On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols

Iftach Haitner, Alon Rosen and Ronen Shaltiel

Interactive Proofs

Let (P,V) be a proof system for L ∈ NP

• Completeness: for every x ∈ L and a w ∈ R_L(x)
  Pr[(P(w),V)(x) = 1] = 1
• Soundness: for every x ∉ L and (even unbounded) P*
  Pr[(P*,V)(x) = 1] < ε
• Prover’s privacy: what information leaks through the interaction to a cheating V*?


Prover’s Privacy

• Zero knowledge (ZK) [GMR]: the only “information” that V* obtains from the interaction is that x ∈ L
  – strong privacy, sometimes hard to achieve (e.g., in public-coin constant-round protocols)

• Witness Hiding (WH) [FS]: the witness remains hidden
  Let D be a samplable distribution over R_L,
  Pr_{(x,w)←D}[A(x) = w] = neg for every efficient A
  Pr_{(x,w)←D}[(P(w),V*)(x) = w] = neg for every efficient V*

• Witness Indistinguishability (WI) [FS]: V* cannot distinguish between (P(w),V*)(x) and (P(w’),V*)(x), for any w,w’ ∈ R_L(x) = {w: w is a witness for “x ∈ L”}
  – much weaker privacy, easier to achieve
  – meaningless in case of a single witness


Motivation

Consider “atomic” ZK protocols such as 3-Colorability [GMW] and Hamiltonicity [Blum] that have constant soundness.

Parallel repetition of these protocols:
• Negligible soundness error
• Known to be WI
• Not ZK via black-box simulator [Goldreich-Krawczyk]
• Are they WH?

For some distributions WI ⇒ WH [Feige-Shamir] (each x has two “independent witnesses”)
– In these settings the WH has a “black-box” proof.

In which settings are these protocols WH with a black-box proof?


Our Result (informally)

If each x ∈ L has a unique witness, i.e., |R_L(x)| = 1, then ∄ black-box Arthur-Merlin (constant-round public-coin) WH protocol with negligible soundness error.

Under a natural definition of black box

Corollary:
• Parallel repetition of 3-Colorability/Hamiltonicity
• ZAPs [Dwork-Naor]

Conceptually matches the upper bound of [Feige-Shamir] (for languages with two independent witnesses)


The Rest of the Talk

• Defining fully black-box WH reduction
  – In the paper, we consider additional types of black-box reductions
• Develop techniques to prove impossibility results for such reductions
  – Starting point is the technique developed by [Goldreich-Krawczyk] for showing impossibility results of ZK with black-box simulators
  – Need new ideas to overcome the new difficulties that come up in the setup of WH.
• In the following we fix (P,V), L and D
  – L has a unique witness
  – (P,V) has negligible soundness error


Fully Black-box Reductions

We would like to come up with a definition that is
1. Natural
2. Agrees with known reductions
3. Possible to rule out…

Black-box construction: We only consider constructions that
• Use commitment scheme Com as a black box
• The hiding of Com does not hold ⇒ extracting the witness from an accepting transcript is easy (w.h.p.)

Agrees with all (generic) Arthur-Merlin WH protocols
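The second condition above, shown on one challenge-1 round of a Blum-style Hamiltonicity protocol. This is an added example, not code from the talk or the paper; TrapdoorCom, the variant in which the prover also commits to the permutation, and the sample graph are assumptions of the example.

```python
import random, secrets

class TrapdoorCom:
    """Toy Com: a random function sampled on the fly; self.inv is the trapdoor."""
    def __init__(self):
        self.fwd, self.inv = {}, {}
    def F(self, msg, r):
        c = self.fwd.setdefault((msg, r), secrets.token_bytes(16))
        self.inv[c] = msg
        return c
    def commit(self, msg):
        r = secrets.token_bytes(16)
        return self.F(msg, r), r             # (commitment, opening randomness)

def is_ham_cycle(n, cyc):
    nbrs = {v: [] for v in range(n)}
    for u, v in cyc:
        nbrs[u].append(v); nbrs[v].append(u)
    if len(set(cyc)) != n or any(len(x) != 2 for x in nbrs.values()):
        return False
    seen, prev, cur = set(), None, 0
    while cur not in seen:                   # walk the cycle through vertex 0
        seen.add(cur)
        a, b = nbrs[cur]
        prev, cur = cur, (b if a == prev else a)
    return len(seen) == n

def prover_round(com, n, edges, cycle):      # commit to pi and pi(G), open the cycle
    pi = random.sample(range(n), n)
    H = {tuple(sorted((pi[u], pi[v]))) for u, v in edges}
    c_pi = [com.commit(pi[v])[0] for v in range(n)]
    adj = {(i, j): com.commit((i, j) in H) for i in range(n) for j in range(i + 1, n)}
    on_cycle = [tuple(sorted((pi[cycle[k]], pi[cycle[(k + 1) % n]]))) for k in range(n)]
    return {"c_pi": c_pi, "c_adj": {e: c for e, (c, _) in adj.items()},
            "opened": [(e, adj[e][1]) for e in on_cycle]}

def verifier_accepts(com, n, t):             # challenge-1 check only
    ok = all(com.F(True, r) == t["c_adj"].get(e) for e, r in t["opened"])
    return ok and is_ham_cycle(n, [e for e, _ in t["opened"]])

def extract_witness(com, n, edges, t):       # accepting transcript + trapdoor -> cycle in G
    if not verifier_accepts(com, n, t):
        return None
    back = {com.inv[c]: v for v, c in enumerate(t["c_pi"])}   # pi^-1 read via trapdoor
    cyc = [tuple(sorted((back[i], back[j]))) for (i, j), _ in t["opened"]]
    return cyc if set(cyc) <= {tuple(sorted(e)) for e in edges} else None

# Constructed sample: a 5-cycle plus chord (0,2); its Hamiltonian cycle is unique.
N, EDGES, CYCLE = 5, [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)], [0, 1, 2, 3, 4]
```

Without access to com.inv the transcript shows only a cycle in a randomly relabelled graph; with it, the unique witness falls out of a single accepting round.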


Fully Black-box Reduction cont.

Proof of security: If an efficient V* breaks the WH of (P,V) over D, then computing the witness over D is easy (assuming that Com is hiding)

Black-box proof: ∃ efficient A^{(·)} that for every V* breaking the WH of (P,V) over D,
– Pr[A^{V*}(x) = w] > neg (i.e., D is “easy” given V*), or
– A^{V*} violates the hiding of Com

– Agrees with all known Arthur-Merlin WH (proofs) reductions
– More restricted than [Pass ‘06]

Thm: ∃ fully-black-box reduction of Arthur-Merlin WH for D ⇒ computing the witness over D is easy, or Com is not hiding.


Starting Point

Let (P,V) be an Arthur-Merlin protocol (with neg. soundness error).

[Goldreich-Krawczyk] – the protocol remains sound even when a cheating prover can rewind the verifier

More accurately, for every efficient A there exists an efficient V_A s.t.

Pr[(A,V_A)(x) = 1] > neg when A can rewind V_A

Pr[(“A”,V)(x) = 1] > neg in the interactive settings

[GK] Black-box simulator for L ⇒ distinguisher for L


Applying [GK] Idea to WH

Assume that (P,V) is an Arthur-Merlin WH protocol with a fully-black-box reduction, and let A^{(·)} be the reduction guaranteed by the black-box proof.

Consider the inefficient V* that behaves as V_A, where if convinced to accept x, it returns w ∈ R_L(x) (using brute force)

Therefore, Pr_{(x,w)←D}[(P(w),V*)(x) = w] = 1

• A^{V*} computes the witness over D well, or
• A^{V*} violates the hiding of Com

We show next how to emulate the execution of A^{V*} efficiently


• Assume that (A,V*)(x1) = 1

• w ∈ R_L(x1) can be extracted from the transcript

• Since x1 has a unique witness, w is the “right answer”

• A^{V*} can be efficiently emulated ⇒ computing the witness over D is easy

A^{V*} finds the witness or A^{V*} breaks Com

[Figure: A interacting with V* on inputs x1, x2, x3, with messages q1, a1, …, qm, am; V* returns w ∈ R_L(x1) if it accepts and ⊥ otherwise, and likewise w ∈ R_L(x2) for x2. Annotations: Com; Com with “trapdoor”; Random permutation; Random permutation that we compute “on the fly”.]


Further issues

Extensions:
• “Unique feature function”: for every w,w’ ∈ R_L(x) ⇒ g(w) = g(w’)
• Strong Witness Indistinguishability

Further research:
Consider relaxed definitions of black-box reduction.

Implication to [Pass] approach for proving NP P OWF

Bottom line:
• WH is a useful relaxation of ZK
• Is WH easy to achieve?

In many cases, not easier than ZK
