How to Go Beyond the Black-Box Simulation Barrier Boaz Barak

Summery of the previous classes  Every language in NP has ZK protocol.  ZK is not closed under parallel composition.  Last week we saw w(logn) – round BBCZK for all languages in NP.

Paper Main Results There exists a zero-knowledge proof for any language in NP that satisfies the following properties. 1. It is a zero knowledge with respect to non-uniform adversaries with auxiliary information. 2. It has a constant number of rounds and negligible sounds error. 3.It is an Arthur-Merlin (public coins) protocol. It follows that the protocol cannot be BBZK. (Unless the language is in BPP.)

Paper Main Results 4.It is bounded concurrent zero knowledge – It remains zero knowledge if executed concurrently n times, where n is the security parameter. 5.“Only” computationally sound proof. The idea is to use the fact that the simulator has access to the code of the verifier. This will come instead of the trick of rewinding.

Let L ∈ NP, x ∈ L, w,w’ witnesses to x ∈ L. Regardless of efficient strategy Verifier uses, he can not tell if prover used w or w’ Prover (Alice) knows w or w’ Verifier (Bob) knows only x Relaxation of ZK. Instead of requiring “Verifier learns nothing” only require that the verifier doesn't learn if Alice (prover) used w or w'. Witness Indistinguishable (WI) Proofs [FeiSha]

Let L ∈ NP, x ∈ L, w,w’ witnesses to x ∈ L. Regardless of efficient strategy Verifier uses, he can not tell if prover used w or w’ Prover (Alice) knows w or w’ Verifier (Bob) knows only x Weaker property than ZK. Every ZK proof is also WI proof. Closed under parallel (even concurrent) composition. => We can take BLUM protocol and compose it parallel and get a WI proof.

Protocol outline  The verifier chooses a secret s and send to the prover some information I(s). No prover can recover s from interacting with the verifier. The simulator can recover s by using the verifier code.  The prover provides WI proof that either x ∈ L or I know s from I(s).

Protocol outline Analyses:  Completeness: OK – if x ∈ L then the prover will prove it to the verifier.  Computationally soundness – since the prover cannot recover s in step q it must prove use that x ∈ L  ZK – the simulator extracts s and proves step 2 using s. Works since step 2 is WI.

Naive implementation Public Input: x ∈ {0,1} n (need to prove x ∈ L)‏ r ∈ {0,1} n WIP either x ∈ L or c = comm(r)‏ Doesn't work, since r depends on c and the simulator can't predict r (Due to the binding property of the commitment scheme). Problem: c=Comm(0)‏

Better implementation Public Input: x ∈ {0,1} n (need to prove x ∈ L)‏ r ∈ {0,1} n WIP either x ∈ L or c is a commitment to program  s.t.  ()=r and c=comm(  Prover uses 1 st case and Simulator 2 nd case (w/ witness=V*) WI ensures indistinguishably c=Comm( π )‏ ZK seems to work: The simulator will commit on c=comm(V). The verifier won't be able to distinguish between the real and the simulated proof. Soundness - How can we make sure that the prover won't commit on program that on input c output r. Problem:

Better implementation Public Input: x ∈ {0,1} n (need to prove x ∈ L)‏ r ∈ {0,1} WIP either x ∈ L or c is a commitment to program  s.t.  ()=r and comm(  comm(0)‏ Soundness - How can we make sure that the prover won't commit on program that on input c output r. Problem: Prover uses 1 st case and Simulator 2 nd case (w/ witness=V*) WI ensures indistinguishably c=Comm(0,s)‏ ZK seems to work: The simulator will commit on c=comm(V). The verifier won't be able to distinguish between the real and the simulated proof. Make r much longer than c. This way, since c is fixed before r, there is negligible probability that c will open to something that encodes r.

First attempt Public Input: x ∈ {0,1} n (need to prove x ∈ L)‏ r ∈ {0,1} (|c| +m)‏ WIP either x ∈ L or (c,r,v,s) ∈ RP I.E c=comm(V,s) and r=V(c)‏ Prover uses 1 st case and Simulator 2 nd case (w/ witness=V*) WI ensures indistinguishably c=Comm(0 n,s) s- add randomness for commitment In order to insure the binding property of the commitment scheme. The size of c can be at any polynomial length, with respect to the size of V*. And might be larger than the communication complexity of the protocol. Problem:

 Instead of using statistically binding commitment scheme, we will use a computationally binding commitment scheme.  A computationally binding commitment scheme for large messages can be constructed by composing a standard, statistically binding commitment scheme with collision resistant hash function. Commitment length - solution Computationally binding commitment scheme Collision resistant hash function Statistically binding commitment scheme Note: Once we use a commitment scheme that is computationally binding we will only be able to prove that our protocol is computationally sound.

