Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography...
Transcript of Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography...
![Page 1: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/1.jpg)
Laconic Zero Knowledge to
Public Key CryptographyPublic Key Cryptography
Akshay Degwekar(MIT)
![Page 2: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/2.jpg)
Public Key Encryption (PKE)[Diffie-Hellman76, Rivest-Shamir-Adelman78, Goldwasser-Micali82]
pkskPublic Key Encryption
ct = Encpk(m)
Public Key Encryption
GOAL: Construct “different” public-key encryption schemes
Number Theory
Lattices
public-key encryption schemes
![Page 3: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/3.jpg)
WhatWhatstructure+hardness
implies public-key crypto?public-key crypto?
![Page 4: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/4.jpg)
Possible answers:NP-hardness
Some impossibility results [Brassard79, Feigenbaum-Fortnow93, Bogdanov-
No Crypto Known
One-Way Functions
SZK-hardness (SZK = Statistical Zero Knowledge)
Some barriers [Impagliazzo-Rudich89, Brakerski-Katz-Segev-Yerukhimovich11,
Dachman-Soled16, Garg-Hajiabadi-Mahmoody-Mohammed18]
Some impossibility results [Brassard79, Feigenbaum-Fortnow93, Bogdanov-
Trevisan03, Goldreich-Goldwasser98, AkaviaGoldreichGoldwasserMoshkovitz06]
SZK-hardness (SZK = Statistical Zero Knowledge)
Implies OWFs [Ostrovsky91]
Many problems in SZK imply PKE
![Page 5: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/5.jpg)
Statistical Zero Knowledge (SZK)[Goldwasser-Micali-Rackoff85]
Completeness:
V
Completeness:
PSoundness:
P*
Proof : All powerful P*
Argument : Efficient P*
![Page 6: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/6.jpg)
[Goldwasser-Micali-Rackoff85]
Honest-Verifier Statistical Zero Knowledge:
P V
Simulator:
![Page 7: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/7.jpg)
NP
Statistical Zero Knowledge
PKE from SZK-Hardness?
SZK
Seems Challenging:
Discrete Log, Graph Iso have SZK proofsbut no PKE known.
Need more Structure?DLog
Graph Iso.
Need more Structure?DLog
QR
FactoringLWE
![Page 8: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/8.jpg)
Example: Quadratic Non-Residuosity
[Goldwasser-Micali82, Goldwasser-Micali-Rackoff85]
(Honest-Verifier)
Can sample hard instancesw/ witnesses
(Or: From GMR to GM)
(Honest-Verifier)Statistical
Zero-KnowledgeProof
Efficient
w/ witnesses
Efficient Prover
Prover talksvery little
![Page 9: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/9.jpg)
Our Results: These Properties are Sufficient!ZK PROOF SYSTEM
Public-KeyEncryption
CRYPTO HARD LANGUAGE
+CRYPTO HARD LANGUAGE
ImpliesOne-WayFunctions
![Page 10: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/10.jpg)
Instantiations
QR
DDH
PKEOur
LWE
Low noise LPN
ABW
Factoring
PKEOur
Assumption
CDH
![Page 11: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/11.jpg)
Perspective: Relaxing the AssumptionZK PROOF SYSTEM
[Sahai-Vadhan03]
CRYPTO HARD LANGUAGE
+
[Sahai-Vadhan03]
[HaitnerNguyenOngReingoldVadhan03]
CRYPTO HARD LANGUAGE
![Page 12: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/12.jpg)
Characterization
ZK PROOF SYSTEM
WEAK WEAK: soundness, completeness hold on average
+
Public-KeyEncryption
DISTRIBUTIONS
CRYPTO HARD LANGUAGE
+ DISTRIBUTIONS
![Page 13: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/13.jpg)
Summary
Laconic, Efficient Prover,Laconic, Efficient Prover,HVSZK ARGUMENT
+CRYPTO HARD LANGUAGE
Public Key Encryption
![Page 14: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/14.jpg)
Techniques
![Page 15: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/15.jpg)
Warmup: 2-Msg, Deterministic Prover*
V
* a.k.a Hash Proof System [Cramer-Shoup02]
![Page 16: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/16.jpg)
Weak Key Agreement
Correctness: Every verifier challenge has Every verifier challenge has unique prover response
![Page 17: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/17.jpg)
V
D
0/1
Break average-casehardnessAdv = Cheating Prover
soundness
V 0/1 Adv = Cheating Prover
soundness
Contradiction. D breaks average-case hardness.
Amplify from weak PKE to PKE using HolensteinRenner05
![Page 18: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/18.jpg)
We saw: PKE from deterministic, 2-msg SZK Proof System.
Challenges:
Randomized Prover
Multi-round Proof System
Stateful Prover
Lesser Challenges: Relaxing perfect ZK, perfect completeness Lesser Challenges: Relaxing perfect ZK, perfect completeness
![Page 19: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/19.jpg)
Coping with Randomized Provers
Weak Security: Correctness:Weak Security:
Trapdoor Pseudoentropy
GeneratorPKE
Our Assumption
![Page 20: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/20.jpg)
Trapdoor Pseudoentropy
GeneratorPKE
Our Assumption
Security: Adv can only samplefrom “bigger” dist.
Formalized using pseudoentropy [HILL99]
![Page 21: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/21.jpg)
Trapdoor Pseudoentropy
GeneratorPKE
Our Assumption
Challenges: Many rounds
[Ostrovsky 91] Terminate at random round.
Stateful Prover
Laconic. Rejection Sampling
![Page 22: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/22.jpg)
Trapdoor Pseudoentropy
GeneratorPKE
Our Assumption
Technically difficult half
Uses connections between Pseudorandomness & Unpredictability
Amplification Theorem
Ingredients from: OWFs => PRG (HILL99, VadhanZheng12)
![Page 23: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/23.jpg)
Conclusion and Open Problems
Laconic, Efficient Prover,HVSZK ARGUMENT
+Public Key
+CRYPTO HARD LANGUAGE
Encryption
Big Open Q:
Design new PKE schemes
Big Open Q:
![Page 24: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/24.jpg)
Thank You!
![Page 25: Laconic Zero Knowledge to Public Key CryptographyLaconic Zero Knowledge to Public Key Cryptography AkshayDegwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78,](https://reader030.fdocuments.in/reader030/viewer/2022040608/5ec369583f28472bf4404eef/html5/thumbnails/25.jpg)
Trapdoor PseudoentropyGenerator
Public Key Encryption
Security: Gap betweenDecode & adversary
Formalized using pseudoentropy [HILL99]