BIU WINTER SCHOOL | February 2019

ZERO-KNOWLEDGE for NP

ALON ROSEN IDC HERZLIYA

Perfect ZK

Perfect ZK: ∀𝑃𝑃𝑇 𝑉∗ ∃𝑃𝑃𝑇 𝑆 ∀𝑥 ∈ 𝐿 ∀𝑧

𝑆 𝑥, 𝑧 ≅ 𝑃 𝑤 , 𝑉∗ 𝑧 𝑥

Proposition: 𝑄𝑅𝑁 ∈ PZK

𝑁𝑃 complete

𝑆𝐴𝑇

𝐿𝐼𝑁 P

NP

𝑄𝑅𝑁

Can 𝑆𝐴𝑇 be proved in ZK?

Why do we care?

• 𝑄𝑅𝑁 is specific

• 𝑆𝐴𝑇 is NP-complete

• If 𝑆𝐴𝑇 ∈ ZK then every 𝐿 ∈ NP is provable in ZK

Theorem [F’87, BHZ’87]: If 𝑆𝐴𝑇 ∈ PZK then the

polynomial-time hierarchy collapses to the second level

Possible relaxations:

• Computational indistinguishability (now)

• Computational soundness (later)

Statistical

Zero-Knowledge

Statistical Indistinguishabi lity

Let 𝑋 and 𝑌 be random variables taking values in a set Ω

Perfect indistinguishability (𝑋 ≅ 𝑌): ∀𝑇 ⊆ Ω

𝑃𝑟𝑋 𝑋 ∈ 𝑇 = 𝑃𝑟𝑌 𝑌 ∈ 𝑇

𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω

𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀

• 𝑋 = 𝑋𝑛 and 𝑌 = 𝑌𝑛

• 𝜀 = 𝜀 𝑛

Statistical Indistinguishabi lity

Let 𝑋 and 𝑌 be random variables taking values in a set Ω

Perfect indistinguishability (𝑋 ≅ 𝑌): ∀𝑇 ⊆ Ω

𝑃𝑟𝑋 𝑋 ∈ 𝑇 = 𝑃𝑟𝑌 𝑌 ∈ 𝑇

𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω

𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀

Triangle inequality: if

• 𝑋, 𝑌 are 𝜀1 -indistinguishable and

• 𝑌, 𝑍 are 𝜀2-indistinguishable then

• 𝑋, 𝑍 are 𝜀1 + 𝜀2 -indistinguishable

Statistical Indistinguishabi lity

Let 𝑋 and 𝑌 be random variables taking values in a set Ω

Perfect indistinguishability (𝑋 ≅ 𝑌): ∀𝑇 ⊆ Ω

𝑃𝑟𝑋 𝑋 ∈ 𝑇 = 𝑃𝑟𝑌 𝑌 ∈ 𝑇

𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω

𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀

Indistinguishability of multiple samples: if

• 𝑋, 𝑌 are 𝜀-indistinguishable then

• 𝑋𝑞 , 𝑌𝑞 are 𝑞𝜀-indistinguishable

Hybrid argument: 𝑋𝑞−𝑖𝒀𝑌𝑖−1 ≅𝑠 𝑋𝑞−𝑖𝑿𝑌𝑖−1

𝑋𝑞−𝑖𝒀𝑌𝑖−1 ≅𝑠 𝑋𝑞−𝑖𝑿𝑌𝑖−1

𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋≅𝑠 𝑌𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋≅𝑠 𝑌𝑌𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋≅𝑠 𝑌𝑌𝑌𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋

⋮

≅𝑠 𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑋≅𝑠 𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌𝑌

By triangle inequality: 𝜀 + 𝜀 + ⋯+ 𝜀 = 𝑞𝜀

Hybrid Argument

𝑖 = 0 𝑋𝑞 →

→ 𝑌𝑞

𝑖 = 1

𝑖 = 2𝑖 = 3

𝑖 = 𝑞 − 1𝑖 = 𝑞

Statistical ZK: ∀𝑃𝑃𝑇 𝑉∗ ∃𝑃𝑃𝑇 𝑆 ∀𝑥 ∈ 𝐿 ∀𝑧

𝑆 𝑥, 𝑧 ≅𝑠 𝑃, 𝑉∗ 𝑧 𝑥

• SZK - all 𝐿 that have a statistical ZK proof

• 𝑆 𝑥, 𝑧 and 𝑃, 𝑉∗ 𝑧 𝑥 are indexed by 𝑥, 𝑧

• Typically 𝑛 = 𝑥 (actually, 𝑛 = 𝑤 )

Theorem [F’87, BHZ’87]: If 𝑆𝐴𝑇 ∈ SZK then the polynomial-

time hierarchy collapses to the second level

Statistical ZK

Computational

Zero-Knowledge

𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω

𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀

𝑡, 𝜀 -indistinguishability (𝑋 ≅𝑐 𝑌): ∀𝑇 ⊆ Ω that are

“decidable in time 𝑡”

𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀

𝑇 ⊆ 𝐴 is decidable in time 𝑡 if ∃time-𝑡 𝐷 such that ∀𝑥 ∈ 𝐴

𝑥 ∈ 𝑇 ⟷ 𝐷 𝑥 = 1

Computational Indistinguishabi lity

𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω

𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀

𝑡, 𝜀 -indistinguishability (𝑋 ≅𝑐 𝑌): ∀time-𝑡 𝐷

𝑃𝑟 𝐷 𝑋 = 1 − 𝑃𝑟 𝐷 𝑌 = 1 ≤ 𝜀

Triangle inequality: if

• 𝑋, 𝑌 are 𝑡1, 𝜀1 -indistinguishable and

• 𝑌, 𝑍 are 𝑡2, 𝜀2 -indistinguishable then

• 𝑋, 𝑍 are 𝑚𝑖𝑛 𝑡1, 𝑡2 , 𝜀1 + 𝜀2 -indistinguishable

Computational Indistinguishabi lity

𝜀-indistinguishability (𝑋 ≅𝑠 𝑌): ∀𝑇 ⊆ Ω

𝑃𝑟 𝑋 ∈ 𝑇 − 𝑃𝑟 𝑌 ∈ 𝑇 ≤ 𝜀

𝑡, 𝜀 -indistinguishability (𝑋 ≅𝑐 𝑌): ∀time-𝑡 𝐷

𝑃𝑟 𝐷 𝑋 = 1 − 𝑃𝑟 𝐷 𝑌 = 1 ≤ 𝜀

Indistinguishability of multiple samples: if

• 𝑋, 𝑌 are 𝑡, 𝜀 -indistinguishable then

• 𝑋𝑞 , 𝑌𝑞 are 𝑡, 𝑞𝜀 -indistinguishable

Hybrid argument (non-uniform):

𝑋𝑞−𝑖𝒀𝑌𝑖−1 ≅𝑠 𝑋𝑞−𝑖𝑿𝑌𝑖−1

Computational Indistinguishabi lity

Computational Indistinguishabi lity

Typically:

• 𝑡 = 𝑝𝑜𝑙𝑦 𝑛• 𝜀 = 𝑛𝑒𝑔 𝑛

Definition: 𝜀 = 𝜀 𝑛 is negligible if it is eventually smaller

than 1/𝑝 𝑛 for every polynomial 𝑝

𝜀 = 𝑛𝑒𝑔 𝑛 , 𝑞 = 𝑝𝑜𝑙𝑦 𝑛 → 𝑞𝜀 = 𝑛𝑒𝑔 𝑛

𝑋1 ≅𝜀 𝑋2⋯ ≅𝜀 𝑋

𝑞 → 𝑋1 ≅𝑞𝜀 𝑋𝑞

In practice: concrete choices of 𝑡,q and 𝜀

Computational ZK: ∀𝑃𝑃𝑇 𝑉∗ ∃𝑃𝑃𝑇 𝑆 ∀𝑥 ∈ 𝐿 ∀𝑧

𝑆 𝑥, 𝑧 ≅𝑐 𝑃, 𝑉∗ 𝑧 𝑥

PZK ⊆ SZK ⊆ CZK

Theorem [GMW’86]: Suppose one-way functions exist.