Second attempt Public Input: x ∈ {0,1} n (need to prove x ∈ L)‏ Prover uses 1 st case and Simulator 2 nd case (w/ witness=V*) WI ensures indistinguishably WIP either x ∈ L or (k,c,r,V,z,s) ∈ RP I.E c=Comm(H k (V),s)and r=V(z,c)‏ r ∈ {0,1} (|c| +m)‏ c=Comm(H k (0 n ),s) s- add randomness for commitment K – key for the hash

Second attempt - How to prove that the protocol is computational sound?  We will do a reduction to the computational binding property of the commitment scheme.  We need to generate a commitment with two different openings.  We will use WI proofs that are also PoK. Then use the extractor to break the binding of the commitment. For any P* there exists an extractor E that succeeds to extract whenever P convinces the verifier, i.e for any x,z: Prob[(P*(z),V(x)) = 1,E(z)=w : (x,w) ∉ R L ] <negl Reminder PoK:

Second attempt - How to prove that the protocol is computational sound? Proof Outline:  Assume V get convinced when x ∉ L. This means that the WI extractor will extract a witness to RP.  This witness is an opening of the commitment c.  Now rewind the prover to step 1, give it a different r (resulted from different z) and obtain an opening on the same commitment.  We got two witnesses with the same commitment.

Second attempt - How to prove that the protocol is computational sound?  Why is it guaranteed that in the second time around (with a new r) we'll get a different opening of the commitment?  This is because V(z,c) is a deterministic function of c (for a given z), so a different r will have to result from a different. How much time does it take for S to run V*? Is RP a polytime relation? No, since V can have an arbitrary polynomial running it. Problem:

Universal Arguments Universal language:  Lu= {(M,x,t) | M is a non-deterministic machine that accepts x within t steps }.  Lu is in NEXP-complete.  Ru = {((M,x,t),w) | M accepts w within t steps}.

Universal Arguments Universal argument system for Lu is a two party protocol (P,V), for common input (M,x,t), w (witness for the prover) that satisfies the following:  Efficient verification: There exists a polynomial p such that for any input y=(M,x,t), the run time of V, is at p(|y|).  Completeness by relatively-efficient prover: For every ((M,x,t),w) in Ru, Prob[(P(w),V)(m,x,t) = 1] = 1, The running time of P is ≤ p(TM(x,w)) ≤ p(t).

Universal Arguments  Computational soundness: For every P* and every (M,x,t) ∉ Lu. Prob[(P*,V)(M,x,t)=1]<u(n)  Weak proof of knowledge property: For every P*, if Prob[(P*,V)(y)=1]>1/p(|y|) => Prob[ ∃ w=w1,w2,…wn ∈ Ru(y), ∀ i ∈ {1…t}, E(y,i)=wi] > 1/p’(|y|)

Universal Arguments Construction of Universal argument for Lu Construct an universal argument that is witness indistinguishable for Lu

PCP – Probabilistic checkable proofs. A PCP system is a system were the verifier has access to oracle which represents a proof. The verifier hash access to only few bits of the oracle bits according to the verifier coin tosses.  Completeness: For every x ∈ L there exist an oracle π, such that V, on input x and access to oracle π always accepts x.  Soundness: For every x ∉ L and every oracle π, such that V, on input x and access to oracle π, rejects x with probability 1-ε|x|.

PCP – auxiliary properties. (will be useful for our construction) Let V be a PCP verifier, with an error ε for a language L ∈ NEXP, let R(x,w) be the corresponding witness relation. 1.Relativity-efficient oracle-construction: There exists a prover P such that for given (x,w) ∈ R, it outputs an oracle π that make V always accept. 2.Non-adaptive verifier: The verifier queries will be determined only on the external input and its coin tosses, and not on previous queries.

PCP – auxiliary properties. (will be useful for our construction) 3.Efficient reverse sampling: There exists a polynomial time algorithm S, that given x, query number i, query output j outputs the coin tosses r of the verifier. Q(x,r,i) = j. 4.Proof of knowledge: There exists a polynomial time extractor E such that for every x and π: If Prob[V π (x) = 1] > ε|x|, then there exists w=w 1,w 2,…w t such that Prob[E π (x,i) = w i ] > 2/3, for every i.

