statistical zero-knowledge arguments for np from any one-way function salil vadhan minh nguyen shien...

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Upload: amanda-hodgens

Post on 01-Apr-2015




0 download


Page 1: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Statistical Zero-Knowledge Arguments for NP

from Any One-Way Function

Salil Vadhan

Minh Nguyen Shien Jin Ong

Harvard University

Page 2: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Assumptions for Cryptography

One-way functions )– Pseudorandom generators [Hastad-Impagliazzo-Levin-Luby].– Pseudorandom functions & private-key cryptography


– Commitment schemes [Naor].– Zero-knowledge proofs for NP [Goldreich-Micali-Wigderson].– Digital signatures [Rompel].

Almost all cryptographic tasks ) one-way functions.[Impagliazzo-Luby, Ostrovsky-Wigderson]

Some tasks not “black-box reducible” to one-way fns.– Public-key encryption [Impagliazzo-Rudich]– Collision-resistant hashing [Simon]

Page 3: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Main Result

One-Way Functions ) Statistical Zero-Knowledge Arguments for NP

– Resolves an open problem posed by [Naor-Ostrovsky-Venkatesan-Yung92].

– OWF is essentially the minimal complexity assumption for ZK [Ostrovsky-Wigderson].

Page 4: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Notions of Zero Knowledge

Zero Knowledge– statistical– computational

Soundness– statistical (proofs)– computational (arguments)




Verifier learnsnothing

Verifier learnsnothing

Prover cannot convince Verifier offalse statements

Prover cannot convince Verifier offalse statements

Page 5: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Notions of Zero Knowledge

Zero Knowledge– statistical– computational

Soundness– statistical (proofs)– computational (arguments)



Verifier learnsnothing

Verifier learnsnothing

Prover cannot convince Verifier offalse statements

Prover cannot convince Verifier offalse statements

Thm [Fortnow,Aiello-Hastad]: Only languages in AMÅ co-AM have statistical ZK proofs.

Page 6: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Notions of Zero Knowledge

Zero Knowledge– statistical– computational

Soundness– statistical (proofs)– computational (arguments)



Verifier learnsnothing

Verifier learnsnothing

Prover cannot convince Verifier offalse statements

Prover cannot convince Verifier offalse statements

Thm [1980’s]: one-way functions ) all of NP has computational ZK proofs.

Page 7: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Notions of Zero Knowledge

Zero Knowledge– statistical– computational

Soundness– statistical (proofs)– computational (arguments)



Verifier learnsnothing

Verifier learnsnothing

Prover cannot convince Verifier offalse statements

Prover cannot convince Verifier offalse statements

Thm [today]: one-way functions ) all of NP has statistical ZK arguments.

Page 8: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Zero Knowledge for NP



ZK for NP[Goldreich-Micali-Wigderson]

[Hastad-Impagliazzo-Levin-Luby], [Naor]

computational zero-knowledge


Page 9: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Commitment Schemes

Polynomial time algorithm Com(b; K) s.t.

– HidingFor random K, Com(0; K) ¼ Com(1; K)

– BindingCom(b; K) cannot be opened to b’, where b’ b.


Commit:c = Com(b;K)


K Ã {0,1}*


Page 10: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Zero Knowledge for NP:Graph 3-Coloring Protocol






6P V

1. Randomly permutecoloring & commit to colors.

2. Pick random edge. (1,4)

4. Accept if colors different.

3. Send keys forendpoints.

Completeness: Graph 3-colorable ) V always accepts.

Page 11: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Zero Knowledge for NP:Graph 3-Coloring Protocol

[Goldreich- Micali-Wigderson]





6P V

1. Randomly permutecoloring & commit to colors.

2. Pick random edge. (1,4)

4. Accept if colors different.

3. Send keys forendpoints.

Soundness: Graph not 3-colorable ) V rejects w.p. ¸ 1/(# edges) because commitment binding

Page 12: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Zero Knowledge for NP:Graph 3-Coloring Protocol

[Goldreich- Micali-Wigderson]





6P V

1. Randomly permutecoloring & commit to colors.

2. Pick random edge. (1,4)

4. Accept if colors different.

3. Send keys forendpoints.

Zero knowledge: Graph 3-colorable ) Verifier learns nothing because commitment hiding

Page 13: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Zero Knowledge for NP



ZK for NP[Goldreich-Micali-Wigderson]

[Hastad-Impagliazzo-Levin-Luby], [Naor]

computational zero-knowledge


computationally hiding,statistically binding

Page 14: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Zero Knowledge for NP



ZK for NP[Brassard-Chaum-Crepeau]

statistical zero-knowledge


statistically hiding,computationally binding


Page 15: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Complexity of SZK Arguments for NP


claw-free perm

SZK argumentsstat. hiding

comp. bindingcommitments




collision-resistanthash functions

[GMR, Damgard]


Page 16: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Complexity of SZK arguments for NP


claw-free perm

one-way perm

regular OWF

SZK argumentsstat. hiding

comp. bindingcommitments


+ 05][N

OVY 92]




collision-resistanthash functions


Page 17: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Complexity of SZK arguments for NP


claw-free perm

one-way perm

regular OWF

one-way function

SZK argumentsstat. hiding

comp. bindingcommitments


+ 05][N

OVY 92]



collision-resistanthash functions


Page 18: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Complexity of SZK Arguments for NP


claw-free perm

one-way perm

regular OWF

one-way function

SZK arguments

stat. hiding1-out-of-2 comp. binding


stat. hidingcomp. bindingcommitments


+ 05][N

OVY 92]



collision-resistanthash functions


Page 19: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

1-out-of-2 binding commitments

Commitment in 2 phases.

Statistically hiding in both phases.

Computational binding in at least one phase.


S RPhase 1 commit:c = Com(1)(b;K)

Phase 1 reveal:(b,K)

Phase 2 commit:c’ = Com(2)(b’;K’)

Phase 2 reveal:(b’,K’)

Page 20: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Zero Knowledge for NP



ZK for NP[Nguyen-Vadhan06]

statistical zero-knowledge


statistically hiding,1-out-of-2 binding

Main Thm

Page 21: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Overview of our constructionfrom one-way functions




stat hiding1-out-of-2binding

StatisticalZK argumentfor NP

Page 22: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

OWF ) (1/n)-hiding

Starting Point:OWF w/ “approximable preimage size” ) stat. hiding commitments [HHK+05]

Idea: sender “guess” preimage size) hiding w.p. 1/n

Problem: sender sends overestimate.

Solution: use second phase to “prove” estimate correct [NV06]

– Main tool: interactive hashing [OVY]

Page 23: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

(1/n)-hiding ) (1)-hiding

Amplify in O(log n) stages– Each time -hiding 2-hiding– Inspired by [Reingold05,Dinur06]

Each Stage– O(1) repetitions of basic protocol– Combine using interactive hashing [OVY]– Analyze with nonstandard measures.

Page 24: Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University

Future Work

Standard statistically hiding commitments from OWF.– Useful for verifier commitments.– Many applications beyond ZK.

Better (sub-polynomial) round complexity– Open even for one-way permutations [NOVY].

Simplify the construction.