on non black box proofs of security l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
On Non-Black-Box Proofs of Security PowerPoint Presentation
Download Presentation
On Non-Black-Box Proofs of Security

Loading in 2 Seconds...

play fullscreen
1 / 35

On Non-Black-Box Proofs of Security - PowerPoint PPT Presentation


  • 121 Views
  • Uploaded on

On Non-Black-Box Proofs of Security. Boaz Barak Princeton. B. x : instance of X. solution for x. Prototypical Crypto Thm : If problem X is hard then scheme Y is secure. Examples:. 9 OWF ) 9 signature schemes [NaorYung,Rompel].

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'On Non-Black-Box Proofs of Security' - isleen


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide2

B

x: instance of X

solution for x

Prototypical Crypto Thm: If problem X is hard then scheme Y is secure.

Examples:

  • 9 OWF )9 signature schemes [NaorYung,Rompel]
  • DDH hard )9 CCA-secure encryption [CramerShoup98]

Contrapositive: 9 poly-alg A breaking Y)9 poly-alg B for X

Typical proof: Show generic B using A as subroutine.

A

We call this a black-box proof of security.

In a non-black-box proof, B can use the code of A

(not to be confused w/ black-box vs. non-black-box constructions)

more formally strongly black box reductions for owf ka

f

(Alice,

Bob)

Underlying primitive.

f

Security proof

Adversary

Eve

Adv

Non-black-box proofs of security:1. Security proof may use code of underlying primitive (i.e., f)(examples: using specific assumptions, Cook-Levin)

2. Security proof may use code of adversary(this talk)

More Formally: (Strongly) Black-Box Reductions (for OWF KA)

 eff. (Alice, Bob), eff. Adv s.t. fand Eve[ Eve breaks (Alicef,Bobf) ) Advf, Eve inverts f]

non black box security proofs
Non-Black-Box Security Proofs

Advantages:

  • More general proof technique, can prove more thms.
  • Bypass proven limitations of black-box proofs.

(Somewhat surprisingly, without “real” understanding of computation.)

Disadvantages:

  • Less robust proofs, more dependence on model.
  • E.g.: Uniform TMs vs. circuits, quantum algorithms.
  • Seem to come at steep cost in efficiency.
applications of non bb proofs
Applications of Non-BB Proofs:

Composable protocols:

  • O(1)-round bounded concurrent zero-knowledge (ZK)

[B.01]

  • O(1)-round concurrent, non-malleable commitments

[B.02], [PassRosen05a], [PassRosen05b]

  • Concurrent, non-malleable general computation

[Lindell03],[PassRosen03],[Pass04], [B.Sahai05]

Strong Forms of Zero Knowledge:

  • Resettable ZK proof of knowledge

[B.GoldwasserGoldreichLindell01]

  • Resettably-sound ZK
  • ZK with strict poly-time simulation & extraction

[B.Lindell02]

O(1)-round general multiparty computation

[KatzOstrovskySmith03],[Pass04]

slide6
Plan

I Basic Non-BB ZK Protocol

[B.01]

II Making it bounded-concurrent

[B.01]

III Making it bounded non-malleable.

[Pass.04]

IV Unbounded concurrency and non-malleability using super-polynomial simulation.

[B.Sahai.04]

V Limitations and open questions.

i non black box zero knowledge
I Non-Black-Box Zero Knowledge

Zero Knowledge Proof:

P proves to V that stmt x is true.

(e.g., x = “string y is encryption of 0” x = “graph G is 3-colorable” )

Stmt: x 2 {0,1}n

Witness: c:[n]{R,G,B}

P

V

“accept”/”reject”

i non black box zero knowledge8

Zero Knowledge:

8 (possibly cheating) V*, 9S s.t.

S(x)»V*’s view in exec with P(w)

S( )

P

V*

»

I Non-Black-Box Zero Knowledge

Zero Knowledge Proof:

P proves to V that stmt x is true.

(e.g., x = “string y is encryption of 0” x = “graph G is 3-colorable” )

Completeness:

P runs in poly-time given witnessw for x.

Soundness:

If x false, V accepts w.p. < negl(n)=n-(1)

i non black box zero knowledge9

Black-Box ZK:

S uses V* as a black-box subroutine.

(i.e. uses subroutine for V*’s next-message function)

Non-BB ZK:

S uses the code of V*

I Non-Black-Box Zero Knowledge

Zero Knowledge Proof:

P proves to V that stmt x is true.

