On Non-Black-Box Proofs of Security
Boaz Barak, Princeton

Mar 27, 2015

Transcript
Page 1:

On Non-Black-Box Proofs of Security

Boaz Barak, Princeton

Page 2:

Prototypical Crypto Thm: If problem X is hard then scheme Y is secure.

Examples:

• DDH hard ⇒ ∃ CCA-secure encryption [CramerShoup98]

• ∃ OWF ⇒ ∃ signature schemes [NaorYung, Rompel]

Contrapositive: ∃ poly-alg A breaking Y ⇒ ∃ poly-alg B for X

Typical proof: Show generic B using A as subroutine.

[Diagram: x (instance of X) → B^A → solution for x]

We call this a black-box proof of security.

In a non-black-box proof, B can use the code of A (not to be confused w/ black-box vs. non-black-box constructions).

Page 3:

More Formally: (Strongly) Black-Box Reductions (for OWF ⇒ KA)

Eff. (Alice, Bob) and eff. Adv s.t. for all f and Eve: [ Eve breaks (Alice^f, Bob^f) ⇒ Adv^{f,Eve} inverts f ]

[Diagram: underlying primitive f → protocol (Alice, Bob); adversary Eve → security proof Adv^{f,Eve} → inverts f]

Non-black-box proofs of security:

1. Security proof may use code of underlying primitive (i.e., f) (examples: using specific assumptions, Cook-Levin)

2. Security proof may use code of adversary (this talk)

Page 4:

Non-Black-Box Security Proofs

Advantages:

• More general proof technique, can prove more thms.

• Bypass proven limitations of black-box proofs.

Disadvantages:

• Less robust proofs, more dependence on model. E.g.: uniform TMs vs. circuits, quantum algorithms.

• Seem to come at steep cost in efficiency.

(Somewhat surprisingly, without "real" understanding of computation.)

Page 5:

Applications of Non-BB Proofs:

Strong Forms of Zero Knowledge:

• O(1)-round bounded concurrent zero-knowledge (ZK) [B.01]

• Resettably-sound ZK [B.GoldwasserGoldreichLindell01]

• Resettable ZK proof of knowledge [B.GoldwasserGoldreichLindell01]

• ZK with strict poly-time simulation & extraction [B.Lindell02]

Composable protocols:

• O(1)-round concurrent, non-malleable commitments [B.02], [PassRosen05a], [PassRosen05b]

• O(1)-round general multiparty computation [KatzOstrovskySmith03], [Pass04]

• Concurrent, non-malleable general computation [Lindell03], [PassRosen03], [Pass04], [B.Sahai05]

Page 6:

Plan

I Basic Non-BB ZK Protocol [B.01]

II Making it bounded-concurrent [B.01]

III Making it bounded non-malleable.

IV Unbounded concurrency and non-malleability using super-polynomial simulation. [Pass.04], [B.Sahai.04]

V Limitations and open questions.

Page 7:

I Non-Black-Box Zero Knowledge

Zero Knowledge Proof: P proves to V that stmt x is true.

(e.g., x = "string y is encryption of 0", x = "graph G is 3-colorable")

[Diagram: P (witness: c: [n] → {R,G,B}) ↔ V; Stmt: x ∈ {0,1}^n; V outputs "accept"/"reject"]

Page 8:

I Non-Black-Box Zero Knowledge

Zero Knowledge Proof: P proves to V that stmt x is true.

(e.g., x = "string y is encryption of 0", x = "graph G is 3-colorable")

Completeness: P runs in poly-time given witness w for x.

Soundness: If x false, V accepts w.p. < negl(n) = n^{-ω(1)}

Zero Knowledge: ∀ (possibly cheating) V*, ∃ S s.t. S(x) ≈ V*'s view in exec with P(w)

[Diagram: (P ↔ V*) ≈ S(x)]

Page 9:

(Same slide as Page 8, with V* drawn inside the simulator S, and the following added:)

Black-Box ZK: S uses V* as a black-box subroutine (i.e., uses subroutine for V*'s next-message function).

Non-BB ZK: S uses the code of V*.

Page 10:

Some Tools

Commitments [Blum84], [Naor91]: Efficient func Com: {0,1}^k × {0,1}^n → {0,1}^m

Hiding: ∀ x, x'  Com(x, U_n) ≈ Com(x', U_n)

Binding: x ≠ x' ⇒ Com(x, {0,1}^n), Com(x', {0,1}^n) disjoint

(Notation: Com(x) = Com(x, U_n))

Collision Resistant Hash (CRH) [GoldwasserMicaliRivest84], SHA1, AES, …: Collection H of efficient functions {0,1}* → {0,1}^n s.t. for random h ∈ H hard to find x ≠ x' w/ h(x) = h(x'). (implies CRH from {0,1}^{2n} to {0,1}^n)

Witness Indistinguishable Proofs (WI) [FeigeShamir90]: When proving x1 ∨ x2, verifier can't tell witness used.

• Implied by zero knowledge.

• Closed under concurrent composition.

Page 11:

A Flawed Zero Knowledge Protocol

Stmt: x ∈ {0,1}^n

P → V: z = Com(r')

V → P: r ∈_R {0,1}^n

P → V: UAWI proof that either 1) x is true, or 2) r' = r

Completeness: Prover has efficient strategy using witness for x.

Soundness: Suppose x is false. Let z be prover's message. Denote r' = Com^{-1}(z). Pr[r = r'] = 2^{-n}.

Zero Knowledge: Let V* be possibly cheating verifier. Assume w.l.o.g. V* deterministic, so r = V*(z). Sim's goal: z = Com(r), i.e., find r s.t. r = V*(Com(r)). Problem: could take 2^n guesses.

Page 12:

Flawed Protocol – High Level View

Protocol (Stmt: x ∈ {0,1}^n): P → V: z = Com(r'); V → P: r ∈_R {0,1}^n; P → V: UAWI proof that either 1) x is true, or 2) r' = r. Cheating verifier: r = V*(z).

High level view: P → V: "guess r"; V → P: r ∈_R {0,1}^n; P → V: "Stmt true or I guessed r".

Page 13:

Main Tool – Universal Arguments

Interactive proof system for super-polynomial languages. [Kilian92], [Micali94], [B.Goldreich02]

Based on following variant of PCP thm [BabaiFortnowLevinSzegedy91]:

Statement: "M(x) = 1" (M can be deterministic/non-det), where M has an n-bit description and running time T.

Proof: T^{O(1)} long. Verifier: c queries, c·polylog(T) time, 2^{-Ω(c)} error.

Every statement verifiable in T time deterministically can be proven in polylog(T) time in "prob. proof in sky" (PCP) model.

Page 14:

Universal Arguments [Merkle], [Kilian92, Micali94], …

Statement "M(x) = 1", M with n-bit description and running time T; P holds the T^{O(1)}-long PCP proof.

V → P: h, col-res hash h: {0,1}^{2k} → {0,1}^k

P → V: root of hash tree of the proof (invoking h)

V → P: q1, …, qc (PCP verifier queries)

P → V: answers + paths in tree

Prover time: poly(T). Soundness: negl(k). Communication: k·polylog(T). Verifier time: k·polylog(T) + poly(n).

Using commitments and ZK/WI proofs for NP can get UAZK/UAWI w/ same parameters.

Is proof of knowledge [B.Goldreich02].

Page 15:

Basic Non-BB Zero Knowledge [B.01]

Stmt: x ∈ {0,1}^n

V → P: CRH h: {0,1}* → {0,1}^n

P → V: z = Com(h(M))  (M: Turing machine; honest prover uses "junk" TM: always outputs 0)

V → P: r ∈_R {0,1}^n

P → V: UAWI proof that either 1) x is true, or 2) M(z) = r (in ≤ n^{log n} steps)

Completeness: Prover has efficient strategy using witness for x.

Soundness: Suppose x is false. Let z be prover's message. Assume it binds to a single TM M. Denote r' = M(z). Pr[r = r'] = 2^{-n}. Note use of UA property.

Zero Knowledge: Let V* be possibly cheating verifier. Assume w.l.o.g. V* deterministic, so r = V*(z). Sim uses z = Com(h(V*)); then M = V* and M(z) = r, so option 2) holds. Inherently non-BB simulator. [GoldreichKrawczyk86]

Page 16:

High Level View: Basic Non-BB ZK [B.01]

Protocol (Stmt: x ∈ {0,1}^n): V → P: CRH h: {0,1}* → {0,1}^n; P → V: z = Com(h(M)); V → P: r ∈_R {0,1}^n; P → V: UAWI proof that either 1) x is true, or 2) M(z) = r (in ≤ n^{log n} steps).

High level view: P → V: "implicitly guess r"; V → P: r ∈_R {0,1}^n; P → V: "Stmt true or I guessed r".

Page 17:

II Bounded-Concurrent ZK

Concurrent ZK [DworkNaorSahai98], [RichardsonKilian99], …: Coordinated attack of several verifiers against concurrently scheduled ZK proofs.

[Diagram: sessions P1–V1, P2–V2, P3–V3, with all verifiers controlled by V*]

Bounded Concurrent: t sessions. Protocol communication and time poly(t,n).

Challenging because typical "rewinding" technique blows up simulation time.

Requires Ω̃(log n) rounds for BB ZK. [CanettiKilianPetrankRosen01], …, [PrabhakaranRosenSahai03]

Page 18: On Non-Black-Box Proofs of Security Boaz Barak Princeton.

P1h

Stmt: x 2 {0,1}n

UAWI either1) x is true.

2) M(z)=r

V*

r=V*(z)

z=Com(h(V*))

Is Basic Protocol Concurrent ZK?

P2Stmt: x 2 {0,1}n

hV*

z=Com(h(V*))

trans

r=V*(z,trans)

UAWI either1) x is true.

2) M(z)=r ?

Page 19: On Non-Black-Box Proofs of Security Boaz Barak Princeton.

Is Basic Protocol Concurrent ZK?

P1h

Stmt: x 2 {0,1}n

UAWI either1) x is true.

2) M(z)=r

V*

r=V*(z)

z=Com(h(V*))

P2Stmt: x 2 {0,1}n

hV*

z=Com(h(V*))

trans

r=V*(z,trans)

UAWI either1) x is true.

2) M(z)=r ?

Page 20: On Non-Black-Box Proofs of Security Boaz Barak Princeton.

Is Basic Protocol Concurrent ZK?

P1h

Stmt: x 2 {0,1}n

UAWI either1) x is true.

2) M(z)=r

V*

r=V*(z)

z=Com(h(V*))

P2Stmt: x 2 {0,1}n

hV*

z=Com(h(V*))

trans

r=V*(z,trans)

UAWI either1) x is true.

2) M(z)=r ?Idea: relax the definition of “guessing” r

Change (2) to M(z,trans)=r for some |trans| < |r|/2

That is: z is implicit guess for 2|trans| possibilities for r. (notation: guess|trans| r )

Crucial point: can ensure all proververifier msgs have length << |r|

Corollary: O(1)-round bounded ZK (bcZK) for all NP. [B.01]
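As an added illustration, not code from the talk, here is a toy Python model of the simulators on Pages 11, 15 and 20: SHA-256 stands in for the CRH h and for Com, a lookup table stands in for running a committed Turing machine on an input, and clause (2) of the UAWI is checked directly rather than proven. The names vstar, junk and PROGRAMS and the 2-byte session tag are constructed for the example.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    """Stand-in for the page's CRH h (SHA-256 here; a constructed choice)."""
    return hashlib.sha256(data).digest()

def com(msg: bytes, rand: bytes) -> bytes:
    """Toy Com(x, U_n): hash of randomness and message (hiding/binding heuristic only)."""
    return hashlib.sha256(b"com|" + rand + b"|" + msg).digest()

def vstar(z: bytes, trans: bytes) -> int:
    """Deterministic cheating verifier V*: its challenge is a hash of what it has seen."""
    return int.from_bytes(hashlib.sha256(b"V*|" + z + b"|" + trans).digest(), "big")

# Machines are named by description bytes; PROGRAMS plays the universal machine.
# "junk" is the honest prover's TM of Page 15: it always outputs 0.
PROGRAMS = {b"junk": lambda z, trans: 0, b"vstar": vstar}

def run(code: bytes, z: bytes, trans: bytes, n: int) -> int:
    """M(z, trans), reduced to an n-bit challenge r."""
    return PROGRAMS[code](z, trans) % (1 << n)

def clause2_holds(code: bytes, rand: bytes, z: bytes, r: int, trans: bytes, n: int) -> bool:
    """Clause (2) of the UAWI, checked directly instead of proven: z binds to M and
    M(z, trans) = r with |trans| < |r|/2 (Page 20); trans = b'' is Page 15's M(z) = r."""
    if z != com(H(code), rand) or 8 * len(trans) >= n // 2:
        return False
    return run(code, z, trans, n) == r

def flawed_simulator(n: int, rand: bytes, max_tries: int):
    """Page 11's simulator must find r = V*(Com(r)): a search of ~2^n guesses."""
    for guess in range(max_tries):
        if run(b"vstar", com(guess.to_bytes(8, "big"), rand), b"", n) == guess:
            return guess, guess + 1  # fixed point found, guesses used
    return None, max_tries

def nonbb_simulate(n: int, trans: bytes = b"") -> dict:
    """Page 15/20 simulator: z = Com(h(V*)); whatever r V* then picks, M = V* outputs it."""
    rand = secrets.token_bytes(16)
    z = com(H(b"vstar"), rand)
    r = run(b"vstar", z, trans, n)  # r = V*(z, trans); no search at all
    return {"z": z, "r": r, "ok": clause2_holds(b"vstar", rand, z, r, trans, n)}

def cheating_prover_attempt(n: int) -> bool:
    """Prover without a witness commits to junk: clause (2) needs r = 0, probability 2^-n."""
    rand = secrets.token_bytes(16)
    r = 1 + secrets.randbelow((1 << n) - 1)  # non-zero challenge: skip the 2^-n fluke
    return clause2_holds(b"junk", rand, com(H(b"junk"), rand), r, b"", n)

def concurrent_demo(n: int, trans: bytes) -> tuple:
    """Pages 18-20: in a second session V* also reads the other session's transcript
    (a 2-byte tag here). Basic M(z) = r fails; relaxed M(z, trans) = r still holds."""
    s = nonbb_simulate(n, trans)
    return s["ok"], run(b"vstar", s["z"], b"", n) == s["r"]
```

Call flawed_simulator(12, b"fixed", 1 << 12) to watch the fixed-point search of the flawed protocol, and concurrent_demo(64, b"\x00\x01") to see the basic clause fail and the relaxed clause succeed once V* reads another session's transcript.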

Page 21:

III Non-Malleable ZK [DworkDolevNaor90]

Adversary is "man-in-middle" between prover & verifier.

[Diagram: left session P ↔ V1, right session P2 ↔ V; V* plays V1 and P2]

• 2 sessions with unique id. • Arbitrary scheduling (synchronized is hardest).

Bounded non-malleability: id's come from set of size t, protocol communication and time poly(t,n)

[DDN]: O(log n)-rounds

[B.02]: O(1)-rounds

[Pass04]: O(1)-rounds bounded non-mal

[PassRosen05a]: make [Pass04] unbounded NM (simpler, weaker assump)

A bit different non-BB technique.

Security goal: Ensure proof to honest verifiers is sound even when simulating honest prover – simulation soundness. [Sahai00]

Page 22:

Is Simulation Soundness Trivial?

[Diagram: left session (x, id): P ↔ V1; right session (x', id'): P2 ↔ V; V* plays V1 and P2]

Naive attempt to prove that every ZK protocol is simulation sound:

First, note that in real MIM interaction, right session is sound. (otherwise combine V* and P to prover contradicting standalone soundness)

To simulate – consider V and V* as one standalone verifier V', and use simulator for V'.

But, since simulator's output ≈ real interaction, how can simulation differ?

Note: known not to hold for some protocols, but why does naïve "proof" fail?

• The event that x' is true is not efficiently observable.

• Simulator uses coins of V, so right session not necessarily sound.

Page 23:

Pass's Bounded-NMZK Protocol [Pass04]

Left session (P ↔ V1): P: imp. guess r1; V1: r1 ∈_R {0,1}^{m1}; P: Stmt true or guessed_{m1} r1.

Right session (P2 ↔ V): P2: imp. guess r2; V: r2 ∈_R {0,1}^{m2}; P2: Stmt true or guessed_{m2} r2.

Crucial observation: use bcZK to get one-directional simulation soundness.

If m1 >> |right session| then can simulate left w/o right verifier's coins!

Pass's Protocol:

1. Use |r| = id·B (B bound on all other comm in all sessions, note id's bounded)

2. Run another iteration w/ id = max{id} − id

3. Prove in WI that at least one of the iterations succeeded.

Page 24:

IV Concurrent + Non-Malleable ZK

Many concurrent executions. Adversary corrupts both verifiers and provers.

[Diagram: V* between provers P1, P2, P3 and verifiers V1, V2, V3]

Goal: simulation soundness: proofs to honest verifiers valid even in simulation.

Good News: Sufficient for concurrent secure computation of any task. [CanettiLindellOstrovskySahai02], [GoldreichMicaliWigderson87]

Bad News: Impossible to achieve natural definition (UC). [Lindell03], [Lindell04]

Good News: Maybe can achieve relaxed def: quasi-polynomial simulation. Implies: securely computing any task w/ qpoly simulation. [PrabhakaranSahai04]

Bad News: [PS] construction uses non-standard "tailored" assumptions.

Good News: Using non-BB obtain same result under standard assumptions (i.e., implied by factoring is subexp hard) [B.Sahai05]

Page 25:

Isn't qpoly simulation trivial? [Pass03]

Stmt: x ∈ {0,1}^n

V → P: N = pretty large random composite

P → V: Com(p)

P → V: WI proof either 1) x is true, or 2) p prime factor of N (the "Brute Force Option", BFOP; a prover using it has "Broke BFOP")

Completeness: As always.

Soundness: From hardness of factoring.

Concurrent ZK: Straight-line simulation.

Simulation soundness??

[Diagram: MIM with V* playing V1 and P2; left Stmt: x ∈ {0,1}^n, right Stmt: x' ∈ {0,1}^n; V* forwards the same N and the same z = Com(p); left proof: x true or p|N; right proof: x' true or p|N]

In simulation V* can ensure 2nd condition is true.

No reason for right session to be sound!

Page 26:

Concurrent Non-Mal qZK Protocol [B.Sahai05]

Starting point: Pass's protocol for bounded-NM zero knowledge

1st Step: Change it to handle #id's to t = n^{log n}

Problem: In Pass's protocol communication > t

Solution: "Compress" the long messages.

Before: V → P: r1 ∈_R {0,1}^{m1}

After ("implicitly send r1"): V → P: Com(h(r1)), then V proves in UAZK "Know r1". Honest verifier uses r1 = 0^n.

Is it (stand-alone) sound? Is it (stand-alone) zero knowledge?

If proof successful, have qpoly-time knowledge extractor: can obtain r1 by rewinding.

Page 27:

Concurrent Non-Mal qZK Protocol* [B.Sahai05]

Stmt: x ∈ {0,1}^n, id ∈ [t]; m1 = n^{log n}·id, m2 = n^{log n}·(t − id)

[Protocol: P: imp guess r1; V: imp send r1; P: imp guess r2; V: imp send r2; V: BFOP; P: UAWI either 1) stmt true, 2) guessed_{m1} r1, 3) guessed_{m2} r2, 4) broke BFOP]

Completeness: As before.

Soundness: Will follow from simulation soundness.

ZK + Simulation Soundness: Straightline simulator breaking BFOP (4).

Why is that simulation sound??

Page 28:

(Protocol* as on Page 27.)

ZK + Simulation Soundness: Straightline simulator breaking BFOP (4)

Change: Make option (1) weakly indist – observable in qpoly time.

Not an immediate solution: simulator now only weakly indist from real prover.

Idea: build auxiliary simulator that:

1) Strongly indist from "real" simulator.

2) Satisfies simulation soundness.

Why we need the "real" simulator? Auxiliary simulator uses the witness.

Page 29:

(Protocol* as on Page 27.)

ZK + Simulation Soundness:

Real Prover: Uses: witness (1). Sim-sound: yes.

  ≈ (weak)

Aux Simulator: Uses: witness, non-BB (2,3). Sim-sound: yes.

  ≈ (strong)

Real Simulator: Uses: time (4). Sim-sound: ? → Yes!

Page 30:

ZK + Simulation Soundness: Constructing the auxiliary simulator.

Aux Simulator: Uses: witness, non-BB (2,3). Sim-sound: yes.

Execution we need to simulate: [Diagram: V* between provers P1, P2, P3 and verifiers V1, V2, V3]

Useful observation: Can assume only one honest verifier.

(Protocol* as on Page 27; m1 = n^{log n}·id, m2 = n^{log n}·(t − id).)

Page 31:

The auxiliary simulator:

[Diagram: left session P* ↔ V (honest verifier): imp guess r1; imp send r1; imp guess r2; imp send r2; BFOP; UAWI either 1) stmt true, 2) guessed_{m1} r1, 3) guessed_{m2} r2, 4) broke BFOP. Right session V* ↔ P: imp guess r1; imp send r'1; imp guess r'2; imp send r'2; BFOP; UAWI with the same four options.]

Honest ver uses r1 = 0^n. We'll use r1 ∈_R {0,1}^{m1}.

Need program M1 s.t. M1(t1) = r'1 for |t1| << |r'1| (notation as on Page 34).

Can now simulate this part w/o access to ver's coins.

Build M1 using V* + r1 + UA knowledge extractor.

Page 32:

(Same diagram as Page 31, with the other sessions P2, P3, …, Pm.)

Build using V* + r1 + UA knowledge extractor:

• To run extractor need to simulate other sessions.

• To simulate other sessions, need to run extractor.

When building M1 use witness to sim other sessions! (never sent in clear – still strongly indist!)

Page 33:

Questions:

• All these use universal args. Are there different non-BB techniques?

• Random oracle model also used to achieve non-malleability and concurrent security. Can we justify this? (so far mostly negative results [CanettiGoldreichHalevi98], [GoldwasserTa03])

• Is there ZK system w/ O(1)-rounds and public coin verifier? Related to both these questions.

• Are these non-BB techniques inherently unpractical? Two problematic components: general ZK and PCP theorem. On other hand: PCP get simpler, more efficient [BenSassonSudan05], [Dinur05]. Maybe can push complexity to simulation?

• Handling quantum adversaries?

[B.Sahai05]

Page 34:

Concurrent Non-Mal qZK Protocol (full version)

[Diagram: MIM V* between honest verifier V (left, holding CRH h) and provers P1, P2 (right)]

Stmt: x ∈ {0,1}^n, id ∈ [t]; k1 = n^{log n}·id, k2 = n^{log n}·(t − id)

z1 = Com(h(M1))

UACom(r1)

z2 = Com(h(M2))

UACom(r2)

BFOP

UAWI either 1) x is true. 2) ∃ |t1| < k1 − n s.t. M1(z1, t1) = r1. 3) ∃ |t2| < k2 − n s.t. M2(z2, t2) = r2. 4) Broke BFOP.

Rules of engagement: Simulate execution s.t.:

1) Never use option #1 in UAWI

2) No use of time between dotted lines.

3) No use of ver. coins after green line.

Use M1 = V* program + r1 + extractor for UA. To rewind, M1 uses witness! Use random r1 of length k1.

Page 35:

(Same slide as Page 34.)