an investigation of statistical zero-knowledge proofs
DESCRIPTION
An Investigation of Statistical Zero-Knowledge Proofs. Amit Sahai MIT Laboratory for Computer Science. Zero-knowledge Proofs [GMR85]. One party (“the prover”) convinces another party (“the verifier”) that some assertion is true, The verifier learns nothing except that the assertion - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/1.jpg)
An Investigation ofAn Investigation ofStatistical Zero-KnowledgeStatistical Zero-Knowledge
ProofsProofs
Amit Sahai
MIT Laboratory for Computer Science
![Page 2: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/2.jpg)
Zero-knowledge Proofs [GMR85]Zero-knowledge Proofs [GMR85]
• One party (“the prover”) convinces another party (“the verifier”) that some assertion is true,
• The verifier learns nothing except that the assertionis true!
• Statistical zero-knowledge: variant in which “learns nothing” is interpreted in a very strong information-theoretic sense.
![Page 3: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/3.jpg)
Natural QuestionsNatural Questions
• What other assertions?
• Characterization?
• Efficiency of protocols?
• Cheating Verifiers?
![Page 4: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/4.jpg)
Motivation from CryptographyMotivation from Cryptography
• Statistical ZK proofs: strongest security guarantee
• Identification schemes [GMR85,FFS87]
• “Cleanest” model of ZK:
– allows for unconditional results (eg., [Oka96, GSV98])
– most suitable for initial study, later generalize techniques to other types of
ZK (eg., [Ost91,OW93,GSV98]).
• Zero-knowledge cryptographic protocols [GMW87]
• But statistical ZK proofs not as expressive as other types of ZK [GMW86,BCC87,F87,AH87]
Still study of statistical ZK useful:
![Page 5: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/5.jpg)
Motivation from ComplexityMotivation from Complexity
• Contains “hard” problems:
– QUADRATIC (NON)RESIDUOSITY [GMR85],
– GRAPH (NON)ISOMORPHISM [GMW86]
– DISCRETE LOG [GK88],
– APPROX SHORTEST AND CLOSEST VECTOR [GG97]
• Yet SZK AM coAM [F87,AH87], so unlikely to contain
NP-hard problems [BHZ87,Sch88]
• Has natural complete problems.
![Page 6: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/6.jpg)
What isWhat isStatistical Zero-Knowledge?Statistical Zero-Knowledge?
![Page 7: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/7.jpg)
YES NO YES NO
0,1 *0,1 *
Language Promise Problem
Example: UNIQUE SAT [VV86]
bleunsatisfia is
assignment satisfying 1exactly has
:US
:USY
N
excluded inputs
Promise Problems [ESY84]Promise Problems [ESY84]
![Page 8: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/8.jpg)
Statistical Zero-Knowledge Proof [GMR85]for a promise problem
v1
p1
v2
pk
accept/reject
Prover Verifier
Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance.
• When x is a YES instance, Verifier accepts w.h.p.
• When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.
![Page 9: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/9.jpg)
Statistical Zero-Knowledge Proof (cont.)
v1
p1
v2
pk
accept/reject
When x is a YES instance, Verifier can simulate her view of the interaction on her own.
Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.
Note: ZK for “honest verifier” only.
HVSZK = {promise problems possessing such proofs}
![Page 10: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/10.jpg)
X Y X Y Area
2
Statistical Difference between distributions
How circuits define distributions
circuit
n1,0 on dist uniform m0,1 ondist output
![Page 11: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/11.jpg)
Example: GExample: GRAPHRAPH I ISOMORPHISMSOMORPHISM
Are these graphs the same under a relabeling of vertices?
YES
6 2 8 1 4 5 3 7
1 2 3 4 5 6 7 8
Relabeling: G0 G1
1
2
34
5
6
78
1
2
34
5
6
78
G0 G1
![Page 12: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/12.jpg)
Protocol for GRAPH ISOMORPHISM [GMW86]
10 ,GG Graphs :Input
.0G
H
ofcopy isomorphic random Let
.1,0R
coin Flip
.HGcoin ifAccept
H
1.
2.
4.
Prover Verifier
Claim: Protocol is an (honest ver) SZK proof.
