```SEPARATING
SUCCINCT NON-INTERACTIVE
ARGUMENTS
FROM
ALL FALSIFIABLE ASSUMPTIONS
Craig Gentry
Daniel Wichs
IBM
NYU
MIT Seminar (Dec’ 10).
Non-Interactive Argument
Succinct?
Prove Language Membership

Language L µ {0,1}*. Want to show x 2 L.

NP = Non-Interactive Proofs with Efficient Verifier.

Question: How succinct can proofs for NP be?

If L has witness-size t(n) then L 2 DTIME( 2t(n)poly(n)).
 Sub-linear

proofs for all NP ) NP 2 DTIME( 2o(n)).
Generalizes to interactive proofs [GH98, GVW02].
Succinct Arguments for NP

Arguments = Comp Sound Proofs.
[Kilian92, Micali 94]
 Cannot
prove false statements x efficiently.
 Can prove true statements x efficiently given witness w.
 Succinct: size is poly(n)polylog(|x| + |w|).
n = security parameter.

What we know:
 Interactive
(4 rounds): Assuming CRHFs [Kilian 92].
 Non-interactive: Random Oracle model [Micali 94].
* Ignore: better efficiency for prover/verifier, languages outside of NP.
Succinct Non-Interactive Arguments


Question: Can we get Succinct Non-Interactive Arguments
(SNARGs) in the standard model?
Problem: 9 small adversary with hard-coded false
statement x and verifying proof ¼.
 Same

reason why un-keyed CRHFs don’t exist.
Rest of talk:
SNARGs initialized with a common reference string (CRS).
Do SNARGS exist?

Positive Evidence: Take [Micali 94] construction, replace
RO with “complicated hash function” H (set CRS = H).
 Don’t

Can we prove any SNARG construction secure under
OWFs, DDH, RSA, LWE,… ?


know how to break it. Can conjecture security.
“q-decisional-augmented-bilinear-Diffie-Hellman-exponent-assumption” ?
This work: NO*.
* Restrictions apply.
Main Result

No Black-Box-Reduction proof of
security for any SNARG construction
under any
Assumption.
q-ABDHE,…
DDH,Falsifiable
RSA, LWE,…
Defining SNARGs
CRS Ã Gen(1n)
¼ Ã Prove(CRS, x, w)

x, ¼
Verify(CRS, x, ¼)
Completeness: Correctly generated proofs verify with
overwhelming probability.
Defining SNARGs
CRS Ã Gen(1n)
¼ Ã Prove(CRS, x, w)

x, ¼
Verify(CRS, x, ¼)
Public Verifiability: any party can verify proofs.
Defining SNARGs
(CRS, SK) Ã Gen(1n)
¼ Ã Prove(CRS, x, w)


Verify(CRS, SK, x, ¼)
Public Verifiability: any party can verify proofs.
Designated Verifier: only verifier that knows SK can verify.


x, ¼
All our results hold for Designated Verifier SNARGs.
Syntactically same as two-round interactive arguments.
 Challenge = CRS, Response = ¼.
Security of SNARGs
(CRS, SK) Ã Gen(1n)



x, ¼
Verify(CRS, SK, x, ¼)
Pr[ Verify(CRS, SK, x, ¼) = accept and x 2 L ] = negligible(n)
Natural for SNARGs.
For 2-round arguments traditionally consider static soundness.
Succinct Arguments: What we know?
Doesn’t Exist
May exist (RO Heuristic)
but cannot prove secure
via BB reduction from
falsifiable assumption.
??
Exist assuming CRHFs
SNARG without CRS
Publically Verifiable SNARG (CRS)
Designated Verifier SNARG (CRS)
2 round
3 round
4 round
(static soundness)
Main Result

No Black-Box-Reduction proof of
security for any SNARG construction
under any Falsifiable Assumption.
Falsifiable Assumptions

Falsifiable Assumption (in spirit of [Naor 03]):
Interactive game between an efficient challenger and
 For

Examples: DDH, RSA, LWE, QR,…, q-ABDHE,…
“RSA Signatures (Full-Domain-Hash) with SHA-1 are secure”.

Not Falsifiable:
 “This
Proof System is ZK”. (Not a game - requires Simulator)
 “This SNARG construction is secure”. (Inefficient Challenger)
 “Knowledge-of-Exponent” (KoE) Assumptions. [Dam91, HT98]
Main Result

No Black-Box-Reduction proof of
security for any SNARG construction
under any Falsifiable Assumption.
Black-Box Reductions
SNARG
Attack
Assumption
Assumption
Attack
SNARG
Security
Black-Box Reductions
SNARG
Attack
Assumption
Attack
Reduction

Assumption
Challenger
Black-Box Reduction: Constructive Proof.
 Efficient
SNARG-Attacker becomes an Assumption-Attacker.
 Should work even if SNARG-Attacker is inefficient.
 (If SNARG-Attacker is stateless can ignore rewinding).
Main Result

No Black-Box-Reduction proof of
security for any SNARG construction
under any Falsifiable Assumption.
