An investigation of statistical zero knowledge proofs
This presentation is the property of its rightful owner.
Sponsored Links
1 / 56

An Investigation of Statistical Zero-Knowledge Proofs PowerPoint PPT Presentation


  • 88 Views
  • Uploaded on
  • Presentation posted in: General

An Investigation of Statistical Zero-Knowledge Proofs. Amit Sahai MIT Laboratory for Computer Science. Zero-knowledge Proofs [GMR85]. One party (“the prover”) convinces another party (“the verifier”) that some assertion is true, The verifier learns nothing except that the assertion

Download Presentation

An Investigation of Statistical Zero-Knowledge Proofs

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


An investigation of statistical zero knowledge proofs

An Investigation ofStatistical Zero-KnowledgeProofs

Amit Sahai

MIT Laboratory for Computer Science


Zero knowledge proofs gmr85

Zero-knowledge Proofs [GMR85]

  • One party (“the prover”) convinces another

    • party (“the verifier”) that some assertion is true,

  • The verifier learns nothing except that the assertion

    • is true!

  • Statistical zero-knowledge: variant in which

    • “learns nothing” is interpreted in a very strong information-theoretic sense.


Natural questions

Natural Questions

  • What other assertions?

  • Characterization?

  • Efficiency of protocols?

  • Cheating Verifiers?


Motivation from cryptography

Motivation from Cryptography

  • Zero-knowledge  cryptographic protocols [GMW87]

  • Butstatistical ZK proofs not as expressive as other types of ZK[GMW86,BCC87,F87,AH87]

Still study of statistical ZK useful:

  • Statistical ZK proofs: strongest security guarantee

  • Identification schemes [GMR85,FFS87]

  • “Cleanest” model of ZK:

    • allows for unconditional results (eg., [Oka96, GSV98])

    • most suitable for initial study, later generalize techniques to other types of ZK (eg., [Ost91,OW93,GSV98]).


Motivation from complexity

Motivation from Complexity

  • Contains “hard” problems:

    • QUADRATIC (NON)RESIDUOSITY [GMR85],

    • GRAPH (NON)ISOMORPHISM [GMW86]

    • DISCRETE LOG [GK88],

    • APPROX SHORTEST AND CLOSEST VECTOR [GG97]

  • Yet SZK  AM  coAM [F87,AH87], so unlikely to contain NP-hard problems [BHZ87,Sch88]

  • Has natural complete problems.


What is statistical zero knowledge

What isStatistical Zero-Knowledge?


An investigation of statistical zero knowledge proofs

Promise Problems [ESY84]

YES

NO

YES

NO

Language

Promise Problem

excluded inputs

Example:UNIQUE SAT[VV86]


Statistical zero knowledge proof gmr85 for a promise problem

v1

p1

v2

pk

accept/reject

Statistical Zero-Knowledge Proof [GMR85]for a promise problem 

Prover

Verifier

  • Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance.

  • When x is a YES instance, Verifier accepts w.h.p.

  • When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.


Statistical zero knowledge proof cont

v1

p1

v2

pk

accept/reject

Statistical Zero-Knowledge Proof (cont.)

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Note: ZK for “honest verifier” only.

HVSZK = {promise problems possessing such proofs}


An investigation of statistical zero knowledge proofs

circuit

Statistical Difference between distributions

How circuits define distributions


Example g raph i somorphism

3

3

4

4

2

2

1

5

1

5

6

6

8

8

7

7

G1

G0

Example: GRAPH ISOMORPHISM

Are these graphs the same under a relabeling of vertices?

YES

12345678

62814537

Relabeling: G0 G1


Protocol for g raph i somorphism gmw86

Prover

Verifier

Protocol for GRAPH ISOMORPHISM [GMW86]

1.

2.

3.

4.

Claim:Protocol is an (honest ver) SZK proof.


Correctness of g raph i so szk proof

Correctness of GRAPHISO. SZK Proof

Completeness:

Soundness:

What about zero-knowledgeness?


Zero knowledgeness of g raph i so proof

Simulator :

- Pick G0 or G1 at random first:coinÎR {0,1}.

- Then let H be random relabeling of Gcoin -- and call the relabeling .

Output (H, coin, ).