10 GG :YES
10 GG :NO
coin
3.
.HGcoin and between misomorphis
(random) a be Let
![Page 13: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/13.jpg)
Correctness of GCorrectness of GRAPHRAPH IISOSO. SZK Proof. SZK Proof
Completeness: accepts Verifier HGGG coin10
Soundness:
21 y probabilit withrejects Verifier
sends) prover whatmatter (no2
1 y probabilit with
H
HGGG coin10
What about zero-knowledgeness?
![Page 14: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/14.jpg)
Simulator :- Pick G0 or G1 at random first: coin R {0,1}.- Then let H be random relabeling of Gcoin -- and call the relabeling .Output (H, coin, ).
SimulatorH: rdm relabeling Of Gb
coin: random bit
: relabeling H Gb
ProtocolH: rdm relabeling Of G0
coin: random bit
: relabeling H Gb
H
G0G1
Zero-knowledgenessZero-knowledgeness of Gof GRAPHRAPH IISOSO. . Proof Proof
![Page 15: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/15.jpg)
Zero-knowledgenessZero-knowledgeness of Gof GRAPHRAPH IISOSO. . Proof Proof
Simulator on input (G0,G1):
,,
).(
.
.1,0
coinH
GH
S
coin
coin
nR
R
Output 4.
Let 3.
npermutatio random a Choose 2.
Flip 1.
Analysis: If G0 G1, then, in both simulator & protocol,
• H is a random isomorphic copy of G0 (equivalently, G1).
• coin is random & independent of H.
• is a random isomorphism between Gcoin and H.
distributions are identical.
![Page 16: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/16.jpg)
Other types of zero-knowledge proofs
• Different quality of simulation:HVPZK — “Perfect” : distributions identical
HVSZK — “Statistical”: statistically close (negligible deviation)
HVCZK — “Computational”: computationally indistinguishable.
• Cheating-verifier versions: PZK,SZK,CZK
• Complexity:– CZK=IP=PSPACE NP if one-way functions exist
[GMW86,IY87,BGG+88,LFKN90,Sha90]– but SZK unlikely to contain NP-hard problems [F87,AH87,BHZ87,Sch88]
![Page 17: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/17.jpg)
Other types of zero-knowledge proofs
• Different quality of simulation:HVPZK — “Perfect” : distributions identical
HVSZK — “Statistical”: statistically close (negligible deviation)
HVCZK — “Computational”: computationally indistinguishable.
• Cheating-verifier versions: PZK,SZK,CZK
• Private coins vs. Public coins:– Private coins: No restrictions on Verifier.– Public coins: Verifier only sends random bits.
![Page 18: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/18.jpg)
Results
• Complete problem for HVSZK [SV97]– New characterization of statistical zero-knowledge.– Simplify study of entire class.
• Applications of complete problems [SV97]– Very efficient HVSZK proofs.– Strong closure properties of HVSZK.– Simpler proofs of most previously known results.– Manipulating statistical properties of efficiently sampleable
distributions.– Knowledge complexity.
[Mostly joint work with Oded Goldreich and Salil Vadhan]
![Page 19: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/19.jpg)
Results (cont.)
• Private coins vs. public coins [GV99]– Transform any HVSZK proof system into a “public coin” one
(i.e., verifier’s messages are just random coins flips)– Originally proved by Okamoto [Oka96]; new proof much simpler
• Honest verifiers vs. cheating verifiers [GSV98]– Transform public-coin honest-verifier ZK proofs to cheating-
verifier ZK proofs.– Combining w/previous result, HVSZK=SZK.– Honest-verifier ZK results translate to cheating-verifier ZK.
• “Noninteractive” SZK [GSV99]– Complete problems related to those for SZK– Use these to compare the two classes.
![Page 20: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/20.jpg)
Complete Problems for HVSZK
![Page 21: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/21.jpg)
The Complexity of SZK
• SZK contains “hard” problems [GMR85,GMW86,GK93,GG98]
• Fortnow’s Methodology [F87]:
1. Find properties of simulator’s output that distinguishbetween YES and NO instances.
2. Show that these properties can be decided in lowcomplexity.
• Using this: SZK AM coAM. [F87,AH87]
• Obtain upper-bound on complexity of SZK, butdoes not give a characterization of SZK.
