On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round...
Transcript of On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round...
![Page 1: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/1.jpg)
On the Existence ofThree Round
Zero-Knowledge Proofs
Nils Fleischhacker, Vipul Goyal, Abhishek Jain
Tel Aviv, May 2, 2018
![Page 2: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/2.jpg)
2
Round-Complexity of ZK-Proofs for NP
[GO94]
X[GK96]
[Katz08] black box simulation
[KRR17] public coin
![Page 3: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/3.jpg)
2
Round-Complexity of ZK-Proofs for NP
[GO94]
X[GK96]
[Katz08] black box simulation
[KRR17] public coin
![Page 4: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/4.jpg)
2
Round-Complexity of ZK-Proofs for NP
[GO94]
X[GK96]
[Katz08] black box simulation
[KRR17] public coin
![Page 5: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/5.jpg)
2
Round-Complexity of ZK-Proofs for NP
[GO94]
X[GK96]
[Katz08] black box simulation
[KRR17] public coin
![Page 6: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/6.jpg)
2
Round-Complexity of ZK-Proofs for NP
[GO94]
X[GK96]
[Katz08] black box simulation
[KRR17] public coin
![Page 7: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/7.jpg)
2
Round-Complexity of ZK-Proofs for NP
[GO94]
X[GK96]
[Katz08] black box simulation
[KRR17] public coin
![Page 8: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/8.jpg)
2
Round-Complexity of ZK-Proofs for NP
[GO94]
X[GK96]
[Katz08] black box simulation
[KRR17] public coin
![Page 9: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/9.jpg)
2
Round-Complexity of ZK-Proofs for NP
[GO94]
X[GK96]
[Katz08] black box simulation
[KRR17] public coin
![Page 10: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/10.jpg)
3
The Result
Assuming sub-exponentially secure iO and sub-exponentially securePRFs as well as exponentially secure input-hiding obfuscation for
multi-bit point functions, even private coin three roundzero-knowledge proofs can only exist for languages in BPP.
![Page 11: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/11.jpg)
4
What About Four Rounds?
I We do not expect our technique to easily extend to fourrounds.
I Our result extends to a weaker notion of ε-ZK.
I For ε-ZK, four round private coin protocols exist based onkeyless multi-collision resistant hash functions (MCRH).[BKP17]
![Page 12: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/12.jpg)
5
Compressing Proofs
Sadly, it’s not that simple.
![Page 13: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/13.jpg)
5
Compressing Proofs
Sadly, it’s not that simple.
![Page 14: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/14.jpg)
5
Compressing Proofs
Sadly, it’s not that simple.
![Page 15: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/15.jpg)
5
Compressing Proofs
Sadly, it’s not that simple.
![Page 16: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/16.jpg)
6
Proofs vs. Arguments
Π Π′
We lose statistical soundness. Π′ is only an argument.
Π Sound Π′ Sound Π not ZK
![Page 17: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/17.jpg)
7
How to Compress Proofs
α← P1(x,w)α
β ← V1(x, α)β
γ ← P2(x,w) γ
β←$ {0, 1}n
![Page 18: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/18.jpg)
7
How to Compress Proofs
α← P1(x,w)α
β ← V1(x, α)β
γ ← P2(x,w) γ
β←$ {0, 1}n
![Page 19: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/19.jpg)
7
How to Compress Proofs
α← P1(x,w)α
β ← V1(x, α)β
γ ← P2(x,w) γ
β←$ {0, 1}n
![Page 20: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/20.jpg)
7
How to Compress Proofs
α← P1(x,w)α
β ← V1(x, α)β
γ ← P2(x,w) γβ←$ {0, 1}n
![Page 21: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/21.jpg)
8
The Public Coin Case
α← P1(x,w)α
β←$ {0, 1}nβ
γ ← P2(x,w) γ
H←$HH
β := H(x, α)
(α, )
[KRR17]: H := iO(PRFk(·))
![Page 22: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/22.jpg)
8
The Public Coin Case
α← P1(x,w)α
β←$ {0, 1}nβ
γ ← P2(x,w) γ
H←$HH
β := H(x, α)
(α, )
[KRR17]: H := iO(PRFk(·))
![Page 23: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/23.jpg)
8
The Public Coin Case
α← P1(x,w)α
β←$ {0, 1}nβ
γ ← P2(x,w) γH←$H
Hβ := H(x, α)
(α, )
[KRR17]: H := iO(PRFk(·))
![Page 24: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/24.jpg)
8
The Public Coin Case
α← P1(x,w)α
β←$ {0, 1}nβ
γ ← P2(x,w) γH←$H
Hβ := H(x, α)
(α, )
[KRR17]: H := iO(PRFk(·))
![Page 25: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/25.jpg)
8
The Public Coin Case
α← P1(x,w)α
β←$ {0, 1}nβ
γ ← P2(x,w) γH←$H
Hβ := H(x, α)
(α, )
[KRR17]: H := iO(PRFk(·))
![Page 26: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/26.jpg)
8
The Public Coin Case
α← P1(x,w)α
β←$ {0, 1}nβ
γ ← P2(x,w) γH←$H
Hβ := H(x, α)
(α, )
[KRR17]: H := iO(PRFk(·))
![Page 27: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/27.jpg)
9
But What About Private Coin?
α← P1(x,w)α
β ← V1(x, α)β
γ ← P2(x,w) γ
B← iO(CV[k, x])
CV[k, x](α)
s := PRFk(α)
β := V1(x, α; s)
return β
Bβ := B(α)
(α, )
![Page 28: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/28.jpg)
9
But What About Private Coin?
α← P1(x,w)α
β ← V1(x, α)β
γ ← P2(x,w) γ
B← iO(CV[k, x])
CV[k, x](α)
s := PRFk(α)
β := V1(x, α; s)
return β
Bβ := B(α)
(α, )
![Page 29: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/29.jpg)
9
But What About Private Coin?
α← P1(x,w)α
β ← V1(x, α)β
γ ← P2(x,w) γ
B← iO(CV[k, x])
CV[k, x](α)
s := PRFk(α)
β := V1(x, α; s)
return β
Bβ := B(α)
(α, )
![Page 30: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/30.jpg)
9
But What About Private Coin?
α← P1(x,w)α
β ← V1(x, α)β
γ ← P2(x,w) γB← iO(CV[k, x])
CV[k, x](α)
s := PRFk(α)
β := V1(x, α; s)
return β
Bβ := B(α)
(α, )
![Page 31: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/31.jpg)
10
How to Prove it.
Π Π′
We need to prove two things:
1. If Π′ is sound then Π is not zero knowledge.
2. The compression preserves soundness. I.e., if Π is sound thenΠ′ is also sound.
![Page 32: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/32.jpg)
11
Π′ sound =⇒ Π′ not ZK [GO94]
aux
α
β ← aux(α)β
γ
(α, β, γ)
Sim
aux
(α′, β′, γ′)≈c
![Page 33: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/33.jpg)
11
Π′ sound =⇒ Π′ not ZK [GO94]
aux
α
β ← aux(α)β
γ
(α, β, γ)
Sim
aux
(α′, β′, γ′)
≈c
![Page 34: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/34.jpg)
11
Π′ sound =⇒ Π′ not ZK [GO94]
aux
α
β ← aux(α)β
γ
(α, β, γ)
Sim
aux
(α′, β′, γ′)≈c
![Page 35: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/35.jpg)
12
Π′ sound =⇒ Π′ not ZK
B
(α, β, γ)← Sim(B) (α, γ)
X
(x∗ ∈ L) ≈c (x∗ 6∈ L) unless L ∈ BPP
But is it sound?
![Page 36: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/36.jpg)
12
Π′ sound =⇒ Π′ not ZK
B
(α, β, γ)← Sim(B) (α, γ)
X
(x∗ ∈ L) ≈c (x∗ 6∈ L) unless L ∈ BPP
But is it sound?
![Page 37: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/37.jpg)
13
How Can a Prover Cheat? Defining Bad Alphas.