Then NP ⊆ CZK

Computational ZK

Definition: 𝑓: 0,1 ∗ → 0,1 ∗ is 𝑡, 𝜀 -one-way if ∀time-𝑡 𝐴

𝑃𝑟𝑋 𝐴 inverts 𝑓 𝑋 ≤ 𝜀

Candidate OWFs:

• Rabin/RSA: 𝑥2 𝑚𝑜𝑑 𝑁 𝑥𝑒 𝑚𝑜𝑑 𝑁

• Discrete exponentiation: 𝑔𝑥 𝑚𝑜𝑑 𝑃

• SIS/LWE: 𝐴𝑥 𝑚𝑜𝑑 𝑞 𝐴𝑥 + 𝑒 𝑚𝑜𝑑 𝑞

• AES: 𝐴𝐸𝑆𝑥 0𝑛

• SHA: ℎ 𝑥

One-way Functions

Commitment Schemes

Commitment Scheme

• Two-stage protocol between Committer and Receiver

Completeness: 𝐶 can always generate valid

𝑐 = 𝐶𝑜𝑚 𝑚, 𝑟

R𝑐 = 𝐶𝑜𝑚 𝑚, 𝑟

𝑚, 𝑟 = 𝐷𝑒𝑐 𝑐

Commit

Reveal

Commitment Scheme

• Two-stage protocol between Committer and Receiver

RCommit

Reveal

𝐶𝑜𝑚 𝑚, 𝑟 is

𝑅∗’s view of the

commit phase

𝐷𝑒𝑐 𝑐 is

𝑅∗’s view of the

reveal phase

Canonical reveal:

𝐷𝑒𝑐 𝑐 = 𝑚, 𝑟

Statistical ly-binding Commitments

Definition: A statistically-binding 𝐶𝑜𝑚,𝐷𝑒𝑐 satisfies:

Computational hiding: 𝑃𝑃𝑇 𝑅∗ ∀𝑚1, 𝑚2

𝐶𝑜𝑚 𝑚1 ≅𝑐 𝐶𝑜𝑚 𝑚2

Statistical binding: 𝐶∗ ∀𝑚1 ≠ 𝑚2

𝑃𝑟 𝐶∗ wins the binding game ≤ 𝑛𝑒𝑔 𝑛

𝐶∗ wins the binding game if it generates 𝑐 along with

• 𝑚1, 𝑟1 = 𝐷𝑒𝑐 𝑐• 𝑚2, 𝑟2 = 𝐷𝑒𝑐 𝑐

• Note: hiding holds even if 𝑚1, 𝑚2 are known

• Later: statistically-hiding commitments

• El-Gamal (assuming DDH):

𝐶𝑜𝑚𝑔,ℎ 𝑚, 𝑟 = 𝑔𝑟 , ℎ𝑟 ∙ 𝑔𝑚

• Any OWP:

𝐶𝑜𝑚 𝑚, 𝑟 = 𝑓 𝑟 , 𝑏 𝑟 ⊕ 𝑚

• Any PRG (and hence OWF):

𝐶𝑜𝑚𝑟 𝑏, 𝑠 = ቊ𝐺 𝑠 𝑏 = 0𝐺 𝑠 ⊕ 𝑟 𝑏 = 1

Examples (statistical ly-binding)

