Can statistical zero knowledge be made non interactive
This presentation is the property of its rightful owner.
Sponsored Links
1 / 85

Can Statistical Zero-Knowledge be made Non-Interactive? PowerPoint PPT Presentation


  • 81 Views
  • Uploaded on
  • Presentation posted in: General

Can Statistical Zero-Knowledge be made Non-Interactive?. or On the relationship of SZK and NISZK. Oded Goldreich, Weizmann Amit Sahai, MIT Salil Vadhan, MIT. Zero-knowledge Proofs [GMR85]. One party (“the prover”) convinces another party (“the verifier”) that some assertion is true,

Download Presentation

Can Statistical Zero-Knowledge be made Non-Interactive?

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Can statistical zero knowledge be made non interactive

Can Statistical Zero-Knowledgebe made Non-Interactive?

or

On the relationship of SZK and NISZK

Oded Goldreich, Weizmann

Amit Sahai, MIT

Salil Vadhan, MIT


Zero knowledge proofs gmr85

Zero-knowledge Proofs [GMR85]

  • One party (“the prover”) convinces another

    • party (“the verifier”) that some assertion is true,

  • The verifier learns nothing except that the assertion

    • is true!

  • Statistical zero-knowledge: variant in which

    • “learns nothing” is interpreted in a very strong sense.


Non interactive zero knowledge bfm88 bdmp91

Non-Interactive Zero-knowledge [BFM88,BDMP91]

  • Can also define notion of Non-Interactive zero knowledge in shared random string model.

  • We study relationship of SZK and NISZK.

  • We show:

  • Main tool: complete problems.

SZKBPP  NISZKBPP.

NISZK closed under complement SZK=NISZK.


Szk motivation from cryptography

SZK: Motivation from Cryptography

  • Zero-knowledge  cryptographic protocols [GMW87]

  • Butstatistical ZK proofs not as expressive as computational

    • ZK or ZK arguments [GMW86,BCC87,F87,AH87]

Still study of statistical ZK useful:

  • Statistical ZK proofs: strongest security guarantee

  • Identification schemes [GMR85,FFS87]

  • “Cleanest” model of ZK:

    • allows for unconditional results (e.g. [Oka96,GSV98])

    • most suitable for initial study, later generalize techniques to other types of ZK (e.g., [Ost91,OW93,GSV98]).


Szk motivation from complexity

SZK: Motivation from Complexity

  • Contains “hard” problems:

    • QUADRATIC (NON)RESIDUOSITY [GMR85],

    • GRAPH (NON)ISOMORPHISM [GMW86]

    • DISCRETE LOG [GK88],

    • APPROX SHORTEST AND CLOSEST VECTOR [GG97]

  • Yet SZK  AM  coAM [F87,AH87], so unlikely to contain NP-hard problems [BHZ87,Sch88]

  • Has natural complete problems [SV97, GV98].

  • Closure Properties [SV99].


Can statistical zero knowledge be made non interactive

Promise Problems [ESY84]

YES

NO

YES

NO

Language

Promise Problem

excluded inputs

Example:UNIQUE SAT[VV86]


Statistical zero knowledge proof gmr85 for a promise problem

v1

p1

v2

pk

accept/reject

Statistical Zero-Knowledge Proof [GMR85]for a promise problem 

Prover

Verifier

  • Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance.

  • When x is a YES instance, Verifier accepts w.h.p.

  • When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.


Statistical zero knowledge proof cont

v1

p1

v2

pk

accept/reject

Statistical Zero-Knowledge Proof (cont.)

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view of interaction with Prover.

Note:ZK for honest verifier only.

(WLOG by [GSV98].)


Completeness for szk sv97

Completeness for SZK [SV97]

STATISTICAL DIFFERENCE (SD):

X ,Y =

probability

distributions

defined by

circuits

ENTROPY DIFFERENCE (ED):

Thm[SV97,GV99]:SD and ED are complete for SZK.


Can statistical zero knowledge be made non interactive

circuit

Statistical Difference between distributions

How circuits define distributions


Completeness for szk sv97 what does it mean

Completeness for SZK [SV97]:What does it mean?

  • SZK is closed under Karp reductions. [SV97]

  •  is complete for SZK if:

    •  Karp  for all   SZK.

    •   SZK.

  • We show NISZK is closed under Karp reductions, too.So same notion of completeness applies for NISZK.


