1 / 78

Statistical Zero-Knowledge

Statistical Zero-Knowledge. Amit Sahai MIT Laboratory for Computer Science. Zero-knowledge Proofs [GMR85]. Protocol in which one party (“the prover”) convinces another party (“the verifier”) that some assertion is true Verifier learns nothing except that the assertion is true

tan
Download Presentation

Statistical Zero-Knowledge

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Statistical Zero-Knowledge Amit Sahai MIT Laboratory for Computer Science

  2. Zero-knowledge Proofs [GMR85] • Protocol in which one party (“the prover”) convinces another party (“the verifier”) that some assertion is true • Verifier learns nothing except that the assertion is true • Statistical Zero Knowledge: Interpret condition that Verifier “learns nothing” in a strong information-theoretic sense

  3. Example: GRAPH ISOMORPHISM 3 3 4 4 2 2 1 5 1 5 6 6 8 8 7 7 G1 G0 Are these graphs the same under a relabeling of vertices? YES 1 2 3 4 5 6 7 8 6 2 8 1 4 5 3 7 Relabeling: G0G1

  4. 3 2 4 1 5 6 8 Prover Verifier Protocol for GRAPH ISOMORPHISM [GMW86] Input: Graphs (G0,G1 ) H= 1. Let H be randomly relabeled copy of G0 7 2.Flip coin{0,1} coin 3.Let  be relabeling mapping Gcoin to H  4. Check (Gcoin)=H

  5. Intuition for GRAPHISOMORPHISM • Why is it convincing? • Suppose Prover is lying, i.e. G0 and G1 are NOT isomorphic: • Then H cannot be relabeling of bothG0 and G1: • If H is relabeling of G0, Prover fails when coin = 1 • If H is relabeling of G1, Prover fails when coin = 0 •  Prover fails with probability 1/2 • Repeat protocol k times  Prover fails at least once with probability  (1 - 2-k)

  6. Intuition for GRAPHISOMORPHISM (cont.) • Why does Verifier “learn nothing”? • At end, Verifier has transcript of protocol • Intuition: Verifier can generate transcript of protocolcompletely on her own: • Choose coin{0,1} first • Choose random relabeling . • Let H =(Gcoin). • Produce transcript: • 1.H • 2. coin • 3.

  7. Intuition for GRAPHISOMORPHISM (cont.) • Why does Verifier “learn nothing”? • Intuition: Anything Verifier learns from Prover, she could learn completely on her own: • At end, Verifier has transcript of protocol • We show: Verifier can generate transcript on her own: • Choose coin{0,1} first • Choose random relabeling . • Let H =(Gcoin). • Produce transcript: • 1.H • 2. coin • 3.

  8. Motivation from Complexity • “Hard” problems admit statistical ZK proofs: • QUADRATIC (NON)RESIDUOSITY [GMR85], • GRAPH (NON)ISOMORPHISM [GMW86] • DISCRETE LOG [GK88], • APPROX SHORTEST AND CLOSEST VECTOR [GG97] • Yet NP-hard problems cannot have statistical ZK proofs(unless analogue of P=NP holds) [F87,AH87, BHZ87]

  9. Complexity Picture NP HARD co-NP HARD SZK NP co-NP P NP -HardProblems

  10. Motivation from Complexity NP-HardProblems Separate by[F,AH,BHZ] SZK QUADRATIC (NON-)RESIDUOSITY[GMR85] GRAPH (NON-)ISOMORPHISM[GMW86] DISCRETE LOG[GK88] APPROX SHORTEST &CLOSEST VECTOR[GG97] P

  11. Motivation from Cryptography • Zero-knowledge  cryptographic protocols [GMW87] • Statistical ZK proofs: strongest security guarantee • Identification schemes [GMR85,FFS87] • Theoretical Point of View: • Can prove results without any unproven assumptions(Contrast with most security results in cryptography) • Can generalize results about Statistical ZKto other types of zero knowledge.

  12. Previous Work [GMR85] SpecificProblems [GMW86] [GK88] [GG97] Power of Prover [OVY90] [Ost91] [BP92] Complexity [For87] [AH87] [PT96] Robustness [BMO90] [OVY93] [Dam93] [DGW94] [Oka96] Knowledge Complexity [GP91] [ABV95] [PT96] [GOP98] Closure Properties [DDPY94] [Oka96] Important results, but fragmented, often incomplete, understanding

  13. Our Goal Unified, Simpler, Deeper Understandingof Statistical Zero Knowledge • Results: • A Complete Problem for the class of assertions that admit Statistical Zero Knowledge proofs • Transformation that fortifies Statistical Zero Knowledge Proofs against abuse by cheating Verifiers

  14. Our Results • A Complete Problem for Statistical Zero Knowledge • New characterization of Statistical ZK • Simplifies and unifies study of entire class • Applications: • Simple Statistical ZK Proof Systems • Simpler proofs of nearly all previous results • Statistical ZK Proofs for Complex Assertions