NP ⊆ CZK

Theorem [GMW’86]: If statistically-binding commitments

exist then NP ⊆ CZK

Theorem [B’86]: If statistically-binding commitments

exist then 𝐻𝐴𝑀 ∈ CZK

𝐻𝐴𝑀 = 𝐺| 𝐺 has a Hamiltomian cycle

Ham cycle: passes via each vertex exactly once

𝐻𝐴𝑀 ∈ CZK

Every 𝐿 ∈ NP is poly-time reducible to 𝐻𝐴𝑀

∃poly-time computable 𝑓 such that ∀𝑥

𝑥 ∈ 𝐿 ⇔ 𝑓 𝑥 ∈ 𝐻𝐴𝑀

To prove 𝐿 ∈ CZK, sufficient to prove 𝐻𝐴𝑀 ∈ CZK

𝐻𝐴𝑀 i s NP -complete

VP 𝑥 ∈ 𝐿↕

𝑓 𝑥 ∈ 𝐻𝐴𝑀

ACCEPT/REJECT

𝑤 for 𝑥 ∈ 𝐿↕

𝑔(𝑤) for 𝑓 𝑥 ∈ 𝐻𝐴𝑀

𝟏

𝟏

𝟏

𝟏

𝟏

𝟏

Adjacency Matrix Representation

0 1 0 0 1 1

1 0 1 1 0 0

1 1 0 0 1 0

0 0 1 0 1 1

1 0 1 1 0 1

1 1 0 1 1 0

Graph 𝐺 Ham cycle 𝑤

0 𝟏 0 0 1 1

1 0 1 𝟏 0 0

1 1 0 0 𝟏 0

0 0 𝟏 0 1 1

1 0 1 1 0 𝟏

𝟏 1 0 1 1 0

0 𝟏 0 0 1 1

1 0 1 𝟏 0 0

1 1 0 0 𝟏 0

0 0 𝟏 0 1 1

1 0 1 1 0 𝟏

𝟏 1 0 1 1 0

Committing to 𝐺 and opening cycle 𝑤

Graph 𝐺 𝒄 = 𝐶𝑜𝑚 𝐺

𝟏

𝟏

𝟏

𝟏

𝟏

𝟏

→

0 𝟏 0 0 1 1

1 0 1 𝟏 0 0

1 1 0 0 𝟏 0

0 0 𝟏 0 1 1

1 0 1 1 0 𝟏

𝟏 1 0 1 1 0

𝑤 ∈ 𝐷𝑒𝑐 𝑐𝐺 = 𝐷𝑒𝑐 𝑐

An interactive proof for 𝐻𝐴𝑀

VP

𝑏 = 0: 𝑢 ∈ 𝐷𝑒𝑐 𝒄

𝑏

𝐺 ∈ 𝐻𝐴𝑀

𝑏 ∈𝑅 0,1

𝒄 = 𝐶𝑜𝑚 𝜋(𝐺)𝜋 ∈𝑅 𝑆𝑛

Ham cycle 𝑤

𝑏 = 1: 𝜋, 𝐻 = 𝐷𝑒𝑐 𝒄

In either case,

verify hat 𝐷𝑒𝑐 are valid

𝑢=𝜋(𝑤) Verify that 𝑢 is a cycle

Verify that 𝐻 = 𝜋 𝐺

When 𝑏 = 0

𝒄 = 𝐶𝑜𝑚 𝜋(𝐺)

𝟏

𝟏

𝟏

𝟏

𝟏

𝟏

𝑢 ∈ 𝐷𝑒𝑐 𝒄

𝑏 = 0

Verify :

• That 𝐷𝑒𝑐 is valid

• That 𝑢 is a cycle

When 𝑏 = 1

0 1 0 0 1 1

1 0 1 1 0 0

1 1 0 0 1 0

0 0 1 0 1 1

1 0 1 1 0 1

1 1 0 1 1 0

6 1 3 2 5 4

𝐻 = 𝐷𝑒𝑐 𝒄𝒄 = 𝐶𝑜𝑚 𝜋(𝐺)

𝜋

𝑏 = 1

Verify :

• That 𝐷𝑒𝑐 is valid

• That 𝐻 = 𝜋 𝐺

Soundness

Claim: If 𝐶𝑜𝑚,𝐷𝑒𝑐 is statistically binding then 𝑃, 𝑉is an interactive proof for 𝐻𝐴𝑀

Soundness:

If 𝑃𝑟𝑏 𝑃∗, 𝑉 accepts 𝑥 > 1/2

then both

• 𝑢 is a cycle in 𝐻

• and 𝐻 = 𝜋 𝐺

So 𝜋−1 𝑢 is a cycle in 𝐺

VP*

𝑏 = 0: 𝑢

𝑏

𝐶𝑜𝑚 𝜋(𝐺)

