Can Statistical Zero-Knowledge be made Non-Interactive?

Can Statistical Zero-Knowledgebe made Non-Interactive?

or

On the relationship of SZK and NISZK

Oded Goldreich, WeizmannAmit Sahai, MIT

Salil Vadhan, MIT

Zero-knowledge Proofs [GMR85]

• One party (“the prover”) convinces another party (“the verifier”) that some assertion is true,

• The verifier learns nothing except that the assertionis true!

• Statistical zero-knowledge: variant in which “learns nothing” is interpreted in a very strong sense.

Non-Interactive Zero-knowledge [BFM88,BDMP91]

• Can also define notion of Non-Interactive zero knowledge in shared random string model.

• We study relationship of SZK and NISZK.

• We show:

• Main tool: complete problems.

SZKBPP NISZKBPP.

NISZK closed under complement SZK=NISZK.

SZK: Motivation from Cryptography

• Statistical ZK proofs: strongest security guarantee

• Identification schemes [GMR85,FFS87]

• “Cleanest” model of ZK:

– allows for unconditional results

– most suitable for initial study, later generalize techniques to other

types of ZK (e.g., [Ost91,OW93,GSV98]).

• Zero-knowledge cryptographic protocols [GMW87]

• But statistical ZK proofs not as expressive as computational ZK or ZK arguments [GMW86,BCC87,F87,AH87]

Still study of statistical ZK useful:

SZK: Motivation from Complexity

• Contains “hard” problems:

– QUADRATIC (NON)RESIDUOSITY [GMR85],

– GRAPH (NON)ISOMORPHISM [GMW86]

– DISCRETE LOG [GK88],

– APPROX SHORTEST AND CLOSEST VECTOR [GG97]

• Yet SZK AM coAM [F87,AH87], so unlikely to contain

NP-hard problems [BHZ87,Sch88]

• Has natural complete problems [SV97, GV98].

• Closure Properties [SV99].

YES NO YES NO

0,1 *0,1 *

Language Promise Problem

Example: UNIQUE SAT [VV86]

bleunsatisfia is

assignment satisfying 1exactly has

:US

:USY

N

excluded inputs

Promise Problems [ESY84]

Statistical Zero-Knowledge Proof [GMR85]for a promise problem

v1

p1

v2

pk

accept/reject

Prover Verifier

Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance.

• When x is a YES instance, Verifier accepts w.h.p.• When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.

Statistical Zero-Knowledge Proof (cont.)

v1

p1

v2

pk

accept/reject

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view of interaction with Prover.

proof knowledge-zero lstatistica has : SZK Note: ZK for honest verifier only.

(WLOG by [GSV98].)

Completeness for SZK [SV97]

STATISTICAL DIFFERENCE (SD):

3

1),StatDiff(,SD3

2),StatDiff(,SD

YXYX

YXYX

N

Y

:

:

Thm[SV97,GV99]: SD and ED are complete for SZK.

1)H()H(,ED

1)H()H(,ED

XYYX

YXYX

N

Y

:

:

ENTROPY DIFFERENCE (ED):

X ,Y =probabilitydistributionsdefined by circuits

X Y2

Area),StatDiff( YX

Statistical Difference between distributions

How circuits define distributions

circuit

n1,0 on dist uniform m0,1 ondist output

xXxXXx

PrlogPr)H( functionentropy

Completeness for SZK [SV97]:What does it mean?

• SZK is closed under Karp reductions. [SV97]

is complete for SZK if:– Karp-reduces to for all SZK.– SZK.

• We show NISZK is closed under Karp reductions, too.So same notion of completeness applies for NISZK.

Benefits of Complete Problems [SV97]

• Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )

• Communication-efficient SZK proofs with exponentially small simulator deviation, for all of SZK.

• Closed under “boolean formula reductions,” equivalently, NC1-truth table reductions: new protocols! e.g. can give SZK proof for: “exactly n/2 of (G1,G2,…,Gn) are isomorphic to H, OR m is a Q.R. mod p.”

Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]

proof

accept/reject

Prover(unbounded)

Verifier(poly-time)

shared random string

On input x (instance of promise problem):

• When x is a YES instance, Verifier accepts w.h.p.• When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.

Noninteractive Statistical ZK (cont.)

When x is a YES instance, Verifier can simulate her view on her own.

Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view.

proofZK lstatistica tivenoninterac has : NISZK

proof


Note: above is “one proof” version.

Study of Noninteractive ZK

• Motivation:– communication-efficient.– cryptography vs. active adversaries

[BFM88,BG89,NY90,DDN91,S99,...]

• Examples of NISZK proofs and some initial study in [BDMP91,BR90,DDP94,DDP97]. Main Focus: QNR proof system

• But most attention focused on NICZK, e.g. [FLS90,KP95].

• [DDPY98] apply “complete problem methodology” to show IMAGE DENSITY complete for NISZK.

Complete Problems for NISZK

[DDPY98]: IMAGE DENSITY (ID)

circuitby encoded

ondistributi

support small has : ondistributi uniform to close is

C

CC

CC

N

Y

ID

:ID

Here: STATISTICAL DIFFERENCE FROM UNIFORM (SDU)and ENTROPY APPROXIMATION (EA)

1)H(,EA

1)H(,EA

kCkC

kCkC

N

Y

: :

nUCC

nUCC

N

Y

11SDU

1SDU

:

:

difference lstatistica

on ondistributi uniform

nU 1,0 functionentropy H


STATISTICAL DIFFERENCE FROM UNIFORM (SDU):

1)H(,EA

1)H(,EA

kXkX

kXkX

N

Y

:

:

nUXX

nUXX

N

Y

11,StatDiffSDU

1,StatDiffSDU

:

:

on

dist. uniform nU

1,0

functionentropy H

Thm: The following problems are complete for NISZK:

ENTROPY APPROXIMATION (EA):

Relating SZK and NISZK

• Recall complete problems for SZK:

• NISZK’s complete problems are natural restrictions of these.

can use complete problems to relate SZK and NISZK.

• Thm: NISZKBPP SZKBPP.

• Thm: NISZK closed under complement SZK=NISZK.

3

1),StatDiff(,SD3

2),StatDiff(,SD

YXYX

YXYX

N

Y

:

: 1)H()H(,ED

1)H()H(,ED

XYYX

YXYX

N

Y

:

:

Two Problems

1)H()H(,ED

1)H()H(,ED

XYYX

YXYX

N

Y

:

:

ENTROPY DIFFERENCE (ED):

X ,Y =probabilitydistributionsdefined by circuits

1)H(,EA

1)H(,EA

kXkX

kXkX

N

Y

:

:


EA is complete for NISZK

ED is complete for SZK

Reducing ED to EA

H(Y) H(X)

0 n

H(Y’) H(X’)

Let X’ =XXXX, and Y’ =YYYY.

Say H(X) H(Y)+1 (YES Instance of ED):

k k+1k-1

NYY kYkXYX EA ),'( AND EA ),'( ORED,4n

1k

so,

1 2 n-1

Reducing ED to EA (cont.)

H(X) H(Y)

0

H(X’) H(Y’)

Now, say H(Y) H(X)+1 (NO Instance of ED):

so,

YNN kYkXYX EA ),'( OR EA ),'( ANDED,4n

1k

H(Y’) k+1 H(X’) k-1

n1 2 n-1

m

Let X’ =XXXX, and Y’ =YYYY.

Reducing ED to EA (cont.)

• Thus, we have “boolean formula reduction:”

YNN

NYY

kYkXYX

kYkXYX

EA ),'( OR EA ),'( ANDED,

EA ),'( AND EA ),'( ORED,

4n

1k

4n

1k

' and ' 44 YYXXWhere:

Consequences for SZK and NISZK

• Thm: NISZKBPP SZKBPP

Proof: Suppose NISZK=BPP. BPP is closed under boolean formula reductions; Hence using formula, can put ED in BPP. Thus, SZK=BPP.

• In fact, can show: NISZK = co-NISZK NISZK closed under (const. depth) boolean formula reductions and hence ED NISZK SZK = NISZK

Completeness of EA and SDU

• Strategy:

• NISZK SDU (in fact, this is easy part)

• SDU EA (also easy)

• EA NISZK (technically hardest part)


STATISTICAL DIFFERENCE FROM UNIFORM (SDU):

1)H(,EA

1)H(,EA

kXkX

kXkX

N

Y

:

:

nUXX

nUXX

N

Y

11,StatDiffSDU

1,StatDiffSDU

:

:

on

dist. uniform nU

1,0

functionentropy H

Thm: The following problems are complete for NISZK:




Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically indistinguishable from Verifier’s view.


proof



NISZK SDU

• Assume NISZK system with negligible completeness and soundness for .