(e.g., x = “string y is encryption of 0” x = “graph G is 3-colorable” )

Zero Knowledge:

8 (possibly cheating) V*, 9S s.t.

S(x)»V*’s view in exec with P(w)

V*

S( )

,

P

V*

»

some tools
Some Tools

Commitments:

Efficient func Com:{0,1}k£{0,1}n{0,1}m

[Blum84],[Naor91]

Hiding: 8 x,x’ Com(x,Un) » Com(x’,Un)

Binding:x x’ Com(x,{0,1}n), Com(x’,{0,1}n) disjoint

x

(Notation:Com(x) = Com(x,Un) )

Collision Resistant Hash (CRH):

Collection H of efficient functions {0,1}*{0,1}n s.t.

for random h2H hard to find xx’ w/ h(x)=h(x’)

(implies CRH from {0,1}2n to {0,1}n)

[GoldwasserMicaliRivest84], SHA1,AES,…

When proving x1Çx2, verifier can’t tell witness used.

Witness Indistinguishable Proofs (WI):

  • Implied by zero knowledge.
  • Closed under concurrent composition.

[FeigeShamir90]

a flawed zero knowledge protocol

z=Com(r’)

r=V*(z)

r 2R {0,1}n

UAWI either

1) x is true.

or

2) r’=r

A Flawed Zero Knowledge Protocol

Completeness:

Stmt: x 2 {0,1}n

P

V*

V

Prover has efficient strategy using witness for x

Soundness:

Suppose x is false.

Let z be prover’s message.Denote r’=Com-1(z)

Pr[ r = r’ ] = 2-n

Zero Knowledge:

Let V* be possibly cheating ver.

Assume w.l.o.g V* deterministic

Sim’s goal: z=Com(r)

Find r s.t. r=V*(Com(r))

Problem: could take 2n guesses.

flawed protocol high level view

Stmt: x 2 {0,1}n

P

V

guess r

z=Com(r’)

r=V*(z)

Stmt true

r 2R {0,1}n

r 2R {0,1}n

or

I guessed r

UAWI either

1) x is true.

or

2) r’=r

Flawed Protocol – High Level View

Stmt: x 2 {0,1}n

P

V

main tool universal arguments

n bits description

TO(1) long proof

M

x

T running time

Main Tool – Universal Arguments

Interactive proof system for super-polynomial languages.

[Kilian92],[Micali94],[B.Goldreich02]

Based on following variant of PCP thm:

[BabaiFortnowLevinSzegedy91]

Every statement verifiable in T time deterministically, can be proven in polylog(T) time in “prob. proof in sky” (PCP) model.

c queries

Statement: “M(x)=1”

2-(c) error

Verifier

(Mcan be deterministic/non-det)

c¢polylog(T) time

universal arguments

n bits description

TO(1) long proof

M

x

Using commitments and ZK/WI proofs for NP can get UAZK/UAWIw/ same parameters.

T running time

h:{0,1}2k{0,1}k

Is proof of knowledge

h col-res hash

[B.Goldreich02]

root

= root of hash tree of 

 = q1,…,qc PCP ver queries

Answers + paths in tree

Universal Arguments

[Kilian92,Micali94],…

invoke h

P

V

[Merkle]

Prover time: poly(T)

Soundness: negl(k)

Communication: k¢polylog(T)

Verifier time:k¢polylog(T)+poly(n)

basic non bb zero knowledge

M: Turing machine.

Honest prover uses “junk” TM: always outputs 0

CRH h:{0,1}*{0,1}n

z=Com(h(V*))

z=Com(h(M))

r=V*(z)

Inherently non-BB simulator.

r 2R {0,1}n

[GoldreichKrawczyck86]

Note use of UA property.

UAWI either

1) x is true.

or

2) M(z)=r (in ·nlog n steps)

Basic Non-BB Zero Knowledge

[B.01]

Completeness:

Stmt: x 2 {0,1}n

P

V*

V

Prover has efficient strategy using witness for x

Soundness:

Suppose x is false.

Let z be prover’s message.Assume it binds to a single TM M.Denote r’=M(z)

Pr[ r = r’ ] = 2-n

Zero Knowledge:

Let V* be possibly cheating ver.

