Concurrent Zero-Knowledge
Cynthia Dwork (IBM Almaden), Moni Naor (Weizmann), Amit Sahai (MIT)
Jan 23, 2016
Zero-Knowledge on the Internet
(Figure: one Prover and Verifier 1, Verifier 2, Verifier 3, Verifier 4.)
Deniable Message Authentication
(Figure: Monica L., Linda Tripp, Bill.)
Outline
1. Zero Knowledge -- What goes wrong in the concurrent setting?
2. Timing -- Assumptions and Uses
3. Concurrent Zero-Knowledge for NP
4. Open Problems
Zero-Knowledge Paradigm [GMR85]
(Figure: Verifier and Prover exchange messages v1, p1, v2, ..., pk; Verifier outputs accept/reject.)
When assertion is true, Verifier can simulate her view of the interaction on her own.
Formally, require that for every probabilistic poly-time Verifier, there is a probabilistic poly-time simulator such that, when the assertion is true, its output distribution is indistinguishable from Verifier's view of its interaction with Prover.
We require the same to hold for every collection of polynomially many Verifiers, controlled by a probabilistic poly-time Adversary.
Protocol for NP: Graph 3-Colorability
1. Verifier: commit to the edge to be queried
2. Prover: commit to vertex colors
3. Verifier: open commitment to the edge
4. Prover: open commitments to colors on the edge
Simulator for Graph 3-Colorability
• Get Verifier Step 1 commitment
• Commit to nonsense in Step 2
• See Verifier's revealed edge e in Step 3
• Rewind Verifier to Step 2
• Commit to colors good for e in Step 2
• Verifier must reveal same e in Step 3
• Open commitments to e's colors in Step 4
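The four-step protocol and its rewinding simulator, as an added Python example that is not from the original slides. The SHA-256 commitment, the `Verifier` class and the function names are assumptions made for illustration; the sample graph is constructed.

```python
import hashlib, os, random

def commit(value):
    """Hash-based commitment (assumed stand-in for the slides' commitment scheme)."""
    nonce = os.urandom(16)
    return hashlib.sha256(nonce + repr(value).encode()).hexdigest(), (nonce, value)

def opens(com, opening):
    nonce, value = opening
    return hashlib.sha256(nonce + repr(value).encode()).hexdigest() == com

class Verifier:
    """Honest verifier, written so the simulator can rewind it to Step 2."""
    def __init__(self, edges, rng):
        self.edges, self.rng = edges, rng

    def step1(self):                          # Step 1: commit to the edge to be queried
        self.edge_com, self.edge_open = commit(self.rng.choice(self.edges))
        return self.edge_com

    def step3(self, color_coms):              # Step 3: open the edge commitment
        self.color_coms = color_coms          # a rewind simply overwrites Step 2
        return self.edge_open

    def step4(self, open_u, open_v):          # check of the prover's Step 4 message
        u, v = self.edge_open[1]
        valid = opens(self.color_coms[u], open_u) and opens(self.color_coms[v], open_v)
        return valid and open_u[1] != open_v[1]

def honest_prover(vertices, coloring, verifier, rng):
    verifier.step1()
    perm = rng.sample(range(3), 3)            # fresh renaming of the three colors
    pairs = {x: commit(perm[coloring[x]]) for x in vertices}
    u, v = verifier.step3({x: c for x, (c, _) in pairs.items()})[1]
    return verifier.step4(pairs[u][1], pairs[v][1])

def simulate(vertices, verifier, rng):
    """Simulator from the slide: knows no coloring, rewinds the verifier once."""
    edge_com = verifier.step1()
    nonsense = {x: commit(0)[0] for x in vertices}        # Step 2 with nonsense
    edge_open = verifier.step3(nonsense)                  # Step 3 reveals e
    assert opens(edge_com, edge_open)
    u, v = edge_open[1]
    cu, cv = rng.sample(range(3), 2)                      # two distinct colors for e
    pairs = {x: commit({u: cu, v: cv}.get(x, 0)) for x in vertices}   # rewound Step 2
    assert verifier.step3({x: c for x, (c, _) in pairs.items()})[1] == (u, v)
    return verifier.step4(pairs[u][1], pairs[v][1])       # Step 4 on e only

if __name__ == "__main__":
    rng = random.Random(1)
    V, K4 = [0, 1, 2, 3], [(a, b) for a in range(4) for b in range(a + 1, 4)]
    # Constructed sample: K4 has no 3-coloring, yet rewinding yields an accepting view.
    print(simulate(V, Verifier(K4, rng), rng))
```

The simulator's accepting view comes from rewinding alone, which is why it needs one extra run of Step 2 per verifier and why nested sessions multiply that cost.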
Many Verifiers: A Troublesome Interleaving
V1 V2 … Vn-1 Vn
1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4
(…)
Simulation takes exponential time!
Our Goal
• Zero-Knowledge protocol for NP secure under concurrent execution
• few rounds
• simple
• local control
Timing
Explicit use of time.
Weak Synchronization Assumption: There exist such that:
Your clock All other clocks
But: Allow Adversary to control timing of all messages, subject to constraint above.
Uses of Timing
Previous Work:
In Zero-Knowledge:
• [Beth & Desmedt90] [Brands & Chaum93] Use very accurate timing to prevent PIM attacks
As Cryptanalytic Tool:
• [Kocher96] Attack PK Cryptosystems by measuring time to decrypt (shows time-awareness is necessary)
We use only:
• Time-outs (require message within time )
• Delays (wait local time before sending message)
Protocol for NP with timing: Graph 3-Colorability
1. Verifier: commit to the edge to be queried
2. Prover: commit to vertex colors
3. Verifier: open commitment to the edge
4. Prover: open commitments to colors on the edge
Timing Constraints:
• Verifier must send Step 3 message within time of Step 1 message. (Prover waits )
• Prover waits until time has elapsed since Step 1 before sending Step 4.
Invariant: While any Verifier is in Steps 1-3, no new interaction can start and proceed to Step 4.
Many Verifiers: A Troublesome Interleaving
V1 V2 … Vn-1 Vn
1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4
Are we done? Not quite…
Naïve simulation still does not work:
• Bad static interleavings are impossible… But:
• Adversary can select timings (and hence interleavings) of messages randomly.
• Careful simulator design yields almost Zero-Knowledge (1/poly simulation error).
• For Arguments, assuming “trapdoor” statistically hiding commitment schemes exist (e.g. exist under Discrete Log Assumption), can achieve Perfect Zero-Knowledge.
Other Results and Extensions
• Also achieve Proofs of Knowledge with Concurrent Perfect Extractors.
• Simple protocols for Deniable Message Authentication using Timing to ensure both Privacy and Soundness.
• Recent work of Dwork and Sahai (Crypto ‘98) -- for Arguments, show how to restrict Timing Constraints to short Preprocessing Protocol, still achieve Concurrent Zero-Knowledge.
Open Problems
• Concurrent Zero-Knowledge possible in the standard model?
• Other uses of Timing under only a Weak Synchronization Assumption?
Motivation
Easier to prove statements about the honest-verifier model, e.g. HVSZK. By result, structural properties extend to General ZK as well.
Methodology:
Design an HVZK proof
Transform into General ZK proof
Why would one want to give such a transformation?
Many Verifiers: A Troublesome Interleaving
V1 V2 … Vn-1 Vn
1 2 1 2 .. 1 2 1 2 3 4 3 4 .. 3 4 3 4
(… $2^n$ simulations …)
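Statistical Difference metric between distributions
(Figure: curves of X and Y; the statistical difference is half the area between them.)
Statistical difference between X and Y: $\frac{1}{2} \sum_{x} \left| \Pr[X = x] - \Pr[Y = x] \right|$
Statistically close means statistical difference is exponentially small in input size n = |x|.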
Our Results
For Public-Coin Proof Systems, for both Statistical ZK and Computational ZK:
Show how to transform any proof ZK for Honest Verifier into proof ZK for Any Verifier.
No computational assumptions needed for transformation.
ZK condition holds even for computationally unbounded Verifiers.
For SZK, [Oka96] gives a transformation: HV → Public-Coin HV. We transform: Public-Coin HV → General. Hence, HV → General w/o Public Coins.
Public Coin Proofs [Babai]
(Figure: Arthur (Verifier) sends Random Coins, Merlin (Prover) sends a Response, repeated; Arthur outputs Accept/Reject.)
Previous Work
Conditional:
For Computational Zero-Knowledge, assuming one-way functions exist, General CZK = IP = HVCZK [GMW86, IY87, Ben-Or+88]
For Statistical Zero-Knowledge, assuming one-way functions exist, HVSZK = General SZK [BMO90, OVY93, Oka96]
Unconditional:
For both CZK and SZK, but restricted to constant round Public-Coin Proofs, HV = General [Dam94, DGW94]
Techniques
Main Ingredients:
A new Random Selection Protocol.
A new Hashing Lemma about 2-universal hash functions.
(Figure: Random Selection between Arthur and Merlin.)
The Transformation
(Figure: Arthur and Merlin; Random Selection.)
The Simulator
Use the Honest-Verifier Simulator to generate transcript:
(Figure: transcript.)
Desired Properties of Random Selection (RS) I
Dishonest Merlin: need guarantee that Merlin cannot control output distribution too much, to ensure Soundness.
Let B be set of possible r's on which original Merlin can fool Arthur. (details omitted)
So if, at each RS protocol, for any set S of possible Arthur messages ('s),
$\Pr[\text{RS Outcome} \in S] \le 2^{n} \cdot \mathrm{density}(S)$,
after r rounds, Merlin can make B at most $2^{rn}$ times more likely than in original protocol.
Use parallel repetition of original proof system to make $\Pr[B]$ at most $2^{-(r+1)n}$.
Hence Final Soundness Error at most $2^{-n}$.
Desired Properties of Random Selection (RS) II
Dishonest Arthur: need Simulator distribution to be close to true distribution:
HV Simulator outputs nearly uniform 's. Hence, RS protocol must also.
Moreover, for almost every , need to simulate RS protocol to output .
i.e. For almost any , need distribution of Simulator for RS to be statistically close to distribution of actual RS transcripts, conditioned on the output being .
Random Selection [DGW]
Arthur selects "random" partition of message space into cells of size poly(n).
(Figure, Arthur and Merlin: partition; Cell $\in_R$ partition; $\in_R$ Cell; message space $\{0,1\}^{(n)}$.)
Dishonest Merlin can cause at most 1/poly(n) statistical deviation.
When Arthur is Dishonest, can simulate for only a 1/poly(n) fraction of 's.
Yields result only for constant round.
We fix this.
Our Solution
Use [DGW] protocol to select randomly among sets of $2^n$ possible 's.
Any 1/poly(n) fraction of such sets will cover the space of 's almost uniformly.
(Figure, Arthur and Merlin: [DGW] RS protocol gives a Set S of $2^n$ 's; then $\in_R$ S.)
Hash Functions
We use hash functions to describe sets of 's.
Let the space of Arthur messages be $\{0,1\}^{(n)}$.
Let H be the space of affine-linear functions $h(x) = Ax + b$, from $\{0,1\}^{(n)}$ to $\{0,1\}^{(n)-n}$.
For almost all h's, $h^{-1}(0)$ is of size $2^n$.
H is a 2-universal family of hash functions, so 's will be "well spread" over sets $h^{-1}(0)$.
We will use $h^{-1}(0)$ to be our set of 's.
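An exhaustive check of the two properties this slide relies on, as an added Python example that is not from the original slides. The parameter names `l` (message bits) and `m` (output bits, so the slide's n is `l - m`) and all function names are assumptions; the sizes are tiny so every h can be enumerated, whereas "almost all" on the slide is an asymptotic statement.

```python
from collections import Counter
from itertools import product

def parity(x):
    return bin(x).count("1") & 1

def make_h(rows, b):
    """h(x) = Ax + b over GF(2); rows are the rows of A as bitmasks, b is an m-bit int."""
    def h(x):
        ax = sum(parity(r & x) << i for i, r in enumerate(rows))
        return ax ^ b
    return h

def family(l, m):
    """Every affine-linear h from l bits to m bits, as a lookup table over the domain."""
    tables = []
    for rows in product(range(2 ** l), repeat=m):
        for b in range(2 ** m):
            h = make_h(rows, b)
            tables.append(tuple(h(x) for x in range(2 ** l)))
    return tables

def preimage_size_histogram(tables):
    """Number of functions h for each value of |h^{-1}(0)|."""
    return Counter(t.count(0) for t in tables)

def pairwise_independent(tables, l, m):
    """For every x != y, (h(x), h(y)) is exactly uniform over all pairs of outputs."""
    want = len(tables) // (2 ** m) ** 2
    for x in range(2 ** l):
        for y in range(x + 1, 2 ** l):
            hits = Counter((t[x], t[y]) for t in tables)
            if len(hits) != (2 ** m) ** 2 or set(hits.values()) != {want}:
                return False
    return True

if __name__ == "__main__":
    l, m = 4, 2                      # constructed toy size: n = l - m = 2
    tables = family(l, m)
    # Full-rank A gives |h^{-1}(0)| = 2^n = 4; rank-deficient A gives 0, 8 or 16.
    print(sorted(preimage_size_histogram(tables).items()))
    print(pairwise_independent(tables, l, m))
```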
New Random Selection
Arthur selects "random" partition of H into cells of size poly(n).
(Figure, Arthur and Merlin: partition; Cell $\in_R$ partition; h $\in_R$ Cell; $\in_R h^{-1}(0)$.)
Properties of Random Selection (RS)
Dishonest Merlin: For any set S of Arthur messages, $\Pr[\text{Outcome} \in S] \le 2^{n} \cdot \mathrm{density}(S)$.
Still OK for Soundness.
Dishonest Arthur: Outcome almost uniform. For almost every , can simulate RS protocol to output .
i.e. For almost any , distribution of Simulator for RS is statistically close to distribution of actual RS transcripts, conditioned on the output being .
1/poly(n)
Simulation of Random Selection (RS)
The random tape of Arthur is already fixed; Arthur is deterministic.
Simulator, on input :
Obtains Arthur's partition p.
Chooses cell y randomly among cells containing some h such that h(
If Arthur picks h such that h(, output (p,y,h,
Otherwise repeat.
Why does this work?
RS Protocol & Simulator
(Figure, Arthur and Merlin: partition; Cell $\in_R$ partition; h $\in_R$ Cell; $\in_R h^{-1}(0)$.)
New Hashing Lemma (first view)
(Figure: hash functions H on one side, 's on the other; label $2^n$.)
Blue hash functions: any inverse polynomial fraction of all hash functions H.
Weight from blue edges nearly uniform on 's.
New Hashing Lemma (another view)
(Figure: hash functions H and 's.)
For almost any , fraction of blue neighbors is almost same as fraction of blue hash functions.
New Hashing Lemma
Let Blue $\subseteq$ H be any set of size |H| / poly(n).
Then, for all but a 2-(n) fraction of 's, … 2-(n).
(Hence the simulation is polynomial time)
Moreover, the statistical difference between the following two distributions is at most $2^{-n}$:
(I) Choose h $\in_R$ Blue. Let $\in_R h^{-1}(0)$. Output (h, ).
(II) Choose $\in_R \{0,1\}^{(n)}$. Let h $\in_R$ Blue . Output (h, ).
(Hence the simulation is statistically close.)
Proof Sketch (of first view)
Want to show: for all sets S of 's, Pr[Output in S] = density(S) ± 2-(n).
We show that for a 1-2-(n) fraction of h ∈ H, h is a "good choice" for S, i.e.
$|h^{-1}(0) \cap S| \,/\, |h^{-1}(0)|$ = density(S) ± 2-(n).
(First show this is true in expectation over h ∈ H, then use Chebyshev's inequality to prove deviation from expectation is 2-(n) with probability 1-2-(n). Analysis made possible by pairwise independence of h ∈ H.)
Since Blue is inverse polynomial fraction of H, also holds for a 1-2-(n) fraction of h ∈ Blue.
Conclusions
We transform Public-Coin proofs ZK for the Honest Verifier into proofs ZK for any Verifier.
HVSZK = SZK
Public-Coin HVCZK = Public-Coin CZK
We give a new Hashing Lemma which may be of independent interest.
Proofs and Zero-Knowledge
Usual proof:
- Convincing
- Lots of Knowledge
(Cartoon: "I tell you, P≠NP!" "How's that?" "Proof: …………..…." "I understand!")
New Notion of Proof:
Interactive Process: Prover tries to convince Verifier
Probabilistic Confidence
Zero-Knowledge: yield nothing beyond validity of assertion
Interactive Proof System [GMR] for a language L
(Figure: Verifier and Prover exchange messages v1, p1, v2, ..., pk; Verifier outputs accept/reject.)
Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x belongs to language L.
• (Completeness): When x ∈ L, Verifier accepts with high prob.
• (Soundness): When x ∉ L, no matter what strategy Prover uses, Verifier accepts with low prob.
Graph Isomorphism
The Problem: Are these graphs the same under a relabeling of vertices?
(Figure: two graphs, G0 and G1, each on vertices 1-8.)
YES
Relabeling: G0 → G1
6 2 8 1 4 5 3 7
1 2 3 4 5 6 7 8
Desired Properties of Random Selection (RS) Protocol
When Merlin is Dishonest, need guarantee that Merlin cannot control output distribution too much, to ensure soundness of resulting proof system. (details omitted)
When Arthur is Dishonest, need Simulator distribution to be close to true distribution: HV Simulator outputs nearly uniform 's. Hence, RS protocol must also. Moreover, for almost every , need to simulate RS protocol to output .
i.e. For almost any , need distribution of Simulator for RS to be statistically close to distribution of actual RS transcripts that output .
Zero Knowledge Proof System [GMW]
Prover: Let H be graph obtained by random relabeling of G0. Send H.
Verifier: Pick G0 or G1 at random: b $\in_R$ {0,1}. Send b.
Prover: Let be the relabeling H → Gb.
Verifier: Check if maps H → Gb. If so, accept. If not, reject.
Honest Verifier Simulator:
- Pick G0 or G1 at random first: b $\in_R$ {0,1}.
- Then let H be graph obtained by random relabeling of Gb -- and call the relabeling .
Output (H, b, ).
General Verifiers...
Why it works
Protocol: H: random relabeling of G0; b: random bit; : relabeling H → Gb
Simulator: H: random relabeling of Gb; b: random bit; : relabeling H → Gb
(Figure: H, G0, G1.)
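The comparison on the "Why it works" slide, carried out exhaustively as an added Python example that is not from the original slides. It enumerates every coin choice of the honest protocol and of the honest-verifier simulator on a small constructed instance and measures the statistical difference between the two transcript distributions; the names `relabel`, `real_views`, `simulated_views`, `PHI` and the sample graph are assumptions.

```python
from collections import Counter
from itertools import permutations

def relabel(perm, graph):
    """Apply vertex map perm to a graph given as a frozenset of 2-element frozensets."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

def inverse(perm):
    inv = [0] * len(perm)
    for src, dst in enumerate(perm):
        inv[dst] = src
    return tuple(inv)

def compose(f, g):
    """Permutation 'first g, then f'."""
    return tuple(f[g[v]] for v in range(len(g)))

def real_views(g0, g1, phi):
    """Honest prover (who knows phi: G0 -> G1) with honest verifier, over all coins."""
    views = Counter()
    for sigma in permutations(range(len(phi))):
        h = relabel(sigma, g0)                    # H: random relabeling of G0
        for b in (0, 1):                          # verifier's random bit
            pi = inverse(sigma) if b == 0 else compose(phi, inverse(sigma))
            assert relabel(pi, h) == (g0, g1)[b]  # verifier's check: pi maps H to Gb
            views[(h, b, pi)] += 1
    return views

def simulated_views(g0, g1, n):
    """Honest-verifier simulator: pick b first, then H as a relabeling of Gb."""
    views = Counter()
    for b in (0, 1):
        for pi in permutations(range(n)):
            views[(relabel(inverse(pi), (g0, g1)[b]), b, pi)] += 1
    return views

def statistical_difference(x, y):
    """Half the L1 distance between two empirical distributions (Counters)."""
    tx, ty = sum(x.values()), sum(y.values())
    return sum(abs(x[k] / tx - y[k] / ty) for k in set(x) | set(y)) / 2

# Constructed sample instance: G0 is the path 0-1-2-3 and G1 = PHI(G0).
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])
PHI = (2, 0, 3, 1)
G1 = relabel(PHI, G0)
```

The simulator never uses `PHI`, yet its output distribution matches the real one exactly, which is the honest-verifier case; a verifier that picks b as a function of H is the harder "General Verifiers" case.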
Zero-Knowledge (ZK)
Zero-Knowledge means Verifier learns nothing except truth of assertion.
Implementation Idea:
When assertion is true, Verifier can produce transcripts of the interaction on her own.
(Figure: messages v1, p1, v2, ..., pk; accept/reject.)
Scope:
Honest Verifier
Any Verifier
Statistical Zero-Knowledge (SZK) Proof Systems [GMR]: Honest and General
Proof system for L is statistical zero-knowledge for the Honest Verifier (HVZK) if for the honest Verifier V, there exists a probabilistic poly-time simulator S such that, when x ∈ L, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V with Prover.
Proof system for L is statistical zero-knowledge for General Verifiers (General ZK), if for every probabilistic poly-time Verifier V*, there exists a probabilistic poly-time simulator S such that, when x ∈ L, the output distribution S(x) is statistically close to the distribution of transcripts from actual interactions of V* with Prover.
Our Results (really)
For Public-Coin Statistical Zero-Knowledge Proof Systems:
Show how to transform any proof ZK for Honest Verifier into proof ZK for Any Verifier.
No computational assumptions needed for transformation.
ZK condition holds even for computationally unbounded Verifiers.
For SZK, [Oka96] gives a transformation: HV → Public-Coin HV. We transform: Public-Coin HV → General. Hence, HV → General w/o Public Coins.
Previous Work
Assuming one-way functions exist, HV = General. [BMO90, OVY93, Oka96]
Without such assumptions: but restricted to constant rounds, Public Coin HV = General. [Dam94, DGW94]
Random Selection
Two distrustful parties agree on a random string.
If any one party is dishonest, output should still have random properties.
Desired Properties of Random Selection (RS) Protocol
When Merlin is Dishonest, need guarantee that Merlin cannot control output distribution too much, to ensure soundness of resulting proof system. (details omitted)
When Arthur is Dishonest, need Simulator distribution to be close to true distribution: HV Simulator outputs nearly uniform 's. Hence, RS protocol must also. Moreover, for almost every , need to simulate RS protocol to output .
i.e. Conditioned on a fixed , need Simulator distribution to be statistically close to distribution of actual RS transcripts that output .
Zero-Knowledge means Verifier learns nothing except truth of assertion. Formally, can simulate interaction.
Zero-Knowledge (ZK)
Definitions
Quality: Computational, Statistical
Scope: Honest, General
We give a transformation:
Proof ZK for Honest Verifier → Proof ZK for General Verifiers
Black-Box Simulator:
(Figure: Simulator and Verifier; Random Tape; messages v1, p1, ..., vk, pk, vk+1.)
Computational Zero-Knowledge: Require Simulator Distribution to be only Computationally Indistinguishable rather than statistically close.
Zero-Knowledge Proof [GMR85]
(Figure: Verifier and Prover exchange messages v1, p1, v2, ..., pk; Verifier outputs accept/reject.)
When assertion is true, Verifier can simulate her view of the interaction on her own.
Formally, a proof system is Statistical ZK if for every Verifier, there is a probabilistic poly-time simulator such that, when the assertion is true, its output distribution is statistically close to Verifier's view of the interaction with Prover.
Computational ZK: require simulator distribution to be computationally indistinguishable rather than statistically close.
Our Results
For Public-Coin Proof Systems, for both Statistical ZK and Computational ZK:
Show how to transform any proof ZK for Honest Verifier into proof ZK for Any Verifier.
For Statistical ZK, HVSZK = Public-Coin HVSZK [Oka96], so we show HVSZK = General SZK.
No computational assumptions
ZK condition holds even for computationally unbounded Verifiers
Previous Work
For Computational Zero-Knowledge, assuming one-way functions exist, CZK = HVCZK = IP = PSPACE [GMW86, IY87, Ben-Or+88]
For Statistical Zero-Knowledge, assuming one-way functions exist, SZK = HVSZK [BMO90, OVY93, Oka96]
For both CZK and SZK, unconditionally, but restricted to constant round Public-Coin Proofs, Honest Verifier = General Verifier [Dam94, DGW94]
Desired Properties of Random Selection (RS)
Dishonest Merlin: For any set S of Arthur messages, $\Pr[\text{Outcome} \in S] \le 2^{n} \cdot \mathrm{density}(S)$.
OK for Soundness by parallel repetition of Original Proof System.
Dishonest Arthur: Outcome almost uniform. For every , can simulate RS to produce .
i.e. Conditioned on a fixed , the simulator distribution is statistically close to distribution of actual RS transcripts that produce .
Random Selection [DGW]
Arthur selects "random" partition of message space into cells of size poly(n).
(Figure, Arthur and Merlin: partition; Cell $\in_R$ partition; $\in_R$ Cell.)
Dishonest Merlin can cause at most 1/poly(n) statistical deviation.
For Dishonest Arthur: can simulate for only a 1/poly(n) fraction of 's.
Yields result only for constant round.
We fix this.
Properties of Random Selection (RS)
Dishonest Merlin: For any set S of Arthur messages, $\Pr[\text{Outcome} \in S] \le 2^{n} \cdot \mathrm{density}(S)$.
Still OK for Soundness.
Dishonest Arthur: Outcome almost uniform. For almost every , can simulate RS to produce .
i.e. Conditioned on a fixed , the simulator distribution is statistically close to distribution of actual RS transcripts that produce .
1/poly(n)
Public Coin Proofs [Babai]
(Figure: Arthur sends Random Coins, Merlin sends a Response, repeated; Arthur outputs Accept/Reject.)
New Hashing Lemma
Let Blue $\subseteq$ H be any set of size |H| / poly(n).
Let H = {h | h( ) = 0}.
Then, for all but a 2-(n) fraction of 's, … 1/poly(n).
(Hence the simulation is polynomial time)
Moreover, the statistical difference between the following two distributions is at most $2^{-n}$:
(I) Choose h $\in_R$ Blue. Let $\in_R h^{-1}(0)$. Output (h, ).
(II) Choose $\in_R \{0,1\}^{(n)}$. Let h $\in_R$ Blue $\cap$ H . Output (h, ).
(Hence the simulation is statistically close.)
Honest-Verifier Statistical Zero-Knowledge Equals General Statistical Zero-Knowledge
Oded Goldreich (Weizmann), Amit Sahai (MIT), Salil Vadhan (MIT)