One-Way Function Salil Vadhan Harvard University

  2. Assumptions for Cryptography • One-way functions ) • Pseudorandom generators [Hastad-Impagliazzo-Levin-Luby]. • Pseudorandom functions & private-key cryptography[Goldreich-Goldwasser-Micali] • Commitment schemes [Naor]. • Zero-knowledge proofs for NP [Goldreich-Micali-Wigderson]. • Digital signatures [Rompel]. • Almost all cryptographic tasks ) one-way functions.[Impagliazzo-Luby, Ostrovsky-Wigderson] • Some tasks not “black-box reducible” to one-way fns. • Public-key encryption [Impagliazzo-Rudich] • Collision-resistant hashing [Simon]

  3. Main Result One-Way Functions )Statistical Zero-Knowledge Arguments for NP • Resolves an open problem posed by [Naor-Ostrovsky-Venkatesan-Yung92]. • OWF is essentially the minimal complexity assumption for ZK [Ostrovsky-Wigderson].

  4. Notions of Zero Knowledge [Goldwasser-Micali-Rackoff] Verifier learnsnothing Zero Knowledge • statistical • computational Soundness • statistical (proofs) • computational (arguments)[Brassard-Chaum-Crepeau] Completeness Prover cannot convince Verifier offalse statements

  5. Notions of Zero Knowledge [Goldwasser-Micali-Rackoff] Verifier learnsnothing Zero Knowledge • statistical • computational Soundness • statistical (proofs) • computational (arguments)[Brassard-Chaum-Crepeau] Prover cannot convince Verifier offalse statements Thm [Fortnow,Aiello-Hastad]: Only languages in AMÅ co-AM have statistical ZK proofs.

  6. Notions of Zero Knowledge [Goldwasser-Micali-Rackoff] Verifier learnsnothing Zero Knowledge • statistical • computational Soundness • statistical (proofs) • computational (arguments)[Brassard-Chaum-Crepeau] Prover cannot convince Verifier offalse statements Thm [1980’s]: one-way functions ) all of NP has computational ZK proofs.

  7. Notions of Zero Knowledge [Goldwasser-Micali-Rackoff] Verifier learnsnothing Zero Knowledge • statistical • computational Soundness • statistical (proofs) • computational (arguments)[Brassard-Chaum-Crepeau] Prover cannot convince Verifier offalse statements Thm [today]: one-way functions ) all of NP has statistical ZK arguments.

  8. Zero Knowledge for NP computational zero-knowledge proofs CommitmentSchemes One-WayFunctions ZK for NP [Hastad- Impagliazzo-Levin-Luby], [Naor] [Goldreich-Micali-Wigderson]

  9. Commitment Schemes Polynomial time algorithm Com(b; K) s.t. • HidingFor random K, Com(0; K) ¼ Com(1; K) • BindingCom(b; K) cannot be opened to b’, where b’  b. b2{0,1} S R K Ã {0,1}* Commit:c = Com(b;K) Reveal: (b,K)

  10. 1 2 6 3 5 4 (1,4) Zero Knowledge for NP:Graph 3-Coloring Protocol [Goldreich-Micali-Wigderson] P V 1. Randomly permutecoloring & commit to colors. 2. Pick random edge. 3. Send keys forendpoints. 4. Accept if colors different. Completeness: Graph 3-colorable ) V always accepts.

  11. 1 2 6 3 5 4 (1,4) Zero Knowledge for NP:Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] P V 1. Randomly permutecoloring & commit to colors. 2. Pick random edge. 3. Send keys forendpoints. 4. Accept if colors different. Soundness: Graph not 3-colorable ) V rejects w.p. ¸ 1/(# edges) because commitment binding

  12. 1 2 6 3 5 4 (1,4) Zero Knowledge for NP:Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] P V 1. Randomly permutecoloring & commit to colors. 2. Pick random edge. 3. Send keys forendpoints. 4. Accept if colors different. Zero knowledge: Graph 3-colorable ) Verifier learns nothing because commitment hiding

  13. Zero Knowledge for NP computational zero-knowledge proofs computationally hiding,statistically binding CommitmentSchemes One-WayFunctions ZK for NP [Hastad- Impagliazzo-Levin-Luby], [Naor] [Goldreich-Micali-Wigderson]

  14. Zero Knowledge for NP statistical zero-knowledge arguments statistically hiding,computationally binding ??? CommitmentSchemes One-WayFunctions ZK for NP [Brassard-Chaum- Crepeau]

  15. [NY] collision-resistanthash functions Complexity of SZK Arguments for NP stat. hidingcomp. bindingcommitments number-theoreticassumptions [BCC] [BCC] SZK arguments [GK] [GMR,BKK] claw-free perm [GMR, Damgard]

  16. [NY] collision-resistanthash functions Complexity of SZK arguments for NP stat. hidingcomp. bindingcommitments number-theoreticassumptions [BCC] [BCC] SZK arguments [GK] [GMR,BKK] claw-free perm [NOVY 92] [HHK+ 05] one-way perm regular OWF

  17. Complexity of SZK arguments for NP stat. hidingcomp. bindingcommitments number-theoreticassumptions [BCC] [BCC] SZK arguments [GK] [GMR,BKK] claw-free perm [NOVY 92] [NY] [HHK+ 05] one-way perm collision-resistanthash functions regular OWF one-way function

  18. Complexity of SZK Arguments for NP stat. hidingcomp. bindingcommitments number-theoreticassumptions [BCC] [BCC] SZK arguments [GK] [GMR,BKK] claw-free perm [NOVY 92] [NY] [HHK+ 05] one-way perm collision-resistanthash functions regular OWF stat. hiding1-out-of-2 comp. bindingcommitments one-way function

  19. 1-out-of-2 binding commitments [Nguyen-Vadhan06] • Commitment in 2 phases. • Statistically hiding in both phases. • Computational binding in at least one phase. Phase 1 commit:c = Com(1)(b;K) S R Phase 1 reveal: (b,K) Phase 2 commit:c’ = Com(2)(b’;K’) Phase 2 reveal: (b’,K’)

  20. Zero Knowledge for NP statistical zero-knowledge arguments statistically hiding, 1-out-of-2 binding Main Thm CommitmentSchemes One-WayFunctions ZK for NP [Nguyen- Vadhan06]

  21. Overview of our constructionfrom one-way functions stat hiding 1-out-of-2binding StatisticalZK argumentfor NP One-wayfunction (1/n)-hiding 1-out-of-2binding (1)-hiding 1-out-of-2binding

  22. OWF ) (1/n)-hiding • Starting Point:OWF w/ “approximable preimage size” ) stat. hiding commitments [HHK+05] • Idea: sender “guess” preimage size) hiding w.p. 1/n • Problem: sender sends overestimate. • Solution:use second phase to “prove” estimate correct [NV06] • Main tool: interactive hashing [OVY]

  23. (1/n)-hiding )(1)-hiding • Amplify in O(log n) stages • Each time -hiding  2-hiding • Inspired by [Reingold05,Dinur06] • Each Stage • O(1) repetitions of basic protocol • Combine using interactive hashing [OVY] • Analyze with nonstandard measures.

  24. Future Work • Standard statistically hiding commitments from OWF. • Useful for verifier commitments. • Many applications beyond ZK. • Better (sub-polynomial) round complexity • Open even for one-way permutations [NOVY]. • Simplify the construction.

More Related