Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Similar documents
Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

CMSC 858K Advanced Topics in Cryptography March 4, 2004

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 3: Interactive Proofs and Zero-Knowledge

Lecture Notes 20: Zero-Knowledge Proofs

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Notes on Complexity Theory Last updated: November, Lecture 10

Notes on Zero Knowledge

Non-Interactive Zero Knowledge (II)

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

1 Recap: Interactive Proofs

Interactive and Noninteractive Zero Knowledge Coincide in the Help Model

Constant-round Leakage-resilient Zero-knowledge from Collision Resistance *

CS151 Complexity Theory. Lecture 13 May 15, 2017

Lecture 15 - Zero Knowledge Proofs

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)

Probabilistically Checkable Arguments

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9

Theory of Computation Chapter 12: Cryptography

Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations

Interactive Zero-Knowledge with Restricted Random Oracles

An Epistemic Characterization of Zero Knowledge

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model

Magic Functions. In Memoriam Bernard M. Dwork

Concurrent Non-malleable Commitments from any One-way Function

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Lecture 15: Interactive Proofs

Round-Efficient Multi-party Computation with a Dishonest Majority

Certifying Trapdoor Permutations, Revisited

Zero-Knowledge Proofs and Protocols

Delegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs

An Epistemic Characterization of Zero Knowledge

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

How to Go Beyond the Black-Box Simulation Barrier

CSCI 1590 Intro to Computational Complexity

Interactive protocols & zero-knowledge

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Lecture 17: Constructions of Public-Key Encryption

A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles

Cryptographic Protocols Notes 2

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

On The (In)security Of Fischlin s Paradigm

Lecture 3,4: Universal Composability

Statistical WI (and more) in Two Messages

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

1 Randomized Computation

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols

Chosen-Ciphertext Security (I)

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols

Unconditional Characterizations of Non-Interactive Zero-Knowledge

Concurrent Knowledge Extraction in the Public-Key Model

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

On The (In)security Of Fischlin s Paradigm

Cryptography in the Multi-string Model

Classical Verification of Quantum Computations

of trapdoor permutations has a \reversed sampler" (which given ; y generates a random r such that S 0 (; r) = y), then this collection is doubly-enhan

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Lecture 12: Interactive Proofs

III. Authentication - identification protocols

Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)

From Secure MPC to Efficient Zero-Knowledge

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

AUTHORIZATION TO LEND AND REPRODUCE THE THESIS

Weak Zero-Knowledge Beyond the Black-Box Barrier

Interactive protocols & zero-knowledge

On Achieving the Best of Both Worlds in Secure Multiparty Computation

Does Parallel Repetition Lower the Error in Computationally Sound Protocols?

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions

Lecture 26: Arthur-Merlin Games

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Proofs of Ignorance and Applications to 2-Message Witness Hiding

Zero-Knowledge Against Quantum Attacks

Lecture 10: Zero-Knowledge Proofs

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

In this chapter we discuss zero-knowledge proof systems. Loosely speaking, such proof

How many rounds can Random Selection handle?

Chapter 2 : Perfectly-Secret Encryption

ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation

Lecture 18: Zero-Knowledge Proofs

A Note on Negligible Functions

How to Go Beyond the Black-Box Simulation Barrier

Smooth Projective Hash Function and Its Applications

Lecture 2: Program Obfuscation - II April 1, 2009

Soundness in the Public-Key Model

Lecture 9 - Symmetric Encryption

CPA-Security. Definition: A private-key encryption scheme

Universal Semantic Communication

Indistinguishability and Pseudo-Randomness

Homework 3 Solutions

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Improved OR-Composition of Sigma-Protocols

Transcription:

Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009

Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof system for L if V is polynomial-time and the following conditions hold: Completeness: for every x L, Pr[< P, V > (x) = 1] 1 ν(x) Soundness: for every x / L and every machine B, Pr[< B, V > (x) = 1] ν(x)

Remainders FLS protocol Definition (Computational Zero Knowledge) Let (P, V ) be an interactive proof system for L. We say that (P, V ) is computational zero knowledge if for every PPT interactive machine V exists a PPT simulator S such that the following {< P, V (z) > (x)} x L,z {0,1} n {S(x, z)} x L,z {0,1} n are computationally indistinguishable.

Motivation FLS protocol ZK with constant number of rounds is good.. But, think of a ZK proof consists of one message only from P to V. It opens a door for many cryptosystems: signatures (where the signer proves he knows some secret), CCA-encryptions (where the encryptor proves he knows the plaintext), identification and etc.

Is one message NIZK possible? Lets assume we have a protocol which is NIZK with one message there exists a simulator S BPP S can decide on L L BPP Proof. If x L then S convinces by definition. If x / L then, by the soundness of the NIZK, S must not be able to convince. So, we will go to a NIZK with pre-processing...

