SEPARATING SUCCINCT NON-INTERACTIVE ARGUMENTS
FROM ALL FALSIFIABLE ASSUMPTIONS
Daniel WichsCraig GentryIBM NYU
MIT Seminar (Dec’ 10).
Non-Interactive Argument
Succinct?
Prove Language Membership
Language L µ {0,1}*. Want to show x 2 L.
NP = Non-Interactive Proofs with Efficient Verifier.
Question: How succinct can proofs for NP be?
If L has witness-size t(n) then L 2 DTIME( 2t(n)poly(n)). Sub-linear proofs for all NP ) NP 2
DTIME( 2o(n)). Generalizes to interactive proofs [GH98, GVW02].
Succinct Arguments for NP
Arguments = Comp Sound Proofs. [Kilian92, Micali 94] Cannot prove false statements x efficiently. Can prove true statements x efficiently given witness w. Succinct: size is poly(n)polylog(|x| + |w|).
n = security parameter.
What we know: Interactive (4 rounds): Assuming CRHFs [Kilian 92]. Non-interactive: Random Oracle model [Micali 94].
* Ignore: better efficiency for prover/verifier, languages outside of NP.
Succinct Non-Interactive Arguments
Question: Can we get Succinct Non-Interactive Arguments (SNARGs) in the standard model?
Problem: 9 small adversary with hard-coded false statement x and verifying proof ¼. Same reason why un-keyed CRHFs don’t exist.
Rest of talk: SNARGs initialized with a common reference string (CRS).
Do SNARGS exist?
Positive Evidence: Take [Micali 94] construction, replace RO with “complicated hash function” H (set CRS = H). Don’t know how to break it. Can conjecture security.
Can we prove any SNARG construction secure under OWFs, DDH, RSA, LWE,… ? “q-decisional-augmented-bilinear-Diffie-Hellman-exponent-
assumption” ?
This work: NO*. * Restrictions apply.
Main Result
No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption.
DDH, RSA, LWE,…q-ABDHE,…
Defining SNARGs
Completeness: Correctly generated proofs verify with overwhelming probability.
CRS Ã Gen(1n)
¼ Ã Prove(CRS, x, w) Verify(CRS, x, ¼) x, ¼
Defining SNARGs
Public Verifiability: any party can verify proofs.
CRS Ã Gen(1n)
¼ Ã Prove(CRS, x, w) Verify(CRS, x, ¼) x, ¼
Defining SNARGs
Public Verifiability: any party can verify proofs. Designated Verifier: only verifier that knows SK can
verify. All our results hold for Designated Verifier SNARGs.
Syntactically same as two-round interactive arguments. Challenge = CRS, Response = ¼.
(CRS, SK) Ã Gen(1n)
¼ Ã Prove(CRS, x, w) Verify(CRS, SK, x, ¼) x, ¼
Security of SNARGs
(x, ¼) Ã Adv (CRS)
(Adaptive) Soundness: For efficient Adv if (x, ¼)Ã Adv(CRS) Pr[ Verify(CRS, SK, x, ¼) = accept and x 2 L ] = negligible(n)
Natural for SNARGs. For 2-round arguments traditionally consider static
soundness.
(CRS, SK) Ã Gen(1n)
Verify(CRS, SK, x, ¼) x, ¼
Succinct Arguments: What we know?
4 round
3 round2 round
Publically Verifiable SNARG (CRS)
SNARG without CRS
Designated Verifier SNARG (CRS)
Doesn’t Exist
May exist (RO Heuristic)but cannot prove securevia BB reduction from falsifiable assumption.
??
Exist assuming CRHFs
(adaptive soundness)
(static soundness)
Main Result
No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption.
Falsifiable Assumptions
Falsifiable Assumption (in spirit of [Naor 03]): Interactive game between an efficient challenger and
adversary; challenger decides if adversary wins. For PPT Adv Pr[Adv wins] · negl(n).
Examples: DDH, RSA, LWE, QR,…, q-ABDHE,… “RSA Signatures (Full-Domain-Hash) with SHA-1 are secure”.
Not Falsifiable: “This Proof System is ZK”. (Not a game - requires Simulator) “This SNARG construction is secure”. (Inefficient Challenger) “Knowledge-of-Exponent” (KoE) Assumptions. [Dam91, HT98]
Main Result
No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption.
SNARG Attack
Assumption Attack
Black-Box Reductions
SNARG Security
Assumption
SNARG Attack
Assumption Attack
Black-Box Reductions
Black-Box Reduction: Constructive Proof. Efficient Reduction Algorithm. Given Black-Box access
to any SNARG-Attacker becomes an Assumption-Attacker.
Should work even if SNARG-Attacker is inefficient. (If SNARG-Attacker is stateless can ignore rewinding).
Reduction
Assumption
Challenger
Main Result
No Black-Box-Reduction proof of security for any SNARG construction under any Falsifiable Assumption.