  15. Our Results (cont.) • Fortifying Zero Knowledge Proofs against Cheating Verifiers • Show how to transform: Any proof that is ZK only for Honest Verifier into proof that is ZK for Any Verifier. • Requires no unproven assumptions • Extends to other forms of ZK as well

  16. Based On Joint work with Oded Goldreich and Salil Vadhan: [Sahai Vadhan -- FOCS ‘97] [Goldreich Sahai Vadhan -- STOC ‘98] [Sahai Vadhan -- Randomization Methods ‘99] [Goldreich Sahai Vadhan -- CRYPTO ‘99]

  17. What isStatistical Zero-Knowledge?

  18. Promise Problems [ESY84] YES NO YES NO Language Promise Problem excluded inputs Example:UNIQUE SAT[VV86] USY = {formulas with exactly 1 satisfying assignment}USN = {formulas that are unsatisfiable}

  19. v1 p1 v2 pk accept/reject Statistical Zero-Knowledge Proof [GMR85]for a promise problem  Prover Verifier • Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance. • When x is a YES instance, Verifier accepts w.h.p. • When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.

  20. Statistical Zero-Knowledge Proof (cont.) v1 When assertion is true, Verifier can simulate her view of the interaction on her own. p1 v2 pk accept/reject Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically almost identical to Verifier’s view of interaction with Prover. Note: Definition assumes “honest verifier” SZK = {promise problems possessing such proofs}

  21. 3 2 4 1 5 6 8 Prover Verifier Protocol for GRAPH ISOMORPHISM [GMW86] Input: Graphs (G0,G1 ) H= 1. Let H be randomly relabeled copy of G0 7 2.Flip coin{0,1} coin 3.Let  be relabeling mapping Gcoin to H  4. Check (Gcoin)=H

  22. Simulator : 1. Choose coin{0,1} first 2. Choose random relabeling . 3. Let H =(Gcoin). Zero-knowledgenessof GRAPHISO. Proof Protocol H: rdm relabeling of G0 coin: random bit : relabeling Gcoin H Simulator H: rdm relabeling of Gcoin coin: random bit : relabeling Gcoin H

  23. G1 G0 H  Simulation is identical to actual protocol.

  24. G1 G0 H Simulator : 1. Choose coin{0,1} first 2. Choose random relabeling . 3. Let H =(Gcoin). Zero-knowledgenessof GRAPHISO. Proof Protocol H: rdm relabeling of G0 coin: random bit : relabeling Gcoin H Simulator H: rdm relabeling of Gcoin coin: random bit : relabeling Gcoin H  Simulation is identical to actual protocol.

  25. A Complete Problem for SZK

  26. Complete Problems • NP-completeness: • SATISFIABILITY(SAT) is NP-complete since: • All problems in NP reduce to SAT • SAT  NP • Negative View: NP-complete means “hard!” • Positive View: NP-complete means single problem characterizes all of NP! • Questions about NP  Questions about SAT • Our Goal: Find problem complete for SZK.

  27. The Complexity of SZK • SZK contains “hard” problems [GMR85,GMW86,GK93,GG98] • Fortnow[F87]: First to argue about all problems in SZK • Tried to argue: If problem has Statistical Zero Knowledge proof, can’t be “too” hard: • i.e. SZK cannot contain NP-hard problems (unless analogue of P=NP holds) • Obtain upper-bound on complexity of SZK, but • does not give a characterizationof SZK.

  28. Statistical Difference between distributions Samplable distributions Circuit

  29. Statistical Difference between distributions Samplable distributions Circuit

  30. Statistical Difference between distributions StatDiff(X, Y) = | Pr[X = z] - Pr[Y = z] | z Samplable distributions Circuit

  31. Statistical Difference between distributions X Y Samplable distributions Circuit Uniform Dist on {0,1}n Output Dist on {0,1}m

  32. A Complete Problem Def:STATISTICAL DIFFERENCE (SD) is the following promise problem: SDY = {(C0, C1): StatDiff(C0, C1) > 2/3}SDN = {(C0, C1): StatDiff(C0, C1) < 1/3} C0 andC1 are sampleabledistributions Thm:SD is complete for SZK.

  33. Completeness Theorem • The assertions provable in statistical zero knowledge are exactly those that can be cast as comparingthe statistical difference between two sampleable distributions. • Characterizes Statistical Zero Knowledge with no reference to interaction or zero knowledge. • Tool for proving general theorems about SZK.

  34. Our Approach • Must show: every problem in SZK reduces to SD • Make reduction using Simulator: • Find general properties of Simulator output that distinguish between YES and NO instances. • Embed these properties in our problem SD. • Finish completeness proof by exhibiting statistical zero-knowledge proof for SD.SDSZK

  35. Our Approach 1. Examine simulator’s output: Find general properties that distinguish between YES and NO instances. 2. Embed these properties in our problem SD. 3. Exhibit a statistical zero-knowledge proof for SD.  SDis a complete problemfor SZK, i.e • every problem in SZK reduces to SD (via 1,2). • SDSZK(by 3).