High level roadmap Introduce the Common random string (CRS) model ( realistic model ) and the definition of Non-interactive zero-knowledge. As a result, this yields a construction of a NIZK proof for every language in NP in the assuming the existence of trapdoor permutations.

High level roadmap Introduce the Common random string (CRS) model ( realistic model ) and the definition of Non-interactive zero-knowledge. Introduce the Hidden bits (HB) model. As a result, this yields a construction of a NIZK proof for every language in NP in the assuming the existence of trapdoor permutations.

High level roadmap Introduce the Common random string (CRS) model ( realistic model ) and the definition of Non-interactive zero-knowledge. Introduce the Hidden bits (HB) model. Show that any NIZK proof system in the HB model can be transformed to a NIZK proof system in the, assuming the existence of trapdoor permutations. As a result, this yields a construction of a NIZK proof for every language in NP in the assuming the existence of trapdoor permutations.

High level roadmap Introduce the Common random string (CRS) model ( realistic model ) and the definition of Non-interactive zero-knowledge. Introduce the Hidden bits (HB) model. Show that any NIZK proof system in the HB model can be transformed to a NIZK proof system in the, assuming the existence of trapdoor permutations. Show how to construct a NIZK proof for the Hamiltonian cycle problem in the HB model. As a result, this yields a construction of a NIZK proof for every language in NP in the assuming the existence of trapdoor permutations.

High level roadmap Introduce the Common random string (CRS) model ( realistic model ) and the definition of Non-interactive zero-knowledge. Introduce the Hidden bits (HB) model. Show that any NIZK proof system in the HB model can be transformed to a NIZK proof system in the, assuming the existence of trapdoor permutations. Show how to construct a NIZK proof for the Hamiltonian cycle problem in the HB model. As a result, this yields a construction of a NIZK proof for every language in NP in the assuming the existence of trapdoor permutations.

The common random string (CRS) model Intuition[Wiki]: Captures the assumption that a trusted setup in which all involved parties get access to the same string crs taken from uniform distribution exists. When used for interactive proofs Besides P and V, the system also consists of a PPT algorithm G. G gets as an input 1 k and outputs a uniform distributed string σ k. Except for the regular inputs, P and V also get σ k. The probabilities for the system are taken over the coin tosses of P, V and G. Note that even when we consider cheating provers, we still assume that σ k is correctly generated.

Definition (Non interactive zero knowledge proof system) A pair of interactive machines (P, V ) is called a non-interactive zero-knowledge proof system for L if machine V is polynomial-time and the following conditions hold: Completeness: for every x L, Pr(V (x, R, P(x, R)) = 1) 1 ν(x) Soundness: for every x / L and every machine B, Pr(V (x, R, B(x, R)) = 1) ν(x) Zero-knowledge: there exists a PPT algorithm S such that the ensembles {(x, R x, P(x, R x ))} x L,{S(x)} x L are computationally indistinguishable. where R is a random variable uniformly distributed in {0, 1} poly( x ) (CRS).

HB model - Informal intuition The prover is initially given some sequence of bits which are hidden from the verifier. In the course of proving that x L, the prover can choose to reveal some arbitrary set of these bits to the verifier. The verifier never learns the bits of the string that are not revealed to it by the prover, and the prover cannot cheat and change the values in the string it is given. Formally, we imagine that the prover is given a string R of length n and sends to the verifier (along with other information) a set of indices I [n]. The verifier is then given the bits, denoted by R I.

Definition (Proof system in the HB model) A pair of probabilistic machines (P, V ) is called a hidden-bits proof system for L if V is polynomial-time and the following conditions hold: Completeness: for every x L, where (I, π) = P(x, R). Pr(V (x, R I, I, π) = 1) 1 ν(x) Soundness: for every x / L and every machine B, where (I, π) = B(x, R). Pr(V (x, R I, I, π) = 1) ν(x) Zero-knowledge: similar to previous definition. where R is a random variable uniformly distributed in {0, 1} poly( x ) (CRS).

: The Construction Let (P, V ) be a HB proof system for L, f : {0, 1} {0, 1} trapdoor permutation, and b : {0, 1} {0, 1} hard-core of f. Follows is a construction of (P, V ) in the : Common input x {0, 1} n. Common random string s = (s 1, s 2,... s m ) where each s i = n.

Prover P Computes r i = b(f 1 (s i )) for each s i. Executes P to get (I, π) = P(x, r 1, r 2,... r m ), Outputs (I, π, r I ) where r I = {f 1 (s i )} i I. Verfier V Verifies that r i = f (r i ) for each i I. Outputs reject if something is invalid. Computes b i = b(r i ) for each i I. Executes V on (x, {r i } i I, I, π) and outputs the result.