Universal Arguments  Theorem: For every L ∈ NEXP and for every ε(n)>2 -poly(n), there exists a PCP system with error ε that satisfies all the auxiliary properties.  Lu has such a PCP system.  Theorem: The existence if collision free hash functions implies the existence of universal arguments that are public coins (Arthur-Merlin) and use constant number of Rounds.

Universal Arguments for Lu– construction Public Input: y = (M,x,t)‏ Private Input for P: w such that (y,w) ∈ Ru.‏ Prover steps: 1.Creates a PCP oracle  on (y,w). 2.Construct a hash tree. 3.Sends the root of the tree to the verifier. K – key for the hash P au V au Root of the tree.

Universal Arguments for Lu– construction of the hash tree. The leafs of the tree are the oracle answers for the queries. For example leaf Lq holds the oracle answer to query q. L 001 L 010 L 111 L 110 L 100 L 011 L 101 L 000 Query Hash(L 000, L 001 ) Hash(L 010, L 011 ) Hash(L 100, L 101 ) Hash(L 100, L 101 ) L0L1 ROOT  d- height of the tree

Root  Universal Arguments for Lu– construction Public Input: y = (M,x,t)‏ Private Input for P: w such that (y,w) ∈ Ru.‏ Query Root  K – key for the hash P au V au Root of the tree. R – coins for the PCP PCP answers with the path of the tree to the root. The prover determines the sequence of m queries for the PCP oracle, with the random input r. Preliminary Observations: 1. Verifier complexity and communication is polynomial 2. Completeness follows from completeness of PCP

Universal Arguments  Still we have to establish the last two properties of universal arguments:  Computational soundness: For every P* and every (M,x,t) ∉ Lu. Prob[(P*,V)(M,x,t)=1]<u(n)  Weak proof of knowledge propery: For every P*, if Prob[(P*,V)(y)=1]>1/p(|y|) => Prob[ ∃ w=w1,w2,…wn ∈ Ru(y), ∀ i ∈ {1…t}, E(y,i)=wi] > 1/p’(|y|)

Universal Arguments  Computational soundness follows from the week proof of knowledge property. Because whenever some adversary can convince the verifier to accept with non-negligible probability the extractor outputs a valid witness for membership in Lu. => If x ∉ L and P* will convince V that x ∈ L and the extractor will output a valid witness with non-negligible probability, and we will get a contradiction to the weak proof of knowledge property.

Universal Arguments – Computational soundness.  We will prove the computational soundness using a reduction to the PCP.  Assume there is a malicious prover P* au that will convince V that M accepts x for the universal argument. We will build an oracle  * for the PCP machine. P* au V pcp ** Hash key Root Give me  (ask all possible queries) r -coins

Universal Arguments – Computational soundness.  Some of the queries won’t be “proper” for the proof and P* au will have to find a collision at the hash tree. Otherwise if all the queries are correct we will get a PCP proof that M accepts X. P* au V pcp ** Hash key Root Give me  (ask all possible queries) r -coins

Universal Arguments –proof of knowledge property.  Weak proof of knowledge property: For every P*, if Prob[(P*,V)(y)=1]>1/p(|y|) => Prob[ ∃ w=w1,w2,…wn ∈ Ru(y), ∀ i ∈ {1…t}, E(y,i)=wi] > 1/p’(|y|)  In order to prove that proof of knowledge property we will use the extractor of the PCP (The PCP is also weak PoK).  The extractor of the PCP will run P* and V and will rewind the protocol to the “root phase” until it will get enough queries to find a witness for the PCP proof. Since the proof is the same it is the same withness.

Universal Arguments Construction of Universal argument for Lu Construct an universal argument that is witness indistinguishable for Lu

Witness Indistinguishable Universal Arguments  Our starting point is any constant round, pubic-coins universal argument for Lu – (Pua,Vua).  Next we will use a witness indistinguishable proof of knowledge for NP-complete language (Pwi,Uwi). Every ZK proof is also WI proof => BLUM for example is WI- proof.  Finally we will use commitment scheme C.

