ZERO-KNOWLEDGE for NPcyber.biu.ac.il/wp-content/uploads/2018/08/WS-19-2-ZK...Can 𝐴 be proved in...
Transcript of ZERO-KNOWLEDGE for NPcyber.biu.ac.il/wp-content/uploads/2018/08/WS-19-2-ZK...Can 𝐴 be proved in...
BIU WINTER SCHOOL | February 2019
ZERO-KNOWLEDGE for NP
ALON ROSEN IDC HERZLIYA
Perfect ZK
Perfect ZK: ∀𝑃𝑃𝑇 𝑉∗ ∃𝑃𝑃𝑇 𝑆 ∀𝑥 ∈ 𝐿 ∀𝑧
𝑆 𝑥, 𝑧 ≅ 𝑃 𝑤 , 𝑉∗ 𝑧 𝑥
Proposition: 𝑄𝑅𝑁 ∈ PZK
𝑁𝑃 complete
𝑆𝐴𝑇
𝐿𝐼𝑁 P
NP
𝑄𝑅𝑁
Can 𝑆𝐴𝑇 be proved in ZK?
Why do we care?
• 𝑄𝑅𝑁 is specific
• 𝑆𝐴𝑇 is NP-complete
• If 𝑆𝐴𝑇 ∈ ZK then every 𝐿 ∈ NP is provable in ZK
Theorem [F’87, BHZ’87]: If 𝑆𝐴𝑇 ∈ PZK then the
polynomial-time hierarchy collapses to the second level
Possible relaxations:
• Computational indistinguishability (now)
• Computational soundness (later)
Statistical
Zero-Knowledge
Statistical Indistinguishabi lity
Let 𝑋 and 𝑌 be random variables taking values in a set Ω
Perfect indistinguishability (𝑋 ≅ 𝑌): ∀𝑇 ⊆ Ω
𝑃𝑟𝑋 𝑋 ∈ 𝑇 = 𝑃𝑟𝑌 𝑌 ∈ 𝑇
𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω
𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀
• 𝑋 = 𝑋𝑛 and 𝑌 = 𝑌𝑛
• 𝜀 = 𝜀 𝑛
Statistical Indistinguishabi lity
Let 𝑋 and 𝑌 be random variables taking values in a set Ω
Perfect indistinguishability (𝑋 ≅ 𝑌): ∀𝑇 ⊆ Ω
𝑃𝑟𝑋 𝑋 ∈ 𝑇 = 𝑃𝑟𝑌 𝑌 ∈ 𝑇
𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω
𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀
Triangle inequality: if
• 𝑋, 𝑌 are 𝜀1 -indistinguishable and
• 𝑌, 𝑍 are 𝜀2-indistinguishable then
• 𝑋, 𝑍 are 𝜀1 + 𝜀2 -indistinguishable
Statistical Indistinguishabi lity
Let 𝑋 and 𝑌 be random variables taking values in a set Ω
Perfect indistinguishability (𝑋 ≅ 𝑌): ∀𝑇 ⊆ Ω
𝑃𝑟𝑋 𝑋 ∈ 𝑇 = 𝑃𝑟𝑌 𝑌 ∈ 𝑇
𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω
𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀
Indistinguishability of multiple samples: if
• 𝑋, 𝑌 are 𝜀-indistinguishable then
• 𝑋𝑞 , 𝑌𝑞 are 𝑞𝜀-indistinguishable
Hybrid argument: 𝑋𝑞−𝑖𝒀𝑌𝑖−1 ≅𝑠 𝑋𝑞−𝑖𝑿𝑌𝑖−1
𝑋𝑞−𝑖𝒀𝑌𝑖−1 ≅𝑠 𝑋𝑞−𝑖𝑿𝑌𝑖−1
𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋≅𝑠 𝑌𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋≅𝑠 𝑌𝑌𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋≅𝑠 𝑌𝑌𝑌𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋
⋮
≅𝑠 𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑋≅𝑠 𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌
By triangle inequality: 𝜀 + 𝜀 + ⋯+ 𝜀 = 𝑞𝜀
Hybrid Argument
𝑖 = 0 𝑋𝑞 →
→ 𝑌𝑞
𝑖 = 1
𝑖 = 2𝑖 = 3
𝑖 = 𝑞 − 1𝑖 = 𝑞
Statistical ZK: ∀𝑃𝑃𝑇 𝑉∗ ∃𝑃𝑃𝑇 𝑆 ∀𝑥 ∈ 𝐿 ∀𝑧
𝑆 𝑥, 𝑧 ≅𝑠 𝑃, 𝑉∗ 𝑧 𝑥
• SZK - all 𝐿 that have a statistical ZK proof
• 𝑆 𝑥, 𝑧 and 𝑃, 𝑉∗ 𝑧 𝑥 are indexed by 𝑥, 𝑧
• Typically 𝑛 = 𝑥 (actually, 𝑛 = 𝑤 )
Theorem [F’87, BHZ’87]: If 𝑆𝐴𝑇 ∈ SZK then the polynomial-
time hierarchy collapses to the second level
Statistical ZK
Computational
Zero-Knowledge
𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω
𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀
𝑡, 𝜀 -indistinguishability (𝑋 ≅𝑐 𝑌): ∀𝑇 ⊆ Ω that are
“decidable in time 𝑡”
𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀
𝑇 ⊆ 𝐴 is decidable in time 𝑡 if ∃time-𝑡 𝐷 such that ∀𝑥 ∈ 𝐴
𝑥 ∈ 𝑇 ⟷ 𝐷 𝑥 = 1
Computational Indistinguishabi lity
𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω
𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀
𝑡, 𝜀 -indistinguishability (𝑋 ≅𝑐 𝑌): ∀time-𝑡 𝐷
𝑃𝑟 𝐷 𝑋 = 1 − 𝑃𝑟 𝐷 𝑌 = 1 ≤ 𝜀
Triangle inequality: if
• 𝑋, 𝑌 are 𝑡1, 𝜀1 -indistinguishable and
• 𝑌, 𝑍 are 𝑡2, 𝜀2 -indistinguishable then
• 𝑋, 𝑍 are 𝑚𝑖𝑛 𝑡1, 𝑡2 , 𝜀1 + 𝜀2 -indistinguishable
Computational Indistinguishabi lity
𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω
𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀
𝑡, 𝜀 -indistinguishability (𝑋 ≅𝑐 𝑌): ∀time-𝑡 𝐷
𝑃𝑟 𝐷 𝑋 = 1 − 𝑃𝑟 𝐷 𝑌 = 1 ≤ 𝜀
Indistinguishability of multiple samples: if
• 𝑋, 𝑌 are 𝑡, 𝜀 -indistinguishable then
• 𝑋𝑞 , 𝑌𝑞 are 𝑡, 𝑞𝜀 -indistinguishable
Hybrid argument (non-uniform):
𝑋𝑞−𝑖𝒀𝑌𝑖−1 ≅𝑠 𝑋𝑞−𝑖𝑿𝑌𝑖−1
Computational Indistinguishabi lity
Computational Indistinguishabi lity
Typically:
• 𝑡 = 𝑝𝑜𝑙𝑦 𝑛• 𝜀 = 𝑛𝑒𝑔 𝑛
Definition: 𝜀 = 𝜀 𝑛 is negligible if it is eventually smaller
than 1/𝑝 𝑛 for every polynomial 𝑝
𝜀 = 𝑛𝑒𝑔 𝑛 , 𝑞 = 𝑝𝑜𝑙𝑦 𝑛 → 𝑞𝜀 = 𝑛𝑒𝑔 𝑛
𝑋1 ≅𝜀 𝑋2⋯ ≅𝜀 𝑋
𝑞 → 𝑋1 ≅𝑞𝜀 𝑋𝑞
In practice: concrete choices of 𝑡,q and 𝜀
Computational ZK: ∀𝑃𝑃𝑇 𝑉∗ ∃𝑃𝑃𝑇 𝑆 ∀𝑥 ∈ 𝐿 ∀𝑧
𝑆 𝑥, 𝑧 ≅𝑐 𝑃, 𝑉∗ 𝑧 𝑥
PZK ⊆ SZK ⊆ CZK
Theorem [GMW’86]: Suppose one-way functions exist.
