An Investigation of Statistical Zero-Knowledge Proofs

An Investigation ofStatistical Zero-KnowledgeProofs Amit Sahai MIT Laboratory for Computer Science

Zero-knowledge Proofs [GMR85] • Protocol in which one party (“the prover”) convinces another party (“the verifier”) that some assertion is true • Verifier learns nothing except that the assertion is true • Statistical Zero Knowledge: Interpret condition that Verifier “learns nothing” in a strong information-theoretic sense

Our Investigation • Goal: Unified, Simpler, Deeper Understanding of Statistical Zero Knowledge • Results: • A Complete Problem for the class of assertions that admit Statistical Zero Knowledge proofs • Transformation that fortifies Statistical Zero Knowledge Proofs against abuse by dishonest parties

3 3 4 4 2 2 1 5 1 5 6 6 8 8 7 7 G1 G0 Example: GRAPH ISOMORPHISM Are these graphs the same under a relabeling of vertices? YES 1 2 3 4 5 6 7 8 6 2 8 1 4 5 3 7 Relabeling: G0G1

3 2 4 1 5 6 8 Prover Verifier Protocol for GRAPH ISOMORPHISM [GMW86] Input: Graphs (G0,G1 ) H= 1. Let H be randomly relabeled copy of G0 7 2.Flip coin{0,1} coin 3.Let  be relabeling mapping Gcoin to H  4. Check (Gcoin)=H

Motivation from Complexity • “Hard” problems admit statistical ZK proofs: • QUADRATIC (NON)RESIDUOSITY [GMR85], • GRAPH (NON)ISOMORPHISM [GMW86] • DISCRETE LOG [GK88], • APPROX SHORTEST AND CLOSEST VECTOR [GG97] • Yet NP-hard problems cannot have statistical ZK proofs(unless analogue of P=NP holds) [F87,AH87, BHZ87]

Motivation from Cryptography • Zero-knowledge  cryptographic protocols [GMW87] • Statistical ZK proofs: strongest security guarantee • Identification schemes [GMR85,FFS87] • Theoretical Point of View: • Can prove results without any unproven assumptions(Contrast with most security results in cryptography) • Can generalize results about Statistical ZKto other types of zero knowledge.

Our Results • A Complete Problem for Statistical Zero Knowledge • New characterization of Statistical ZK • Simplifies and unifies study of entire class • Applications: • Simple Statistical ZK Proof Systems • Simpler proofs of nearly all previous results • Statistical ZK Proofs for Complex Assertions

Our Results (cont.) • Fortifying Zero Knowledge Proofs against Cheating Verifiers • Show how to transform: Any proof that is ZK only for Honest Verifier into proof that is ZK for Any Verifier. • Requires no unproven assumptions • Extends to other forms of ZK as well

Based On Joint work with Oded Goldreich and Salil Vadhan: [Sahai Vadhan -- FOCS ‘97] [Goldreich Sahai Vadhan -- STOC ‘98] [Sahai Vadhan -- Randomization Methods ‘99] [Goldreich Sahai Vadhan -- CRYPTO ‘99]

What isStatistical Zero-Knowledge?

Promise Problems [ESY84] YES NO YES NO Language Promise Problem excluded inputs Example:UNIQUE SAT[VV86] USY = {formulas with exactly 1 satisfying assignment}USN = {formulas that are unsatisfiable}

v1 p1 v2 pk accept/reject Statistical Zero-Knowledge Proof [GMR85]for a promise problem  Prover Verifier • Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance. • When x is a YES instance, Verifier accepts w.h.p. • When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.

Statistical Zero-Knowledge Proof (cont.) v1 When x is a YES instance, Verifier can simulate her view of the interaction on her own. p1 v2 pk accept/reject Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically almost identical to Verifier’s view of interaction with Prover. Note: Definition assumes “honest verifier” SZK = {promise problems possessing such proofs}

v1 p1 v2 pk accept/ reject Statistical Zero Knowledge v1 p1 v2 pk accept/ reject  Infinitely Powerful

3 2 4 1 5 6 8 Prover Verifier Protocol for GRAPH ISOMORPHISM [GMW86] Input: Graphs (G0,G1 ) H= 1. Let H be randomly relabeled copy of G0 7 2.Flip coin{0,1} coin 3.Let  be relabeling mapping Gcoin to H  4. Check (Gcoin)=H

Simulator : - Pick G0 or G1at random first:coinÎR {0,1}. - Let H be random relabeling of Gcoin-- and call the relabeling . Output (H, coin, ). Zero-knowledgenessof GRAPHISO. Proof Protocol H: rdm relabeling of G0 coin: random bit : relabeling H Gcoin Simulator H: rdm relabeling of Gcoin coin: random bit : relabeling H Gcoin

G1 G0 H  Simulation is identical to actual protocol.

