Can statistical zero knowledge be made non interactive
This presentation is the property of its rightful owner.
Sponsored Links
1 / 85

Can Statistical Zero-Knowledge be made Non-Interactive? PowerPoint PPT Presentation


  • 83 Views
  • Uploaded on
  • Presentation posted in: General

Can Statistical Zero-Knowledge be made Non-Interactive?. or On the relationship of SZK and NISZK. Oded Goldreich, Weizmann Amit Sahai, MIT Salil Vadhan, MIT. Zero-knowledge Proofs [GMR85]. One party (“the prover”) convinces another party (“the verifier”) that some assertion is true,

Download Presentation

Can Statistical Zero-Knowledge be made Non-Interactive?

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Can Statistical Zero-Knowledgebe made Non-Interactive?

or

On the relationship of SZK and NISZK

Oded Goldreich, Weizmann

Amit Sahai, MIT

Salil Vadhan, MIT


Zero-knowledge Proofs [GMR85]

  • One party (“the prover”) convinces another

    • party (“the verifier”) that some assertion is true,

  • The verifier learns nothing except that the assertion

    • is true!

  • Statistical zero-knowledge: variant in which

    • “learns nothing” is interpreted in a very strong sense.


Non-Interactive Zero-knowledge [BFM88,BDMP91]

  • Can also define notion of Non-Interactive zero knowledge in shared random string model.

  • We study relationship of SZK and NISZK.

  • We show:

  • Main tool: complete problems.

SZKBPP  NISZKBPP.

NISZK closed under complement SZK=NISZK.


SZK: Motivation from Cryptography

  • Zero-knowledge  cryptographic protocols [GMW87]

  • Butstatistical ZK proofs not as expressive as computational

    • ZK or ZK arguments [GMW86,BCC87,F87,AH87]

Still study of statistical ZK useful:

  • Statistical ZK proofs: strongest security guarantee

  • Identification schemes [GMR85,FFS87]

  • “Cleanest” model of ZK:

    • allows for unconditional results (e.g. [Oka96,GSV98])

    • most suitable for initial study, later generalize techniques to other types of ZK (e.g., [Ost91,OW93,GSV98]).


SZK: Motivation from Complexity

  • Contains “hard” problems:

    • QUADRATIC (NON)RESIDUOSITY [GMR85],

    • GRAPH (NON)ISOMORPHISM [GMW86]

    • DISCRETE LOG [GK88],

    • APPROX SHORTEST AND CLOSEST VECTOR [GG97]

  • Yet SZK  AM  coAM [F87,AH87], so unlikely to contain NP-hard problems [BHZ87,Sch88]

  • Has natural complete problems [SV97, GV98].

  • Closure Properties [SV99].


Promise Problems [ESY84]

YES

NO

YES

NO

Language

Promise Problem

excluded inputs

Example:UNIQUE SAT[VV86]


v1

p1

v2

pk

accept/reject

Statistical Zero-Knowledge Proof [GMR85]for a promise problem 

Prover

Verifier

  • Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance.

  • When x is a YES instance, Verifier accepts w.h.p.

  • When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.


v1

p1

v2

pk

accept/reject

Statistical Zero-Knowledge Proof (cont.)

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view of interaction with Prover.

Note:ZK for honest verifier only.

(WLOG by [GSV98].)


Completeness for SZK [SV97]

STATISTICAL DIFFERENCE (SD):

X ,Y =

probability

distributions

defined by

circuits

ENTROPY DIFFERENCE (ED):

Thm[SV97,GV99]:SD and ED are complete for SZK.


circuit

Statistical Difference between distributions

How circuits define distributions


Completeness for SZK [SV97]:What does it mean?

  • SZK is closed under Karp reductions. [SV97]

  •  is complete for SZK if:

    •  Karp  for all   SZK.

    •   SZK.

  • We show NISZK is closed under Karp reductions, too.So same notion of completeness applies for NISZK.


Benefits of Complete Problems [SV97]

  • Characterizes SZK withno reference to interaction or zero-knowledge!

  • Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )

  • Closed under “boolean formula reductions,” equivalently, NC1-truth table reductions: new protocols! e.g. can give SZK proof for: “exactly n/2 of (G1,G2,…,Gn) are isomorphic to H, OR m is a Q.R. mod p.”


Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]

shared

random string

Prover

(unbounded)

Verifier

(poly-time)

proof

accept/reject

  • On input x (instance of promise problem):

  • When x is a YES instance, Verifier accepts w.h.p.

  • When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.


Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view.

Note: above is “one proof” version.


Study of Noninteractive ZK

  • Motivation:

    • communication-efficient.

    • cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91,S99,...]

  • Examples of NISZK proofs and some initial study in

    • [BDMP91,BR90,DDP94,DDP97]. Main Focus: QNR proof system

  • But most attention focused on NICZK, e.g. [FLS90,KP95].

  • [DDPY98] apply “complete problem methodology”

  • to show IMAGE DENSITY complete for NISZK.


Complete Problems for NISZK [DDPY98]

[DDPY98]:IMAGE DENSITY (ID)


Complete Problems for NISZK

Thm: The following problems are complete for NISZK:

STATISTICAL DIFFERENCEFROM UNIFORM (SDU):

ENTROPY APPROXIMATION (EA):


Relating SZK and NISZK

  • Recall complete problems for SZK:

  • NISZK’s complete problems are natural restrictions of these.

 can use complete problems to relate SZK and NISZK.

  • Thm: NISZKBPP  SZKBPP.

  • Thm:NISZK closed under complementSZK=NISZK.


Two Problems

ENTROPY APPROXIMATION (EA):

X ,Y =

probability

distributions

defined by

circuits

EA is complete for NISZK

ENTROPY DIFFERENCE (ED):

ED is complete for SZK


Reducing ED to EA

Say H(X)  H(Y)+1 (YES Instance of ED):

H(Y)

H(X)

n-1

n

0

1

2

Let X’ = 4 copies of X, and Y’ = 4 copies of Y.

H(Y’)

H(X’)

k

k+1

k-1

so,


Reducing ED to EA (cont.)

Now, say H(Y)  H(X)+1 (NO Instance of ED):

H(X)

H(Y)

n-1

n

0

1

2

Let X’ = 4 copies of X, and Y’ = 4 copies of Y.

H(X’)

H(Y’)

m

H(Y’)  k+1

H(X’) k-1

so,


Reducing ED to EA (cont.)

  • Thus, we have “boolean formula reduction:”

Where:


Consequences for SZK and NISZK

  • Thm: NISZKBPP  SZKBPP Proof: Suppose NISZK=BPP. BPP is closed under boolean formula reductions; Hence using formula, can put ED in BPP. Thus, SZK=BPP. 

  • In fact, can show: NISZK = co-NISZK  NISZK closed under (const. depth) boolean formula reductions and hence  ED  NISZK  SZK = NISZK


Completeness of EA and SDU

  • Strategy:

    • NISZK  SDU (in fact, this is easy part)

    • SDU  EA (also easy)

    • EA  NISZK (technically hardest part)


Complete Problems for NISZK

Thm: The following problems are complete for NISZK:

STATISTICAL DIFFERENCEFROM UNIFORM (SDU):

ENTROPY APPROXIMATION (EA):


Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view.

Note: above is “one proof” version.


NISZK  SDU

  • Assume NISZK system with negligible completeness and soundness for .

  • Let X be circuit that:

    • Runs simulator to produce (R, proof)

    • If Verifier rejects (R, proof), output .

    • If Verifier accepts, output R.

  • Y  Verifier almost always accepts, R close to uniform.

  • N  Verifier accepts only for negl. fraction of possible R. Hence, output is from space of negligible size, thus far from uniform.


Completeness of EA and SDU

  • Strategy:

    • NISZK  SDU (in fact, this is easy part)

    • SDU  EA (also easy)

    • EA  NISZK (technically hardest part)


SDU  EA

  • Let X be instance of SDU with output size n.

