strict polynomial-time in simulation and extraction

Strict Polynomial-Time in Simulation and Extraction

Boaz Barak & Yehuda Lindell

Interactive Proofs/Arguments

L=L(R) 2 NP

P Vw2R(x)

x (x2L)

9 efficient S s.t. 8 efficient V*

8 x2 L S(V*,x) <P,V*>(x)

Everything an efficient verifier can learn after a ZK interaction can be learned by applying an efficient algorithm (i.e., simulator) to the public input.

Zero-Knowledge:

Interactive Proofs/Arguments

L=L(R) 2 NP

9 efficient E s.t. 8 efficient P*

8 x Pr[ E(P*,x)2 R(X)] » Pr[<P*,V>(x)=1]

Proof of Knowledge (POK):If an efficient prover can convince the honest verifier that x2L then there exists an efficient algorithm (knowledge extractor) to extract a witness for x from the prover’s strategy.

P Vw2R(x)

x (x2L)

Definition of Zero-Knowledge:

Everything an efficient verifier can learn after a ZK interaction can be learned by applying an efficient algorithm to the public input.

Popular formal interpretation:

efficient = probabilistic polynomial-timeefficient = probabilistic expected polynomial-time

9 efficient S s.t. 8 efficient V*

8 x2 L S(V*,x) <P,V*>(x)

Definition of Proofs of Knowledge (POK):

Popular formal interpretation:

efficient = probabilistic polynomial-timeefficient = probabilistic expected polynomial-time

If an efficient prover can convince the honest verifier that x2L then there exists an efficient algorithm (knowledge extractor) to extract a witness for x from the prover’s strategy.

9 efficient E s.t. 8 efficient P*

8 x Pr[ E(P*,x)2 R(X)] » Pr[<P*,V>(x)=1]

Efficient Verifier/ Prover

Efficient Simulator/ Extractor

ProsCons

Def 1

Strict Strict Strict=Efficient Computation No Gap

No Constant-round prot*

Def 2

StrictExpected 9 constant-round protocols

ExpectedEfficient Gap

Def 3

Expected

Expected 9 constant-round protocols**

ExpectedEfficient Problem w/def [Feige]

Possible Defs for Zero-Knowledge



ProsCons

Def 1

Strict Strict Strict=Efficient Computation No gap

No constant-round prot*

Def 2



Def 3

Expected

Expected 9 constant-round prot** No gap


Possible Defs for Zero-Knowledge / POK



ProsCons

Def 1

Strict Strict Strict=Efficient Computation No gap

No constant-round prot*

Def 2



Def 3

Expected

Expected 9 constant-round prot** No gap


Possible Defs for Zero-Knowledge

Summary: Def 1 is best if it can be met.



Def 1

Strict Strict

Def 2

StrictExpected

Def 3

Expected

Expected

Summary: Def 1 is best

if it can be met.

[B,BG]: For Zero-Knowledge Def 1 can be met by a constant-round prot. w/ a non-black-box simulator (assuming CRH)Our Results:

1. In both cases Def 1 can not be met in constant-rounds by a black-box simulator/extractor.

2. In case of POK Def 1 can be met by a constant-round prot. w/ a non-black-box extractor (assuming CRH&TDP)

Impossibility of strict poly-time black-box simulation

Motivation: Look at how known expected poly-time black-box simulators work (e.g. [FS])

P VV1

P1

V2

P2

S V*V1

P1

V2

P2’

V2 V2’

P1’

Suppose that V* only sends message v2 w.p.

Using (v1,v2) and (v1,v2’) can simulate proof!

No clue how to continue

S V*V1

P1

?

w.p. 1-: Output (v1,p1,?)


- n2 work


w.p. 1-: Output (v1,p1,?) - n2 work

S V*V1

P1

V2

P2’’’’

V2

P1’

?

P1’’’’

V2’’’’

w.p. : Output (v1,p1’’’’,v2’’’’,p2’’’’) - (1/)¢n2 work

Ex[work] = (1-)n2 + ¢(1/)¢n2 · O(n2)

1/ times…


w.p. 1-: Output (v1,p1,?) - n2 work

S V*V1

P1

V2

P2’’’’

V2

P1’

?

P1’’

?

P1’’’’

V2’’’’

w.p. : Output (v1,p1’’’’,v2’’’’,p2’’’’) - (1/)¢n2 work

Ex[work] = (1-)n2 + ¢(1/)¢n2 · O(n2)

If we stop simulator after less than 1/ steps then simulation fails!

Note that may be any non-negligible value(e.g., 1/ >> n2 )

Impossibility of strict black-box simulationfor constant-round protocols.Let <P,V> be ZK proof for L with c verifier messages and strict t(n)-time black-box simulator SLet V* be s.t. V* aborts in any round w.p. 1-where is chosen s.t. 8 x2 L

1. Pr[ <P,V*>(x)=1] = c > 1/p(n)

2. Pr[ SV*(x) sees more than c messages ] << 1/p(n)

Choose = ¼( c ) t(n) -1· ( c )c+1

t(n)

Our Results:

1. In both cases Def 1 can not be met in constant-rounds by a black-box simulator/extractor.

2. In case of POK Def 1 can be met by a constant-round prot. w/ a non-black-box extractor (assuming CRH&TDP)

Obtaining POK with strict poly-time extractor

Trapdoor Permutations

ZK membership proof* w/ strict simulation [B,BG]

constant-roundCommit With Extract Scheme

==++

Commit-With-Extract: Secure commitment scheme s.t. using sender’s code can extract committed value in strict polynomial-time.

Can be used to obtain a ZKPOK for NP

Conclusion:

Non-Black-Box techniques are both necessary and sufficient to obtain strict polynomial-time simulation and extraction.

Obtaining POK with strict poly-time extractorProof Outline: Let L 2 NP, a ZKPOK will be

P Vy=Comm(w)

x2L

w2W(x)

ZKPComm-1(y) 2 W(x)

Commit-With-Extract

Need constant-round commitment scheme s.t. can extract committed value in strict poly-time using sender’s code.

Proof Sketch: Assume <P,V> is c-round ZK proof for LSuppose S is strict t(n)-time black-box simulator

Lemma: If V* is honest+abort verifier and 8 x2 L

Pr[ SV*(x) is accepting and S saw · c responds ] > 1/p(n)

Then L2BPP

Why? For xL

Pr[ SV*(x) is accepting and S saw · c responds ] = negl(n)

Fix V* s.t. in any round independently

Thus 8 x2 L Pr [ SV*(x) is accepting proof for x] » c

Clearly, 8 x2 L Pr[ <P,V*>=1 ] = c

But Pr [ SV*(x) gets > c non-? responds ]

·( c )c+1

t(n)

Pr[ SV*(x) accepting and S saw · c responds]¸c-( c )c+1

t(n)

w.p. 1-: V* aborts

w.p. : V* behaves like honest verifier

And so

For < ¼( c ) this is > ½ c = 1/p(n)t(n) -1

Obtaining POK with strict poly-time extractor

Thm: Suppose that1. 9 Trapdoor Permutations2. 9 constant-round ZK argument for NP w/ strict poly-time simulator

Then, 9 constant-round ZK argument of knowledge w/ strict poly-time knowledge-extractor.

Trapdoor Permutations

ZK membership proof* w/ strict simulation [B,BG]

ZK proof* of knowledge w/ strict extraction

==++

strict polynomial-time in simulation and extraction

Documents