• Assuming the falsifiable assumption isn’t
false. • Assuming sub-exponentially hard OWFs exist.
Main Result
If there is a Black-Box-Reduction proof for some SNARG construction under some Falsifiable Assumption then one of the following holds: The falsifiable assumption is false! There are no sub-exponentially hard OWFs.
Main Idea: Simulatable Attacker
Inefficient Attacker. Breaks soundness (outputs false statements,
“proofs”). Efficient Simulator.
Does not break soundness (outputs true statements, proofs).
No efficient distinguisher can tell them apart.
SNARG Attack
Simulator≈
Separation via Simulatable Attack
Existence of Simulatable Attack for any SNARG.
Simulatable Attack implies Black-Box Separation.
Simulatable Attack ) Separation
SNARG Attack
Assumption Attack
Reduction
Assumption
Challenger
Given access to the “Simulatable Attacker” reduction breaks assumption.
Attacker
WINS
Simulatable Attack ) Separation
SNARG Attack
Reduction
Assumption
Challenger
Given access to the “Simulatable Attacker” reduction breaks assumption.
Efficient
Attacker
WINS
Simulatable Attack ) Separation
Reduction
Assumption
Challenger
Given access to the “Simulatable Attacker” reduction breaks assumption.
Replace “Simulatable Attacker” with efficient Simulator.
Attacker
WINS
Simulator Efficient
Simulatable Attack ) Separation
Reduction
Assumption
Challenger
There is an efficient attack on the assumption. ) Assumption is false!
Attacker
WINS
Simulator
Efficient Attack
on Assumption
Separation via Simulatable Attack
Existence of Simulatable Attack for any SNARG.
Simulatable Attack implies Black-Box Separation. BB Reduction under Falsifiable Assumption
) Assumption false.
Existence of Simulatable Attack
If NP has poly-logarithmic witnesses, there may not be any attacks at all!
Assumption: Sub-exponentially-hard subset-membership problems in NP. An NP language L. Distributions: G µ L , B µ
{0,1}*\L. Can efficiently sample x à G along with a witness w. Cannot distinguish G from B in time 2n± with
probability 2-n±.
Implied by sub-exponentially secure PRGs, OWFs.
Existence of Simulatable Attack
Naïve Idea: try all ¼ until one verifies. Might not look at all like correct distribution!
Show: Way to sample “correct looking” ¼ for x à B.
SNARG Attack
Simulator≈
CRS (x, ¼)x à G witness w
x à B¼ à Prov(CRS, x, w)How to sample ¼ ?
x à G witness w
x à B¼ à Prov(x, w)¼ à Prov*(x)
≈
8 efficient Prov w/ short output 9 inefficient function Prov*:
(x, ¼) (x, ¼)
Existence of Simulatable Attack
If G, B are (s, ²)-indistinguishable thens* = s/poly(2|¼| ²), ²* = 2²
x à G¼ à Prov(x)
≈
8 inefficient Prov w/ short output 9 inefficient function Prov*:
(x, ¼) (x, ¼)
Indisitinguishability w/ Auxiliary Info
x à B¼ à Prov*(x)
Proof coming up soon.Assuming the Lemma…
(s*, ²*)
Existence of Simulatable Attack
Security of G,B exponential in size of proof. Proof-size nc polylog(|x| + |w|) = o(nc+1). Choose large enough statements to get security 2nc+1.
Distinguisher can ask many queries – hybrid argument.
SNARG Attack
Simulator≈
CRS (x, ¼)x à G witness wx à B
¼ Ã Prov(CRS, x, w)¼ Ã Prov*(CRS, x)
Simulator
Existence of Simulatable Attack
Problem: Who gets which security parameter? D can “lie” about security parameter to “oracle”.
Solution: Simulator gives false statements when m ¼ log(n). Annoying and messy! Simulator gets n and depends
on D.
SNARG Attack ≈
D(n)
CRS (x, ¼)x à G witness wx à B
¼ Ã Prov(CRS, x, w)¼ Ã Prov*(CRS, x)
Sec = m
Simulator
Existence of Simulatable Attack
Why is this a legitimate attack? Do proofs verify? Set D to be the verifier of the SNARG.
SNARG Attack ≈
D(n)
CRS (x, ¼)x à G witness wx à B
¼ Ã Prov(CRS, x, w)¼ Ã Prov*(CRS, x)
Sec = m
Separation via Simulatable Attack
Existence of Simulatable Attack for any SNARG. Any SNARG for a sub-exp hard membership
problem. Any SNARG for NP assuming sub-exp hard OWF.
Simulatable Attack implies Black-Box Separation. BB reduction under falsifiable assumption
) Assumption false.
