On Non-Black-Box Proofs of Security

1 / 35

# On Non-Black-Box Proofs of Security - PowerPoint PPT Presentation

On Non-Black-Box Proofs of Security. Boaz Barak Princeton. B. x : instance of X. solution for x. Prototypical Crypto Thm : If problem X is hard then scheme Y is secure. Examples:. 9 OWF ) 9 signature schemes [NaorYung,Rompel].

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'On Non-Black-Box Proofs of Security' - isleen

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### On Non-Black-Box Proofs of Security

Boaz BarakPrinceton

B

x: instance of X

solution for x

Prototypical Crypto Thm: If problem X is hard then scheme Y is secure.

Examples:

• 9 OWF )9 signature schemes [NaorYung,Rompel]
• DDH hard )9 CCA-secure encryption [CramerShoup98]

Contrapositive: 9 poly-alg A breaking Y)9 poly-alg B for X

Typical proof: Show generic B using A as subroutine.

A

We call this a black-box proof of security.

In a non-black-box proof, B can use the code of A

(not to be confused w/ black-box vs. non-black-box constructions)

f

(Alice,

Bob)

Underlying primitive.

f

Security proof

Eve

Non-black-box proofs of security:1. Security proof may use code of underlying primitive (i.e., f)(examples: using specific assumptions, Cook-Levin)

2. Security proof may use code of adversary(this talk)

 eff. (Alice, Bob), eff. Adv s.t. fand Eve[ Eve breaks (Alicef,Bobf) ) Advf, Eve inverts f]

Non-Black-Box Security Proofs

• More general proof technique, can prove more thms.
• Bypass proven limitations of black-box proofs.

(Somewhat surprisingly, without “real” understanding of computation.)

• Less robust proofs, more dependence on model.
• E.g.: Uniform TMs vs. circuits, quantum algorithms.
• Seem to come at steep cost in efficiency.
Applications of Non-BB Proofs:

Composable protocols:

• O(1)-round bounded concurrent zero-knowledge (ZK)

[B.01]

• O(1)-round concurrent, non-malleable commitments

[B.02], [PassRosen05a], [PassRosen05b]

• Concurrent, non-malleable general computation

[Lindell03],[PassRosen03],[Pass04], [B.Sahai05]

Strong Forms of Zero Knowledge:

• Resettable ZK proof of knowledge

[B.GoldwasserGoldreichLindell01]

• Resettably-sound ZK
• ZK with strict poly-time simulation & extraction

[B.Lindell02]

O(1)-round general multiparty computation

[KatzOstrovskySmith03],[Pass04]

Plan

I Basic Non-BB ZK Protocol

[B.01]

II Making it bounded-concurrent

[B.01]

III Making it bounded non-malleable.

[Pass.04]

IV Unbounded concurrency and non-malleability using super-polynomial simulation.

[B.Sahai.04]

V Limitations and open questions.

I Non-Black-Box Zero Knowledge

Zero Knowledge Proof:

P proves to V that stmt x is true.

(e.g., x = “string y is encryption of 0” x = “graph G is 3-colorable” )

Stmt: x 2 {0,1}n

Witness: c:[n]{R,G,B}

P

V

“accept”/”reject”

Zero Knowledge:

8 (possibly cheating) V*, 9S s.t.

S(x)»V*’s view in exec with P(w)

S( )

P

V*

»

I Non-Black-Box Zero Knowledge

Zero Knowledge Proof:

P proves to V that stmt x is true.

(e.g., x = “string y is encryption of 0” x = “graph G is 3-colorable” )

Completeness:

P runs in poly-time given witnessw for x.

Soundness:

If x false, V accepts w.p. < negl(n)=n-(1)

Black-Box ZK:

S uses V* as a black-box subroutine.

(i.e. uses subroutine for V*’s next-message function)

Non-BB ZK:

S uses the code of V*

I Non-Black-Box Zero Knowledge

Zero Knowledge Proof:

P proves to V that stmt x is true.

(e.g., x = “string y is encryption of 0” x = “graph G is 3-colorable” )

Zero Knowledge:

8 (possibly cheating) V*, 9S s.t.