α
Bad
???
1. Specify a set of bad α’s.
2. Prove that a cheating prover must use a bad α to cheat.
3. Prove that bad α’s remain hidden by the obfuscation.
![Page 38: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/38.jpg)
13
How Can a Prover Cheat? Defining Bad Alphas.
α
Bad
???
1. Specify a set of bad α’s.
2. Prove that a cheating prover must use a bad α to cheat.
3. Prove that bad α’s remain hidden by the obfuscation.
![Page 39: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/39.jpg)
13
How Can a Prover Cheat? Defining Bad Alphas.
α
Bad
???
1. Specify a set of bad α’s.
2. Prove that a cheating prover must use a bad α to cheat.
3. Prove that bad α’s remain hidden by the obfuscation.
![Page 40: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/40.jpg)
13
How Can a Prover Cheat? Defining Bad Alphas.
α
Bad
???
1. Specify a set of bad α’s.
2. Prove that a cheating prover must use a bad α to cheat.
3. Prove that bad α’s remain hidden by the obfuscation.
![Page 41: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/41.jpg)
14
How Can a Prover Cheat? Defining Bad Alphas.
α
Bad
I In the public coin case, defining bad α’s is trivial: Any α, suchthat for β := PRFk(α) there exists an accepting γ.
I In the private coin case, however there may always beaccepting γ’s.
I But, those γ’s depend on which consistent random tape wasused.
I Security of iO and puncturable PRF hide which random tapewas used.
![Page 42: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/42.jpg)
14
How Can a Prover Cheat? Defining Bad Alphas.
α
Bad
I In the public coin case, defining bad α’s is trivial: Any α, suchthat for β := PRFk(α) there exists an accepting γ.
I In the private coin case, however there may always beaccepting γ’s.
I But, those γ’s depend on which consistent random tape wasused.
I Security of iO and puncturable PRF hide which random tapewas used.
![Page 43: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/43.jpg)
14
How Can a Prover Cheat? Defining Bad Alphas.
α
Bad
I In the public coin case, defining bad α’s is trivial: Any α, suchthat for β := PRFk(α) there exists an accepting γ.
I In the private coin case, however there may always beaccepting γ’s.
I But, those γ’s depend on which consistent random tape wasused.
I Security of iO and puncturable PRF hide which random tapewas used.
![Page 44: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/44.jpg)
14
How Can a Prover Cheat? Defining Bad Alphas.
α
Bad
I In the public coin case, defining bad α’s is trivial: Any α, suchthat for β := PRFk(α) there exists an accepting γ.
I In the private coin case, however there may always beaccepting γ’s.
I But, those γ’s depend on which consistent random tape wasused.
I Security of iO and puncturable PRF hide which random tapewas used.
![Page 45: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/45.jpg)
14
How Can a Prover Cheat? Defining Bad Alphas.
α
Bad
I In the public coin case, defining bad α’s is trivial: Any α, suchthat for β := PRFk(α) there exists an accepting γ.
I In the private coin case, however there may always beaccepting γ’s.
I But, those γ’s depend on which consistent random tape wasused.
I Security of iO and puncturable PRF hide which random tapewas used.
![Page 46: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/46.jpg)
15
Bad Alphas in the Private Coin Case.
α
Bad
I An α is bad if the random tape s := PRFk(α) leads to a βsuch that for (α, β) there exists γ that will be accepted by theverifier with high probability over all consistent random tapes.
![Page 47: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/47.jpg)
16
Hiding Bad Alphas.
I A cheating prover will output a bad α with high probability.
I This can be lead to a direct contradiction with the soundnessof Π but incurs an exponential loss.
I We follow the approach of [KRR17] and “transfer” the loss toa seperate primitive.
![Page 48: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/48.jpg)
16
Hiding Bad Alphas.
I A cheating prover will output a bad α with high probability.
I This can be lead to a direct contradiction with the soundnessof Π but incurs an exponential loss.
I We follow the approach of [KRR17] and “transfer” the loss toa seperate primitive.