Benefits of complete problems sv97

Benefits of Complete Problems [SV97]

  • Characterizes SZK withno reference to interaction or zero-knowledge!

  • Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )

  • Closed under “boolean formula reductions,” equivalently, NC1-truth table reductions: new protocols! e.g. can give SZK proof for: “exactly n/2 of (G1,G2,…,Gn) are isomorphic to H, OR m is a Q.R. mod p.”


Noninteractive statistical zero knowledge bfm88 bdmp91

Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]

shared

random string

Prover

(unbounded)

Verifier

(poly-time)

proof

accept/reject

  • On input x (instance of promise problem):

  • When x is a YES instance, Verifier accepts w.h.p.

  • When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.


Noninteractive statistical zk cont

Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view.

Note: above is “one proof” version.


Study of noninteractive zk

Study of Noninteractive ZK

  • Motivation:

    • communication-efficient.

    • cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91,S99,...]

  • Examples of NISZK proofs and some initial study in

    • [BDMP91,BR90,DDP94,DDP97]. Main Focus: QNR proof system

  • But most attention focused on NICZK, e.g. [FLS90,KP95].

  • [DDPY98] apply “complete problem methodology”

  • to show IMAGE DENSITY complete for NISZK.


Complete problems for niszk ddpy98

Complete Problems for NISZK [DDPY98]

[DDPY98]:IMAGE DENSITY (ID)


Complete problems for niszk

Complete Problems for NISZK

Thm: The following problems are complete for NISZK:

STATISTICAL DIFFERENCEFROM UNIFORM (SDU):

ENTROPY APPROXIMATION (EA):


Relating szk and niszk

Relating SZK and NISZK

  • Recall complete problems for SZK:

  • NISZK’s complete problems are natural restrictions of these.

 can use complete problems to relate SZK and NISZK.

  • Thm: NISZKBPP  SZKBPP.

  • Thm:NISZK closed under complementSZK=NISZK.


Two problems

Two Problems

ENTROPY APPROXIMATION (EA):

X ,Y =

probability

distributions

defined by

circuits

EA is complete for NISZK

ENTROPY DIFFERENCE (ED):

ED is complete for SZK


Reducing ed to ea

Reducing ED to EA

Say H(X)  H(Y)+1 (YES Instance of ED):

H(Y)

H(X)

n-1

n

0

1

2

Let X’ = 4 copies of X, and Y’ = 4 copies of Y.

H(Y’)

H(X’)

k

k+1

k-1

so,


Reducing ed to ea cont

Reducing ED to EA (cont.)

Now, say H(Y)  H(X)+1 (NO Instance of ED):

H(X)

H(Y)

n-1

n

0

1

2

Let X’ = 4 copies of X, and Y’ = 4 copies of Y.

H(X’)

H(Y’)

m

H(Y’)  k+1

H(X’) k-1

so,


Reducing ed to ea cont1

Reducing ED to EA (cont.)

  • Thus, we have “boolean formula reduction:”

Where:


Consequences for szk and niszk

Consequences for SZK and NISZK

  • Thm: NISZKBPP  SZKBPP Proof: Suppose NISZK=BPP. BPP is closed under boolean formula reductions; Hence using formula, can put ED in BPP. Thus, SZK=BPP. 

  • In fact, can show: NISZK = co-NISZK  NISZK closed under (const. depth) boolean formula reductions and hence  ED  NISZK  SZK = NISZK


Completeness of ea and sdu

Completeness of EA and SDU

  • Strategy:

    • NISZK  SDU (in fact, this is easy part)

    • SDU  EA (also easy)

    • EA  NISZK (technically hardest part)


Complete problems for niszk1

Complete Problems for NISZK

Thm: The following problems are complete for NISZK:

STATISTICAL DIFFERENCEFROM UNIFORM (SDU):

ENTROPY APPROXIMATION (EA):


Noninteractive statistical zk cont1

Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view.

Note: above is “one proof” version.


Niszk sdu

NISZK  SDU

  • Assume NISZK system with negligible completeness and soundness for .

  • Let X be circuit that:

    • Runs simulator to produce (R, proof)

    • If Verifier rejects (R, proof), output .

    • If Verifier accepts, output R.

  • Y  Verifier almost always accepts, R close to uniform.

  • N  Verifier accepts only for negl. fraction of possible R. Hence, output is from space of negligible size, thus far from uniform.


