Can Statistical Zero Knowledge Be Made Non-Interactive?

Can Statistical Zero Knowledge be made Non-Interactive?

or NISZK

On the Relationship of SZK and

y z Oded Goldreich Amit Sahai Salil Vadhan October 7, 1998

Abstract We further extend the study, recently initiated by De-Santis et. al. (ICALP98) of non-interactive

statistical zero-knowledge proofs. Our main focus is to compare the class NISZK of problems pos-

sessing such non-interactive proofs to the class SZK of problems possessing interactive statistical zero- knowledgeproofs. Alongthese lines, we ®rst show that ifstatistical zero-knowledge is non-trivialthen so is non-interactive statistical zero-knowledge, where by non-trivial we mean that the class includes problems which are not solvable in probabilistic polynomial-time. (The hypothesis holds under various as-

sumptions, such as the intractability of the Discrete Logarithm Problem.) Furthermore, we show that

SZK = NISZK if NISZK is closed under complementation, then in fact , i.e. all statistical zero- knowledge proofs can be made non-interactive. The main toolsin our analysis are two promise problems that are natural restrictions of promise prob-

lems known to be complete for SZK . We show that these restricted problems are in fact complete for

NISZK, and using thisrelationship we derive our results comparing the two classes. The two problems refer to the statistical difference, and difference in entropy, respectively, of a given distribution from the

uniform one. We also consider a weak form of NISZK , in which only requires that for every inverse

p(n) 1p(n)

polynomial 1 , there exists a simulator which achieves simulator deviation , and show that NISZK this weak form of NISZK actually equals .

Keywords: Complexity and Cryptography.

DepartmentofComputerScience,WeizmannInstitute ofScience,Rehovot, ISRAEL. E-mail: [email protected]. Work done while visiting LCS, MIT. Supported by DARPA grant DABT63-96-C-0018. y Laboratoryfor ComputerScience,MassachusettsInstitute of Technology,Cambridge, MA02139. E-mail: [email protected]. Supported by DOD/NDSEG fellowship and DARPA grant DABT63-96-C-0018. z Laboratoryfor ComputerScience,MassachusettsInstitute of Technology,Cambridge, MA02139. E-mail: [email protected]. Supported by DOD/NDSEG fellowship and in part by DARPA grant DABT63-96-C-0018. 1 Introduction

Zero-Knowledge proofs, introduced by Goldwasser, Micali and Rackoff [23], are fascinating and extremely useful constructs. Their fascinating nature is due to their seemingly contradictory nature; they are both con- vincing and yet yield nothing beyond the validity of the assertion being proven. Their applicability in the domain of cryptography is vast; they are typically used to force malicious parties to behave according to a predetermined protocol (which requires parties to provide proofs of the correctness of their secret-based ac- tions without revealing these secrets). Zero-knowledge proofs come in many ¯avors, and in this paper we focus on two parameters: The ®rst parameter is the underlying communication model, and the second is the type of the zero-knowledge guarantee.

The communication model. When Goldwasser, Micali, and Rackoff proposed the de®nition of zero-knowledge proofs, it seemed that interaction was crucial to achieving zero-knowledge ± that the possibility of zero- knowledge arose through the power of interaction. Indeed, it was not unexpected when [19] showed zero-

knowledge to be trivial (i.e., only exists for proofs of BPP statements) in the most straightforward non- interactive models. Surprisingly, however, Blum, Feldman, and Micali [5], showed that by changing the model slightly, it is possible to achieve zero-knowledge in a non-interactive setting (i.e. where only unidi- rectional communication can occur). Speci®cally, they assume that both Prover and Veri®er have access to a shared truly random string, called the reference string. Aside from this assumption, all communication con- sistsof one message, the ªproof,º which is generated by the Prover (based on the assertion being proved and the reference string) and sent from the Prover to the Veri®er. Non-interactive zero-knowledge proofs, on top of being more communication-ef®cient by de®nition, have several applications not offered by orndinary interactive zero-knowledge proofs. They have been used, among other things, to build digital signature schemes secure against adaptive chosen message attack [3], public-key cryptosystems secure against chosen-ciphertext attack [28, 13], and non-malleable cryptosystems [13].

The zero-knowledge guarantee. For ordinary interactive zero-knowledge proofs, the zero-knoweldege requirement is formulated by saying that the transcript of the Veri®er's interaction with the Prover can be sim- ulated by the Veri®er itself. Similarly, for the non-interactive setting described above, the zero-knowledge conditionis formulated by requiringthat one can produce, knowingonly thestatement of theassertion, a random reference string along with a ªproofº that works for the reference string. More precisely, we require that there exists an ef®cient procedure that on input a valid assertion produces a distribution which is ªsimilarº to the joint distribution of random reference strings and proofs generated by the Prover. The key parameter is the interpretation of ªsimilarity.º Two notions have been commonly considered in the literature (cf., [23, 18, 16, 6, 4]). Statistical zero-knowledge requires that these distributions be statistically close (i.e., the statistical difference between them is negligible). Computational zero-knowledge instead requires that these distributions are computationally indistinguishable (cf., [22, 35]). In this work, we focus on the stronger security requirement of statistical zero-knowledge. Until recently, most work on non-interactive zero-knowledge has focused on the computational type (cf., [5, 6, 15, 25]). The study of non-interactive statistical zero-knowledge has been recently initiated by De-

Santis et. al. [11]. Theirmain result is theexistenceof a completepromiseproblemfor theclass of problems

possessing non-interactive statistical zero-knowledge proofs (hereafter denoted NISZK). This was similar to the work of [32], where a complete promise problem was given for the class of problems possessing

interactive statistical zero-knowledge proofs (denoted SZK).

1 Actually, [6] did de®ne non-interactive perfect zero-knowledge proofs (which is a slightly stricter notion that statistical zero-knowledge) and prove that a variant of Quadratic Residuosity has such proofs, and non-interactive statistical zero- knowledge was considered in [4], but later works all focused on the computational version.

1 Our Contribution. In thiswork, weseek to understandwhat,ifany, additionalpowerinteractiongivesin the contextof statistical

zero-knowledge. Thus, we continue the investigation of NISZK, focusing on the relationship between the

interactive and non-interactivevariants of statistical zero-knowledge. Our ®rst result is that the non-triviality NISZK of SZK implies non-triviality of , where by non-trivial we mean that a class includes problems which are not solvable in probabilistic polynomial-time. The hypothesis holds under various assumptions, such as the intractability of Discrete Logarithm Problem [17] (or Quadratic Residuosity [23] or Graph Iso-

morphism [18]), but variants of these last two problems are already known to be in NISZK [6, 4]).

