Can Statistical Zero Knowledge Be Made Non-Interactive? Or on The
Can Statistical Zero Knowledge b e made Non�Interactive�
or
�
On the Relationship of SZK and N ISZK
y z x
Oded Goldreich Amit Sahai Salil Vadhan
May ��� ����
Abstract
We extend the study of non�interactive statistical zero�knowledge pro ofs� Our main fo cus is
to compare the class NISZK of problems p ossessing such non�interactive pro ofs to the class
SZK of problems p ossessing interactive statistical zero�knowledge pro ofs� Along these lines� we
�rst show that if statistical zero knowledge is non�trivial then so is non�interactive statistical
zero knowledge� where by non�trivial we mean that the class includes problems which are not
solvable in probabilistic p olynomial�time� �The hypothesis holds under various assumptions�
such as the intractability of the Discrete Logarithm Problem�� Furthermore� we show that if
NISZK is closed under complement� then in fact SZK � NISZK � i�e� all statistical zero�
knowledge pro ofs can b e made non�interactive�
The main to ols in our analysis are two promise problems that are natural restrictions of
promise problems known to b e complete for SZK � We show that these restricted problems
are in fact complete for NISZK and use this relationship to derive our results comparing the
two classes� The two problems refer to the statistical di�erence� and di�erence in entropy�
resp ectively� of a given distribution from the uniform one� We also consider a weak form of
NISZK � in which only requires that for every inverse p olynomial ��p�n�� there exists a simulator
which achieves simulator deviation ��p�n�� and show that this weak form of NISZK actually
equals NISZK �
Keywords� Statistical Zero�Knowledge Pro ofs� Non�Interactive Zero�Knowledge Pro ofs�
�
An extended abstract of this work app ears in CRYPTO ��� �GSV����
y
Department of Computer Science� Weizmann Institute of Science� Rehovot� Israel� E�mail� oded�wisdom�weizmann�ac�il�
Work done while visiting LCS� MIT� Supp orted by DARPA grant DABT������C������
z
Lab oratory for Computer Science� Massachusetts Institute of Technology� Cambridge� MA ������ E�mail�
amits�theory�lcs�mit�edu� Supp orted by DOD�NDSEG fellowship and DARPA grant DABT������C������
x
Lab oratory for Computer Science� Massachusetts Institute of Technology� Cambridge� MA ������ E�mail�
salil�theory�lcs�mit�edu� Supp orted by DOD�NDSEG fellowship and in part by DARPA grant DABT������ C������
� Introduction
Zero�Knowledge pro ofs� introduced by Goldwasser� Micali and Racko� �GMR�� �� are fascinating
and extremely useful constructs� Their fascinating nature is due to their seemingly contradictory
nature� they are b oth convincing and yet yield nothing b eyond the validity of the assertion b eing
proven� Their applicability in the domain of cryptography is vast� they are typically used to
force malicious parties to b ehave according to a predetermined proto col �which requires parties to
provide pro ofs of the correctness of their secret�based actions without revealing these secrets�� Zero�
knowledge pro ofs come in many �avors� and in this pap er we fo cus on two parameters� The �rst
parameter is the underlying communication model� and the second is the type of the zero�knowledge
guarantee�
The communication mo del� When Goldwasser� Micali� and Racko� prop osed the de�nition of
zero�knowledge pro ofs� it seemed that interaction was crucial to achieving zero knowledge � that the
p ossibility of zero knowledge arose through the p ower of interaction� Indeed� it was not unexp ected
when �GO�� � showed zero knowledge to b e trivial �i�e�� only exists for pro ofs of BPP statements�
in the most straightforward non�interactive mo dels� Surprisingly� however� Blum� Feldman� and
Micali �BFM�� �� showed that by changing the mo del slightly� it is p ossible to achieve zero knowledge
in a non�interactive setting �i�e� where only unidirectional communication can o ccur�� Sp eci�cally�
they assume that b oth Prover and Veri�er have access to a shared truly random string� called
the reference string� Aside from this assumption� all communication consists of one message� the
�pro of�� which is generated by the Prover �based on the assertion b eing proved and the reference