Then NP ⊆ CZK
Computational ZK
Definition: 𝑓: 0,1 ∗ → 0,1 ∗ is 𝑡, 𝜀 -one-way if ∀time-𝑡 𝐴
𝑃𝑟𝑋 𝐴 inverts 𝑓 𝑋 ≤ 𝜀
Candidate OWFs:
• Rabin/RSA: 𝑥2 𝑚𝑜𝑑 𝑁 𝑥𝑒 𝑚𝑜𝑑 𝑁
• Discrete exponentiation: 𝑔𝑥 𝑚𝑜𝑑 𝑃
• SIS/LWE: 𝐴𝑥 𝑚𝑜𝑑 𝑞 𝐴𝑥 + 𝑒 𝑚𝑜𝑑 𝑞
• AES: 𝐴𝐸𝑆𝑥 0𝑛
• SHA: ℎ 𝑥
One-way Functions
Commitment Schemes
Commitment Scheme
• Two-stage protocol between Committer and Receiver
Completeness: 𝐶 can always generate valid
𝑐 = 𝐶𝑜𝑚 𝑚, 𝑟
R𝑐 = 𝐶𝑜𝑚 𝑚, 𝑟
𝑚, 𝑟 = 𝐷𝑒𝑐 𝑐
Commit
Reveal
Commitment Scheme
• Two-stage protocol between Committer and Receiver
RCommit
Reveal
𝐶𝑜𝑚 𝑚, 𝑟 is
𝑅∗’s view of the
commit phase
𝐷𝑒𝑐 𝑐 is
𝑅∗’s view of the
reveal phase
Canonical reveal:
𝐷𝑒𝑐 𝑐 = 𝑚, 𝑟
Statistical ly-binding Commitments
Definition: A statistically-binding 𝐶𝑜𝑚,𝐷𝑒𝑐 satisfies:
Computational hiding: 𝑃𝑃𝑇 𝑅∗ ∀𝑚1, 𝑚2
𝐶𝑜𝑚 𝑚1 ≅𝑐 𝐶𝑜𝑚 𝑚2
Statistical binding: 𝐶∗ ∀𝑚1 ≠ 𝑚2
𝑃𝑟 𝐶∗ wins the binding game ≤ 𝑛𝑒𝑔 𝑛
𝐶∗ wins the binding game if it generates 𝑐 along with
• 𝑚1, 𝑟1 = 𝐷𝑒𝑐 𝑐• 𝑚2, 𝑟2 = 𝐷𝑒𝑐 𝑐
• Note: hiding holds even if 𝑚1, 𝑚2 are known
• Later: statistically-hiding commitments
• El-Gamal (assuming DDH):
𝐶𝑜𝑚𝑔,ℎ 𝑚, 𝑟 = 𝑔𝑟 , ℎ𝑟 ∙ 𝑔𝑚
• Any OWP:
𝐶𝑜𝑚 𝑚, 𝑟 = 𝑓 𝑟 , 𝑏 𝑟 ⊕ 𝑚
• Any PRG (and hence OWF):
𝐶𝑜𝑚𝑟 𝑏, 𝑠 = ቊ𝐺 𝑠 𝑏 = 0𝐺 𝑠 ⊕ 𝑟 𝑏 = 1
Examples (statistical ly-binding)
NP ⊆ CZK
Theorem [GMW’86]: If statistically-binding commitments
exist then NP ⊆ CZK
Theorem [B’86]: If statistically-binding commitments
