+

ZKP学习笔记

ZK-Learning MOOC课程笔记

+

Lecture 11: From Practice to Theory (Guest Lecturer: Alex Lombardi)

11.3 What can we do without random oracle model

    +
  • Falsifiable Assumptions
      +
    • Prove security assuming that some concrete algorithmic task is infeasible:
        +
      • Computing discrete logarithms is hard.
      • +
      • Solving random noisy linear equations (LWE) is hard.
      • +
      • SHA256 is collision-resistant
      • +
      +
    • +
    • Many cryptographic constructions use random oracles to get better efficiency, but can be based on falsifiable assumptions.
        +
      • CCA-secure public key encryption
      • +
      • Identity-based encryption.
      • +
      • Non-interactive zero knowledge
      • +
      +
    • +
    • Can (ZK-)SNARKs for NP be built based on falsifiable assumptions?
        +
      • (minor caveats but) No!
      • +
      • No way to extract a long witness from a short proof. Need assumption (RO, “knowledge assumption”) that guarantees adversary “knows” a long string given a short commitment.
      • +
      +
    • +
    • Can (ZK-)SNARGs for NP be built based on falsifiable assumptions?
        +
      • It’s complicated. (We don’t know)
      • +
      • Significant barriers [Gentry-Wichs ‘11]
      • +
      • The community is still trying to understand this.
      • +
      +
    • +
    +
  • +
  • SNARGs for limited computations from falsifiable assumptions (LWE)
      +
    • Two tools/techniques
        +
      • Correlation-intractable hash functions [CCHLRRW19,PS19,HLR21]
          +
        • Used to instantiate Fiat-Shamir without random oracles, for “nice enough” interactive protocols
        • +
        +
      • +
      • Somewhere extractable commitments [HW15]
          +
        • Used to make a “nice enough” interactive protocol
        • +
        • Special variant of the typical IOP-based approach.
        • +
        +
      • +
      +
    • +
    +
  • +
  • Correlation Intractability
      +
    • Function
    • +
    • Binary relations
    • +
    • Weren’t these impossible to build?
        +
      • Restrict to fixed input length (necessary)
      • +
      • Restrict to fixed running time on f (unclear if necessary)
      • +
      +
    • +
    • CI Construction
        +
      • A simple construction [CLW18] using Fully Homomorphic Encryption (FHE)

      • +
      +
    • +
    • Security Analysis
    • +
    • Correlation Intractability: what we know
    • +
    +
  • +
+ +