  • Reduction: X  (X,n - 3)

  • For any distributions Y,Z on {0,1}n, we have: | H(Y) - H(Z) | n  StatDiff(Y,Z) + H2(StatDiff(Y,Z))

  • Let Y=Uniform(n), Z=X.

  • SDUY  n - H(X) n  (1/n) + H2(StatDiff(U,X)) < 2 So H(X)  n - 2 = (n - 3)+1

  • SDUN  H(X)  n - log(n) +1 < (n - 3) - 1.


Completeness of EA and SDU

  • Strategy:

    • NISZK  SDU (in fact, this is easy part)

    • SDU  EA (also easy)

    • EA  NISZK (technically hardest part)


EA  NISZK

  • Basic Protocol:

    • Transform instance (X,k) into Z such that:

      • (X,k)  EAY  Z is close to uniform

      • (X,k)  EAN  Z has tiny support

    • Protocol:

      • P selects rRZ-1(R), sends r to V

      • V checks that Z(r) = R

      • Simulator selects uniform r and outputs (R= Z(r), r )


Flatness

  • x is typical for distribution X if Pr[X=x]  2-H(X)

  • Distribution X is nearly flat if with very high prob over x  X, x is typical for X.

  • For any X, if X’ = many copies of X, then X’ will be nearly flat. (by Hoefding inequality)

  • Leftover Hash Lemma[ILL]: For any nearly flat X on {0,1}N, Let h be random universal hash function mapping {0,1}N to {0,1}H(X)-gap.

    • Then (h, h(X)) is stat. indist. from uniform,


Transformation (I)

  • Stage I:

    • Let X’ be many copies of X:

    • EAY  H(X’)  N + gap

    • EAN  H(X’)  N - gap

    • X’ is nearly flat


Transformation (II)

  • Stage II:

    • Let Y=(h, h(X’)) , where h is random universal hash fn.

    • By Leftover Hash Lemma, EAY  StatDiff( Y, Uniform( N’ ) ) = 2-(n)

    • EAN  H(Y)  N’ - 1


Transformation (III)

  • Stage III:

    • Let Y’ be many copies of Y

    • EAY  StatDiff( Y’, Uniform( N’’ ) ) = poly(n) 2-(n) = 2-(n)

    • EAN  H(Y’)  N’’ - gap

    • Again, Y’ is nearly flat in both cases.


Y’ (Stage III)

2-N’’

EAY 

{0,1}N’’

2-H(Y’)

EAN 

{0,1}N’’


Transformation (IV)

  • Final Stage:

    • Let Z(h,r)=( Y’(r), h, h(r) )

    • This is essentially a “lower-bound protocol” on inputs to Y’.

    • EAY  Because Y’ is nearly uniform, for almost all y, roughly same (large) number of r such that Y’(r)=y.  By LHL, conditioned on most y,(h, h(r)) is close to uniform.  Z is close to uniform.


Y’ (Stage III)

2-N’’

EAY 

{0,1}N’’

2-H(Y’)

EAN 

{0,1}N’’


Transformation (IV cont.)

  • EAN  H(Y’)  N’’ - gap & Y’  {0,1}N’’and nearly flat

    • Want to show Z(h,r)=( Y’(r), h, h(r) ) has tiny support.

    • Case 1: Pr[Y’=y] is tiny, i.e. very few r such that Y’(r)=y  h(r) has tiny range.

    • Case 2: tiny < Pr[Y’=y] << 2-H(Y’). By flatness, prob of such y is very small. However, each y is not too unlikely,  very few such y.

    • Case 3: Pr[Y’=y]  2-H(Y’)-slack >> 2-N’’  by def. of probability, very few such y.


Conclusions

  • Find that natural restrictions (one-sided versions) of complete problems for SZK are complete for NISZK

  • Use this to relate classes.

  • In particular find that if NISZK=co-NISZK, then SZK=NISZK.

