Transcript
Page 1: Separating  succinct non-interactive  arguments  from  all falsifiable assumptions

SEPARATING SUCCINCT NON-INTERACTIVE ARGUMENTS

FROM ALL FALSIFIABLE ASSUMPTIONS

Craig Gentry (IBM) and Daniel Wichs (NYU)

MIT Seminar (Dec ’10).

Page 2

Non-Interactive Argument

Succinct?

Page 3

Prove Language Membership

Language $L \subseteq \{0,1\}^*$. Want to show $x \in L$.

NP = Non-Interactive Proofs with Efficient Verifier.

Question: How succinct can proofs for NP be?

If $L$ has witness-size $t(n)$ then $L \in \mathrm{DTIME}(2^{t(n)}\,\mathrm{poly}(n))$. Sub-linear proofs for all NP $\Rightarrow$ NP $\subseteq \mathrm{DTIME}(2^{o(n)})$. Generalizes to interactive proofs [GH98, GVW02].

Page 4

Succinct Arguments for NP

Arguments = Computationally Sound Proofs [Kilian 92, Micali 94]. Cannot prove false statements $x$ efficiently. Can prove true statements $x$ efficiently given witness $w$. Succinct: size is $\mathrm{poly}(n)\,\mathrm{polylog}(|x| + |w|)$.

n = security parameter.

What we know: Interactive (4 rounds): Assuming CRHFs [Kilian 92]. Non-interactive: Random Oracle model [Micali 94].

* Ignore: better efficiency for prover/verifier, languages outside of NP.

Page 5

Succinct Non-Interactive Arguments

Question: Can we get Succinct Non-Interactive Arguments (SNARGs) in the standard model?

Problem: $\exists$ small adversary with hard-coded false statement $x$ and verifying proof $\pi$. Same reason why un-keyed CRHFs don’t exist.

Rest of talk: SNARGs initialized with a common reference string (CRS).

Page 6

Do SNARGS exist?

Positive Evidence: Take [Micali 94] construction, replace RO with “complicated hash function” H (set CRS = H). Don’t know how to break it. Can conjecture security.

Can we prove any SNARG construction secure under OWFs, DDH, RSA, LWE, …? Under the “q-decisional-augmented-bilinear-Diffie-Hellman-exponent-assumption”?

This work: NO*. * Restrictions apply.

Page 7

Main Result

No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption.

DDH, RSA, LWE,…q-ABDHE,…

Page 8

Defining SNARGs

Completeness: Correctly generated proofs verify with overwhelming probability.

[Diagram: $\mathrm{CRS} \leftarrow \mathrm{Gen}(1^n)$; Prover: $\pi \leftarrow \mathrm{Prove}(\mathrm{CRS}, x, w)$, sends $(x, \pi)$; Verifier: $\mathrm{Verify}(\mathrm{CRS}, x, \pi)$.]

Page 9

Defining SNARGs

Public Verifiability: any party can verify proofs.

[Diagram: $\mathrm{CRS} \leftarrow \mathrm{Gen}(1^n)$; Prover: $\pi \leftarrow \mathrm{Prove}(\mathrm{CRS}, x, w)$, sends $(x, \pi)$; Verifier: $\mathrm{Verify}(\mathrm{CRS}, x, \pi)$.]

Page 10

Defining SNARGs

Public Verifiability: any party can verify proofs. Designated Verifier: only a verifier that knows SK can verify. All our results hold for Designated Verifier SNARGs.

Syntactically the same as two-round interactive arguments: Challenge = CRS, Response = $\pi$.

[Diagram: $(\mathrm{CRS}, SK) \leftarrow \mathrm{Gen}(1^n)$; Prover: $\pi \leftarrow \mathrm{Prove}(\mathrm{CRS}, x, w)$, sends $(x, \pi)$; Verifier: $\mathrm{Verify}(\mathrm{CRS}, SK, x, \pi)$.]

Page 11

Security of SNARGs

[Diagram: $(\mathrm{CRS}, SK) \leftarrow \mathrm{Gen}(1^n)$; Adv gets CRS and outputs $(x, \pi) \leftarrow \mathrm{Adv}(\mathrm{CRS})$; Verifier: $\mathrm{Verify}(\mathrm{CRS}, SK, x, \pi)$.]

(Adaptive) Soundness: For efficient Adv, if $(x, \pi) \leftarrow \mathrm{Adv}(\mathrm{CRS})$ then $\Pr[\mathrm{Verify}(\mathrm{CRS}, SK, x, \pi) = \mathrm{accept} \ \text{and}\ x \notin L] = \mathrm{negligible}(n)$.

Natural for SNARGs. For 2-round arguments one traditionally considers static soundness.

Page 12

Succinct Arguments: What we know?

[Table reconstructed from the slide’s ladder of protocol types:]

• 4 round: Exist assuming CRHFs.
• 3 round / 2 round (static soundness): ??
• Designated Verifier SNARG (CRS) (adaptive soundness): May exist (RO heuristic) but cannot prove secure via BB reduction from falsifiable assumption.
• Publicly Verifiable SNARG (CRS): May exist (RO heuristic) but cannot prove secure via BB reduction from falsifiable assumption.
• SNARG without CRS: Doesn’t Exist.

Page 13

Main Result

No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption.

Page 14

Falsifiable Assumptions

Falsifiable Assumption (in spirit of [Naor 03]): Interactive game between an efficient challenger and adversary; challenger decides if adversary wins. For PPT Adv, $\Pr[\mathrm{Adv\ wins}] \le \mathrm{negl}(n)$.

Examples: DDH, RSA, LWE, QR, …, q-ABDHE, …, “RSA Signatures (Full-Domain-Hash) with SHA-1 are secure”.

Not Falsifiable: “This Proof System is ZK” (not a game: requires a Simulator). “This SNARG construction is secure” (inefficient Challenger). “Knowledge-of-Exponent” (KoE) Assumptions [Dam91, HT98].

Page 15

Main Result

No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption.

Page 16

Black-Box Reductions

[Figure: a Black-Box Reduction turns a SNARG Attack into an Assumption Attack; read the other way, the Assumption implies SNARG Security.]

Page 17

Black-Box Reductions

Black-Box Reduction: Constructive Proof. Efficient Reduction Algorithm. Given black-box access to any SNARG-Attacker, it becomes an Assumption-Attacker.

Should work even if SNARG-Attacker is inefficient. (If SNARG-Attacker is stateless, can ignore rewinding.)

[Figure: SNARG Attack ↔ Reduction ↔ Assumption Challenger; the Reduction together with the SNARG Attack forms the Assumption Attack.]

Page 18

Main Result

No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption.

• Assuming the falsifiable assumption isn’t false.
• Assuming sub-exponentially hard OWFs exist.

Page 19

Main Result

If there is a Black-Box-Reduction proof for some SNARG construction under some Falsifiable Assumption then one of the following holds:
• The falsifiable assumption is false!
• There are no sub-exponentially hard OWFs.

Page 20

Main Idea: Simulatable Attacker

Inefficient Attacker: breaks soundness (outputs false statements, “proofs”).

Efficient Simulator: does not break soundness (outputs true statements, proofs).

No efficient distinguisher can tell them apart.

[Figure: SNARG Attack ≈ Simulator]

Page 21

Separation via Simulatable Attack

Existence of Simulatable Attack for any SNARG.

Simulatable Attack implies Black-Box Separation.

Page 22

Simulatable Attack $\Rightarrow$ Separation

[Figure: SNARG Attack ↔ Reduction ↔ Assumption Challenger; the Reduction together with the SNARG Attack forms the Assumption Attack. Label: Attacker WINS.]

Given access to the “Simulatable Attacker” the reduction breaks the assumption.

Page 23

Simulatable Attack $\Rightarrow$ Separation

[Figure: as on the previous slide; the Reduction is marked Efficient. Label: Attacker WINS.]

Given access to the “Simulatable Attacker” the reduction breaks the assumption.

Page 24

Simulatable Attack $\Rightarrow$ Separation

[Figure: the Simulatable Attacker is replaced by the Simulator, marked Efficient; Reduction ↔ Assumption Challenger. Label: Attacker WINS.]

Given access to the “Simulatable Attacker” the reduction breaks the assumption.

Replace “Simulatable Attacker” with the efficient Simulator.

Page 25

Simulatable Attack $\Rightarrow$ Separation

[Figure: Simulator plus Reduction, playing against the Assumption Challenger, form an Efficient Attack on the Assumption. Label: Attacker WINS.]

There is an efficient attack on the assumption. $\Rightarrow$ Assumption is false!

Page 26

Separation via Simulatable Attack

Existence of Simulatable Attack for any SNARG.

Simulatable Attack implies Black-Box Separation: BB Reduction under Falsifiable Assumption $\Rightarrow$ Assumption false.

Page 27

Existence of Simulatable Attack

If NP has poly-logarithmic witnesses, there may not be any attacks at all!

Assumption: Sub-exponentially-hard subset-membership problems in NP. An NP language $L$. Distributions $G \subseteq L$, $B \subseteq \{0,1\}^* \setminus L$. Can efficiently sample $x \leftarrow G$ along with a witness $w$. Cannot distinguish $G$ from $B$ in time $2^{n^\delta}$ with probability $2^{-n^\delta}$.

Implied by sub-exponentially secure PRGs, OWFs.

Page 28

Existence of Simulatable Attack

Naïve Idea: try all $\pi$ until one verifies. Might not look at all like the correct distribution!

Show: a way to sample “correct looking” $\pi$ for $x \leftarrow B$.

[Figure: SNARG Attack ≈ Simulator. Both receive CRS and output $(x, \pi)$. Simulator: $x \leftarrow G$ with witness $w$, $\pi \leftarrow \mathrm{Prov}(\mathrm{CRS}, x, w)$. Attack: $x \leftarrow B$; how to sample $\pi$?]

Page 29

Existence of Simulatable Attack

$\forall$ efficient Prov with short output $\exists$ inefficient function $\mathrm{Prov}^*$:

$(x, \pi)_{x \leftarrow G \text{ with witness } w,\ \pi \leftarrow \mathrm{Prov}(x, w)} \ \approx\ (x, \pi)_{x \leftarrow B,\ \pi \leftarrow \mathrm{Prov}^*(x)}$

Page 30

Indistinguishability w/ Auxiliary Info

$\forall$ inefficient Prov with short output $\exists$ inefficient function $\mathrm{Prov}^*$:

$(x, \pi)_{x \leftarrow G,\ \pi \leftarrow \mathrm{Prov}(x)} \ \approx_{(s^*, \varepsilon^*)}\ (x, \pi)_{x \leftarrow B,\ \pi \leftarrow \mathrm{Prov}^*(x)}$

If $G, B$ are $(s, \varepsilon)$-indistinguishable then $s^* = s/\mathrm{poly}(2^{|\pi|}/\varepsilon)$, $\varepsilon^* = 2\varepsilon$.

Assuming the Lemma… Proof coming up soon.

Page 31

Existence of Simulatable Attack

Security of $G, B$ exponential in size of proof. Proof-size $n^c\,\mathrm{polylog}(|x| + |w|) = o(n^{c+1})$. Choose large enough statements to get security $2^{n^{c+1}}$.

Distinguisher can ask many queries – hybrid argument.

[Figure: SNARG Attack ≈ Simulator. Both receive CRS and output $(x, \pi)$. Simulator: $x \leftarrow G$ with witness $w$, $\pi \leftarrow \mathrm{Prov}(\mathrm{CRS}, x, w)$. Attack: $x \leftarrow B$, $\pi \leftarrow \mathrm{Prov}^*(\mathrm{CRS}, x)$.]
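Worked parameter check, added here and not part of the original slides: it carries the choice “large enough statements” through the lemma’s $(s^*, \varepsilon^*)$ bounds, using $\delta$ and $c$ from the slides and an assumed name $N$ for the statement length. The one step the slides do not spell out is relaxing $\varepsilon$, which is sound because $(s, \varepsilon)$-indistinguishability only gets weaker as $\varepsilon$ grows.

Start from the subset-membership problem on statements of length $N = |x|$: $G, B$ are $(2^{N^\delta}, 2^{-N^\delta})$-indistinguishable. The SNARG has proofs of length $|\pi| = n^c\,\mathrm{polylog}(|x| + |w|)$ at security parameter $n$.

Choose $N := n^{(c+1)/\delta}$, so $N = \mathrm{poly}(n)$ and the sampled witness has $|w| = \mathrm{poly}(N) = \mathrm{poly}(n)$. Then
$$s = 2^{N^\delta} = 2^{n^{c+1}}, \qquad |\pi| = n^c\,\mathrm{polylog}(n) = o(n^{c+1}).$$

Instead of $\varepsilon = 2^{-N^\delta}$ use the weaker $\varepsilon := 2^{-N^{\delta/2}} = 2^{-n^{(c+1)/2}}$, still negligible in $n$; $G, B$ remain $(s, \varepsilon)$-indistinguishable. Now
$$\mathrm{poly}(2^{|\pi|}/\varepsilon) = 2^{O(|\pi|) + O(n^{(c+1)/2})} = 2^{o(n^{c+1})},$$
so the lemma applied to $\pi \leftarrow \mathrm{Prov}(\mathrm{CRS}, x, w)$ gives
$$s^* = \frac{s}{\mathrm{poly}(2^{|\pi|}/\varepsilon)} = 2^{n^{c+1} - o(n^{c+1})} \ge 2^{n^{c+1}/2} \ \text{(for large } n\text{)}, \qquad \varepsilon^* = 2\varepsilon = 2^{1 - n^{(c+1)/2}}.$$

So the attacker’s $(x \leftarrow B,\ \pi \leftarrow \mathrm{Prov}^*(\mathrm{CRS}, x))$ and the simulator’s $(x \leftarrow G,\ \pi \leftarrow \mathrm{Prov}(\mathrm{CRS}, x, w))$ are indistinguishable to every circuit of size $2^{n^{c+1}/2} \gg \mathrm{poly}(n)$, and a distinguisher making $q = \mathrm{poly}(n)$ oracle queries gains at most $q \cdot \varepsilon^* = \mathrm{poly}(n) \cdot 2^{1 - n^{(c+1)/2}}$ by the hybrid argument, which is negligible.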

Page 32

Existence of Simulatable Attack

Problem: Who gets which security parameter? $D$ can “lie” about the security parameter to the “oracle”.

Solution: Simulator gives false statements when $m \approx \log(n)$. Annoying and messy! Simulator gets $n$ and depends on $D$.

[Figure: $D(n)$ queries an oracle with security parameter Sec $= m$; the oracle is either the SNARG Attack ($x \leftarrow B$, $\pi \leftarrow \mathrm{Prov}^*(\mathrm{CRS}, x)$) or the Simulator ($x \leftarrow G$ with witness $w$, $\pi \leftarrow \mathrm{Prov}(\mathrm{CRS}, x, w)$), each taking CRS and returning $(x, \pi)$; SNARG Attack ≈ Simulator.]

Page 33

Existence of Simulatable Attack

Why is this a legitimate attack? Do proofs verify? Set $D$ to be the verifier of the SNARG.

[Figure: as on the previous slide.]

Page 34

Separation via Simulatable Attack

Existence of Simulatable Attack for any SNARG: any SNARG for a sub-exp hard membership problem; any SNARG for NP assuming sub-exp hard OWF.

Simulatable Attack implies Black-Box Separation: BB reduction under falsifiable assumption $\Rightarrow$ Assumption false.

Page 35

Returning to:

Indistinguishability with Auxiliary Information

Page 36

Indistinguishability w. Auxiliary Info

$\forall$ short inefficient Aux $\exists$ inefficient $\mathrm{Aux}^*$:

$(x, \pi)_{x \leftarrow G,\ \pi \leftarrow \mathrm{Aux}(x)} \ \approx_{(s^*, \varepsilon^*)}\ (x, \pi)_{x \leftarrow B,\ \pi \leftarrow \mathrm{Aux}^*(x)}$

If $G, B$ are $(s, \varepsilon)$-indistinguishable then $s^* = s/\mathrm{poly}(2^{|\pi|}/\varepsilon)$, $\varepsilon^* = 2\varepsilon$.

$\Rightarrow$ $L$-bit leakage on the seed of a PRG reduces the HILL entropy of the output by $L$ bits. [DP08]

Proof related to Nisan’s proof of Impagliazzo’s Hardcore Lemma.

Page 37

Proof: Indistinguishability w. Auxiliary Info

Task: Suppose, for contradiction, $\exists$ short inefficient Aux such that $\forall$ inefficient function $\mathrm{Aux}^*$ $\exists$ $D$ of size $s^*$ with
$$\Pr_{x \leftarrow B,\ \pi \leftarrow \mathrm{Aux}^*(x)}[D(x, \pi) = 1] - \Pr_{x \leftarrow G,\ \pi \leftarrow \mathrm{Aux}(x)}[D(x, \pi) = 1] > \varepsilon^*.$$
Distinguish $G, B$ with $s = s^*\,\mathrm{poly}(2^{|\pi|}/\varepsilon)$, $\varepsilon = \varepsilon^*/2$.

Goal: switch quantifiers with Min-Max theorem.

Page 38

Proof: Indistinguishability w. Auxiliary Info

$\exists$ short inefficient Aux:
$$\min_{\mathrm{Aux}^*}\ \max_{D \text{ of size } s^*}\ \Big(\Pr_{x \leftarrow B,\ \pi \leftarrow \mathrm{Aux}^*(x)}[D(x, \pi) = 1] - \Pr_{x \leftarrow G,\ \pi \leftarrow \mathrm{Aux}(x)}[D(x, \pi) = 1]\Big) > \varepsilon^*$$

Goal: switch quantifiers with Min-Max theorem.

Page 39

Proof: Indistinguishability w. Auxiliary Info

$\exists$ short inefficient Aux:
$$\min_{\mathrm{Aux}^*}\ \max_{\mathrm{Dist}\ (\text{over } D \text{ of size } s^*)}\ \Big(\Pr_{x \leftarrow B,\ \pi \leftarrow \mathrm{Aux}^*(x),\ D \leftarrow \mathrm{Dist}}[D(x, \pi) = 1] - \Pr_{x \leftarrow G,\ \pi \leftarrow \mathrm{Aux}(x),\ D \leftarrow \mathrm{Dist}}[D(x, \pi) = 1]\Big) > \varepsilon^*$$

Goal: switch quantifiers with Min-Max theorem.

Page 40

Proof: Indistinguishability w. Auxiliary Info

$\exists$ short inefficient Aux:
$$\max_{\mathrm{Dist}\ (\text{over } D \text{ of size } s^*)}\ \min_{\mathrm{Aux}^*}\ \Big(\Pr_{x \leftarrow B,\ \pi \leftarrow \mathrm{Aux}^*(x),\ D \leftarrow \mathrm{Dist}}[D(x, \pi) = 1] - \Pr_{x \leftarrow G,\ \pi \leftarrow \mathrm{Aux}(x),\ D \leftarrow \mathrm{Dist}}[D(x, \pi) = 1]\Big) > \varepsilon^*$$

[von Neumann 28]

Page 41

Proof: Indistinguishability w. Auxiliary Info

$\exists$ short inefficient Aux, $\exists$ Dist (over $D$ of size $s^*$):
$$\min_{\mathrm{Aux}^*}\ \Big(\Pr_{x \leftarrow B,\ \pi \leftarrow \mathrm{Aux}^*(x),\ D \leftarrow \mathrm{Dist}}[D(x, \pi) = 1] - \Pr_{x \leftarrow G,\ \pi \leftarrow \mathrm{Aux}(x),\ D \leftarrow \mathrm{Dist}}[D(x, \pi) = 1]\Big) > \varepsilon^*$$

Goal: get rid of auxiliary information. $\mathrm{Val}(x) := \min_{\pi} \Pr_{D \leftarrow \mathrm{Dist}}[D(x, \pi) = 1]$.
$$E_{x \leftarrow B}[\mathrm{Val}(x)] - E_{x \leftarrow G}[\mathrm{Val}(x)] > \varepsilon^*$$

Page 42

Proof: Indistinguishability w. Auxiliary Info

$\exists$ short inefficient Aux, Dist (over $D$ of size $s^*$), $\mathrm{Val}(x) := \min_{\pi} \Pr_{D \leftarrow \mathrm{Dist}}[D(x, \pi) = 1]$:
$$E_{x \leftarrow B}[\mathrm{Val}(x)] - E_{x \leftarrow G}[\mathrm{Val}(x)] > \varepsilon^*$$

To distinguish whether $x$ comes from $G$ or $B$: get an estimate for $\mathrm{Val}(x)$. Try all possible values of $\pi$. Run many $D$ on each choice. Output “B” with that probability.

Size $= \mathrm{poly}(2^{|\pi|}/\varepsilon)$.
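The last step carried through in the slides’ own symbols, added here and not part of the original slides; the estimator $\widehat{\mathrm{Val}}$, the sample count $k$ and the distinguisher $D'$ are names chosen for this derivation.

Fix Dist from the min-max step, so $E_{x \leftarrow B}[\mathrm{Val}(x)] - E_{x \leftarrow G}[\mathrm{Val}(x)] > \varepsilon^*$ with $\mathrm{Val}(x) = \min_{\pi} \Pr_{D \leftarrow \mathrm{Dist}}[D(x, \pi) = 1]$.

$D'(x)$, taking no auxiliary input:
1. For every $\pi \in \{0,1\}^{|\pi|}$, sample $D_1, \dots, D_k \leftarrow \mathrm{Dist}$ and set $\widehat{p}_\pi := \frac{1}{k} \sum_{i=1}^{k} D_i(x, \pi)$.
2. Set $\widehat{\mathrm{Val}}(x) := \min_{\pi} \widehat{p}_\pi$.
3. Output “B” with probability $\widehat{\mathrm{Val}}(x)$.

Accuracy: by Hoeffding and a union bound over the $2^{|\pi|}$ choices of $\pi$,
$$\Pr\Big[\exists \pi:\ \big|\widehat{p}_\pi - \Pr_{D \leftarrow \mathrm{Dist}}[D(x, \pi) = 1]\big| > \tfrac{\varepsilon^*}{8}\Big] \le 2^{|\pi| + 1}\, e^{-2k(\varepsilon^*/8)^2},$$
so $k = O\big((|\pi| + \log(1/\varepsilon^*))/\varepsilon^{*2}\big)$ samples make this at most $\varepsilon^*/8$. If every $\widehat{p}_\pi$ is within $\varepsilon^*/8$ of its mean, then so is their minimum, and in the remaining event the error is at most $1$; hence for every $x$
$$\big| E[\widehat{\mathrm{Val}}(x)] - \mathrm{Val}(x) \big| \le \tfrac{\varepsilon^*}{8} + \tfrac{\varepsilon^*}{8} = \tfrac{\varepsilon^*}{4}.$$

Advantage: since $\Pr[D'(x) = \text{“B”}] = E[\widehat{\mathrm{Val}}(x)]$,
$$\Pr_{x \leftarrow B}[D'(x) = \text{“B”}] - \Pr_{x \leftarrow G}[D'(x) = \text{“B”}] = E_{x \leftarrow B}[\widehat{\mathrm{Val}}(x)] - E_{x \leftarrow G}[\widehat{\mathrm{Val}}(x)] > \varepsilon^* - 2 \cdot \tfrac{\varepsilon^*}{4} = \tfrac{\varepsilon^*}{2} = \varepsilon.$$

Size: $2^{|\pi|}$ values of $\pi$, $k$ circuits of size $s^*$ for each, plus the bookkeeping for the minimum, so
$$|D'| = 2^{|\pi|} \cdot k \cdot s^* \cdot O(1) = s^* \cdot \mathrm{poly}(2^{|\pi|}/\varepsilon) = s,$$
contradicting the $(s, \varepsilon)$-indistinguishability of $G$ and $B$. Averaging over the choice of the $D_i$ yields a fixed circuit with at least this advantage, so $D'$ needs no sampling at run time.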

Page 43

Main Result

If there is a Black-Box-Reduction proof for some SNARG construction under some Falsifiable Assumption then one of the following holds:
• The falsifiable assumption is false!
• There are no sub-exponentially hard OWFs.

[Slide annotations, replacing the corresponding parts of the statement:] Slightly succinct: sub-linear arguments. No exponentially hard subset-membership problems.

Page 44

Main Result

If there is a Black-Box-Reduction proof for some SNARG construction under some Falsifiable Assumption then one of the following holds:
• The falsifiable assumption is false!
• There are no sub-exponentially hard OWFs.

[Slide annotations:] “(sub)-exponential”; “(sub)-exponential version of”.

Page 45

Comparison to other BB Separations

Notion A is not sufficient to realize B in a “black-box way”. [Impagliazzo Rudich 89]: Separate KA from OWP. [Sim98]: Separate CRHFs from OWP. [GKM+00, GKTRV00, GMR01, RTV04, BPR+08 …]

Usually: Notion A is generic, e.g. “existence of some OWP”. Construction of B uses a generic instance of A as a black-box. (Reduction uses adversary as a black-box.)

Our result: Notion A can be a specific assumption, e.g. “RSA is a OWP”. Reduction uses adversary as a black-box. Similar to: [DOP05, AF07, HH09].

Page 46

BB Reductions for Succinct Arguments

[Rothblum-Vadhan 10] : Any interactive succinct argument with a black-box proof of security under a falsifiable assumption can be easily converted into a “PCP System”.

Not a separation since PCPs exist unconditionally.

Shows: heavy PCP machinery inherent in succinct args.

Page 47

Summary & Open Problems

Black-box separation of SNARGs from Falsifiable Assumptions.

Non-black-box techniques? Only know [Bar01].

SNARGs under non-falsifiable assumptions (e.g. Knowledge of Exponent). Some results by [Gro10].

Succinct arguments with long CRS? Succinct in witness but not statement? Constructions of 2 or 3 round arguments? Or, do black-box separations extend?

Page 48

THANK YOU!

QUESTIONS?