•
•
Assuming the falsifiable assumption isn’t false.
Assuming sub-exponentially hard OWFs exist.
Main Result

If there is a Black-Box-Reduction proof for some
SNARG construction under some Falsifiable
Assumption then one of the following holds:

The falsifiable assumption is false!

There are no sub-exponentially hard OWFs.
Main Idea: Simulatable Attacker
SNARG
Attack

soundness (outputs false statements, “proofs”).
Efficient Simulator.
 Does

Simulator
Inefficient Attacker.
 Breaks

≈
not break soundness (outputs true statements, proofs).
No efficient distinguisher can tell them apart.
Separation via Simulatable Attack

Existence of Simulatable Attack for any SNARG.

Simulatable Attack implies Black-Box Separation.
Simulatable Attack ) Separation
SNARG
Attack
Assumption
Attack
Reduction

Attacker
WINS
Assumption
Challenger
breaks assumption.
Simulatable Attack ) Separation
SNARG
Attack
Efficient
Reduction

Attacker
WINS
Assumption
Challenger
breaks assumption.
Simulatable Attack ) Separation
Simulator
Efficient
Reduction


Attacker
WINS
Assumption
Challenger
breaks assumption.
Replace “Simulatable Attacker” with efficient Simulator.
Simulatable Attack ) Separation
Simulator
Efficient Attack
on Assumption
Reduction

Attacker
WINS
Assumption
Challenger
There is an efficient attack on the assumption.

) Assumption is false!
Separation via Simulatable Attack

Existence of Simulatable Attack for any SNARG.

Simulatable Attack implies Black-Box Separation.
 BB
Reduction under Falsifiable Assumption
) Assumption false.
Existence of Simulatable Attack


If NP has poly-logarithmic witnesses, there may not be any
attacks at all!
Assumption: Sub-exponentially-hard subset-membership
problems in NP.
 An
NP language L. Distributions: G µ L , B µ {0,1}*\L.
 Can efficiently sample x Ã G along with a witness w.
±
±
 Cannot distinguish G from B in time 2n with probability 2-n .

Implied by sub-exponentially secure PRGs, OWFs.
Existence of Simulatable Attack
SNARG
Attack
≈
CRS
xÃB
Simulator
(x, ¼)
How to sample ¼ ?

Naïve Idea: try all ¼ until one verifies.
 Might

x Ã G witness w
¼ Ã Prov(CRS, x, w)
not look at all like correct distribution!
Show: Way to sample “correct looking” ¼ for
x Ã B.
Existence of Simulatable Attack
8 efficient Prov w/ short output 9 inefficient function Prov*:
x Ã G witness w
¼ Ã Prov(x, w)
xÃB
¼ Ã Prov*(x)
(x, ¼)
≈
(x, ¼)
Indisitinguishability w/ Auxiliary Info
8 inefficient Prov w/ short output 9 inefficient function Prov*:
xÃG
¼ Ã Prov(x)
xÃB
¼ Ã Prov*(x)
(x, ¼)
≈
(x, ¼)
(s*, ²*)
coming up soon.
If G, B are Proof
(s, ²)-indistinguishable
then
|¼| ²), ²* = 2²
s* = s/poly(2
Assuming
the Lemma…
Existence of Simulatable Attack
SNARG
Attack
xÃB
¼ Ã Prov*(CRS, x)

≈
CRS
(x, ¼)
Simulator
x Ã G witness w
¼ Ã Prov(CRS, x, w)
Security of G,B exponential in size of proof.
nc polylog(|x| + |w|) = o(nc+1).
c+1
n
 Choose large enough statements to get security 2
.
 Proof-size

Distinguisher can ask many queries – hybrid argument.
Existence of Simulatable Attack
SNARG
Attack
≈
Sec = m CRS
xÃB
¼ Ã Prov*(CRS, x)

D(n)
x Ã G witness w
¼ Ã Prov(CRS, x, w)
Problem: Who gets which security parameter?
D

(x, ¼)
Simulator
can “lie” about security parameter to “oracle”.
Solution: Simulator gives false statements when m ¼ log(n).
 Annoying
and messy! Simulator gets n and depends on D.
Existence of Simulatable Attack
SNARG
Attack
≈
Sec = m CRS
xÃB
¼ Ã Prov*(CRS, x)

Simulator
(x, ¼)
D(n)
x Ã G witness w
¼ Ã Prov(CRS, x, w)
Why is this a legitimate attack? Do proofs verify?
 Set
D to be the verifier of the SNARG.
Separation via Simulatable Attack

Existence of Simulatable Attack for any SNARG.
 Any
SNARG for a sub-exp hard membership problem.
 Any SNARG for NP assuming sub-exp hard OWF.

Simulatable Attack implies Black-Box Separation.
 BB
reduction under falsifiable assumption
) Assumption false.

