1 / 22

Strict Polynomial-Time in Simulation and Extraction

Strict Polynomial-Time in Simulation and Extraction. Boaz Barak & Yehuda Lindell. Interactive Proofs/Arguments. L=L(R) 2 NP. x (x 2 L). P. V. w 2 R(x). Zero-Knowledge:.

chapa
Download Presentation

Strict Polynomial-Time in Simulation and Extraction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell

  2. Interactive Proofs/Arguments L=L(R) 2NP x (x2L) P V w2R(x) Zero-Knowledge: Everything an efficient verifier can learn after a ZK interaction can be learned by applying an efficient algorithm (i.e., simulator) to the public input. 9efficientSs.t.8 efficientV*8 x2 L S(V*,x)  <P,V*>(x)

  3. Interactive Proofs/Arguments L=L(R) 2NP x (x2L) P V w2R(x) Proof of Knowledge (POK): If an efficient prover can convince the honest verifier that x2L then there exists an efficient algorithm (knowledge extractor) to extract a witness for x from the prover’s strategy. 9efficientEs.t.8 efficientP* 8 x Pr[ E(P*,x)2 R(X)] » Pr[<P*,V>(x)=1]

  4. Definition of Zero-Knowledge: Everything an efficient verifier can learn after a ZK interaction can be learned by applying an efficient algorithm to the public input. 9efficientSs.t.8 efficientV*8 x2 L S(V*,x)  <P,V*>(x) Popular formal interpretation: efficient= probabilistic polynomial-time efficient= probabilistic expectedpolynomial-time

  5. Definition of Proofs of Knowledge (POK): If an efficient prover can convince the honest verifier that x2L then there exists an efficient algorithm (knowledge extractor) to extract a witness for x from the prover’s strategy. 9efficientEs.t.8 efficientP* 8 x Pr[ E(P*,x)2 R(X)] » Pr[<P*,V>(x)=1] Popular formal interpretation: efficient= probabilistic polynomial-time efficient= probabilistic expectedpolynomial-time

  6. Possible Defs for Zero-Knowledge

  7. Possible Defs for Zero-Knowledge / POK

  8. Possible Defs for Zero-Knowledge Summary:Def 1 is best if it can be met.

  9. Summary:Def 1 is best if it can be met. [B,BG]: For Zero-Knowledge Def 1 can be met by a constant-round prot. w/ a non-black-box simulator (assuming CRH) Our Results: 1. In both cases Def 1 can not be met in constant-rounds by a black-box simulator/extractor. 2. In case of POK Def 1can be met by a constant-round prot. w/ a non-black-box extractor (assuming CRH&TDP)

  10. V1 V2 P1 P2 Impossibility of strict poly-time black-boxsimulation Motivation: Look at how known expectedpoly-time black-box simulators work (e.g. [FS]) P V

  11. No clue how to continue V1 V2 V2’ P1 P2’ P1’ Suppose that V* only sends message v2 w.p.  S V* V2 Using (v1,v2) and (v1,v2’) can simulate proof!

  12. V1 ? P1 Suppose that V* only sends message v2 w.p.  S V* - n2 work w.p. 1-: Output (v1,p1,?)

  13. V2’’’’ ? V1 V2 P2’’’’ P1’’’’ P1’ P1 Suppose that V* only sends message v2 w.p.  S V* 1/ times… V2 - n2 work w.p. 1-: Output (v1,p1,?) w.p. : Output (v1,p1’’’’,v2’’’’,p2’’’’) - (1/)¢n2 work Ex[work] = (1-)n2 + ¢(1/)¢n2· O(n2)

  14. If we stop simulator after less than 1/ steps then simulation fails! Note that  may be any non-negligible value(e.g., 1/>>n2 ) V2’’’’ ? V1 V2 ? P1’ P1 P2’’’’ P1’’’’ P1’’ Suppose that V* only sends message v2 w.p.  S V* V2 - n2 work w.p. 1-: Output (v1,p1,?) w.p. : Output (v1,p1’’’’,v2’’’’,p2’’’’) - (1/)¢n2 work Ex[work] = (1-)n2 + ¢(1/)¢n2· O(n2)

  15. ·(c)c+1 t(n) Choose = ¼(c) -1 t(n) Impossibility of strictblack-boxsimulationfor constant-round protocols. Let <P,V> be ZK proof for L with c verifier messages and strictt(n)-time black-box simulator S Let V* be s.t. V* aborts in any round w.p. 1-where  is chosen s.t. 8 x2 L 1. Pr[ <P,V*>(x)=1] = c > 1/p(n) 2. Pr[ SV*(x) sees more than c messages ]<< 1/p(n)

  16. Our Results: 1. In both cases Def 1 can not be met in constant-rounds by a black-box simulator/extractor. 2. In case of POK Def 1can be met by a constant-round prot. w/ a non-black-box extractor (assuming CRH&TDP)

  17. Obtaining POK with strictpoly-time extractor ZK membershipproof* w/ strict simulation [B,BG] constant-roundCommit With Extract Scheme + = Trapdoor Permutations Commit-With-Extract: Secure commitment scheme s.t. using sender’s code can extract committed value in strict polynomial-time. Can be used to obtain a ZKPOK for NP

  18. Conclusion: Non-Black-Box techniques are both necessaryand sufficient to obtain strictpolynomial-time simulation and extraction.

  19. Commit-With-Extract Need constant-round commitment scheme s.t. can extract committed value in strict poly-time using sender’s code. Obtaining POK with strict poly-time extractor Proof Outline: Let L 2 NP, a ZKPOK will be x2L P V w2W(x) y=Comm(w) ZKPComm-1(y) 2 W(x)

  20. Proof Sketch: Assume <P,V> is c-roundZK proof for L Suppose S is strictt(n)-time black-box simulator Lemma: If V* is honest+abort verifier and 8 x2 L Pr[ SV*(x) is accepting and S saw· c responds ] > 1/p(n) Then L2BPP Why? For xL Pr[ SV*(x) is accepting and S saw· c responds ] = negl(n)

  21. ButPr [ SV*(x) gets > c non-? responds ] ·( c )c+1 t(n) Pr[ SV*(x) accepting and S saw ·c responds]¸c-( c )c+1 t(n) For  < ¼( c ) this is > ½c = 1/p(n) t(n) -1 Fix V* s.t. in any round independently w.p. 1-: V* aborts w.p. : V* behaves like honest verifier Clearly, 8 x2 L Pr[ <P,V*>=1 ] = c Thus 8 x2 L Pr [ SV*(x) is accepting proof for x] »c And so

  22. Obtaining POK with strictpoly-time extractor ZK membershipproof* w/ strict simulation [B,BG] ZK proof* of knowledgew/ strictextraction + = Trapdoor Permutations Thm: Suppose that 1. 9 Trapdoor Permutations 2. 9 constant-round ZK argument for NP w/ strict poly-time simulatorThen, 9 constant-round ZK argument of knowledge w/ strict poly-time knowledge-extractor.

More Related