string� and sent from the Prover to the Veri�er�
Non�interactive zero�knowledge pro ofs� on top of b eing more communication�e�cient by de��
nition� have several applications not o�ered by ordinary interactive zero�knowledge pro ofs� They
have b een used� among other things� to build digital signature schemes secure against adaptive
chosen message attack �BG�� �� public�key cryptosystems secure against chosen�ciphertext attack
�NY�� � DDN�� �� and non�malleable cryptosystems �DDN�� ��
The zero�knowledge guarantee� For ordinary interactive zero�knowledge pro ofs� the zero�
knoweldege requirement is formulated by saying that the transcript of the Veri�er�s interaction
with the Prover can b e simulated by the Veri�er itself� Similarly� for the non�interactive setting
describ ed ab ove� the zero�knowledge condition is formulated by requiring that one can pro duce�
knowing only the statement of the assertion� a random reference string along with a �pro of � that
works for the reference string� More precisely� we require that there exists an e�cient pro cedure
that on input a valid assertion pro duces a distribution which is �similar� to the joint distribu�
tion of random reference strings and pro ofs generated by the Prover� The key parameter is the
interpretation of �similarity�� Two notions have b een commonly considered in the literature �cf��
�GMR�� � GMW�� � For��� BDMP�� � BR�� ��� Statistical zero know ledge requires that these distribu�
tions b e statistically close �i�e�� the statistical di�erence b etween them is negligible�� Computational
zero know ledge instead requires that these distributions are computationally indistinguishable �cf��
�GM�� � Yao����� In this work� we fo cus on the stronger security requirement of statistical zero
knowledge�
Since its introduction in �BFM�� �� most work on non�interactive zero knowledge has fo cused
on the computational type �cf�� �BFM�� � DMP�� � DMP�� � BDMP�� � FLS�� � KP�� ��� With non�
interactive statistical zero knowledge� the main ob jects of investigation have b een the sp eci�c pro of �
�
system for Quadratic Nonresiduosity and variants �BDMP�� � DDP�� � DDP�� �� Recently� De
Santis et� al� �DDPY�� � op ened the do or to a general study of non�interactive statistical zero�
�
knowledge by showing that it contains a complete �promise � problem�
Notation� Throughout the pap er� SZK denotes the class of promise problems having statistical
zero�knowledge interactive pro of systems �de�ned in App endix A�� and NISZK denotes the class
of promise problems having non�interactive statistical zero�knowledge pro of systems �de�ned in
Section �����
Our Contribution�
In this work� we seek to understand what� if any� additional p ower interaction gives in the con�
text of statistical zero knowledge� Thus� we continue the investigation of NISZK � fo cusing on
its relationship with SZK � Our �rst result is that the non�triviality of SZK implies non�triviality
of NISZK� where by non�trivial we mean that a class includes problems which are not solv�
able in probabilistic p olynomial�time� The hypothesis holds under various assumptions� such as
the intractability of Discrete Logarithm Problem �GK�� � �or Quadratic Residuosity �GMR�� � or
Graph Isomorphism �GMW�� ��� but variants of these last two problems are already known to b e
in NISZK �BDMP�� � BR�� ���
Furthermore� we show that if NISZK is closed under complement� then in fact SZK �
NISZK � i�e�� all statistical zero�knowledge pro ofs can b e made non�interactive� We note that
�DDPY�� � have claimed that NISZK is closed under complement �and OR�� but these claims have
b een retracted �DDPY�� ��
We also show the equivalence of NISZK with a variant in which the statistical zero knowledge
requirement is weakened somewhat�
Complete Problems� Central to our metho dology is the use of simple and natural complete
problems to understand classes� such as SZK and NISZK � whose de�nitions are rather compli�
cated� In particular� we exhibit two natural promise problems and prove that they are complete for
NISZK � The two problems refer to the �distance� �in two di�erent senses� of a given distribution