  • NISZK is richer than one might have thought...

  • Main Open Question: Is NISZK = co-NISZK?


Reducing ED to EA

  • Idea: Guess a number between H(X) and H(Y):

  • Thm: NISZKBPP  SZKBPP Proof: Suppose NISZK=BPP. BPP is closed under

  • Thm:NISZK closed under complementSZK=NISZK.


Organization

  • Motivation

  • What is statistical zero-knowledge?

  • The complexity of statistical zero-knowledge

  • Honest verifier vs. any verifier

  • Noninteractive statistical zero-knowledge

Will not address works on power of the prover [BP92] or

knowledge complexity [GMR85,GP91,GOP94,ABV95,PT96]


What is Statistical Zero-Knowledge?


Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]

shared

random string

Prover

(unbounded)

Verifier

(poly-time)

proof

accept/reject

  • On input x (instance of promise problem):

  • When x is a YES instance, Verifier accepts w.h.p.

  • When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.


Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.

Note: above is “one proof” version.


Study of Noninteractive ZK

  • Motivation:

    • communication-efficient.

    • cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91]

  • Examples of NISZK proofs and some initial study in

    • [BDMP91,BR90,DDP94,DDP97].

  • But most attention focused on NICZK, e.g. [FLS90,KP95].


Complete Problems for NISZK

[DDPY98]:IMAGE DENSITY (ID)

  • [GSV98]:STATISTICAL DIFFERENCEFROM UNIFORM (SDU)

    • and ENTROPY APPROXIMATION (EA)


Relating SZK and NISZK

  • Recall complete problems for SZK:

  • NISZK’s complete problems are natural restrictions of these.

 can use complete problems to relate SZK and NISZK.

  • Thm [GSV98]:SZKBPP  NISZKBPP.

  • Thm [GSV98]:

    • SZK=NISZK  NISZK closed under complement.


Prover

Verifier

Example: GRAPH ISOMORPHISM [GMW86]

1.

2.

3.

4.

Claim:Protocol is an (honest ver) SZK proof.


Correctness of GRAPHISO. SZK Proof

Completeness:

Soundness:

What about zero-knowledgeness?


Zero-knowledgenessof GRAPHISO. Proof

Simulator on input (G0,G1):

Analysis: If G0 G1, then, in both simulator & protocol,

  • H is a random isomorphic copy of G0 (equivalently, G1).

  • coin is random & independent of H.

  •  is a random isomorphism between Gcoin and H.

  •  distributions are identical.


Some Issues in Zero-Knowledge Proofs

  • “Honest” verifiers versus cheating verifiers.

  • Quality of simulation:

    PZK — “Perfect” : distributions identical

    SZK — “Statistical”: statistically close (negligible deviation)

    CZK — “Computational”: computationally indistinguishable.

  • Private coins vs. public coins.

  • Resources — # rounds, communication.

  • Error parameters (completeness, soundness, simulation).

  • Complexity: Does it capture NP?

    • CZK=IP=PSPACE  NP if one-way functions exist

      [GMW86,BGG+88,LFKN90,Sha90]

    • but SZK unlikely to contain NP-hard problems [F87,AH87,BHZ87]


The Complexity of SZK


The Complexity of SZK

  • SZK contains “hard” problems [GMR85,GMW86,GK93,GG98]

  • Fortnow’s Methodology [F87]:

    • 1. Find properties of simulator’s output that distinguish

      • between YES and NO instances.

    • 2. Show that these properties can be decided in low

      • complexity.

  • Using this: SZK  AM  coAM. [F87,AH87]

  • Obtain upper-bound on complexity of SZK, but

    • does not give a characterization of SZK.


Analyzing the simulator

  • We know: For a YESinstance,

    • 1. Simulator outputs accepting conversations w.h.p., and

    • 2. Simulated verifier “behaves like” real verifier.

  • Claim: For a NO instance, cannot have both conditions.

  • “Pf:” If both hold, contradict soundness of proof system by

  • prover strategy which mimics simulated prover.

