8 research outputs found
Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP
As recent studies show, the notions of *program obfuscation* and *zero
knowledge* are intimately connected. In this work, we explore this connection further, and prove the following general result. If there exists *differing input obfuscation* (diO) for the class of all polynomial time Turing machines, then there exists a *four message, fully concurrent zero-knowledge* proof system for all languages in NP with negligible soundness error. This result is constructive: given diO, our reduction yields an explicit protocol along with an *explicit* simulator that is ``straight line\u27\u27 and runs in strict
polynomial time.
Our reduction relies on a new non-black-box simulation technique which does not use the PCP theorem. In addition to assuming diO, our reduction also assumes (standard and polynomial time) cryptographic assumptions such as collision-resistant hash functions.
The round complexity of our protocol also sheds new light on the *exact* round complexity of concurrent zero-knowledge. It shows, for the first time, that in the realm of non-black-box simulation, concurrent zero-knowledge may not necessarily require more rounds than *stand alone* zero-knowledge
One-Way Functions and (Im)perfect Obfuscation
A program obfuscator takes a program and outputs an scrambled version of it, where the goal is that the obfuscated program will not reveal much about its structure beyond what is apparent from executing it. There are several ways of formalizing this goal. Specifically, in indistinguishability obfuscation, first defined by Barak et al. (CRYPTO 2001), the requirement is that the results of obfuscating any two functionally equivalent programs (circuits) will be computationally indistinguishable. Recently, a fascinating candidate construction for indistinguishability obfuscation was proposed by Garg et al. (FOCS 2013). This has led to a flurry of discovery of intriguing constructions of primitives and protocols whose existence was not previously known (for instance, fully deniable encryption by Sahai and Waters, STOC 2014). Most of them explicitly rely on additional hardness assumptions, such as one-way functions.
Our goal is to get rid of this extra assumption. We cannot argue that indistinguishability obfuscation of all polynomial-time circuits implies the existence of one-way functions, since if , then program obfuscation (under the indistinguishability notion) is possible. Instead, the ultimate goal is to argue that if and program obfuscation is possible, then one-way functions exist.
Our main result is that if and there is an efficient (even imperfect) indistinguishability obfuscator, then there are one-way functions. In addition, we show that the existence of an indistinguishability obfuscator implies (unconditionally) the existence of SZK-arguments for . This, in turn, provides an alternative version of our main result, based on the assumption of hard-on-the average problems. To get some of our results we need obfuscators for simple programs such as 3CNF formulas
Incremental Program Obfuscation
Recent advances in program obfuscation suggest that it is possible to create
software that can provably safeguard secret information. However, software
systems usually contain large executable code that is updated multiple times
and sometimes very frequently. Freshly obfuscating the program for every small
update will lead to a considerable efficiency loss. Thus, an extremely
desirable property for obfuscation algorithms is incrementality: small changes
to the underlying program translate into small changes to the corresponding
obfuscated program.
We initiate a thorough investigation of incremental program obfuscation. We
show that the strong simulation-based notions of program obfuscation, such as
``virtual black-box\u27\u27 and ``virtual grey-box\u27\u27 obfuscation, cannot be
incremental (according to our efficiency requirements) even for very simple
functions such as point functions. We then turn to the
indistinguishability-based notions, and present two security definitions of
varying strength --- namely, a weak one and a strong one. To understand the
overall strength of our definitions, we formulate the notion of incremental
best-possible obfuscation and show that it is equivalent to our strong
indistinguishability-based notion.
Finally, we present constructions for incremental program obfuscation
satisfying both our security notions. We first give a construction achieving
the weaker security notion based on the existence of general purpose
indistinguishability obfuscation. Next, we present a generic transformation
using oblivious RAM to amplify security from weaker to stronger, while
maintaining the incrementality property
Batch Verification for Statistical Zero Knowledge Proofs
A statistical zero-knowledge proof (SZK) for a problem enables a computationally unbounded prover to convince a polynomial-time verifier that without revealing any additional information about to the verifier, in a strong information-theoretic sense.
Suppose, however, that the prover wishes to convince the verifier that separate inputs all belong to (without revealing anything else). A naive way of doing so is to simply run the SZK protocol separately for each input. In this work we ask whether one can do better -- that is, is efficient batch verification possible for SZK?
We give a partial positive answer to this question by constructing a batch verification protocol for a natural and important subclass of SZK -- all problems that have a non-interactive SZK protocol (in the common random string model). More specifically, we show that, for every such problem , there exists an honest-verifier SZK protocol for batch verification of instances, with communication complexity , where refers to a fixed polynomial that depends only on (and not on ). This result should be contrasted with the naive solution, which has communication complexity .
Our proof leverages a new NISZK-complete problem, called Approximate Injectivity, that we find to be of independent interest. The goal in this problem is to distinguish circuits that are nearly injective, from those that are non-injective on almost all inputs
Constant-Round Concurrent Zero-knowledge from Indistinguishability Obfuscation
We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol relies on the existence of families of collision-resistant hash functions, one-way permutations, and indistinguishability obfuscators for P/poly (with slightly super-polynomial security)
Non-black-box Simulation in the Fully Concurrent Setting, Revisited
We give a new proof of the existence of -round public-coin concurrent zero-knowledge arguments for NP, where is an arbitrary constant. The security is proven in the plain model under the assumption that collision-resistant hash functions exist. (The existence of such concurrent zero-knowledge arguments was previously proven by Goyal (STOC\u2713) in the plain model under the same assumption.) In the proof, we use a new variant of the non-black-box simulation technique of Barak (FOCS\u2701). An important property of our simulation technique is that the simulator runs in a straight-line manner in the fully concurrent setting. Compared with the simulation technique of Goyal, which also has such a property, the analysis of our simulation technique is (arguably) simpler
How to Avoid Obfuscation Using Witness PRFs
We propose a new cryptographic primitive called \emph{witness pseudorandom functions} (witness PRFs). Witness PRFs are related to witness encryption, but appear strictly stronger: we show that witness PRFs can be used for applications such as multi-party key exchange without trsuted setup, polynomially-many hardcore bits for any one-way function, and several others that were previously only possible using obfuscation. Current candidate obfuscators are far from practical and typically rely on unnatural hardness assumptions about multilinear maps. We give a construction of witness PRFs from multilinear maps that is simpler and much more efficient than current obfuscation candidates, thus bringing several applications of obfuscation closer to practice. Our construction relies on new but very natural hardness assumptions about the underlying maps that appear to be resistant to a recent line of attacks