Completeness of ea and sdu1

Completeness of EA and SDU

  • Strategy:

    • NISZK  SDU (in fact, this is easy part)

    • SDU  EA (also easy)

    • EA  NISZK (technically hardest part)


Sdu ea

SDU  EA

  • Let X be instance of SDU with output size n.

  • Reduction: X  (X,n - 3)

  • For any distributions Y,Z on {0,1}n, we have: | H(Y) - H(Z) | n  StatDiff(Y,Z) + H2(StatDiff(Y,Z))

  • Let Y=Uniform(n), Z=X.

  • SDUY  n - H(X) n  (1/n) + H2(StatDiff(U,X)) < 2 So H(X)  n - 2 = (n - 3)+1

  • SDUN  H(X)  n - log(n) +1 < (n - 3) - 1.


Completeness of ea and sdu2

Completeness of EA and SDU

  • Strategy:

    • NISZK  SDU (in fact, this is easy part)

    • SDU  EA (also easy)

    • EA  NISZK (technically hardest part)


Ea niszk

EA  NISZK

  • Basic Protocol:

    • Transform instance (X,k) into Z such that:

      • (X,k)  EAY  Z is close to uniform

      • (X,k)  EAN  Z has tiny support

    • Protocol:

      • P selects rRZ-1(R), sends r to V

      • V checks that Z(r) = R

      • Simulator selects uniform r and outputs (R= Z(r), r )


Flatness

Flatness

  • x is typical for distribution X if Pr[X=x]  2-H(X)

  • Distribution X is nearly flat if with very high prob over x  X, x is typical for X.

  • For any X, if X’ = many copies of X, then X’ will be nearly flat. (by Hoefding inequality)

  • Leftover Hash Lemma[ILL]: For any nearly flat X on {0,1}N, Let h be random universal hash function mapping {0,1}N to {0,1}H(X)-gap.

    • Then (h, h(X)) is stat. indist. from uniform,


Transformation i

Transformation (I)

  • Stage I:

    • Let X’ be many copies of X:

    • EAY  H(X’)  N + gap

    • EAN  H(X’)  N - gap

    • X’ is nearly flat


Transformation ii

Transformation (II)

  • Stage II:

    • Let Y=(h, h(X’)) , where h is random universal hash fn.

    • By Leftover Hash Lemma, EAY  StatDiff( Y, Uniform( N’ ) ) = 2-(n)

    • EAN  H(Y)  N’ - 1


Transformation iii

Transformation (III)

  • Stage III:

    • Let Y’ be many copies of Y

    • EAY  StatDiff( Y’, Uniform( N’’ ) ) = poly(n) 2-(n) = 2-(n)

    • EAN  H(Y’)  N’’ - gap

    • Again, Y’ is nearly flat in both cases.


Y stage iii

Y’ (Stage III)

2-N’’

EAY 

{0,1}N’’

2-H(Y’)

EAN 

{0,1}N’’


Transformation iv

Transformation (IV)

  • Final Stage:

    • Let Z(h,r)=( Y’(r), h, h(r) )

    • This is essentially a “lower-bound protocol” on inputs to Y’.

    • EAY  Because Y’ is nearly uniform, for almost all y, roughly same (large) number of r such that Y’(r)=y.  By LHL, conditioned on most y,(h, h(r)) is close to uniform.  Z is close to uniform.


Y stage iii1

Y’ (Stage III)

2-N’’

EAY 

{0,1}N’’

2-H(Y’)

EAN 

{0,1}N’’


Transformation iv cont

Transformation (IV cont.)

  • EAN  H(Y’)  N’’ - gap & Y’  {0,1}N’’and nearly flat

    • Want to show Z(h,r)=( Y’(r), h, h(r) ) has tiny support.

    • Case 1: Pr[Y’=y] is tiny, i.e. very few r such that Y’(r)=y  h(r) has tiny range.

    • Case 2: tiny < Pr[Y’=y] << 2-H(Y’). By flatness, prob of such y is very small. However, each y is not too unlikely,  very few such y.

    • Case 3: Pr[Y’=y]  2-H(Y’)-slack >> 2-N’’  by def. of probability, very few such y.


Conclusions

Conclusions

  • Find that natural restrictions (one-sided versions) of complete problems for SZK are complete for NISZK

  • Use this to relate classes.

  • In particular find that if NISZK=co-NISZK, then SZK=NISZK.

  • NISZK is richer than one might have thought...

  • Main Open Question: Is NISZK = co-NISZK?