• Let X be circuit that:• Runs simulator to produce (R, proof)• If Verifier rejects (R, proof), output .• If Verifier accepts, output R.

• Y Verifier almost always accepts, R close to uniform.

• N Verifier accepts only for negl. fraction of possible R. Hence, output is from space of negligible size, thus far from uniform.


• Strategy:




SDU EA

• Let X be instance of SDU with output size n.• Reduction: X (X,n - 3)

• For any distributions Y,Z on {0,1}n, we have:

| H(Y) - H(Z) | n StatDiff(Y,Z) + H2(StatDiff(Y,Z))

• Let Y=Uniform(n), Z=X.

• SDUY n - H(X) n (1/n) + H2(StatDiff(U,X)) < 2 So H(X) n - 2 = (n - 3)+1

• SDUN H(X) n - log(n) +1 < (n - 3) - 1.


• Strategy:




EA NISZK

• Basic Protocol:

• Transform instance (X,k) into Z such that:

– (X,k) EAY Z is close to uniform

– (X,k) EAN Z has tiny support

• Protocol:– P selects r uniformly among preimages of reference string R under Z, sends r to V

– V checks that Z(r) = R

Flatness and Typicality

• x is typical for distribution X if Pr[X=x] 2-H(X)

• Distribution X is nearly flat if with very high prob over x X, x is typical for X.

• Note that for any X, if X’ = many copies of X, then X’ will be nearly flat.

• Can apply Leftover Hash Lemma to nearly flat distributions to obtain nearly uniform distribution.

Transformation (I)

• Stage I:

• Let X’ be many copies of X:

• EAY H(X’) N + gap• EAN H(X’) N - gap

• X’ is nearly flat

Transformation (II)

• Stage II:

• Let Y=(h, h(X’)) , where h is random universal hash fn.

• By Leftover Hash Lemma, EAY StatDiff( Y, Uniform( N’ ) ) = 2-(n)

• EAN H(Y) N’ - 1

Transformation (III)

• Stage III:

• Let Y’ be many copies of Y

• EAY StatDiff( Y’, Uniform( N’’ ) ) = poly(n) 2-(n) = 2-(n)

• EAN H(Y’) N’’ - gap

• Again, Y’ is nearly flat in both cases.

Transformation (IV)

• Final Stage:

• Let Z(h,r)=( Y’(r), h, h(r) )

• This is essentially a “lower-bound protocol” on inputs to Y’.

• EAY Because Y’ is nearly uniform, for almost all y, roughly same (large) number of r such that Y’(r)=y. By LHL, conditioned on most y, (h, h(r)) is close to uniform. Z is close to uniform.

Transformation (IV cont.)

• EAN H(Y’) N’’ - gap & Y’ {0,1}N’’and nearly flat

• Want to show Z(h,r)=( Y’(r), h, h(r) ) has tiny support.

• Case 1: Pr[Y’=y] is tiny, i.e. very few r such that Y’(r)=y h(r) has tiny range.

• Case 2: tiny < Pr[Y’=y] << 2-(N’’ - gap). By flatness, prob of such y is very small. However, each y is not too unlikely, very few such y exist.

• Case 3: Pr[Y’=y] 2-(N’’ - gap+slack) >> 2-N’’

by def. of probability, very few such y.

Conclusions

• Find that natural restrictions (one-sided versions) of complete problems for SZK are complete for NISZK

• Use this to relate classes.

• In particular find that if NISZK=co-NISZK, then SZK=NISZK.

• NISZK is richer than one might have thought...

• Main Open Question: Is NISZK = co-NISZK?

Reducing ED to EA

• Idea: Guess a number between H(X) and H(Y):

YNN

NYY

kYkXYX

kYkXYX

EA ),'( OR EA ),'( ANDED,

EA ),'( AND EA ),'( ORED,

n

1k

n

1k

• Thm: NISZKBPP SZKBPP Proof: Suppose NISZK=BPP. BPP is closed under

• Thm: NISZK closed under complement SZK=NISZK.

Organization

• Motivation

• What is statistical zero-knowledge?