Returning to:
Indisitinguishability with
Auxiliary Information
x à G¼ à Aux(x)
≈
8 short inefficient Aux 9 inefficient Aux*:
(x, ¼) (x, ¼)
Indisitinguishability w. Auxiliary Info
x à B¼ à Aux*(x)
If G, B are (s, ²)-indistinguishable then s* = s/poly(2|¼| ²), ²* = 2²
(s*, ²*)
) L-bit leakage on seed of PRG reduces HILL entropy of output
by L bits. [DP08]
Proof related to Nisan’s proof of Impagliazzo Hardcore Lemma.
Pr[ D(x, ¼)=1] - Pr[D(x, ¼)=1] > ²* x à G
¼ Ã Aux(x)
9 short inefficient Aux
Proof: Indisitinguishability w. Auxiliary Info
x à B¼ à Aux*(x)
8 inefficient function Aux* 9 D of size s*
Distinguish G, B with s = s* poly(2|¼| ²) ² = ²* /2
Task:
Goal: switch quantifiers with Min-Max theorem.
Pr[ D(x, ¼)=1] - Pr[D(x, ¼)=1] > ²* x à G
¼ Ã Aux(x)
9 short inefficient Aux
Proof: Indisitinguishability w. Auxiliary Info
x à B¼ à Aux*(x)
min Aux* max D of size s*
Goal: switch quantifiers with Min-Max theorem.
Pr[ D(x, ¼)=1] - Pr[D(x, ¼)=1] > ²* x à G
¼ Ã Aux(x)
9 short inefficient Aux
Proof: Indisitinguishability w. Auxiliary Info
x à B¼ à Aux*(x)
min Aux* max Dist(over D of size s*)
D Ã Dist D Ã Dist
Goal: switch quantifiers with Min-Max theorem.
Pr[ D(x, ¼)=1] - Pr[D(x, ¼)=1] > ²* x à G
¼ Ã Aux(x)
9 short inefficient Aux
Proof: Indisitinguishability w. Auxiliary Info
x à B¼ à Aux*(x)D à Dist D à Dist
min Aux*max Dist(over D of size s*)
[von Neumann 28]
Pr[ D(x, ¼)=1] - Pr[D(x, ¼)=1] > ²* x à G
¼ Ã Aux(x)
9 short inefficient Aux,
Proof: Indisitinguishability w. Auxiliary Info
x à B¼ à Aux*(x)D à Dist D à Dist
min Aux*Dist(over D of size s*)
Val(x) := min¼ Pr[D(x, ¼) = 1]Goal: get rid of auxiliary information.
E[Val(x)] - E[Val(x)] > ²* x à B x à G
E[Val(x)] - E[Val(x)] > ²* x à B x à G
9 short inefficient Aux,
Proof: Indisitinguishability w. Auxiliary Info
Dist(over D of size s*)
Val(x) := min¼ Pr[D(x, ¼) = 1]
To distinguish if x comes from G, or B: Get estimate for Val(x).
Try all possible values of ¼. Run many D on each choice.
Output “B” with that probability.
size = poly(2|¼|²).
Main Result
If there is a Black-Box-Reduction proof for some SNARG construction under some Falsifiable Assumption then one of the following holds: The falsifiable assumption is false! There are no sub-exponentially hard OWFs.
Slightly succinct: sub-linear arguments.
No exponentially hard subset-membership problems.
Main Result
If there is a Black-Box-Reduction proof for some SNARG construction under some Falsifiable Assumption then one of the following holds: The falsifiable assumption is false! There are no sub-exponentially hard OWFs.
(sub)-exponential
(sub)-exponential version of
Comparison to other BB Separations
Notion A is not sufficient to realize B in a “black-box way”. [Impagliazzo Rudrich 89]: Separate KA from OWP. [Sim98]: Separate CRHFs from OWP. [GKM+00, GKTRV00, GMR01, RTV04, BPR+08 …]
Usually: Notion A is generic e.g. “existence of some OWP”. Construction of B using a generic instance of A as black-box.
(Reduction uses adversary as a black-box.)
Our result: Notion A can be a specific assumption e.g. “RSA is a OWP”. Reduction uses adversary as a black-box. Similar to: [DOP05, AF07,HH09].
BB Reductions for Succinct Arguments
[Rothblum-Vadhan 10] : Any interactive succinct argument with a black-box proof of security under a falsifiable assumption can be easily converted into a “PCP System”.
Not a separation since PCPs exist unconditionally.
Shows: heavy PCP machinery inherent in succinct args.
Summary & Open Problems
Black-box separation of SNARGs from Falsifiable Assumptions.
Non-black-box techniques? Only know [Bar01].
SNARGs under non-falsifiable assumptions (e.g. Knowledge of Exponent). Some results by [Gro10].
Succinct arguments with long CRS? Succinct in witness but not statement? Constructions of 2 or 3 round arguments? Or, do black-box separations extend?
THANK YOU!
QUESTIONS?