An Investigation of Statistical Zero-Knowledge Proofs
Amit Sahai, MIT Laboratory for Computer Science
Zero-knowledge Proofs [GMR85]
• One party (“the prover”) convinces another party (“the verifier”) that some assertion is true.
• The verifier learns nothing except that the assertion is true!
• Statistical zero-knowledge: variant in which “learns nothing” is interpreted in a very strong information-theoretic sense.
Natural Questions
• What other assertions?
• Characterization?
• Efficiency of protocols?
• Cheating Verifiers?
Motivation from Cryptography
• Zero-knowledge cryptographic protocols [GMW87]
• But statistical ZK proofs not as expressive as other types of ZK [GMW86,BCC87,F87,AH87]
Still study of statistical ZK useful:
• Statistical ZK proofs: strongest security guarantee
• Identification schemes [GMR85,FFS87]
• “Cleanest” model of ZK:
  • allows for unconditional results (e.g., [Oka96, GSV98])
  • most suitable for initial study, later generalize techniques to other types of ZK (e.g., [Ost91,OW93,GSV98]).
Motivation from Complexity
• Contains “hard” problems:
  • QUADRATIC (NON)RESIDUOSITY [GMR85]
  • GRAPH (NON)ISOMORPHISM [GMW86]
  • DISCRETE LOG [GK88]
  • APPROX SHORTEST AND CLOSEST VECTOR [GG97]
• Yet SZK AM coAM [F87,AH87], so unlikely to contain NP-hard problems [BHZ87,Sch88]
• Has natural complete problems.
Promise Problems [ESY84]
[Figure: a Language (YES, NO) beside a Promise Problem (YES, NO, excluded inputs)]
Example: UNIQUE SAT [VV86]
Statistical Zero-Knowledge Proof [GMR85] for a promise problem
[Figure: Prover and Verifier exchange messages v1, p1, v2, pk; Verifier outputs accept/reject]
• Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance.
• When x is a YES instance, Verifier accepts w.h.p.
• When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.
Statistical Zero-Knowledge Proof (cont.)
[Figure: Prover and Verifier exchange messages v1, p1, v2, pk; Verifier outputs accept/reject]
When x is a YES instance, Verifier can simulate her view of the interaction on her own.
Formally, there is a probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.
Note: ZK for “honest verifier” only.
HVSZK = {promise problems possessing such proofs}
Statistical Difference between distributions
How circuits define distributions
[Figure: circuit]
Example: GRAPH ISOMORPHISM
Are these graphs the same under a relabeling of vertices? YES
[Figure: two 8-vertex graphs, G0 and G1]
Relabeling:
G0: 1 2 3 4 5 6 7 8
G1: 6 2 8 1 4 5 3 7
Protocol for GRAPH ISOMORPHISM [GMW86]
[Figure: Prover and Verifier, steps 1. 2. 3. 4.]
Claim: Protocol is an (honest ver) SZK proof.
Correctness of GRAPH ISO. SZK Proof
Completeness:
Soundness:
What about zero-knowledgeness?
Zero-knowledgeness of GRAPH ISO. Proof
Simulator:
- Pick G0 or G1 at random first: coin ∈R {0,1}.
- Then let H be random relabeling of Gcoin -- and call the relabeling .
Output (H, coin, ).
Protocol:
• H: random relabeling of G0
• coin: random bit
• : relabeling H Gb
Simulator:
• H: random relabeling of Gb
• coin: random bit
• : relabeling H Gb
Zero-knowledgeness of GRAPH ISO. Proof
Simulator on input (G0,G1):
Analysis: If G0 G1, then, in both simulator & protocol,
• H is a random isomorphic copy of G0 (equivalently, G1).
• coin is random & independent of H.
• is a random isomorphism between Gcoin and H.
• distributions are identical.
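Added example (not code from the talk): the honest-verifier GRAPH ISOMORPHISM exchange and the simulator from the two slides above, enumerated exactly on a small instance so the view distributions can be compared, plus the soundness check for non-isomorphic inputs. The names `rho`, `phi`, `pi`, the edge-set encoding and the 4-vertex sample graphs are assumptions of this example.

```python
import itertools
from collections import Counter
from fractions import Fraction

def relabel(graph, perm):
    """Apply the vertex relabeling v -> perm[v] to a set of edges."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in graph)

def answer_for_g1(rho, phi):
    """Relabeling pi with pi[phi[v]] = rho[v], so that pi(G1) = rho(G0)."""
    return tuple(rho[phi.index(i)] for i in range(len(phi)))

def verifier_accepts(graphs, h, coin, pi):
    """Honest verifier's final check: pi must map G_coin onto H."""
    return relabel(graphs[coin], pi) == h

def protocol_views(graphs, phi, n):
    """Exact distribution of the verifier's view (H, coin, pi) when the
    prover knows phi with phi(G0) = G1 and sends H = rho(G0)."""
    views = Counter()
    for rho in itertools.permutations(range(n)):   # prover's randomness
        for coin in (0, 1):                        # verifier's random bit
            pi = rho if coin == 0 else answer_for_g1(rho, phi)
            views[(relabel(graphs[0], rho), coin, pi)] += 1
    return views

def simulator_views(graphs, n):
    """Simulator from the slide: pick coin first, then a random relabeling
    pi of G_coin, and output (pi(G_coin), coin, pi)."""
    views = Counter()
    for coin in (0, 1):
        for pi in itertools.permutations(range(n)):
            views[(relabel(graphs[coin], pi), coin, pi)] += 1
    return views

def cheating_success(graphs, h, n):
    """Chance that a prover who already sent H can answer a uniform coin,
    allowing it the best possible pi for each coin value."""
    perms = list(itertools.permutations(range(n)))
    ok = [any(verifier_accepts(graphs, h, c, pi) for pi in perms) for c in (0, 1)]
    return Fraction(sum(ok), 2)

# Constructed sample instances: a 4-vertex path, a relabeled copy, and a star.
N, PHI = 4, (2, 0, 3, 1)
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])
YES = (G0, relabel(G0, PHI))
NO = (G0, frozenset(frozenset(e) for e in [(0, 1), (0, 2), (0, 3)]))
print(protocol_views(YES, PHI, N) == simulator_views(YES, N))
print(cheating_success(NO, G0, N))
```

On the isomorphic pair the two Counters are equal entry for entry, which is the "distributions are identical" line of the analysis; on the non-isomorphic pair any committed H can be opened for only one coin value.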
Other types of zero-knowledge proofs
• Different quality of simulation:
  HVPZK — “Perfect”: distributions identical
  HVSZK — “Statistical”: statistically close (negligible deviation)
  HVCZK — “Computational”: computationally indistinguishable.
• Cheating-verifier versions: PZK, SZK, CZK
• Complexity:
  • CZK=IP=PSPACE NP if one-way functions exist [GMW86,IY87,BGG+88,LFKN90,Sha90]
  • but SZK unlikely to contain NP-hard problems [F87,AH87,BHZ87,Sch88]
Other types of zero-knowledge proofs
• Different quality of simulation:
  HVPZK — “Perfect”: distributions identical
  HVSZK — “Statistical”: statistically close (negligible deviation)
  HVCZK — “Computational”: computationally indistinguishable.
• Cheating-verifier versions: PZK, SZK, CZK
• Private coins vs. Public coins:
  • Private coins: No restrictions on Verifier.
  • Public coins: Verifier only sends random bits.
Results [Mostly joint work with Oded Goldreich and Salil Vadhan]
• Complete problem for HVSZK [SV97]
  • New characterization of statistical zero-knowledge.
  • Simplify study of entire class.
• Applications of complete problems [SV97]
  • Very efficient HVSZK proofs.
  • Strong closure properties of HVSZK.
  • Simpler proofs of most previously known results.
  • Manipulating statistical properties of efficiently sampleable distributions.
  • Knowledge complexity.
Results (cont.)
• Private coins vs. public coins [GV99]
  • Transform any HVSZK proof system into a “public coin” one (i.e., verifier’s messages are just random coin flips)
  • Originally proved by Okamoto [Oka96]; new proof much simpler
• Honest verifiers vs. cheating verifiers [GSV98]
  • Transform public-coin honest-verifier ZK proofs to cheating-verifier ZK proofs.
  • Combining w/ previous result, HVSZK=SZK.
  • Honest-verifier ZK results translate to cheating-verifier ZK.
• “Noninteractive” SZK [GSV99]
  • Complete problems related to those for SZK
  • Use these to compare the two classes.
The Complexity of SZK
• SZK contains “hard” problems [GMR85,GMW86,GK93,GG98]
• Fortnow’s Methodology [F87]:
  1. Find properties of simulator’s output that distinguish between YES and NO instances.
  2. Show that these properties can be decided in low complexity.
• Using this: SZK AM coAM. [F87,AH87]
• Obtain upper-bound on complexity of SZK, but does not give a characterization of SZK.
Refinement of Fortnow Methodology [SV97]
1. Find properties of simulator’s output that distinguish between YES and NO instances.
2. Show that these properties can be decided in low complexity.
2. Embed these properties in a natural computational problem P.
3. Exhibit a statistical zero-knowledge proof for P.
is a complete problem for SZK, i.e.
• every problem in SZK reduces to (via 1,2).
• SZK (by 3).
A Complete Problem
Def: STATISTICAL DIFFERENCE (SD) is the following promise problem:
Thm [SV97]: SD is complete for SZK.
Meaning of Completeness Thm
• “The assertions that can be proven in statistical zero knowledge are exactly those that can be cast as comparing the statistical difference between two sampleable distributions.”
• Characterizes HVSZK with no reference to interaction or zero knowledge.
• Tool for proving general theorems about HVSZK.
• Results about HVSZK Techniques for manipulating sampleable distributions
Proof Ideas: Analyzing the simulator
• We know: For a YES instance,
  1. Simulator outputs accepting conversations w.h.p., and
  2. Simulated verifier “behaves like” real verifier.
• Claim: For a NO instance, cannot have both conditions.
  “Pf:” If both hold, contradict soundness of proof system by prover strategy which mimics simulated prover.
• Easy to distinguish between simulator outputting accepting conversations with high probability vs. low probability.
• Main challenge: how to quantify “behaves like.”
Proof Ideas (cont.)
• Thm I [Oka96]: SZK = public-coin SZK (i.e. can transform any SZK proof into one where verifier’s messages are just random coin flips).
• Now examine condition:
  2. Simulated verifier “behaves like” real verifier.
• In a public-coin proof, simulated verifier “behaves like” real verifier iff simulated verifier’s coins are
  • nearly uniform, and
  • nearly independent of conversation history.
• Key observation: Both properties can be captured by statistical difference between samplable distributions!
Public-coin proofs [Bab85]
[Figure: Verifier sends random coins, Prover returns an answer, repeated; Verifier outputs accept/reject]
Proving that SD is complete for SZK (cont.)
• Have argued: Every problem in SZK reduces to SD.
• Still need: SD SZK.
A Polarization Lemma
Lemma: There exists a poly-time computable function such that
Not just Chernoff bounds! Chernoff bounds only yield:
A Protocol for SD
[Figure: Prover and Verifier, steps 1. 2. 3. 4.]
Claim: Protocol is an (honest ver) SZK proof for SD.
Efficient HVSZK proof systems
• Cor: Every problem in HVSZK has an honest-verifier statistical zero-knowledge proof system with:
  • 2 messages
  • 1 bit of prover-to-verifier communication
  • soundness error 1/2 + 2^-k
  • completeness error & simulator deviation 2^-k
  • deterministic prover
(where k is a “security parameter” independent of input length)
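Added example (not code from the talk or from [SV97]): circuits used as samplers, their exact statistical difference, and a 2-message exchange with a 1-bit deterministic prover answer of the kind the corollary above describes. The sample-and-guess exchange, the matching simulator and the XOR construction are assumptions taken from the standard presentation of [SV97], since this page does not spell them out; the circuits `x0` and `x1` are constructed.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

def distribution(circuit, m):
    """Exact distribution of circuit(r) for r uniform over {0,1}^m."""
    counts = Counter(circuit(r) for r in product((0, 1), repeat=m))
    return {y: Fraction(c, 2 ** m) for y, c in counts.items()}

def statistical_difference(p, q):
    """Half the L1 distance between two distributions."""
    return sum(abs(p.get(y, 0) - q.get(y, 0)) for y in set(p) | set(q)) / 2

def prover_answer(p0, p1, y):
    """Deterministic prover: name the distribution more likely to give y."""
    return 0 if p0.get(y, 0) >= p1.get(y, 0) else 1

def acceptance_probability(p0, p1):
    """Verifier sends y ~ X_b for a secret uniform bit b and accepts iff
    the prover's one-bit answer equals b."""
    return sum(pr / 2 for b, dist in enumerate((p0, p1))
               for y, pr in dist.items() if prover_answer(p0, p1, y) == b)

def simulator_deviation(p0, p1):
    """The simulator outputs (y, b) with the answer always equal to b, so it
    differs from the real view exactly when the prover answers wrongly."""
    return 1 - acceptance_probability(p0, p1)

def xor_pair(p0, p1, b):
    """Distribution of (x, y) with x ~ X_c, y ~ X_(c xor b), c uniform."""
    dists, out = (p0, p1), Counter()
    for c in (0, 1):
        for (x, px), (y, py) in product(dists[c].items(), dists[c ^ b].items()):
            out[(x, y)] += px * py / 2
    return dict(out)

# Constructed sample circuits on 3 input bits (assumptions of this example).
def x0(r): return (r[0] & r[1] & r[2],)
def x1(r): return (r[0] | r[1] | r[2],)

P0, P1 = distribution(x0, 3), distribution(x1, 3)
DELTA = statistical_difference(P0, P1)
ACCEPT = acceptance_probability(P0, P1)
DELTA_XOR = statistical_difference(xor_pair(P0, P1, 0), xor_pair(P0, P1, 1))
print(DELTA, ACCEPT, DELTA_XOR)
```

With statistical difference δ the best prover is accepted with probability (1 + δ)/2, so δ near 1 gives small completeness error and simulator deviation while δ near 0 leaves the prover at about 1/2; the XOR pair has difference exactly δ², which shows how repetition can push a small difference toward 0.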
Other Benefits of Complete Problem [SV97]
• Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II])
• Closure properties:
  • Previous results focused on specific problems or subclasses of SZK [DDPY94,DC95].
  • Can apply techniques of [DDPY94] to STATISTICAL DIFFERENCE to obtain results about all of SZK.
Closure Properties of SZK
Thm [SV97]: LSZK (L) SZK, where
= k-ary boolean formula
L= characteristic fn of L
e.g. can prove “exactly k/2 of (x1, x2,...,xk) are in L” in SZK.
Equivalently, SZK is closed under NC1-truth table reductions.
Simplifying Okamoto’s Thm I [GV98]
Use the “complete problem methodology”:
Consider promise problem ENTROPY DIFFERENCE (ED):
Main steps in proof:
• Reduce every problem in SZK to ED. (Uses analysis of simulator from [AH87].)
• Show that ED has a public-coin SZK proof system. (Employs two subprotocols of [Oka96].)
Simplifying Okamoto’s Thm I (cont.)
This gives:
• Simpler, modular proof that all of SZK has public-coin SZK proofs.
• ED is complete for SZK.
• (Yet another) proof that SZK is closed under complement.
• “weak-SZK” equals SZK.
Honest verifier vs. any verifier
• So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol.
• Cryptographic applications need zero-knowledge even vs. cheating verifiers.
• Main question: Does honest-verifier ZK = any-verifier ZK?
• Motivation?
  • honest verifier classes suitable for study (e.g. complete problem, closure properties)
  • methodology: design honest-verifier proof and convert to any-verifier proof.
Any-verifier Statistical Zero-Knowledge
[Figure: Prover and Verifier exchange messages v1, p1, v2, pk; Verifier outputs accept/reject]
When x is a YES instance, Verifier can simulate her view of the interaction on her own.
Formally, for every poly-time verifier, there is a probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.
Computational Zero-Knowledge (CZK): require simulator distribution to be computationally indistinguishable rather than statistically close.
Results on honest verifier vs. any verifier
Conditional Results: If one-way functions exist,
• honest-ver CZK = any-ver CZK = IP = PSPACE [GMW86,IY87,BGG+88,Sha90]
• honest-ver SZK = any-ver SZK [BMO90,OVY93,Oka96]
Unconditional Results:
• For both computational and statistical zero-knowledge, honest-verifier = any-verifier for constant-round public-coin proofs [Dam93,DGW94]
Results on honest verifier vs. any verifier
Conditional Results: If one-way functions exist,
• honest-ver CZK = any-ver CZK = IP = PSPACE [GMW86,IY87,BGG+88,Sha90]
• honest-ver SZK = any-ver SZK [BMO90,OVY93,Oka96]
Unconditional Results:
• For both computational and statistical zero-knowledge, honest-verifier = any-verifier for constant-round public-coin proofs [Dam93,DGW94]
• [GSV98] (+ [Oka96]): honest-ver SZK = any-ver SZK
The Transformation
[Figure: Honest-verifier Proof System (random coins 1, answer 1, random coins 2, answer k, accept/reject) beside Any-verifier Proof System (Random Selection Protocol, 1, answer 1, Random Selection Protocol, 2, answer k, accept/reject)]
Simulating the Transformed Pf System
1. Use honest-verifier simulator to generate a transcript
2. “Fill in” transcripts of Random Selection protocols
[Figure: transcript 1, answer 1, 2, answer k, accept/reject]
Desired Properties of Random Selection Protocol
• Dishonest verifier:
  • Outcome distributed almost uniformly.
  • Simulability: For (almost) every , can simulate RS protocol transcripts yielding output .
• Dishonest prover: (OK for soundness by parallel repetition of original proof system)
• [GSV98] give a public-coin protocol with these properties (building on [DGW94]).
Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]
[Figure: shared random string; Prover (unbounded) sends proof to Verifier (poly-time); Verifier outputs accept/reject]
• On input x (instance of promise problem):
  • When x is a YES instance, Verifier accepts w.h.p.
  • When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.