- 86 Views
- Uploaded on
- Presentation posted in: General

Can Statistical Zero-Knowledge be made Non-Interactive?

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Can Statistical Zero-Knowledgebe made Non-Interactive?

or

On the relationship of SZK and NISZK

Oded Goldreich, Weizmann

Amit Sahai, MIT

Salil Vadhan, MIT

- One party (“the prover”) convinces another
- party (“the verifier”) that some assertion is true,

- The verifier learns nothing except that the assertion
- is true!

- Statistical zero-knowledge: variant in which
- “learns nothing” is interpreted in a very strong sense.

- Can also define notion of Non-Interactive zero knowledge in shared random string model.
- We study relationship of SZK and NISZK.
- We show:
- Main tool: complete problems.

SZKBPP NISZKBPP.

NISZK closed under complement SZK=NISZK.

- Zero-knowledge cryptographic protocols [GMW87]

- Butstatistical ZK proofs not as expressive as computational
- ZK or ZK arguments [GMW86,BCC87,F87,AH87]

Still study of statistical ZK useful:

- Statistical ZK proofs: strongest security guarantee
- Identification schemes [GMR85,FFS87]
- “Cleanest” model of ZK:
- allows for unconditional results (e.g. [Oka96,GSV98])
- most suitable for initial study, later generalize techniques to other types of ZK (e.g., [Ost91,OW93,GSV98]).

- Contains “hard” problems:
- QUADRATIC (NON)RESIDUOSITY [GMR85],
- GRAPH (NON)ISOMORPHISM [GMW86]
- DISCRETE LOG [GK88],
- APPROX SHORTEST AND CLOSEST VECTOR [GG97]

- Yet SZK AM coAM [F87,AH87], so unlikely to contain NP-hard problems [BHZ87,Sch88]
- Has natural complete problems [SV97, GV98].
- Closure Properties [SV99].

Promise Problems [ESY84]

YES

NO

YES

NO

Language

Promise Problem

excluded inputs

Example:UNIQUE SAT[VV86]

v1

p1

v2

pk

accept/reject

Prover

Verifier

- Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance.
- When x is a YES instance, Verifier accepts w.h.p.
- When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.

v1

p1

v2

pk

accept/reject

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view of interaction with Prover.

Note:ZK for honest verifier only.

(WLOG by [GSV98].)

STATISTICAL DIFFERENCE (SD):

X ,Y =

probability

distributions

defined by

circuits

ENTROPY DIFFERENCE (ED):

Thm[SV97,GV99]:SD and ED are complete for SZK.

circuit

Statistical Difference between distributions

How circuits define distributions

- SZK is closed under Karp reductions. [SV97]
- is complete for SZK if:
- Karp for all SZK.
- SZK.

- We show NISZK is closed under Karp reductions, too.So same notion of completeness applies for NISZK.

- Characterizes SZK withno reference to interaction or zero-knowledge!

- Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )

- Closed under “boolean formula reductions,” equivalently, NC1-truth table reductions: new protocols! e.g. can give SZK proof for: “exactly n/2 of (G1,G2,…,Gn) are isomorphic to H, OR m is a Q.R. mod p.”

shared

random string

Prover

(unbounded)

Verifier

(poly-time)

proof

accept/reject

- On input x (instance of promise problem):
- When x is a YES instance, Verifier accepts w.h.p.
- When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view.

Note: above is “one proof” version.

- Motivation:
- communication-efficient.
- cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91,S99,...]

- Examples of NISZK proofs and some initial study in
- [BDMP91,BR90,DDP94,DDP97]. Main Focus: QNR proof system

- But most attention focused on NICZK, e.g. [FLS90,KP95].

- [DDPY98] apply “complete problem methodology”
- to show IMAGE DENSITY complete for NISZK.

[DDPY98]:IMAGE DENSITY (ID)

Thm: The following problems are complete for NISZK:

STATISTICAL DIFFERENCEFROM UNIFORM (SDU):

ENTROPY APPROXIMATION (EA):

- Recall complete problems for SZK:

- NISZK’s complete problems are natural restrictions of these.

can use complete problems to relate SZK and NISZK.

