TY - GEN
T1 - On the (Im)possibility of Arthur-Merlin Witness Hiding Protocols
AU - Haitner, Iftach
AU - Rosen, Alon
AU - Shaltiel, Ronen
PY - 2009
Y1 - 2009
N2 - The concept of witness-hiding, suggested by Feige and Shamir, is a natural relaxation of zero-knowledge. In this paper we identify languages and distributions for which many known constant-round public-coin protocols with negligible soundness cannot be shown to be witness-hiding using black-box techniques. One particular consequence of our results is that parallel repetition of either 3-Colorability or Hamiltonicity cannot be shown to be witness-hiding with respect to some probability distribution over the inputs, assuming that: (1) the distribution assigns positive probability only to instances with exactly one witness; (2) polynomial-size circuits cannot find a witness with noticeable probability on a random input chosen according to the distribution; and (3) the proof of security relies on a black-box reduction that is independent of the choice of the commitment scheme used in the protocol. These impossibility results conceptually match results of Feige and Shamir that use such black-box reductions to show that parallel repetition of 3-Colorability or Hamiltonicity is witness-hiding for distributions with "two independent witnesses". We also consider black-box reductions for parallel repetition of 3-Colorability or Hamiltonicity that depend on a specific implementation of the commitment scheme. While we cannot rule out such reductions completely, we show that "natural reductions" cannot bypass the limitations above. Our proofs use techniques developed by Goldreich and Krawczyk for the case of zero-knowledge. The setting of witness-hiding, however, presents new technical and conceptual difficulties that do not arise in the zero-knowledge setting. The high-level idea is that if a black-box reduction establishes the witness-hiding property for a protocol, and the protocol also happens to be a proof of knowledge, then this latter property can actually be used "against the reduction" to find witnesses unconditionally.
KW - Arthur Merlin protocols
KW - Black-box reductions
KW - Witness-Hiding
KW - Zero-Knowledge
UR - http://www.scopus.com/inward/record.url?scp=70350630631&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-00457-5_14
DO - 10.1007/978-3-642-00457-5_14
M3 - Conference contribution
AN - SCOPUS:70350630631
SN - 3642004563
SN - 9783642004568
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 220
EP - 237
BT - Theory of Cryptography - 6th Theory of Cryptography Conference, TCC 2009, Proceedings
T2 - 6th Theory of Cryptography Conference, TCC 2009
Y2 - 15 March 2009 through 17 March 2009
ER -