How to Go Beyond the Black-Box Simulation Barrier

Provided by: boazb

1
How to Go Beyond the Black-Box Simulation Barrier
  • Boaz Barak
  • Weizmann Institute

2
Zero Knowledge Proofs [GMR]
e.g. L = { x : x is a 3-colorable graph }
L ∈ NP
x ∈ L
e.g. x is a 3-colorable graph
w ∈ Wit(x)
e.g. w is a 3-coloring of x
Prover (Alice) knows w
Verifier (Bob) knows only x
[Diagram: messages m1, m2, m2 between Prover and Verifier]
3
Def of Interactive Proofs
Prover (Alice) knows w
Verifier (Bob) knows only x
[Diagram: messages m1, m2, m2 between Prover and Verifier]
Completeness: Given w, Prover can convince the Verifier that x ∈ L
Comp. Soundness: If x ∉ L, then, regardless of Prover's (efficient) strategy, the verifier will reject with very high prob.
4
Zero Knowledge Property
Informal Definition of ZK
Prover (Alice) knows w
Verifier (Bob) knows only x
Regardless of efficient strategy Verifier uses, he cannot gain new knowledge on the witness
Computationally Indistinguishable
Statistically Indistinguishable
Formal Def: ∀ efficient verifier V ∃ S s.t.
V's view in interaction w/ P(x,w) ≈ S(x)
Usual way to show ZK: Show universal S s.t. ∀ V
V's view ≈ S^V(x)
5
Black-Box Simulation
Formal Def: ∀ efficient verifier V ∃ S s.t.
V's view in interaction w/ P(x,w) ≈ S(x)
Black-Box Simulation: Show alg S s.t. ∀ V
V's view ≈ S^V(x)
All previously known ZK protocols used black-box simulators [GMR, GMW, BCC, FS, GKa, RK, ...]
Conjecture: If a protocol is ZK, then it has a black-box simulator.
Implication: Black-box ZK limitations ⇒ ZK limitations
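As an added illustration (not from the slides), the sketch below shows what black-box access means for one round of the standard commit/challenge/open 3-coloring proof: the simulator has no coloring and touches the verifier only by calling it, rerunning it until its guessed edge matches the challenge. The hash commitment, the 5-cycle instance and the two verifier strategies are constructed for the example.

```python
import hashlib, os, random

def commit(color: int, coins: bytes) -> bytes:
    """Toy hash commitment to one vertex color (constructed stand-in)."""
    return hashlib.sha256(coins + bytes([color])).digest()

def simulate(edges, n_vertices, verifier, max_rewinds=10_000):
    """Black-box simulator S^V(x): knows no coloring, treats `verifier` as an
    oracle from commitments to a challenged edge, and rewinds on a bad guess."""
    for attempt in range(1, max_rewinds + 1):
        u, v = random.choice(edges)                    # guess the challenge
        colors = [0] * n_vertices                      # junk everywhere else
        colors[u], colors[v] = random.sample(range(3), 2)
        coins = [os.urandom(16) for _ in range(n_vertices)]
        coms = [commit(c, k) for c, k in zip(colors, coins)]
        challenge = verifier(coms)                     # the only access to V
        if challenge == (u, v):                        # guess was right: keep it
            opening = {w: (colors[w], coins[w]) for w in (u, v)}
            return coms, challenge, opening, attempt
    raise RuntimeError("guess never matched the verifier's challenge")

def accepts(coms, challenge, opening) -> bool:
    """The verifier's final check: both openings valid, colors differ."""
    u, v = challenge
    (cu, ku), (cv, kv) = opening[u], opening[v]
    return (commit(cu, ku) == coms[u] and commit(cv, kv) == coms[v]
            and cu != cv and {cu, cv} <= {0, 1, 2})

# Constructed instance x: a 5-cycle, which is 3-colorable.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (0, 4)]

def honest_verifier(coms):
    return random.choice(EDGES)

def adaptive_verifier(coms):
    """A deviating strategy: the challenge depends on the commitments seen."""
    digest = hashlib.sha256(b"".join(coms)).digest()
    return EDGES[digest[0] % len(EDGES)]

if __name__ == "__main__":
    for name, V in [("honest", honest_verifier), ("adaptive", adaptive_verifier)]:
        coms, ch, op, tries = simulate(EDGES, 5, V)
        print(name, "challenge", ch, "accepted:", accepts(coms, ch, op), "runs:", tries)
```

The same `simulate` works for both strategies because it never looks inside the verifier; the expected number of runs is about the number of edges.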
6
The Main Result
Main Thm: If CRH exist then there exists a ZK argument that does not have a black-box simulator.
With negligible soundness error.
Proof: Combine the following two theorems
Thm 1 [GolKra89]: If L ∉ BPP then every constant-round Arthur-Merlin argument for L does not have a black-box simulator.
Thm 2: If CRH exist then every L ∈ NP has a constant-round Arthur-Merlin ZK argument.
Remark: Protocol of Thm 2 has other useful properties impossible to obtain w/ black-box simulation. More details later.
CRH: Collision Resistant Hash functions
7
Proof of Thm 2: High Level View
Thm 2: If CRH exist then every L ∈ NP has a constant-round Arthur-Merlin ZK argument.
We construct a protocol with non-black-box simulation: We show universal S s.t. ∀ V
V's view ≈ S(desc of V's code, x)
Protocol will be Sound because honest verifier will use a program chosen at random (from some collection).
Protocol will be ZK because non-black-box simulator knows the verifier program.
8
Proof of Thm 2
Thm 2: If CRH exist then every L ∈ NP has a constant-round Arthur-Merlin ZK argument.
We'll first describe 3 tools we need
  • Commitment Schemes (digital envelopes) [Blum, Naor]
  • Witness Indistinguishable (WI) proofs [FeiSha]
  • Universal Arguments [Mic, Kil, BGol]

We then show for every L ∈ NP, the construction of a protocol with desired properties.
9
Witness Indistinguishable (WI) Proofs [FeiSha]
Prover (Alice) knows w or w'
Verifier (Bob) knows only x
L ∈ NP
x ∈ L
w, w' ∈ Wit(x)
Regardless of efficient strategy Verifier uses, he cannot tell if prover used w or w'
  • Weaker property than ZK.
  • Trivial for languages with unique witnesses.
  • Closed under parallel (even concurrent) composition.
  • If OWF exist then ∃ 3-round Arthur-Merlin WI proof for all L ∈ NP

10
Universal Arguments [Mic, BGol]
Let M be an Ntime(T(n)) machine (T() polynomial), x ∈ {0,1}^n
Suppose Alice knows non-det choice w ∈ {0,1}^{T(n)} s.t. M(x,w) = 1 and wants to prove this to Bob.
In standard NP proof systems:
Comm. Complexity, Bob's running time: poly(T(n))
A Universal Argument System allows to prove statement with Comm. Complexity, Bob's running time n for every polynomial T().
Actually, for every function T(): complexity T(n)^{o(1)} (e.g. complexity polylog(T(n)))
(Proof uses NEXP = PCP(poly,poly) [BabForLun], Merkle hash-trees)
11
A First Attempt
Honest Verifier chooses r at random. For general verifier V we have r = V( )
r ∈_R {0,1}^n
Idea: Prove that you knew ? before seeing r
Idea
Prover uses 1st case and Simulator 2nd case (w/ witness V). WI ensures indistinguishability.
Problem
Not sound! Cheating prover can choose ? after seeing r!
12
A Second Attempt
Not sound! Cheating prover can choose ? after seeing r!
Old Problem
?
r ∈_R {0,1}^n
Why use ?(?) and not ?( )??
Use C(?) instead of ?!
Sound!
Let r' = ?(?), then Pr[r = r'] = 2^{-n}
Simulator will send ? = code of V's strategy
What will honest prover use for ? ?
Problem
13
Protocol UZK
z = C(?,s)
C(?,s) denotes commit. to ? w/ coins s
r ∈_R {0,1}^n
WIP: either x ∈ L or ∃ ?,s s.t. z = C(?,s) and ?(z) = r
Sound!
Let ? = C^{-1}(z) and let r' = ?(z), then Pr[r = r'] = 2^{-n}
Prover sends z = C(0^n)
Simulator sends z = C(V's strategy)
Indistinguishability follows from commit security and WI
ZK!
No fixed polynomial bound on V's running time
Problem
Use a WI Universal Argument
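An added toy model of the commit-to-a-program idea on this slide (not code from the presentation): the simulator commits to the verifier's own code and so holds a witness for the second WI branch, read here as "z commits to some code whose output on z is r", while a prover who must commit before a random r is chosen does not. The hash commitment, the `next_message` convention and the sample verifier code are assumptions of the example; the WI proof and the universal argument themselves are not modelled.

```python
import hashlib, os

N = 16  # challenge length in bytes (plays the role of the slides' n)

def commit(value: bytes, coins: bytes) -> bytes:
    """Toy hash commitment, standing in for the slides' C."""
    return hashlib.sha256(coins + value).digest()

def run(code: bytes, z: bytes) -> bytes:
    """Run committed code on z. Assumed convention: it defines next_message(z)."""
    env = {"hashlib": hashlib}
    exec(code.decode(), env)   # toy interpreter; the code is our own sample
    return env["next_message"](z)

def trapdoor_holds(z, r, code, coins) -> bool:
    """Second branch of the WI statement as read here: z commits to code
    (with coins) and running that code on z outputs r."""
    if commit(code, coins) != z:
        return False
    try:
        return run(code, z) == r
    except Exception:
        return False

# Constructed verifier strategy with its random tape hard-wired into the code.
VERIFIER_CODE = b'''
def next_message(z):
    return hashlib.sha256(b"constructed-tape-01" + z).digest()[:16]
'''

def simulate(verifier_code: bytes):
    """Non-black-box simulator: commits to the verifier's own code, so the
    verifier's reply r is, by construction, that code's output on z."""
    coins = os.urandom(32)
    z = commit(verifier_code, coins)
    r = run(verifier_code, z)
    return z, r, (verifier_code, coins)   # witness for the second branch

def honest_first_message():
    """Honest prover: z = C(0^n); it proves the x in L branch instead."""
    coins = os.urandom(32)
    return commit(bytes(N), coins), coins

def cheating_prover_wins(guess_code: bytes) -> bool:
    """Soundness game: commit first, then an honest verifier picks r at random."""
    coins = os.urandom(32)
    z = commit(guess_code, coins)
    r = os.urandom(N)
    return trapdoor_holds(z, r, guess_code, coins)
```

Unlike a rewinding simulator, `simulate` runs the verifier exactly once; what it needs is the verifier's description, not repeated oracle access.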
14
Protocol UZK
z = C(?,s)
r ∈_R {0,1}^n
WIP: either x ∈ L or ∃ ?,s s.t. z = C(?,s) and ?(z) = r
Thm
Prot UZK is a constant-round Arthur-Merlin ZK arg. for L.
Cor
Prot UZK does not have a black-box simulator
15
More Results
  • Prot UZK can be modified to obtain ZK against non-uniform verifiers.
  • Prot UZK has simulator with strict prob. poly-time. Impossible w/ black-box simulation [BL]
  • Modified version of Prot UZK remains ZK under bounded-concurrent composition. Impossible w/ black-box simulation [CKPR]
  • Instantiating Prot UZK in crypto schemes (e.g. identification, voting) yields schemes with non-black-box proof of security.

16
Black-Box Reductions in Crypto
Typical Crypto Thm: Scheme X (e.g. voting) is as secure as Problem Y (e.g. factoring).
This is called a Black-Box proof of security.
Typical Proof: By contrapositive. Show that if ∃ efficient alg A to break Scheme X, then ∃ efficient alg B to solve Problem Y.
Almost always show a universal B such that ∀ efficient A, if A breaks Scheme X then B^A() solves Problem Y
Question: Is it possible to gain something by using a non-black-box proof of security?
17
The End