![Page 49: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/49.jpg)
16
Hiding Bad Alphas.
I A cheating prover will output a bad α with high probability.
I This can be lead to a direct contradiction with the soundnessof Π but incurs an exponential loss.
I We follow the approach of [KRR17] and “transfer” the loss toa seperate primitive.
![Page 50: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/50.jpg)
17
Input Hiding Obfuscation of Multi-Bit Point Functions
hideO
α∗, s∗
B
Correctness: B(α∗) = s∗
∀α 6= α∗ : B(α) = ⊥Security: Pr[A(B, 1n) = α∗] ≤ 2−n
Can be instantiated in the generic group model by [CD08] asshown in [BC10] based on a strong variant of DDH.
![Page 51: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/51.jpg)
17
Input Hiding Obfuscation of Multi-Bit Point Functions
hideO
α∗, s∗
B
Correctness: B(α∗) = s∗
∀α 6= α∗ : B(α) = ⊥Security: Pr[A(B, 1n) = α∗] ≤ 2−n
Can be instantiated in the generic group model by [CD08] asshown in [BC10] based on a strong variant of DDH.
![Page 52: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/52.jpg)
18
Transferring the Loss
Cpct[k, α∗, β∗](α)
if α?=α∗
β := β∗
else
s := PRFk(α)
β := V1(x, α; s)
return β
Chide[k,B](α)
s := B(α)
if s = ⊥s := PRFk(α)
β := V1(x∗, α; s)
return β
Conditioned on α∗ being bad we get that
Pr
k,α∗,s∗,iO,A
[P∗(
iO(Cpct[k{α∗}, α∗,V1(x
∗, α; s∗)]))
= (α∗, γ)]
is slightly higher than random chance.
![Page 53: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/53.jpg)
18
Transferring the Loss
Cpct[k, α∗, β∗](α)
if α?=α∗
β := β∗
else
s := PRFk(α)
β := V1(x, α; s)
return β
Chide[k,B](α)
s := B(α)
if s = ⊥s := PRFk(α)
β := V1(x∗, α; s)
return β
Conditioned on α∗ being bad we get that
Pr
k,α∗,s∗,iO,A
[P∗(
iO(Cpct[k{α∗}, α∗,V1(x
∗, α; s∗)]))
= (α∗, γ)]
is slightly higher than random chance.
![Page 54: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/54.jpg)
18
Transferring the Loss
Cpct[k, α∗, β∗](α)
if α?=α∗
β := β∗
else
s := PRFk(α)
β := V1(x, α; s)
return β
Chide[k,B](α)
s := B(α)
if s = ⊥s := PRFk(α)
β := V1(x∗, α; s)
return β
Conditioned on α∗ being bad we get that
Pr
k,α∗,s∗,iO,A
[P∗(
iO(Cpct[k{α∗}, α∗,V1(x
∗, α; s∗)]))
= (α∗, γ)]
is slightly higher than random chance.
![Page 55: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/55.jpg)
18
Transferring the Loss
Cpct[k, α∗, β∗](α)
if α?=α∗
β := β∗
else
s := PRFk(α)
β := V1(x, α; s)
return β
Chide[k,B](α)
s := B(α)
if s = ⊥s := PRFk(α)
β := V1(x∗, α; s)
return β
Conditioned on α∗ being bad we get that
Pr
k,α∗,s∗,iO,A
[P∗(
iO(Cpct[k{α∗}, α∗,V1(x
∗, α; s∗)]))
= (α∗, γ)]
is slightly higher than random chance.
![Page 56: On the Existence of Three Round Zero-Knowledge Proofs · On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018](https://reader035.fdocuments.net/reader035/viewer/2022071013/5fcc0effd1db5b13615ad245/html5/thumbnails/56.jpg)
19
Conclusion
Assuming sub-exponentially secure iO and sub-exponentially securePRFs as well as exponentially secure input-hiding obfuscation formulti-bit point functions, three round zero-knowledge proofs can
only exist for languages in BPP.
Thanks!ia.cr/2018/167