Assume w.l.o.g V* deterministic

Sim uses z=Com(h(V*))

high level view basic non bb zk

Stmt: x 2 {0,1}n

P

V

CRH h:{0,1}*{0,1}n

z=Com(h(M))

implicitly guess r

r 2R {0,1}n

r 2R {0,1}n

UAWI either

Stmt true

or

1) x is true.

or

I guessed r

2) M(z)=r (in ·nlog n steps)

High Level View: Basic Non-BB ZK

[B.01]

Stmt: x 2 {0,1}n

P

V

ii bounded concurrent zk

[CanettiKilianPetrankRosen01]

Requires ~(log n) rounds for BB ZK.

…,[PrabhakaranRosenSahai03]

II Bounded-Concurrent ZK

Concurrent ZK:

Coordinated attack of several verifiers against concurrently scheduled ZK proofs.

[DworkNaorSahai98],[RichardsonKilian99],…

V*

P1

V1

P2

V2

P3

V3

Bounded Concurrent:

t sessions. Protocol communication and time poly(t,n).

Challenging because typical “rewinding” technique blows up simulation time.

is basic protocol concurrent zk

h

h

z=Com(h(V*))

z=Com(h(V*))

r=V*(z)

UAWI either

UAWI either

1) x is true.

1) x is true.

2) M(z)=r

2) M(z)=r

r=V*(z,trans)

Is Basic Protocol Concurrent ZK?

Stmt: x 2 {0,1}n

Stmt: x 2 {0,1}n

P1

V*

P2

V*

trans

?

is basic protocol concurrent zk19

Stmt: x 2 {0,1}n

Stmt: x 2 {0,1}n

P1

V*

P2

V*

h

h

z=Com(h(V*))

z=Com(h(V*))

r=V*(z)

UAWI either

UAWI either

1) x is true.

1) x is true.

trans

2) M(z)=r

2) M(z)=r

r=V*(z,trans)

?

Is Basic Protocol Concurrent ZK?
is basic protocol concurrent zk20

Stmt: x 2 {0,1}n

Stmt: x 2 {0,1}n

P1

V*

P2

V*

h

h

z=Com(h(V*))

z=Com(h(V*))

r=V*(z)

UAWI either

UAWI either

1) x is true.

1) x is true.

trans

2) M(z)=r

2) M(z)=r

r=V*(z,trans)

?

Corollary:O(1)-round bounded ZK (bcZK) for all NP.

[B.01]

Is Basic Protocol Concurrent ZK?

Idea:relax the definition of “guessing” r

Change (2) to M(z,trans)=r for some |trans| < |r|/2

That is:z is implicit guess for 2|trans| possibilities for r. (notation: guess|trans| r )

Crucial point: can ensure all proververifier msgs have length << |r|

iii non malleable zk

Security goal:

Ensure proof to honest verifiers is sound even when simulating honest prover – simulation soundness.

[Sahai00]

  • 2 sessions with unique id.
  • Arbitrary scheduling.

(synchronized is hardest)

Bounded non-malleability:

id’s come from set of size t,protocol communication and time poly(t,n)

III Non-Malleable ZK

Adversary is “man-in-middle” between prover & verifier.

[DworkDolevNaor90]

V*

P

V1

P2

V

[DDN]: O(logn)-rounds

[B.02]: O(1)-rounds

A bit different non-BB technique.

[Pass04]: O(1)-rounds bounded non-mal

(simpler, weaker assump)

[PassRosen05a]: make [Pass04]unbounded NM

is simulation soundness trivial
Is Simulation Soundness Trivial?

V*

P

V1

P2

V

x,id

x’,id’

Note: known not to hold for some protocols, but why does naïve “proof” fail?

Naive attempt to prove that every ZK protocol is simulation sound:

First, note that in real MIM interaction, right session is sound. (otherwise combine V* and P to prover contradicting standalone soundness)

To simulate – consider V and V* as one standalone verifier V’, and use simulator forV’.

Simulator uses coins of V, so right session not necessarily sound.

But, since simulator’s output ~ real interaction, how can simulation differ?

The event that x’ is true is not efficiently observable.

pass s bounded nmzk protocol

P

imp. guess r1

V1

P2

V

imp. guess r2

m1

r12R{0,1}

m2

r22R{0,1}

Stmt true or

Stmt true or

guessedm1r1

guessedm2r2

Pass’s Bounded-NMZK Protocol

[Pass04]

Crucial observation: use bcZK to get one-directional simulation soundness.

If m1 >> |right session| then can simulate left w/o right verifier’s coins!

