Nir Bitansky and Omer Paneth. Interactive Proofs.

Presentation transcript:

Nir Bitansky and Omer Paneth

Interactive Proofs

Negligible soundness error

Prover’s security: Zero-Knowledge [Goldwasser-Micali-Rackoff-85]; Weak Zero-Knowledge [Dwork-Naor-Reingold-Stockmeyer-99]; Witness Hiding [Feige-Shamir-90]; Witness Indistinguishability [Feige-Shamir-90]

Prover’s security: Zero-Knowledge (ZK); Weak Zero-Knowledge; Witness Hiding (WH); Witness Indistinguishability (WI)

Relation Between Notions: Zero-Knowledge, Weak ZK, WI, WH. Only if every instance has two independent witnesses [FS90]

The Round-Complexity of ZK Proofs [Goldreich-Kahan-96] Impossible [Goldreich-Oren-94] ? # rounds Arguments [Feige-Shamir-90] [Bellare-Jakobsson-Yung-97]

Black-Box vs. Non-Black-Box Simulation: Black-box simulation; Non-black-box simulation

Getting 3-Round ZK – The Challenge. Theorem [GK96]: 3-round ZK protocols with black-box simulator exist only for trivial languages.

Relaxations of ZK
Notion (3-round) | Black-box reduction \ simulation exists | Black-box reduction \ simulation is impossible
ZK | - | [GK96]
Weak ZK | - | [GK96]
WI | [FS90] | -
WH | [FS90] (Two witnesses case) | [HRS09] (One witness case)

Non-Black-Box Techniques. Barak’s non-black-box ZK protocol [B01]: overcomes black-box impossibilities, but: too many rounds.

An Alternative: Assumptions. Example: Assume parallel repetition of some basic ZK protocol is also ZK [GMW91, B86]. Non-Black-Box Transformation S For every: There exists:

Under what assumptions do 3-round ZK protocols exist?

3-Round ZK from Other Assumptions
Work | Assumption | Result
[Hada-Tanaka-98] [Bellare-Palacio-04] | Knowledge of Exponent [D91] | 3-round ZK argument
[Lepinski-Micali-01] | A specific number theoretic protocol is a POK | 3-round ZK proof
[Canetti-Dakdouk-08] [Goldwasser-Lin-Rubinstein-12] | Extractable 1-to-1 OWF | 3-round ZK argument

3-Round ZK from Non-Standard Assumptions. All of the assumptions used imply the existence of Extractable OWFs. Extractable OWF: [D91] [HT98] [LM01] [BP04] [CD08] [GLR12]

Are extractable OWFs necessary? - We do not know. Can we get 3-round ZK from different assumptions?

Our Results. From: Auxiliary Input Point Obfuscation. To: Relaxations of ZK.

Our Results: Auxiliary Input Point Obfuscation, indistinguishability definition (weaker): 3-Round Witness Hiding. Auxiliary Input Point Obfuscation, simulation definition (stronger): 3-Round Weak ZK.

Definitions: Point Obfuscation; Witness Hiding

Point Obfuscation

Virtual Black-Box [BGI+01]

Indistinguishability Definition

Constructions: [Canetti97], extensions of [Wee05]

Witness Hiding

Our Witness Hiding Protocol

2-party computation

3-Round Witness Hiding (1)

3-Round Witness Hiding (2)

Attack on Witness Hiding

The Final Protocol

Fixing the Attack

Given

Fixing the Attack

Properties of the Protocol: Protocol is not zero-knowledge. Protocol is a proof-of-knowledge. Unconditional soundness (proof). Attack on ZK:

What is the non-black-box component in our reduction?

Auxiliary Input Point Obfuscation

Auxiliary Input Point Obfuscation: For every distinguisher there exists a predictor. Non-Black-Box Transformation: Distinguisher to Predictor.

The Non-Black-Box Component

Predictor

Conclusion: Some assumptions give us a non-black-box transformation: some 3-round protocol is indeed ZK; Extractable OWF \ Knowledge of Exponent; Auxiliary Input Point Obfuscation. Non-Black-Box Transformations: Distinguisher, Predictor, S

Conclusion: Given such assumptions we can get 3-round ZK. How to compare these assumptions? What type of non-black-box transformation is required for 3-round ZK?

 ?