On Non-Black-Box Proofs of Security
Boaz Barak, Princeton
Prototypical Crypto Thm: If problem X is hard then scheme Y is secure.
Examples:
• ∃ OWF ⇒ ∃ signature schemes [NaorYung, Rompel]
• DDH hard ⇒ ∃ CCA-secure encryption [CramerShoup98]
Contrapositive: ∃ poly-alg A breaking Y ⇒ ∃ poly-alg B for X
Typical proof: Show generic B using A as subroutine.
(Diagram: B^A, given an instance x of X and oracle access to A, outputs a solution for x.)
We call this a black-box proof of security.
In a non-black-box proof, B can use the code of A (not to be confused w/ black-box vs. non-black-box constructions).
More Formally: (Strongly) Black-Box Reductions (for OWF ⇒ KA)
∃ eff. (Alice, Bob), eff. Adv s.t. ∀ f and Eve [ Eve breaks (Alice^f, Bob^f) ⇒ Adv^{f,Eve} inverts f ]
(Diagram: underlying primitive f; protocol (Alice, Bob) built on f; adversary Eve attacking it; security proof Adv with oracle access to f and Eve.)
Non-black-box proofs of security:
1. Security proof may use code of underlying primitive (i.e., f) (examples: using specific assumptions, Cook-Levin)
2. Security proof may use code of adversary (this talk)
Non-Black-Box Security Proofs
Advantages:
• More general proof technique, can prove more thms.
• Bypass proven limitations of black-box proofs.
Disadvantages:
• Less robust proofs, more dependence on model.
• E.g.: Uniform TMs vs. circuits, quantum algorithms.
• Seem to come at steep cost in efficiency.
(Somewhat surprisingly, without “real” understanding of computation.)
Applications of Non-BB Proofs:
Strong Forms of Zero Knowledge:
• O(1)-round bounded concurrent zero-knowledge (ZK) [B.01]
• Resettably-sound ZK, resettable ZK proof of knowledge [B.GoldwasserGoldreichLindell01]
• ZK with strict poly-time simulation & extraction [B.Lindell02]
Composable protocols:
• O(1)-round concurrent, non-malleable commitments [B.02], [PassRosen05a], [PassRosen05b]
• O(1)-round general multiparty computation [KatzOstrovskySmith03], [Pass04]
• Concurrent, non-malleable general computation [Lindell03], [PassRosen03], [Pass04], [B.Sahai05]
Plan
I Basic Non-BB ZK Protocol [B.01]
II Making it bounded-concurrent [B.01]
III Making it bounded non-malleable [Pass04]
IV Unbounded concurrency and non-malleability using super-polynomial simulation [B.Sahai04]
V Limitations and open questions.
I Non-Black-Box Zero Knowledge
Zero Knowledge Proof: P proves to V that stmt x is true.
(e.g., x = “string y is encryption of 0”, x = “graph G is 3-colorable”)
(Diagram: P holds stmt x ∈ {0,1}^n and a witness, e.g. a coloring c:[n]→{R,G,B}; V holds x and outputs “accept”/“reject”.)
Completeness: P runs in poly-time given witness w for x.
Soundness: If x false, V accepts w.p. < negl(n) = n^{-ω(1)}
Zero Knowledge: ∀ (possibly cheating) V*, ∃ S s.t. S(x) ≈ V*’s view in exec with P(w)
Black-Box ZK: S uses V* as a black-box subroutine (i.e. uses subroutine for V*’s next-message function).
Non-BB ZK: S uses the code of V*.
Some Tools
Commitments: Efficient func Com:{0,1}^k × {0,1}^n → {0,1}^m [Blum84],[Naor91]
Hiding: ∀ x,x’ Com(x,U_n) ≈ Com(x’,U_n)
Binding: x ≠ x’ ⇒ Com(x,{0,1}^n), Com(x’,{0,1}^n) disjoint
(Notation: Com(x) = Com(x,U_n))
Collision Resistant Hash (CRH): [GoldwasserMicaliRivest84], SHA1, AES, …
Collection H of efficient functions {0,1}^* → {0,1}^n s.t. for random h ∈ H hard to find x ≠ x’ w/ h(x)=h(x’)
(implies CRH from {0,1}^{2n} to {0,1}^n)
Witness Indistinguishable Proofs (WI): [FeigeShamir90]
When proving x1 ∨ x2, verifier can’t tell witness used.
• Implied by zero knowledge.
• Closed under concurrent composition.
A Flawed Zero Knowledge Protocol
Stmt: x ∈ {0,1}^n
P → V: z = Com(r’)
V → P: r ∈_R {0,1}^n
P → V: UAWI proof that either 1) x is true, or 2) r’ = r.
Completeness: Prover has efficient strategy using witness for x.
Soundness: Suppose x is false. Let z be prover’s message. Denote r’ = Com^{-1}(z). Pr[ r = r’ ] = 2^{-n}.
Zero Knowledge: Let V* be possibly cheating ver. Assume w.l.o.g. V* deterministic, so r = V*(z).
Sim’s goal: z = Com(r), i.e. find r s.t. r = V*(Com(r)). Problem: could take 2^n guesses.
Flawed Protocol – High Level View
Stmt: x ∈ {0,1}^n
P → V: guess r
V → P: r ∈_R {0,1}^n
P → V: Stmt true or I guessed r
Main Tool – Universal Arguments [Kilian92],[Micali94],[B.Goldreich02]
Interactive proof system for super-polynomial languages.
Based on following variant of PCP thm: [BabaiFortnowLevinSzegedy91]
Statement: “M(x)=1”, where M has an n-bit description and running time T (M can be deterministic/non-det).
(Diagram: proof of length T^{O(1)}; verifier makes c queries, runs in c·polylog(T) time, error 2^{-Ω(c)}.)
Every statement verifiable in T time deterministically can be proven in polylog(T) time in the “prob. proof in sky” (PCP) model.
Universal Arguments [Kilian92,Micali94],…
Statement: “M(x)=1”, M with n-bit description and running time T; PCP proof of length T^{O(1)}.
V → P: h, a col-res hash h:{0,1}^{2k}→{0,1}^k
P → V: root of hash tree (Merkle tree [Merkle]) of the PCP proof
V → P: q1,…,qc, the PCP verifier’s queries
P → V: answers + authentication paths in tree
Prover time: poly(T)
Soundness: negl(k)
Communication: k·polylog(T)
Verifier time: k·polylog(T)+poly(n)
Using commitments and ZK/WI proofs for NP can get UAZK/UAWI w/ same parameters.
Is proof of knowledge [B.Goldreich02]
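An added illustration (not from the talk) of the hash-tree step above: the prover commits to a long proof string by a Merkle root, the verifier asks for c positions, and each answer carries an authentication path, so communication is c·k·log T instead of T. SHA-256 stands in for the collision-resistant h, and SAMPLE_PROOF is constructed sample data rather than a real PCP encoding.

```python
import hashlib

def h(x: bytes) -> bytes:
    """Stand-in for the collision-resistant hash h: {0,1}^{2k} -> {0,1}^k (k = 256 bits)."""
    return hashlib.sha256(x).digest()

def build_tree(symbols):
    """Hash tree over the proof symbols; levels[0] = leaf hashes, levels[-1] = [root].
    Leaves are domain-separated from inner nodes so a leaf cannot be passed off as a node."""
    assert len(symbols) & (len(symbols) - 1) == 0, "toy version needs 2^depth symbols"
    level = [h(b"leaf:" + s) for s in symbols]
    levels = [level]
    while len(level) > 1:
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def open_position(levels, q):
    """Authentication path for position q: the sibling hash at each level, leaf level first."""
    path = []
    for level in levels[:-1]:
        path.append(level[q ^ 1])
        q >>= 1
    return path

def verify_opening(root, q, symbol, path):
    """Recompute the root from (q, symbol, path). The direction at each level comes from the
    bits of q, so the prover cannot answer query q with a symbol that sits elsewhere."""
    node = h(b"leaf:" + symbol)
    for sib in path:
        node = h(node + sib) if q & 1 == 0 else h(sib + node)
        q >>= 1
    return node == root

def prover_commit(proof: bytes):
    """Prover's first message: the root of the hash tree of the T^O(1)-long proof string."""
    levels = build_tree([bytes([b]) for b in proof])
    return levels[-1][0], levels

def prover_answer(proof: bytes, levels, queries):
    """Answer each PCP query q with the symbol at q plus its path; nothing else is sent."""
    return [(q, proof[q:q + 1], open_position(levels, q)) for q in queries]

def verifier_accepts(root, answers, depth):
    """Accept iff every answered position opens correctly against the committed root."""
    return all(0 <= q < (1 << depth) and len(p) == depth and verify_opening(root, q, s, p)
               for q, s, p in answers)

# Constructed sample "proof" of T = 4096 symbols (depth 12); a real PCP string would be structured.
SAMPLE_PROOF = bytes(range(256)) * 16
```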
Basic Non-BB Zero Knowledge [B.01]
CRH h:{0,1}^*→{0,1}^n, Stmt: x ∈ {0,1}^n
P → V: z = Com(h(M)), M a Turing machine (honest prover uses “junk” TM that always outputs 0)
V → P: r ∈_R {0,1}^n
P → V: UAWI proof that either 1) x is true, or 2) M(z) = r (in ≤ n^{log n} steps)
Completeness: Prover has efficient strategy using witness for x.
Soundness: Suppose x is false. Let z be prover’s message. Assume it binds to a single TM M. Denote r’ = M(z). Pr[ r = r’ ] = 2^{-n}.
Note use of UA property: condition (2) takes n^{log n} steps to check, so a universal argument is needed rather than an NP proof.
Zero Knowledge: Let V* be possibly cheating ver. Assume w.l.o.g. V* deterministic, so r = V*(z).
Sim uses z = Com(h(V*)): then M = V* and M(z) = V*(z) = r, so Sim can prove option (2) without a witness for x.
Inherently non-BB simulator. [GoldreichKrawczyk86]
High Level View: Basic Non-BB ZK [B.01]
Stmt: x ∈ {0,1}^n
P → V: implicitly guess r
V → P: r ∈_R {0,1}^n
P → V: Stmt true or I guessed r
II Bounded-Concurrent ZK
Concurrent ZK: [DworkNaorSahai98],[RichardsonKilian99],…
Coordinated attack of several verifiers against concurrently scheduled ZK proofs.
(Diagram: V* controls V1, V2, V3 interacting concurrently with P1, P2, P3.)
Bounded Concurrent: t sessions. Protocol communication and time poly(t,n).
Challenging because typical “rewinding” technique blows up simulation time.
Requires Ω̃(log n) rounds for BB ZK. [CanettiKilianPetrankRosen01],…,[PrabhakaranRosenSahai03]
Is Basic Protocol Concurrent ZK?
Session 1 (P1 ↔ V*): h; Stmt: x ∈ {0,1}^n; z = Com(h(V*)); r = V*(z); UAWI either 1) x is true, 2) M(z)=r.
Session 2 (P2 ↔ V*): h; Stmt: x ∈ {0,1}^n; z = Com(h(V*)); V* also sees trans, the messages of other sessions scheduled in between; r = V*(z,trans); UAWI either 1) x is true, 2) M(z)=r ?
(V*’s answer now depends on trans, so M(z) = V*(z) need not equal r.)
Idea: relax the definition of “guessing” r.
Change (2) to M(z,trans)=r for some |trans| < |r|/2.
That is: z is implicit guess for 2^{|trans|} possibilities for r. (notation: guess_{|trans|} r)
Crucial point: can ensure all prover→verifier msgs have length << |r|.
Corollary: O(1)-round bounded concurrent ZK (bcZK) for all NP. [B.01]
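A toy rendering, added here and not the talk’s own code, of the simulator trick of the basic protocol and of the relaxed guess just described: the honest prover commits to the junk machine, while the simulator commits to the hash of V*’s own description, so V*’s challenge r is by construction what the committed machine outputs on z (or on z together with a short trans). Assumptions: SHA-256 stands in for Com and h, Turing machines are replaced by a two-kind toy machine model, and VSTAR is a constructed verifier.

```python
import hashlib
import os

N = 16  # length of the verifier's challenge r in bytes (the talk's n, in bits)

def com(msg: bytes, rand: bytes) -> bytes:
    """Toy commitment Com(msg, rand) = SHA-256(rand || msg); rand is the opening. Illustrative only."""
    return hashlib.sha256(rand + msg).digest()

def run_machine(desc: bytes, z: bytes, trans: bytes = b"") -> bytes:
    """Tiny machine model standing in for Turing-machine descriptions. b"junk" is the honest
    prover's machine (always outputs 0^n); b"keyed:<key>" is a deterministic verifier whose
    challenge depends on the commitment z and on the transcript of other sessions, trans."""
    if desc == b"junk":
        return bytes(N)
    tag, key = desc.split(b":", 1)
    assert tag == b"keyed"
    return hashlib.sha256(key + z + trans).digest()[:N]

def option2_holds(desc: bytes, opening: bytes, z: bytes, r: bytes) -> bool:
    """Relation behind option (2) of the basic protocol: z = Com(h(M)) and M(z) = r."""
    return com(hashlib.sha256(desc).digest(), opening) == z and run_machine(desc, z) == r

def option2_relaxed(desc: bytes, opening: bytes, z: bytes, trans: bytes, r: bytes) -> bool:
    """Bounded-concurrent relaxation: z = Com(h(M)) and M(z, trans) = r for some |trans| < |r|/2."""
    return (len(trans) < len(r) // 2
            and com(hashlib.sha256(desc).digest(), opening) == z
            and run_machine(desc, z, trans) == r)

def honest_prover_commit():
    """Honest prover commits to the junk machine; it will later prove option (1) with its witness."""
    opening = os.urandom(32)
    return com(hashlib.sha256(b"junk").digest(), opening), opening

def simulator(vstar_desc: bytes, trans: bytes = b""):
    """Non-black-box simulator: commits to h(V*'s own description). Whatever r = V*(z, trans) the
    verifier then answers, the committed machine outputs exactly r, so option (2) has a witness."""
    opening = os.urandom(32)
    z = com(hashlib.sha256(vstar_desc).digest(), opening)
    r = run_machine(vstar_desc, z, trans)          # V*'s answer to z (V* is deterministic)
    return z, r, (vstar_desc, opening)             # witness for option (2); no witness for x used

# Constructed cheating verifier: its "code" is just this description.
VSTAR = b"keyed:constructed-verifier-key"
```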
III Non-Malleable ZK [DworkDolevNaor90]
Adversary is “man-in-middle” between prover & verifier.
(Diagram: left session P ↔ V1 and right session P2 ↔ V, where V* plays both V1 and P2.)
Bounded non-malleability: id’s come from set of size t, protocol communication and time poly(t,n)
[DDN]: O(log n)-rounds
[B.02]: O(1)-rounds
[Pass04]: O(1)-rounds bounded non-mal; a bit different non-BB technique.
[PassRosen05a]: make [Pass04] unbounded NM (simpler, weaker assump)
Security goal: Ensure proof to honest verifiers is sound even when simulating honest prover – simulation soundness. [Sahai00]
• 2 sessions with unique id.
• Arbitrary scheduling (synchronized is hardest).
Is Simulation Soundness Trivial?
(Diagram: left session P ↔ V1 on (x,id), right session P2 ↔ V on (x’,id’); V* plays V1 and P2.)
Naive attempt to prove that every ZK protocol is simulation sound:
First, note that in real MIM interaction, right session is sound (otherwise combine V* and P to get a prover contradicting standalone soundness).
To simulate – consider V and V* as one standalone verifier V’, and use simulator for V’.
But, since simulator’s output ≈ real interaction, how can simulation differ?
Note: known not to hold for some protocols, but why does naïve “proof” fail?
• The event that x’ is true is not efficiently observable.
• Simulator uses coins of V, so right session not necessarily sound.
Pass’s Bounded-NMZK Protocol [Pass04]
Left session (P ↔ V1 = V*): P implicitly guesses r1; V1 → P: r1 ∈_R {0,1}^{m1}; P → V1: Stmt true or guessed_{m1} r1.
Right session (P2 = V* ↔ V): P2 implicitly guesses r2; V → P2: r2 ∈_R {0,1}^{m2}; P2 → V: Stmt true or guessed_{m2} r2.
Crucial observation: use bcZK to get one-directional simulation soundness.
If m1 >> |right session| then can simulate left w/o right verifier’s coins!
Pass’s Protocol:
1. Use |r| = id·B (B bound on all other comm in all sessions, note id’s bounded)
2. Run another iteration w/ id = max{id} − id
3. Prove in WI that at least one of the iterations succeeded.
IV Concurrent+Non-Malleable ZK
Many concurrent executions. Adversary corrupts both verifiers and provers.
(Diagram: V* sits between honest provers P1, P2, P3 and honest verifiers V1, V2, V3.)
Goal: simulation soundness: proofs to honest verifiers valid even in simulation.
Good News: Sufficient for concurrent secure computation of any task. [CanettiLindellOstrovskySahai02],[GoldreichMicaliWigderson87]
Bad News: Impossible to achieve natural definition (UC). [Lindell03],[Lindell04]
Good News: Maybe can achieve relaxed def: quasi-polynomial simulation. Implies: securely computing any task w/ qpoly simulation. [PrabhakaranSahai04]
Bad News: [PS] construction uses non-standard “tailored” assumptions.
Good News: Using non-BB obtain same result under standard assumptions (i.e., implied by factoring is subexp hard) [B.Sahai05]
Isn’t qpoly simulation trivial? [Pass03]
Stmt: x ∈ {0,1}^n
V → P: N = pretty large random composite
P → V: Com(p)
P → V: WI proof that either 1) x is true, or 2) p prime factor of N
Completeness: As always.
Soundness: From hardness of factoring.
Concurrent ZK: Straight-line simulation.
Simulation soundness??
(Diagram: V* between P ↔ V1 and P2 ↔ V; V* forwards the same N to P and reuses P’s z = Com(p) toward V.)
Left session: x true or p|N. Right session: x’ true or p|N.
In simulation V* can ensure 2nd condition is true.
No reason for right session to be sound!
Brute Force Op (BFOP) / Broke BFOP: labels used in the protocol below.
Starting point: Pass’s protocol for bounded-NM zero knowledge.
1st Step: Change it to handle #id’s to t = n^{log n}.
Problem: In Pass’s protocol communication > t.
Solution: “Compress” the long messages.
Instead of V → P: r1 ∈_R {0,1}^{m1} in the clear: V → P: Com(h(r1)), then a UAZK proof that V knows r1. Honest verifier uses r1 = 0^n.
Is it (stand-alone) sound?
Is it (stand-alone) zero knowledge?
Concurrent Non-Mal qZK Protocol [B.Sahai05]
Stmt: x ∈ {0,1}^n, id ∈ [t]
P → V: implicitly guess r1
V → P: implicitly send r1 (if the proof is successful, a qpoly-time knowledge extractor can obtain r1 by rewinding)
P → V: implicitly guess r2
V → P: implicitly send r2
BFOP
P → V: UAWI either 1) stmt true 2) guessed_{m1} r1 3) guessed_{m2} r2 4) broke BFOP
m1 = n^{log n}·id, m2 = n^{log n}·(t−id)
Completeness: As before.
Soundness: Will follow from simulation soundness.
ZK+Simulation Soundness: Straightline simulator breaking BFOP (4).
Why is that simulation sound??
Concurrent Non-Mal qZK Protocol* [B.Sahai05]
(Same protocol: implicit guesses/sends of r1, r2; BFOP; UAWI either 1) stmt true 2) guessed_{m1} r1 3) guessed_{m2} r2 4) broke BFOP; m1 = n^{log n}·id, m2 = n^{log n}·(t−id).)
ZK+Simulation Soundness: Straightline simulator breaking BFOP (4).
Change: Make option (1) weakly indist – observable in qpoly time.
Not an immediate solution: simulator now only weakly indist from real prover.
Idea: build auxiliary simulator that:
1) Strongly indist from “real” simulator.
2) Satisfies simulation soundness.
Why we need the “real” simulator? Auxiliary simulator uses the witness.
Real Prover: uses witness (1). Sim-sound: yes.
  ≈ (weak)
Real Simulator: uses time (4). Sim-sound: ? Yes!
  ≈ (strong)
Aux Simulator: uses witness, non-BB (2,3). Sim-sound: yes.
ZK+Simulation Soundness: Constructing the auxiliary simulator.
Execution we need to simulate: (Diagram: V* between P1, P2, P3 and V1, V2, V3, each session running the protocol above with m1 = n^{log n}·id, m2 = n^{log n}·(t−id).)
Useful observation: Can assume only one honest verifier.
Aux Simulator: uses witness, non-BB (2,3). Sim-sound: yes.
The auxiliary simulator:
(Diagram: left session P* ↔ V* and right session V* ↔ V, each running the protocol: implicit guess/send of r1, r2 (r’1, r’2 on the right), BFOP, UAWI with options 1–4; further provers P2, P3, …, Pm also interact with V*.)
Honest ver uses r1 = 0^n. We’ll use r1 ∈_R {0,1}^{m1}; r1 is never sent in clear – still strongly indist!
Need program M1 s.t. M1(z1,t1) = r’1 for |t1| << |r’1|. Can now simulate this part w/o access to ver’s coins.
Build M1 using V* + r1 + UA knowledge extractor:
• To run extractor need to simulate other sessions.
• To simulate other sessions, need to run extractor.
When building M1 use witness to sim other sessions!
Questions:
• All these use universal args. Are there different non-BB techniques?
• Random oracle model also used to achieve non-malleability and concurrent security. Can we justify this? (so far mostly negative results [CanettiGoldreichHalevi98],[GoldwasserTa03])
• Is there ZK system w/ O(1)-rounds and public coin verifier? Related to both these questions.
• Are these non-BB techniques inherently unpractical? Two problematic components: general ZK and PCP theorem. On other hand: PCPs get simpler, more efficient [BenSassonSudan05],[Dinur05]. Maybe can push complexity to simulation?
• Handling quantum adversaries?
[B.Sahai05] protocol in detail:
CRH h; Stmt: x ∈ {0,1}^n; id ∈ [t]
P → V: z1 = Com(h(M1))
V → P: UACom(r1)
P → V: z2 = Com(h(M2))
V → P: UACom(r2)
BFOP
P → V: UAWI either 1) x is true. 2) ∃ |t1| < k1−n s.t. M1(z1,t1) = r1 3) ∃ |t2| < k2−n s.t. M2(z2,t2) = r2 4) Broke BFOP.
k1 = n^{log n}·id, k2 = n^{log n}·(t−id)
(Diagram: the session V* ↔ V, with provers P1, P2 on the other side of V*.)
Rules of engagement:
Simulate execution s.t.:
1) Never use option #1 in UAWI
2) No use of time between dotted lines.
3) No use of ver. coins after green line.
Use M1 = V* program + r1 + extractor for UA
To rewind, M1 uses witness!
Use random r1 of length k1