• The complexity of statistical zero-knowledge

• Honest verifier vs. any verifier

• Noninteractive statistical zero-knowledge

Will not address works on power of the prover [BP92] or knowledge complexity [GMR85,GP91,GOP94,ABV95,PT96]

What is Statistical Zero-Knowledge?


proof

accept/reject

Prover(unbounded)

Verifier(poly-time)






Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.


proof





[BFM88,BG89,NY90,DDN91]

• Examples of NISZK proofs and some initial study in [BDMP91,BR90,DDP94,DDP97].




circuitby encoded

ondistributi


C

CC

CC

N

Y

ID

:ID

[GSV98]: STATISTICAL DIFFERENCE FROM UNIFORM (SDU)and ENTROPY APPROXIMATION (EA)

1)H(,EA

1)H(,EA

kCkC

kCkC

N

Y

: :

nUCC

nUCC

N

Y

11SDU

1SDU

:

:





3

1,SD

32,SD

1010

1010

CCCC

CCCC

N

Y

:

: 1)H()H(,ED

1)H()H(,ED

0110

1010

CCCC

CCCC

N

Y

:

:




• Thm [GSV98]: SZKBPP NISZKBPP.

• Thm [GSV98]: SZK=NISZK NISZK closed under complement.

Example: GRAPH ISOMORPHISM [GMW86]

10 ,GG Graphs :Input

.0G

H

ofcopy isomorphic random Let

.1,0R

coin Flip

.HGcoin ifAccept

H

1.

2.

4.

Prover Verifier

Claim: Protocol is an (honest ver) SZK proof.

10 GG :YES

10 GG :NO

coin

3.

.HGcoin and between misomorphis

(random) a be Let

Correctness of GRAPH ISO. SZK Proof

Completeness: accepts Verifier HGGG coin10

Soundness:

21 y probabilit withrejects Verifier

sends) prover whatmatter (no2

1 y probabilit with

H

HGGG coin10

What about zero-knowledgeness?

Zero-knowledgeness of GRAPH ISO. Proof

Simulator on input (G0,G1):

,,

).(

.

.1,0

coinH

GH

S

coin

coin

nR

R

Output 4.

Let 3.

npermutatio random a Choose 2.

Flip 1.

Analysis: If G0 G1, then, in both simulator & protocol,

• H is a random isomorphic copy of G0 (equivalently, G1).

• coin is random & independent of H.

• is a random isomorphism between Gcoin and H.

distributions are identical.

Some Issues in Zero-Knowledge Proofs

• “Honest” verifiers versus cheating verifiers.• Quality of simulation:

PZK — “Perfect” : distributions identical

SZK — “Statistical”: statistically close (negligible deviation)

CZK — “Computational”: computationally indistinguishable.

• Private coins vs. public coins.• Resources — # rounds, communication.• Error parameters (completeness, soundness, simulation).

• Complexity: Does it capture NP?– CZK=IP=PSPACE NP if one-way functions exist

[GMW86,BGG+88,LFKN90,Sha90]– but SZK unlikely to contain NP-hard problems [F87,AH87,BHZ87]

The Complexity of SZK

The Complexity of SZK

• SZK contains “hard” problems [GMR85,GMW86,GK93,GG98]

• Fortnow’s Methodology [F87]:

1. Find properties of simulator’s output that distinguishbetween YES and NO instances.

2. Show that these properties can be decided in lowcomplexity.

• Using this: SZK AM coAM. [F87,AH87]

• Obtain upper-bound on complexity of SZK, butdoes not give a characterization of SZK.

Analyzing the simulator

• We know: For a YES instance,1. Simulator outputs accepting conversations w.h.p., and2. Simulated verifier “behaves like” real verifier.

• Claim: For a NO instance, cannot have both conditions.

• “Pf:” If both hold, contradict soundness of proof system byprover strategy which mimics simulated prover.

• Easy to distinguish between simulator outputting accepting conversations with high probability vs. low probability.

• Main challenge: how to quantify “behaves like.”

Public coins vs. Private coins

Thm II [Oka96]: SZK is closed under complement.

Thm I [Oka96]: SZK=public-coin SZK. (i.e. can transform any SZK proof into one where verifier’s messages are just random coin flips)

Public-coin proofs simpler to analyze/manipulate. (e.g. result for interactive pfs [GS86] found many applications [IY87,BGG+88,FGM+89])

Proofs very complicated, especially Thm I.