Theorem Provided that Pr(b(U n )) = 1/2, (P, V ) is a non-interactive ZK proof system for L. Moreover, assuming the existence of families of trapdoor permutations for which membership in the family can be decided in BPP, the prover P can be implemented efficiently. Completeness: trivial. Zero knowledge: use S(x) to get indexes, and select pre-images r i such that b(r i ) equals the revealed bits. Soundness: the only difference is the tdp, a cheater can choose specific best f. f works on n bits: there are O(2 n ) different f he can cheat w.p. 2 n ν(n) we can run the protocol O(n) times in order to get negligible soundness.

: The construction Common input: directed graph G = (V, E) where V = n. Common random string: n 3 n 3 boolean matrix M where each entry has 1 with probability n 5. Definition: matrix is called useful if it contains n n submatrix with hamiltonian cycle and all other entries are 0 (occurs with probability Ω(n 3/2 )).

Prover If M is not useful, reveals all M s entries. If M is useful, (lets denote by H the hamiltonian submatrix), Reveals all entries which are not in H. Outputs a 1 1 mapping π of vertices from V to columns/rows of H. Reveals the entries corresponding to non-edges of G. Verifier If the prover revealed all entries of M, accept iff M is not useful. Else, verifies that all entries, except for the entries {(π(u), π(v)) (u, v) E}, are revealed as 0.

Proofs FLS protocol Completeness and ZK are trivial. Efficiency: also easy (prover only computes the permutation). Soundness: lets assume G is non-hamiltonian. If M is useful the prover can t lie- the proof that each non-edge of G is mapped to 0-entry of H basically means that each 1-entry of H must be mapped to an edge of G. This means that G has hamiltonian cycle, in contradiction with our assumption. So, using the fact that Pr(M is useful) = Ω(n 3/2 ) we run the protocol O(n 2 ) to get negligible soundness.

Finally.. FLS protocol Theorem (FLS Theorem) Assuming existence of OWP, each language in NP has zero-knowledge non-interactive proof system. Furthermore, assuming the existence of families of trapdoor permutations for which membership in the family can be decided in BPP, the prover can be implemented efficiently.

The problem The solution - The problem For practical reasons, we prefer using the same random string for many assertions. But then, our simulator fails and we lose ZK.

The problem The solution The solution We show how to transform any bounded NIZK proof system, into a general NIZK proof system. General Zero-knowledge There exists a PPT algorithm S such that for any polynomial sequence of x 1, x 2,... L, the ensembles {(R x, x 1, P(x 1, R x ), x 2, P(x 2, R x ),...)},{S(x 1, x 2,...)} are computationally indistinguishable.

The problem The solution The construction Let G : {0, 1} l {0, 1} 2l be a pseudorandom generator, and let (P, V ) be a bounded NIZK proof system for NPC language L. Follows is a construction of (P, V ): Common input x {0, 1} l. Common random string y R where y = {0, 1} 2l and R = {0, 1} n 2l.

The problem The solution Prover P Lets denote L = {(a, b) a L w, G(w ) = b} Using standard reduction of L to L, reduces (x, y) to X (L s instance). It also reduces the witness W. Executes P with X, common random string R and auxiliary input W, and outputs the same. Verifier V Reduces (x, y) to X using the same reduction. Executes V with X, common random string R and P s output, and returns the same.

The problem The solution Informal proofs Completeness: trivial. Soundness: P can cheat with a negligible probability 2 l (if y is in the range of G). Zero knowledge: the simulator simply chooses w {0, 1} l and sets y = G(w ). Next, he follows the protocol using (reduction of) w as a witness for P. The output of the simulator is computationally indistinguishable: because 1) G is pseudorandom generator 2) ZK implies WI, therefore, the cases are indistinguishable (see FLS for the full proof).

Until now we dealt with non-adaptive adversaries, i.e., they choose the input message before the reference string is given to them.

Definition ( proof system) A pair of interactive machines (P, V ) is called a adaptive non-interactive zero-knowledge proof system for L if, for some polynomials p 1, p 2 : (Completeness omitted) Soundness: for every x / L and every (even unbounded) machine B, Pr(R {0, 1} p 2(k) ; (x, π) B(R) : V (x, R, π) = 1) ν(k) Zero-knowledge: there exists PPT algorithms S 1, S 2 such that for all PPT adversaries A, the next are comp. indist. {R {0, 1} p 2( x ) ; (x, w) A(R); π P(R, x, w) : (R, x, π)} x L {(R, state) S 1 ; (x, w) A(R); π S 2 (x, state) : (r, x, π)} x L where A() outputs a pair (x, w) such that x p 1 (k).

Adaptization of previous constructions Our previous constructions are very close to being adaptive- Zero knowledge: we can use our original simulator for the HC-NIZK system because it didn t care about the input, it just plays with the crs, so it can work also in the adaptive case. Soundness: instead of using one p(k) random string, use 2k p(k) random string and run (P, V ) 2k times. V will accept only if all proofs were valid. Now, for each x the probability to cheat is at most 2 2k, therefore, the overall probability to cheat is 2 2k 2 k.

Done.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback