Presentation is loading. Please wait.

Presentation is loading. Please wait.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Published byAmanda Hodgens Modified over 10 years ago

Similar presentations

Presentation on theme: "Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University."— Presentation transcript:

1 Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

2 Assumptions for Cryptography  One-way functions ) –Pseudorandom generators [Hastad-Impagliazzo-Levin-Luby]. –Pseudorandom functions & private-key cryptography [Goldreich-Goldwasser-Micali] –Commitment schemes [Naor]. –Zero-knowledge proofs for NP [Goldreich-Micali-Wigderson]. –Digital signatures [Rompel].  Almost all cryptographic tasks ) one-way functions. [Impagliazzo-Luby, Ostrovsky-Wigderson]  Some tasks not “black-box reducible” to one-way fns. –Public-key encryption [Impagliazzo-Rudich] –Collision-resistant hashing [Simon]

3 Main Result One-Way Functions ) Statistical Zero-Knowledge Arguments for NP –Resolves an open problem posed by [Naor-Ostrovsky-Venkatesan-Yung92]. –OWF is essentially the minimal complexity assumption for ZK [Ostrovsky-Wigderson].

4 Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] Completeness [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements

5 Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [Fortnow,Aiello-Hastad]: Only languages in AM Å co-AM have statistical ZK proofs.

6 Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [1980’s]: one-way functions ) all of NP has computational ZK proofs.

7 Notions of Zero Knowledge Zero Knowledge –statistical –computational Soundness –statistical (proofs) –computational (arguments) [Brassard-Chaum-Crepeau] [Goldwasser-Micali-Rackoff] Verifier learns nothing Prover cannot convince Verifier of false statements Thm [today]: one-way functions ) all of NP has statistical ZK arguments.

8 Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Goldreich- Micali- Wigderson] [Hastad- Impagliazzo- Levin-Luby], [Naor] computational zero-knowledge proofs

9 Commitment Schemes Polynomial time algorithm Com(b; K) s.t. –Hiding For random K, Com(0; K) ¼ Com(1; K) –Binding Com(b; K) cannot be opened to b’, where b’  b. SR Commit: c = Com(b;K) Reveal: (b,K) K Ã {0,1}* b 2 {0,1}

10 Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] 1 2 3 4 5 6 PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Completeness: Graph 3-colorable ) V always accepts.

11 Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] 1 2 3 4 5 6 PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Soundness: Graph not 3-colorable ) V rejects w.p. ¸ 1/(# edges) because commitment binding

12 Zero Knowledge for NP: Graph 3-Coloring Protocol [Goldreich- Micali-Wigderson] 1 2 3 4 5 6 PV 1. Randomly permute coloring & commit to colors. 2. Pick random edge. (1,4) 4. Accept if colors different. 3. Send keys for endpoints. Zero knowledge: Graph 3-colorable ) Verifier learns nothing because commitment hiding

13 Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Goldreich- Micali- Wigderson] [Hastad- Impagliazzo- Levin-Luby], [Naor] computational zero-knowledge proofs computationally hiding, statistically binding

14 Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Brassard- Chaum- Crepeau] statistical zero-knowledge arguments statistically hiding, computationally binding ???

15 Complexity of SZK Arguments for NP number-theoretic assumptions claw-free perm SZK arguments stat. hiding comp. binding commitments [BCC] [GMR,BKK] [NY] collision-resistant hash functions [GMR, Damgard] [GK]

16 Complexity of SZK arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF SZK arguments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [GMR,BKK] [NY] collision-resistant hash functions [GK]

17 Complexity of SZK arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF one-way function SZK arguments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [NY] collision-resistant hash functions [GMR,BKK] [GK]

18 Complexity of SZK Arguments for NP number-theoretic assumptions claw-free perm one-way perm regular OWF one-way function SZK arguments stat. hiding 1-out-of-2 comp. binding commitments stat. hiding comp. binding commitments [HHK + 05] [NOVY 92] [BCC] [NY] collision-resistant hash functions [GMR,BKK] [GK]

19 1-out-of-2 binding commitments  Commitment in 2 phases.  Statistically hiding in both phases.  Computational binding in at least one phase. [Nguyen-Vadhan06] SR Phase 1 commit: c = Com (1) (b;K) Phase 1 reveal: (b,K) Phase 2 commit: c’ = Com (2) (b’;K’) Phase 2 reveal: (b’,K’)

20 1-out-of-2 binding commitments suffice for SZK arguments  Commitment in 2 phases.  Statistically hiding in both phases.  Computational binding in at least one phase. [Nguyen-Vadhan06] PV Com (1) (coloring) Query an edge Reveal color of nodes Com (2) (coloring) Query an edge Reveal color of nodes Phase 1 Phase 2 ZK since Prover does not reveal knowledge in both phases

21 1-out-of-2 binding commitments suffice for SZK arguments  Commitment in 2 phases.  Statistically hiding in both phases.  Computational binding in at least one phase. [Nguyen-Vadhan06] PV Com (1) (coloring) Query an edge Reveal color of nodes Com (2) (coloring) Query an edge Reveal color of nodes Phase 1 Phase 2 Sound since Verifier checks valid colorings in both phases.

22 Zero Knowledge for NP One-Way Functions Commitment Schemes ZK for NP [Nguyen- Vadhan06] statistical zero-knowledge arguments statistically hiding, 1-out-of-2 binding Main Thm

23 Overview of our construction from one-way functions One-way function (1/n)-hiding 1-out-of-2 binding  1)-hiding 1-out-of-2 binding stat hiding 1-out-of-2 binding Statistical ZK argument for NP

24 OWF ) (1/n)-hiding  Starting Point: OWF w/ “approximable preimage size” ) stat. hiding commitments [HHK+05]  Idea: sender “guess” preimage size ) hiding w.p. 1/n  Problem: sender sends overestimate.  Solution: use second phase to “prove” estimate correct [NV06] – Main tool: interactive hashing [OVY]

25 (1/n)-hiding )  (1)-hiding  Amplify in O(log n) stages –Each time  -hiding  2  -hiding –Inspired by [Reingold05,Dinur06]  Each Stage –O(1) repetitions of basic protocol –Combine using interactive hashing [OVY] –Analyze with nonstandard measures.

26 Future Work  Standard statistically hiding commitments from OWF. –Useful for verifier commitments. –Many applications beyond ZK.  Better (sub-polynomial) round complexity –Open even for one-way permutations [NOVY].  Simplify the construction.

Download ppt "Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Wonders of the Digital Envelope

Wonders of the Digital Envelope
A Parallel Repetition Theorem for Any Interactive Argument Or On the Benefits of Cutting Your Argument Short Iftach Haitner Microsoft Research New England.

A Parallel Repetition Theorem for Any Interactive Argument Or On the Benefits of Cutting Your Argument Short Iftach Haitner Microsoft Research New England.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.

Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.
Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart

Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.

Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Similar presentations

Ads by Google