An Investigation of Statistical Zero-Knowledge Proofs

### An Investigation of Statistical Zero-Knowledge Proofs

Amit Sahai

MIT Laboratory for Computer Science

Zero-knowledge Proofs [GMR85]
• One party (“the prover”) convinces another party (“the verifier”) that some assertion is true.
• The verifier learns nothing except that the assertion is true!
• Statistical zero-knowledge: variant in which “learns nothing” is interpreted in a very strong information-theoretic sense.
Natural Questions
• What other assertions?
• Characterization?
• Efficiency of protocols?
• Cheating Verifiers?
Motivation from Cryptography
• Zero-knowledge  cryptographic protocols [GMW87]
• But statistical ZK proofs not as expressive as other types of ZK [GMW86,BCC87,F87,AH87]

Still study of statistical ZK useful:

• Statistical ZK proofs: strongest security guarantee
• Identification schemes [GMR85,FFS87]
• “Cleanest” model of ZK:
• allows for unconditional results (e.g., [Oka96, GSV98])
• most suitable for initial study, later generalize techniques to other types of ZK (e.g., [Ost91,OW93,GSV98]).
Motivation from Complexity
• Contains “hard” problems:
• GRAPH (NON)ISOMORPHISM [GMW86]
• DISCRETE LOG [GK88],
• APPROX SHORTEST AND CLOSEST VECTOR [GG97]
• Yet SZK  AM  coAM [F87,AH87], so unlikely to contain NP-hard problems [BHZ87,Sch88]
• Has natural complete problems.

### What is Statistical Zero-Knowledge?

Promise Problems [ESY84]

[Figure: a Language divides inputs into YES and NO; a Promise Problem has YES, NO and excluded inputs]

Example: UNIQUE SAT [VV86]

[Figure: Verifier and Prover exchange messages v1, p1, v2, ..., pk; Verifier outputs accept/reject]

• Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance.
• When x is a YES instance, Verifier accepts w.h.p.
• When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.

Statistical Zero-Knowledge Proof (cont.)

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Note: ZK for “honest verifier” only.

HVSZK = {promise problems possessing such proofs}

Statistical Difference between distributions

How circuits define distributions

[Figure: circuit]

Example: GRAPH ISOMORPHISM

[Figure: two graphs, G0 and G1, each on vertices 1 to 8]

Are these graphs the same under a relabeling of vertices?

YES

1 2 3 4 5 6 7 8

6 2 8 1 4 5 3 7

Relabeling: G0 G1

Protocol for GRAPH ISOMORPHISM [GMW86]

[Figure: protocol between Prover and Verifier, steps 1 to 4]

Claim: Protocol is an (honest ver) SZK proof.

Correctness of GRAPH ISO. SZK Proof

Completeness:

Soundness:

Simulator :

- Pick G0 or G1 at random first: coin ∈_R {0,1}.

- Then let H be random relabeling of Gcoin -- and call the relabeling .

Output (H, coin, ).

Protocol
H: random relabeling of G0
coin: random bit
: relabeling H Gb

Simulator
H: random relabeling of Gb
coin: random bit
: relabeling H Gb

Zero-knowledgeness of GRAPH ISO. Proof

Simulator on input (G0,G1):

Analysis: If G0 G1, then, in both simulator & protocol,

• H is a random isomorphic copy of G0 (equivalently, G1).
• coin is random & independent of H.
•  is a random isomorphism between Gcoin and H.
•  distributions are identical.
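
An added example (not from the slides) that checks the analysis above by exhaustive enumeration on a constructed 4-vertex instance: the honest verifier's view (H, coin, relabeling) in the protocol and the simulator's output have statistical difference exactly 0 when the graphs are isomorphic, while on a non-isomorphic pair the simulated coin is fully determined by H. It assumes the usual three-message form of the [GMW86] protocol (prover sends H, verifier sends coin, prover answers with a relabeling of G_coin onto H); all function names and the sample graphs are constructed for illustration.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations

def relabel(graph, perm):
    """Apply the vertex relabeling v -> perm[v] to a set of edges."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in graph)

def normalise(counts):
    total = sum(counts.values())
    return {view: Fraction(c, total) for view, c in counts.items()}

def protocol_views(g0, phi, n):
    """Exact distribution of the honest verifier's view; phi maps G0 onto G1."""
    phi_inv = tuple(sorted(range(n), key=lambda v: phi[v]))
    views = Counter()
    for sigma in permutations(range(n)):       # prover: H = sigma(G0)
        for coin in (0, 1):                    # verifier: uniform coin
            pi = sigma if coin == 0 else tuple(sigma[phi_inv[v]] for v in range(n))
            views[(relabel(g0, sigma), coin, pi)] += 1   # pi maps G_coin onto H
    return normalise(views)

def simulator_views(g0, g1, n):
    """Exact output distribution of the simulator: coin first, then H = pi(G_coin)."""
    views = Counter()
    for coin in (0, 1):
        for pi in permutations(range(n)):
            views[(relabel((g0, g1)[coin], pi), coin, pi)] += 1
    return normalise(views)

def statistical_difference(p, q):
    """Half the L1 distance between two finite distributions."""
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in set(p) | set(q)) / 2

def coin_dependence(views):
    """Statistical difference between (H, coin) and (H, fresh uniform coin)."""
    joint, product = Counter(), Counter()
    for (h, coin, _), pr in views.items():
        joint[(h, coin)] += pr
        for c in (0, 1):
            product[(h, c)] += pr / 2
    return statistical_difference(joint, product)

# Constructed sample graphs on 4 vertices (not from the slides).
N = 4
PATH = frozenset({(0, 1), (1, 2), (2, 3)})    # plays the role of G0
PHI = (2, 0, 3, 1)                            # relabeling known to the prover
G1 = relabel(PATH, PHI)                       # isomorphic to PATH (YES instance)
STAR = frozenset({(0, 1), (0, 2), (0, 3)})    # not isomorphic to PATH (NO instance)
```

`coin_dependence` is 0 for the pair (PATH, G1) and 1/2 for the pair (PATH, STAR), because each simulated H is then a copy of exactly one of the two graphs.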
Other types of zero-knowledge proofs
• Different quality of simulation:

HVPZK — “Perfect” : distributions identical

HVSZK — “Statistical”: statistically close (negligible deviation)

HVCZK — “Computational”: computationally indistinguishable.

• Cheating-verifier versions: PZK,SZK,CZK
• Complexity:
• CZK=IP=PSPACE  NP if one-way functions exist

[GMW86,IY87,BGG+88,LFKN90,Sha90]

• but SZK unlikely to contain NP-hard problems [F87,AH87,BHZ87,Sch88]
• Private coins vs. Public coins:
• Private coins: No restrictions on Verifier.
• Public coins: Verifier only sends random bits.
Results

[Mostly joint work with Oded Goldreich and Salil Vadhan]

• Complete problem for HVSZK [SV97]
• New characterization of statistical zero-knowledge.
• Simplify study of entire class.
• Applications of complete problems [SV97]
• Very efficient HVSZK proofs.
• Strong closure properties of HVSZK.
• Simpler proofs of most previously known results.
• Manipulating statistical properties of efficiently sampleable distributions.
• Knowledge complexity.
Results (cont.)
• Private coins vs. public coins [GV99]
• Transform any HVSZK proof system into a “public coin” one (i.e., verifier’s messages are just random coin flips)

• Originally proved by Okamoto [Oka96]; new proof much simpler
• Honest verifiers vs. cheating verifiers [GSV98]
• Transform public-coin honest-verifier ZK proofs to cheating-verifier ZK proofs.
• Combining w/previous result, HVSZK=SZK.
• Honest-verifier ZK results translate to cheating-verifier ZK.
• “Noninteractive” SZK [GSV99]
• Complete problems related to those for SZK
• Use these to compare the two classes.

### Complete Problems for HVSZK

The Complexity of SZK
• SZK contains “hard” problems [GMR85,GMW86,GK93,GG98]
• Fortnow’s Methodology [F87]:
• 1. Find properties of simulator’s output that distinguish between YES and NO instances.
• 2. Show that these properties can be decided in low complexity.
• Using this: SZK  AM  coAM. [F87,AH87]
• Obtain upper-bound on complexity of SZK, but does not give a characterization of SZK.
Refinement of Fortnow Methodology [SV97]

1. Find properties of simulator’s output that distinguish between YES and NO instances.

  is a complete problem for SZK, i.e

• every problem in SZK reduces to  (via 1,2).
• SZK(by 3).

2. Show that these properties can be decided in low complexity.

2. Embed these properties in a natural computational problem P.

3. Exhibit a statistical zero-knowledge proof for P.

A Complete Problem

Def: STATISTICAL DIFFERENCE (SD) is the following promise problem:

Thm [SV97]: SD is complete for SZK.

Meaning of Completeness Thm
• “The assertions that can be proven in statistical zero knowledge are exactly those that can be cast as comparing the statistical difference between two sampleable distributions.”
• Characterizes HVSZK with no reference to interaction or zero knowledge.
• Tool for proving general theorems about HVSZK.
• Results about HVSZK  Techniques for manipulating sampleable distributions
Proof Ideas: Analyzing the simulator
• We know: For a YES instance,
• 1. Simulator outputs accepting conversations w.h.p., and
• 2. Simulated verifier “behaves like” real verifier.
• Claim: For a NO instance, cannot have both conditions.
• “Pf:” If both hold, contradict soundness of proof system by prover strategy which mimics simulated prover.
• Easy to distinguish between simulator outputting accepting conversations with high probability vs. low probability.
• Main challenge: how to quantify “behaves like.”
Proof Ideas (cont.)
• Thm I [Oka96]: SZK = public-coin SZK (i.e. can transform any SZK proof into one where verifier’s messages are just random coin flips)
• Now examine condition:
• 2. Simulated verifier “behaves like” real verifier.
• In a public-coin proof, simulated verifier “behaves like” real verifier iff simulated verifier’s coins are
• nearly uniform, and
• nearly independent of conversation history.
• Key observation: Both properties can be captured by statistical difference between samplable distributions!
Public-coin proofs [Bab85]

[Figure: Prover and Verifier; the Verifier's messages are random coins; Verifier outputs accept/reject]

Proving that SD is complete for SZK (cont.)
• Have argued: Every problem in SZK reduces to SD.
• Still need: SD SZK.
A Polarization Lemma

Lemma: There exists a poly-time computable function such that

Not just Chernoff bounds!

Chernoff bounds only yield:

A Protocol for SD

[Figure: protocol between Prover and Verifier, steps 1 to 4]

Claim: Protocol is an (honest ver) SZK proof for SD.

### Applications of Complete Problem Methodology

Efficient HVSZK proof systems
• Cor: Every problem in HVSZK has an honest-verifier statistical zero-knowledge proof system with:
• 2 messages
• 1 bit of prover-to-verifier communication.
• soundness error 1/2 + 2^{-k}
• completeness error & simulator deviation 2^{-k}
• deterministic prover

(where k is a “security parameter” independent of input length)

Other Benefits of Complete Problem [SV97]
• Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II])
• Closure properties:
• Previous results focused on specific problems or subclasses of SZK [DDPY94,DC95].
• Can apply techniques of [DDPY94] to STATISTICAL DIFFERENCE to obtain results
Closure Properties of SZK

Thm [SV97]:LSZK  (L) SZK, where

 = k-ary boolean formula

L= characteristic fn of L

e.g. can prove “exactly k/2 of (x1, x2, ..., xk) are in L” in SZK.

Equivalently, SZK is closed under NC^1 truth-table reductions.

Simplifying Okamoto’s Thm I [GV98]

Use the “complete problem methodology”:

Consider promise problem ENTROPY DIFFERENCE (ED):

Main steps in proof:

• Reduce every problem in SZK to ED. (Uses analysis of simulator from [AH87].)
• Show that ED has a public-coin SZK proof system. (Employs two subprotocols of [Oka96].)

Simplifying Okamoto’s Thm I (cont.)

This gives:

• Simpler, modular proof that all of SZK has public-coin SZK proofs.
• ED is complete for SZK.
• (Yet another) proof that SZK is closed under complement.
• “weak-SZK” equals SZK.

### Honest verifier vs. any verifier

Honest verifier vs. any verifier
• So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol.
• Cryptographic applications need zero-knowledge even vs. cheating verifiers.
• Main question: Does honest-verifier ZK = any-verifier ZK?
• Motivation?
• honest verifier classes suitable for study (e.g. complete problem, closure properties)
• methodology: design honest-verifier proof and convert to any-verifier proof.
Any-verifier Statistical Zero-Knowledge

[Figure: Verifier and Prover exchange messages v1, p1, v2, ..., pk; Verifier outputs accept/reject]

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, for every poly-time verifier, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Computational Zero-Knowledge (CZK): require simulator distribution to be computationally indistinguishable rather than statistically close.

Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

• honest-ver CZK=any-ver CZK=IP=PSPACE [GMW86,IY87,BGG+88,Sha90]
• honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

• For both computational and statistical zero-knowledge, honest-verifier=any-verifier for constant-round public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96])  honest-ver SZK=any-ver SZK

The Transformation

[Figure: the Honest-verifier Proof System, in which Verifier sends random coins in rounds 1, 2, ..., and the Any-verifier Proof System, in which a Random Selection Protocol between Prover and Verifier is run in rounds 1, 2, ...; both end in accept/reject]

Simulating the Transformed Pf System

1. Use honest-verifier simulator to generate a transcript

[Figure: transcript with rounds 1, 2, ..., k ending in accept/reject]

2. “Fill in” transcripts of Random Selection protocols

Desired Properties of Random Selection Protocol
• Dishonest verifier:
• Outcome  distributed almost uniformly.
• Simulability: For (almost) every , can simulate
• RS protocol transcripts yielding output .
• Dishonest prover:

(OK for soundness by parallel repetition of original proof system)

• [GSV98] give a public-coin protocol with these properties (building on [DGW94]).

### Noninteractive Statistical Zero-Knowledge

Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]

[Figure: Prover (unbounded) and Verifier (poly-time) with a shared random string; Prover sends a proof; Verifier outputs accept/reject]

• On input x (instance of promise problem):
• When x is a YES instance, Verifier accepts w.h.p.
• When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.
Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

[Figure: shared random string and proof]

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.

Note: above is “one proof” version.

Study of Noninteractive ZK
• Motivation:
• communication-efficient.
• cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91]
• Examples of NISZK proofs and some initial study in [BDMP91,BR90,DDP94,DDP97].
• But most attention focused on NICZK, e.g. [FLS90,KP95].
• [DDPY98] apply “complete problem methodology” to show IMAGE DENSITY complete for NISZK.
Complete Problems for NISZK [GSV99]

Thm: The following problems are complete for NISZK:

STATISTICAL DIFFERENCE FROM UNIFORM (SDU):

ENTROPY APPROXIMATION (EA):

Relating SZK and NISZK
• Recall complete problems for SZK:
• NISZK’s complete problems are natural restrictions of these.

 can use complete problems to relate SZK and NISZK.

• Thm [GSV98]:SZKBPP  NISZKBPP.
• Thm [GSV98]:
• SZK=NISZK  NISZK closed under complement.
Summary
• Recent work has refined our understanding of statistical zero-knowledge.
• Main tools:
• focus on public-coin proofs (via [Oka96])
• complete problems [SV97]
• closure properties
• honest verifier vs. any verifier
• interactive vs. noninteractive
Open Problems
1. Generalize more results/techniques to computational zero-knowledge or arguments.

2. Combinatorial or number-theoretic complete problems?

3. Does SZK=NISZK?

4. Show that SZKBPP if one-way functions exist (“converse” to [Ost91]).

5. Does SZK=PZK (“Perfect” zero-knowledge)?