SZK)SZK coin-public showing by (proved

Public-coin proofs [Bab85]

random coinsanswer

random coins

answeraccept/reject

Prover Verifier

Refinement of Fortnow Methodology [SV97]

is a complete problem for SZK, i.e– every problem in SZK reduces to (via 1,2). SZK (by 3).

1. Find properties of simulator’s output that distinguish between YES and NO instances (may focus on public-coin proofs by [Oka96]).

2. Show that these properties can be decided in low complexity.

2. Embed these properties in a natural computational problem .

3. Exhibit a statistical zero-knowledge proof for .

A Complete Problem

Def: STATISTICAL DIFFERENCE (SD) is the following promise problem:

SDY C0 ,C1 : C0 C1 23

SDN C0 ,C1 : C0 C1 13

C0 ,C1 are

circuits

Thm [SV97]: SD is complete for SZK.

Characterizes SZK with no reference to interaction or zero-knowledge!

X Y X Y Area

2

Statistical Difference between distributions

How circuits define distributions

circuit

n1,0 on dist uniform m0,1 ondist output

Analyzing the simulator of public-coin proof• We know: For a YES instance,

1. Simulator outputs accepting conversations w.h.p., and2. Simulated verifier “behaves like” real verifier.

• Claim: For a NO instance, cannot have both conditions.

• Easy to distinguish between simulator outputting accepting conversations with high probability vs. low probability.

• In a public-coin proof, simulated verifier “behaves like”real verifier iff simulated verifier’s coins are • nearly uniform, and• nearly independent of conversation history.

• Key observation: Both properties can be captured by statistical difference between samplable distributions!

Proving that SD is complete for SZK (cont.)

• Have argued: Every problem in SZK reduces to SD.

• Still need: SD SZK.

A Polarization Lemma

Lemma: There exists a poly-time computable function such that

1010 ,1,, DDCC k

C0 C1 23 D0 D1 1 2 k

C0 C1 13 D0 D1 2 k

Not just Chernoff bounds!

Chernoff bounds only yield:

C0 C1 1 e m 2 mC0

m C1 m

where m Xdef

m independent copies of X

A Protocol for SD

C0 ,C1

).1,,Amplify(, 1010nCCDD compute Both

.

.1,0

coin

R

Dsample

coin

Sample

Flip

.

0

,]Pr[

]Pr[

1

0

1= let else

,= let

)

( If

guess

guess

sampleD

sampleD

.coinguess if Accept

sample

guess

1.

2.

3.

4.

Prover Verifier

Claim: Protocol is an (honest ver) SZK proof for SD.

Properties of D0 and D1

nN

nY

DDCC

DDCC

2SD,

21SD,

1010

1010

10 ,CCn where

Benefits of Complete Problem [SV97]

• Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )

• Communication-efficient SZK proofs (1 round, prover sends 1 bit to achieve soundness 1/2)

• Closure properties:– Previous results focused on specific problems or subclasses of SZK [DDPY94,DC95].– Can apply techniques of [DDPY94] to STATISTICAL DIFFERENCE to obtain results about all of SZK.

Closure Properties of SZK

Thm [SV97]: LSZK (L) SZK, where

1)(,),(:,,,,)( 121 kLLk xxxxxL

= k-ary boolean formulaL= characteristic fn of L

Equivalently, SZK is closed under NC1-truth table reductions.

e.g. can prove “exactly k/2 of (x1, x2,..., xk) are in L” in SZK.

Simplifying Okamoto’s Thm I [GV98]

Use the “complete problem methodology”:

1)H()H(,ED

1)H()H(,ED

0110

1010

CCCC

CCCC

N

Y

: :

• Reduce every problem in SZK to ED. (Uses analysis of simulator from [AH87].)

• Show that ED has a public-coin SZK proof system.(Employs two subprotocols of [Oka96].)

Consider promise problem ENTROPY DIFFERENCE (ED):

Main steps in proof:

xXxXXx

PrlogPr)H( functionentropy

Simplifying Okamoto’s Thm I (cont.)

This gives:

• Simpler, modular proof that all of SZK haspublic-coins SZK proofs.

• ED is complete for SZK.