Returning to:
Indisitinguishability
with
Auxiliary Information
Indisitinguishability w. Auxiliary Info
8 short inefficient Aux 9 inefficient Aux*:
xÃG
¼ Ã Aux(x)
xÃB
¼ Ã Aux*(x)
(x, ¼)
≈
(x, ¼)
(s*, ²*)
If G, B are
(s, ²)-indistinguishable
then
) L-bit
leakage
of
PRG
Proof
relatedontoseed
Nisan’s
proofreduces
of
|¼| ²), ²* = 2²
s* = s/poly(2
HILLImpagliazzo
entropy of output
Hardcore
by LLemma.
bits. [DP08]
Proof:
Indisitinguishability w. Auxiliary Info
9 short inefficient Aux
8 inefficient function Aux* 9 D of size s*
Pr[ D(x, ¼)=1] - Pr[D(x, ¼)=1] > ²*
xÃB
¼ Ã Aux*(x)
xÃG
¼ Ã Aux(x)
Distinguish G, B with
s = s* poly(2|¼|Goal:
²) switch
² =quantifiers
²* /2 with Min-Max theorem.
Proof:
Indisitinguishability w. Auxiliary Info
9 short inefficient Aux
min Aux* max D of size s*
Pr[ D(x, ¼)=1] - Pr[D(x, ¼)=1] > ²*
xÃB
¼ Ã Aux*(x)
xÃG
¼ Ã Aux(x)
Goal: switch quantifiers with Min-Max theorem.
Proof:
Indisitinguishability w. Auxiliary Info
9 short inefficient Aux
min Aux* max Dist(over D of size s*)
Pr[ D(x, ¼)=1] - Pr[D(x, ¼)=1] > ²*
xÃB
¼ Ã Aux*(x)
D Ã Dist
xÃG
¼ Ã Aux(x)
D Ã Dist
Goal: switch quantifiers with Min-Max theorem.
Proof:
Indisitinguishability w. Auxiliary Info
9 short inefficient Aux
min Aux* max Dist(over D of size s*)
Pr[ D(x, ¼)=1] - Pr[D(x, ¼)=1] > ²*
xÃB
¼ Ã Aux*(x)
D Ã Dist
xÃG
¼ Ã Aux(x)
D Ã Dist
[von Neumann 28]
Proof:
Indisitinguishability w. Auxiliary Info
9 short inefficient Aux, Dist(over D of size s*)
min Aux*
Pr[ D(x, ¼)=1] - Pr[D(x, ¼)=1] > ²*
xÃB
xÃG
¼ Ã Aux(x)
D Ã Dist
¼ Ã Aux*(x)
D Ã Dist
Val(x) := min¼ Pr[D(x, ¼) = 1]
E[Val(x)]
xÃB
Goal: get rid of auxiliary information.
-
E[Val(x)] > ²*
xÃG
Proof:
Indisitinguishability w. Auxiliary Info
9 short inefficient Aux, Dist(over D of size s*)
To distinguish if x comes from G, or B:
 Get estimate for Val(x).
Try all possible values of ¼.
size = poly(2|¼|²).
Run many D on each choice.
 Output “B” with that probability.
Val(x) := min¼ Pr[D(x, ¼) = 1]
E[Val(x)]
xÃB
-
E[Val(x)] > ²*
xÃG
Main Result
Slightly succinct: sub-linear arguments.

If there is a Black-Box-Reduction proof for some
SNARG construction under some Falsifiable
Assumption then one of the following holds:

The falsifiable assumption is false!

There are no sub-exponentially hard OWFs.
No exponentially hard subset-membership problems.
Main Result
(sub)-exponential

If there is a Black-Box-Reduction proof for some
SNARG construction under some Falsifiable
Assumption then one of the following holds:

The falsifiable assumption is false!

There are no sub-exponentially hard OWFs.
(sub)-exponential version of
Comparison to other BB Separations

Notion A is not sufficient to realize B in a “black-box way”.
[Impagliazzo Rudrich 89]: Separate KA from OWP.
 [Sim98]: Separate CRHFs from OWP.
 [GKM+00, GKTRV00, GMR01, RTV04, BPR+08 …]



Usually: Notion A is generic e.g. “existence of some OWP”.
Construction of B using a generic instance of A as black-box.
(Reduction uses adversary as a black-box.)
Our result: Notion A can be a specific assumption e.g. “RSA
is a OWP”. Reduction uses adversary as a black-box.

Similar to: [DOP05, AF07,HH09].
BB Reductions for Succinct Arguments



[Rothblum-Vadhan 10] : Any interactive succinct
argument with a black-box proof of security under a
falsifiable assumption can be easily converted into a
“PCP System”.
Not a separation since PCPs exist unconditionally.
Shows: heavy PCP machinery inherent in succinct args.
Summary & Open Problems




Black-box separation of SNARGs from Falsifiable
Assumptions.
Non-black-box techniques? Only know [Bar01].
SNARGs under non-falsifiable assumptions
(e.g. Knowledge of Exponent). Some results by [Gro10].
Succinct arguments with long CRS? Succinct in witness but
not statement? Constructions of 2 or 3 round arguments?
 Or,
do black-box separations extend?
THANK YOU!
```