![Page 22: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/22.jpg)
Refinement of Fortnow Methodology [SV97]
is a complete problem for SZK, i.e– every problem in SZK reduces to (via 1,2). SZK (by 3).
1. Find properties of simulator’s output that distinguish between YES and NO instances.
2. Show that these properties can be decided in low complexity.
2. Embed these properties in a natural computational problem .
3. Exhibit a statistical zero-knowledge proof for .
![Page 23: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/23.jpg)
A Complete Problem
Def: STATISTICAL DIFFERENCE (SD) is the following promise problem:
SDY C0 ,C1 : C0 C1 23
SDN C0 ,C1 : C0 C1 13
C0 ,C1 are
circuits
Thm [SV97]: SD is complete for SZK.
![Page 24: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/24.jpg)
X Y X Y Area
2
Statistical Difference between distributions
How circuits define distributions
circuit
n1,0 on dist uniform m0,1 ondist output
![Page 25: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/25.jpg)
Meaning of Completeness Thm
• “The assertions that can be proven in statistical zero knowledge are exactly those that can be cast as comparing the statistical difference between two sampleable distributions.”
• Characterizes HVSZK with no reference to interaction or zero knowledge.
• Tool for proving general theorems about HVSZK.
• Results about HVSZK Techniques for manipulating sampleable distributions
![Page 26: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/26.jpg)
Refinement of Fortnow Methodology [SV97]
is a complete problem for SZK, i.e– every problem in SZK reduces to (via 1,2). SZK (by 3).
1. Find properties of simulator’s output that distinguish between YES and NO instances.
2. Show that these properties can be decided in low complexity.
2. Embed these properties in a natural computational problem .
3. Exhibit a statistical zero-knowledge proof for .
![Page 27: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/27.jpg)
Proof Ideas: Analyzing the simulator
• We know: For a YES instance,1. Simulator outputs accepting conversations w.h.p., and2. Simulated verifier “behaves like” real verifier.
• Claim: For a NO instance, cannot have both conditions.
• “Pf:” If both hold, contradict soundness of proof system byprover strategy which mimics simulated prover.
• Easy to distinguish between simulator outputting accepting conversations with high probability vs. low probability.
• Main challenge: how to quantify “behaves like.”
![Page 28: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/28.jpg)
Proof Ideas (cont.)• Thm I [Oka96]: SZK=public-coin SZK.
(i.e. can transform any SZK proof into one where verifier’s messages are just random coin flips)
• Now examine condition:2. Simulated verifier “behaves like” real verifier.
• In a public-coin proof, simulated verifier “behaves like”real verifier iff simulated verifier’s coins are • nearly uniform, and• nearly independent of conversation history.
• Key observation: Both properties can be captured by statistical difference between samplable distributions!
![Page 29: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/29.jpg)
Public-coin proofs [Bab85]
random coinsanswer
random coins
answeraccept/reject
Prover Verifier
![Page 30: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/30.jpg)
Proving that SD is complete for SZK (cont.)
• Have argued: Every problem in SZK reduces to SD.
• Still need: SD SZK.
![Page 31: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/31.jpg)
A Polarization Lemma
Lemma: There exists a poly-time computable function such that
1010 ,1,, DDCC k
C0 C1 23 D0 D1 1 2 k
C0 C1 13 D0 D1 2 k
Not just Chernoff bounds!
Chernoff bounds only yield:
C0 C1 1 e m 2 mC0
m C1 m
where m X def
m independent copies of X
![Page 32: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/32.jpg)
A Protocol for SD
C0 ,C1
).1,,Polarize(, 1010kCCDD compute Both
.
.1,0
coin
R
Dsample
coin
Sample
Flip
.
0
,]Pr[
]Pr[
1
0
1= let else
,= let
)
( If
guess
guess
sampleD
sampleD
.coinguess if Accept
sample
guess
1.
2.
3.
4.
Prover Verifier
Claim: Protocol is an (honest ver) SZK proof for SD.