G1

G0

Protocol

H: rdm relabeling Of G0

coin: random bit

: relabeling H Gb

Simulator

H: rdm relabeling Of Gb

coin: random bit

: relabeling H Gb

H

Zero-knowledgenessof GRAPHISO. Proof


Zero knowledgeness of g raph i so proof1

Zero-knowledgenessof GRAPHISO. Proof

Simulator on input (G0,G1):

Analysis: If G0 G1, then, in both simulator & protocol,

  • H is a random isomorphic copy of G0 (equivalently, G1).

  • coin is random & independent of H.

  •  is a random isomorphism between Gcoin and H.

  •  distributions are identical.


Other types of zero knowledge proofs

Other types of zero-knowledge proofs

  • Different quality of simulation:

    HVPZK — “Perfect” : distributions identical

    HVSZK — “Statistical”: statistically close (negligible deviation)

    HVCZK — “Computational”: computationally indistinguishable.

  • Cheating-verifier versions: PZK,SZK,CZK

  • Complexity:

    • CZK=IP=PSPACE  NP if one-way functions exist

      [GMW86,IY87,BGG+88,LFKN90,Sha90]

    • but SZK unlikely to contain NP-hard problems [F87,AH87,BHZ87,Sch88]


Other types of zero knowledge proofs1

Other types of zero-knowledge proofs

  • Different quality of simulation:

    HVPZK — “Perfect” : distributions identical

    HVSZK — “Statistical”: statistically close (negligible deviation)

    HVCZK — “Computational”: computationally indistinguishable.

  • Cheating-verifier versions: PZK,SZK,CZK

  • Private coins vs. Public coins:

    • Private coins: No restrictions on Verifier.

    • Public coins: Verifier only sends random bits.


Results

Results

[Mostly joint work with Oded Goldreich and Salil Vadhan]

  • Complete problem for HVSZK [SV97]

    • New characterization of statistical zero-knowledge.

    • Simplify study of entire class.

  • Applications of complete problems [SV97]

    • Very efficient HVSZK proofs.

    • Strong closure properties of HVSZK.

    • Simpler proofs of most previously known results.

    • Manipulating statistical properties of efficiently sampleable distributions.

    • Knowledge complexity.


Results cont

Results (cont.)

  • Private coins vs. public coins [GV99]

    • Transform any HVSZK proof system into a “public coin” one

      (i.e., verifier’s messages are just random coins flips)

    • Originally proved by Okamoto [Oka96]; new proof much simpler

  • Honest verifiers vs. cheating verifiers [GSV98]

    • Transform public-coin honest-verifier ZK proofs to cheating-verifier ZK proofs.

    • Combining w/previous result, HVSZK=SZK.

    • Honest-verifier ZK results translate to cheating-verifier ZK.

  • “Noninteractive” SZK [GSV99]

    • Complete problems related to those for SZK

    • Use these to compare the two classes.


Complete problems for hvszk

Complete Problems for HVSZK


The complexity of szk

The Complexity of SZK

  • SZK contains “hard” problems [GMR85,GMW86,GK93,GG98]

  • Fortnow’s Methodology [F87]:

    • 1. Find properties of simulator’s output that distinguish

      • between YES and NO instances.

    • 2. Show that these properties can be decided in low

      • complexity.

  • Using this: SZK  AM  coAM. [F87,AH87]

  • Obtain upper-bound on complexity of SZK, but

    • does not give a characterization of SZK.


Refinement of fortnow methodology sv97

Refinement of Fortnow Methodology [SV97]

1. Find properties of simulator’s output that distinguish

between YES and NO instances.

  is a complete problem for SZK, i.e

  • every problem in SZK reduces to  (via 1,2).

  • SZK(by 3).

2. Show that these properties can be decided in

lowcomplexity.

2. Embed these properties in a natural computational

problemP.

3. Exhibit a statistical zero-knowledge proof for P.


A complete problem

A Complete Problem

Def:STATISTICAL DIFFERENCE (SD) is the following promise problem:

Thm [SV97]:SD is complete for SZK.


An investigation of statistical zero knowledge proofs

circuit

Statistical Difference between distributions

How circuits define distributions


Meaning of completeness thm

Meaning of Completeness Thm

  • “The assertions that can be proven in statistical zero knowledge are exactly those that can be cast as comparing the statistical difference between two sampleable distributions.”

  • Characterizes HVSZK with no reference to interaction or zero knowledge.

  • Tool for proving general theorems about HVSZK.

  • Results about HVSZK  Techniques for manipulating sampleable distributions


Refinement of fortnow methodology sv971

Refinement of Fortnow Methodology [SV97]

1. Find properties of simulator’s output that distinguish

between YES and NO instances.

  is a complete problem for SZK, i.e

  • every problem in SZK reduces to  (via 1,2).

