Post on 28-Mar-2015
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
Iftach Haitner, Alon Rosen and Ronen Shaltiel

Interactive Proofs
Let (P,V) be a proof system for L ∈ NP
• Completeness: for every x ∈ L and a w ∈ R_L(x)
  Pr[(P(w),V)(x) = 1] = 1
• Soundness: for every x ∉ L and (even unbounded) P*
  Pr[(P*,V)(x) = 1] < ε
• Prover's privacy: what information leaks through the interaction to a cheating V*?

Prover's Privacy
• Zero knowledge (ZK) [GMR]: the only "information" that V* obtains from interaction is that x ∈ L
  – strong privacy, sometimes hard to achieve (e.g., in public-coins constant-round protocols)
• Witness Hiding (WH) [FS]: the witness remains hidden
  Let D be a samplable distribution over R_L,
  Pr_{(x,w)←D}[A(x) = w] = neg for every efficient A
  Pr_{(x,w)←D}[(P(w),V*)(x) = w] = neg for every efficient V*
• Witness Indistinguishability (WI) [FS]: V* cannot distinguish between (P(w),V*)(x) and (P(w'),V*)(x), for any w,w' ∈ R_L(x) = {w: w is a witness for "x ∈ L"}
  – much weaker privacy, easier to achieve
  – meaningless in case of a single witness

Motivation
Consider "atomic" ZK protocols such as 3-Colorability [GMW] and Hamiltonicity [Blum] that have constant soundness.
Parallel repetition of these protocols:
• Negligible soundness error
• Known to be WI
• Not ZK via black-box simulator [Goldreich-Krawczyk]
• Are they WH?
For some distributions WI ⇒ WH [Feige-Shamir] (each x has two "independent witnesses")
  – In these settings the WH has a "black-box" proof.
In which settings are these protocols WH with a black-box proof?

Our Result (informally)
If each x ∈ L has a unique witness, i.e., |R_L(x)| = 1,
then ∄ black-box Arthur-Merlin WH protocol with negligible soundness error.
(callout: constant-round public-coin)
Under a natural definition of black box
Corollary:
• Parallel repetition of 3-Colorability/Hamiltonicity
• ZAPS [Dwork-Naor]
Conceptually matches the upper bound of [Feige-Shamir] (for languages with two independent witnesses)

The Rest of the Talk
• Defining fully black-box WH reduction
  – In the paper, we consider additional types of black-box reductions
• Develop techniques to prove impossibility results for such reductions
  – Starting point is the technique developed by [Goldreich-Krawczyk] for showing impossibility results of ZK with black-box simulators
  – Need new ideas to overcome the new difficulties that come up in the setup of WH.
• In the following we fix (P,V), L and D
  – L has a unique witness
  – (P,V) has negligible soundness error

Fully Black-box Reductions
We would like to come up with a definition that is
1. Natural
2. Agrees with known reductions
3. Possible to rule out…
Black-box construction:
We only consider constructions that
• Use commitment scheme Com as a black box
• The hiding of Com does not hold ⇒ extracting the witness from an accepting transcript is easy (w.h.p.)
Agrees with all (generic) Arthur-Merlin WH protocols

Fully Black-box Reduction cont.
Proof of security: If an efficient V* breaks the WH of (P,V) over D, then computing the witness over D is easy (assuming that Com is hiding)
Black-box proof: ∃ efficient A^(·) that for every V* breaking the WH of (P,V) over D,
  – Pr[A^{V*}(x) = w] > neg (i.e., D is "easy" given V*), or
  – A^{V*} violates the hiding of Com
– Agrees with all known Arthur-Merlin WH (proofs) reductions
– More restricted than [Pass '06]
Thm: ∃ fully-black-box reduction of Arthur-Merlin WH for D ⇒ computing the witness over D is easy (or, Com is not hiding).

Starting Point
Let (P,V) be an Arthur-Merlin protocol (with neg. soundness error).
[Goldreich-Krawczyk] – the protocol remains sound even when a cheating prover can rewind the verifier
More accurately, for every efficient A there exists an efficient V_A s.t.
  Pr[(A,V_A)(x) = 1] > neg when A can rewind V_A
  Pr[("A",V)(x) = 1] > neg in the interactive settings
[GK] Black-box simulator for L ⇒ distinguisher for L

Applying [GK] Idea to WH
Assume that (P,V) is an Arthur-Merlin WH protocol with a fully-black-box reduction, and let A^(·) be the reduction guaranteed by the black-box proof.
Consider the inefficient V* that behaves as V_A, where if convinced to accept x, it returns w ∈ R_L(x) (using brute force)
Therefore, Pr_{(x,w)←D}[(P(w),V*)(x) = w] = 1
• A^{V*} computes the witness over D well, or
• A^{V*} violates the hiding of Com
We show next how to emulate the execution of A^{V*} efficiently

A^{V*}
• Assume that (A,V*)(x1) = 1
• w ∈ R_L(x1) can be extracted from the transcript
• Since x1 has a unique witness, w is the "right answer"
• A^{V*} can be efficiently emulated ⇒ computing the witness over D is easy
A^{V*} finds the witness or A^{V*} breaks Com
[Diagram: A interacts with V* on instances x1, x2, x3, …; for x1 the messages are labelled q1, a1, …, qm, am; for each instance V* returns w ∈ R_L(x) if it accepts, o.w. ?. Labels: "Com", "Random permutation", "Random permutation that we compute 'on the fly'", "Com with 'trapdoor'".]

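Added example (not from the talk or the paper): a toy Python model of two points made above, a commitment oracle realized as a random permutation sampled on the fly whose table acts as the "trapdoor", and extraction of the witness from a transcript once the hiding of Com fails. It runs one round of the 3-Colorability protocol with an honest prover; LazyPermCom, run_round, extract_coloring and the sample graph are constructed for illustration and are not the paper's construction.

```python
import random
import secrets

class LazyPermCom:
    """Commitment oracle: a random permutation on 64-bit strings, sampled on the fly.
    The inverse table kept by whoever runs the oracle is the "trapdoor"."""
    def __init__(self):
        self.fwd, self.inv = {}, {}

    def commit(self, color, r):
        x = (color << 62) | r                 # 2-bit color, 62-bit randomness
        if x not in self.fwd:                 # sample this point lazily
            c = secrets.randbits(64)
            while c in self.inv:              # keep the map injective
                c = secrets.randbits(64)
            self.fwd[x], self.inv[c] = c, x
        return self.fwd[x]

    def verify(self, c, color, r):
        return self.commit(color, r) == c

    def trapdoor_open(self, c):
        return self.inv[c] >> 62              # recover the committed color

def run_round(com, edges, coloring):
    """One round with an honest prover; returns (commitments, challenge, accepted)."""
    perm = random.sample(range(3), 3)         # fresh permutation of the colors
    opening = {v: (perm[col], secrets.randbits(62)) for v, col in coloring.items()}
    commitments = {v: com.commit(col, r) for v, (col, r) in opening.items()}
    u, v = random.choice(edges)               # public-coin challenge: one edge
    (cu, ru), (cv, rv) = opening[u], opening[v]
    accepted = (com.verify(commitments[u], cu, ru)
                and com.verify(commitments[v], cv, rv) and cu != cv)
    return commitments, (u, v), accepted

def extract_coloring(com, commitments):
    """Emulator side: open every commitment in the transcript via the table."""
    return {v: com.trapdoor_open(c) for v, c in commitments.items()}

def is_proper(edges, coloring):
    return all(coloring[u] != coloring[v] for u, v in edges)

# Constructed sample instance: a 5-cycle with a chord, and a proper 3-coloring of it.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
WITNESS = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1}

def demo():
    com = LazyPermCom()
    commitments, challenge, accepted = run_round(com, EDGES, WITNESS)
    return accepted, extract_coloring(com, commitments)
```

The extracted coloring equals the prover's witness up to a renaming of the colors, which is still a valid witness for the same graph.
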
Further issues
Extensions:
• "Unique feature function": for every w,w' ∈ R_L(x) ⇒ g(w) = g(w')
• Strong Witness Indistinguishability
Further research:
Consider relaxed definitions of black-box reduction.
Implication to [Pass] approach for proving NP P OWF
Bottom line:
• WH is a useful relaxation of ZK
• Is WH easy to achieve? In many cases, not easier than ZK