# Resettably Sound Zero-Knowledge Arguments from OWFs - The (Semi) Black-Box Way

Lecture Notes in Computer Science, pp. 345–374, 2015.

Abstract:

We construct a constant round resettably-sound zero knowledge argument of knowledge based on black-box use of any one-way function. Resettable-soundness was introduced by Barak, Goldreich, Goldwasser and Lindell [FOCS 01] and is a strengthening of the soundness requirement in interactive proofs demanding that soundness should hold even if...

Introduction

- Zero-knowledge (ZK) proofs [13] allow a prover to convince a verifier of the validity of a mathematical statement of the form “x ∈ L” without revealing any additional knowledge to the verifier besides the fact that the theorem is true.
- Some of the key ideas that allow [16] to make black-box use of the hash function are: (1) the prover unfolds the paths of the Merkle tree so that the verifier can directly check the hash consistency, (2) the prover/simulator can arbitrarily extend a path on the fly by computing fake LEGO nodes and cheat in the proof of consistency using their respective trapdoors.

Highlights

- Barak et al. in [3] prove that, unless NP ⊆ BPP, interactive proofs for NP cannot admit a black-box zero-knowledge simulator and be resettably sound at the same time. They provide the first resettably-sound zero-knowledge arguments for NP based on the non-black-box zero-knowledge protocol of [1] and on the existence of collision-resistant hash functions (CRHFs).
- It might seem that achieving such a result is a matter of combining techniques from [16], which provides a "black-box" implementation of Barak's non-black-box simulation, and [9], which provides an implementation of Barak's technique based on one-way functions.
- In [16], in order to use the collision-resistant hash function in a black-box manner, the prover is required to open the paths of the Merkle tree corresponding to the Probabilistically-Checkable Proof of Proximity (PCPP) queries and let the verifier check their consistency.

Results

- Chung, Pass and Seth [9] (CPS) showed how to implement the non-black-box simulation technique of Barak using OWFs. The main idea of CPS is to notice that digital signature schemes — which can be constructed from one-way functions — share many of the desirable properties of CRHFs, and to show how to appropriately instantiate Barak's protocol using signature schemes instead of CRHFs. More precisely, CPS show that by relying on strong fixed-length signature schemes, one can construct a signature tree analogous to the Merkle hash tree that allows compression of arbitrary-length messages into fixed-length commitments and satisfies an analogous collision-resistance property.
- In [16], in order to use the CRHF in a black-box manner, the prover is required to open the paths of the Merkle Tree corresponding to the PCPP queries and let the verifier check their consistency.
- The prover proceeds with the protocol using the remaining half of the keys, namely by committing to n/2 roots, and obtaining n/2 sets of PCPP queries from the verifier.
- The protocol starts with a signature slot, where the prover sends T commitments, and the verifier signs all of them.
- Using a ZK protocol, the prover proves in a black-box manner that: (1) the paths are consistent with the root committed before, (2) the leaves of the paths open to accepting PCPP answers.
- The simulator computes consistent trees for the machine V* and the PCPP proof by rewinding the verifier in the first signature slot, and by committing to their depth at the beginning.
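The path-opening step that the bullets above attribute to [16], as an added Python example that is not code from the paper: the prover commits to the root and depth of a Merkle tree over a proof string, the verifier picks query positions, and the prover unfolds those paths so the verifier can check hash consistency using nothing but calls to the hash function. SHA-256 stands in for the CRHF and the 8-leaf proof string is constructed for illustration.

```python
import hashlib

def H(data: bytes) -> bytes:
    # The hash is only ever called on raw bytes: black-box use of the primitive.
    return hashlib.sha256(data).digest()

def build_tree(leaves):
    """Prover: return the tree as a list of levels; levels[0] holds the hashed
    leaves and levels[-1] holds the single root. Leaf and inner hashes are
    domain-separated so a leaf cannot be passed off as an inner node."""
    n = len(leaves)
    assert n > 0 and n & (n - 1) == 0, "constructed example uses a power-of-two size"
    levels = [[H(b"\x00" + leaf) for leaf in leaves]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(b"\x01" + prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def open_path(levels, idx):
    """Prover: unfold the path from leaf idx to the root as the list of sibling hashes."""
    path = []
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx //= 2
    return path

def verify_path(root, depth, idx, leaf, path):
    """Verifier: recompute the path bottom-up and compare with the committed root.
    The committed depth bounds the path length, so a path of the wrong shape is rejected."""
    if len(path) != depth:
        return False
    node = H(b"\x00" + leaf)
    for sib in path:
        node = H(b"\x01" + sib + node) if idx & 1 else H(b"\x01" + node + sib)
        idx //= 2
    return node == root

def answer_queries(levels, leaves, queries):
    """Prover: for each queried position return the leaf together with its unfolded path."""
    return {q: (leaves[q], open_path(levels, q)) for q in queries}

def check_answers(root, depth, answers):
    """Verifier: every opened path must be consistent with the committed root."""
    return all(verify_path(root, depth, q, leaf, path) for q, (leaf, path) in answers.items())

if __name__ == "__main__":
    proof = [bytes([i]) * 4 for i in range(8)]      # constructed stand-in for a PCPP string
    tree = build_tree(proof)
    root, depth = tree[-1][0], len(tree) - 1        # the values the prover commits to
    print(check_answers(root, depth, answer_queries(tree, proof, [1, 6])))
```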

Conclusion

- Zero-knowledge follows from the t-privacy and soundness follows from the t-robustness of the MPC/VSS protocols, where t-robustness roughly means that, provided that the predicate to be proved is false and that the prover does not know in advance which views will be opened, corrupting only t players is not sufficient to convince the verifier with consistent views.
- The prover then decommits t views for every MPC/VSS protocol committed before, as follows: first, it computes accepting MPC views by running the simulator provided by the t-security of the MPC-in-the-head protocol; then it opens to these views by equivocating the corresponding commitments.

References

- Barak, B.: How to go beyond the black-box simulation barrier. In: FOCS, pp. 106–115. IEEE Computer Society (2001)
- Barak, B., Goldreich, O.: Universal arguments and their applications. In: Computational Complexity, pp. 162–171 (2002)
- Barak, B., Goldreich, O., Goldwasser, S., Lindell, Y.: Resettably-sound zero-knowledge and its applications. In: FOCS 2001, pp. 116–125 (2001)
- Ben-Sasson, E., Goldreich, O., Harsha, P., Sudan, M., Vadhan, S.P.: Robust pcps of proximity, shorter pcps, and applications to coding. SIAM J. Comput. 36(4), 889–974 (2006)
- Bitansky, N., Paneth, O.: On the impossibility of approximate obfuscation and applications to resettable cryptography. In: STOC, pp. 241–250 (2013)
- Choi, S.G., Dachman-Soled, D., Malkin, T., Wee, H.: Simple, black-box constructions of adaptively secure protocols. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 387–402. Springer, Heidelberg (2009)
- Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.: Verifiable Secret Sharing and Achieving Simultaneity in the Presence of Faults (Extended Abstract). In: Proceedings of the 26th Annual IEEE Symposium on Foundations of Computer Science, FOCS 1985, pp. 383–395 (1985)
- Chung, K.M., Ostrovsky, R., Pass, R., Venkitasubramaniam, M., Visconti, I.: 4-round resettably-sound zero knowledge. In: TCC 2014, pp. 192–216 (2014)
- Chung, K.M., Pass, R., Seth, K.: Non-black-box simulation from one-way functions and applications to resettable security. In: STOC (2013)
- Dachman-Soled, D., Kalai, Y.T.: Securing circuits against constant-rate tampering. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 533–551. Springer, Heidelberg (2012)
- Dachman-Soled, D., Malkin, T., Raykova, M., Venkitasubramaniam, M.: Adaptive and concurrent secure computation from new adaptive, non-malleable commitments. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 316–336. Springer, Heidelberg (2013)
- Goldreich, O.: Foundations of Cryptography — Basic Tools. Cambridge University Press (2001)
- Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: STOC, pp. 291–304 (1985)
- Goyal, V.: Constant round non-malleable protocols using one way functions. In: Fortnow, L., Vadhan, S.P. (eds.) STOC, pp. 695–704. ACM (2011)
- Goyal, V., Lee, C.K., Ostrovsky, R., Visconti, I.: Constructing non-malleable commitments: A black-box approach. In: FOCS, pp. 51–60. IEEE Computer Society (2012)
- Goyal, V., Ostrovsky, R., Scafuro, A., Visconti, I.: Black-box non-black-box zero knowledge. In: STOC (2014)
- Haitner, I.: Semi-honest to malicious oblivious transfer—the black-box way. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 412–426. Springer, Heidelberg (2008)
- Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 8–26. Springer, Heidelberg (1990)
- Ishai, Y., Kushilevitz, E., Lindell, Y., Petrank, E.: Black-box constructions for secure computation. In: Proceedings of the 38th Annual ACM Symposium on Theory of Computing, Seattle, WA, USA, May 21-23, pp. 99–108. ACM (2006)
- Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Johnson, D.S., Feige, U. (eds.) STOC, pp. 21–30. ACM (2007)
- Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: Kosaraju, S.R., Fellows, M., Wigderson, A., Ellis, J.A. (eds.) STOC, pp. 723–732. ACM (1992)
- Lin, H., Pass, R.: Black-box constructions of composable protocols without setup. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 461–478. Springer, Heidelberg (2012)
- Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990)
- Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: STOC 1989, pp. 33–43 (1989)
- Ostrovsky, R., Scafuro, A., Venkitasubramaniam, M.: Resettably sound zero-knowledge arguments from OWFs – the (semi) black-box way. Cryptology ePrint Archive, Report 2014/284 (2014), http://eprint.iacr.org/
- Pass, R., Rosen, A.: New and improved constructions of non-malleable cryptographic protocols. In: STOC 2005, pp. 533–542 (2005)
- Pass, R., Tseng, W.-L.D., Wikström, D.: On the composition of public-coin zero-knowledge protocols. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 160–176. Springer, Heidelberg (2009)
- Pass, R., Wee, H.: Black-box constructions of two-party protocols from one-way functions. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 403–418. Springer, Heidelberg (2009)
- Reingold, O., Trevisan, L., Vadhan, S.P.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004)
- Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, Maryland, USA, May 13-17, pp. 387–394. ACM (1990)
- Wee, H.: Black-box, round-efficient secure computation via non-malleability amplification. In: FOCS, pp. 531–540. IEEE Computer Society (2010)