![Page 33: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/33.jpg)
Properties of D0 and D1
kN
kY
DDCC
DDCC
2,StatDiffSD,
21,StatDiffSD,
1010
1010
parametersecurity where k
![Page 34: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/34.jpg)
Applications of Complete Problem Methodology
![Page 35: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/35.jpg)
Efficient HVSZK proof systems
• Cor: Every problem in HVSZK has an honest-verifier statistical zero-knowledge proof system with:
– 2 messages
– 1 bit of prover-to-verifier communication.
– soundness error 1/2+2-k
– completeness error & simulator deviation 2-k
– deterministic prover
(where k is a “security parameter” independent of input length)
![Page 36: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/36.jpg)
Other Benefits of Complete Problem [SV97]
• Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )
• Closure properties:– Previous results focused on specific problems or subclasses of SZK [DDPY94,DC95].– Can apply techniques of [DDPY94] to STATISTICAL DIFFERENCE to obtain results about all of SZK.
![Page 37: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/37.jpg)
Closure Properties of SZK
Thm [SV97]: LSZK (L) SZK, where
1)(,),(:,,,,)( 121 kLLk xxxxxL
= k-ary boolean formulaL= characteristic fn of L
Equivalently, SZK is closed under NC1-truth table reductions.
e.g. can prove “exactly k/2 of (x1, x2,..., xk) are in L” in SZK.
![Page 38: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/38.jpg)
Simplifying Okamoto’s Thm I [GV98]
Use the “complete problem methodology”:
1)H()H(,ED
1)H()H(,ED
0110
1010
CCCC
CCCC
N
Y
: :
• Reduce every problem in SZK to ED. (Uses analysis of simulator from [AH87].)
• Show that ED has a public-coin SZK proof system.(Employs two subprotocols of [Oka96].)
Consider promise problem ENTROPY DIFFERENCE (ED):
Main steps in proof:
xXxXXx
PrlogPr)H( functionentropy
![Page 39: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/39.jpg)
Simplifying Okamoto’s Thm I (cont.)
This gives:
• Simpler, modular proof that all of SZK haspublic-coins SZK proofs.
• ED is complete for SZK.
• (Yet another) proof that SZK is closed undercomplement.
• “weak-SZK” equals SZK.
![Page 40: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/40.jpg)
Honest verifier vs. any verifier
![Page 41: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/41.jpg)
Honest verifier vs. any verifier
• So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol.
• Cryptographic applications need zero-knowledge even vs. cheating verifiers.
• Main question: Does honest-verifier ZK=any-verifier ZK?
• Motivation?– honest verifier classes suitable for study
(e.g. complete problem, closure properties)– methodology: design honest-verifier proof and convert to any-verifier proof.
![Page 42: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/42.jpg)
Any-verifier Statistical Zero-Knowledge
v1
p1
v2
pk
accept/reject
When x is a YES instance, Verifier can simulate her view of the interaction on her own.
Formally, for every poly-time verifier, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.
Computational Zero-Knowledge (CZK): require simulator distribution to be computationally indistinguishable rather than statistically close.
![Page 43: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/43.jpg)
Conditional Results:
• honest-ver CZK=any-ver CZK=IP=PSPACE
[GMW86,IY87,BGG+88,Sha90]
If one-way functions exist,
• honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]
Unconditional Results:
• For both computational and statistical zero-knowledge,honest-verifier=any-verifier for constant-round public-coin proofs [Dam93,DGW94]
Results on honest verifier vs. any verifier
![Page 44: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/44.jpg)
• For both computational and statistical zero-knowledge,honest-verifier=any-verifier for constant-round public-coin proofs [Dam93,DGW94] [GSV98]
(+ [Oka96]) honest-ver SZK=any-ver SZK
![Page 45: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/45.jpg)
Conditional Results:
• honest-ver CZK=any-ver CZK=IP=PSPACE
[GMW86,IY87,BGG+88,Sha90]
If one-way functions exist,
• honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]
Unconditional Results:
• For both computational and statistical zero-knowledge,honest-verifier=any-verifier for constant-round public-coin proofs [Dam93,DGW94][GSV98]
(+ [Oka96]) honest-ver SZK=any-ver SZK
Results on honest verifier vs. any verifier
![Page 46: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/46.jpg)
The Transformationrandom coins 1
answer 1random coins 2
answer kaccept/reject
answer 1
answer kaccept/reject
Random SelectionProtocol
1
Random SelectionProtocol
2
Honest-verifier Proof System
Any-verifier Proof System
Prover Verifier
Prover Verifier
![Page 47: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/47.jpg)
Simulating the Transformed Pf System
answer 1
answer kaccept/reject
1
2
1. Use honest-verifier simulator to generate a transcript
1
12
kaccept/reject
2. “Fill in” transcripts ofRandom Selection
protocols
![Page 48: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/48.jpg)
Desired Properties of Random Selection Protocol
• Dishonest prover:
Sdensity2Pr nS
S
Outcome
, messages verifier of setany For
(OK for soundness by parallel repetition of original proof system)
• Dishonest verifier:
– Outcome distributed almost uniformly.
