Laconic Zero Knowledge to. Akshay Degwekar (MIT)

Transcription

1 Laconic Zero Knowledge to Public Key Cryptography Akshay Degwekar (MIT)

2 Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78, Goldwasser-Micali82] sk pk Public Key Encryption ct = Enc pk (m) GOAL: Construct different public-key encryption schemes Number Theory Lattices

3 What structure+hardness implies public-key crypto?

4 Possible answers: NP-hardness No Crypto Known Some impossibility results [Brassard79, Feigenbaum-Fortnow93, Bogdanov- Trevisan03, Goldreich-Goldwasser98, AkaviaGoldreichGoldwasserMoshkovitz06] One-Way Functions Some barriers [Impagliazzo-Rudich89, Brakerski-Katz-Segev-Yerukhimovich11, Dachman-Soled16, Garg-Hajiabadi-Mahmoody-Mohammed18] SZK-hardness (SZK = Statistical Zero Knowledge) Implies OWFs [Ostrovsky91] Many problems in SZK imply PKE

5 Statistical Zero Knowledge (SZK) [Goldwasser-Micali-Rackoff85] Completeness: P * P V Soundness: Proof : All powerful P * Argument : Efficient P *

6 Honest-Verifier Statistical Zero Knowledge: [Goldwasser-Micali-Rackoff85] P V Simulator:

7 Statistical Zero Knowledge NP PKE from SZK-Hardness? Factoring DLog LWE QR SZK Graph Iso. Seems Challenging: Discrete Log, Graph Iso have SZK proofs but no PKE known. Need more Structure?

8 Example: Quadratic Non-Residuosity (Or: From GMR to GM) [Goldwasser-Micali82, Goldwasser-Micali-Rackoff85] (Honest-Verifier) Statistical Zero-Knowledge Proof Efficient Prover Prover talks very little Can sample hard instances w/ witnesses

9 Our Results: These Properties are Sufficient! ZK PROOF SYSTEM Public-Key Encryption + CRYPTO HARD LANGUAGE Implies One-Way Functions

10 Instantiations QR DDH LWE Low noise LPN ABW Factoring CDH Our Assumption PKE

11 Perspective: Relaxing the Assumption ZK PROOF SYSTEM + CRYPTO HARD LANGUAGE [Sahai-Vadhan03] [HaitnerNguyenOng ReingoldVadhan03]

12 Characterization WEAK ZK PROOF SYSTEM WEAK: soundness, completeness hold on average Public-Key Encryption + DISTRIBUTIONS CRYPTO HARD LANGUAGE

13 Summary Laconic, Efficient Prover, HVSZK ARGUMENT + CRYPTO HARD LANGUAGE Public Key Encryption

14 Techniques

15 Warmup: 2-Msg, Deterministic Prover * V * a.k.a Hash Proof System [Cramer-Shoup02]

16 Weak Key Agreement Correctness: Every verifier challenge has Every verifier challenge has unique prover response

17 Break average-case hardness Adv = Cheating Prover D V 0/1 soundness Contradiction. D breaks average-case hardness. Amplify from weak PKE to PKE using HolensteinRenner05

18 We saw: PKE from deterministic, 2-msg SZK Proof System. Challenges: Randomized Prover Multi-round Proof System Stateful Prover Lesser Challenges: Relaxing perfect ZK, perfect completeness

19 Coping with Randomized Provers Weak Security: Correctness: Our Assumption Trapdoor Pseudoentropy Generator PKE

20 Our Assumption Trapdoor Pseudoentropy Generator PKE Security: Adv can only sample from bigger dist. Formalized using pseudoentropy [HILL99]

21 Our Assumption Trapdoor Pseudoentropy Generator PKE Challenges: Many rounds [Ostrovsky 91] Terminate at random round. Stateful Prover Laconic. Rejection Sampling

22 Our Assumption Trapdoor Pseudoentropy Generator Amplification Theorem Technically difficult half Uses connections between Pseudorandomness & Unpredictability Ingredients from: OWFs => PRG (HILL99, VadhanZheng12) PKE

23 Conclusion and Open Problems Laconic, Efficient Prover, HVSZK ARGUMENT + CRYPTO HARD LANGUAGE Public Key Encryption Big Open Q: Design new PKE schemes

24 Thank You!

25 Trapdoor Pseudoentropy Generator Public Key Encryption Security: Gap between Decode & adversary Formalized using pseudoentropy [HILL99]