An Investigation of Statistical Zero-Knowledge Proofs


Amit Sahai

MIT Laboratory for Computer Science

Zero-knowledge Proofs [GMR85]
  • One party (“the prover”) convinces another party (“the verifier”) that some assertion is true,
  • The verifier learns nothing except that the assertion is true!
  • Statistical zero-knowledge: variant in which “learns nothing” is interpreted in a very strong information-theoretic sense.
Natural Questions
  • What other assertions?
  • Characterization?
  • Efficiency of protocols?
  • Cheating Verifiers?
Motivation from Cryptography
  • Zero-knowledge  cryptographic protocols [GMW87]
  • But statistical ZK proofs not as expressive as other types of ZK [GMW86,BCC87,F87,AH87]

Still study of statistical ZK useful:

  • Statistical ZK proofs: strongest security guarantee
  • Identification schemes [GMR85,FFS87]
  • “Cleanest” model of ZK:
    • allows for unconditional results (e.g., [Oka96, GSV98])
    • most suitable for initial study, later generalize techniques to other types of ZK (e.g., [Ost91,OW93,GSV98]).
Motivation from Complexity
  • Contains “hard” problems:
    • QUADRATIC (NON)RESIDUOSITY [GMR85],
    • GRAPH (NON)ISOMORPHISM [GMW86]
    • DISCRETE LOG [GK88],
    • APPROX SHORTEST AND CLOSEST VECTOR [GG97]
  • Yet SZK  AM  coAM [F87,AH87], so unlikely to contain NP-hard problems [BHZ87,Sch88]
  • Has natural complete problems.
Promise Problems [ESY84]

[Figure: Language (YES, NO) vs. Promise Problem (YES, NO, excluded inputs)]

Example: UNIQUE SAT [VV86]

Statistical Zero-Knowledge Proof [GMR85] for a promise problem 

[Figure: Prover and Verifier exchange messages v1, p1, v2, ..., pk; Verifier outputs accept/reject]

  • Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance.
  • When x is a YES instance, Verifier accepts w.h.p.
  • When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.
Statistical Zero-Knowledge Proof (cont.)

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, there is a probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Note: ZK for “honest verifier” only.

HVSZK = {promise problems possessing such proofs}

Statistical Difference between distributions

How circuits define distributions

Example: GRAPH ISOMORPHISM

Are these graphs the same under a relabeling of vertices?

[Figure: two graphs, G0 and G1, each drawn on vertices 1 to 8]

YES

Relabeling: G0 G1

1 2 3 4 5 6 7 8
6 2 8 1 4 5 3 7

Protocol for GRAPH ISOMORPHISM [GMW86]

[Figure: message exchange between Prover and Verifier]

1.

2.

3.

4.

Claim: Protocol is an (honest ver) SZK proof.

Correctness of GRAPH ISO. SZK Proof

Completeness:

Soundness:

What about zero-knowledgeness?

Zero-knowledgeness of GRAPH ISO. Proof

Simulator:

- Pick G0 or G1 at random first: coin ∈R {0,1}.

- Then let H be random relabeling of Gcoin -- and call the relabeling .

Output (H, coin, ).

Protocol:

- H: rdm relabeling of G0

- coin: random bit

- : relabeling H Gb

Simulator:

- H: rdm relabeling of Gb

- coin: random bit

- : relabeling H Gb

Zero-knowledgeness of GRAPH ISO. Proof

Simulator on input (G0,G1):

Analysis: If G0 G1, then, in both simulator & protocol,

  • H is a random isomorphic copy of G0 (equivalently, G1).
  • coin is random & independent of H.
  •  is a random isomorphism between Gcoin and H.
  •  distributions are identical.
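
The analysis above can be checked exhaustively on a toy instance. The following is an added example, not part of the original slides: the 4-vertex graphs, the names `sigma`, `pi` and `PHI`, and the convention that `pi` maps G_coin to H are assumptions made here. It computes the exact distributions of the honest verifier's view and of the simulator's output and their statistical difference, and goes slightly beyond the slide by also running the simulator on a non-isomorphic pair.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations

N = 4                                        # vertices 0..3 (constructed toy size)
G0 = frozenset({(0, 1), (1, 2), (2, 3)})     # constructed path graph
PHI = (2, 0, 3, 1)                           # constructed relabeling, G1 = PHI(G0)
STAR = frozenset({(0, 1), (0, 2), (0, 3)})   # constructed graph NOT isomorphic to G0
PERMS = list(permutations(range(N)))

def relabel(perm, graph):
    """Apply a vertex relabeling to every edge (edges kept as sorted pairs)."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)

def compose(p, q):
    """Relabeling that applies q first, then p."""
    return tuple(p[q[v]] for v in range(N))

def inverse(p):
    inv = [0] * N
    for v, image in enumerate(p):
        inv[image] = v
    return tuple(inv)

G1 = relabel(PHI, G0)

def protocol_view(g0, phi):
    """Exact distribution of the honest verifier's view (H, coin, pi)."""
    view = Counter()
    for sigma in PERMS:                      # prover's random relabeling of G0
        h = relabel(sigma, g0)
        for coin in (0, 1):                  # verifier's random bit
            # Prover answers with a relabeling taking G_coin to H.
            pi = sigma if coin == 0 else compose(sigma, inverse(phi))
            view[(h, coin, pi)] += Fraction(1, 2 * len(PERMS))
    return view

def simulator(g0, g1):
    """Exact output distribution of the simulator: coin first, then H."""
    out = Counter()
    for coin, g in ((0, g0), (1, g1)):
        for pi in PERMS:
            out[(relabel(pi, g), coin, pi)] += Fraction(1, 2 * len(PERMS))
    return out

def h_given_coin(dist, coin):
    """Conditional distribution of H given the coin (coin is a fair bit)."""
    cond = Counter()
    for (h, c, _), w in dist.items():
        if c == coin:
            cond[h] += 2 * w
    return cond

def stat_diff(p, q):
    """Statistical difference: half the L1 distance between two distributions."""
    return sum(abs(p[k] - q[k]) for k in set(p) | set(q)) / 2
```

On the isomorphic pair the two distributions coincide exactly. On the non-isomorphic pair (G0, STAR) the simulator's H fully determines the coin, so the simulated verifier's coin is no longer independent of the conversation.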
Other types of zero-knowledge proofs
  • Different quality of simulation:

HVPZK — “Perfect” : distributions identical

HVSZK — “Statistical”: statistically close (negligible deviation)

HVCZK — “Computational”: computationally indistinguishable.

  • Cheating-verifier versions: PZK, SZK, CZK
  • Complexity:
    • CZK=IP=PSPACE  NP if one-way functions exist [GMW86,IY87,BGG+88,LFKN90,Sha90]
    • but SZK unlikely to contain NP-hard problems [F87,AH87,BHZ87,Sch88]
Other types of zero-knowledge proofs
  • Different quality of simulation:

HVPZK — “Perfect” : distributions identical

HVSZK — “Statistical”: statistically close (negligible deviation)

HVCZK — “Computational”: computationally indistinguishable.

  • Cheating-verifier versions: PZK,SZK,CZK
  • Private coins vs. Public coins:
    • Private coins: No restrictions on Verifier.
    • Public coins: Verifier only sends random bits.
Results

[Mostly joint work with Oded Goldreich and Salil Vadhan]

  • Complete problem for HVSZK [SV97]
    • New characterization of statistical zero-knowledge.
    • Simplify study of entire class.
  • Applications of complete problems [SV97]
    • Very efficient HVSZK proofs.
    • Strong closure properties of HVSZK.
    • Simpler proofs of most previously known results.
    • Manipulating statistical properties of efficiently sampleable distributions.
    • Knowledge complexity.
Results (cont.)
  • Private coins vs. public coins [GV99]
    • Transform any HVSZK proof system into a “public coin” one (i.e., verifier’s messages are just random coin flips)
    • Originally proved by Okamoto [Oka96]; new proof much simpler
  • Honest verifiers vs. cheating verifiers [GSV98]
    • Transform public-coin honest-verifier ZK proofs to cheating-verifier ZK proofs.
    • Combining w/previous result, HVSZK=SZK.
    • Honest-verifier ZK results translate to cheating-verifier ZK.
  • “Noninteractive” SZK [GSV99]
    • Complete problems related to those for SZK
    • Use these to compare the two classes.
The Complexity of SZK
  • SZK contains “hard” problems [GMR85,GMW86,GK93,GG98]
  • Fortnow’s Methodology [F87]:
    • 1. Find properties of simulator’s output that distinguish between YES and NO instances.
    • 2. Show that these properties can be decided in low complexity.
  • Using this: SZK  AM  coAM. [F87,AH87]
  • Obtain upper-bound on complexity of SZK, but does not give a characterization of SZK.
Refinement of Fortnow Methodology [SV97]

1. Find properties of simulator’s output that distinguish between YES and NO instances.

2. Show that these properties can be decided in low complexity.

2. Embed these properties in a natural computational problem P.

3. Exhibit a statistical zero-knowledge proof for P.

  is a complete problem for SZK, i.e.

  • every problem in SZK reduces to  (via 1,2).
  • SZK(by 3).

A Complete Problem

Def: STATISTICAL DIFFERENCE (SD) is the following promise problem:

Thm [SV97]: SD is complete for SZK.

Statistical Difference between distributions

How circuits define distributions

Meaning of Completeness Thm
  • “The assertions that can be proven in statistical zero knowledge are exactly those that can be cast as comparing the statistical difference between two sampleable distributions.”
  • Characterizes HVSZK with no reference to interaction or zero knowledge.
  • Tool for proving general theorems about HVSZK.
  • Results about HVSZK  Techniques for manipulating sampleable distributions
Refinement of Fortnow Methodology [SV97]

1. Find properties of simulator’s output that distinguish between YES and NO instances.

2. Show that these properties can be decided in low complexity.

2. Embed these properties in a natural computational problem P.

3. Exhibit a statistical zero-knowledge proof for P.

  is a complete problem for SZK, i.e.

  • every problem in SZK reduces to  (via 1,2).
  • SZK(by 3).

Proof Ideas: Analyzing the simulator
  • We know: For a YES instance,
    • 1. Simulator outputs accepting conversations w.h.p., and
    • 2. Simulated verifier “behaves like” real verifier.
  • Claim: For a NO instance, cannot have both conditions.
  • “Pf:” If both hold, contradict soundness of proof system by prover strategy which mimics simulated prover.
  • Easy to distinguish between simulator outputting accepting conversations with high probability vs. low probability.
  • Main challenge: how to quantify “behaves like.”
Proof Ideas (cont.)
  • Thm I [Oka96]: SZK=public-coin SZK. (i.e. can transform any SZK proof into one where verifier’s messages are just random coin flips)
  • Now examine condition:
    • 2. Simulated verifier “behaves like” real verifier.
  • In a public-coin proof, simulated verifier “behaves like” real verifier iff simulated verifier’s coins are
    • nearly uniform, and
    • nearly independent of conversation history.
  • Key observation: Both properties can be captured by statistical difference between samplable distributions!
Public-coin proofs [Bab85]

[Figure: Verifier sends random coins and Prover returns an answer, repeated; Verifier outputs accept/reject]

Proving that SD is complete for SZK (cont.)
  • Have argued: Every problem in SZK reduces to SD.
  • Still need: SD SZK.
A Polarization Lemma

Lemma: There exists a poly-time computable function such that

Not just Chernoff bounds!

Chernoff bounds only yield:

A Protocol for SD

[Figure: message exchange between Prover and Verifier]

1.

2.

3.

4.

Claim: Protocol is an (honest ver) SZK proof for SD.

Efficient HVSZK proof systems
  • Cor: Every problem in HVSZK has an honest-verifier statistical zero-knowledge proof system with:
    • 2 messages
    • 1 bit of prover-to-verifier communication.
    • soundness error 1/2 + 2^(-k)
    • completeness error & simulator deviation 2^(-k)
    • deterministic prover

(where k is a “security parameter” independent of input length)

Other Benefits of Complete Problem [SV97]
  • Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II])
  • Closure properties:
    • Previous results focused on specific problems or subclasses of SZK [DDPY94,DC95].
    • Can apply techniques of [DDPY94] to STATISTICAL DIFFERENCE to obtain results about all of SZK.
Closure Properties of SZK

Thm [SV97]:LSZK  (L) SZK, where

 = k-ary boolean formula

L= characteristic fn of L

e.g. can prove “exactly k/2 of (x1, x2, ..., xk) are in L” in SZK.

Equivalently, SZK is closed under NC1-truth table reductions.

Simplifying Okamoto’s Thm I [GV98]

Use the “complete problem methodology”:

Consider promise problem ENTROPY DIFFERENCE (ED):

Main steps in proof:

  • Reduce every problem in SZK to ED.
    • (Uses analysis of simulator from [AH87].)
  • Show that ED has a public-coin SZK proof system.
    • (Employs two subprotocols of [Oka96].)

Simplifying Okamoto’s Thm I (cont.)

This gives:

  • Simpler, modular proof that all of SZK has public-coins SZK proofs.
  • ED is complete for SZK.
  • (Yet another) proof that SZK is closed under complement.
  • “weak-SZK” equals SZK.
Honest verifier vs. any verifier
  • So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol.
  • Cryptographic applications need zero-knowledge even vs. cheating verifiers.
  • Main question: Does honest-verifier ZK=any-verifier ZK?
  • Motivation?
    • honest verifier classes suitable for study (e.g. complete problem, closure properties)
    • methodology: design honest-verifier proof and convert to any-verifier proof.
Any-verifier Statistical Zero-Knowledge

[Figure: Prover and Verifier exchange messages v1, p1, v2, ..., pk; Verifier outputs accept/reject]

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, for every poly-time verifier, there is a probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Computational Zero-Knowledge (CZK): require simulator distribution to be computationally indistinguishable rather than statistically close.


Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

  • honest-ver CZK=any-ver CZK=IP=PSPACE [GMW86,IY87,BGG+88,Sha90]
  • honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

  • For both computational and statistical zero-knowledge, honest-verifier=any-verifier for constant-round public-coin proofs [Dam93,DGW94]

Results on honest verifier vs. any verifier

Conditional Results:

If one-way functions exist,

  • honest-ver CZK=any-ver CZK=IP=PSPACE [GMW86,IY87,BGG+88,Sha90]
  • honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

  • For both computational and statistical zero-knowledge, honest-verifier=any-verifier for constant-round public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96])  honest-ver SZK=any-ver SZK

The Transformation

[Figure: Honest-verifier Proof System (Verifier sends random coins 1, Prover replies answer 1, random coins 2, ..., answer k, accept/reject) beside Any-verifier Proof System (Random Selection Protocol, answer 1, Random Selection Protocol, ..., answer k, accept/reject)]

Simulating the Transformed Pf System

1. Use honest-verifier simulator to generate a transcript

2. “Fill in” transcripts of Random Selection protocols

[Figure: transcripts for steps 1 and 2, each ending in accept/reject]

Desired Properties of Random Selection Protocol
  • Dishonest verifier:
  • Outcome  distributed almost uniformly.
  • Simulability: For (almost) every , can simulate RS protocol transcripts yielding output .
  • Dishonest prover:

(OK for soundness by parallel repetition of original proof system)

  • [GSV98] give a public-coin protocol with these properties (building on [DGW94]).
Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]

[Figure: Prover (unbounded) and Verifier (poly-time) have a shared random string; Prover sends a proof; Verifier outputs accept/reject]

  • On input x (instance of promise problem):
  • When x is a YES instance, Verifier accepts w.h.p.
  • When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.
Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

[Figure: Verifier's view consists of the shared random string and the proof]

Formally, there is a probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.

Note: above is “one proof” version.

Study of Noninteractive ZK
  • Motivation:
    • communication-efficient.
    • cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91]
  • Examples of NISZK proofs and some initial study in [BDMP91,BR90,DDP94,DDP97].
  • But most attention focused on NICZK, e.g. [FLS90,KP95].
  • [DDPY98] apply “complete problem methodology” to show IMAGE DENSITY complete for NISZK.
Complete Problems for NISZK [GSV99]

Thm: The following problems are complete for NISZK:

STATISTICAL DIFFERENCE FROM UNIFORM (SDU):

ENTROPY APPROXIMATION (EA):

Relating SZK and NISZK
  • Recall complete problems for SZK:
  • NISZK’s complete problems are natural restrictions of these.

 can use complete problems to relate SZK and NISZK.

  • Thm [GSV98]:SZKBPP  NISZKBPP.
  • Thm [GSV98]:
      • SZK=NISZK  NISZK closed under complement.
Summary
  • Recent work has refined our understanding of statistical zero-knowledge.
  • Main tools:
    • focus on public-coin proofs (via [Oka96])
    • complete problems [SV97]
  • Questions addressed:
    • closure properties
    • honest verifier vs. any verifier
    • interactive vs. noninteractive
Open Problems
1. Generalize more results/techniques to computational zero-knowledge or arguments.

2. Combinatorial or number-theoretic complete problems?

3. Does SZK=NISZK?

4. Show that SZKBPP if one-way functions exist (“converse” to [Ost91]).

5. Does SZK=PZK (“Perfect” zero-knowledge)?