DOCSLIB.ORG

A Study of Statistical Zero-Knowledge Proofs Salil Pravin

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Study of Statistical Zero-Knowledge Proofs Salil Pravin A Study of Statistical Zero-Knowledge Proofs by Salil Pravin Vadhan A.B., Mathematics and Computer Science, Harvard University (1995) Certificate of Advanced Study in Mathematics, Cambridge University (1996) Submitted to the Department of Mathematics in partial fulfillment of the requirements for the degree of Doctor of Philosophy at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY September 1999 @ Salil Pravin Vadhan, 1999. All rights reserved. The author hereby grants to MIT permission to reproduce and distribute publicly paper and electronic copies of this thesis document in whole or in part. A uthor ........... .'v --~-- g -. - --- ---. - .---------------------------- Dtopartment of Mathematics August 6, 1999 ,/1 I; Certified by ....... .. .. - .. -. .... - ...- .. .-- fi Gold asser RSA Professor of Computer Science Thesis Supervisor .. V... ...... V J .. ................ Accepted by ......... c alS p. e Michael Sipser Chairman, Applied Mathematics Committee A A ccepted by ................. ...--.. - -- -- - Tomasz Mrowka Chairman, Departmental Committee on Graduate Students MASSACHUSETTS INSTITUTE LIBRARIES A Study of Statistical Zero-Knowledge Proofs by Sail Pravin Vadhan Submitted to the Department of Mathematics on August 6, 1999, in partial fulfillment of the requirements for the degree of Doctor of Philosophy Abstract Zero-knowledge interactive proofs, introduced by Goldwasser, Micali, and Rackoff, are fas- cinating constructs which enable one party (the "prover") to convince another party (the "verifier") of an assertion, with the property that the verifier learns nothing other than the fact that the assertion being proven is true. In addition to being powerful tools for construct- ing secure cryptographic protocols, zero-knowledge proofs yield rich classes of computational problems that are of both complexity-theoretic and cryptographic interest. This thesis is a detailed investigation of statisticalzero-knowledge proofs, which are zero- knowledge proofs in which the condition that the verifier "learns nothing" is interpreted in a strong statistical sense. We begin by showing that the class SZK of problems possessing such proofs has two natural complete problems. These problems essentially amount to approximating the statistical difference or the difference in entropies between two "efficiently sampleable" distributions. Thus, they give a new characterization of SZK which makes no reference to interaction or zero knowledge. They also simplify the study of statistical zero knowledge, as questions about the entire class SZK can be reduced to examining these two particular complete problems. Using these complete problems as tools, we proceed to answer a number of fundamental questions about zero-knowledge proofs, including: " Transforming any statistical zero-knowledge proof against an honest verifier (i.e., a verifier that follows the specified protocol) into one which is zero knowledge even against cheating verifiers that deviate arbitrarily from the specified protocol. This transformation applies to public-coin computational zero-knowledge proofs as well. " Constructing statistical zero-knowledge proofs for complex assertions built out of sim- pler assertions already shown to be in SZK. Via the complete problems, these closure properties translate to new methods for manipulating "efficiently sampleable" distri- butions, which may be of independent interest. " Obtaining simpler proofs of most previously known results