Public Input: y = (M,x,t)‏ Private Input for P: w such that (y,w) ∈ Ru.‏ Prover steps: 1.Creates a PCP oracle . 2.Construct a hash tree. 3.Sends the root of the tree to the verifier. 4.Sends commitments on the queries answers of the PCP oracle and the corresponding nodes at the tree. K – key for the hash P au-wi V au-wi Root of the tree. Witness Indistinguishable Universal Arguments r i – random input C si (a i ), a i = P au (y,r i ) WI proof that DC(C si (a i )) = a i

Witness Indistinguishable Universal Arguments  Clearly the construction is constant round and public coins, also as in the universal argument construction the verifier and prover run time is probabilistic polynomial time.  We still need to prove: 1.The weak proof of knowledge property, which implies the computational soundness property. 2.The witness indistinguishable property.

WI-UA –weak proof of knowledge.  Let P* ua-wi be a prover for an input y such that Prob[(P* ua-wi,V) =1] = Py.  We will construct a prover P* ua that makes V ua accepts y w.p > poly(Py).  The strategy P* ua operates in c iterations, where in each iteration it obtains from P* ua-wi a commitment, and using the knowledge extractor of (P ua-wi,V ua-wi ) it extracts a witness.

WI-UA –weak proof of knowledge. P*ua-wiP*ua V*ua Ewi Hash key Root rr,p 2,p 3,…p c Comm e 1 e 2,..,e c a a Since Ewi succeed to extract w.p > poly(Py) then it will succeed to extract all c messages w.p > poly(Py) c, and we got an extractor for (Pua,Vua) – contradiction.

WI-UA –Witness Indistinguishable.  In order to see that the construction is WI we need to show that when using 2 different witnesses: 1.The 2 commitments (y,r,c(a’ 1 ),…c(a’ c )) and (y,r,c(a’’ 1 ),…c(a’’ c )) for 2 witnesses w’,w’’ are computationally indistinguishable. Follows from the computational hiding property of the commitment scheme. 2.The WI proof used is witness indistinguishable - follows immediately.

Universal Arguments Construction of Universal argument for Lu Construct an universal argument that is witness indistinguishable for Lu

Second attempt -reminder Public Input: x ∈ {0,1} n (need to prove x ∈ L)‏ Prover uses 1 st case and Simulator 2 nd case (w/ witness=V*) WI ensures indistinguishably WIP either x ∈ L or (k,c,r,V,z,s) ∈ RP I.E c=Comm(H k (V),s)and r=V(z,c)‏ r ∈ {0,1} (|c| +m)‏ c=Comm(H k (0 n ),s) s- add randomness for commitment K – key for the hash We will use the WI universal argument at the triplet y= (M L’,(x,k,c,r),2 n ), y ∈ Lu. machine M L’ that accepts the language L’ if: 1.x ∈ L. 2.V*(x,k,c) = r. WI universal argument

Concurrent execution  Let (P,V) be a two party protocol, V* an interactive machine. Let {(a i,b i )} i=1..t be a set of t inputs to the protocol (P,V).  A t-times concurrent execution of (P,V) is the following experiment: 1.Run t independent copies of P with the i th copy getting a i as input. 2.Provide V* with b 1,…,b t. 3.At each step V* outputs a message (I,m). The i th copy of P is getting message m, The verifier V* is getting the response.

Concurrent execution V* P1P1 PtPt P2P2

Concurrent ZK - Naïve simulator  We will invoke the simulator we used n times independently.  At first look the protocol seems readily CZK, since there are no rewinds.  Why this naïve simulator will fail? The problem is that the verifier V gets additional information between getting the second message and sending the third message. So the challenge r is computed based on some other information.

Concurrent ZK  The relation RP will be changed to account for that extra information. We denote by y this extra information i.e y= all of the messages previously sent. (we will keep a table with all of these messages). r ∈ {0,1} (|c| +k)‏ WIP either x ∈ L or (,<V,z,y,s) ∈ RP I.E c=Comm(H k (V),s)and r=V(z,y,c)‏ c=Comm(H k (0 n ),s) s- add randomness for commitment K – key for the hash The soundness isn’t holds: Since the relation RP allows the plover to choose y after seeing the challenge r, and we get that r isn’t a deterministic function of and we can choose y such that = r. But yet there is a Problem:

Bounded Concurrent ZK  The solution will be to choose y that is shorter then r. This will guarantee that the probability that there exists a y that allows the adversary to ambiguity the commitment is 2 (|r|-|y|)  Bounding the size of y corresponds to bounding the number of sessions the protocol can run concurrently with.