– Simulability: For (almost) every , can simulate RS protocol transcripts yielding output .
• [GSV98] give a public-coin protocol with these properties(building on [DGW94]).
![Page 49: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/49.jpg)
Noninteractive Statistical Zero-Knowledge
![Page 50: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/50.jpg)
Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]
proof
accept/reject
Prover(unbounded)
Verifier(poly-time)
shared random string
On input x (instance of promise problem):
• When x is a YES instance, Verifier accepts w.h.p.• When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.
![Page 51: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/51.jpg)
Noninteractive Statistical ZK (cont.)
When x is a YES instance, Verifier can simulate her view on her own.
Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.
proofZK lstatistica tivenoninterac has : NISZK
proof
shared random string
Note: above is “one proof” version.
![Page 52: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/52.jpg)
Study of Noninteractive ZK
• Motivation:– communication-efficient.– cryptography vs. active adversaries
[BFM88,BG89,NY90,DDN91]
• Examples of NISZK proofs and some initial study in [BDMP91,BR90,DDP94,DDP97].
• But most attention focused on NICZK, e.g. [FLS90,KP95].
• [DDPY98] apply “complete problem methodology” to show IMAGE DENSITY complete for NISZK.
![Page 53: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/53.jpg)
Complete Problems for NISZK [GSV99]
STATISTICAL DIFFERENCE FROM UNIFORM (SDU):
1)H(,EA
1)H(,EA
kXkX
kXkX
N
Y
:
:
nUXX
nUXX
N
Y
11,StatDiffSDU
1,StatDiffSDU
:
:
on
dist. uniform nU
1,0
functionentropy H
Thm: The following problems are complete for NISZK:
ENTROPY APPROXIMATION (EA):
![Page 54: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/54.jpg)
Relating SZK and NISZK
3
1,SD
32,SD
1010
1010
CCCC
CCCC
N
Y
:
: 1)H()H(,ED
1)H()H(,ED
0110
1010
CCCC
CCCC
N
Y
:
:
• Recall complete problems for SZK:
• NISZK’s complete problems are natural restrictions of these.
can use complete problems to relate SZK and NISZK.
• Thm [GSV98]: SZKBPP NISZKBPP.
• Thm [GSV98]: SZK=NISZK NISZK closed under complement.
![Page 55: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/55.jpg)
Summary
• Recent work has refined our understanding of statisticalzero-knowledge.
• Main tools: – focus on public-coin proofs (via [Oka96])– complete problems [SV97]
• Questions addressed:– closure properties– honest verifier vs. any verifier– interactive vs. noninteractive
![Page 56: An Investigation of Statistical Zero-Knowledge Proofs](https://reader035.vdocuments.us/reader035/viewer/2022062217/5681525f550346895dc091b3/html5/thumbnails/56.jpg)
Open Problems
5. Does SZK=PZK (“Perfect” zero-knowledge)?
3. Does SZK=NISZK?
2. Combinatorial or number-theoretic complete problems?
1. Generalize more results/techniques to computational zero-knowledge or arguments.
4. Show that SZKBPP if one-way functions exist (“converse” to [Ost91]).