- Thm: NISZKBPP SZKBPP.

- Thm:NISZK closed under complementSZK=NISZK.

ENTROPY APPROXIMATION (EA):

X ,Y =

probability

distributions

defined by

circuits

EA is complete for NISZK

ENTROPY DIFFERENCE (ED):

ED is complete for SZK

Say H(X) H(Y)+1 (YES Instance of ED):

H(Y)

H(X)

n-1

n

0

1

2

Let X’ = 4 copies of X, and Y’ = 4 copies of Y.

H(Y’)

H(X’)

k

k+1

k-1

so,

Now, say H(Y) H(X)+1 (NO Instance of ED):

H(X)

H(Y)

n-1

n

0

1

2

Let X’ = 4 copies of X, and Y’ = 4 copies of Y.

H(X’)

H(Y’)

m

H(Y’) k+1

H(X’) k-1

so,

- Thus, we have “boolean formula reduction:”

Where:

- Thm: NISZKBPP SZKBPP Proof: Suppose NISZK=BPP. BPP is closed under boolean formula reductions; Hence using formula, can put ED in BPP. Thus, SZK=BPP.
- In fact, can show: NISZK = co-NISZK NISZK closed under (const. depth) boolean formula reductions and hence ED NISZK SZK = NISZK

- Strategy:
- NISZK SDU (in fact, this is easy part)
- SDU EA (also easy)
- EA NISZK (technically hardest part)

Thm: The following problems are complete for NISZK:

STATISTICAL DIFFERENCEFROM UNIFORM (SDU):

ENTROPY APPROXIMATION (EA):

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view.

Note: above is “one proof” version.

- Assume NISZK system with negligible completeness and soundness for .
- Let X be circuit that:
- Runs simulator to produce (R, proof)
- If Verifier rejects (R, proof), output .
- If Verifier accepts, output R.

- Y Verifier almost always accepts, R close to uniform.
- N Verifier accepts only for negl. fraction of possible R. Hence, output is from space of negligible size, thus far from uniform.

- Strategy:
- NISZK SDU (in fact, this is easy part)
- SDU EA (also easy)
- EA NISZK (technically hardest part)

- Let X be instance of SDU with output size n.
- Reduction: X (X,n - 3)
- For any distributions Y,Z on {0,1}n, we have: | H(Y) - H(Z) | n StatDiff(Y,Z) + H2(StatDiff(Y,Z))
- Let Y=Uniform(n), Z=X.
- SDUY n - H(X) n (1/n) + H2(StatDiff(U,X)) < 2 So H(X) n - 2 = (n - 3)+1
- SDUN H(X) n - log(n) +1 < (n - 3) - 1.

- Strategy:
- NISZK SDU (in fact, this is easy part)
- SDU EA (also easy)
- EA NISZK (technically hardest part)

- Basic Protocol:
- Transform instance (X,k) into Z such that:
- (X,k) EAY Z is close to uniform
- (X,k) EAN Z has tiny support

- Protocol:
- P selects rRZ-1(R), sends r to V
- V checks that Z(r) = R
- Simulator selects uniform r and outputs (R= Z(r), r )

- Transform instance (X,k) into Z such that:

- x is typical for distribution X if Pr[X=x] 2-H(X)
- Distribution X is nearly flat if with very high prob over x X, x is typical for X.
- For any X, if X’ = many copies of X, then X’ will be nearly flat. (by Hoefding inequality)
- Leftover Hash Lemma[ILL]: For any nearly flat X on {0,1}N, Let h be random universal hash function mapping {0,1}N to {0,1}H(X)-gap.
- Then (h, h(X)) is stat. indist. from uniform,

- Stage I:
- Let X’ be many copies of X:
- EAY H(X’) N + gap
- EAN H(X’) N - gap
- X’ is nearly flat

- Stage II:
- Let Y=(h, h(X’)) , where h is random universal hash fn.
- By Leftover Hash Lemma, EAY StatDiff( Y, Uniform( N’ ) ) = 2-(n)
- EAN H(Y) N’ - 1

- Stage III:
- Let Y’ be many copies of Y
- EAY StatDiff( Y’, Uniform( N’’ ) ) = poly(n) 2-(n) = 2-(n)
- EAN H(Y’) N’’ - gap
- Again, Y’ is nearly flat in both cases.