from the uniform one� These two problems are natural restrictions of two promise problems shown
complete for SZK � in �SV�� � and �GV�� �� resp ectively� Indeed� our results ab out the relationship
b etween SZK and NISZK come from relating the corresp onding complete problems� This general
theme of using completeness to simplify the study of a class� rather than as evidence for computa�
tional intractability �as is the traditional use of NP �completeness�� has b een evidenced in a number
�
of recent works �cf�� �GMW�� � LFKN�� � Sha��� ALM �� � AS�� �� and has b een particularly useful
in understanding statistical zero knowledge �cf�� �SV�� � SV�� � DDPY�� � GV�� ���
��� The non�interactive mo del
�
Let us recall the de�nition of a non�interactive statistical zero�knowledge pro of system from �BDMP�� ��
We will adapt the de�nition to promise problems� Note that our de�nition will capture what
1
The only exception is an unpublished manuscript of Bellare and Rogaway �BR�� � who proved some basic results
ab out non�interactive p erfect zero�knowledge and showed a non�interactive p erfect zero�knowledge pro of for the
language of graphs with trivial automorphism group�
2
A promise problem � is a pair � � �� � � � of disjoint sets of strings� corresp onding to yes and no instances
yes no
of a decision problem�
3
Actually� only non�interactive perfect and computational zero�knowledge pro ofs were de�ned in �BDMP�� �� The
de�nition we are using� previously given in �BR�� � DDPY���� is the natural non�interactive analogue of �interactive� �
�BDMP�� � call a bounded proof system� in that each shared reference string can only b e used once�
In contrast to non�interactive computational zero knowledge �cf�� �BDMP�� � FLS����� it is unknown
whether every problem that has such a �b ounded� non�interactive statistical zero�knowledge pro of
system also has one in which the shared reference string can b e used an unbounded �p olynomial�
number of times�
A non�interactive statistical zero�knowledge pro of system for a promise problem � is de�ned
by a triple of probabilistic machines P � V � and S � where V and S are p olynomial�time and P is
computationally unbounded� and a p olynomial r �n� �which will give the size of the random reference
string � �� such that�
�� �Completeness�� For all x � � � the probability that V �x� �� P �x� � �� accepts is at least
yes
����
�� �Soundness�� For all x � � � the probability that V �x� �� P �x� � �� accepts is at most ����
no
�� �Zero Knowledge�� For all x � � � the statistical deviation b etween the following two
yes
distributions is at most � �jxj��
r �jxj�
�A� Cho ose � uniformly from f�� �g � sample p from P �x� � �� and output �p� � ��
�B� S �x� �where the coins for S are chosen uniformly at random��
�
where � �n� is a negligible function� termed the simulator deviation� and the probabilities in Con�
ditions � and � are taken over the random coins of V and P � and the choice of � uniformly from
r �n�
f�� �g � Note that non�interactive statistical zero knowledge is closed under parallel rep etition�
so the completeness and soundness errors �i�e� the probability of rejection �resp�� acceptance� for
yes �resp�� no� instances� can b e made exp onentially small in jxj�
We also de�ne a weaker notion of zero knowledge� known as a weak non�interactive statistical
zero�knowledge proof system� where we ask only that for every p olynomial g �n�� there exists a
probabilistic p olynomial�time simulator S �whose running time may dep end on g �� such that the
g
simulator deviation as de�ned ab ove is at most ��g �jxj�� This is the natural analogue of a notion
de�ned in the interactive setting for statistical zero knowledge �DOY��� as well as concurrent zero
knowledge �DNS�� ��
The class of promise problems that p ossess non�interactive statistical zero�knowledge pro of
systems is denoted NISZK� and we denote by weak � NISZK the class of promise problems that
p ossess weak non�interactive statistical zero�knowledge pro of systems� Note that by de�nition�
NISZK � weak �NISZK � De Santis et� al� �DDPY�� � recently b egan a general investigation of
the class NISZK� They introduced a promise problem� called Image Density� and claimed that