S(x)»V*’s view in exec with P(w)

V*

S( )

,

P

V*

»

Some Tools

Commitments:

Efficient func Com:{0,1}k£{0,1}n{0,1}m

[Blum84],[Naor91]

Hiding: 8 x,x’ Com(x,Un) » Com(x’,Un)

Binding:x x’ Com(x,{0,1}n), Com(x’,{0,1}n) disjoint

x

(Notation:Com(x) = Com(x,Un) )

Collision Resistant Hash (CRH):

Collection H of efficient functions {0,1}*{0,1}n s.t.

for random h2H hard to find xx’ w/ h(x)=h(x’)

(implies CRH from {0,1}2n to {0,1}n)

[GoldwasserMicaliRivest84], SHA1,AES,…

When proving x1Çx2, verifier can’t tell witness used.

Witness Indistinguishable Proofs (WI):

• Implied by zero knowledge.
• Closed under concurrent composition.

[FeigeShamir90]

z=Com(r’)

r=V*(z)

r 2R {0,1}n

UAWI either

1) x is true.

or

2) r’=r

A Flawed Zero Knowledge Protocol

Completeness:

Stmt: x 2 {0,1}n

P

V*

V

Prover has efficient strategy using witness for x

Soundness:

Suppose x is false.

Let z be prover’s message.Denote r’=Com-1(z)

Pr[ r = r’ ] = 2-n

Zero Knowledge:

Let V* be possibly cheating ver.

Assume w.l.o.g V* deterministic

Sim’s goal: z=Com(r)

Find r s.t. r=V*(Com(r))

Problem: could take 2n guesses.

Stmt: x 2 {0,1}n

P

V

guess r

z=Com(r’)

r=V*(z)

Stmt true

r 2R {0,1}n

r 2R {0,1}n

or

I guessed r

UAWI either

1) x is true.

or

2) r’=r

Flawed Protocol – High Level View

Stmt: x 2 {0,1}n

P

V

n bits description

TO(1) long proof

M

x

T running time

Main Tool – Universal Arguments

Interactive proof system for super-polynomial languages.

[Kilian92],[Micali94],[B.Goldreich02]

Based on following variant of PCP thm:

[BabaiFortnowLevinSzegedy91]

Every statement verifiable in T time deterministically, can be proven in polylog(T) time in “prob. proof in sky” (PCP) model.

c queries

Statement: “M(x)=1”

2-(c) error

Verifier

(Mcan be deterministic/non-det)

c¢polylog(T) time

n bits description

TO(1) long proof

M

x

Using commitments and ZK/WI proofs for NP can get UAZK/UAWIw/ same parameters.

T running time

h:{0,1}2k{0,1}k

Is proof of knowledge

h col-res hash

[B.Goldreich02]

root

= root of hash tree of 

 = q1,…,qc PCP ver queries

Universal Arguments

[Kilian92,Micali94],…

invoke h

P

V

[Merkle]

Prover time: poly(T)

Soundness: negl(k)

Communication: k¢polylog(T)

Verifier time:k¢polylog(T)+poly(n)

M: Turing machine.

Honest prover uses “junk” TM: always outputs 0

CRH h:{0,1}*{0,1}n

z=Com(h(V*))

z=Com(h(M))

r=V*(z)

Inherently non-BB simulator.

r 2R {0,1}n

[GoldreichKrawczyck86]

Note use of UA property.

UAWI either

1) x is true.

or

2) M(z)=r (in ·nlog n steps)

Basic Non-BB Zero Knowledge

[B.01]

Completeness:

Stmt: x 2 {0,1}n

P

V*

V

Prover has efficient strategy using witness for x

Soundness:

Suppose x is false.

Let z be prover’s message.Assume it binds to a single TM M.Denote r’=M(z)

Pr[ r = r’ ] = 2-n

Zero Knowledge:

Let V* be possibly cheating ver.