• (Yet another) proof that SZK is closed undercomplement.

• “weak-SZK” equals SZK.

Honest verifier vs. any verifier

Honest verifier vs. any verifier

• So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol.

• Cryptographic applications need zero-knowledge even vs. cheating verifiers.

• Main question: Does honest-verifier ZK=any-verifier ZK?

• Motivation?– honest verifier classes suitable for study

(e.g. complete problem, closure properties)– methodology: design honest-verifier proof and convert to any-verifier proof.

Any-verifier Statistical Zero-Knowledge

v1

p1

v2

pk

accept/reject

When x is a YES instance, Verifier can simulate her view of the interaction on her own.

Formally, for every poly-time verifier, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.

Computational Zero-Knowledge (CZK): require simulator distribution to be computationally indistinguishable rather than statistically close.

Conditional Results:

• honest-ver CZK=any-ver CZK=IP=PSPACE

[GMW86,IY87,BGG+88,Sha90]

If one-way functions exist,

• honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

• For both computational and statistical zero-knowledge,honest-verifier=any-verifier for constant-round public-coin proofs [Dam93,DGW94]

Results on honest verifier vs. any verifier

• For both computational and statistical zero-knowledge,honest-verifier=any-verifier for constant-round public-coin proofs [Dam93,DGW94] [GSV98]

(+ [Oka96]) honest-ver SZK=any-ver SZK

Conditional Results:

• honest-ver CZK=any-ver CZK=IP=PSPACE

[GMW86,IY87,BGG+88,Sha90]

If one-way functions exist,

• honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]

Unconditional Results:

• For both computational and statistical zero-knowledge,honest-verifier=any-verifier for constant-round public-coin proofs [Dam93,DGW94][GSV98]

(+ [Oka96]) honest-ver SZK=any-ver SZK

Results on honest verifier vs. any verifier

The Transformationrandom coins 1

answer 1random coins 2

answer kaccept/reject

answer 1

answer kaccept/reject

Random SelectionProtocol

1

Random SelectionProtocol

2

Honest-verifier Proof System

Any-verifier Proof System

Prover Verifier

Prover Verifier

Desired Properties of Random Selection Protocol

• Dishonest prover:

Sdensity2Pr nS

S

Outcome

, messages verifier of setany For

(OK for soundness by parallel repetition of original proof system)

• Dishonest verifier:

– Outcome distributed almost uniformly.

– Simulability: For (almost) every , can simulate RS protocol transcripts yielding output .

• [GSV98] give a public-coin protocol with these properties(building on [DGW94]).

Noninteractive Statistical Zero-Knowledge


proof

accept/reject

Prover(unbounded)

Verifier(poly-time)






Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.


proof





[BFM88,BG89,NY90,DDN91]

• Examples of NISZK proofs and some initial study in [BDMP91,BR90,DDP94,DDP97].




circuitby encoded

ondistributi


C

CC

CC

N

Y

ID

:ID

[GSV98]: STATISTICAL DIFFERENCE FROM UNIFORM (SDU)and ENTROPY APPROXIMATION (EA)

1)H(,EA

1)H(,EA

kCkC

kCkC

N

Y

: :

nUCC

nUCC

N

Y

11SDU

1SDU

:

:





3

1,SD

32,SD

1010

1010

CCCC

CCCC

N

Y

:

: 1)H()H(,ED

1)H()H(,ED

0110

1010

CCCC

CCCC

N

Y

:

:




• Thm [GSV98]: SZKBPP NISZKBPP.

• Thm [GSV98]: SZK=NISZK NISZK closed under complement.

Summary

• Recent work has refined our understanding of statisticalzero-knowledge.

• Main tools: – focus on public-coin proofs (via [Oka96])– complete problems [SV97]

• Questions addressed:– closure properties– honest verifier vs. any verifier– interactive vs. noninteractive

Open Problems

5. Does SZK=PZK (“Perfect” zero-knowledge)?

3. Is it necessary that power of prover must increase whentransforming private-coin proofs to public-coin ones?

2. Does SZK=NISZK?

1. Generalize more results/techniques to computational zero-knowledge or arguments.

4. Show that SZKBPP if one-way functions exist (“converse” to [Ost91]).

Documents

Can Statistical Zero-Knowledge be made Non-Interactive?