Reducing ed to ea1

Reducing ED to EA

  • Idea: Guess a number between H(X) and H(Y):

  • Thm: NISZKBPP  SZKBPP Proof: Suppose NISZK=BPP. BPP is closed under

  • Thm:NISZK closed under complementSZK=NISZK.


Organization

Organization

  • Motivation

  • What is statistical zero-knowledge?

  • The complexity of statistical zero-knowledge

  • Honest verifier vs. any verifier

  • Noninteractive statistical zero-knowledge

Will not address works on power of the prover [BP92] or

knowledge complexity [GMR85,GP91,GOP94,ABV95,PT96]


What is statistical zero knowledge

What is Statistical Zero-Knowledge?


Noninteractive statistical zero knowledge bfm88 bdmp911

Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]

shared

random string

Prover

(unbounded)

Verifier

(poly-time)

proof

accept/reject

  • On input x (instance of promise problem):

  • When x is a YES instance, Verifier accepts w.h.p.

  • When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.


Noninteractive statistical zk cont2

Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.

Note: above is “one proof” version.


Study of noninteractive zk1

Study of Noninteractive ZK

  • Motivation:

    • communication-efficient.

    • cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91]

  • Examples of NISZK proofs and some initial study in

    • [BDMP91,BR90,DDP94,DDP97].

  • But most attention focused on NICZK, e.g. [FLS90,KP95].


Complete problems for niszk2

Complete Problems for NISZK

[DDPY98]:IMAGE DENSITY (ID)

  • [GSV98]:STATISTICAL DIFFERENCEFROM UNIFORM (SDU)

    • and ENTROPY APPROXIMATION (EA)


Relating szk and niszk1

Relating SZK and NISZK

  • Recall complete problems for SZK:

  • NISZK’s complete problems are natural restrictions of these.

 can use complete problems to relate SZK and NISZK.

  • Thm [GSV98]:SZKBPP  NISZKBPP.

  • Thm [GSV98]:

    • SZK=NISZK  NISZK closed under complement.


Example g raph i somorphism gmw86

Prover

Verifier

Example: GRAPH ISOMORPHISM [GMW86]

1.

2.

3.

4.

Claim:Protocol is an (honest ver) SZK proof.


Correctness of g raph i so szk proof

Correctness of GRAPHISO. SZK Proof

Completeness:

Soundness:

What about zero-knowledgeness?


Zero knowledgeness of g raph i so proof

Zero-knowledgenessof GRAPHISO. Proof

Simulator on input (G0,G1):

Analysis: If G0 G1, then, in both simulator & protocol,

  • H is a random isomorphic copy of G0 (equivalently, G1).

  • coin is random & independent of H.

  •  is a random isomorphism between Gcoin and H.

  •  distributions are identical.


Some issues in zero knowledge proofs

Some Issues in Zero-Knowledge Proofs

  • “Honest” verifiers versus cheating verifiers.

  • Quality of simulation:

    PZK — “Perfect” : distributions identical

    SZK — “Statistical”: statistically close (negligible deviation)

    CZK — “Computational”: computationally indistinguishable.

  • Private coins vs. public coins.

  • Resources — # rounds, communication.

  • Error parameters (completeness, soundness, simulation).

  • Complexity: Does it capture NP?

    • CZK=IP=PSPACE  NP if one-way functions exist

      [GMW86,BGG+88,LFKN90,Sha90]

    • but SZK unlikely to contain NP-hard problems [F87,AH87,BHZ87]


The complexity of szk

The Complexity of SZK


The complexity of szk1

The Complexity of SZK

  • SZK contains “hard” problems [GMR85,GMW86,GK93,GG98]

  • Fortnow’s Methodology [F87]:

    • 1. Find properties of simulator’s output that distinguish

      • between YES and NO instances.

    • 2. Show that these properties can be decided in low

      • complexity.

  • Using this: SZK  AM  coAM. [F87,AH87]

  • Obtain upper-bound on complexity of SZK, but

    • does not give a characterization of SZK.


Analyzing the simulator

Analyzing the simulator

  • We know: For a YESinstance,

    • 1. Simulator outputs accepting conversations w.h.p., and

    • 2. Simulated verifier “behaves like” real verifier.

  • Claim: For a NO instance, cannot have both conditions.

  • “Pf:” If both hold, contradict soundness of proof system by

  • prover strategy which mimics simulated prover.

  • Easy to distinguish between simulator outputting accepting

  • conversations with high probability vs. low probability.

