
An Investigation of Statistical Zero-Knowledge Proofs


Amit Sahai

MIT Laboratory for Computer Science

- One party (“the prover”) convinces another party (“the verifier”) that some assertion is true.
- The verifier learns nothing except that the assertion is true!
- Statistical zero-knowledge: variant in which “learns nothing” is interpreted in a very strong information-theoretic sense.

- What other assertions?
- Characterization?
- Efficiency of protocols?
- Cheating Verifiers?

- Zero-knowledge cryptographic protocols [GMW87]

- But statistical ZK proofs not as expressive as other types of ZK [GMW86,BCC87,F87,AH87]

Still study of statistical ZK useful:

- Statistical ZK proofs: strongest security guarantee
- Identification schemes [GMR85,FFS87]
- “Cleanest” model of ZK:
  - allows for unconditional results (e.g., [Oka96, GSV98])
  - most suitable for initial study, later generalize techniques to other types of ZK (e.g., [Ost91,OW93,GSV98]).

- Contains “hard” problems:
  - QUADRATIC (NON)RESIDUOSITY [GMR85]
  - GRAPH (NON)ISOMORPHISM [GMW86]
  - DISCRETE LOG [GK88]
  - APPROX SHORTEST AND CLOSEST VECTOR [GG97]
- Yet SZK ⊆ AM ∩ coAM [F87,AH87], so unlikely to contain NP-hard problems [BHZ87,Sch88]
- Has natural complete problems.

What is Statistical Zero-Knowledge?

Promise Problems [ESY84]

[Figure: a Language splits inputs into YES and NO; a Promise Problem has YES instances, NO instances and excluded inputs.]

Example: UNIQUE SAT [VV86]

[Figure: Prover and Verifier exchange messages v1, p1, v2, ..., pk; Verifier outputs accept/reject.]

- Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance.
- When x is a YES instance, Verifier accepts w.h.p.
- When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.


When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, there is a probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Note: ZK for “honest verifier” only.

HVSZK = {promise problems possessing such proofs}

[Figure: how circuits define distributions; statistical difference between distributions.]

[Figure: two graphs, G0 and G1, each on vertices 1 to 8.]

Are these graphs the same under a relabeling of vertices?

YES

12345678

62814537

Relabeling: G0 G1

[Protocol diagram: Prover and Verifier, steps 1 to 4.]

Claim: Protocol is an (honest ver) SZK proof.

Completeness:

Soundness:

What about zero-knowledgeness?

Simulator :

- Pick G0 or G1 at random first: coin ∈_R {0,1}.

- Then let H be random relabeling of Gcoin -- and call the relabeling .

Output (H, coin, ).

Protocol:

- H: random relabeling of G0
- coin: random bit
- : relabeling H Gb

Simulator:

- H: random relabeling of Gb
- coin: random bit
- : relabeling H Gb

Simulator on input (G0,G1):

Analysis: If G0 ≅ G1, then, in both simulator & protocol,

- H is a random isomorphic copy of G0 (equivalently, G1).
- coin is random & independent of H.
- is a random isomorphism between Gcoin and H.
- distributions are identical.
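The analysis above can be checked exhaustively on a small instance. The following Python code is an added example, not part of the original slides: it enumerates every choice of relabeling and coin to get the exact distribution of the honest verifier's view and of the simulator's output, then computes their statistical difference. The name `pi` for the relabeling sent in the last message, the helper names and the 4-vertex graphs are assumptions made for the example.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations

def relabel(graph, perm):
    """Apply the vertex relabeling v -> perm[v] to a set of undirected edges."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)

def protocol_views(g0, phi):
    """Exact distribution of the honest verifier's view (H, coin, pi). Prover knows phi
    with phi(G0) = G1, sends H = sigma(G0), answers sigma or sigma composed with phi^-1."""
    perms = list(permutations(range(len(phi))))
    phi_inv = sorted(range(len(phi)), key=phi.__getitem__)
    weight, dist = Fraction(1, 2 * len(perms)), Counter()
    for sigma in perms:
        h = relabel(g0, sigma)
        dist[(h, 0, sigma)] += weight
        dist[(h, 1, tuple(sigma[v] for v in phi_inv))] += weight
    return dist

def simulator_views(g0, g1, n):
    """Exact output distribution of the simulator: coin first, then H = pi(G_coin)."""
    perms = list(permutations(range(n)))
    weight, dist = Fraction(1, 2 * len(perms)), Counter()
    for coin in (0, 1):
        for pi in perms:
            dist[(relabel((g0, g1)[coin], pi), coin, pi)] += weight
    return dist

def h_given_coin(dist, coin):
    """Distribution of H conditioned on the coin, from a joint (H, coin, pi) distribution."""
    out = Counter()
    for (h, c, _), w in dist.items():
        out[h] += 2 * w if c == coin else 0
    return out

def statistical_difference(p, q):
    """Half the L1 distance between two finite distributions."""
    return sum(abs(p[x] - q[x]) for x in set(p) | set(q)) / 2

# Constructed sample input: path G0, relabeled copy G1 = PHI(G0), non-isomorphic STAR.
G0 = frozenset({(0, 1), (1, 2), (2, 3)})
PHI = (2, 0, 3, 1)
G1 = relabel(G0, PHI)
STAR = frozenset({(0, 1), (0, 2), (0, 3)})

if __name__ == "__main__":
    sim_no = simulator_views(G0, STAR, 4)
    print("YES:", statistical_difference(protocol_views(G0, PHI), simulator_views(G0, G1, 4)))
    print("NO:", statistical_difference(h_given_coin(sim_no, 0), h_given_coin(sim_no, 1)))
```

On the isomorphic pair the view and the simulator output coincide exactly; on the non-isomorphic pair the simulator's H is fully determined by its coin, which is the kind of property of the simulator's output that separates YES from NO instances.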

- Different quality of simulation:
  - HVPZK — “Perfect”: distributions identical
  - HVSZK — “Statistical”: statistically close (negligible deviation)
  - HVCZK — “Computational”: computationally indistinguishable.
- Cheating-verifier versions: PZK, SZK, CZK
- Complexity:
  - CZK = IP = PSPACE ⊇ NP if one-way functions exist [GMW86,IY87,BGG+88,LFKN90,Sha90]
  - but SZK unlikely to contain NP-hard problems [F87,AH87,BHZ87,Sch88]

- Private coins vs. Public coins:
- Private coins: No restrictions on Verifier.
- Public coins: Verifier only sends random bits.

[Mostly joint work with Oded Goldreich and Salil Vadhan]

- Complete problem for HVSZK [SV97]
  - New characterization of statistical zero-knowledge.
  - Simplify study of entire class.
- Applications of complete problems [SV97]
  - Very efficient HVSZK proofs.
  - Strong closure properties of HVSZK.
  - Simpler proofs of most previously known results.
  - Manipulating statistical properties of efficiently sampleable distributions.
  - Knowledge complexity.
- Private coins vs. public coins [GV99]
  - Transform any HVSZK proof system into a “public coin” one (i.e., verifier’s messages are just random coin flips)
  - Originally proved by Okamoto [Oka96]; new proof much simpler
- Honest verifiers vs. cheating verifiers [GSV98]
  - Transform public-coin honest-verifier ZK proofs to cheating-verifier ZK proofs.
  - Combining w/previous result, HVSZK=SZK.
  - Honest-verifier ZK results translate to cheating-verifier ZK.
- “Noninteractive” SZK [GSV99]
  - Complete problems related to those for SZK
  - Use these to compare the two classes.

Complete Problems for HVSZK

- SZK contains “hard” problems [GMR85,GMW86,GK93,GG98]
- Fortnow’s Methodology [F87]:
  1. Find properties of simulator’s output that distinguish between YES and NO instances.
  2. Show that these properties can be decided in low complexity.
- Using this: SZK ⊆ AM ∩ coAM. [F87,AH87]
- Obtain upper-bound on complexity of SZK, but does not give a characterization of SZK.

1. Find properties of simulator’s output that distinguish between YES and NO instances.

2. Show that these properties can be decided in low complexity.

2. Embed these properties in a natural computational problem P.

3. Exhibit a statistical zero-knowledge proof for P.

P is a complete problem for SZK, i.e.

- every problem in SZK reduces to P (via 1,2).
- P ∈ SZK (by 3).

Def: STATISTICAL DIFFERENCE (SD) is the following promise problem:

Thm [SV97]: SD is complete for SZK.


- “The assertions that can be proven in statistical zero knowledge are exactly those that can be cast as comparing the statistical difference between two sampleable distributions.”
- Characterizes HVSZK with no reference to interaction or zero knowledge.
- Tool for proving general theorems about HVSZK.
- Results about HVSZK Techniques for manipulating sampleable distributions


- We know: For a YES instance,
  1. Simulator outputs accepting conversations w.h.p., and
  2. Simulated verifier “behaves like” real verifier.
- Claim: For a NO instance, cannot have both conditions.
- “Pf:” If both hold, contradict soundness of proof system by prover strategy which mimics simulated prover.
- Easy to distinguish between simulator outputting accepting conversations with high probability vs. low probability.
- Main challenge: how to quantify “behaves like.”

- Thm I [Oka96]: SZK=public-coin SZK. (i.e. can transform any SZK proof into one where verifier’s messages are just random coin flips)
- Now examine condition:
  2. Simulated verifier “behaves like” real verifier.
- In a public-coin proof, simulated verifier “behaves like” real verifier iff simulated verifier’s coins are
  - nearly uniform, and
  - nearly independent of conversation history.
- Key observation: Both properties can be captured by statistical difference between samplable distributions!

[Figure: public-coin proof between Prover and Verifier: random coins, answer, random coins, answer, accept/reject.]

- Have argued: Every problem in SZK reduces to SD.
- Still need: SD ∈ SZK.

Lemma: There exists a poly-time computable function such that

Not just Chernoff bounds!

Chernoff bounds only yield:

[Protocol diagram: Prover and Verifier, steps 1 to 4.]

Claim: Protocol is an (honest ver) SZK proof for SD.

Applications of Complete Problem Methodology

- Cor: Every problem in HVSZK has an honest-verifier statistical zero-knowledge proof system with:
  - 2 messages
  - 1 bit of prover-to-verifier communication
  - soundness error 1/2 + 2^-k
  - completeness error & simulator deviation 2^-k
  - deterministic prover

  (where k is a “security parameter” independent of input length)

- Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )

- Closure properties:
  - Previous results focused on specific problems or subclasses of SZK [DDPY94,DC95].
  - Can apply techniques of [DDPY94] to STATISTICAL DIFFERENCE to obtain results about all of SZK.

Thm [SV97]:LSZK (L) SZK, where

= k-ary boolean formula

L= characteristic fn of L

e.g. can prove “exactly k/2 of (x1, x2,...,xk) are in L” in SZK.

Equivalently, SZK is closed under NC1-truth table reductions.

Use the “complete problem methodology”:

Consider promise problem ENTROPY DIFFERENCE (ED):

Main steps in proof:

- Reduce every problem in SZK to ED. (Uses analysis of simulator from [AH87].)
- Show that ED has a public-coin SZK proof system. (Employs two subprotocols of [Oka96].)

Simplifying Okamoto’s Thm I (cont.)

This gives:

- Simpler, modular proof that all of SZK has public-coins SZK proofs.
- ED is complete for SZK.
- (Yet another) proof that SZK is closed under complement.
- “weak-SZK” equals SZK.

Honest verifier vs. any verifier

- So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol.
- Cryptographic applications need zero-knowledge even vs. cheating verifiers.
- Main question: Does honest-verifier ZK=any-verifier ZK?
- Motivation?
  - honest verifier classes suitable for study (e.g. complete problem, closure properties)
  - methodology: design honest-verifier proof and convert to any-verifier proof.

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, for every poly-time verifier, there is a probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Computational Zero-Knowledge (CZK): require simulator distribution to be computationally indistinguishable rather than statistically close.

Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

- honest-ver CZK=any-ver CZK=IP=PSPACE [GMW86,IY87,BGG+88,Sha90]
- honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

- For both computational and statistical zero-knowledge, honest-verifier=any-verifier for constant-round public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96]) honest-ver SZK=any-ver SZK


[Figure: Honest-verifier Proof System and Any-verifier Proof System between Prover and Verifier; labels: random coins, answer 1 through answer k, Random Selection Protocol, accept/reject.]

1. Use honest-verifier simulator to generate a transcript.

2. “Fill in” transcripts of Random Selection protocols.

- Dishonest verifier:
  - Outcome distributed almost uniformly.
  - Simulability: For (almost) every , can simulate RS protocol transcripts yielding output .
- Dishonest prover:
  (OK for soundness by parallel repetition of original proof system)
- [GSV98] give a public-coin protocol with these properties (building on [DGW94]).

Noninteractive Statistical Zero-Knowledge

[Figure: Prover (unbounded) and Verifier (poly-time) see a shared random string; Prover sends a proof; Verifier outputs accept/reject.]

- On input x (instance of promise problem):
- When x is a YES instance, Verifier accepts w.h.p.
- When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.

When x is a YES instance, Verifier can simulate her view on her own.

Formally, there is a probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.

Note: above is “one proof” version.

- Motivation:
  - communication-efficient.
  - cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91]
- Examples of NISZK proofs and some initial study in [BDMP91,BR90,DDP94,DDP97].
- But most attention focused on NICZK, e.g. [FLS90,KP95].
- [DDPY98] apply “complete problem methodology” to show IMAGE DENSITY complete for NISZK.

Thm: The following problems are complete for NISZK:

STATISTICAL DIFFERENCE FROM UNIFORM (SDU):

ENTROPY APPROXIMATION (EA):

- Recall complete problems for SZK:

- NISZK’s complete problems are natural restrictions of these.

can use complete problems to relate SZK and NISZK.

- Thm [GSV98]: SZK ≠ BPP ⇔ NISZK ≠ BPP.

- Thm [GSV98]: SZK=NISZK ⇔ NISZK closed under complement.

- Recent work has refined our understanding of statistical zero-knowledge.
- Main tools:
  - focus on public-coin proofs (via [Oka96])
  - complete problems [SV97]
- Questions addressed:
  - closure properties
  - honest verifier vs. any verifier
  - interactive vs. noninteractive

1. Generalize more results/techniques to computational zero-knowledge or arguments.

2. Combinatorial or number-theoretic complete problems?

3. Does SZK=NISZK?

4. Show that SZK ≠ BPP if one-way functions exist (“converse” to [Ost91]).

5. Does SZK=PZK (“Perfect” zero-knowledge)?