2-N’’

EAY

{0,1}N’’

2-H(Y’)

EAN

{0,1}N’’

- Final Stage:
- Let Z(h,r)=( Y’(r), h, h(r) )
- This is essentially a “lower-bound protocol” on inputs to Y’.
- EAY Because Y’ is nearly uniform, for almost all y, roughly same (large) number of r such that Y’(r)=y. By LHL, conditioned on most y,(h, h(r)) is close to uniform. Z is close to uniform.

2-N’’

EAY

{0,1}N’’

2-H(Y’)

EAN

{0,1}N’’

- EAN H(Y’) N’’ - gap & Y’ {0,1}N’’and nearly flat
- Want to show Z(h,r)=( Y’(r), h, h(r) ) has tiny support.
- Case 1: Pr[Y’=y] is tiny, i.e. very few r such that Y’(r)=y h(r) has tiny range.
- Case 2: tiny < Pr[Y’=y] << 2-H(Y’). By flatness, prob of such y is very small. However, each y is not too unlikely, very few such y.
- Case 3: Pr[Y’=y] 2-H(Y’)-slack >> 2-N’’ by def. of probability, very few such y.

- Find that natural restrictions (one-sided versions) of complete problems for SZK are complete for NISZK
- Use this to relate classes.
- In particular find that if NISZK=co-NISZK, then SZK=NISZK.
- NISZK is richer than one might have thought...
- Main Open Question: Is NISZK = co-NISZK?

- Idea: Guess a number between H(X) and H(Y):

- Thm: NISZKBPP SZKBPP Proof: Suppose NISZK=BPP. BPP is closed under

- Thm:NISZK closed under complementSZK=NISZK.

- Motivation
- What is statistical zero-knowledge?
- The complexity of statistical zero-knowledge
- Honest verifier vs. any verifier
- Noninteractive statistical zero-knowledge

Will not address works on power of the prover [BP92] or

knowledge complexity [GMR85,GP91,GOP94,ABV95,PT96]

What is Statistical Zero-Knowledge?

shared

random string

Prover

(unbounded)

Verifier

(poly-time)

proof

accept/reject

- On input x (instance of promise problem):
- When x is a YES instance, Verifier accepts w.h.p.
- When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.

Note: above is “one proof” version.

- Motivation:
- communication-efficient.
- cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91]

- Examples of NISZK proofs and some initial study in
- [BDMP91,BR90,DDP94,DDP97].

- But most attention focused on NICZK, e.g. [FLS90,KP95].

[DDPY98]:IMAGE DENSITY (ID)

- [GSV98]:STATISTICAL DIFFERENCEFROM UNIFORM (SDU)
- and ENTROPY APPROXIMATION (EA)

- Recall complete problems for SZK:

- NISZK’s complete problems are natural restrictions of these.

can use complete problems to relate SZK and NISZK.

- Thm [GSV98]:SZKBPP NISZKBPP.

- Thm [GSV98]:
- SZK=NISZK NISZK closed under complement.

Prover

Verifier

1.

2.

3.

4.

Claim:Protocol is an (honest ver) SZK proof.

Completeness:

Soundness:

What about zero-knowledgeness?

Simulator on input (G0,G1):

Analysis: If G0 G1, then, in both simulator & protocol,

- H is a random isomorphic copy of G0 (equivalently, G1).
- coin is random & independent of H.
- is a random isomorphism between Gcoin and H.
- distributions are identical.

- “Honest” verifiers versus cheating verifiers.
- Quality of simulation:
PZK — “Perfect” : distributions identical

SZK — “Statistical”: statistically close (negligible deviation)

CZK — “Computational”: computationally indistinguishable.