Pass’s Protocol:

1. Use |r| = id*B(B bound on all other comm in all sessions, note id’s bounded)

2. Run another iteration w/ id = max{id} - id

3. Prove in WI that at least one of the iterations succeeded.

iv concurrent non malleable zk

Good News:

Sufficient for concurrent secure computation of any task.

[CanettiLindellOstrovskySahai02],[GoldreichMicaliWigderson87]

Bad News:

Impossible to achieve natural definition (UC).

[Lindell03],[Lindell04]

Good News:

Maybe can achieve relaxed def: quasi-polynomial simulation.

Implies: securely computing any task w/ qpoly simulation.

[PrabhakaranSahai04]

Bad News:

[PS] construction uses non-standard “tailored” assumptions.

Good News:

Using non-BB obtain same result under standard assumptions (i.e., implied by factoring is subexp hard)

[B.Sahai05]

IV Concurrent+Non-Malleable ZK

Many concurrent executions. Adversary corrupts both verifiers and provers.

P1

V1

P2

V*

V2

P3

V3

Goal:simulation soundness: proofs to honest verifiers valid even in simulation.

isn t qpoly simulation trivial

Brute Force Op

In simulation V* can ensure 2nd condition is true.

No reason for right session to be sound!

Broke BFOP

same N

N

z=Com(p)

same z

x true or p|N

x’ true or p|N

Isn’t qpoly simulation trivial?

Stmt: x 2 {0,1}n

P

V

Completeness:

N = pretty large random composite

As always.

Soundness:

Com(p)

From hardness of factoring

Concurrent ZK:

[Pass03]

WI proof either

Straight-line simulation.

1) x is true.

2) p prime factor of N

Simulation soundness??

Stmt: x 2 {0,1}n

Stmt: x’ 2 {0,1}n

V*

V1

P2

P

V

concurrent non mal qzk protocol

m1

r12R{0,1}

Com(h(r1))

m1

r12R{0,1}

Implicitly send r1

If proof succssesful, have qpoly-time knowledge extractor can obtain r1 by rewinding

UAZK

Know r1

Concurrent Non-Mal qZK Protocol

[B.Sahai05]

Starting point: Pass’s protocol for bounded-NM zero knowledge

1st Step: Change it to handle #id’s to t=nlog n

Problem: In Pass’s protocol communication>t

Solution: “Compress” the long messages.

r1=0n

Is it (stand-alone) sound?

Is it (stand-alone) zero knowledge?

concurrent non mal qzk protocol27

Stmt: x 2 {0,1}n

id2[t]

P

V

imp guess r1

Completeness:

As before.

imp send r1

Soundness:

Will follow from simulation soundness.

BFOP

imp guess r2

imp send r2

UAWI either

1) stmt true

2) guessedm1r1

3) guessedm2r2

4) broke BFOP

m1 = nlognid , m2 = nlogn(t-id)

Concurrent Non-Mal qZK Protocol*

[B.Sahai05]

ZK+Simulation Soundness:

Straightline simulator breaking BFOP (4).

Why is that simulation sound??

concurrent non mal qzk protocol28

Stmt: x 2 {0,1}n

id2[t]

P

V

imp guess r1

imp send r1

BFOP

imp guess r2

imp send r2

UAWI either

1) stmt true

2) guessedm1r1

3) guessedm2r2

4) broke BFOP

m1 = nlognid , m2 = nlogn(t-id)

Concurrent Non-Mal qZK Protocol*

[B.Sahai05]

ZK+Simulation Soundness:

Straightline simulator breaking BFOP (4)

Change: Make option (1) weakly indist – observable in qpoly time.

Not an immediate solution: simulator now only weakly indist from real prover.

Idea: build auxiliary simulator that:

1) Strongly indist from “real” simulator.

2) Satisfies simulation soundness.

Why we need the “real” simulator?

Auxiliary simulator uses the witness.

concurrent non mal qzk protocol29

Stmt: x 2 {0,1}n

id2[t]

P

V

imp guess r1

Real Prover:

Uses:witness(1)

imp send r1

Sim-sound: yes

BFOP

imp guess r2

Real Simulator:

Uses: time (4)

Sim-sound: ?