about statistical zero knowledge, such as: Okamoto's result that SZK is closed under complement; Fortnow, Aiello, and Histad's upper bounds on the complexity of SZK; and Okamoto's result that every statistical zero-knowledge proof can be transformed into a public-coin one. Thesis Supervisor: Shafi Goldwasser Title: RSA Professor of Computer Science 4 Acknowledgments The most daunting task facing a new graduate student is to find a research topic which is interesting yet approachable. I was rescued from this very early on by my advisor, Shafi Goldwasser. One month into graduate school, Shafi started me on a research problem that led to all the work in this thesis. (Alas, I still do not know the answer to the question she asked.) For that and her endless supply of other exciting research problems; for the way she always helped me think about research from a wider perspective; and for all her down-to-earth advice and encouragement, I will be forever grateful. I was very lucky to start my Ph.D. when Oded Goldreich was visiting MIT. Much of the work in this thesis is joint work with Oded, and from him I learned a tremendous amount about both doing research and presenting it. Oded's trust in me has given me confidence as a researcher, and I am deeply indebted to him. I also thank Amit Sahai, with whom I shared my first research experiences in graduate school and collaborated on much of the work in this thesis. In the course of this research, I discussed these topics with many different people. These conversations not only affected my perspective on the area, but also helped refocus my research efforts. In this regard, I thank Sanjeev Arora, Mihir Bellare, Danny Gutfreund, Moni Naor, Erez Petrank, Madhu Sudan, Luca Trevisan, and Avi Wigderson, though un- doubtedly I have forgotten a few. There are many other people who have made my educational experience to this point so exciting and pleasurable, and who have helped shape my view of mathematics and computer science. There are too many to name individually, so I will be content to send my thanks to a few important groups. First, to my fellow students, the faculty, and the postdocs in the MIT Theory of Computation group for making it such a fun and inspiring place to be a graduate student. Second, to all my collaborators on research endeavors not described in this thesis, for all they have taught me. Third, to some wonderful teachers and engaging fellow students at Oceanside High School and Harvard College, for sparking my interest in mathematics and computer science well before I came to MIT. My most important acknowledgment is to my family and friends, who have filled my non- academic life with happiness. Most significantly, I refer to my parents, who have always lovingly encouraged me to pursue my passions; my brother, Nehal, who always makes sure that I am having fun along the way; and my wife, Jen, who has given me a lifetime to look forward to. My graduate studies were supported primarily by a Department of Defense National Defense Science and Engineering Graduate Fellowship and partially by DARPA grant DABT63-96- C-0018. 6 To Jen 8 Contents 1 Introduction 11 1.1 The magic of zero-knowledge proofs .. ... ... ... .. ... ... .. 11 1.2 Informal definitions. .. ... ... ... ... ... ... ... ... ... .. 12 1.3 Motivation for our study ... ... ... ... ... ... ... ... ... .. 14 1.4 Results & structure of this thesis ... ... .... ... ... .... ... 16 2 Definitions 19 2.1 An example . ... ... ... ... ... ... ... ... ... ... .. 19 2.2 Notation and preliminaries . ... ... ... ... ... ... ... ... .. 22 2.3 Zero-knowledge proofs . .. ... ... ... .. ... ... .. ... ... .. 