is complete for NISZK and that the latter class is closed under OR and complement� We were
able to verify that some variants of Image Density are NISZK �complete� and indeed the ideas
used towards this goal are imp ortant to our work� However� they have retracted their claims that
NISZK is closed under OR and complement �DDPY�� ��
In this pap er� in addition to examining NISZK on its own� we also consider the relationship
non�interactive statistical zero�knowledge pro ofs have with interactive statistical zero�knowledge
pro ofs� In the context of interactive zero�knowledge pro ofs� another issue that arises in the zero�
knowledge condition is the b ehavior of the veri�er� The general de�nition of zero knowledge re�
quires that the zero�knowledge requirement hold for any probabilistic p olynomial�time veri�er� A
statistical zero knowledge �GMR�� ��
4
Recall that a function is negligible if it is eventually less than ��g �n� for any p olynomial g � �
weaker requirement� called honest�veri�er zero know ledge� requires the zero�knowledge condition
to hold only if the veri�er b ehaves honestly� However� it is known that these two conditions are
equivalent for statistical zero knowledge� in the sense that every statistical zero�knowledge pro of
against the honest veri�er can b e transformed into one that is statistical zero knowledge against
any veri�er �GSV�� �� Thus� we write SZK for the class of promise problems p ossessing statistical
zero�knowledge pro ofs �against any p olynomial�time veri�er or� equivalently� against just the honest
veri�er��
Note that in the case of non�interactive zero knowledge� the issue of honest veri�ers do es not
arise since the veri�er do es not interact with the prover� Also� note that we can always transform
a non�interactive zero�knowledge pro of into an honest veri�er zero�knowledge pro of� since we could
have the honest veri�er supply a random string which can replace the common reference string
required for non�interactive zero knowledge� That is� NISZK � SZK �recalling the equivalence
of SZK with honest�veri�er SZK ��
��� Our Results
The primary to ols we use in our investigation are promise problems that are complete for SZK
or NISZK� In �SV�� �� a promise problem called Statistical Di�erence �SD� was introduced and
proved complete for SZK � providing the �rst completeness result for SZK � Recently� it was shown
in �GV�� � that another natural problem� called Entropy Di�erence �ED�� is complete for SZK as
well� In this work� we show that �one�sided� versions of these problems� which we call Statistical
Di�erence from Uniform �SDU� and Entropy Approximation �EA�� are complete for NISZK � To de�ne
these problems more precisely� we �rst recall that that statistical di�erence b etween two random
variables X and Y on a �nite set D � denoted ��X � Y �� is de�ned to b e
X
�
def
� j Pr � X � �� � Pr �Y � �� j� ��X � Y � � max jPr �X � S � � Pr �Y � S �j �
S �D
�
�
All the promise problems we consider involve distributions which are enco ded by circuits which
m n
sample from them� That is� if X is a circuit mapping f�� �g to f�� �g � we identify X with
n m
the probability distribution induced on f�� �g by feeding X the uniform distribution on f�� �g �
Since circuits can b e evaluated in time p olynomial in their size� yet are rich enough to enco de
general �e�g�� Turing machine� computations� they e�ectively capture the notion of an �e�ciently
sampleable distribution��
De�nition ��� �Problems involving statistical di�erence�� The promise problem Statistical Di�er�
ence� denoted SD � �SD � SD �� consists of
yes no
def
� f�X � Y � � ��X � Y � � ���g SD
yes
def
SD � f�X � Y � � ��X � Y � � ���g
no
where X and Y are distributions encoded as circuits which sample from them� The promise problem
Statistical Di�erence from Uniform� denoted SDU � �SDU � SDU �� consists of
yes no
def
SDU � fX � ��X � U � � ��ng
yes
def
SDU � fX � ��X � U � � � � ��ng
no
where X is a distribution encoded as a circuit outputting n bits� and U is the uniform distribution
on n bits� �
For the two problems related to entropy� we recall that the �Shannon� entropy of a random
variable X � denoted H�X �� is de�ned as