  • Easy to distinguish between simulator outputting accepting

  • conversations with high probability vs. low probability.

  • Main challenge: how to quantify “behaves like.”


Public coins vs. Private coins

  • Thm I [Oka96]:SZK=public-coin SZK.

    • (i.e. can transform any SZK proof into one where

    • verifier’s messages are just random coin flips)

Thm II [Oka96]:SZK is closed under complement.

  • Public-coin proofs simpler to analyze/manipulate.

    • (e.g. result for interactive pfs [GS86] found

    • many applications [IY87,BGG+88,FGM+89])

Proofs very complicated, especially Thm I.


Public-coin proofs [Bab85]

random coins

answer

Prover

Verifier

random coins

answer

accept/reject


Refinement of Fortnow Methodology [SV97]

1. Find properties of simulator’s output that distinguish

between YES and NO instances (may focus on

public-coin proofs by [Oka96]).

  is a complete problem for SZK, i.e

  • every problem in SZK reduces to  (via 1,2).

  • SZK(by 3).

2. Show that these properties can be decided in

lowcomplexity.

2. Embed these properties in a natural computational

problemP.

3. Exhibit a statistical zero-knowledge proof for P.


A Complete Problem

Def:STATISTICAL DIFFERENCE (SD) is the following promise problem:

Thm [SV97]:SD is complete for SZK.

Characterizes SZK with

no reference to interaction or zero-knowledge!


circuit

Statistical Difference between distributions

How circuits define distributions


Analyzing the simulator of public-coin proof

  • We know: For a YESinstance,

    • 1. Simulator outputs accepting conversations w.h.p., and

    • 2. Simulated verifier “behaves like” real verifier.

  • Claim: For a NO instance, cannot have both conditions.

  • Easy to distinguish between simulator outputting accepting

  • conversations with high probability vs. low probability.

  • In a public-coin proof, simulated verifier “behaves like”

    • real verifier iff simulated verifier’s coins are

    • nearly uniform, and

    • nearly independent of conversation history.

  • Key observation: Both properties can be captured by

    • statistical difference between samplable distributions!


Proving that SD is complete for SZK (cont.)

  • Have argued: Every problem in SZK reduces to SD.

  • Still need: SD SZK.


A Polarization Lemma

Lemma:There exists a poly-time computable function such that

Not just Chernoff bounds!

Chernoff bounds only yield:


Prover

Verifier

A Protocol for SD

1.

2.

3.

4.

Claim:Protocol is an (honest ver) SZK proof for SD.


Properties of D0 and D1


Benefits of Complete Problem [SV97]

  • Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )

  • Communication-efficient SZK proofs

  • (1 round, prover sends 1 bit to achieve soundness 1/2)

  • Closure properties:

    • Previous results focused on specific problems

    • or subclasses of SZK [DDPY94,DC95].

    • Can apply techniques of [DDPY94] to

    • STATISTICAL DIFFERENCE to obtain results

    • about all of SZK.


Closure Properties of SZK

Thm [SV97]:LSZK  (L) SZK, where

 = k-ary boolean formula

L= characteristic fn of L

e.g. can prove “exactly k/2 of (x1, x2,...,xk)are in L” in SZK.

Equivalently, SZK is closed under NC1-truth table reductions.


Simplifying Okamoto’s Thm I [GV98]

Use the “complete problem methodology”:

Consider promise problem ENTROPY DIFFERENCE (ED):

Main steps in proof:

  • Reduce every problem in SZK to ED.

    • (Uses analysis of simulator from [AH87].)

  • Show that ED has a public-coin SZK proof system.

    • (Employs two subprotocols of [Oka96].)


Simplifying Okamoto’s Thm I (cont.)

This gives:

  • Simpler, modular proof that all of SZK has

    • public-coins SZK proofs.

  • ED is complete for SZK.

  • (Yet another) proof that SZK is closed under

    • complement.

  • “weak-SZK” equals SZK.