24 2.4 Contrast with the GMR definition .. ... ... ... ... ... ... ... 28 2.5 Complexity aspects of interactive proofs .. ... ... .... ... .... 30 3 Complete Problems 33 3.1 STATISTICAL DIFFERENCE . ... .... ... ... .... ... ... .. 34 3.2 Analyzing public-coin HVSZK proofs . .. ... ... ... ... .. ... 43 3.3 Analyzing general HVSZK proofs . ... ... ... ... ... ... ... 52 3.4 ENTROPY DIFFERENCE reduces to STATISTICAL DIFFERENCE . ... .. 60 3.5 The Completeness Theorem . ... ... ... ... ... ... ... ... .. 66 4 Applications of the Complete Problems 67 4.1 Efficient HVSZK proof systems . ... ... ... ... ... ... ... .. 68 4.2 The complexity of SZK ... ... ... ... ... ... ... ... ... .. 69 4.3 Expected polynomial-time simulators . .. ... ... ... .. ... ... .. 71 4.4 Reversing statistical difference . ... .... ... ... .. ... .... ... 71 4.5 Closure properties . ... ... ... .. ... ... ... .. ... ... .. 73 4.6 Knowledge complexity .. ... ... ... ... ... ... ... ... ... 79 4.7 Perfect and computational zero knowledge . ... ... ... ... ... ... 89 4.8 Zero-knowledge proofs for hard problems imply one-way functions .. ... 92 5 Private Coins vs. Public Coins 97 5.1 Motivation and results .. ... ... ... ... ... ... ... ... ... 97 5.2 O verview .. ... ... ... ... ... ... ... ... ... .. .. 99 5.3 Subprotocol specifications . ... ... ... .. ... ... .. ... ... .. 106 5.4 The transformed proof system . ... ... ... .. ... ... .. ... ... 108 9 10 CONTENTS 5.5 Okamoto's subprotocols ....... ............................. 115 6 Coping with Cheating Verifiers 125 6.1 D efinitions . ... .. ... ... ... .. ... ... ... .. ... ... .. 126 6.2 A cheating-verifier SZK proof system for SD 2 ... .. ... .. ... .. 128 6.3 Transforming honest-verifier proofs to cheating-verifier ones .. ... ... 132 6.4 Random selection .. ... ... ... .... ... ... ... ... ... ... 141 6.5 Corollaries and open problems .... ... .... ... ... .... ... 146 7 Noninteractive SZK 149 7.1 The noninteractive model . .. ... .. ... .. .. ... .. ... .. ... 150 7.2 The Completeness Theorem . ... ... ... .. ... ... .. ... ... 154 7.3 ENTROPY APPROXIMATION is in NISZK .. .. .. ... .. ... .. ... 155 7.4 Proof of the Completeness Theorem .. ... .. ... ... .. ... ... 159 7.5 Comparing SZK and NISZK ... ... ... .. ... ... .. ... ... 161 7.6 Other applications of the Completeness Theorem ... ... .. ... ... 166 8 Conclusion 171 A Chernoff Bounds 173 B Hashing Lemmas 175 B.1 Proof of
Load more

Recommended publications
  • CS601 DTIME and DSPACE Lecture 5 Time and Space Functions: T, S
    CS601 DTIME and DSPACE Lecture 5 Time and Space functions: t, s : N → N+ Definition 5.1 A set A ⊆ U is in DTIME[t(n)] iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. A = L(M) ≡ w ∈ U M(w)=1 , and 2. ∀w ∈ U, M(w) halts within c · t(|w|) steps. Definition 5.2 A set A ⊆ U is in DSPACE[s(n)] iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. A = L(M), and 2. ∀w ∈ U, M(w) uses at most c · s(|w|) work-tape cells. (Input tape is “read-only” and not counted as space used.) Example: PALINDROMES ∈ DTIME[n], DSPACE[n]. In fact, PALINDROMES ∈ DSPACE[log n]. [Exercise] 1 CS601 F(DTIME) and F(DSPACE) Lecture 5 Definition 5.3 f : U → U is in F (DTIME[t(n)]) iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. f = M(·); 2. ∀w ∈ U, M(w) halts within c · t(|w|) steps; 3. |f(w)|≤|w|O(1), i.e., f is polynomially bounded. Definition 5.4 f : U → U is in F (DSPACE[s(n)]) iff there exists a deterministic, multi-tape TM, M, and a constant c, such that, 1. f = M(·); 2. ∀w ∈ U, M(w) uses at most c · s(|w|) work-tape cells; 3. |f(w)|≤|w|O(1), i.e., f is polynomially bounded. (Input tape is “read-only”; Output tape is “write-only”.