  • SZK(by 3).

2. Show that these properties can be decided in

lowcomplexity.

2. Embed these properties in a natural computational

problemP.

3. Exhibit a statistical zero-knowledge proof for P.


Proof ideas analyzing the simulator

Proof Ideas: Analyzing the simulator

  • We know: For a YESinstance,

    • 1. Simulator outputs accepting conversations w.h.p., and

    • 2. Simulated verifier “behaves like” real verifier.

  • Claim: For a NO instance, cannot have both conditions.

  • “Pf:” If both hold, contradict soundness of proof system by

  • prover strategy which mimics simulated prover.

  • Easy to distinguish between simulator outputting accepting

  • conversations with high probability vs. low probability.

  • Main challenge: how to quantify “behaves like.”


Proof ideas cont

Proof Ideas (cont.)

  • Thm I [Oka96]:SZK=public-coin SZK.

    • (i.e. can transform any SZK proof into one where

    • verifier’s messages are just random coin flips)

  • Now examine condition:

    • 2. Simulated verifier “behaves like” real verifier.

  • In a public-coin proof, simulated verifier “behaves like”

    • real verifier iff simulated verifier’s coins are

    • nearly uniform, and

    • nearly independent of conversation history.

  • Key observation: Both properties can be captured by

    • statistical difference between samplable distributions!


Public coin proofs bab85

Public-coin proofs [Bab85]

random coins

answer

Prover

Verifier

random coins

answer

accept/reject


Proving that sd is complete for szk cont

Proving that SD is complete for SZK (cont.)

  • Have argued: Every problem in SZK reduces to SD.

  • Still need: SD SZK.


A polarization lemma

A Polarization Lemma

Lemma:There exists a poly-time computable function such that

Not just Chernoff bounds!

Chernoff bounds only yield:


A protocol for sd

Prover

Verifier

A Protocol for SD

1.

2.

3.

4.

Claim:Protocol is an (honest ver) SZK proof for SD.


Properties of d 0 and d 1

Properties of D0 and D1


Applications of complete problem methodology

Applications of Complete Problem Methodology


Efficient hvszk proof systems

Efficient HVSZK proof systems

  • Cor: Every problem in HVSZK has an honest-verifier statistical zero-knowledge proof system with:

    • 2 messages

    • 1 bit of prover-to-verifier communication.

    • soundness error 1/2+2-k

    • completeness error & simulator deviation 2-k

    • deterministic prover

      (where k is a “security parameter” independent of input length)


Other benefits of complete problem sv97

Other Benefits of Complete Problem [SV97]

  • Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )

  • Closure properties:

    • Previous results focused on specific problems

    • or subclasses of SZK [DDPY94,DC95].

    • Can apply techniques of [DDPY94] to

    • STATISTICAL DIFFERENCE to obtain results

    • about all of SZK.


Closure properties of szk

Closure Properties of SZK

Thm [SV97]:LSZK  (L) SZK, where

 = k-ary boolean formula

L= characteristic fn of L

e.g. can prove “exactly k/2 of (x1, x2,...,xk)are in L” in SZK.

Equivalently, SZK is closed under NC1-truth table reductions.


Simplifying okamoto s thm i gv98

Simplifying Okamoto’s Thm I [GV98]

Use the “complete problem methodology”:

Consider promise problem ENTROPY DIFFERENCE (ED):

Main steps in proof:

  • Reduce every problem in SZK to ED.

    • (Uses analysis of simulator from [AH87].)

  • Show that ED has a public-coin SZK proof system.

    • (Employs two subprotocols of [Oka96].)


An investigation of statistical zero knowledge proofs

Simplifying Okamoto’s Thm I (cont.)

This gives:

  • Simpler, modular proof that all of SZK has

    • public-coins SZK proofs.

  • ED is complete for SZK.

  • (Yet another) proof that SZK is closed under

    • complement.

  • “weak-SZK” equals SZK.


Honest verifier vs any verifier

Honest verifier vs. any verifier


Honest verifier vs any verifier1

Honest verifier vs. any verifier

  • So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol.

  • Cryptographic applications need zero-knowledge

  • even vs. cheating verifiers.

  • Main question: Does honest-verifier ZK=any-verifier ZK?

  • Motivation?

    • honest verifier classes suitable for study

      • (e.g. complete problem, closure properties)

    • methodology: design honest-verifier proof and

    • convert to any-verifier proof.