𝑏 = 1: 𝜋, 𝐻 𝐻 = 𝜋 𝐺

𝑢 is a cycle

Computational ZK

Simulator 𝑆𝑉∗𝐺 :

1. Set 𝐺0 = 𝑢 for 𝑢 ∈𝑅 𝑐𝑦𝑐𝑙𝑒𝑛2. Set 𝐺1 = 𝜋(𝐺) for 𝜋 ∈𝑅 𝑆𝑛3. Sample 𝑏 ∈𝑅 ℤ𝑁

∗

𝑏 = 0: Set 𝒄 = 𝐶𝑜𝑚 𝐺0𝑏 = 1: Set 𝒄 = 𝐶𝑜𝑚 𝐺1

4. If 𝑉∗ 𝒄 = 𝑏

𝑏 = 0: Output 𝒄,𝑏, 𝑢

𝑏 = 1: Output 𝒄,𝑏, 𝜋,𝐺1

5. Otherwise repeat

V*P

𝑏 = 0: 𝑢

𝑏 = 𝑉∗ 𝑐

𝒄

𝑏 = 1: 𝜋, 𝐻

0 𝟏 0 0 0 0

0 0 0 𝟏 0 0

0 0 0 0 𝟏 0

0 0 𝟏 0 0 0

0 0 0 0 0 𝟏

𝟏 0 0 0 0 0

Computational ZK

𝐺0

𝑏 = 0

𝐺1

𝑏 = 1

𝜋

6 1 3 2 5 4

0 1 0 0 1 1

1 0 1 1 0 0

1 1 0 0 1 0

0 0 1 0 1 1

1 0 1 1 0 1

1 1 0 1 1 0

Computational ZK

𝑏 = 0

𝒄 = 𝐶𝑜𝑚 𝐺0

𝑏 = 1

𝒄 = 𝐶𝑜𝑚 𝐺1

≅𝑐

𝟏

𝟏

𝟏

𝟏

𝟏

𝟏

Computational ZK

If 𝑉∗ 𝒄 = 0(otherwise repeat)

If 𝑉∗ 𝒄 = 1(otherwise repeat)

𝐺0 = 𝑢 𝐺1 = 𝜋(𝐺)

𝜋

6 1 3 2 5 4

0 1 0 0 1 1

1 0 1 1 0 0

1 1 0 0 1 0

0 0 1 0 1 1

1 0 1 1 0 1

1 1 0 1 1 0

Claim: If 𝐶𝑜𝑚 is computationally hiding then 𝑆𝑉∗𝐺 runs

in polynomial time

1. From hiding of 𝐶𝑜𝑚 and the fact that 𝑉∗is 𝑃𝑃𝑇:

𝑃𝑟𝒄,𝑏 𝑉∗ 𝐶𝑜𝑚 𝐺𝑏 = 𝑏 ≈ 1/2

Exercise: otherwise 𝑉∗ distinguishes between

𝐶𝑜𝑚 𝐺0 and 𝐶𝑜𝑚 𝐺1

2. This implies: 𝔼 #repetitions ≈ 2

Computational ZK

Claim: If 𝐶𝑜𝑚 is computationally hiding then ∀𝐺 ∈ 𝐻𝐴𝑀

𝑆𝑉∗𝐺 ≅𝑐 𝑃(𝑤), 𝑉∗ 𝐺

1. Let 𝐻𝑉∗ 𝐺,𝑤 act identically to 𝑆𝑉∗𝐺 except that:

• 𝐻 commits to 𝐺1 instead of 𝐺0• When 𝑉∗ 𝑐 = 0, 𝐻 outputs 𝜋(𝑤) instead of 𝑢

2. Exercise:

𝑆𝑉∗𝐺 ≅𝑐 𝐻

𝑉∗ 𝐺,𝑤 ≅ 𝑃(𝑤), 𝑉∗ 𝐺

Hint: 𝐶𝑜𝑚 𝐺0 ≅𝑐 𝐶𝑜𝑚 𝐺1 even if 𝐺,𝑤, 𝜋 are known.