  • Main challenge: how to quantify “behaves like.”


Public coins vs private coins

Public coins vs. Private coins

  • Thm I [Oka96]:SZK=public-coin SZK.

    • (i.e. can transform any SZK proof into one where

    • verifier’s messages are just random coin flips)

Thm II [Oka96]:SZK is closed under complement.

  • Public-coin proofs simpler to analyze/manipulate.

    • (e.g. result for interactive pfs [GS86] found

    • many applications [IY87,BGG+88,FGM+89])

Proofs very complicated, especially Thm I.


Public coin proofs bab85

Public-coin proofs [Bab85]

random coins

answer

Prover

Verifier

random coins

answer

accept/reject


Refinement of fortnow methodology sv97

Refinement of Fortnow Methodology [SV97]

1. Find properties of simulator’s output that distinguish

between YES and NO instances (may focus on

public-coin proofs by [Oka96]).

  is a complete problem for SZK, i.e

  • every problem in SZK reduces to  (via 1,2).

  • SZK(by 3).

2. Show that these properties can be decided in

lowcomplexity.

2. Embed these properties in a natural computational

problemP.

3. Exhibit a statistical zero-knowledge proof for P.


A complete problem

A Complete Problem

Def:STATISTICAL DIFFERENCE (SD) is the following promise problem:

Thm [SV97]:SD is complete for SZK.

Characterizes SZK with

no reference to interaction or zero-knowledge!


Can statistical zero knowledge be made non interactive

circuit

Statistical Difference between distributions

How circuits define distributions


Analyzing the simulator of public coin proof

Analyzing the simulator of public-coin proof

  • We know: For a YESinstance,

    • 1. Simulator outputs accepting conversations w.h.p., and

    • 2. Simulated verifier “behaves like” real verifier.

  • Claim: For a NO instance, cannot have both conditions.

  • Easy to distinguish between simulator outputting accepting

  • conversations with high probability vs. low probability.

  • In a public-coin proof, simulated verifier “behaves like”

    • real verifier iff simulated verifier’s coins are

    • nearly uniform, and

    • nearly independent of conversation history.

  • Key observation: Both properties can be captured by

    • statistical difference between samplable distributions!


Proving that sd is complete for szk cont

Proving that SD is complete for SZK (cont.)

  • Have argued: Every problem in SZK reduces to SD.

  • Still need: SD SZK.


A polarization lemma

A Polarization Lemma

Lemma:There exists a poly-time computable function such that

Not just Chernoff bounds!

Chernoff bounds only yield:


A protocol for sd

Prover

Verifier

A Protocol for SD

1.

2.

3.

4.

Claim:Protocol is an (honest ver) SZK proof for SD.


Properties of d 0 and d 1

Properties of D0 and D1


Benefits of complete problem sv97

Benefits of Complete Problem [SV97]

  • Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )

  • Communication-efficient SZK proofs

  • (1 round, prover sends 1 bit to achieve soundness 1/2)

  • Closure properties:

    • Previous results focused on specific problems

    • or subclasses of SZK [DDPY94,DC95].

    • Can apply techniques of [DDPY94] to

    • STATISTICAL DIFFERENCE to obtain results

    • about all of SZK.


Closure properties of szk

Closure Properties of SZK

Thm [SV97]:LSZK  (L) SZK, where

 = k-ary boolean formula

L= characteristic fn of L

e.g. can prove “exactly k/2 of (x1, x2,...,xk)are in L” in SZK.

Equivalently, SZK is closed under NC1-truth table reductions.


Simplifying okamoto s thm i gv98

Simplifying Okamoto’s Thm I [GV98]

Use the “complete problem methodology”:

Consider promise problem ENTROPY DIFFERENCE (ED):

Main steps in proof:

  • Reduce every problem in SZK to ED.

    • (Uses analysis of simulator from [AH87].)

  • Show that ED has a public-coin SZK proof system.

    • (Employs two subprotocols of [Oka96].)


Can statistical zero knowledge be made non interactive

Simplifying Okamoto’s Thm I (cont.)

This gives:

  • Simpler, modular proof that all of SZK has

    • public-coins SZK proofs.

  • ED is complete for SZK.

  • (Yet another) proof that SZK is closed under

    • complement.

  • “weak-SZK” equals SZK.


Honest verifier vs any verifier

Honest verifier vs. any verifier


Honest verifier vs any verifier1

Honest verifier vs. any verifier

  • So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol.

