On the Composition of PublicCoin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktrm (KTH) 1 Zero Knowledge [GMR85] Interactive protocol between a Prover and a Verifier where the Verifier learns nothing except the proof statement Prover
Verifier Fundamental construct of cryptography Used in secure MPC, authentication, etc, etc 2 Zero Knowledge [GMR85] For every PPT V* (adversary) there is a PPT simulator S: Prover Verifier V*
Simulator S View generated by S View of V* with Prover Indistinguishable 3 Black-Box Zero Knowledge [GO90] Universal S interacts with and rewinds V*
Equivalently: Output View Most known and all practical ZK are BB This talk: Focus on BB ZK 4 Composition of ZK [GKr90] Parallel [FS90, GKr90] Concurrent [FS90, DNS04]
Do ZK protocols stay ZK when composed? 5 Composition of ZK [GKr90] In general: ZK breaks even under 2 parallel executions [FS90, GKr90] Specific protocols: Secure under both parallel and concurrent composition (e.g., [GKa96, FS90, RK99, KP01, PRS02]) But these protocols use something new:
Private Coins 6 Public vs. Private Coins Private-coin: Public-coin: Prover Verifier The original ZK protocols are all public-coin [GMR85,GMW91, Blum87]
Why care about public-coin protocols? Theory: Understand original protocols e.g. IP(Poly) = AM(Poly) [GS86] Simpler to implement Practice: V resilient to leakage and side channel attacks 7 The Question: Are private coins necessary for composing ZK (even just) in parallel?
First studied by Goldreich-Krawczyk in 1990 Partial result: No constant round public-coin BB ZK w/ neg. soundness error (L BPP) Known O(1) round public-coin BB ZK (with big soundness error) not secure in parallel 8 Our Results 1. Any public-coin protocol is not BBZK if repeated sufficiently in parallel (L BPP). 2. For every m, there is a public-coin proof for NP that is BBZK up to m concurrent sessions, assuming OWF.
[Bar01]: Public-coin constant round boundedconcurrent non-BB ZK argument assuming CRH. 9 The Goldreich-Krawczyk framework [GKr90]: If the verifier uses PRF to generate its messages in a constant round public-coin protocol Protocol is resettably-sound [BGGL01] Prover PRF( )
Verifier + PRF The Goldreich-Krawczyk framework [GKr90]: If the verifier uses PRF to generates it messages in a constant round public-coin protocol Protocol is resettably-sound [BGGL01] Resetting P* Verifier V + PRF
Goal: Accepting execution for x L The Goldreich-Krawczyk framework [GKr90]: If the verifier uses PRF to generates it messages in a constant round public-coin protocol Protocol is resettably-sound [BGGL01] If protocol is resettably-sound and BB ZK for L L BPP (decided by S) [GK90, BGGL01]: x L S(x) gives accepting view (ZK) x L S(x) gives rejecting view (resettable-sound) 12 Main Lemma
Any public-coin protocol (where V uses PRF for its messages) is resettably-sound when repeated sufficiently in parallel. Compare with soundness amplification Recent work: Parallel repetition amplifies soundness of public-coin arguments [PV07, HPPW08]: From poly(n) Our work: Quality of soundness also improves From standard sound resettably sound Can use soundness amplification techniques 13
Proof Idea Reduction R: Resettable P* normal P Reduction R Resetting P* Verifier V R tries to forward messages that P* utilize for an accepting execution Possible to continue simulation due to public-coin 14 Which Message to Forward?
[GKr90] For constant round protocols, choose random messages to forward Guess correctly w.p. 1/poly each round Doesnt work when there are more rounds Our approach: Do a test run to see which msg shouldve been forwarded. Forward it and continue simulation If P* doesnt use forwarded msg, rewind P* until it does 15 Example
Start: Two rounds are already forwarded Reduction R Verifier V Resetting P* FAIL Acc. Acc. Repeat Process Case: SForwarded fails to produce
msg is not accepting inin accepting accepting view. view view Found Rewind! next message to forward 16
The Reduction Again 1. In a test run of P*, find the msg used by P* to form an accepting view. 2. Forward the msg to V and receive a fixed reply. 3. Keep rewinding P* until the forwarded msg is used in an accepting view The next msg in view gets forwarded. Repeat. Reduction idea analogous to [HPPW08] Reduction always works! Is it poly time? 17
Analysis Sketch If we can rewind external V: Case: P* chooses which branch to use in view randomly. Then poly rewinds are enough This is actually the worst case But we cant rewind external V: Forwarded messages are fixed. Might fix a BAD message Reduction: Resettable standalone parallel P*normal standalone P New picture!
18 Analysis Sketch Can almost rewind the Verifier Results in a statistically close distribution! Technically shown by relying on Razs Lemma Technique used in soundness amplification of 2-prover games [Raz98] and public-coin arguments [HPPW08] Reduction R Resetting P* Verifier V
19 Conclusion Any public-coin protocol, with enough parallel repetitions, is resettably-sound so not BB ZK unless L BPP Elucidate connection between hardness amplification and BB ZK lower bounds New set of techniques for BB lower bounds 20
Corollary Bare Public-Key setup More efficient (private-coin) concurrent ZK Model studied in the soundness amplification literature [IW97, BIN97, HPPW08] Using [BIN97, HPPW08] techniques, we can extend our impossibility result to BPK too 21 Thank You!
Students will take the Reading, Writing, and Math portions of the TSI-A. Pre-Assessment Activity (PAA) ... Students are required to make a TCC grade of "C" or better in ALL Dual Credit courses to continue in the Dual Credit Program....
The Faces exhibition includes contemporary artworks that show people's faces. An artwork that shows one individual is called a portrait. Alfred J. Quiroz Linda Tracey Brandon Ancient Egyptian artisans had a tradition of making mask-like portrait sculptures on the lids...
Mission Statement-Emergency Preparedness. The Emergency Preparedness Mission of California State University Dominguez Hills shall . be to develop, organize, coordinate and lead the campus toward effective preparation for, and efficient response to, emergencies and disasters with the primary focus on...
Analysis Services Maestro Program. Deep-dive level 500 course on SSAS 2008 R2. Intense training spread across five days. Think Microsoft Certified Masters for SQL Server. Prepared by SQLCAT, top industry experts and SSAS Team "This was by far the best...
Moon phases - the change in appearance of the Moon from Earth Moon Phases Light from Moon is reflected from the Sun Waxing - looks to be getting larger Waning - looks to be getting smaller Moon Facts Dr. Eugene...
Understanding "Marigolds" Who is the author? Eugenia Collier (b. 1928) is an award-winning writer and critic best known for her 1969 short story "Marigolds," which won the Gwendolyn Brooks Prize for Fiction award.
Britain sought mercantilist policies: Making $ for the Mother country. However, this was not always successful: Colonial resistance - smuggling. Britain's policy of salutary neglect - British indifference. Colonial arguments for resistance? Self-government, lack of representation. Enlightenment ideas - liberty
Ready to download the document? Go ahead and hit continue!