Computational ZK

𝟏

𝟏

𝟏

𝟏

𝟏

𝟏

𝟏

𝟏

𝟏

𝟏

𝟏

𝟏

Computational ZK

𝑆𝑉∗𝐺 | 𝑏 = 0

𝒄 = 𝐶𝑜𝑚 𝐺0 𝒄 = 𝐶𝑜𝑚 𝐺1

≅𝑐

𝒄 = 𝐶𝑜𝑚 𝐺0 − 𝐶𝑜𝑚(𝜋(𝑤)) 𝒄 = 𝐶𝑜𝑚 𝐺1 − 𝐶𝑜𝑚(𝜋(𝑤))

𝐻𝑉∗ 𝐺,𝑤 | 𝑏 = 0

One-way functions (or rather some weak form of them)

are necessary for non-trivial ZK

Theorem [OW’90]: If ∃ZK proofs for languages outside of

BPP then there exist functions with one-way instances

Theorem [OW’90]: If ∃ZK proofs for languages that are

hard on average then there exist one-way functions

Unconditional characterization of ZK [Vad’06]:

• HVZK = ZK• ZK is closed under union

• Public-coin ZK equals private-coin ZK• ZK w/ imperfect compl. equals ZK w/ perfect compl.

Techniques borrowed from the study of SZK [SV’90’s]

Computational ZK – some more

Summary

BPP ⊆ PZK ⊆ SZK ⊂ CZK = IP

Defined:

• Statistical indistinguishability

• Computational indistinguishability

• SZK, CZK

• One way-functions

• Statistically-binding commitments

Saw:

• Examples of statistically-binding commitments

• NP ⊆ CZK via 𝐻𝐴𝑀 ∈ CZK

Food for Thought

• Efficiency of reduction to 𝐻𝐴𝑀• Classic reduction from 𝑆𝐴𝑇 to 𝐻𝐴𝑀 has quadratic blowup

• Ideally: linear blowup (with small constants)

• Communication complexity• Statistically-binding commitments imply linear communication

• Next lecture: statistically-hiding commitments

• Open up the possibility of sublinear communication

• Efficiency of prover and/or verifier• May have to optimize 𝑃, 𝑉 even if sublinear communication

• Both time and space complexities – tradeoff between 𝑃, 𝑉

• Round complexity• Much research devoted to minimizing rounds (see next lecture)

Other considerations

Define

• what it means to break the system

• Adversary’s access/resources

Build

• In ZK first there were protocols, only then defs

Prove

• We still do not have good “language” for proofs

• ML theory vs Crypto theory (crypto theory is essential)

First feasibility then efficiency

• Optimize (round/comm. complexity, verifier time/space)

Relax definition (Argument/WI/WH/NIZK)

Modern Crypto Methodology

Auxi l iary input to 𝐷 and Non-uniform 𝑉∗

Computational ZK: ∀𝑃𝑃𝑇 𝑉∗ ∃𝑃𝑃𝑇 𝑆 ∀𝑷𝑷𝑻 𝑫 ∀𝑥 ∈ 𝐿 ∀𝑧

𝑃𝑟 𝐷 𝑥,𝑧, 𝑆 𝑥, 𝑧 = 1 − 𝑃𝑟 𝐷 𝑥, 𝑧, 𝑃, 𝑉∗ 𝑧 𝑥 , 𝑧 = 1 ≤ 𝑛𝑒𝑔(|𝑥|)

Advanced comment:

• 𝐷 is also given 𝑧

• If 𝑧 is sufficiently long, 𝐷 can make use of its suffix

• 𝑉∗ and 𝑆 cannot (𝐷 is determined after them)

• implies indistinguishability against non-uniform circuits 𝐷

• Making 𝑉∗ also non uniform yields “weaker” security

reduction (from 𝑉∗ to 𝑆)

History

Oded Goldreich Avi Wigderson Manuel Blum

Moni Naor Salil VadhanRafail Ostrovsky Amit Sahai

The End

Questions?