G1 G0 H Simulator : - Pick G0 or G1at random first:coinÎR {0,1}. - Let H be random relabeling of Gcoin-- and call the relabeling . Output (H, coin, ). Zero-knowledgenessof GRAPHISO. Proof Protocol H: rdm relabeling of G0 coin: random bit : relabeling H Gcoin Simulator H: rdm relabeling of Gcoin coin: random bit : relabeling H Gcoin  Simulation is identical to actual protocol.

A Complete Problem for SZK

Complete Problems • NP-completeness: •  is NP-complete if: • All problems in NP reduce to  •   NP • Negative View: NP-complete means “hard!” • Positive View: NP-complete means single problem characterizes all of NP! • Questions about NP  Questions about  • Our Goal: Find problem complete for SZK.

The Complexity of SZK • SZK contains “hard” problems [GMR85,GMW86,GK93,GG98] • Fortnow[F87]: First to argue about all problems in SZK • Tried to argue: If problem has Statistical Zero Knowledge proof, can’t be “too” hard: • i.e. SZK cannot contain NP-hard problems (unless analogue of P=NP holds) • Obtain upper-bound on complexity of SZK, but • does not give a characterizationof SZK.

Our Approach 1. Examine properties of the simulator’s output: Find properties that distinguish between YES and NO instances. 2. Embed these properties in a natural computational problem . 3. Exhibit a statistical zero-knowledge proof for .  is a complete problemfor SZK, i.e • every problem in SZK reduces to  (via 1,2). • SZK(by 3).

Statistical Difference between distributions Efficiently sampleable distributions Circuit

A Complete Problem Def:STATISTICAL DIFFERENCE (SD) is the following promise problem: C0 andC1 are efficientlysampleabledistributions SDY = {(C0, C1): StatDiff(C0, C1) > 2/3}SDN = {(C0, C1): StatDiff(C0, C1) < 1/3} Thm:SD is complete for SZK.

Meaning of Completeness Theorem • “The assertions that can be proven in statistical zero knowledge are exactly those that can be cast as comparing the statistical difference between two efficiently sampleable distributions.” • Characterizes Statistical Zero Knowledge with no reference to interaction or zero knowledge. • Tool for proving general theorems about SZK.

Our Approach 1. Examine simulator’s output: Find properties that distinguish between YES and NO instances. 2. Embed these properties in a natural computational problem . 3. Exhibit a statistical zero-knowledge proof for .  is a complete problemfor SZK, i.e • every problem in SZK reduces to  (via 1,2). • SZK(by 3).

Analyzing the Simulator • Think of simulator output as interaction between a Virtual Prover & Virtual Verifier. • We know:For a YESinstance, • 1. Virtual Prover makes Virtual Verifier accept w.h.p. • 2. Virtual Verifier “behaves like” Real Verifier. • Claim:For a NO instance, cannot have both conditions. • “Pf:”If both hold, consider Prover strategy which mimics Virtual Prover. This convince Real Verifier to accept a NO instance w.h.p.  • Main challenge: how to quantify “behaves like”

Public-coin proofs • Thm [Oka96]:Can transform any SZK proof into one where Verifier’s messages are just random coin flips. (such proofs called Public-Coin Proofs) random coins answer Prover Verifier random coins answer accept/reject

Analyzing the Simulator (cont.) • By [Oka96]:Can focus on Public-Coin Proofs. • Now examine condition: • 2. Virtual Verifier “behaves like” Real Verifier. • In a Public-Coin Proof, Virtual Verifier “behaves like” Real Verifier  Virtual Verifier’s coins are: • nearly uniform, and • nearly independent of conversation history. • Key observation: Both properties can be captured by statistical difference between samplable distributions!

STATISTICAL DIFFERENCE (SD): C0 andC1 are efficientlysampleabledistributions SDY = {(C0, C1): StatDiff(C0, C1) > 2/3}SDN = {(C0, C1): StatDiff(C0, C1) < 1/3} Proving that SD is complete for SZK (cont.) • Have argued: Every problem in SZK reduces to SD. • Still need: SD SZK.

Polarization Lemma Lemma:There exists an efficient transformation function(C0, C1)  (D0, D1) such that: StatDiff(C0, C1) > 2/3StatDiff(D0, D1) > 1 - 2-k StatDiff(C0, C1) < 1/3StatDiff(D0, D1) < 2-k • Independent repetition increases StatDiff ( 1) • Alternative method decreases StatDiff ( 0) • Prove Lemma by balancing both methods.

(C0, C1) Prover Verifier A Protocol for STATISTICAL DIFFERENCE 1. Both parties compute (D0, D1) using Polarization Lemma. 2. Flip coin{0,1}; sample  Dcoin sample 3. If sample more likely from D0, let guess = 0 else guess = 1. 4. Accept iff guess= coin guess Claim:Protocol is an SZK proof for SD.