Honest verifier vs. any verifier


Honest verifier vs. any verifier

  • So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol.

  • Cryptographic applications need zero-knowledge

  • even vs. cheating verifiers.

  • Main question: Does honest-verifier ZK=any-verifier ZK?

  • Motivation?

    • honest verifier classes suitable for study

      • (e.g. complete problem, closure properties)

    • methodology: design honest-verifier proof and

    • convert to any-verifier proof.


Any-verifier Statistical Zero-Knowledge

v1

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

p1

v2

pk

accept/reject

Formally, for every poly-time verifier, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Computational Zero-Knowledge (CZK): require simulator

distribution to be computationally indistinguishable rather

than statistically close.


Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

  • honest-ver CZK=any-ver CZK=IP=PSPACE

    • [GMW86,IY87,BGG+88,Sha90]

  • honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

  • For both computational and statistical zero-knowledge,

    • honest-verifier=any-verifier for constant-round

    • public-coin proofs [Dam93,DGW94]


  • For both computational and statistical zero-knowledge,

    • honest-verifier=any-verifier for constant-round

    • public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96])  honest-ver SZK=any-ver SZK


Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

  • honest-ver CZK=any-ver CZK=IP=PSPACE

    • [GMW86,IY87,BGG+88,Sha90]

  • honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

  • For both computational and statistical zero-knowledge,

    • honest-verifier=any-verifier for constant-round

    • public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96])  honest-ver SZK=any-ver SZK


The Transformation

Prover

random coins 1

Verifier

answer 1

random coins 2

Any-verifier Proof System

answer k

accept/reject

Random Selection

Protocol

Honest-verifier Proof System

Verifier

Prover

1

answer 1

Random Selection

Protocol

2

answer k

accept/reject


Desired Properties of Random Selection Protocol

  • Dishonest verifier:

  • Outcome  distributed almost uniformly.

  • Simulability: For (almost) every , can simulate

  • RS protocol transcripts yielding output .

  • Dishonest prover:

(OK for soundness by parallel repetition of

original proof system)

  • [GSV98] give a public-coin protocol with these properties

    • (building on [DGW94]).


Noninteractive Statistical Zero-Knowledge


Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]

shared

random string

Prover

(unbounded)

Verifier

(poly-time)

proof

accept/reject

  • On input x (instance of promise problem):

  • When x is a YES instance, Verifier accepts w.h.p.

  • When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.


Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.

Note: above is “one proof” version.


Study of Noninteractive ZK

  • Motivation:

    • communication-efficient.

    • cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91]

  • Examples of NISZK proofs and some initial study in

    • [BDMP91,BR90,DDP94,DDP97].

  • But most attention focused on NICZK, e.g. [FLS90,KP95].


Complete Problems for NISZK

[DDPY98]:IMAGE DENSITY (ID)

  • [GSV98]:STATISTICAL DIFFERENCEFROM UNIFORM (SDU)

    • and ENTROPY APPROXIMATION (EA)


Relating SZK and NISZK

  • Recall complete problems for SZK:

  • NISZK’s complete problems are natural restrictions of these.

 can use complete problems to relate SZK and NISZK.

  • Thm [GSV98]:SZKBPP  NISZKBPP.

  • Thm [GSV98]:

    • SZK=NISZK  NISZK closed under complement.


Summary

  • Recent work has refined our understanding of statistical

    • zero-knowledge.

  • Main tools:

    • focus on public-coin proofs (via [Oka96])

    • complete problems [SV97]

  • Questions addressed:

    • closure properties

    • honest verifier vs. any verifier

    • interactive vs. noninteractive


Open Problems

  • 1. Generalize more results/techniques to computational

    • zero-knowledge or arguments.

2. Does SZK=NISZK?

  • 3. Is it necessary that power of prover must increase when

    • transforming private-coin proofs to public-coin ones?

  • 4. Show that SZKBPP if one-way functions exist

    • (“converse” to [Ost91]).

5. Does SZK=PZK (“Perfect” zero-knowledge)?


  • Login