Making the best of a leaky situation: Zero-knowledge PCPs from leakage-resilient circuits

Yuval Ishai, Mor Weiss, Guang Yang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

11 Scopus citations

Abstract

A Probabilistically Checkable Proof (PCP) allows a randomized verifier, with oracle access to a purported proof, to probabilistically verify an input statement of the form “x ∈ L” by querying only a few bits of the proof. A zero-knowledge PCP (ZKPCP) is a PCP with the additional guarantee that the view of any verifier querying a bounded number of proof bits can be efficiently simulated given the input x alone, where the simulated and actual views are statistically close. Originating from the first ZKPCP construction of Kilian et al. [21], all previous constructions relied on locking schemes, an unconditionally secure oracle-based commitment primitive. The use of locking schemes makes the verifier inherently adaptive, namely, it needs to make at least two rounds of queries to the proof. Motivated by the goal of constructing non-adaptively verifiable ZKPCPs, we suggest a new technique for compiling standard PCPs into ZKPCPs. Our approach is based on leakage-resilient circuits, which are circuits that withstand certain “side-channel” attacks, in the sense that these attacks reveal nothing about the (properly encoded) input other than the output. We observe that the verifier’s oracle queries constitute a side-channel attack on the wire values of the circuit verifying membership in L, so a PCP constructed from a circuit resilient against such attacks would be ZK. However, a leakage-resilient circuit evaluates the desired function only if its input is properly encoded, i.e., has a specific structure, whereas by generating a “proof” from the wire values of the circuit on an ill-formed “encoded” input, one can cause the verification to accept inputs x ∉ L with probability 1. We overcome this obstacle by constructing leakage-resilient circuits with the additional guarantee that ill-formed encoded inputs are detected. Using this approach, we obtain the following results:

– We construct the first witness-indistinguishable PCPs (WIPCP) for NP with non-adaptive verification. WIPCPs relax ZKPCPs by only requiring that different witnesses be indistinguishable. Our construction combines strong leakage-resilient circuits as above with the PCP of Arora and Safra [2], in which queries correspond to side-channel attacks by shallow circuits, and with correlation bounds for shallow circuits due to Lovett and Srinivasan [22].

– Building on these WIPCPs, we construct non-adaptively verifiable computational ZKPCPs for NP in the common random string model, assuming that one-way functions exist.

– As an application of the above results, we construct 3-round WI and ZK proofs for NP in a distributed setting in which the prover and the verifier interact with multiple servers, of which t can be corrupted, and the total communication involving the verifier consists of polylog(t) bits.

Original language: English
Title of host publication: Theory of Cryptography - 13th International Conference, TCC 2016-A, Proceedings
Editors: Eyal Kushilevitz, Tal Malkin
Publisher: Springer Verlag
Pages: 3-32
Number of pages: 30
ISBN (Print): 9783662490983
DOIs:
State: Published - 2016
Externally published: Yes
Event: 13th International Conference on Theory of Cryptography, TCC 2016 - Tel Aviv, Israel
Duration: 10 Jan 2016 to 13 Jan 2016

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9563
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 13th International Conference on Theory of Cryptography, TCC 2016
Country/Territory: Israel
City: Tel Aviv
Period: 10/01/16 to 13/01/16

Bibliographical note

Publisher Copyright:
© International Association for Cryptologic Research 2016.

Funding

We thank the anonymous TCC reviewers for helpful comments, and in particular for pointing out the simple construction of CZKPCP from PCP and NIZK. The first author was supported by ERC starting grant 259426, ISF grant 1709/14, and BSF grant 2012378. Research done in part while visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant #CNS-1523467. Research also supported in part from a DARPA/ARL SAFEWARE award, NSF Frontier Award 1413955, NSF grants 1228984, 1136174, 1118096, and 1065276. This material is based upon work supported by the Defense Advanced Research Projects Agency through the ARL under Contract W911NF-15-C-0205. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government. The second author was supported by ERC starting grant 259426 and an IBM PhD Fellowship. The third author was supported by the National Basic Research Program of China Grant 2011CBA00300, 2011CBA00301, and the National Natural Science Foundation of China Grant 61033001, 61350110536, 61361136003.

Funders (funder number):
Simons Institute
National Science Foundation (1523467)
Defense Advanced Research Projects Agency (W911NF-15-C-0205)
Simons Foundation
International Business Machines Corporation
Army Research Laboratory (1228984, 1413955, 1065276, 1118096, 1136174)
European Commission (259426)
United States-Israel Binational Science Foundation (2012378)
National Natural Science Foundation of China (61350110536, 61361136003, 61033001)
Israel Science Foundation (1709/14)
National Key Research and Development Program of China (2011CBA00300, 2011CBA00301)