exist then 𝐻𝐴𝑀 ∈ CZK
𝐻𝐴𝑀 = 𝐺| 𝐺 has a Hamiltomian cycle
Ham cycle: passes via each vertex exactly once
𝐻𝐴𝑀 ∈ CZK
Every 𝐿 ∈ NP is poly-time reducible to 𝐻𝐴𝑀
∃poly-time computable 𝑓 such that ∀𝑥
𝑥 ∈ 𝐿 ⇔ 𝑓 𝑥 ∈ 𝐻𝐴𝑀
To prove 𝐿 ∈ CZK, sufficient to prove 𝐻𝐴𝑀 ∈ CZK
𝐻𝐴𝑀 i s NP -complete
VP 𝑥 ∈ 𝐿↕
𝑓 𝑥 ∈ 𝐻𝐴𝑀
ACCEPT/REJECT
𝑤 for 𝑥 ∈ 𝐿↕
𝑔(𝑤) for 𝑓 𝑥 ∈ 𝐻𝐴𝑀
𝟏
𝟏
𝟏
𝟏
𝟏
𝟏
Adjacency Matrix Representation
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
Graph 𝐺 Ham cycle 𝑤
0 𝟏 0 0 1 1
1 0 1 𝟏 0 0
1 1 0 0 𝟏 0
0 0 𝟏 0 1 1
1 0 1 1 0 𝟏
𝟏 1 0 1 1 0
0 𝟏 0 0 1 1
1 0 1 𝟏 0 0
1 1 0 0 𝟏 0
0 0 𝟏 0 1 1
1 0 1 1 0 𝟏
𝟏 1 0 1 1 0
Committing to 𝐺 and opening cycle 𝑤
Graph 𝐺 𝒄 = 𝐶𝑜𝑚 𝐺
𝟏
𝟏
𝟏
𝟏
𝟏
𝟏
→
0 𝟏 0 0 1 1
1 0 1 𝟏 0 0
1 1 0 0 𝟏 0
0 0 𝟏 0 1 1
1 0 1 1 0 𝟏
𝟏 1 0 1 1 0
𝑤 ∈ 𝐷𝑒𝑐 𝑐𝐺 = 𝐷𝑒𝑐 𝑐
An interactive proof for 𝐻𝐴𝑀
VP
𝑏 = 0: 𝑢 ∈ 𝐷𝑒𝑐 𝒄
𝑏
𝐺 ∈ 𝐻𝐴𝑀
𝑏 ∈𝑅 0,1
𝒄 = 𝐶𝑜𝑚 𝜋(𝐺)𝜋 ∈𝑅 𝑆𝑛
Ham cycle 𝑤
𝑏 = 1: 𝜋, 𝐻 = 𝐷𝑒𝑐 𝒄
In either case,
verify hat 𝐷𝑒𝑐 are valid
𝑢=𝜋(𝑤) Verify that 𝑢 is a cycle
Verify that 𝐻 = 𝜋 𝐺
When 𝑏 = 0
𝒄 = 𝐶𝑜𝑚 𝜋(𝐺)
𝟏
𝟏
𝟏
𝟏
𝟏
𝟏
𝑢 ∈ 𝐷𝑒𝑐 𝒄
𝑏 = 0
Verify :
• That 𝐷𝑒𝑐 is valid
• That 𝑢 is a cycle
When 𝑏 = 1
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
6 1 3 2 5 4
𝐻 = 𝐷𝑒𝑐 𝒄𝒄 = 𝐶𝑜𝑚 𝜋(𝐺)
𝜋
𝑏 = 1
Verify :
• That 𝐷𝑒𝑐 is valid
• That 𝐻 = 𝜋 𝐺
Soundness
Claim: If 𝐶𝑜𝑚,𝐷𝑒𝑐 is statistically binding then 𝑃, 𝑉is an interactive proof for 𝐻𝐴𝑀
Soundness:
If 𝑃𝑟𝑏 𝑃∗, 𝑉 accepts 𝑥 > 1/2
then both