SZK NISZK Furthermore, we show that if NISZK is closed under complementation, then in fact Ð i.e., all statistical zero-knowledge proofs can be made non-interactive. We note that [11] does in fact claim

that NISZK is closed under complementation; however, we were not able to verify this claim. NISZK We also show the equivalence of a weakened form of NISZK and .

Complete Problems. Central to our methodology is the use of simple and natural complete problems to NISZK understand classes with rather complicated de®nitions, such as SZK and . In particular, we exhibit

two natural promise problems and prove that they are complete for NISZK. The two problems refer to the ªdistanceº (in two different senses) of a given distribution from the uniform one. These two problems

are natural restrictions of two promise problems shown complete for SZK, in [32] and [21], respectively. NISZK Indeed, our results about the relationshipbetween SZK and come from relating the corresponding complete problems. This general theme of using completeness to simplify the study of a class, rather than as

evidence for computational intractability (as is the traditional use of NP -completeness) has been evidenced in a number of recent works (cf., [18, 27, 34, 1, 2]) and has been particularlyuseful in understandingstatistical zero-knowledge (cf., [32, 33, 11, 21]).

1.1 The non-interactive model

Let us recall the de®nition of a non-interactive statistical zero-knowledge proof system from [6]. We will adapt the de®nition to promise problems. Note that our de®nitionwill capture what [6] call a bounded proof system, in that each shared reference string can only be used once. In contrast to non-interactive computational zero-knowledge (cf., [6, 15]), it is unknown whether any problem that has such a (bounded) non- interactive statistical zero-knowledge proof system also has one in which the shared reference string can be used an unbounded (polynomial) number of times.

A non-interactive statistical zero-knowledge proof system for a promise problem is de®ned by a poly-

nomial r , which willgive the size of the random reference string , and a triple of probabilisticmachines

S V V S

P , , and , where and are polynomial-time, such that:

x V x P x

1. (Completeness:) For all yes , the probability that accepts is at least .

x V x P x

2. (Soundness:) For all no , the probability that accepts is at most .

3. (Zero-Knowledge:) For all yes , the statistical deviation between the followingtwo distributions

jxj

is at most :

r jxj

A p f g p P x

B S x

where is a negligiblefunction, termed the simulatordeviation,andtheprobabilitiesinConditions1and 2

r n

P f g are taken over the random coins of V and , and the choice of uniformly from . Note that non- interactive statistical zero-knowledge is closed under parallel repetition, so the completeness and soundness

2 Actually, only non-interactive perfect and computational zero-knowledge proofs were de®ned in [6]. The de®nition we are

using, previously given in [4, 11], is the natural non-interactive analogue of (interactive) statistical zero-knowledge [23].

g (n) g Recall that a function is negligible if it is eventually less than 1 for any polynomial .

2 no

errors (i.e. the probability of rejection (resp., acceptance) for yes (resp., ) instances) can be made expo-

xj nentially small in j .

We also de®ne a weaker notion of zero-knowledge, known as a weak non-interactive statistical zero-

knowledge proof system, where we askonlythatforevery polynomial g ,there existsa probabilisticpolynomial-

S g

time simulator g (whose running time may depend on ), such that the simulatordeviation as de®ned above

g jxj is at most . This is the natural analogue of a notion de®ned in the interactive setting for statistical zero-knowledge [12] as well as concurrent zero-knowledge [14].

The class of promise problems that possess non-interactive statistical zero-knowledge proof systems is

weak NISZK

denoted NISZK, and we denote by - the class of promise problems that possess weak non-

weak NISZK interactive statistical zero-knowledge proof systems. Note that by de®nition, N I S Z K - .

De Santis et. al. [11] recently began investigating NISZK. They introduced a promise problem, called

Image Density, and claimed that is complete for NISZK andthatthelatterclassisclosedunderORand

complementation. We were able to verify that some variants of Image Density are NISZK-complete, and indeed the ideas used towards this goal are important to our work. However, we were not able to verify

the claim that NISZK is closed under OR and/or complementation, and for this reason, do not rely on this claim in our work.

Inthispaper, inadditiontoexamining NISZK onitsown, we alsoconsidertherelationshipnon-interactive statistical zero-knowledge proofs have with interactive statistical zero-knowledge proofs. In the context of interactive zero-knowledge proofs, another issue that arises in the zero-knowledge condition is the behavior of the veri®er. The general de®nition of zero-knowledge requires that the zero-knowledge requirement hold for any probabilisticpolynomial-time veri®er. A weaker requirement, called honest veri®er zero-knowledge, requires the zero-knowledgeconditiontohold onlyif the veri®erbehaves honestly. However, itis knownthat these two conditions are equivalent for statistical zero-knowledge, in the sense that every statistical zero- knowledge proof against the honest veri®er can be transformed into one that is statistical zero-knowledge

against any veri®er [20]. Thus, we write SZK for the class of promise problems possessing statistical zero- knowledge proofs (against any polynomial-time veri®er or, equivalently, against just the honest veri®er). Note that in the case of non-interactive zero-knowledge, the issue of honest veri®ers does not arise since the veri®er does not interact with the prover. Also, note that we can always transform a non-interactive zero- knowledgeproof into an honest veri®er zero-knowledgeproof, sincewe couldhavethehonestveri®er supply

a random string which can replace the common reference string required for non-interactive zero-knowledge.

SZK SZK That is, N I S Z K S Z K (recalling the equivalence of with honest-veri®er ).

1.2 Our Results NISZK The primary toolswe use in our investigationare promise problems that are complete for SZK or .

In [32], a promise problem called Statistical Difference (SD) was introduced and proved complete for SZK,

providing the ®rst completeness result for SZK. Recently, it was shown in [21] that another natural prob-

lem, called Entropy Difference (ED), is complete for SZK as well. In this work, we show that ªone-sidedº versions of these problems, which we call Statistical Difference from Uniform (SDU) and Entropy Ap-

proximation (EA), are complete for NISZK. To de®ne these problems more precisely, we ®rst recall that

Y D X Y that statistical difference between two random variables X and on a ®nite set , denoted , is

de®ned to be

def

X Y max jPr X S Pr Y S j j Pr X Pr Y j

S D

All the promise problems we consider involve distributions which are encoded by circuits which sam-

m n

f g f g X

ple from them. That is, if X is a circuit mapping to , we identify with the probability

n m

g X f g distribution induced on f by feeding the uniform distribution on .

De®nition 1.1 (Problems involving statistical difference): The promise problem Statistical Difference, de-

SD SD SD no

noted yes , consists of

def

SD fX Y X Y g

yes

def

SD fX Y X Y g

no Y

where X and are distributionsencoded as circuits which sample from them. The promise problem Statis-

SDU SDU SDU no

tical Difference from Uniform, denoted yes , consists of

def

SDU fX X U ng

yes

def

SDU fX X U ng

n U n where X is a distribution encoded as a circuit outputing bits, and is the uniform distribution on bits.