  36. Statistical Zero-Knowledge Proof (cont.) v1 When assertion is true, Verifier can simulate her view of the interaction on her own. p1 v2 pk accept/reject Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically almost identical to Verifier’s view of interaction with Prover. Note: Definition assumes “honest verifier” SZK = {promise problems possessing such proofs}

  37. G1 G0 H Simulator : 1. Choose coin{0,1} first 2. Choose random relabeling . 3. Let H =(Gcoin). Zero-knowledgenessof GRAPHISO. Proof Protocol H: rdm relabeling of G0 coin: random bit : relabeling Gcoin H Simulator H: rdm relabeling of Gcoin coin: random bit : relabeling Gcoin H  Simulation is identical to actual protocol.

  38. Analyzing the Simulator • Think of simulator output as interaction between a Virtual Prover & Virtual Verifier. • We know:For a YESinstance, • 1. Virtual Prover makes Virtual Verifier accept w.h.p. • 2. Virtual Verifier “behaves like” Real Verifier. • Claim:For a NO instance, cannot have both conditions. • “Pf:”If both hold, consider Prover strategy which mimics Virtual Prover. This convince Real Verifier to accept a NO instance w.h.p.  • Main challenge: how to quantify “behaves like”

  39. Public-coin proofs • Thm [Oka96]:Can transform any SZK proof into one where Verifier’s messages are just random coin flips. (such proofs called Public-Coin Proofs) random coins answer Prover Verifier random coins answer accept/reject

  40. Analyzing the Simulator (cont.) • By [Oka96]:Can focus on Public-Coin Proofs. • Now examine condition: • 2. Virtual Verifier “behaves like” Real Verifier. • In a Public-Coin Proof, Virtual Verifier “behaves like” Real Verifier  Virtual Verifier’s coins are: • nearly uniform, and • nearly independent of conversation history. • Key observation: Both properties can be captured by statistical difference between samplable distributions!

  41. Proving that SD is complete for SZK (cont.) • Have argued: Every problem in SZK reduces to SD. • Still need: SD SZK. STATISTICAL DIFFERENCE (SD): SDY = {(C0, C1): StatDiff(C0, C1) > 2/3}SDN = {(C0, C1): StatDiff(C0, C1) < 1/3} C0 andC1 are sampleabledistributions

  42. Polarization Lemma Lemma:There exists an efficient transformation function(C0, C1)  (D0, D1) such that: StatDiff(C0, C1) > 2/3StatDiff(D0, D1) > 1 - 2-k StatDiff(C0, C1) < 1/3StatDiff(D0, D1) < 2-k • Independent repetition increases StatDiff ( 1) • Alternative method decreases StatDiff ( 0) • Prove Lemma by balancing both methods.

  43. Statistical XOR Lemma • Given (C0, C1), • Let X0 = (Ccoin, Ccoin) wherecoinÎR{0,1} • Let X1 = (Ccoin, C1-coin) wherecoinÎR{0,1} • Then: StatDiff(X0, X1) =(StatDiff(C0, C1))2 • This is “alternative method” used in Polarization Lemma to decrease StatDiff

  44. (C0, C1) Prover Verifier A Protocol for STATISTICAL DIFFERENCE 1. Both parties compute (D0, D1) using Polarization Lemma. 2. Flip coin{0,1}; sample  Dcoin sample 3. If sample more likely from D0, let guess = 0 else guess = 1. 4. Accept iff guess= coin guess Claim:Protocol is an SZK proof for SD.

  45. Intuition for SD Protocol • Why convincing? • If (C0, C1) SDN, then StatDiff(D0, D1) < 2-k Prover gets caught with prob.  1/2 • If (C0, C1) SDY, then StatDiff(D0, D1) > 1-2-k Prover almost always guesses correctly • Zero Knowledge is trivial in this case: • Verifier only gets one bit (guess) from Prover • When assertion is true, almost always guess= coin • Verifier already knows coin!

  46. Proving that SD is complete for SZK (cont.) • Have argued: Every problem in SZK reduces to SD. • Have argued: SD SZK. SD is complete for SZK

  47. Consequences of Our Complete Problem

  48. Consequences: Simple Protocols • Every problem in SZK can be reduced to SD. Every problem in SZK has proof system with: • 2 messages • only 1 bit of prover-to-verifier communication

  49. Consequences: Simpler proofs • Can simplify proofs of previously known results: • e.g. SZK cannot have NP-hard problems unless analogue of P=NP holds [F87,AH87] • e.g. SZK is closed under complementation [Oka96]:If  has Stat. ZK proof, so does . • many others...

  50. Consequences: Complex Assertions • In fact, can show SZK enjoys powerful closure properties. • e.g. Can prove in statistical zero knowledge: • All made possible by focusing on single complete problem. “Exactly n/2 of the graphs G1, G2, ..., Gn are isomorphic to each other!”

More Related