Assume w.l.o.g V* deterministic

Sim uses z=Com(h(V*))

Stmt: x 2 {0,1}n

P

V

CRH h:{0,1}*{0,1}n

z=Com(h(M))

implicitly guess r

r 2R {0,1}n

r 2R {0,1}n

UAWI either

Stmt true

or

1) x is true.

or

I guessed r

2) M(z)=r (in ·nlog n steps)

High Level View: Basic Non-BB ZK

[B.01]

Stmt: x 2 {0,1}n

P

V

[CanettiKilianPetrankRosen01]

Requires ~(log n) rounds for BB ZK.

…,[PrabhakaranRosenSahai03]

II Bounded-Concurrent ZK

Concurrent ZK:

Coordinated attack of several verifiers against concurrently scheduled ZK proofs.

[DworkNaorSahai98],[RichardsonKilian99],…

V*

P1

V1

P2

V2

P3

V3

Bounded Concurrent:

t sessions. Protocol communication and time poly(t,n).

Challenging because typical “rewinding” technique blows up simulation time.

h

h

z=Com(h(V*))

z=Com(h(V*))

r=V*(z)

UAWI either

UAWI either

1) x is true.

1) x is true.

2) M(z)=r

2) M(z)=r

r=V*(z,trans)

Is Basic Protocol Concurrent ZK?

Stmt: x 2 {0,1}n

Stmt: x 2 {0,1}n

P1

V*

P2

V*

trans

?

Stmt: x 2 {0,1}n

Stmt: x 2 {0,1}n

P1

V*

P2

V*

h

h

z=Com(h(V*))

z=Com(h(V*))

r=V*(z)

UAWI either

UAWI either

1) x is true.

1) x is true.

trans

2) M(z)=r

2) M(z)=r

r=V*(z,trans)

?

Is Basic Protocol Concurrent ZK?

Stmt: x 2 {0,1}n

Stmt: x 2 {0,1}n

P1

V*

P2

V*

h

h

z=Com(h(V*))

z=Com(h(V*))

r=V*(z)

UAWI either

UAWI either

1) x is true.

1) x is true.

trans

2) M(z)=r

2) M(z)=r

r=V*(z,trans)

?

Corollary:O(1)-round bounded ZK (bcZK) for all NP.

[B.01]

Is Basic Protocol Concurrent ZK?

Idea:relax the definition of “guessing” r

Change (2) to M(z,trans)=r for some |trans| < |r|/2

That is:z is implicit guess for 2|trans| possibilities for r. (notation: guess|trans| r )

Crucial point: can ensure all proververifier msgs have length << |r|

Security goal:

Ensure proof to honest verifiers is sound even when simulating honest prover – simulation soundness.

[Sahai00]

• 2 sessions with unique id.
• Arbitrary scheduling.

(synchronized is hardest)

Bounded non-malleability:

id’s come from set of size t,protocol communication and time poly(t,n)

III Non-Malleable ZK

Adversary is “man-in-middle” between prover & verifier.

[DworkDolevNaor90]

V*

P

V1

P2

V

[DDN]: O(logn)-rounds

[B.02]: O(1)-rounds

A bit different non-BB technique.

[Pass04]: O(1)-rounds bounded non-mal

(simpler, weaker assump)

[PassRosen05a]: make [Pass04]unbounded NM

Is Simulation Soundness Trivial?

V*

P

V1

P2

V

x,id

x’,id’

Note: known not to hold for some protocols, but why does naïve “proof” fail?

Naive attempt to prove that every ZK protocol is simulation sound:

First, note that in real MIM interaction, right session is sound. (otherwise combine V* and P to prover contradicting standalone soundness)

To simulate – consider V and V* as one standalone verifier V’, and use simulator forV’.

Simulator uses coins of V, so right session not necessarily sound.

But, since simulator’s output ~ real interaction, how can simulation differ?

The event that x’ is true is not efficiently observable.

P

imp. guess r1

V1

P2

V

imp. guess r2

m1

r12R{0,1}

m2

r22R{0,1}

Stmt true or

Stmt true or

guessedm1r1

guessedm2r2

Pass’s Bounded-NMZK Protocol

[Pass04]

Crucial observation: use bcZK to get one-directional simulation soundness.

If m1 >> |right session| then can simulate left w/o right verifier’s coins!