For the two problems related to entropy, we recall that the (Shannon) entropy of a random variable X ,

denoted H , is de®ned as

def

Pr X log Pr X HX

De®nition 1.2 (Problems involving entropy): The promise problem Entropy Difference, denoted ED

ED ED no

yes , consists of

def

ED fX Y HX HY g

yes

def

ED fX Y HY HX g

EA EA EA no

The promise problem Entropy Approximation, denoted yes , consists of

def

EA fX k HX k g

yes

def

EA fX k HX k g

X Y In these problems, k is a positive integer and and are distributions encoded as circuits which sample from them.

Our ®rst theorem, which is the starting point for our other results, is:

SDU NISZK EA SDU NISZK

Theorem 1.3 (EA and are -complete) The promiseproblems and arecompletefor .

SDU N I S Z K N I S Z K

That is, EA and for every promiseproblem , thereisa polynomialtimemany-

EA SDU to-one reduction from to and another from to .

From the proof of this theorem, we also deduce the equivalence of NISZK with its weakened form.

NISZK NISZK

Theorem 1.4 weak - = . NISZK

Armed with our complete problems, we then beginthe work of comparing SZK and . First we SZK

show that the non-triviality of NISZK is equivalant to the non-triviality of . This is shownby giving EA

a Cook reduction from ED to .

S Z K BPP N ISZK BPP Theorem 1.5 (non-triviality of NISZK) .

4 In this theorem (and throughout the paper), BPP denotes the class of promise problems solvable in proba- bilitic polynomial time.

Infact, itturnsoutthatthetypeof Cookreductionwe useisa special one, and by examining it further, we NISZK

are able to shed more light on the SZK vs. question. Speci®cally, we observe that the reduction

EA AC

we give from ED to is an truth-table reduction. That is, it is a nonadaptive Cook reduction in which

the postprocessingis done in AC . (Formal de®nitions are given in Section 4.2.) Further, we can provethat if

NISZK AC

NISZK is closed under complementation, then is closed under truth-table reductions. Thus

NISZK SZK we deduce that NISZK being closed under complementation implies that . In fact, we

can show that closure under complementation and a number of other natural conditions are equivalent to

NISZK

SZK :

NISZK

Theorem 1.6 (conditions for SZK ) The following are equivalent:

NISZK 1. SZK .

2. NISZK is closed under complementation.

3. NISZK is closed under truth-table reductions.

SD EA SDU

4. ED (resp., ) Karp-reduces to (resp., ). (ªgeneral versions reduce to one-sided onesº) SDU 5. EA (resp., ) Karp-reduces to its complement. (ªone-sided versions reduce to their complementsº)

Theorem 1.6 can be interpreted as saying that if NISZK has a relatively weak closure property (closure

under complementation), then the class is surprisingly rich (equals SZK) and has a much stronger closure property (closure under NC truth-tablereductions.) Moreover, the last two conditionsin Theorem 1.6 show that these questions about non-interactive versus interactive statistical zero-knowledge proofs are actually equivalent to basic, intriguing questions about relationships between natural computational problems whose de®nitionshave no a priori relationship to zero-knowledge proofs. Recall that [11] claim thattheseconditem above holds, and consequently if this claim is valid, then all items above hold. However, as stated above, we

were not able to verify this claim of [11].

NISZK NISZK

The equality of SZK and has interesting consequences not just for , but also for SZK

SZK. Currently, the best known generic protocol for requires a polynomial number of rounds [29, NISZK 21, 20]. For NISZK, however, by [10, 20], it is known that every problem in has a constant round statistical zero-knowledge proof system (against general, cheating veri®ers) with inverse polynomial

soundness error. Whether every problem in SZK has such a proof system is still an open question, which

NISZK would be resolved in the positive if SZK .

1.3 A wider perspective The study of non-interactive statistical (rather than computational) zero-knowledge proofs may be of inter- est for two reasons. Firstly, statistical zero-knowledge proofs provide an almost absolute level of security, whereas computational zero-knowledge proofs only provide security relative to computational abilities (and typically under complexity theoretic assumptions). Secondly, by analogy from the study of zero-knowledge interactive proofs, we believe that techniques developed for the ªcleanerº statistical model can be applied

or augmented to yield results for computational zero-knowledge: The proof that one-way functions are nec- CZK essary for SZK to be non-trivial [30] was later generalized to [31]. More recently, the transformations of honest-veri®er zero-knowledge to general zero-knowledge, presented in [8, 10, 9, 20], apply both to statistical and computational zero-knowledge (whereas the original motivation was the study of statistical

zero-knowledge). It is our hope that the current study of NISZK will eventually lead to a better under- NP standing of NICZK, where there are still important open questionssuch as the conditions under which

has NICZK proofs.

5 NISZK 2 EA is in

In this section, we show that EA has a non-interactive statistical zero-knowledge proof system. Our proof

essentially follows the line of reasoning used by [11] to show that Image Density is in NISZK.

NISZK Lemma 2.1 EA . Moreover, there is a non-interactive statistical zero-knowledge proof system

for EA in which the completeness error, soundness error, and simulator deviation are all exponentially van- ishing.

The transformation given by the following lemma will be applied at the start of the proof system:

X k EA

Lemma 2.2 There is a polynomial-time computable function that takes an instance of and a pa-

Z f g rameter s (in unary) and produces a distribution on (encoded by a circuit which samples from it)

such that

X k Z

1. If H , then has statistical difference at most from the uniform distribution on

f , and

X k Z f g 2. If H , then the support of is at most a fraction of .

The proof of Lemma 2.2, though somewhat technical, uses standard techniques which are implicit in many works. For this reason, the proof is deferred to Appendix C. Given this transformation, it is straight-

forward to give a noninteractive statistical zero-knowledge proof system for EA:

X k

Non-interactive proof system for EA, on input

f g X k s

1. Let Z be the distribution on obtained from as in Lemma 2.2 taking to be the total

X k f g

description length of in bits. Let be the reference string.

r fr Z r g r V

2. P selects uniformly among and sends to .

Z r 3. V accept if and rejects otherwise.

It is immediate from Lemma 2.2 that the completeness error and soundness error of this proof system are

. For zero-knowledgeness, we consider the following probabilistic polynomial-time simulator:

X k

Simulator for EA proof system, on input

X k

1. Let Z be obtained from as in the proof system.

Z Z r

2. Select an input r to uniformly at random and let .

3. Output .

It follows from Part 1 of Lemma 2.2 that this simulator has statistical difference at most from

P V

the distribution of transcripts of . Thus, assuming Lemma 2.2, we have established Lemma 2.1. In

X k s fact, we need not require that s be the length of . Instead, can be taken to be an arbitrary security

parameter, and the completeness, soundness, and simulation error will be exponentiallysmall in s, while the

running time of the protocol only depends polynomially on s. We can use this to prove the following,which

will be useful to us later. EA

Proposition 1 If any promise problem reduces to by a Karp (i.e. many-one) reduction (even if it is N I S Z K length-reducing), then .