    [Show full text]
  • Interactive Proof Systems and Alternating Time-Space Complexity
    Theoretical Computer Science 113 (1993) 55-73 55 Elsevier Interactive proof systems and alternating time-space complexity Lance Fortnow” and Carsten Lund** Department of Computer Science, Unicersity of Chicago. 1100 E. 58th Street, Chicago, IL 40637, USA Abstract Fortnow, L. and C. Lund, Interactive proof systems and alternating time-space complexity, Theoretical Computer Science 113 (1993) 55-73. We show a rough equivalence between alternating time-space complexity and a public-coin interactive proof system with the verifier having a polynomial-related time-space complexity. Special cases include the following: . All of NC has interactive proofs, with a log-space polynomial-time public-coin verifier vastly improving the best previous lower bound of LOGCFL for this model (Fortnow and Sipser, 1988). All languages in P have interactive proofs with a polynomial-time public-coin verifier using o(log’ n) space. l All exponential-time languages have interactive proof systems with public-coin polynomial-space exponential-time verifiers. To achieve better bounds, we show how to reduce a k-tape alternating Turing machine to a l-tape alternating Turing machine with only a constant factor increase in time and space. 1. Introduction In 1981, Chandra et al. [4] introduced alternating Turing machines, an extension of nondeterministic computation where the Turing machine can make both existential and universal moves. In 1985, Goldwasser et al. [lo] and Babai [l] introduced interactive proof systems, an extension of nondeterministic computation consisting of two players, an infinitely powerful prover and a probabilistic polynomial-time verifier. The prover will try to convince the verifier of the validity of some statement.
    [Show full text]
  • Arxiv:Quant-Ph/0202111V1 20 Feb 2002
    Quantum statistical zero-knowledge John Watrous Department of Computer Science University of Calgary Calgary, Alberta, Canada [email protected] February 19, 2002 Abstract In this paper we propose a definition for (honest verifier) quantum statistical zero-knowledge interactive proof systems and study the resulting complexity class, which we denote QSZK. We prove several facts regarding this class: The following natural problem is a complete promise problem for QSZK: given instructions • for preparing two mixed quantum states, are the states close together or far apart in the trace norm metric? By instructions for preparing a mixed quantum state we mean the description of a quantum circuit that produces the mixed state on some specified subset of its qubits, assuming all qubits are initially in the 0 state. This problem is a quantum generalization of the complete promise problem of Sahai| i and Vadhan [33] for (classical) statistical zero-knowledge. QSZK is closed under complement. • QSZK PSPACE. (At present it is not known if arbitrary quantum interactive proof • systems⊆ can be simulated in PSPACE, even for one-round proof systems.) Any honest verifier quantum statistical zero-knowledge proof system can be parallelized to • a two-message (i.e., one-round) honest verifier quantum statistical zero-knowledge proof arXiv:quant-ph/0202111v1 20 Feb 2002 system. (For arbitrary quantum interactive proof systems it is known how to parallelize to three messages, but not two.) Moreover, the one-round proof system can be taken to be such that the prover sends only one qubit to the verifier in order to achieve completeness and soundness error exponentially close to 0 and 1/2, respectively.
    [Show full text]
  • The Limits of Post-Selection Generalization
    The Limits of Post-Selection Generalization Kobbi Nissim∗ Adam Smithy Thomas Steinke Georgetown University Boston University IBM Research – Almaden [email protected] [email protected] [email protected] Uri Stemmerz Jonathan Ullmanx Ben-Gurion University Northeastern University [email protected] [email protected] Abstract While statistics and machine learning offers numerous methods for ensuring gener- alization, these methods often fail in the presence of post selection—the common practice in which the choice of analysis depends on previous interactions with the same dataset. A recent line of work has introduced powerful, general purpose algorithms that ensure a property called post hoc generalization (Cummings et al., COLT’16), which says that no person when given the output of the algorithm should be able to find any statistic for which the data differs significantly from the population it came from. In this work we show several limitations on the power of algorithms satisfying post hoc generalization. First, we show a tight lower bound on the error of any algorithm that satisfies post hoc generalization and answers adaptively chosen statistical queries, showing a strong barrier to progress in post selection data analysis. Second, we show that post hoc generalization is not closed under composition, despite many examples of such algorithms exhibiting strong composition properties. 1 Introduction Consider a dataset X consisting of n independent samples from some unknown population P. How can we ensure that the conclusions drawn from X generalize to the population P? Despite decades of research in statistics and machine learning on methods for ensuring generalization, there is an increased recognition that many scientific findings do not generalize, with some even declaring this to be a “statistical crisis in science” [14].