- Private coins vs. public coins.
- Resources — # rounds, communication.
- Error parameters (completeness, soundness, simulation).
- Complexity: Does it capture NP?
- CZK=IP=PSPACE NP if one-way functions exist
[GMW86,BGG+88,LFKN90,Sha90]

- but SZK unlikely to contain NP-hard problems [F87,AH87,BHZ87]

- CZK=IP=PSPACE NP if one-way functions exist

The Complexity of SZK

- SZK contains “hard” problems [GMR85,GMW86,GK93,GG98]
- Fortnow’s Methodology [F87]:
- 1. Find properties of simulator’s output that distinguish
- between YES and NO instances.

- 2. Show that these properties can be decided in low
- complexity.

- 1. Find properties of simulator’s output that distinguish
- Using this: SZK AM coAM. [F87,AH87]
- Obtain upper-bound on complexity of SZK, but
- does not give a characterization of SZK.

- We know: For a YESinstance,
- 1. Simulator outputs accepting conversations w.h.p., and
- 2. Simulated verifier “behaves like” real verifier.

- Claim: For a NO instance, cannot have both conditions.
- “Pf:” If both hold, contradict soundness of proof system by
- prover strategy which mimics simulated prover.
- Easy to distinguish between simulator outputting accepting
- conversations with high probability vs. low probability.
- Main challenge: how to quantify “behaves like.”

- Thm I [Oka96]:SZK=public-coin SZK.
- (i.e. can transform any SZK proof into one where
- verifier’s messages are just random coin flips)

Thm II [Oka96]:SZK is closed under complement.

- Public-coin proofs simpler to analyze/manipulate.
- (e.g. result for interactive pfs [GS86] found
- many applications [IY87,BGG+88,FGM+89])

Proofs very complicated, especially Thm I.

random coins

answer

Prover

Verifier

random coins

answer

accept/reject

1. Find properties of simulator’s output that distinguish

between YES and NO instances (may focus on

public-coin proofs by [Oka96]).

is a complete problem for SZK, i.e

- every problem in SZK reduces to (via 1,2).
- SZK(by 3).

2. Show that these properties can be decided in

lowcomplexity.

2. Embed these properties in a natural computational

problemP.

3. Exhibit a statistical zero-knowledge proof for P.

Def:STATISTICAL DIFFERENCE (SD) is the following promise problem:

Thm [SV97]:SD is complete for SZK.

Characterizes SZK with

no reference to interaction or zero-knowledge!

circuit

Statistical Difference between distributions

How circuits define distributions

- We know: For a YESinstance,
- 1. Simulator outputs accepting conversations w.h.p., and
- 2. Simulated verifier “behaves like” real verifier.

- Claim: For a NO instance, cannot have both conditions.
- Easy to distinguish between simulator outputting accepting
- conversations with high probability vs. low probability.
- In a public-coin proof, simulated verifier “behaves like”
- real verifier iff simulated verifier’s coins are
- nearly uniform, and
- nearly independent of conversation history.

- Key observation: Both properties can be captured by
- statistical difference between samplable distributions!

- Have argued: Every problem in SZK reduces to SD.
- Still need: SD SZK.

Lemma:There exists a poly-time computable function such that

Not just Chernoff bounds!

Chernoff bounds only yield:

Prover

Verifier

1.

2.

3.

4.

Claim:Protocol is an (honest ver) SZK proof for SD.

- Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )

- Communication-efficient SZK proofs
- (1 round, prover sends 1 bit to achieve soundness 1/2)

- Closure properties:
- Previous results focused on specific problems
- or subclasses of SZK [DDPY94,DC95].
- Can apply techniques of [DDPY94] to
- STATISTICAL DIFFERENCE to obtain results
- about all of SZK.

Thm [SV97]:LSZK (L) SZK, where

= k-ary boolean formula

L= characteristic fn of L

e.g. can prove “exactly k/2 of (x1, x2,...,xk)are in L” in SZK.

Equivalently, SZK is closed under NC1-truth table reductions.

Use the “complete problem methodology”:

Consider promise problem ENTROPY DIFFERENCE (ED):

Main steps in proof:

- Reduce every problem in SZK to ED.
- (Uses analysis of simulator from [AH87].)