Proof: A noninteractive statistical zero-knowledge proof system for can be given as follows: On an in-

x X k x EA

stance of , both parties compute the image of under the reduction Karp and execute the

X k s jxj

proof system for EA on , taking tobe the lengthof . Hence, the completeness and soundness errors

xj jX k j and simulator deviation of this proof system are exponentially small in j (rather than which could

be shorter than x).

SDU NISZK

3 EA and are -complete N I S Z K

In this section, we complete the proof of Theorem 1.3. First, we establish that SDU by showing:

SDU EA

Lemma 3.1 Karp .

SDU log n n

Proof: Let X be an instance of . We assume that , where is the output length of the circuit

X yes no SDU

X (otherwise, once can decide in probabilistic polynomial time whether is a or instance of

n X X n by random sampling). Let U denote the uniform distribution on bits. We claim the map

is the reduction required by the lemma.

X SDU X U n X

If yes , then , so is very close to the uniform distribution, which has

entropy n. An argument given in Appendix B allows us to bound difference in entropy in terms of statistical

X n

difference. Applying Fact B.1, we immediately conclude that H .

X SDU X U n

If no , then . By the de®niton of statistical difference, this implies the

f g Pr X S Pr U S n

existence of a set S such that This implies that

X S n Pr U S n

Pr and

X Pr X S log jS j Pr X S n n log n n n n

Thus, H , and we have

X n EA

that no .

Now, we establishbothTheorem1.3 andTheorem1.4byshowing that all promise problems in weak- NISZK

SDU EA

(and hence all promise problems in NISZK) are reducible to (and hence by the previous lemma to ).

weak NISZK SDU

Lemma 3.2 For all promise problems - , we have that Karp .

weak NISZK weak NISZK

Proof: Let be any promise problem in - . As - is preserved under parallel

weak NISZK P V

repetition, we may assume that has a - proof system with completeness and sound-

n r n p oly n

ness errors at most on inputs of length . Let be the length of the random reference

P V S S

string in , and let be a randomized polynomial-time simulator such that the statistical difference

P r n

between the output distributionof S and the distributionof true transcripts of is at most . (Such

weak NISZK U r n

an S is guaranteed by the - property.) Let denote the uniform distribution on bits.

x M s

Let be an instance of . De®ne x to be a circuit which does the following on input :

M s S x s p V p

x : Simulate with randomness to obtain a transcript . If accepts, then output , else

r n

output .

x M x yes

We claim that the map x is the reduction required by the lemma. Suppose . In this case,

S r n

we know that the random reference string in the output of has statistical difference less than

P S x

from U . In addition, since the completeness error of protocol is at most , can output rejecting

r n r n M U r n

transcripts with probability at most . Hence, x

M SDU r n r n yes

, and x .

n n

x P

Suppose no . Since the soundnesserror of protocol is bounded by , for at most a fraction

p M

of reference strings does there exist an accepting transcript . Since x only outputs reference strings

r n n r n

M U r n

corresponding to accepting transcripts or , x . Thus,

M SDU no x .

Clearly, Lemmas 2.1, 3.1, and 3.2 combine to prove Theorem 1.3. Lemmas 3.2 and 3.1 show that any promise

NISZK EA N I S Z K problem in weak- reduces to ; byProposition1, thisimpliesthat and establishes

Theorem 1.4. SZK 4 Comparing NISZK and

Now that we are armed with NISZK-completeness results for promise problems so closely related to prob-

lems known to be complete for SZK, we can quickly begin relating the two classes.

7 4.1 Nontriviality of NISZK

First, we establish Theorem 1.5 by giving a Cook reduction from Entropy Difference (ED), complete for

EA NISZK

SZK, to Entropy Approximation ( ), complete for .

X Y ED X X Y Y

Lemma 4.1 Suppose is an instance of . Let (resp., ) consist of 4 indepen-

Y n X Y

dent copies of X (resp., ), and let denote the maximum of the output sizes of and . Then,

X Y ED X k EA Y k EA

yes yes no

X Y ED X k EA Y k EA

no no yes

X Y ED H X H Y k bH X c H X

Proof: Suppose yes , so that . Let . Hence,

k H X H Y H Y k X Y ED k

. But , and hence . Supposeinstead no ,so that

Y H X k dH X e H X k k dH X e

H . Thenforall , wehave . Butforall ,

H X H Y

we have k .

BPP NISZK BPP From this reduction, we conclude that SZK , which is Theorem 1.5.

Again, by BPP we mean the class of promise problems solvable in probabilistic polynomial time.

SZK SZK SZK

Proof of Theorem 1.5. By de®nition, NISZK (recall that equals honest-veri®er

BPP NISZK BPP

[20]). Hence if SZK , then .

BPP M

Now suppose NISZK , so in particular there is a probabilistic polynomial-time machine

SZK BPP

which decides EA (with exponentially small error probability). To show , it suf®ces to show

BPP ED SZK ED X Y

that ED since is -complete. We now describe how to decide instances of : Let

X Y M X k M Y k

be an instance of ED. Letting and be as stated in Lemma 4.1, we run and for all

n k M X k M Y k

k . If for some , we see that and , we output 1. Otherwise, we output ED

0. By Lemma 4.1, this is a correct BPP algorithm for deciding . .

= SZK 4.2 Conditions under which NISZK

Although the reduction given in Lemma 4.1 is a Cook reduction, it is a very special type of Cook reduction,

which we call an AC truth-table reduction. We use the special properties of this reduction to show that if

NISZK SZK NISZK is closed under complement, then in fact . We now precisely de®ne the types of reductions we are using, taking care how we de®ne them for promise problems.

De®nition 4.2 (truth-table reduction [26]): We say a promise problem truth-table reduces to a promise

problem , written tt , if there exists a (deterministic) polynomial-time computable function , which

x x x x C

on input produces a tuple and a circuit , such that

x b b b C b b b

k k

1. If yes then for all valid settings of , , and

x b b b C b b b

k k

2. If no then for all valid settings of , .

b b x b x b

i i yes i i no i

where a setting for i is considered valid when if and if (and is x

unrestricted when i violates the promise).

In other words, a truth-table reduction for promise problems is a non-adaptive Cook reduction which is allowed to make queries which violate the promise, but must be able to tolerate both yes and no answers in response to queries that violate the promise. We further consider the case where we restrict the complexity of computing the output of the reduction from the queries:

NC f

De®nition 4.3 (AC and truth-table reductions): A truth-table reduction between promise problems

NC C x

is an AC (resp., ) truth-table reduction if the circuit produced by the reduction on input has depth

c x c log jxj AC f

bounded by a constant f independent of (resp., has depth bounded by ). Ifthereisan (resp.,

0 1

NC ) truth-table reduction from to , we write (resp., ).