    [Show full text]
  • The Computational Complexity of Nash Equilibria in Concisely Represented Games∗
    The Computational Complexity of Nash Equilibria in Concisely Represented Games¤ Grant R. Schoenebeck y Salil P. Vadhanz August 26, 2009 Abstract Games may be represented in many di®erent ways, and di®erent representations of games a®ect the complexity of problems associated with games, such as ¯nding a Nash equilibrium. The traditional method of representing a game is to explicitly list all the payo®s, but this incurs an exponential blowup as the number of agents grows. We study two models of concisely represented games: circuit games, where the payo®s are computed by a given boolean circuit, and graph games, where each agent's payo® is a function of only the strategies played by its neighbors in a given graph. For these two models, we study the complexity of four questions: determining if a given strategy is a Nash equilibrium, ¯nding a Nash equilibrium, determining if there exists a pure Nash equilibrium, and determining if there exists a Nash equilibrium in which the payo®s to a player meet some given guarantees. In many cases, we obtain tight results, showing that the problems are complete for various complexity classes. 1 Introduction In recent years, there has been a surge of interest at the interface between computer science and game theory. On one hand, game theory and its notions of equilibria provide a rich framework for modeling the behavior of sel¯sh agents in the kinds of distributed or networked environments that often arise in computer science and o®er mechanisms to achieve e±cient and desirable global outcomes in spite of the sel¯sh behavior.
    [Show full text]
  • Spring 2020 (Provide Proofs for All Answers) (120 Points Total)
    Complexity Qual Spring 2020 (provide proofs for all answers) (120 Points Total) 1 Problem 1: Formal Languages (30 Points Total): For each of the following languages, state and prove whether: (i) the lan- guage is regular, (ii) the language is context-free but not regular, or (iii) the language is non-context-free. n n Problem 1a (10 Points): La = f0 1 jn ≥ 0g (that is, the set of all binary strings consisting of 0's and then 1's where the number of 0's and 1's are equal). ∗ Problem 1b (10 Points): Lb = fw 2 f0; 1g jw has an even number of 0's and at least two 1'sg (that is, the set of all binary strings with an even number, including zero, of 0's and at least two 1's). n 2n 3n Problem 1c (10 Points): Lc = f0 #0 #0 jn ≥ 0g (that is, the set of all strings of the form 0 repeated n times, followed by the # symbol, followed by 0 repeated 2n times, followed by the # symbol, followed by 0 repeated 3n times). Problem 2: NP-Hardness (30 Points Total): There are a set of n people who are the vertices of an undirected graph G. There's an undirected edge between two people if they are enemies. Problem 2a (15 Points): The people must be assigned to the seats around a single large circular table. There are exactly as many seats as people (both n). We would like to make sure that nobody ever sits next to one of their enemies.
    [Show full text]
  • Pseudodistributions That Beat All Pseudorandom Generators
    Electronic Colloquium on Computational Complexity, Report No. 19 (2021) Pseudodistributions That Beat All Pseudorandom Generators Edward Pyne∗ Salil Vadhany Harvard University Harvard University [email protected] [email protected] February 17, 2021 Abstract A recent paper of Braverman, Cohen, and Garg (STOC 2018) introduced the concept of a pseudorandom pseudodistribution generator (PRPG), which amounts to a pseudorandom gen- erator (PRG) whose outputs are accompanied with real coefficients that scale the acceptance probabilities of any potential distinguisher. They gave an explicit construction of PRPGs for ordered branching programs whose seed length has a better dependence on the error parameter " than the classic PRG construction of Nisan (STOC 1990 and Combinatorica 1992). In this work, we give an explicit construction of PRPGs that achieve parameters that are impossible to achieve by a PRG. In particular, we construct a PRPG for ordered permuta- tion branching programs of unbounded width with a single accept state that has seed length O~(log3=2 n) for error parameter " = 1= poly(n), where n is the input length. In contrast, re- cent work of Hoza et al. (ITCS 2021) shows that any PRG for this model requires seed length Ω(log2 n) to achieve error " = 1= poly(n). As a corollary, we obtain explicit PRPGs with seed length O~(log3=2 n) and error " = 1= poly(n) for ordered permutation branching programs of width w = poly(n) with an arbi- trary number of accept states. Previously, seed length o(log2 n) was only known when both the width and the reciprocal of the error are subpolynomial, i.e.