Yes!

imp send r2

UAWI either

Aux Simulator:

1) stmt true

Uses: witness,non-BB (2,3)

2) guessedm1r1

Sim-sound: yes

3) guessedm2r2

4) broke BFOP

m1 = nlognid , m2 = nlogn(t-id)

Concurrent Non-Mal qZK Protocol*

[B.Sahai05]

ZK+Simulation Soundness:

~

(weak)

~

~

(strong)

concurrent non mal qzk protocol30

Stmt: x 2 {0,1}n

id2[t]

P

V

imp guess r1

imp send r1

P1

P2

V*

V2

BFOP

P3

imp guess r2

imp send r2

UAWI either

Aux Simulator:

1) stmt true

Uses: witness,non-BB (2,3)

2) guessedm1r1

Sim-sound: yes

3) guessedm2r2

4) broke BFOP

Concurrent Non-Mal qZK Protocol*

[B.Sahai05]

ZK+Simulation Soundness:

Constructing the auxiliary simulator.

Execution we need to simulate:

V1

V3

Useful observation:

Can assume only one honest verifier.

m1 = nlognid , m2 = nlogn(t-id)

slide31

The auxiliary simulator:

P

V*

P*

V

imp guess r1

imp guess r1

Need program s.t. ()=r’1 for |1|<< r’1

imp send r’1

imp send r1

Build  using V* + r1 + UA knowledge extractor

BFOP

BFOP

imp guess r’2

imp guess r2

imp send r’2

imp send r2

Can now simulate this part w/o access to ver’s coins.

UAWI either

UAWI either

1) stmt true

1) stmt true

2) guessedm1r1

2) guessedm1r1

3) guessedm2r2

3) guessedm2r2

4) broke BFOP

4) broke BFOP

Honest ver uses r1=0n

We’ll user12R {0,1}m1

slide32

The auxiliary simulator:

Pm

P3

P2

imp guess r1

imp send r’1

BFOP

BFOP

imp guess r’2

imp send r’2

When building  use witness to sim other sessions!

UAWI either

1) stmt true

2) guessedm1r1

 never sent in clear – still strongly indist!

3) guessedm2r2

4) broke BFOP

P

V*

P*

V

imp guess r1

imp send r1

  • To run extractor need to simulate other sessions.

Build  using V* + r1 + UA knowledge extractor

imp guess r2

  • To simulate other sessions, need to run extractor.

imp send r2

UAWI either

1) stmt true

2) guessedm1r1

3) guessedm2r2

4) broke BFOP

questions
Questions:
  • Random oracle model also used to achieve non-malleability and concurrent security. Can we justify this?

(so far mostly negative results[CanettiGoldreichHalevi98],[GoldwasserTa03])

  • All these use universal args. Are there different non-BB techniques?
  • Is there ZK system w/ O(1)-rounds and public coin verifier?

Related to both these questions.

  • Are these non-BB techniques inherently unpractical?

Two problematic components: general ZK and PCP theorem.

On other hand:

PCP get simpler, more efficient

[BenSassonSudan05],[Dinur05]

Maybe can push complexity to simulation?

[B.Sahai05]

  • Handling quantum adversaries?
slide34

Stmt: x 2 {0,1}n

id2[t]

Use random r1of length k1

Use M1 = V* program + r1 + extractor for UA

BFOP

To rewind, M1 uses witness!

Rules of engagement:

Simulate execution s.t.:

1) Never use option #1 in UAWI

2) No use of time between dotted lines.

2) No use of ver. coins after green line.

P1

P2

V*

V

h

z1=Com(h(M1))

UACom(r1)

z2=Com(h(M1))

UACom(r2)

UAWI either

1) x is true.

2) 9 |t1|<k1-n s.t.M1(z1,t1)=r1

3) 9 |t2|<k2-n s.t.M2(z2,t2)=r2

4) Broke BFOP.

k1 = nlognid , k2 = nlogn(t-id)

slide35

Stmt: x 2 {0,1}n

id2[t]

Use random r1of length k1

Use M1 = V* program + r1 + extractor for UA

BFOP

To rewind, M1 uses witness!

Rules of engagement:

Simulate execution s.t.:

1) Never use option #1 in UAWI

2) No use of time between dotted lines.

2) No use of ver. coins after green line.

P1

P2

V*

V

h

z1=Com(h(M1))

UACom(r1)

z2=Com(h(M1))

UACom(r2)

UAWI either

1) x is true.

2) 9 |t1|<k1-n s.t.M1(z1,t1)=r1

3) 9 |t2|<k2-n s.t.M2(z2,t2)=r2

4) Broke BFOP.

k1 = nlognid , k2 = nlogn(t-id)