Pass’s Protocol:

1. Use |r| = id*B(B bound on all other comm in all sessions, note id’s bounded)

2. Run another iteration w/ id = max{id} - id

3. Prove in WI that at least one of the iterations succeeded.

Good News:

Sufficient for concurrent secure computation of any task.

[CanettiLindellOstrovskySahai02],[GoldreichMicaliWigderson87]

Impossible to achieve natural definition (UC).

[Lindell03],[Lindell04]

Good News:

Maybe can achieve relaxed def: quasi-polynomial simulation.

Implies: securely computing any task w/ qpoly simulation.

[PrabhakaranSahai04]

[PS] construction uses non-standard “tailored” assumptions.

Good News:

Using non-BB obtain same result under standard assumptions (i.e., implied by factoring is subexp hard)

[B.Sahai05]

IV Concurrent+Non-Malleable ZK

Many concurrent executions. Adversary corrupts both verifiers and provers.

P1

V1

P2

V*

V2

P3

V3

Goal:simulation soundness: proofs to honest verifiers valid even in simulation.

Brute Force Op

In simulation V* can ensure 2nd condition is true.

No reason for right session to be sound!

Broke BFOP

same N

N

z=Com(p)

same z

x true or p|N

x’ true or p|N

Isn’t qpoly simulation trivial?

Stmt: x 2 {0,1}n

P

V

Completeness:

N = pretty large random composite

As always.

Soundness:

Com(p)

From hardness of factoring

Concurrent ZK:

[Pass03]

WI proof either

Straight-line simulation.

1) x is true.

2) p prime factor of N

Simulation soundness??

Stmt: x 2 {0,1}n

Stmt: x’ 2 {0,1}n

V*

V1

P2

P

V

m1

r12R{0,1}

Com(h(r1))

m1

r12R{0,1}

Implicitly send r1

If proof succssesful, have qpoly-time knowledge extractor can obtain r1 by rewinding

UAZK

Know r1

Concurrent Non-Mal qZK Protocol

[B.Sahai05]

Starting point: Pass’s protocol for bounded-NM zero knowledge

1st Step: Change it to handle #id’s to t=nlog n

Problem: In Pass’s protocol communication>t

Solution: “Compress” the long messages.

r1=0n

Is it (stand-alone) sound?

Is it (stand-alone) zero knowledge?

Stmt: x 2 {0,1}n

id2[t]

P

V

imp guess r1

Completeness:

As before.

imp send r1

Soundness:

BFOP

imp guess r2

imp send r2

UAWI either

1) stmt true

2) guessedm1r1

3) guessedm2r2

4) broke BFOP

m1 = nlognid , m2 = nlogn(t-id)

Concurrent Non-Mal qZK Protocol*

[B.Sahai05]

ZK+Simulation Soundness:

Straightline simulator breaking BFOP (4).

Why is that simulation sound??

Stmt: x 2 {0,1}n

id2[t]

P

V

imp guess r1

imp send r1

BFOP

imp guess r2

imp send r2

UAWI either

1) stmt true

2) guessedm1r1

3) guessedm2r2

4) broke BFOP

m1 = nlognid , m2 = nlogn(t-id)

Concurrent Non-Mal qZK Protocol*

[B.Sahai05]

ZK+Simulation Soundness:

Straightline simulator breaking BFOP (4)

Change: Make option (1) weakly indist – observable in qpoly time.

Not an immediate solution: simulator now only weakly indist from real prover.

Idea: build auxiliary simulator that:

1) Strongly indist from “real” simulator.

2) Satisfies simulation soundness.

Why we need the “real” simulator?

Auxiliary simulator uses the witness.

Stmt: x 2 {0,1}n

id2[t]

P

V

imp guess r1

Real Prover:

Uses:witness(1)

imp send r1

Sim-sound: yes

BFOP

imp guess r2

Real Simulator:

Uses: time (4)

Sim-sound: ?