    [Show full text]
  • Hardness of Non-Interactive Differential Privacy from One-Way
    Hardness of Non-Interactive Differential Privacy from One-Way Functions Lucas Kowalczyk* Tal Malkin† Jonathan Ullman‡ Daniel Wichs§ May 30, 2018 Abstract A central challenge in differential privacy is to design computationally efficient non-interactive algorithms that can answer large numbers of statistical queries on a sensitive dataset. That is, we would like to design a differentially private algorithm that takes a dataset D Xn consisting of 2 some small number of elements n from some large data universe X, and efficiently outputs a summary that allows a user to efficiently obtain an answer to any query in some large family Q. Ignoring computational constraints, this problem can be solved even when X and Q are exponentially large and n is just a small polynomial; however, all algorithms with remotely similar guarantees run in exponential time. There have been several results showing that, under the strong assumption of indistinguishability obfuscation (iO), no efficient differentially private algorithm exists when X and Q can be exponentially large. However, there are no strong separations between information-theoretic and computationally efficient differentially private algorithms under any standard complexity assumption. In this work we show that, if one-way functions exist, there is no general purpose differen- tially private algorithm that works when X and Q are exponentially large, and n is an arbitrary polynomial. In fact, we show that this result holds even if X is just subexponentially large (assuming only polynomially-hard one-way functions). This result solves an open problem posed by Vadhan in his recent survey [Vad16]. *Columbia University Department of Computer Science.
    [Show full text]
  • Some Hardness Escalation Results in Computational Complexity Theory Pritish Kamath
    Some Hardness Escalation Results in Computational Complexity Theory by Pritish Kamath B.Tech. Indian Institute of Technology Bombay (2012) S.M. Massachusetts Institute of Technology (2015) Submitted to Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Electrical Engineering & Computer Science at Massachusetts Institute of Technology February 2020 ⃝c Massachusetts Institute of Technology 2019. All rights reserved. Author: ............................................................. Department of Electrical Engineering and Computer Science September 16, 2019 Certified by: ............................................................. Ronitt Rubinfeld Professor of Electrical Engineering and Computer Science, MIT Thesis Supervisor Certified by: ............................................................. Madhu Sudan Gordon McKay Professor of Computer Science, Harvard University Thesis Supervisor Accepted by: ............................................................. Leslie A. Kolodziejski Professor of Electrical Engineering and Computer Science, MIT Chair, Department Committee on Graduate Students Some Hardness Escalation Results in Computational Complexity Theory by Pritish Kamath Submitted to Department of Electrical Engineering and Computer Science on September 16, 2019, in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science & Engineering Abstract In this thesis, we prove new hardness escalation results in computational complexity theory; a phenomenon where hardness results against seemingly weak models of computation for any problem can be lifted, in a black box manner, to much stronger models of computation by considering a simple gadget composed version of the original problem. For any unsatisfiable CNF formula F that is hard to refute in the Resolution proof system, we show that a gadget-composed version of F is hard to refute in any proof system whose lines are computed by efficient communication protocols.