AC tt NC tt

0 EA

Withthisde®nition,weobservethat Lemma 4.1 infact showsthat ED , sincethe formula given

AC tt in the lemma can be expressed as an AC circuit, and the statement of the lemma shows that the reduction

has the robustness properties against promise violations that are required in De®nition 4.3.

We say that a class of promise problems is closed under a class of reductions if and

C NISZK AC ED

C implies that . By the above, if is closed under truth-table reductions, then

NISZK SZK

NISZK and hence . Thus, we would like to capture the minimal conditions necessary for a promise class to be closed under AC truth-table reductions. Here, care must be taken to because of the possibility of promise violations. Keeping this in mind, we de®ne the following operator on promise

problems to capture the notion of an unbounded fan-in AND gate for promise problems:

AND

De®nition 4.4 (unboundedAND): For any promiseproblem , we de®ne tobe thepromiseproblem:

def

AND fx x x k i k x g

yes k i yes

def

AND fx x x k i k x g

no k i no

C AND C We say a class of promiseproblems C is closed under unbounded AND iffor all , onehas .

We have de®ned AND so that it has the weakest promise condition possible to remain well-de®ned. In

AND x i

particular, we see that no is de®ned to include 's that violate 's promise, as long as just one of

C AND C

them is in no . , . We also need a way of combining two promise problems:

De®nition 4.5 (disjoint union): For any pair of promise problems and , we de®ne the disjoint union of

DisjUn

and to be the promise problem de®ned as follows:

def

DisjUn fg fg

yes yes

yes

def

DisjUn fg fg

no no

C DisjUn C Wesay a classof promiseproblems C is closed under selection ifforall ,onehas .

With these de®nitions, we can give the following lemma which gives some conditions suf®cient to give

closure under AC truth-table reductions.

AC Lemma 4.6 A promise class C is closed under truth-table reductions if the following conditions hold:

1. C is closed under Karp (i.e., many-one) reductions.

2. C is closed under unbounded AND.

3. C is closed under selection.

4. C is closed under complementation.

Lemma 4.6 can be proven by a straightforward induction on the depth of the circuits. Details are in Ap-

pendix E. Which of the conditions of Lemma 4.6 does NISZK satisfy? We argue that Conditions 1, 2,

and 3 are satis®ed by NISZK:

Lemma 4.7 NISZK is closed under Karp reductions.

N I S Z K EA NISZK EA Karp

Proof: Suppose , and Karp . Since is complete for , we have . By

EA N I S Z K

composing reductions, we see that Karp . By Lemma 2.1 and Proposition 1, .

Lemma 4.8 NISZK is closed under unbounded AND.

EA N I S Z K NISZK ANDEA

Proof: First, we argue that AND by describing a proof system for : Let

X k X k ANDEA

m m

be an instance of , and say is the total length of the instance. Arti®cially

X Y i

pad each circuit i tobe of descriptionsize (by addingunusedgates) andlet be the resultingcircuit. Now

NISZK EA Y k i

execute the proof system for given by Lemma 2.1 on each pair i in parallel, and have the

EA EA

AND -veri®er accept if the -veri®er would have accepted on each pair.

X k yes EA ANDEA i

If every pair i is a instance of , the veri®er will accept with probability at least

m EA

, as the completeness error of the proof system is at most . Similarly,

m ANDEA

running the simulator for the EA proof system times independently will give a simulation for the

m X k no i

proof system with simulator deviation . Finally, if just one pair i is a instance

of EA (even if the others violate the promise), the veri®er will accept with probability at most in the

EA ANDEA

i'th execution of the protocol, and so the veri®er will accept with probability at most .

EA NISZK NISZK EA

This shows that AND . Now let be any promise problem in . Since is

f EA AND

complete for NISZK, there isa Karp reduction from to . This induces a Karp reduction from

ANDEA x x f x f x ANDEA NISZK

k k

to in the obvious way (i.e. ). As is in and

AND N I S Z K NISZK is closed under Karp reductions, .

Lemma 4.9 NISZK is closed under disjoint union.

DisjUnEA EA EA

Proof: Clearly, Karp (by dropping the extra bit.) Now, for any two promise problem

NISZK f EA f EA

and in , the Karp reductions from to and from to induce a Karp reduction from

DisjUn DisjUnEA EA x f x DisjUn DisjUnEA EA EA

Karp

to givenby . Using Karp

NISZK N I S Z K

, and applying closure under Karp reductions, we get DisjUn .

NISZK

Combining everything, we can give a condition under which SZK .

SZK NISZK Proposition 2 If NISZK is closed under complementation, then .

Proof: Suppose NISZK is closed under complementation. Combining this with Lemmas 4.6, 4.7, 4.8,

and 4.9, it follows that NISZK is closed under truth-table reductions. Applying Lemma 4.1 and

N I S Z K ED SZK NISZK

Lemma 2.1, we conclude that ED . Since is complete for [21] and is closed

NISZK NISZK SZK

under Karp reductions, we have SZK . As is true from the de®nition of

NISZK SZK

NISZK, we conclude that .

SZK Finally, we deduce Theorem 1.6, which gives a number of conditions equivalent to NISZK .

Proof of Theorem 1.6:

SZK NC

1 3. This follows from the result of [33] that is closed under truth-table reductions.

3 2 1. The ®rst is trivial and the second is Proposition 2.

EA SDU NISZK

1 4. This follows from Theorem 1.3 (which asserts that that and are complete for ), the

SD SZK NISZK fact that ED and are complete for [32, 21], and Lemma 4.7 (that is closed under Karp

reductions).

EA SDU NISZK 1 5. This follows from Theorem 1.3 (that and are complete for ) and Lemma 4.7 (that

NISZK is closed under Karp reductions).

