Ran Canetti, Huijia (Rachel) Lin, Omer Paneth
Zero-Knowledge Proofs
• Completeness
• Soundness
𝑥 ∈ ℒ?
𝒫
𝒱
Zero-Knowledge Proofs
• Completeness
• Soundness
• Zero-knowledge
𝑥∈ℒ
𝒫
𝒱𝒱∗
Zero-Knowledge
[Goldwasser-Micali-Rackoff 85]
• 𝒱 ∗ learn nothing except "𝑥 ∈ ℒ"
• 𝒱 ∗ knows how to generate a proof
• There is a Simulator that
efficiently extracts a proof from 𝒱 ∗
Two Types of
Zero-Knowledge proofs
Public-Coin Protocols
𝑟1 ← 𝑈
𝑚1
𝒫
𝑟2 ← 𝑈
𝑚2
𝒱
Concurrent Composition
𝑚1
𝑚2
𝑚1
𝑚2
𝒫
𝒫
𝑚3
𝑚3
𝑚4
𝑚4
𝒱∗
State of the Art
Constant-round public-coin
zero-knowledge
[Barak 01]
Concurrent zero-knowledge
[Richardson-Kilian 99]
[Kilian-Petrank 01]
[Prabhakaran-Rosen-Sahai 02]
Question
Is there a
public-coin concurrent
zero-knowledge protocol?
Yes! (well, almost)
Technical Motivation
Combine state of the art
simulation techniques
Applications to concurrent 2PC
[Goyal 13]
What are the existing
simulation techniques?
The Simulator
Simulator
proof transcript
𝒱∗
How does the simulator
∗
extract a proof from 𝒱 ?
The FLS Paradigm
[Feige-Lapidot-Shamir 90]
Set a trapdoor statement such that
only 𝒱 knows a trapdoor witness
𝒫
Witness Indistinguishable
proof for 𝑥 ∈ ℒ or
for a trapdoor statement
𝒱
The FLS Paradigm
Simulator
𝒱∗
proof transcript
trapdoor
witness
How does the simulator
extract a trapdoor witness?
Rewinding
𝑚1
𝑞
𝒫
Question-answer
slot
𝑎
𝑚4
𝒱
Rewinding
𝑚1
𝒮
𝑞
𝑞′
𝑎
𝑎′
𝑎 + 𝑎′ = Trapdoor witness
𝑚4
𝒱
∗
Other Techniques
• Public-coin protocols
[Goldreich-Krawczyk 96]
• Concurrent composition
[Dwork-Naor-Sahai 98]
Public-Coin Protocols
𝑟0
𝑞
𝒮
𝑞′
Goldreich-Krawczyk
96:
𝑟
𝑟′
∗
𝒱
No black-box simulator
𝑟 and 𝑟′ are independent
Public-Coin Protocols
The solution:
Non-black-box simulation
[Barak 01]
Concurrent Composition
𝑚1
𝑞
𝑚1
𝑞
𝒫
𝒫
𝑎
𝑚4
𝑎
𝑚4
𝒱∗
Concurrent Composition
𝑚1
𝒮
𝑞
𝑞′
𝑚1
𝑚1 ′
𝑞
𝑞′
𝑎
𝑚4
𝑎′
𝑚4 ′
𝑎
𝑎′
𝒱
∗
Concurrent Composition
𝑚1
𝑞′
𝑞
𝑚1
𝒮
𝑚1 ′
𝑞
𝑞′
𝑞′′
𝑞′′′
𝑎
𝑎′
𝑎′′
𝑎′′′
𝑚4
𝑚4 ′
𝑎
𝑎′
𝒱
∗
Concurrent Composition
The solution:
Rewinding with many slots
[Richardson-Kilian 99]
[Kilian-Petrank 01]
[Prabhakaran-Rosen-Sahai 02]
Current Techniques
rewinding
stand-alone
private-coin
zero-knowledge
rewinding with
many slots
concurrent
zero-knowledge
[RK,KP,PRS]
non-black-box
simulation
public-coin
zero-knowledge
[Barak 01]
This work
public-coin
concurrent
zero-knowledge
Barak’s Protocol (sketch)
𝑐 = COM(Π)
𝑟
𝒫
𝒱
Witness indistinguishable proof
for 𝑥 ∈ ℒ or trapdoor statement
Trapdoor statement: the program Π predicts
the randomness 𝑟 before it was sent
Barak’s Protocol
𝑐 = COM(Π)
𝑟
𝒫
𝒱
Witness indistinguishable proof
for 𝑥 ∈ ℒ or Π c → 𝑟
Trapdoor statement:
∃Π: 𝑐 = COM Π ∧ Π 𝑐 → 𝑟
Barak’s Protocol
Soundness:
𝒫∗ can not commit to Π that predicts 𝑟
Zero-knowledge:
Π = 𝒱∗
𝒫 𝒮
𝑐 = COM(Π)
𝑐 = COM(𝒱 ∗ )
𝑟
𝑟
Witness indistinguishable proof
∗
Proof
that
𝒱
(𝑐)𝑟 → 𝑟