    [Show full text]
  • Computational Complexity Theory
    Computational Complexity Theory Markus Bl¨aser Universit¨atdes Saarlandes Draft|February 5, 2012 and forever 2 1 Simple lower bounds and gaps Lower bounds The hierarchy theorems of the previous chapter assure that there is, e.g., a language L 2 DTime(n6) that is not in DTime(n3). But this language is not natural.a But, for instance, we do not know how to show that 3SAT 2= DTime(n3). (Even worse, we do not know whether this is true.) The best we can show is that 3SAT cannot be decided by a O(n1:81) time bounded and simultaneously no(1) space bounded deterministic Turing machine. aThis, of course, depends on your interpretation of \natural" . In this chapter, we prove some simple lower bounds. The bounds in this section will be shown for natural problems. Furthermore, these bounds are unconditional. While showing the NP-hardness of some problem can be viewed as a lower bound, this bound relies on the assumption that P 6= NP. However, the bounds in this chapter will be rather weak. 1.1 A logarithmic space bound n n Let LEN = fa b j n 2 Ng. LEN is the language of all words that consists of a sequence of as followed by a sequence of b of equal length. This language is one of the examples for a context-free language that is not regular. We will show that LEN can be decided with logarithmic space and that this amount of space is also necessary. The first part is easy. Exercise 1.1 Prove: LEN 2 DSpace(log).
    [Show full text]
  • Zero Knowledge and Soundness Are Symmetric∗
    Zero Knowledge and Soundness are Symmetric∗ Shien Jin Ong Salil Vadhan Division of Engineering and Applied Sciences Harvard University Cambridge, Massachusetts, USA. E-mail: {shienjin,salil}@eecs.harvard.edu November 14, 2006 Abstract We give a complexity-theoretic characterization of the class of problems in NP having zero- knowledge argument systems that is symmetric in its treatment of the zero knowledge and the soundness conditions. From this, we deduce that the class of problems in NP ∩ coNP having zero-knowledge arguments is closed under complement. Furthermore, we show that a problem in NP has a statistical zero-knowledge argument system if and only if its complement has a computational zero-knowledge proof system. What is novel about these results is that they are unconditional, i.e. do not rely on unproven complexity assumptions such as the existence of one-way functions. Our characterization of zero-knowledge arguments also enables us to prove a variety of other unconditional results about the class of problems in NP having zero-knowledge arguments, such as equivalences between honest-verifier and malicious-verifier zero knowledge, private coins and public coins, inefficient provers and efficient provers, and non-black-box simulation and black-box simulation. Previously, such results were only known unconditionally for zero-knowledge proof systems, or under the assumption that one-way functions exist for zero-knowledge argument systems. Keywords: zero-knowledge argument systems, statistical zero knowledge, complexity classes, clo- sure under complement, distributional one-way functions. ∗Both the authors were supported by NSF grant CNS-0430336 and ONR grant N00014-04-1-0478.
    [Show full text]
  • Pseudorandomness and Combinatorial Constructions
    Pseudorandomness and Combinatorial Constructions Luca Trevisan∗ September 20, 2018 Abstract In combinatorics, the probabilistic method is a very powerful tool to prove the existence of combinatorial objects with interesting and useful properties. Explicit constructions of objects with such properties are often very difficult, or unknown. In computer science, probabilistic al- gorithms are sometimes simpler and more efficient than the best known deterministic algorithms for the same problem. Despite this evidence for the power of random choices, the computational theory of pseu- dorandomness shows that, under certain complexity-theoretic assumptions, every probabilistic algorithm has an efficient deterministic simulation and a large class of applications of the the probabilistic method can be converted into explicit constructions. In this survey paper we describe connections between the conditional “derandomization” re- sults of the computational theory of pseudorandomness and unconditional explicit constructions of certain combinatorial objects such as error-correcting codes and “randomness extractors.” 1 Introduction 1.1 The Probabilistic Method in Combinatorics In extremal combinatorics, the probabilistic method is the following approach to proving existence of objects with certain properties: prove that a random object has the property with positive probability. This simple idea has beem amazingly successful, and it gives the best known bounds for arXiv:cs/0601100v1 [cs.CC] 23 Jan 2006 most problems in extremal combinatorics. The idea was introduced (and, later, greatly developed) by Paul Erd˝os [18], who originally applied it to the following question: define R(k, k) to be the minimum value n such that every graph on n vertices has either an independent set of size at least k or a clique of size at least k;1 It was known that R(k, k) is finite and that it is at most 4k, and the question was to prove a lower bound.
    [Show full text]