Any verifier statistical zero knowledge

Any-verifier Statistical Zero-Knowledge

v1

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

p1

v2

pk

accept/reject

Formally, for every poly-time verifier, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Computational Zero-Knowledge (CZK): require simulator

distribution to be computationally indistinguishable rather

than statistically close.


An investigation of statistical zero knowledge proofs

Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

  • honest-ver CZK=any-ver CZK=IP=PSPACE

    • [GMW86,IY87,BGG+88,Sha90]

  • honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

  • For both computational and statistical zero-knowledge,

    • honest-verifier=any-verifier for constant-round

    • public-coin proofs [Dam93,DGW94]


An investigation of statistical zero knowledge proofs

  • For both computational and statistical zero-knowledge,

    • honest-verifier=any-verifier for constant-round

    • public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96])  honest-ver SZK=any-ver SZK


An investigation of statistical zero knowledge proofs

Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

  • honest-ver CZK=any-ver CZK=IP=PSPACE

    • [GMW86,IY87,BGG+88,Sha90]

  • honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

  • For both computational and statistical zero-knowledge,

    • honest-verifier=any-verifier for constant-round

    • public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96])  honest-ver SZK=any-ver SZK


The transformation

The Transformation

Prover

random coins 1

Verifier

answer 1

random coins 2

Any-verifier Proof System

answer k

accept/reject

Random Selection

Protocol

Honest-verifier Proof System

Verifier

Prover

1

answer 1

Random Selection

Protocol

2

answer k

accept/reject


Simulating the transformed pf system

Simulating the Transformed Pf System

1. Use honest-verifier simulator

to generate a transcript

1

1

2

k

accept/reject

1

answer 1

2

2. “Fill in” transcripts of

Random Selection

protocols

answer k

accept/reject


Desired properties of random selection protocol

Desired Properties of Random Selection Protocol

  • Dishonest verifier:

  • Outcome  distributed almost uniformly.

  • Simulability: For (almost) every , can simulate

  • RS protocol transcripts yielding output .

  • Dishonest prover:

(OK for soundness by parallel repetition of

original proof system)

  • [GSV98] give a public-coin protocol with these properties

    • (building on [DGW94]).


Noninteractive statistical zero knowledge

Noninteractive Statistical Zero-Knowledge


Noninteractive statistical zero knowledge bfm88 bdmp91

Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]

shared

random string

Prover

(unbounded)

Verifier

(poly-time)

proof

accept/reject

  • On input x (instance of promise problem):

  • When x is a YES instance, Verifier accepts w.h.p.

  • When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.


Noninteractive statistical zk cont

Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

shared

random string

proof

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.

Note: above is “one proof” version.


Study of noninteractive zk

Study of Noninteractive ZK

  • Motivation:

    • communication-efficient.

    • cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91]

  • Examples of NISZK proofs and some initial study in

    • [BDMP91,BR90,DDP94,DDP97].

  • But most attention focused on NICZK, e.g. [FLS90,KP95].

  • [DDPY98] apply “complete problem methodology”

  • to show IMAGE DENSITY complete for NISZK.


Complete problems for niszk gsv99

Complete Problems for NISZK [GSV99]

Thm: The following problems are complete for NISZK:

STATISTICAL DIFFERENCEFROM UNIFORM (SDU):

ENTROPY APPROXIMATION (EA):


Relating szk and niszk

Relating SZK and NISZK

  • Recall complete problems for SZK:

  • NISZK’s complete problems are natural restrictions of these.

 can use complete problems to relate SZK and NISZK.

  • Thm [GSV98]:SZKBPP  NISZKBPP.

  • Thm [GSV98]:

    • SZK=NISZK  NISZK closed under complement.


Summary

Summary

  • Recent work has refined our understanding of statistical

    • zero-knowledge.

  • Main tools:

    • focus on public-coin proofs (via [Oka96])

    • complete problems [SV97]

  • Questions addressed:

    • closure properties

    • honest verifier vs. any verifier

    • interactive vs. noninteractive


Open problems

Open Problems

  • 1. Generalize more results/techniques to computational

    • zero-knowledge or arguments.

2. Combinatorial or number-theoretic complete problems?

3. Does SZK=NISZK?

  • 4. Show that SZKBPP if one-way functions exist

    • (“converse” to [Ost91]).

5. Does SZK=PZK (“Perfect” zero-knowledge)?


  • Login