Yes!

imp send r2

UAWI either

Aux Simulator:

1) stmt true

Uses: witness,non-BB (2,3)

2) guessedm1r1

Sim-sound: yes

3) guessedm2r2

4) broke BFOP

m1 = nlognid , m2 = nlogn(t-id)

Concurrent Non-Mal qZK Protocol*

[B.Sahai05]

ZK+Simulation Soundness:

~

(weak)

~

~

(strong)

Stmt: x 2 {0,1}n

id2[t]

P

V

imp guess r1

imp send r1

P1

P2

V*

V2

BFOP

P3

imp guess r2

imp send r2

UAWI either

Aux Simulator:

1) stmt true

Uses: witness,non-BB (2,3)

2) guessedm1r1

Sim-sound: yes

3) guessedm2r2

4) broke BFOP

Concurrent Non-Mal qZK Protocol*

[B.Sahai05]

ZK+Simulation Soundness:

Constructing the auxiliary simulator.

Execution we need to simulate:

V1

V3

Useful observation:

Can assume only one honest verifier.

m1 = nlognid , m2 = nlogn(t-id)

The auxiliary simulator:

P

V*

P*

V

imp guess r1

imp guess r1

Need program s.t. ()=r’1 for |1|<< r’1

imp send r’1

imp send r1

Build  using V* + r1 + UA knowledge extractor

BFOP

BFOP

imp guess r’2

imp guess r2

imp send r’2

imp send r2

UAWI either

UAWI either

1) stmt true

1) stmt true

2) guessedm1r1

2) guessedm1r1

3) guessedm2r2

3) guessedm2r2

4) broke BFOP

4) broke BFOP

Honest ver uses r1=0n

We’ll user12R {0,1}m1

The auxiliary simulator:

Pm

P3

P2

imp guess r1

imp send r’1

BFOP

BFOP

imp guess r’2

imp send r’2

When building  use witness to sim other sessions!

UAWI either

1) stmt true

2) guessedm1r1

 never sent in clear – still strongly indist!

3) guessedm2r2

4) broke BFOP

P

V*

P*

V

imp guess r1

imp send r1

• To run extractor need to simulate other sessions.

Build  using V* + r1 + UA knowledge extractor

imp guess r2

• To simulate other sessions, need to run extractor.

imp send r2

UAWI either

1) stmt true

2) guessedm1r1

3) guessedm2r2

4) broke BFOP

Questions:
• Random oracle model also used to achieve non-malleability and concurrent security. Can we justify this?

(so far mostly negative results[CanettiGoldreichHalevi98],[GoldwasserTa03])

• All these use universal args. Are there different non-BB techniques?
• Is there ZK system w/ O(1)-rounds and public coin verifier?

Related to both these questions.

• Are these non-BB techniques inherently unpractical?

Two problematic components: general ZK and PCP theorem.

On other hand:

PCP get simpler, more efficient

[BenSassonSudan05],[Dinur05]

Maybe can push complexity to simulation?

[B.Sahai05]

Stmt: x 2 {0,1}n

id2[t]

Use random r1of length k1

Use M1 = V* program + r1 + extractor for UA

BFOP

To rewind, M1 uses witness!

Rules of engagement:

Simulate execution s.t.:

1) Never use option #1 in UAWI

2) No use of time between dotted lines.

2) No use of ver. coins after green line.

P1

P2

V*

V

h

z1=Com(h(M1))

UACom(r1)

z2=Com(h(M1))

UACom(r2)

UAWI either

1) x is true.

2) 9 |t1|<k1-n s.t.M1(z1,t1)=r1

3) 9 |t2|<k2-n s.t.M2(z2,t2)=r2

4) Broke BFOP.

k1 = nlognid , k2 = nlogn(t-id)

Stmt: x 2 {0,1}n

id2[t]

Use random r1of length k1

Use M1 = V* program + r1 + extractor for UA

BFOP

To rewind, M1 uses witness!

Rules of engagement:

Simulate execution s.t.:

1) Never use option #1 in UAWI

2) No use of time between dotted lines.

2) No use of ver. coins after green line.

P1

P2

V*

V

h

z1=Com(h(M1))

UACom(r1)

z2=Com(h(M1))

UACom(r2)

UAWI either

1) x is true.

2) 9 |t1|<k1-n s.t.M1(z1,t1)=r1

3) 9 |t2|<k2-n s.t.M2(z2,t2)=r2

4) Broke BFOP.

k1 = nlognid , k2 = nlogn(t-id)