for 𝑥 ∈ ℒ or Π c →
𝒱
∗𝒱
Concurrent Barak
𝑐 = COM(𝒱 ∗ )
𝑐
𝑟
𝒮
𝒱∗
Proof
𝑟
Proof that 𝒱 ∗ (𝑐)
→𝑟
Concurrent Barak
𝑐 = COM(𝒱 ∗ ⋅, 𝑐, "Proof" )
𝑐
𝑟
𝒮
Proof
𝑟
𝒱 ∗ (𝑐, 𝑐, "Proof") → 𝑟
𝒱∗
Folklore Approach
[Deng-Goyal-Sahai 09]
[Pass-Rosen-Tseng 11]
[Goyal-Jain-Ostrovsky-Richelson-Visconti 13]
Folklore Approach
𝑐 = COM(𝒱 ∗ ⋅, 𝑐, "Proof" )
𝑐
𝑟
𝒮
Proof
𝑟
𝒱∗
Folklore Approach
𝑐 = COM(𝒮′)
𝒮′
𝑐
𝑟
𝒮
Proof
𝑟
Proof that 𝒮′(𝑐) → 𝑟
𝒱∗
Simulation Running Time
𝑐 = COM(𝒮′)
𝑐 = COM(𝒮′)
𝒮′
𝑟
𝒮
Proof that 𝒮′(𝑐) → 𝑟
𝑟
Proof that 𝒮′(𝑐) → 𝑟
𝒱∗
𝒮′
Simulation Running Time
𝑇 𝒮
′
𝑇 𝒮
′
𝑇 𝒮′
≥ 2𝑇 𝒮 ′
𝒮′
Proof that 𝒮 ′ (𝑐) → 𝑟
Proof that 𝒮′(𝑐) → 𝑟
𝒮′
Simulation Running Time
𝑇 𝒮 ′ ≥ 2𝑇 𝒮 ′
𝑇 𝒮 ′ ≥ 2𝑇 𝒮 ′ ≥ 4𝑇 𝒮 ′
…
𝒮′
Proof that 𝒮 ′ (𝑐) → 𝑟
Proof that 𝒮′(𝑐) → 𝑟
Proof that 𝒮′(𝑐) → 𝑟
𝒮′
𝒮′
Recursive Rewinding
𝑚1
𝑚2 ′
𝑚2
𝑚1
𝒮
𝑚1 ′
𝑚2
𝑚2 ′
𝑚2 ′′
𝑚2 ′′′
𝑚3
𝑚3 ′
𝑚3 ′′
𝑚3 ′′′
𝑚4
𝑚4 ′
𝑚3
𝑚3 ′
𝒱
∗
The Problem
Simulate
Prove a
𝑇
≥2⋅𝑇
a proof
statement
Roadmap
add slots
stand-alone
private-coin
zero-knowledge
non-black-box
simulation
public-coin
zero-knowledge
[Barak 01]
concurrent
zero-knowledge
[RK,KP,PRS]
simulation
runtime is
exponential
concurrent
compassion
public-coin
concurrent
zero-knowledge
Concurrent Zero-Knowledge
𝑚1
𝑞1
𝒫
Slot
𝑎1
𝑞2
𝒱
𝑎2
𝑚6
Slot
Concurrent Zero-Knowledge
𝑚1
𝒮
𝑞1
𝑞1 ′
𝑎1
𝑎1 ′
𝑞2
𝑎1 + 𝑎1 ′
𝑎2
𝑚6
𝒱∗
Concurrent Zero-Knowledge
𝑚1
𝑞1
𝑎1
𝒮
𝑞2
𝑞2 ′
𝑎2
𝑎2 ′
𝑎2 + 𝑎2 ′
𝑚6
𝒱∗
Concurrent Zero-Knowledge
𝒫
𝒫
𝒱∗
Concurrent Zero-Knowledge
𝒮
𝒱∗
Concurrent Zero-Knowledge
𝒮
𝒱∗
The KP-PRS Strategy
The KP-PRS Strategy
The Protocol
𝑐1 = COM(Π)
𝑟1
…
𝒫
Slot
Slot
𝑐𝑘 = COM(Π)
𝑟𝑘
WI proof for 𝑥 ∈ ℒ or
∃i, Π: 𝑐𝑖 = COM Π ∧ Π 𝑐𝑖 → 𝑟𝑖
𝒱
Simulation
Black-box world - Rewinding
Non-black-box world – Proving
Simulation
𝑐𝑖 = COM(𝒮′)
KP-PRS
Block
𝒮
𝑟𝑖
𝒮′
Round complexity
1+𝜖
log
𝑛 for 𝜖 > 0
Proof that 𝒮 ′ (𝑐𝑖 ) → 𝑟𝑖
𝒱
∗
A Caveat
Simulation constructs many long proof
Solved by using memory delegation
Need all session to use one hash function
The Global Hash Model
ℎ ←𝑅 ℋ
collision-resistant
hash function
𝒫
𝒱
𝒫
𝒱
𝒫
𝒱
The Global Hash Model
Breaking
soundness
Explicit uniform
reduction
Finding
collisions
The Global Hash Model
Uniform Hash Function
𝒫
𝒱
𝒫
𝒱
𝒫
Protocol in the plain model
against uniform adversaries
𝒱
The Global Hash Model
SHA-256
𝒫
𝒱
𝒫
𝒱
𝒫
Protocol in the plain model
from human ignorance [Rogaway 06]
𝒱
GHM vs. CRS
Common reference
string model
Global hash
model
Simulated 𝐶𝑅𝑆
with a trapdoor
Simulation for
every ℎ
Public-coin concurrent zero-knowledge
NIZK
Black-box impossibility
[Pass-Tseng-Wikström]
What is next?
• [Goyal 13]:
Public-coin concurrent zero-knowledge
with poly(𝑛) rounds without a global hash
• Open question:
Public-coin concurrent zero-knowledge
with O(log 𝑛) rounds without a global hash
• Open question:
Concurrent zero-knowledge
with o(log 𝑛) rounds
[slide: Mira Blenekiy]