Proving that SD is complete for SZK (cont.) • Have argued: Every problem in SZK reduces to SD. • Have argued: SD SZK. SD is complete for SZK

Applications of Complete Problem Methodology

Applications: Simple Protocols • Every problem in SZK can be reduced to SD. Every problem in SZK has proof system with: • 2 messages • only 1 bit of prover-to-verifier communication

Applications: Simpler proofs • Can simplify proofs of previously known results: • e.g. SZK cannot have NP-hard problems unless analogue of P=NP holds [F87,AH87] • e.g. SZK is closed under complementation [Oka96]:If  has Stat. ZK proof, so does . • many others...

Applications: Complex Assertions • In fact, can show SZK enjoys powerful closure properties. • e.g. Can prove in statistical zero knowledge: • All made possible by focusing on single complete problem. “Exactly n/2 of the graphs G1, G2, ..., Gn are isomorphic to each other!”

Defending AgainstCheating Verifiers

Cheating Verifiers • So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol. • Cryptographic applications: need protection fromparties that do not follow protocol. • Main Question: How much cheating can we tolerate?

Our Result • Answer: tolerate Any Verifier! • We show transformation: Any Proof that is ZK only for Honest Verifier Proof that is ZK for Any Verifier • No unproven assumptions. • Motivation: • All our results about SZK apply to Any-Verifier SZK. • Gives design methodology: • Design honest-verifier proof • Apply transformation to get Any-Verifier Proof

Any-Verifier Statistical Zero-Knowledge v1 When x is a YES instance, for every Verifier, can simulate Verifier’s view of the interaction. p1 v2 pk accept/reject Formally, for every Verifier,there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically almost identical to Verifier’s view of interaction with Prover.

Previous Results on Any-Verifier SZK • Results with assumptions:If one-way functions exist,Can transform Honest-Verifier SZK  (almost) Any-Verifier SZK [BMO90,OVY93,Oka96] • Results with no assumptions:Can transform Honest-Verifier SZK  Any-Verifier SZK but only for Constant-Round Public-Coin Proofs [Dam93,DGW94]

Our Approach • We show, with no assumptions:Can transform Honest-Verifier SZK  Any-Verifier SZK for all Public-coin proofs • In fact, our transformation extends to other types of ZK too. (Computational Zero Knowledge) • [Oka96]: Public-Coin is W.L.O.G. for SZKOur transformation works for all of SZK.

The Transformation random coins 1 Prover Verifier answer 1 random coins 2 Any-verifier Proof System answer k accept/reject Random Selection Protocol Honest-verifier Proof System Verifier Prover 1 answer 1 Random Selection Protocol 2 answer k accept/reject

Simulating the Transformed Pf System 1. Use honest-verifier simulator to generate a transcript 1 1 2 k accept/reject 1 answer 1 2 2. “Fill in” transcripts of Random Selection protocols answer k accept/reject

Can be seen as extracting randomness () from weak random source (cheating verifier) Desired Properties of Random Selection Protocol • No matter what Verifier does: • Output distribution of RS protocol is almost uniform • Moreover, given desired output  (chosen uniformly), can simulate RS protocol to force  to be output! • On the other hand, Prover can’t control output too much (otherwise Prover might be able to prove false assertions) • Key: New Lemma about Universal Hash Functions.

Conclusion • Before our work: Many isolated results on SZK. • Our Work: • A Complete Problem for SZK • Simplifies and unifies previous results • New results • Transform Any Proof that is ZK only for Honest Verifier Proof that is ZK for Any Verifier Coherent Picture of Statistical Zero Knowledge

Noninteractive Statistical Zero-Knowledge

Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91] shared random string Prover (unbounded) Verifier (poly-time) proof accept/reject • On input x (instance of promise problem): • When x is a YES instance, Verifier accepts w.h.p. • When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.

An Investigation of Statistical Zero-Knowledge Proofs

An Investigation of Statistical Zero-Knowledge Proofs

Presentation Transcript

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs and Nuclear Disarmament

Zero Knowledge Proofs of Identity

Using Zero Knowledge Proofs to Validate Electronic Votes

Zero-Knowledge Proofs

Honest-Verifier Statistical Zero-Knowledge Equals General Statistical Zero-Knowledge

An Investigation of Statistical Zero-Knowledge Proofs

Zero Knowledge Proofs

Zero-Knowledge Proofs

Statistical Zero-Knowledge

Zero-Knowledge Proofs

Zero-Knowledge Proofs

Introduction to Zero Knowledge Proofs

Pairing-Based Non-interactive Zero-Knowledge Proofs

Short Non-interactive Zero-Knowledge Proofs

Pairing-Based Non-interactive Zero-Knowledge Proofs

What is the Zero Knowledge proofs protocol System?

How Zero-Knowledge Proofs are Revolutionizing Blockchain Technology