Universal Arguments and Their Applications
Boaz Barak & Oded Goldreich

Interactive Proofs for NP
($n$ = input size)
[GMW] gave ZK proof w/ $n^2$ complexity for 3-Coloring.
Corollary: ZK proof w/ $t(n)^4$ complexity for any Ntime($t$) language $L$ (since $L$ is $t(n)^2$-time reducible to 3-Coloring).
Corollary: $\forall$ NP language $L$ $\exists$ ZK proof for $L$ w/ polynomial complexity. Note order of quantifiers!
What about a single universal proof system for all NP languages?
Note: This is interesting even without the ZK property.

CS Proofs [M]: Informal Description
A CS proof system is a system for proving* membership in the (N)EXP-complete language $U$, where $\langle M,x,t\rangle \in U$ iff $M(x)$ outputs 1 within $t$ steps ($t$ is a binary number, $M$ is a non-deterministic machine).
Verifier's complexity is a fixed polynomial (e.g. $n^3$) in $|M|+|x|+|t|$.
Any NP language $L$ is reducible to $U$ by an $O(n)$-time reduction (e.g., even if $L \in$ Ntime($n^{12}$)!).
Thus a CS proof system yields a single protocol for proving membership for all $L \in$ NP (even NE).

CS Proofs [M]: Informal Description
Thm [K,M]: If there exist hash functions that are collision resistant for 2n-sized circuits then there exists a CS proof system.
Our Goal: Obtain a single (universal) argument for NP under a standard assumption (i.e., hardness for poly-size circuits).

CS Proofs: Formal Def
Def: $\langle P,V\rangle$ is a CS proof system for $U$ if it satisfies:
[complexity] $V$ runs in probabilistic polynomial time.
[completeness] $\forall \langle M,x,t\rangle \in U$: $\langle P(w),V\rangle(M,x,t) = 1$, where $P(M,x,t)$ runs for $t^{O(1)}$ (possibly $2^{O(n)}$) steps.
[soundness] $\forall$ $2^{O(n)}$-sized $P^*$ and $\forall \langle M,x,t\rangle \notin U$: $\Pr[\langle P^*,V\rangle(M,x,t) = 1] = \mathrm{negl}(n)$.
Note: Max running time of $P$ < allowed running time for $P^*$.
Seems to inherently require subexponential hardness assumption.

CS Proofs: Formal Def
Universal Argument
Def: $\langle P,V\rangle$ is a CS proof system for $U$ if it satisfies:
[complexity] $V$ runs in probabilistic polynomial time.
[completeness] $\forall \langle M,x,t\rangle \in U$: $\langle P(w),V\rangle(M,x,t) = 1$, where $P(M,x,t)$ runs for $t^{O(1)}$ (possibly $2^{O(n)}$) steps.
[soundness] $\forall$ $2^{O(n)}$-sized $P^*$ and $\forall \langle M,x,t\rangle \notin U$: $\Pr[\langle P^*,V\rangle(M,x,t) = 1] = \mathrm{negl}(n)$.
polynomial size
[proof of knowledge] There is a polynomial-time weak knowledge extractor.
Note: Max running time of $P$ < allowed running time for $P^*$.

Our Results
Thm 1: If standard collision-resistant hash functions exist then there exists a universal argument system.
Corollary 2: If standard collision-resistant hash functions exist then there exists a ZK argument satisfying (as in [B]):
- Non-black-box simulation
- Constant-round
- Arthur-Merlin (public coin)
- Strict polynomial-time simulator
- Bounded concurrent zero-knowledge
Same conclusion as [B] under weaker hypothesis.

Collision Resistant Hash Functions
Def: A family $H = \{H_n\}$ of functions from $\{0,1\}^{2n}$ to $\{0,1\}^n$ is called collision resistant if for any poly-size $A$: $\Pr_{h \in H}[A(h) = (x,y) \text{ s.t. } h(x) = h(y)] = \mathrm{negl}(n)$.

The Construction (following [K])
Thm [BFL]: NEXP = PCP[poly, poly]
[Diagram labels: $\langle M,x,t\rangle$; $P_{pcp}(M,x,t,w)$; $V_{pcp}(M,x,t)$; $|\ | = t^{O(1)}$ (possibly $2^{O(n)}$)]

PCP Properties
[completeness] $\exists P$ s.t. $\forall \langle M,x,t\rangle \in U$ (and witness $w$): $\Pr[V^{P(M,x,t,w)}(M,x,t) = 1] = 1$, where $P(M,x,t)$ runs in time $t^{O(1)}$.
[soundness] If $\langle M,x,t\rangle \notin U$ then $\forall$ $\Pr[V_{pcp}(M,x,t) = 1] < 2^{-n}$.
[non-adaptive verifier] Verifier's queries are non-adaptive.
[efficient reverse-sampling] Given $i, q$, can sample a random verifier tape conditioned on the $i$th query being $q$.
[proof of knowledge] $\exists$ poly-time $E$ s.t. if $V_{pcp}(M,x,t) > 2^{-|x|}$ then $\exists$ witness $w$ s.t. $\forall i$: $\Pr[E(\langle M,x,t\rangle, i) = w_i] > 2/3$.

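[Protocol diagram: $P_{ua}$ and $V_{ua}$ on input $\langle M,x,t\rangle$; labels: $h \in_R H$, $r_{pcp}$, $\mathrm{path}_1, \ldots, \mathrm{path}_k$, $q$, $h$]
$\mathrm{path}_{q,}$ is called a certificate that q =
Preliminary Observations:
1. Verifier complexity and communication is polynomial.
2. Completeness follows from completeness of PCP.
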
[Protocol diagram: $P^*$ and $V_{ua}$ on input $\langle M,x,t\rangle$; labels: $h \in_R H$, $q$, $h$, 1, 2, 3, 4]
Soundness: If poly-size $P^*$ convinces $V_{ua}$ that $\langle M,x,t\rangle \in U$ w.p. then $\exists$ pcp proof * for $\langle M,x,t\rangle$ that convinces $V_{pcp}$ w.p. 2 – negl(n).
Fix "typical" choice of $h$. Assume w.l.o.g. $P^*$ is deterministic, and so the root is also fixed.
We treat $P^*$ as a function that gets a random pcp-verifier tape and returns a list of paths.
Observation: For any $q$, given two inconsistent paths $\mathrm{path}_{q,0}$ and $\mathrm{path}_{q,1}$, can obtain $x, y$ s.t. $h(x) = h(y)$.

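Added example (not from the original slides): the certificate check and the Observation above as runnable code, using a binary hash tree. The names `h`, `climb`, `verify`, `extract_collision` and `demo` are hypothetical, and `h` is SHA-256 truncated to 8 bits, an assumption chosen so that a cheating prover's two inconsistent paths can be constructed by brute force.

```python
import hashlib

N = 1  # toy output length in bytes (8 bits), small so collisions can be found

def h(block: bytes) -> bytes:
    """Toy h: {0,1}^{2n} -> {0,1}^n, SHA-256 truncated to N bytes (not collision resistant)."""
    assert len(block) == 2 * N
    return hashlib.sha256(block).digest()[:N]

def climb(q: int, leaf: bytes, siblings: list) -> tuple:
    """Hash from leaf q up to the root; return (root, [(h input, h output) per level])."""
    node, trace = leaf, []
    for sib in siblings:
        block = node + sib if q % 2 == 0 else sib + node
        node = h(block)
        trace.append((block, node))
        q //= 2
    return node, trace

def verify(root: bytes, q: int, leaf: bytes, siblings: list) -> bool:
    """Verifier's check that (leaf, siblings) is a certificate for location q."""
    return climb(q, leaf, siblings)[0] == root

def extract_collision(root, q, path0, path1):
    """From two valid paths for q with different leaves, return x != y with h(x) == h(y)."""
    (r0, t0), (r1, t1) = climb(q, *path0), climb(q, *path1)
    assert r0 == r1 == root and path0[0] != path1[0]
    # The leaves differ and both paths end at the same root, so at the first level
    # where the two outputs agree the two inputs must still differ.
    for (x, out0), (y, out1) in zip(t0, t1):
        if out0 == out1:
            return x, y
    raise AssertionError("unreachable: both paths end at the same root")

def demo():
    """Constructed instance: a cheating prover opens location 0 as both 0 and 1."""
    leaf0, leaf1 = bytes([0]), bytes([1])
    seen = {h(leaf0 + bytes([s])): bytes([s]) for s in range(256)}
    s1 = next(bytes([s]) for s in range(256) if h(leaf1 + bytes([s])) in seen)
    s0 = seen[h(leaf1 + s1)]
    t = bytes([7])  # arbitrary constructed value for the other subtree's hash
    root = h(h(leaf0 + s0) + t)
    return root, 0, (leaf0, [s0, t]), (leaf1, [s1, t])

if __name__ == "__main__":
    root, q, p0, p1 = demo()
    x, y = extract_collision(root, q, p0, p1)
    print(verify(root, q, *p0), verify(root, q, *p1), x.hex(), y.hex(), h(x) == h(y))
```

With a collision-resistant $h$ the search inside `demo` is infeasible for a poly-size prover, which is why an ambiguous opening of any location contradicts the hardness assumption.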
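[Protocol diagram: $P^*$ and $V_{ua}$ on input $\langle M,x,t\rangle$; labels: $h \in_R H$, $h$]
Define: $p_q() = \Pr[P^* \text{ sends } \mathrm{path}_{q,} \mid q \text{ is asked}]$
Define: $*_q = 1$ if $p_q(1) > p_q(0)$, 0 otherwise
Claim: * is a convincing pcp proof.
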
Let $A$ be the ambiguous locations and $k$ the length of the verifier's random tape.
Previous Analysis [K,M,B]: If $h$ is $2^k$ secure then $A = \emptyset$.

Our Analysis: Define $A' \subseteq A$ to be the locations that are ambiguous with non-negligible probability. If $h$ is poly-size secure then $\Pr[\text{Verifier's query hits } A'] = \mathrm{negl}(n)$.
Why? Otherwise could find a collision by reverse-sampling.

Proof of Knowledge Property
$\exists E$ s.t. if $P^*$ convinces $V_{ua}$ w.p. that $\langle M,x,t\rangle \in U$ then $\exists$ witness $w$ s.t. w.p. $\Pr[\forall i\ E^{P^*}(M,x,t,i) = w_i]$ > (1), where $E$ runs in poly(1/ ,n) time.
Follows from analogous property of the pcp system.