10 References

[1] Sanjeev Arora, Carsten Lund, Rajeev Motwani, Madhu Sudan, and Mario Szegedy. Proof veri®cation and hardness of approximation problems. In Proceedings of the Thirty Third Annual Symposium on Foundations of Computer Science, pages 14±23, 1992. [2] Sanjeev Arora and Shmuel Safra. Probabilistic checking of proofs. In Proceedings of the Thirty Third Annual Symposium on Foundations of Computer Science, pages 2±13, 1992. [3] Mihir Bellare and Sha® Goldwasser. New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In G. Brassard, editor, Advances in CryptologyÐ CRYPTO '89, volume 435 of Lecture Notes in Computer Science, pages 194±211. Springer-Verlag, 1990, 20±24 August 1989. [4] Mihir Bellare and Phillip Rogaway. Non-interactive perfect zero-knowledge. Unpublished manuscript, June 1990. [5] Manuel Blum, Paul Feldman, and Silvio Micali. Non-interactive zero-knowledge and its applications (extended abstract). In Proceedingsof the Twentieth AnnualACM Symposiumon Theory of Computing, pages 103±112, Chicago, Illinois, 2±4 May 1988. [6] Manuel Blum, Alfredo De Santis, Silvio Micali, and Giuseppe Persiano. Noninteractive zero- knowledge. SIAM Journal on Computing, 20(6):1084±1118, December 1991. [7] Thomas M. Cover and Joy A. Thomas. Elements of Information Theory. Wiley Series in Telecommu- nications. John Wiley & Sons, Inc., 2nd edition, 1991. [8] Ivan DamgÊard. Interactive hashing can simplify zero-knowledge protocol design. In Proceedings of Crypto `95, Lecture Notes in Computer Science, volume 403, pages 100±109. Springer-Verlag, 1994. [9] Ivan DamgÊard, Oded Goldreich, Tatsuaki Okamoto, and Avi Wigderson. Honest veri®er vs. dishonest veri®er inpubliccoin zero-knowledgeproofs. In Proceedingsof Crypto `95, Lecture Notes inComputer Science, volume 403. Springer-Verlag, 1995. [10] Ivan DamgÊard, Oded Goldreich, and Avi Wigderson. Hashing functions can simplify zero-knowledge protocol design (too). Technical Report RS-94±39, BRICS, November 1994. See Part 1 of [9]. [11] Alfredo De Santis, Giovanni Di Crescenzo, Giuseppe Persiano, and Moti Yung. Image Density is complete for non-interactive-SZK. In Automata, Languages and Programming, 25th International Col- loquium, Lecture Notes in Computer Science, pages 784±795, Aalborg, Denmark, 13±17 July 1998. Springer-Verlag. [12] Giovanni Di Crescenzo, Tatsuaki Okamoto, and Moti Yung. Keeping the SZK-veri®er honest uncon- ditionally. In Advances in CryptologyÐCRYPTO '97, pages 31±45, 1997. [13] Danny Dolev, Cynthia Dwork, and Moni Naor. Non-malleable cryptography (extended abstract). In Proceedings of the Twenty Third Annual ACM Symposium on Theory of Computing, pages 542±552, New Orleans, Louisiana, 6±8 May 1991. [14] Cynthia Dwork, Moni Naor, and Amit Sahai. Concurrent zero-knowledge. In Proceedings of the Thir- tieth Annual ACM Symposium on the Theory of Computing, pages 409±418, 1998. [15] Uriel Feige, Dror Lapidot, and Adi Shamir. Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In 31st Annual Symposium on Foundations of Computer Science, volume I, pages 308±317, St. Louis, Missouri, 22±24 October 1990. IEEE.

11 [16] Lance Fortnow. The complexity of perfect zero-knowledge. In Silvio Micali, editor, Advances in Com- puting Research, volume 5, pages 327±343. JAC Press, Inc., 1989. [17] Oded Goldreich and Eyal Kushilevitz. A perfect zero-knowledge proofsystem fora problem equivalent to the discrete logarithm. Journal of Cryptology, 6:97±116, 1993. [18] Oded Goldreich, Silvio Micali, and Avi Wigderson. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. Journal of the Association for Computing Ma- chinery, 38(1):691±729, 1991. [19] Oded Goldreich and Yair Oren. De®nitions and properties of zero-knowledge proof systems. Journal of Cryptology, 7(1):1±32, Winter 1994. [20] Oded Goldreich, Amit Sahai, and Salil Vadhan. Honest-veri®er statistical zero-knowledge equals general statistical zero-knowledge. In Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing, pages 399±408, 1998. [21] Oded Goldreich and Salil Vadhan. Comparing entropies in statistical zero-knowledgewith applications to the structure of SZK. Available from http://www-math.mit.edu/Äsalil, October 1998. [22] Sha® Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sci- ences, 28(2):270±299, 1984. [23] Sha® Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1):186±208, February 1989. [24] Russell Impagliazzo, Leonid A. Levin, and Michael Luby. Pseudo-random generation from one-way functions (extended abstracts). In Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pages 12±24, Seattle, Washington, 15±17 May 1989. [25] Joe Kilian and Erez Petrank. An ef®cient noninteractive zero-knowledge proof system for NP with general assumptions. Journal of Cryptology, 11(1):1±27, Winter 1998. [26] R. E. Ladner, N. A. Lynch, and A. L. Selman. A comparison of polynomial time reducibilities. Theo- retical Computer Science, 1(2):103±123, December 1975. [27] Carsten Lund, Lance Fortnow, Howard Karloff, and Noam Nisan. Algebraic methods for interactive proofs. In Proceedings of the Thirty First Annual Symposium on Foundations of Computer Science, pages 1±10, 1990. [28] Moni Naor and Moti Yung. Public-key cryptosystems provably secure against chosen ciphertext at- tacks. In Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, pages 427±437, Baltimore, Maryland, 14±16 May 1990. [29] Tatsuaki Okamoto. On relationships between statistical zero-knowledge proofs. In Proceedings of the Twenty Eighth Annual ACM Symposium on the Theory of Computing, 1996. See also preprint of full version, Oct. 1997. [30] Rafail Ostrovsky. One-way functions, hard on average problems, and statistical zero-knowledge proofs. In Proceedings of the Thirty Second Annual Symposium on Foundations of Computer Science, pages 133±138, 1991. [31] Rafail Ostrovsky and Avi Wigderson. One-way functions are essential for non-trivial zero-knowledge. In Proceedings of the Second Israel Symposium on Theory of Computing and Systems, 1993.

12 [32] Amit Sahai and Salil Vadhan. A complete promise problem for statistical zero-knowledge. In Proceed- ings of the Thirty Eighth Annual Symposium on Foundations of Computer Science, pages 448±457, 1997. [33] Amit Sahai and Salil Vadhan. Manipulating statistical difference. In Panos Pardalos, Sanguthevar Ra- jaseekaran, and Jose Rolim, editors, Proceedings of the DIMACS Workshop on RandomizationMethods in Algorithm Design, Princeton, NJ, 1998. American Mathematical Society. To appear. Available from http://www-math.mit.edu/Äsalil/. [34] Adi Shamir. IP=PSPACE. In Proceedings of the Thirty First Annual Symposium on Foundations of Computer Science, pages 11±15, 1990. [35] Andrew C. Yao. Theory and application of trapdoor functions. In Proceedings of the Twenty Third Annual Symposium on Foundations of Computer Science, pages 80±91, 1982.