• 𝑢 is a cycle in 𝐻
• and 𝐻 = 𝜋 𝐺
So 𝜋−1 𝑢 is a cycle in 𝐺
VP*
𝑏 = 0: 𝑢
𝑏
𝐶𝑜𝑚 𝜋(𝐺)
𝑏 = 1: 𝜋, 𝐻 𝐻 = 𝜋 𝐺
𝑢 is a cycle
Computational ZK
Simulator 𝑆𝑉∗𝐺 :
1. Set 𝐺0 = 𝑢 for 𝑢 ∈𝑅 𝑐𝑦𝑐𝑙𝑒𝑛2. Set 𝐺1 = 𝜋(𝐺) for 𝜋 ∈𝑅 𝑆𝑛3. Sample 𝑏 ∈𝑅 ℤ𝑁
∗
𝑏 = 0: Set 𝒄 = 𝐶𝑜𝑚 𝐺0𝑏 = 1: Set 𝒄 = 𝐶𝑜𝑚 𝐺1
4. If 𝑉∗ 𝒄 = 𝑏
𝑏 = 0: Output 𝒄,𝑏, 𝑢
𝑏 = 1: Output 𝒄,𝑏, 𝜋,𝐺1
5. Otherwise repeat
V*P
𝑏 = 0: 𝑢
𝑏 = 𝑉∗ 𝑐
𝒄
𝑏 = 1: 𝜋, 𝐻
0 𝟏 0 0 0 0
0 0 0 𝟏 0 0
0 0 0 0 𝟏 0
0 0 𝟏 0 0 0
0 0 0 0 0 𝟏
𝟏 0 0 0 0 0
Computational ZK
𝐺0
𝑏 = 0
𝐺1
𝑏 = 1
𝜋
6 1 3 2 5 4
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
Computational ZK
𝑏 = 0
𝒄 = 𝐶𝑜𝑚 𝐺0
𝑏 = 1
𝒄 = 𝐶𝑜𝑚 𝐺1
≅𝑐
𝟏
𝟏
𝟏
𝟏
𝟏
𝟏
Computational ZK
If 𝑉∗ 𝒄 = 0(otherwise repeat)
If 𝑉∗ 𝒄 = 1(otherwise repeat)
𝐺0 = 𝑢 𝐺1 = 𝜋(𝐺)
𝜋
6 1 3 2 5 4
0 1 0 0 1 1
1 0 1 1 0 0
1 1 0 0 1 0
0 0 1 0 1 1
1 0 1 1 0 1
1 1 0 1 1 0
Claim: If 𝐶𝑜𝑚 is computationally hiding then 𝑆𝑉∗𝐺 runs
in polynomial time
1. From hiding of 𝐶𝑜𝑚 and the fact that 𝑉∗is 𝑃𝑃𝑇:
𝑃𝑟𝒄,𝑏 𝑉∗ 𝐶𝑜𝑚 𝐺𝑏 = 𝑏 ≈ 1/2
Exercise: otherwise 𝑉∗ distinguishes between
𝐶𝑜𝑚 𝐺0 and 𝐶𝑜𝑚 𝐺1
2. This implies: 𝔼 #repetitions ≈ 2
Computational ZK
Claim: If 𝐶𝑜𝑚 is computationally hiding then ∀𝐺 ∈ 𝐻𝐴𝑀
𝑆𝑉∗𝐺 ≅𝑐 𝑃(𝑤), 𝑉∗ 𝐺
1. Let 𝐻𝑉∗ 𝐺,𝑤 act identically to 𝑆𝑉∗𝐺 except that:
• 𝐻 commits to 𝐺1 instead of 𝐺0• When 𝑉∗ 𝑐 = 0, 𝐻 outputs 𝜋(𝑤) instead of 𝑢
2. Exercise:
𝑆𝑉∗𝐺 ≅𝑐 𝐻
𝑉∗ 𝐺,𝑤 ≅ 𝑃(𝑤), 𝑉∗ 𝐺
Hint: 𝐶𝑜𝑚 𝐺0 ≅𝑐 𝐶𝑜𝑚 𝐺1 even if 𝐺,𝑤, 𝜋 are known.