  • Cryptographic applications need zero-knowledge

  • even vs. cheating verifiers.

  • Main question: Does honest-verifier ZK=any-verifier ZK?

  • Motivation?

    • honest verifier classes suitable for study

      • (e.g. complete problem, closure properties)

    • methodology: design honest-verifier proof and

    • convert to any-verifier proof.


Any verifier statistical zero knowledge

Any-verifier Statistical Zero-Knowledge

v1

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

p1

v2

pk

accept/reject

Formally, for every poly-time verifier, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Computational Zero-Knowledge (CZK): require simulator

distribution to be computationally indistinguishable rather

than statistically close.


Can statistical zero knowledge be made non interactive

Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

  • honest-ver CZK=any-ver CZK=IP=PSPACE

    • [GMW86,IY87,BGG+88,Sha90]

  • honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

  • For both computational and statistical zero-knowledge,

    • honest-verifier=any-verifier for constant-round

    • public-coin proofs [Dam93,DGW94]


Can statistical zero knowledge be made non interactive

  • For both computational and statistical zero-knowledge,

    • honest-verifier=any-verifier for constant-round

    • public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96])  honest-ver SZK=any-ver SZK


Can statistical zero knowledge be made non interactive

Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

  • honest-ver CZK=any-ver CZK=IP=PSPACE

    • [GMW86,IY87,BGG+88,Sha90]

  • honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

  • For both computational and statistical zero-knowledge,

    • honest-verifier=any-verifier for constant-round

    • public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96])  honest-ver SZK=any-ver SZK


The transformation

The Transformation

Prover

random coins 1

Verifier

answer 1

random coins 2

Any-verifier Proof System

answer k

accept/reject

Random Selection

Protocol

Honest-verifier Proof System

Verifier

Prover

1

answer 1

Random Selection

Protocol

2

answer k

accept/reject


Desired properties of random selection protocol

Desired Properties of Random Selection Protocol

  • Dishonest verifier:

  • Outcome  distributed almost uniformly.

  • Simulability: For (almost) every , can simulate

  • RS protocol transcripts yielding output .

  • Dishonest prover:

(OK for soundness by parallel repetition of

original proof system)

  • [GSV98] give a public-coin protocol with these properties

    • (building on [DGW94]).


Noninteractive statistical zero knowledge

Noninteractive Statistical Zero-Knowledge


Noninteractive statistical zero knowledge bfm88 bdmp912

Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]

shared

random string

Prover

(unbounded)

Verifier

(poly-time)

proof

accept/reject

  • On input x (instance of promise problem):

  • When x is a YES instance, Verifier accepts w.h.p.

  • When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.


Noninteractive statistical zk cont3

Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.

Note: above is “one proof” version.


Study of noninteractive zk2

Study of Noninteractive ZK

  • Motivation:

    • communication-efficient.

    • cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91]

  • Examples of NISZK proofs and some initial study in

    • [BDMP91,BR90,DDP94,DDP97].

  • But most attention focused on NICZK, e.g. [FLS90,KP95].


Complete problems for niszk3

Complete Problems for NISZK

[DDPY98]:IMAGE DENSITY (ID)

  • [GSV98]:STATISTICAL DIFFERENCEFROM UNIFORM (SDU)

    • and ENTROPY APPROXIMATION (EA)


Relating szk and niszk2

Relating SZK and NISZK

  • Recall complete problems for SZK:

  • NISZK’s complete problems are natural restrictions of these.

 can use complete problems to relate SZK and NISZK.

  • Thm [GSV98]:SZKBPP  NISZKBPP.

  • Thm [GSV98]:

    • SZK=NISZK  NISZK closed under complement.


Summary

Summary

  • Recent work has refined our understanding of statistical

    • zero-knowledge.

  • Main tools:

    • focus on public-coin proofs (via [Oka96])

    • complete problems [SV97]

  • Questions addressed:

    • closure properties

    • honest verifier vs. any verifier

    • interactive vs. noninteractive


Open problems

Open Problems

  • 1. Generalize more results/techniques to computational

    • zero-knowledge or arguments.

2. Does SZK=NISZK?

  • 3. Is it necessary that power of prover must increase when

    • transforming private-coin proofs to public-coin ones?

  • 4. Show that SZKBPP if one-way functions exist

    • (“converse” to [Ost91]).

5. Does SZK=PZK (“Perfect” zero-knowledge)?


  • Login