1
Impossibility of SNARGs
Research Seminar in Cryptography, 2017/2018 Fall. Impossibility of SNARGs: Separating Succinct Non-Interactive Arguments From All Falsifiable Assumptions [C. Gentry, D. Wichs 2011]. 28 Nov 2017. Presentation: Karim Baghery. Supervisor: Michal Zajac. Coordinator: Dr. Vitaly Skachek.
2
Contents:
Motivation and Problem Statement
Preliminaries: Succinct Non-Interactive Arguments (SNARGs); Falsifiable Assumptions (FAs); Black-Box (BB) Analysis; Hard Subset-Membership Problems
Contributions of the Paper: No Black-Box-Reduction Security Proof for any SNARG under Falsifiable Assumptions; Main Theorem; Main Idea: Simulatable Adversary; Existence of a Simulatable Adversary Lemma
3
Problem Statement: What is an argument? Interactive vs. non-interactive. We are interested in making them as succinct as possible.
4
Problem Statement: Proof
The prover holds a witness w with (x, w) ∈ R_L, sends a proof, and the verifier answers "OK, x ∈ L".
Arguments = computationally sound proofs [Kilian 92, Micali 94]: one cannot prove a false statement x efficiently (in polynomial time), but can prove a true statement x efficiently given a witness w.
Succinct: the size of the argument (proof) is sublinear and short.
What do we know? Interactive: assuming CRHFs [Kilian 92]. Non-interactive: in the Random Oracle Model [Micali 94].
5
Problem Statement: A Question…
Can we get Succinct Non-Interactive Arguments (SNARGs) in the standard model? ≡ Can we prove any SNARG construction secure under OWFs, CDH, DDH, RSA, LWE, …? This work: No, we cannot!
6
Main Result (this work): There is no black-box-reduction proof of security for any SNARG construction under any falsifiable assumption (OWFs, DDH, RSA, LWE, …).
7
SNARGs: Structure and Correctness
Completeness: correctly generated proofs verify with overwhelming probability; equivalently, an honest verifier accepts an honest prover. Publicly verifiable: given the CRS, any party can verify the proof. Designated verifier: only a verifier who knows the private key Priv can verify.
8
SNARGs: Security
Soundness: for every efficient Adv, if (x, π) ← Adv(CRS), then the probability that x is a false statement and π nevertheless verifies is negligible.
Succinct: the size of the proof is $\mathrm{poly}(n)\cdot(|x|+|w|)^{o(1)}$.
Zero-knowledge (ZK): the proof π reveals nothing (except the truth of the statement x).
9
Main Result (this work, recap): There is no black-box-reduction proof of security for any SNARG construction under any falsifiable assumption (OWFs, DDH, RSA, LWE, …).
10
Falsifiable Assumptions (FAs) [Naor 03]: an interactive game between an efficient challenger and an adversary, where the challenger decides whether the adversary wins. For every PPT Adv: Pr[Adv wins] ≤ negligible(n). Examples: CDH, RSA, LWE, …
DL assumption as a game: the challenger picks a random x, computes $g^x$ and sends it to the adversary; the adversary returns x'; the challenger checks whether x' = x.
Not falsifiable: "This proof system is ZK" (not a game, requires a simulator); "This SNARG construction is secure"; Knowledge-of-Exponent (KoE) assumptions [Dam91, HT98].
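The discrete-log game above written out as code, as an added example (not code from the slides or the paper): a challenger object that picks the secret, publishes the challenge and judges the answer, plus two adversaries that plug into it. The group parameters (p = 1019, g = 2) are constructed toy values, far too small for real use, chosen so that the inefficient brute-force adversary can actually win; the point is the shape of the game, in which the challenger, not the adversary, decides the outcome.

```python
"""A falsifiable assumption as a challenger/adversary game (added example).

Following [Naor 03] as presented on the slide: an interactive game between an
efficient challenger and an adversary in which the challenger decides whether
the adversary wins.  The DL game is instantiated over a constructed toy group
(assumed parameters P = 1019, G = 2) so the brute-force adversary can win.
"""
import secrets
from typing import Callable, Optional

P = 1019  # constructed toy prime modulus
G = 2     # constructed base; its multiplicative order mod P is computed below
ORDER = next(k for k in range(1, P) if pow(G, k, P) == 1)


class DLChallenger:
    """Challenger of the DL game: picks x, publishes g^x, and later judges x'."""

    def __init__(self, randbelow: Callable[[int], int] = secrets.randbelow):
        # Secret exponent in [1, ORDER); randbelow is injectable for deterministic tests.
        self.x = 1 + randbelow(ORDER - 1)

    def challenge(self) -> int:
        return pow(G, self.x, P)

    def decide(self, x_prime: int) -> bool:
        # The challenger, not the adversary, decides the outcome: that is what
        # makes the assumption falsifiable.
        return x_prime == self.x


def brute_force_adversary(h: int) -> int:
    """Inefficient adversary: exhaustive search over the whole exponent space."""
    for x in range(1, ORDER):
        if pow(G, x, P) == h:
            return x
    raise ValueError("challenge is not in the subgroup generated by G")


def guessing_adversary(h: int) -> int:
    """Efficient but clueless adversary: returns a uniformly random exponent."""
    return 1 + secrets.randbelow(ORDER - 1)


def play(adversary: Callable[[int], int],
         challenger: Optional[DLChallenger] = None) -> bool:
    """Runs one round of the game and returns the challenger's verdict."""
    chal = challenger if challenger is not None else DLChallenger()
    return chal.decide(adversary(chal.challenge()))


def win_rate(adversary: Callable[[int], int], trials: int = 100) -> float:
    """Empirical Pr[Adv wins]; the assumption asserts this is negligible for PPT Adv."""
    return sum(play(adversary) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("brute force:", win_rate(brute_force_adversary, 20))
    print("guessing:   ", win_rate(guessing_adversary, 500))
```

Contrast this with the "not falsifiable" statements on the slide: there is no challenger that can efficiently judge whether a given proof system is zero-knowledge, so that property cannot be written as a `decide` method.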
11
Main Result (this work, recap): There is no black-box-reduction proof of security for any SNARG construction under any falsifiable assumption (OWFs, DDH, RSA, LWE, …).
12
Black-Box (BB) Analysis:
A proof technique: we take an assumption and prove the security of the SNARG from it. To do the proof, we show that an attack on the SNARG implies an attack on the assumption.
Black-box reduction: the construction behind this proof. We build an efficient reduction algorithm which, given black-box access to any SNARG adversary, becomes an adversary against the assumption. (Diagram: Challenger ↔ Reduction ↔ SNARG Adv; the reduction together with the SNARG adversary forms the assumption attack.)
13
Black-Box (BB) Analysis:
Black-box reduction: an efficient reduction algorithm which, given BB access to any SNARG adversary, becomes an adversary against the assumption. It should work even if the SNARG adversary is inefficient. If the SNARG adversary is efficient and the reduction is efficient, then all together the resulting assumption adversary is efficient.
14
Main Result: Main Theorem (this work). There is no black-box-reduction proof of security for any SNARG construction under any falsifiable assumption (OWFs, DDH, RSA, LWE, …). They need two assumptions: (1) the falsifiable assumption is not false; (2) sub-exponentially hard OWFs exist.
15
Main Idea of Proof: Simulatable Attack
A simulatable attack is a special type of attack against SNARGs: an inefficient adversary that outputs false statements with valid proofs, together with an efficient simulator that outputs true statements with valid proofs, such that no efficient distinguisher can distinguish between them (inefficient SNARG adversary ≈ efficient simulator). D cannot distinguish because it cannot tell whether a statement is true or false.
16
Separation with Simulatable Attack:
To prove the theorem they needed to show: 1. Existence of a simulatable attack for any SNARG. 2. A simulatable attack implies a black-box separation. (BB separation means you won't be able to prove security via a BB reduction.) Suppose that there is a simulatable attack (diagram: Challenger, Reduction, inefficient SNARG Adv). b. Given access to the inefficient "simulatable adversary", the reduction breaks the assumption.
17
Separation with Simulatable Attack:
2. A simulatable attack implies a black-box separation. Suppose that there is a simulatable attack. b. Given access to the inefficient "simulatable adversary", the reduction breaks the assumption. c. Replace the "simulatable adversary" with the efficient simulator. After replacing the adversary with an efficient simulator we get the same outcome: inefficient SNARG Adv + Reduction ≈ efficient Simulator + Reduction, both an assumption attack against the challenger. But efficient Simulator + Reduction is an efficient assumption attack, so the assumption is false!
18
Separation with Simulatable Attack:
To prove the theorem they needed to show: 1. Existence of a simulatable attack for any SNARG. 2. A simulatable attack implies a black-box separation. If there is a BB reduction to the assumption and we have a simulatable SNARG attack, then the assumption is false!
19
Existence of Sim. Attack for all SNARGs:
Assumption: a sub-exponentially hard subset-membership problem in NP. There exists an NP language L and two indistinguishable distributions: $\mathcal{L}$ over L and $\bar{\mathcal{L}}$ over $\{0,1\}^* \setminus L$. One can efficiently sample $x \leftarrow \mathcal{L}$ along with a witness w, and cannot distinguish $\mathcal{L}$ from $\bar{\mathcal{L}}$ in size $2^{n^\delta}$ with probability better than $2^{-n^\delta}$. This could be implied by sub-exponentially secure PRGs or OWFs.
Note (sub-exponentially hard): a subset-membership problem over NP is sub-exponentially hard if there exists some constant δ > 0 such that the problem is $(s(n), \varepsilon(n))$-IND, where $s(n) = 2^{\Omega(n^\delta)}$ and $\varepsilon(n) = 2^{-\Omega(n^\delta)}$.
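The PRG instantiation mentioned on the slide, as an added example (not code from the slides or the paper): L = { PRG(s) : s ∈ {0,1}^n } ⊂ {0,1}^{2n}, YES instances sampled together with the seed as witness, NO instances sampled as uniform 2n-bit strings (outside L except with probability 2^-n, so this is statistically close to sampling {0,1}^{2n} \ L). The PRG is a SHA-256 expansion, which is an assumption standing in for a real PRG; n is kept tiny so that the exhaustive-search decider, whose size 2^n is exactly what the $2^{n^\delta}$ bound rules out, can actually be run.

```python
"""Toy subset-membership problem built from a PRG (added example).

L = { PRG(s) : s in {0,1}^n } as a subset of {0,1}^{2n}.  YES instances come
with the seed as witness; NO instances are uniform 2n-bit strings.  The PRG
below is a SHA-256 expansion (assumption: a stand-in for a real PRG) and the
bit lengths are constructed to be tiny so the brute-force decider can run.
"""
import hashlib
import secrets
from typing import Iterable, Tuple


def prg(seed: bytes) -> bytes:
    """Length-doubling PRG stand-in: n-bit seed -> 2n-bit output (assumed PRG)."""
    return hashlib.sha256(b"toy-prg|" + seed).digest()[: 2 * len(seed)]


def sample_yes(n_bits: int) -> Tuple[bytes, bytes]:
    """x <- L-distribution together with a witness w (the seed).  Efficient."""
    seed = secrets.token_bytes(n_bits // 8)
    return prg(seed), seed


def sample_no(n_bits: int) -> bytes:
    """x uniform over {0,1}^{2n}: within 2^-n statistical distance of {0,1}^{2n} \\ L."""
    return secrets.token_bytes(2 * (n_bits // 8))


def verify(x: bytes, w: bytes) -> bool:
    """NP verifier for L: w is a seed that expands to x."""
    return 2 * len(w) == len(x) and prg(w) == x


def decide_membership(x: bytes) -> bool:
    """Inefficient decider: tries all 2^n seeds (n = 4 * len(x) bits).

    Its cost is 2^n, which is why the assumption only demands
    indistinguishability against adversaries of size 2^{n^delta}.
    """
    seed_len = len(x) // 2
    return any(prg(s.to_bytes(seed_len, "big")) == x for s in range(256 ** seed_len))


def count_in_language(xs: Iterable[bytes]) -> int:
    """Number of instances the brute-force decider places in L."""
    return sum(decide_membership(x) for x in xs)


if __name__ == "__main__":
    x, w = sample_yes(16)
    print("yes instance verifies with witness:", verify(x, w))
    print("brute-force decider on yes instance:", decide_membership(x))
    print("brute-force decider on 3 no instances:",
          count_in_language(sample_no(16) for _ in range(3)))
```

The two samplers are the interface the rest of the argument relies on: the efficient simulator later uses `sample_yes` (statement plus witness, then an honest proof), while the inefficient adversary works from no-instances, for which no witness exists and only an exhaustive search like `decide_membership` can tell them apart.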
20
Existence of Sim. Attack for all SNARGs:
Inefficient SNARG Adv vs. efficient Simulator: both receive CRS and output (x, π). Adv: $\bar{x} \leftarrow \bar{\mathcal{L}}$; but how to sample $\bar{\pi}$? Simulator: $x \leftarrow \mathcal{L}$ with a witness w, $\pi \leftarrow \mathrm{Prov}(CRS, x, w)$. Naïve idea: try all π until one verifies. Problem: the result might not look at all like the correct distribution. To show: a way to sample a "correct-looking" $\bar{\pi}$ for $\bar{x} \leftarrow \bar{\mathcal{L}}$.
21
Existence of Sim. Attack for all SNARGs:
The statement which needs to be shown: for every efficient Prov with short output π, there exists an inefficient function Prov* such that $(\bar{x}, \bar{\pi}) \approx (x, \pi)$, where $\bar{x} \leftarrow \bar{\mathcal{L}}$, $\bar{\pi} \leftarrow \mathrm{Prov}^*(CRS, \bar{x})$ on one side and $x \leftarrow \mathcal{L}$ with a witness w, $\pi \leftarrow \mathrm{Prov}(CRS, x, w)$ on the other. (The proving algorithm can just sample on its own.)
22
Indistinguishability with Aux. Info: for every inefficient Prov with short output π, there exists an inefficient function Prov* such that $(\bar{x}, \bar{\pi}) \approx (x, \pi)$, where $\bar{x} \leftarrow \bar{\mathcal{L}}$, $\bar{\pi} \leftarrow \mathrm{Prov}^*(CRS, \bar{x})$ and $x \leftarrow \mathcal{L}$, $\pi \leftarrow \mathrm{Prov}(CRS, x)$.
Lemma 1: They show that for any two distributions ($\mathcal{L}$ and $\bar{\mathcal{L}}$) that are IND, if we are given some short extra auxiliary information (π) about the sample taken from the first distribution ($x \leftarrow \mathcal{L}$), there exists a way of lying ($\bar{\pi} \leftarrow \mathrm{Prov}^*(CRS, \bar{x})$) about samples from the other distribution such that the joint distributions still look IND. The proof is described in detail in the report. Assuming the lemma…
23
Existence of Sim. Attack for all SNARGs:
Inefficient SNARG Adv: $\bar{x} \leftarrow \bar{\mathcal{L}}$, $\bar{\pi} \leftarrow \mathrm{Prov}^*(CRS, \bar{x})$ ≈ efficient Simulator: $x \leftarrow \mathcal{L}$ with w, $\pi \leftarrow \mathrm{Prov}(CRS, x, w)$.
Lemma 2: Let L be a language with a sub-exponentially hard subset-membership problem. Let Π be a non-interactive proof system for L that satisfies the completeness and succinctness properties. Then there is a machine Adv, called a simulatable Π-Adv, satisfying the following: Adv is a stateless and computationally unbounded Π-Adv. On input $(1^m, CRS)$ it always outputs some (x, π) with x ∉ L of size $\ell_{st}(m)$, for some polynomial $\ell_{st}$, and Adv is poly-time simulatable. That means, for every efficient distinguisher D there exists some efficient simulator S such that D cannot distinguish the output of Adv from the output of S.
24
Existence of Sim. Attack for all SNARGs:
Inefficient SNARG Adv on input $(1^n, CRS)$ outputs (x, π) with $\bar{x} \leftarrow \bar{\mathcal{L}}$, $\bar{\pi} \leftarrow \mathrm{Prov}^*(CRS, \bar{x})$; the efficient Simulator outputs $x \leftarrow \mathcal{L}$ with witness w, $\pi \leftarrow \mathrm{Prov}(CRS, x, w)$.
Proof intuition: given Lemma 1 on IND with auxiliary information, on input $(1^m, CRS)$ Sim and Adv act as follows. The Simulator efficiently samples $(x, w) \leftarrow \mathrm{Sam}(1^m)$ and computes π honestly using the SNARG. Adv generates $(\bar{x}, \bar{\pi})$ in the manner given in Lemma 1. If m is small enough compared to n, the answers of S and Adv are distinguishable, so the simulator is modified to use a table of hard-coded responses.
25
Detailed Proof:
Proof: Note that Π is succinct; they assume there exists d such that $|CRS| < O(n^d)$ and the size of the proof is bounded: $|\pi| < O(n^d \cdot (|x|+|w|)^{o(1)})$. A sub-exponentially hard subset-membership problem implies an $(s(n), \varepsilon(n))$-hard subset-membership problem with $s(n) = 2^{n^{d+2}} = \varepsilon^{-1}(n)$.
Adv and Simulator description. Adv (inefficient): outputs a sample $(\bar{x}, \bar{\pi}) \leftarrow \bar{\mathcal{L}}^*_m$ which is $(s^*(n), \varepsilon^*(n))$-IND from $\mathcal{L}^*_m$, where $s^*(n) = 2^{\Omega(n^{d+2})}$ and $\varepsilon^*(n) = 2^{-\Omega(n^{d+2})}$ (more details in the proof of Lemma 1, in the report).
26
Detailed Proof: Structure of Simulator
Simulator: the Simulator has a threshold value $m^*(n) \cong \log n$. On input $m > m^*(n)$ it acts as usual: it samples (x, w) and $\pi \leftarrow \mathrm{Prov}(CRS, x, w)$ and returns (x, π). On input $m \le m^*(n)$: the Simulator is given an advice table T with tuples (i, m, CRS, x, π); in the i-th query, for input $(1^m, CRS)$, it returns a tuple. Hard-coded table T(i, crs, m). Its size is
27
Detailed Proof: Structure of Simulator
Efficient Simulator. $m > m^*(n)$: samples (x, w) and $\pi \leftarrow \mathrm{Prov}(CRS, x, w)$. $m \le m^*(n)$: uses the table T(i, crs, m) and returns (x, π).
28
Detailed Proof: Structure of Simulator
To prove the first part of the lemma: 1. In Lemma 1 it is shown that … 2. This could be written as follows … The second inequality follows by completeness.
29
Detailed Proof: Structure of Simulator
To prove the second part of the lemma: first, replace the machine Adv with Adv(T) on input $(1^m, CRS)$ (diagram: Assumption Challenger interacting with the reduction).
30
Detailed Proof: Structure of Simulator
First, replace the machine Adv with Adv(T) on input $(1^m, CRS)$ (diagram: Assumption Challenger). 2. …
31
Thank You! Institute of Computer Science Cryptology Research Group
32
BACKUP SLIDES
33
Indistinguishability with Auxiliary Information
Returning to… Lemma 1: Indistinguishability with Auxiliary Information.
34
Main intuition: $(\bar{x}, \bar{\pi}) \approx (x, \pi)$.
For every inefficient Prov with short output there exists an inefficient function Prov* such that, with $\bar{x} \leftarrow \bar{\mathcal{L}}$, $\bar{\pi} \leftarrow \mathrm{Prov}^*(CRS, \bar{x})$ and $x \leftarrow \mathcal{L}$, $\pi \leftarrow \mathrm{Prov}(CRS, x)$: $(\bar{x}, \bar{\pi}) \approx (x, \pi)$.
35
Proof. Note on the proof: the proof does not give a simple description of the distribution $\bar{\mathcal{L}}^*_n$, and instead shows its existence non-constructively. Define size(m) to be the set of all circuits of size m and let dist(m) be the set of all distributions over size(m). Fix the distributions $\mathcal{L}_n$, $\bar{\mathcal{L}}_n$ and some joint distribution $\mathcal{L}^*_n$ over tuples (x, π). Define $\mathrm{dist}(\bar{\mathcal{L}}_n)$ to be the set of all joint distributions on tuples $(\bar{x}, \bar{\pi})$ whose component $\bar{x}$ is distributed according to $\bar{\mathcal{L}}_n$. Now, by contradiction, assume that there does not exist
36
Proof: Follows by von Neumann's min-max theorem.
37
Proof: Then, for each pair (x, π) they define …