Computational ZK
𝟏
𝟏
𝟏
𝟏
𝟏
𝟏
𝟏
𝟏
𝟏
𝟏
𝟏
𝟏
Computational ZK
𝑆𝑉∗𝐺 | 𝑏 = 0
𝒄 = 𝐶𝑜𝑚 𝐺0 𝒄 = 𝐶𝑜𝑚 𝐺1
≅𝑐
𝒄 = 𝐶𝑜𝑚 𝐺0 − 𝐶𝑜𝑚(𝜋(𝑤)) 𝒄 = 𝐶𝑜𝑚 𝐺1 − 𝐶𝑜𝑚(𝜋(𝑤))
𝐻𝑉∗ 𝐺,𝑤 | 𝑏 = 0
One-way functions (or rather some weak form of them)
are necessary for non-trivial ZK
Theorem [OW’90]: If ∃ZK proofs for languages outside of
BPP then there exist functions with one-way instances
Theorem [OW’90]: If ∃ZK proofs for languages that are
hard on average then there exist one-way functions
Unconditional characterization of ZK [Vad’06]:
• HVZK = ZK• ZK is closed under union
• Public-coin ZK equals private-coin ZK• ZK w/ imperfect compl. equals ZK w/ perfect compl.
Techniques borrowed from the study of SZK [SV’90’s]
Computational ZK – some more
Summary
BPP ⊆ PZK ⊆ SZK ⊂ CZK = IP
Defined:
• Statistical indistinguishability
• Computational indistinguishability
• SZK, CZK
• One way-functions
• Statistically-binding commitments
Saw:
• Examples of statistically-binding commitments
• NP ⊆ CZK via 𝐻𝐴𝑀 ∈ CZK
Food for Thought
• Efficiency of reduction to 𝐻𝐴𝑀• Classic reduction from 𝑆𝐴𝑇 to 𝐻𝐴𝑀 has quadratic blowup
• Ideally: linear blowup (with small constants)
• Communication complexity• Statistically-binding commitments imply linear communication
• Next lecture: statistically-hiding commitments
• Open up the possibility of sublinear communication
• Efficiency of prover and/or verifier• May have to optimize 𝑃, 𝑉 even if sublinear communication
• Both time and space complexities – tradeoff between 𝑃, 𝑉
• Round complexity• Much research devoted to minimizing rounds (see next lecture)
Other considerations
Define
• what it means to break the system
• Adversary’s access/resources
Build
• In ZK first there were protocols, only then defs
Prove
• We still do not have good “language” for proofs
• ML theory vs Crypto theory (crypto theory is essential)
First feasibility then efficiency
• Optimize (round/comm. complexity, verifier time/space)
Relax definition (Argument/WI/WH/NIZK)
Modern Crypto Methodology
Auxi l iary input to 𝐷 and Non-uniform 𝑉∗
Computational ZK: ∀𝑃𝑃𝑇 𝑉∗ ∃𝑃𝑃𝑇 𝑆 ∀𝑷𝑷𝑻 𝑫 ∀𝑥 ∈ 𝐿 ∀𝑧
𝑃𝑟 𝐷 𝑥,𝑧, 𝑆 𝑥, 𝑧 = 1 − 𝑃𝑟 𝐷 𝑥, 𝑧, 𝑃, 𝑉∗ 𝑧 𝑥 , 𝑧 = 1 ≤ 𝑛𝑒𝑔(|𝑥|)
Advanced comment:
• 𝐷 is also given 𝑧
• If 𝑧 is sufficiently long, 𝐷 can make use of its suffix
• 𝑉∗ and 𝑆 cannot (𝐷 is determined after them)
• implies indistinguishability against non-uniform circuits 𝐷
• Making 𝑉∗ also non uniform yields “weaker” security
reduction (from 𝑉∗ to 𝑆)
History
Oded Goldreich Avi Wigderson Manuel Blum
Moni Naor Salil VadhanRafail Ostrovsky Amit Sahai
The End
Questions?