- Show that ED has a public-coin SZK proof system.
- (Employs two subprotocols of [Oka96].)

Simplifying Okamoto’s Thm I (cont.)

This gives:

- Simpler, modular proof that all of SZK has
- public-coins SZK proofs.

- ED is complete for SZK.

- (Yet another) proof that SZK is closed under
- complement.

- “weak-SZK” equals SZK.

Honest verifier vs. any verifier

- So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol.

- Cryptographic applications need zero-knowledge
- even vs. cheating verifiers.

- Main question: Does honest-verifier ZK=any-verifier ZK?

- Motivation?
- honest verifier classes suitable for study
- (e.g. complete problem, closure properties)

- methodology: design honest-verifier proof and
- convert to any-verifier proof.

- honest verifier classes suitable for study

v1

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

p1

v2

pk

accept/reject

Formally, for every poly-time verifier, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Computational Zero-Knowledge (CZK): require simulator

distribution to be computationally indistinguishable rather

than statistically close.

Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

- honest-ver CZK=any-ver CZK=IP=PSPACE
- [GMW86,IY87,BGG+88,Sha90]

- honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

- For both computational and statistical zero-knowledge,
- honest-verifier=any-verifier for constant-round
- public-coin proofs [Dam93,DGW94]

- For both computational and statistical zero-knowledge,
- honest-verifier=any-verifier for constant-round
- public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96]) honest-ver SZK=any-ver SZK

Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

- honest-ver CZK=any-ver CZK=IP=PSPACE
- [GMW86,IY87,BGG+88,Sha90]

- honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

- For both computational and statistical zero-knowledge,
- honest-verifier=any-verifier for constant-round
- public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96]) honest-ver SZK=any-ver SZK

Prover

random coins 1

Verifier

answer 1

random coins 2

Any-verifier Proof System

answer k

accept/reject

Random Selection

Protocol

Honest-verifier Proof System

Verifier

Prover

1

answer 1

Random Selection

Protocol

2

answer k

accept/reject

- Dishonest verifier:

- Outcome distributed almost uniformly.

- Simulability: For (almost) every , can simulate
- RS protocol transcripts yielding output .

- Dishonest prover:

(OK for soundness by parallel repetition of

original proof system)

- [GSV98] give a public-coin protocol with these properties
- (building on [DGW94]).

Noninteractive Statistical Zero-Knowledge

shared

random string

Prover

(unbounded)

Verifier

(poly-time)

proof

accept/reject

- On input x (instance of promise problem):
- When x is a YES instance, Verifier accepts w.h.p.
- When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.

Note: above is “one proof” version.

- Motivation:
- communication-efficient.
- cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91]

- Examples of NISZK proofs and some initial study in
- [BDMP91,BR90,DDP94,DDP97].

- But most attention focused on NICZK, e.g. [FLS90,KP95].

[DDPY98]:IMAGE DENSITY (ID)

- [GSV98]:STATISTICAL DIFFERENCEFROM UNIFORM (SDU)
- and ENTROPY APPROXIMATION (EA)

- Recall complete problems for SZK:

- NISZK’s complete problems are natural restrictions of these.

can use complete problems to relate SZK and NISZK.

- Thm [GSV98]:SZKBPP NISZKBPP.

- Thm [GSV98]:
- SZK=NISZK NISZK closed under complement.

- Recent work has refined our understanding of statistical
- zero-knowledge.

- Main tools:
- focus on public-coin proofs (via [Oka96])
- complete problems [SV97]

- Questions addressed:
- closure properties
- honest verifier vs. any verifier
- interactive vs. noninteractive

- 1. Generalize more results/techniques to computational
- zero-knowledge or arguments.

2. Does SZK=NISZK?

- 3. Is it necessary that power of prover must increase when
- transforming private-coin proofs to public-coin ones?

- 4. Show that SZKBPP if one-way functions exist
- (“converse” to [Ost91]).

5. Does SZK=PZK (“Perfect” zero-knowledge)?