A De®nitions

Following [17], we extend the standard de®nition of interactive proof systems to promise problems ±

De®nition A.1 (Interactive Proof systems ± IP [23]): Let c s be polynomial-time computable

n cn sn pn

functions so that for some positive polynomial p and all positive integers 's, .

c s no An interactive proof system with two-sided error for a promise problem yes is a two-

party game, between a veri®er executing a probabilisticpolynomial-timestrategy (denoted V ) and a prover

which executes a computationally unbounded strategy (denoted P ), satisfying

x V cjxj

Completeness: For every yes , the veri®er with probability at least accepts after x

interacting with the prover P on common input .

x P V

Soundness: For every no and every potentialstrategy , the veri®er accepts with probability

jxj P x

at most s , after interacting with on common input . s

In such a case, we say that the proof system has completeness error c and soundness error . The error

fc sg of the proof system is de®ned as max .

We are mainly concerned with interactive proof systems having the following zero-knowledge property [23]:

De®nition A.2 (Statistical zero-knowledge Ð SZK):

The view of an interactive machine consists of the common input, its internal coin tosses, and all mes-

P V ix V P sages it has received. We denote by h the view of the veri®er while interacting with on

common input x.

N p

A function is called negligible if for every positive polynomial and all suf®ciently

N n pn

large n , .

P V no

An interactive proof system for a promise problem yes is (general) statistical

zero-knowledge if for every probabilisticpolynomial-time V , there existsa probabilisticpolynomial-

time machine (called a simulator), S , and a negligible function (called the simulator

x S x hP V ix

deviation) so that for every yes the statisticaldifference between and isat most

jxj

. SZK denotes the class of promise problems having statistical zero-knowledge interactive proof systems.

13 Honest-veri®er statistical zero-knowledge proof systems are such where the zero-knowledge requirement is

only required to hold for the prescribed/honest veri®er V , rather than for every polynomial-time computable

V . every honest-veri®er statistical zero-knowledge proof system can be transformed into a general statistical zero-knowledge proof system (actually meeting an even stronger zero-knowledge requirement) [20].

B Statistical Inequalities

Y D

Fact B.1 For any two random variables, X and , ranging over a domain it holds that

jHX HY j logjD j H

def

X Y where .

This fact can be inferred from Fano's Inequality (cf., [7, Thm. 2.11.1]). A more direct proof follows.

def def

px Pr X x q x Pr X x

Proof: Assume or elsetheclaim isobvious. Let and . De®ne

def

mx min fpx q xg Z X Y x

. Then m . De®ne random variables , and so that

def

mx Pr Z x m x

def

px mx Pr X x p x

def

Pr Y x q x q x mx

Y Z X Y Think of X (resp., ) as being generated by picking with probability and (resp., ) otherwise.

Then

HX HZ HX H

HY HZ

X x x D HX logjD j Observing that Pr on at least one , it follows that , and the fact

follows.

D X e Y

Comment: The above bound is tight. Let e and consider which is identically , and which

e D n feg X Y

with probability equals and otherwise is uniform over . Clearly, and

HY HX log jD j H

C Proof of Lemma 2.2 C.1 Flat distributions and the Leftover Hash Lemma Here, we discuss some standard notions and techniques that will be useful in the proof of Lemma 2.2. We

use the clean formulations of these tools given in [21].

X X

A distribution X is called ¯at if all strings inthe supportof have the same probability. Notice that if

X x x X is ¯at, then by the de®nition of entropy, Pr for every in the support of . We quantify

deviation from ¯atness as follows: x

De®nition C.1 (heavy, light and typical elements): Let X be a distribution, an element possibly in its

x Pr X x

support,and a positiverealnumber. Wesaythat is -heavy (resp., -light) if

X x x (resp., Pr ). Otherwise, we say that is -typical.

14 A natural relaxed de®nitionof ¯atness follows. The de®nition linksthe amount of slackness allowed in ªtyp-

icalº elements with the probability mass assigned to non-typical elements.

De®nition C.2 (¯at distributions): A distribution X is called -¯at if for every , the probability that

t an element chosen from X is -typical is at least .

By straightforward application of Hoefding Inequality (cf., Appendix D), we have

k X

Lemma C.3 (¯attening lemma): Let X be a distribution, a positive integer, and denote the distri-

X x X

bution composed of k independent copies of . Suppose that for all in the support of it holds that

m k

X x X k m

Pr . Then is -¯at.

X k

The key point is that the entropy of grows linearly with , whereas its deviation from ¯atness grows

p k signi®cantly slower (i.e., linear in k ) as a function of . The othermain tool we will use is:

Lemma C.4 (Leftover Hash Lemma [24]) Let H be a2-universalfamilyofhashfunctionsmappinga domain

R X D x

D to a range . Suppose is a distribution on such that with probability at least over selected

Pr X x jRj

from X , . Then the statistical difference between the following two distributions is at

most O :

H x X h hx

(A) Choose h uniformly from and according to . Output .

H y R h y

(B) Choose h uniformly from and uniformly from . Output .

s t X

In particular, notice that if X is a -¯at distribution, then for any parameters , satis®es the

HX ts t s

hypothesis of the Leftover Hash Lemma with j , , and . As we willbe

k H

applying Lemma C.4 to sets of strings, we de®ne, for any pair of positive integers and , k to be one

g f g GF of the standard 2-universal families of hash functions mapping f to (e.g., af®ne -linear transformations).

C.2 Overview of the transformation

The transformation proceeds in four stages, which are roughly described below:

X yes no 1. Let X consist of many copies of so that the entropy gap between and instances increases,

and the distribution becomes quite ¯at relative to its entropy.

yes no

2. Hash X so that instances become close to the uniform distributionwhile instances have much

h hX h smaller entropy than the uniform distribution. That is, let Y be of the form , where is

uniformly distributed in a 2-universal family with appropriate parameters.

Y no

3. Let Y consist ofmany copies of so that for instances, the entropy de®ciency (as compared to the

yes uniform distribution) becomes large and yet Y becomes quite ¯at relative to its entropy; while

instances remain close to uniform.

4. Hash the inputs to Y so that instances have small support (rather than just small entropy), while

Z Y r h hr h keeping yes instances close to uniform. That is, let be of the form where is uniformly distributed in a 2-universal family with appropriate parameters.

C.3 The formal construction and proof

X k EA m n X s

Let be an instance of , let (resp., ) denote the number of input and output gates to , and let s

be the extra parameter in the transformation. By increasing s if necessary, we may assume that is greater

X k p oly s than the total descriptionlengthof . Thus,all the intermediatecircuitswe buildwill beof size .

