Separating Succinct Non-Interactive Arguments from All Falsifiable Assumptions
Craig Gentry (IBM) and Daniel Wichs (NYU)
MIT Seminar (Dec '10)


Non-Interactive Argument. Succinct?
Prove language membership: a language L ⊆ {0,1}*. Want to show x ∈ L.

NP = Non-Interactive Proofs with Efficient Verifier.

Question: How succinct can proofs for NP be?

If L has witness size t(n), then L ∈ DTIME(2^{t(n)} · poly(n)). Sub-linear proofs for all of NP ⇒ NP ⊆ DTIME(2^{o(n)}). Generalizes to interactive proofs [GH98, GVW02].
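The bound above is just brute force over proofs: a verifier that accepts some proof of t bits can be turned into a decision procedure that runs the verifier on all 2^t candidate proofs. The same enumeration is what the later "naive idea" (try all proofs until one verifies) relies on. The following Python is an added illustration, not code from the talk; the subset-sum verifier and the instances are constructed here, and `decide_by_enumeration` works for any verifier and proof length, not only this one.

```python
from itertools import product


def all_proofs(length):
    """Enumerate every bit string of the given length, in lexicographic
    order; there are 2**length of them."""
    return product((0, 1), repeat=length)


def decide_by_enumeration(verify, x, proof_len):
    """Decide x by brute force: accept iff some proof of proof_len bits is
    accepted by verify(x, proof).

    The loop costs at most 2**proof_len verifier calls, which is exactly the
    DTIME(2**t(n) * poly(n)) bound: with t-bit witnesses, the verifier's own
    running time is the poly(n) factor.  Returns a triple
    (decision, verifier_calls, accepting_proof_or_None)."""
    calls = 0
    for proof in all_proofs(proof_len):
        calls += 1
        if verify(x, proof):
            return True, calls, proof
    return False, calls, None


# Toy NP language (constructed for this example): subset-sum.
# A statement x = (numbers, target); a witness/proof is a bitmask selecting
# a sub-multiset of `numbers` that sums to `target`.
def subset_sum_verify(x, proof):
    numbers, target = x
    if len(proof) != len(numbers):
        return False
    return sum(n for n, bit in zip(numbers, proof) if bit) == target


def witness_size(x):
    """Witness length t for subset-sum: one bit per number."""
    return len(x[0])


if __name__ == "__main__":
    yes_instance = ((3, 5, 7, 11), 12)   # 5 + 7 = 12, so x is in L
    no_instance = ((3, 5, 7, 11), 13)    # no sub-multiset sums to 13
    for x in (yes_instance, no_instance):
        print(x, decide_by_enumeration(subset_sum_verify, x, witness_size(x)))
```

For the "no" instance every one of the 2^4 = 16 proofs is tried, which is the exponential cost the slide refers to; for the "yes" instance the search stops at the first accepting mask. Note that the proof found this way is the lexicographically first accepting one, not a proof sampled the way an honest prover would produce it.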

Succinct Arguments for NP
Arguments = computationally sound proofs [Kilian 92, Micali 94]: cannot prove false statements x efficiently; can prove true statements x efficiently given a witness w.
Succinct: proof size is poly(n) · polylog(|x| + |w|), where n = security parameter.

What we know: Interactive (4 rounds): assuming CRHFs [Kilian 92]. Non-interactive: Random Oracle model [Micali 94].

* Ignore: better efficiency for prover/verifier, languages outside of NP.
Succinct Non-Interactive Arguments. Question: Can we get Succinct Non-Interactive Arguments (SNARGs) in the standard model?

Problem: ∃ a small adversary with a hard-coded false statement x and a verifying proof π. Same reason why un-keyed CRHFs don't exist.

Rest of talk: SNARGs initialized with a common reference string (CRS).

Do SNARGs exist? Positive evidence: take the [Micali 94] construction and replace the RO with a complicated hash function H (set CRS = H). Don't know how to break it. Can conjecture security.

Can we prove any SNARG construction secure under OWFs, DDH, RSA, LWE, ..., the q-decisional-augmented-bilinear-Diffie-Hellman-exponent assumption?

This work: NO*. (* Restrictions apply.)

Main Result: No black-box-reduction proof of security for any SNARG construction under any falsifiable assumption (DDH, RSA, LWE, q-ABDHE, ...).

Defining SNARGs
CRS ← Gen(1^n); π ← Prove(CRS, x, w); Verify(CRS, x, π).
Completeness: correctly generated proofs verify with overwhelming probability.
Public verifiability: any party can verify proofs.
Designated verifier: only a verifier that knows SK can verify. All our results hold for designated-verifier SNARGs.

Syntactically the same as two-round interactive arguments: Challenge = CRS, Response = π. (CRS, SK) ← Gen(1^n); π ← Prove(CRS, x, w); Verify(CRS, SK, x, π).

Security of SNARGs. (Adaptive) soundness: for every efficient Adv, if (x, π) ← Adv(CRS), then Pr[Verify(CRS, SK, x, π) = accept and x ∉ L] = negligible(n).

Natural for SNARGs. For 2-round arguments one traditionally considers static soundness (the false statement is fixed before the CRS).

Succinct Arguments: What we know?
4 round: exist assuming CRHFs.
3 round: ??
2 round = designated-verifier SNARG (CRS): adaptive soundness: may exist (RO heuristic) but cannot prove secure via a BB reduction from a falsifiable assumption; static soundness: ??
Publicly verifiable SNARG (CRS): may exist (RO heuristic) but cannot prove secure via a BB reduction from a falsifiable assumption.
SNARG without CRS: doesn't exist.

Main Result: No black-box-reduction proof of security for any SNARG construction under any falsifiable assumption.

Falsifiable Assumptions
Falsifiable assumption (in the spirit of [Naor 03]): an interactive game between an efficient challenger and an adversary; the challenger decides whether the adversary wins. The assumption states that for every PPT Adv, Pr[Adv wins] ≤ negl(n).

Examples: DDH, RSA, LWE, QR, ..., q-ABDHE, "RSA signatures (Full-Domain-Hash) with SHA-1 are secure".

Not falsifiable: "This proof system is ZK" (not a game: requires a simulator). "This SNARG construction is secure" (inefficient challenger). Knowledge-of-Exponent (KoE) assumptions [Dam91, HT98].

Black-Box Reductions
Assumption ⇒ SNARG security; contrapositive: SNARG attack ⇒ assumption attack.
Black-box reduction = constructive proof: an efficient reduction algorithm that, given black-box access to any SNARG-attacker, becomes an assumption-attacker. It should work even if the SNARG-attacker is inefficient. (If the SNARG-attacker is stateless, we can ignore rewinding.)
[Diagram: SNARG attacker ↔ Reduction ↔ Assumption challenger]


Main Result (refined): If there is a black-box-reduction proof for some SNARG construction under some falsifiable assumption, then one of the following holds: the falsifiable assumption is false, or there are no sub-exponentially hard OWFs. Equivalently, the separation holds assuming the falsifiable assumption isn't false and sub-exponentially hard OWFs exist.

Main Idea: Simulatable Attacker
An inefficient attacker that breaks soundness (outputs false statements with accepting proofs), together with an efficient simulator that does not break soundness (outputs true statements with proofs), such that no efficient distinguisher can tell them apart.
[Diagram: SNARG attack vs. simulator]

Separation via Simulatable Attack
1. Existence of a simulatable attack for any SNARG.
2. A simulatable attack implies a black-box separation.

Simulatable Attack ⇒ Separation
Given access to the simulatable attacker, the reduction breaks the assumption: the attacker wins the game against the assumption challenger.
Now replace the simulatable attacker with the efficient simulator. The reduction and the challenger together form an efficient distinguisher, so they cannot tell the difference and the reduction still wins. But reduction plus simulator is an efficient attack on the assumption ⇒ the assumption is false!

Summary so far: BB reduction under a falsifiable assumption ⇒ the assumption is false.

Existence of Simulatable Attack
If NP has poly-logarithmic witnesses, there may not be any attacks at all!

Assumption: sub-exponentially hard subset-membership problems in NP. An NP language L with distributions G over L and B over {0,1}* \ L. Can efficiently sample x ← G together with a witness w. Cannot distinguish G from B in time 2^n with probability 2^{-n}.

Implied by sub-exponentially secure PRGs, OWFs.

Existence of Simulatable Attack
Naive idea: try all π until one verifies. But such a π might not look at all like the correct distribution! Show: a way to sample correct-looking π for x ← B.
[Diagram: SNARG attack vs. simulator]

Simulator: x ← G with witness w; π ← Prov(CRS, x, w); output (x, π).
Attack: x ← B; π ← Prov*(CRS, x); output (x, π). How to sample π?

Lemma (indistinguishability with auxiliary info): ∀ efficient Prov with short output ∃ an inefficient function Prov* such that (x, Prov(x)) for x ← G is indistinguishable from (x, Prov*(x)) for x ← B. Holds even for inefficient Prov. If G, B are (s, ε)-indistinguishable, then the two distributions are (s*, ε*)-indistinguishable with s* = s / poly(2^{|π|} / ε) and ε* = 2ε. Proof coming up soon.

Assuming the lemma: the security of G, B must be exponential in the size of the proof. Proof size is n^c · polylog(|x| + |w|) = o(n^{c+1}); choose large enough statements to get security 2^{n^{c+1}}. The distinguisher can ask many queries: hybrid argument.

Existence of Simulatable Attack
Problem: who gets which security parameter? D can lie about the security parameter to the oracle. Solution: the simulator gives false statements when m is small compared to log(n) (there brute force is affordable). Annoying and messy! The simulator gets n and depends on D.
[Diagram: D(n) queries the oracle with security parameter m; simulator: x ← G with witness w, π ← Prov(CRS, x, w); attack: x ← B, π ← Prov*(CRS, x)]

Why is this a legitimate attack? Do the proofs verify? Set D to be the verifier of the SNARG.

Separation via Simulatable Attack
1. Existence of a simulatable attack for any SNARG: any SNARG for a sub-exponentially hard membership problem; any SNARG for NP assuming sub-exponentially hard OWFs.
2. A simulatable attack implies a black-box separation: BB reduction under a falsifiable assumption ⇒ the assumption is false.

Returning to:

Indistinguishability with Auxiliary Information
∀ short inefficient Aux ∃ inefficient Aux*: (x, Aux(x)) for x ← G is indistinguishable from (x, Aux*(x)) for x ← B. If G, B are (s, ε)-indistinguishable, then the pair is (s*, ε*)-indistinguishable with s* = s / poly(2^{|π|} / ε) and ε* = 2ε (π denoting the auxiliary output).
Related: L-bit leakage on the seed of a PRG reduces the HILL entropy of the output by L bits [DP08]. The proof is related to Nisan's proof of Impagliazzo's Hardcore Lemma.

Proof: Indistinguishability with Auxiliary Info
Task: suppose ∃ a short inefficient Aux such that ∀ inefficient Aux* ∃ D of size s* with Pr[D(x, Aux(x)) = 1 : x ← G] − Pr[D(x, Aux*(x)) = 1 : x ← B] > ε*. Goal: distinguish G from B with size s = s* · poly(2^{|π|} / ε) and advantage ε = ε*/2.

Step 1: switch quantifiers with the Min-Max theorem [von Neumann 28].
min over Aux*, max over D of size s* of [Pr[D(x, Aux(x)) = 1 : x ← G] − Pr[D(x, Aux*(x)) = 1 : x ← B]] > ε*
⇒ min over Aux*, max over Dist (distributions over D of size s*) of [Pr[D(x, Aux(x)) = 1 : x ← G, D ← Dist] − Pr[D(x, Aux*(x)) = 1 : x ← B, D ← Dist]] > ε*
⇒ max over Dist, min over Aux* of the same expression > ε*.
So there is a single Dist (over D of size s*) that works for every Aux*.

Step 2: get rid of the auxiliary information. Define Val(x) := min over π of Pr[D(x, π) = 1 : D ← Dist]. Then
E[Val(x) : x ← G] − E[Val(x) : x ← B] > ε*.

To distinguish whether x comes from G or B: get an estimate for Val(x) by trying all possible values of π and running many D ← Dist on each choice; output B with that probability. Size = poly(2^{|π|} / ε).

Main Result: If there is a black-box-reduction proof for some SNARG construction under some falsifiable assumption, then one of the following holds: the falsifiable assumption is false, or there are no sub-exponentially hard OWFs.
Variant for slightly succinct (sub-linear) arguments: "the falsifiable assumption is false" becomes "the (sub-)exponential version of the assumption is false", and "no sub-exponentially hard OWFs" becomes "no exponentially hard subset-membership problems".

Comparison to other BB Separations
"Notion A is not sufficient to realize B in a black-box way." [Impagliazzo–Rudich 89]: separate KA from OWP. [Sim98]: separate CRHFs from OWP. [GKM+00, GKTRV00, GMR01, RTV04, BPR+08, ...]

Usually: Notion A is generic e.g. existence of some OWP. Construction of B using a generic instance of A as black-box. (Reduction uses adversary as a black-box.)

Our result: Notion A can be a specific assumption, e.g. "RSA is a OWP". The reduction uses the adversary as a black box. Similar to [DOP05, AF07, HH09].

BB Reductions for Succinct Arguments
[Rothblum–Vadhan 10]: Any interactive succinct argument with a black-box proof of security under a falsifiable assumption can be easily converted into a PCP system.

Not a separation, since PCPs exist unconditionally. Shows: the heavy PCP machinery is inherent in succinct arguments.

Summary & Open Problems
Black-box separation of SNARGs from falsifiable assumptions.

Non-black-box techniques? Only know [Bar01].

SNARGs under non-falsifiable assumptions (e.g. Knowledge of Exponent). Some results by [Gro10].

Succinct arguments with a long CRS? Succinct in the witness but not the statement? Constructions of 2- or 3-round arguments? Or do the black-box separations extend to these settings?

Thank you! Questions?