Many copies I. The®rst step is totake many copies ofeach distribution;this has the effect of increasing the

no X q sm

entropy gap between yes and instances relative to 's deviation from ¯atness. Namely, let

X HX q HX X s m and let X . Then and, by Lemma C.3, is -¯at for . In particular, we have established

Claim C.5

X k HX q k q q k s s

1. If H , then .

X k HX q k q q k

2. If H , then .

h hx h

Hashing I. Now consider the distribution Y on pairs induced by choosing uniformly from

H x X H p oly q n q k p oly s

q nq k

q nq k and according to . Say that elements of take bits to

m q m n q k Y represent. Then Y has inputs (resp., outputs) of length (resp., ). satis®es the following properties.

Claim C.6

X k Y

1. If H , then has statistical difference at most from the uniform distribution on

f .

X k Y n

2. If H , then the entropy of is less than . X

Proof: Part 1 follows from the -¯atness of and the Leftover Hash Lemma. Part 2 follows from the

X q k

fact that the entropy of Y is at most the entropy of (which is less than ) plus the entropy of the uniform

distribution on H (which is ). no

Many copies II. We now take many copies of Y , so that the entropy de®ciency of instances becomes

q s m

large relative to the ¯atness while yes instances remain close to uniform. Speci®cally, let

Y Y M m q N n q Y

and let Y , so that has input gates, output gates, and is -¯at for

s m . Then we immediately have the following:

Claim C.7

s s

X k Y q

1. If H , then has statistical difference at most from the uniform

distribution on f .

X k HY N q N s s 2. If H , then .

Hashing II. The ®nal stepis to make a distributionwhich, for no instances, has small support (rather than yes

just low entropy) in the case of no instances, while instances remain close to uniform.

Z r f g h H

N s

Consider a distribution which takes as input and a hash function M M and

Y r h hr outputs . Then,

Claim C.8 Z satis®es the requirements of Lemma 2.2.

Theintuitionforthisisthe following: In thecase of yes instances, is close to the uniformdistribution

N N M N

g y f g r Y r y

on f , so for almost all , there will be about values of such that . Thus,

M N s

hashing r down to bits will still result in a uniform distribution.

In the case of a no instance, has large entropy de®ciency and is nearly ¯at. From this, we know that

T y T

Y lands in some small subset of the domain with very high probability. Thus, points must have

r y r Y y T

very low probability under Y , i.e. there are very few inputs such that . So, for each ,

h hr Y r h hr the pairs will only hit a small subset of the possible values. Therefore, has small

support, because either the ®rst component lands in a small set (namely T ) or the last two components land in a small set.

X k Y

Proof: Suppose H . From the fact that has statistical difference at most from uniform

y Y

it follows that with probability at least over selected according to ,

Pr Y y

(1)

Y r y r fr Y r y g

Fix any y satisfying Inequality 1. Conditioned on , is selected uniformly from ,

M N

which by Equation 1 is a set of size at least . Thus, by the Leftover Hash Lemma, conditioned on

r y h hr

Y , the distributionof has statistical difference at most from uniform. Therefore the

total statistical difference of Z from uniform is .

X k S Z D

Now suppose H . We want to show that the support of is a small fraction of

N M N s

S g H f g

f . To do this, we divide into three parts, depending on the probability mass

HY N ss

Y y Y

giventothe y component by . Recall that a ªtypicalº for has probabilitymass .

N s

S fy h z S Pr Y y g

(ªmuch too lightº)

N s N s

S fy h z S Pr Y y g

(ªtoo light, but not much too lightº)

N s

S fy h z S Pr Y y g

(ªnot too lightº)

s s

S S S S jS jjD j i jS jjD j

Clearly, . We willshow that for ,andso

N s M N s

jS j y Pr Y y r

First we bound . For any such that , there are at most values of

Y r y y h z y h z S

such that . Thus, for any such and any , the set of such that is of size at most

M N s s M N s s

f g S

(i.e., is at most a fraction of ). This implies that is at most a fraction of

D .

N s N s

jS j A y Pr Y y

Now we bound . We showthat theset of such that is at most a

s N s

f g S D y A s

fraction of . From this, it followsthat is at most a fraction of . Every is -

N s s Y Pr Y A

heavy (since Y has entropyat most ). By the -¯atness of , isatmost .

N s s N s N s

A Y jAj Since every y in has probability mass at least under , is at most ,

as desired.

N s N s

jS j y Pr Y y

Finally, we bound . Clearly, there can be at most values of such that .

jS jjD j

From this it follows that .

D Proof of the Flattening Lemma

X w x log Pr X x w X

For every x in the support of , we let . Then maps the support of , denoted

D m X X X t k

, to . Let be identical and independent copies of . The lemma asserts that for every

X p

k Pr w X k HX t m

E w X i Pr X x w x HX

Observe that i , for every . Thus, the lemma follows by a

w X i

straightforward application of Hoefding Inequality: Speci®cally, de®ne random variables i , let

E tm k

i and , and use

exp k Pr

k m

exp t

The lemma follows.

17 E Proof of Lemma 4.6

First note that any unbounded fan-in circuit can be ef®ciently converted into a circuit with only unbounded fan-in NAND gates (allowing also unary NAND gates), with only a constantfactor blowupin depth. to such

a circuit with only a constant factor blowup in depth. So, as a ®rst step, we observe that C is closed under

def

NAND AND C unbounded NAND. That is, for any promise problem , , by closure under unbounded AND and complementation. To generalize this to constant depth circuits with unbounded fan-in

NAND gates, we de®ne

d Depth

De®nition E.1 For any promise problem , and for all natural numbers we de®ne to be

C x x x C

the promise problem whose instances are tuples , where is a circuit of depth at most yes

d (using unbounded fan-in NAND gates only). The instances are those such that for all valid settings

b b b C b b b no

k m

of , ; whereas the instances are those tuples such that for all valid

b b b C b b b b b

k k i i

settings of , . Here, a setting for is considered valid when if

x b x b x

yes i i no i i

i and if (and is unrestricted when violates the promise).

Using the fact that every AC circuit can be ef®ciently transformed into one with only NAND gates, we

0 d Depth

see that means that there exists some such that under a Karp reduction. Hence

AC tt

Depth C if we can show that for all d and promise problems , , the lemma will be established. We will prove this by induction.

First, observe that a depth circuit is simply a variable (we can ignore constants as trivial). Hence,

C Depth C d Depth . Now assume that . Observe that a depth circuit is simply

a NAND of some number of depth d circuits. Using this observation, we will argue that that

d d d

Depth DisjUnDepth NANDDepth

Depth C

; by the closure properties of C , this implies that . The reduction works as follows. The

C x x x x x C d

input to the reduction is a tuple where . If is actually a depth circuit, then it

C x C C C C

simply outputs . If not, then it extracts from the circuits that provide input to

m C x C x C x

the topmost NAND gate. Then the reduction outputs . It is clear that

d d d

DisjUnDepth NANDDepth map gives a Karp reduction from Depth , completing the induction step and the proof.