X
def
H�X � � Pr �X � �� � log ��� Pr �X � �� �
�
�
De�nition ��� �Problems involving entropy�� The promise problem Entropy Di�erence� denoted
ED � �ED � ED �� consists of
yes no
def
ED � f�X � Y � � H�X � � H�Y � � �g
yes
def
ED � f�X � Y � � H�Y � � H�X � � �g
no
The promise problem Entropy Approximation� denoted EA � �EA � EA �� consists of
yes no
def
� f�X � k � � H�X � � k � �g EA
yes
def
EA � f�X � k � � H�X � � k � �g
no
In these problems� k is a positive integer and X and Y are distributions encoded as circuits which
sample from them�
Our �rst theorem� which is the starting p oint for our other results� is�
Theorem ��� �EA and SDU are NISZK �complete� The promise problems EA and SDU are complete
for NISZK � That is� EA� SDU � NISZK and for every promise problem � � NISZK � there is a
polynomial�time Karp �many�one� reduction from � to EA and another from � to SDU�
From the pro of of this theorem� we also obtain a metho d for transforming weak non�interactive
statistical zero knowledge pro ofs into standard ones�
Theorem ��� weak �NISZK � NISZK�
Armed with our complete problems� we then b egin the work of comparing SZK and NISZK �
First we show that the non�triviality of NISZK is equivalant to the non�triviality of SZK � This
is shown by giving a Co ok reduction from ED to EA�
Theorem ��� �non�triviality of NISZK � SZK � BPP �� NISZK � BPP �
In this theorem �and throughout the pap er�� BPP denotes the class of promise problems solvable
in probabilistic p olynomial time�
In fact� it turns out that the type of Co ok reduction we use is a sp ecial one� and by examining
it further� we are able to shed more light on the SZK vs� NISZK question� Sp eci�cally� we
�
observe that the reduction we give from ED to EA is an AC truth�table reduction� That is� it is
�
a nonadaptive Co ok reduction in which the p ostpro cessing is done in AC � �Formal de�nitions
are given in Section ����� Further� we can prove that if NISZK is closed under complement�
�
then NISZK is closed under AC truth�table reductions� Thus we deduce that NISZK b eing
closed under complement implies that NISZK � SZK � In fact� we can show that closure under
complement and a number of other natural conditions are equivalent to SZK � NISZK �
Theorem ��� �conditions for SZK � NISZK � The fol lowing are equivalent� �
�� SZK � NISZK �
�� NISZK is closed under complement�
�
�� NISZK is closed under NC truth�table reductions�
�� ED �resp�� SD� Karp�reduces to EA �resp�� SDU�� ��general versions reduce to one�sided ones��
�� EA �resp�� SDU� Karp�reduces to its complement� ��one�sided versions reduce to their com�
plements��
Theorem ��� can b e interpreted as saying that if NISZK has a relatively weak closure prop erty
�closure under complement�� then the class is surprisingly rich �equals SZK � and has a much
�
stronger closure prop erty �closure under NC truth�table reductions�� At �rst� it might seem
implausible that a class like NISZK with such an assymetric de�nition would b e closed under
complement� But SZK � which has a similarly assymetric de�nition� is known to b e closed under
complement �Oka���� In light of this� the closure of NISZK under complement would not b e quite
as unexp ected� and Theorem ��� illustrates that proving it would have wider consequences�
The last two conditions in Theorem ��� show that these questions ab out non�interactive versus
interactive statistical zero�knowledge pro ofs are actually equivalent to basic questions ab out rela�
tionships b etween natural computational problems whose de�nitions have no a priori relationship
to zero�knowledge pro ofs�
The equality of SZK and NISZK has interesting consequences not just for NISZK � but also
for SZK � Currently� the b est known generic proto col for SZK �against cheating veri�ers� making
�
no computational assumptions� requires a p olynomial number of rounds �Oka��� GSV�� �� For
NISZK � however� by �DGW�� �� it is known that every problem in NISZK has a constant round
statistical zero�knowledge pro of system �against general� cheating veri�ers� with inverse p olynomial
soundness error� Whether every problem in SZK has such a pro of system is still an op en question�
which would b e resolved in the p ositive if SZK � NISZK �
��� A wider p ersp ective
The study of non�interactive statistical �rather than computational� zero�knowledge pro ofs may
b e of interest for two reasons� Firstly� statistical zero�knowledge pro ofs provide an almost abso�
lute level of security� whereas computational zero�knowledge pro ofs only provide security relative
to computational abilities �and typically under complexity theoretic assumptions�� Secondly� by
analogy from the study of zero�knowledge interactive pro ofs� we b elieve that techniques developed
for the �cleaner� statistical mo del can b e applied or augmented to yield results for computational
zero�knowledge� The pro of that one�way functions are necessary for SZK to b e non�trivial �Ost�� �
was later generalized to CZK �OW���� More recently� the transformations of honest�veri�er zero
knowledge to general zero knowledge� presented in �Dam�� � DGW�� � DGOW��� GSV�� �� apply
b oth to statistical and computational zero knowledge �whereas the original motivation was the
study of statistical zero knowledge�� It is our hop e that the current study of NISZK will even�
tually lead to a b etter understanding of NICZK � where there are still imp ortant op en questions
such as the minimal conditions under which NP has NICZK pro ofs�
5
Under the assumption that the Discrete Logarithm is hard� however� there is a constant round� cheating veri�er
SZK pro of system with inverse p olynomial soundness error for all of SZK �Oka��� BMO�� �� �
� Preliminaries
Recall that a promise problem � is a pair � � �� � � � of disjoint sets of strings� corresp onding
yes no
to the following decision problem� Given a string x � � � � � decide whether it is in �
yes no yes
�i�e� is a yes instance� or in � �i�e� is a no instance�� A string in � � � is said to satisfy
no yes no
the promise� and all other strings are said to violate the promise� A function f is said to b e a Karp
�or polynomial�time many�one� reduction from a promise problem � to a promise problem � if f
is p olynomial�time computable� x � � � f �x� � � � and x � � � f �x� � � � If such a
yes yes no no
reduction exists� we write �� ��
Karp
Recall that all the promise problems we are considering involve distributions which are enco ded
m n
by circuits which sample from them� That is� if X is a circuit mapping f�� �g to f�� �g � we identify
n
X with the probability distribution induced on f�� �g by feeding X the uniform distribution on
m n
f�� �g � The support of X is the set of strings in f�� �g which have nonzero probability under X �
n m k
i�e� fy � f�� �g � �r � f�� �g s�t� X �r � � y g� For any distribution X on a set D � we write � X
k
to denote the distribution on D consisting of k independent copies of X �
� EA is in N ISZK
In this section� we show that EA has a non�interactive statistical zero�knowledge pro of system� The
pro of is given in Subsection ���� assuming a certain lemma �Lemma ����� Subsections ��� to ��� are
devoted to the pro of Lemma ���� which is technically somehwat involved� Therefore� the reader is
encouraged to read only Subsection ��� from this section on �rst reading�
��� The pro of system
Our aim in this section is the prove the following�
Lemma ��� EA � NISZK� Moreover� there is a non�interactive statistical zero�knowledge proof
system for EA in which the completeness error� soundness error� and simulator deviation are al l
�s
exponentially vanishing �speci�cally � � where s is the length of the input��
The transformation given by the following lemma �proved in Subsection ���� will b e applied at
the start of the pro of system�
Lemma ��� There is a polynomial�time computable function that takes an instance �X � k � of EA
�
and a parameter s �in unary� and produces a distribution Z on f�� �g �encoded by a circuit which
samples from it� such that
�s
�� If H�X � � k � �� then Z has statistical di�erence at most � from the uniform distribution
�
on f�� �g � and
�s �
�� If H�X � � k � �� then the support of Z is at most a � fraction of f�� �g �
Lemma ��� essentially transforms an instance of Entropy Approximation into an instance of
Image Density� the complete problem of �DDPY�� �� Given this transformation� it is straightfor�
ward to give a noninteractive statistical zero�knowledge pro of system for EA� �
Non�interactive pro of system for EA� on input �X � k �
�
�� Let Z b e the distribution on f�� �g obtained from �X � k � as in Lemma ��� taking s to b e the
�
total description length of �X � k � in bits� Let � � f�� �g b e the reference string�
� �
�� P selects r uniformly among fr � Z �r � � � g and sends r to V �
�� V accept if Z �r � � � and rejects otherwise�
It is immediate from Lemma ��� that the completeness error and soundness error of this pro of
�s
system are � � For zero�knowledgeness� we consider the following probabilistic p olynomial�time
simulator�
Simulator for EA pro of system� on input �X � k �
�� Let Z b e obtained from �X � k � as in the pro of system�
�� Select an input r to Z uniformly at random and let � � Z �r ��
�� Output ��� r ��
�s
It follows from Part � of Lemma ��� that this simulator has statistical di�erence at most �
from the distribution of transcripts of �P � V �� Thus� assuming Lemma ���� we have established
Lemma ���� In fact� we need not require that s b e the length of �X � k �� Instead� s can b e taken to
b e an arbitrary security parameter� and the completeness� soundness� and simulation error will b e
exp onentially small in s� while the running time of the proto col only dep ends p olynomially on s�
We can use this to prove the following� which will b e useful to us later�
Prop osition ��� If any promise problem � reduces to EA by a Karp �i�e� many�one� reduction
�even if it is length�reducing�� then � � NISZK�
Pro of� A noninteractive statistical zero�knowledge pro of system for � can b e given as follows� On
an instance x of �� b oth parties compute the image �X � k � of x under the reduction �� EA and
Karp
execute the pro of system for EA on �X � k �� except that we take s to b e the length of x� Hence� the
completeness and soundness errors and simulator deviation of this pro of system are exp onentially
small in jxj �rather than j�X � k �j which could b e shorter than x��
��� Flat distributions and the Leftover Hash Lemma
Here we discuss some standard notions and techniques that will b e useful in the pro of of Lemma ����
We use the clean formulations of these to ols given in �GV�� �� A distribution X is called �at if all
strings in the supp ort of X have the same probability� Notice that if X is �at� then by the
�H�X �
de�nition of entropy� Pr �X � x� � � for every x in the supp ort of X � We quantify deviation
from �atness as follows�
De�nition ��� �heavy� light and typical elements�� Let X be a distribution� x an element pos�
sibly in its support� and � a positive real number� We say that x is ��heavy �resp�� ��light� if
� �H�X � �� �H�X �
Pr �X � x� � � � � �resp�� Pr � X � x� � � � � �� Otherwise� we say that x is ��typical�
A natural relaxed de�nition of �atness follows� The de�nition links the amount of slackness allowed
in �typical� elements with the probability mass assigned to non�typical elements� �
De�nition ��� ��at distributions�� A distribution X is called ���at if for every t � �� the proba�
2
�t ��
bility that an element chosen from X is t � ��typical is at least � � � �
By straightforward application of Ho efding Inequality �cf�� App endix C�� we have
k
Lemma ��� ��attening lemma�� Let X be a distribution� k a positive integer� and � X denote
the distribution composed of k independent copies of X � Suppose that for al l x in the support of X
p
�m k
k � m��at� it holds that Pr � X � x� � � � Then � X is
k
The key p oint is that the entropy of � X grows linearly with k � whereas its deviation from �atness
p
grows signi�cantly slower �i�e�� linear in k � as a function of k � Note that if X is a distribution
��
de�ned by a circuit with � input gates� then Pr � X � x� � � for all x in the supp ort of X � so the
conclusion of Lemma ��� holds with m � �� The other main to ol we will use is�
Lemma ��� �Leftover Hash Lemma �ILL���� Let H be a ��universal family of hash functions
mapping a domain D to a range R � Suppose X is a distribution on D such that with probability at
least � � � over x selected from X � Pr �X � x� � ��jR j� Then the statistical di�erence between the
���
fol lowing two distributions is at most O �� � � ��
�A� Choose h uniformly from H and x according to X � Output �h� h�x���
�B� Choose h uniformly from H and y uniformly from R � Output �h� y ��
In particular� notice that if X is a ���at distribution� then for any parameters s� t � �� X
2
H�X ��t��s �t ��
satis�es the hypothesis of the Leftover Hash Lemma with jR j � � � � � � � and
�s
� � � � As we will b e applying Lemma ��� to sets of strings� we de�ne� for any pair of p ositive
integers a and b� H to b e one of the standard ��universal families of hash functions mapping
a�b
a b
f�� �g to f�� �g �e�g�� a�ne GF ����linear transformations��
��� Overview of Lemma ���
The transformation pro ceeds in four stages� which are roughly describ ed b elow�
�
�� Let X consist of many copies of X so that the entropy gap b etween yes and no instances
increases� and the distribution b ecomes quite �at relative to its entropy�
�
�� Hash X so that yes instances b ecome close to the uniform distribution while no instances
have much smaller entropy than the uniform distribution� That is� let Y b e of the form
�
�h� h�X ��� where h is uniformly distributed in a ��universal family with appropriate param�
eters�
�
�� Let Y consist of many copies of Y so that for no instances� the entropy de�ciency �as
�
compared to the uniform distribution� b ecomes large and yet Y b ecomes quite �at relative
to its entropy� while yes instances remain close to uniform�
�
�� Hash the inputs to Y so that no instances have small supp ort �rather than just small entropy��
�
while keeping yes instances close to uniform� That is� let Z b e of the form �Y �r �� h� h�r ��
where h is uniformly distributed in a ��universal family with appropriate parameters� �
��� Pro of of Lemma ���
Let �X � k � b e an instance of EA� let m �resp�� n� denote the number of input and output gates to
X � and let s b e the extra parameter in the transformation� By increasing s if necessary� we may
assume that s is greater than the total description length of �X � k �� Thus� all the intermediate
circuits we build will b e of size p oly�s�� Also note that it su�ces for the transformation to achieve
���s� �s
error parameters just � rather than � � as this can b e comp ensated for by �rst increasing s
by a linear factor�
Many copies I� The �rst step is to take many copies of each distribution� this has the e�ect of
increasing the entropy gap b etween yes and no instances relative to X �s deviation from �atness�
� � q �
Namely� let q � �sm and let X � � X �i�e�� X consists of q indep endent copies of X �� Then
p
p
� � �
�
�sm � m � � s � m � In particular� H�X � � q � H�X � and� by Lemma ���� X is ���at for � �
we have established
Claim ���
p
�
s� � s� �� If H�X � � k � �� then H�X � � q k � q � q k �
�
�� If H�X � � k � �� then H�X � � q k � q � q k �
Hashing I� Now consider the distribution Y on pairs �h� h�x�� induced by choosing h uniformly
�
from H and x according to X � Say that elements of H take u � p oly�q n� q k � �
q n�q k �� q n�q k ��
p oly�s� bits to represent� Then Y is represented by a circuit with inputs �resp�� outputs� of length
� �
m � u � q m �resp�� n � u � q k � ��� Y has the following prop erties�
Claim ���
���s�
�� If H�X � � k � �� then Y has statistical di�erence at most � from the uniform distribution
�
n
� on f�� �g
�
�� If H�X � � k � �� then the entropy of Y is less than n � ��
Pro of� Part � follows from the ���atness of X and the Leftover Hash Lemma� Part � follows
�
from the fact that the entropy of Y is at most the entropy of X �which is less than q k � plus the
entropy of the uniform distribution on H �which is u��
q n�q k ��
Many copies I I� We now take many copies of Y � so that the entropy de�ciency of no instances
b ecomes large relative to the �atness while yes instances remain close to uniform� Sp eci�cally� let
�
� � � � � � � � � q
Y � so that Y has M � m q input gates� N � n q output gates� q � �s � �m � and let Y � �
p
p
� � � � � �
� �
�s�m � � m � � s � �m � � Then we immediately have� and Y is � ��at for � �
Claim ����
� � ���s� ���s�
�� If H�X � � k � �� then Y has statistical di�erence at most q � � � � from the uniform
N
distribution on f�� �g �
p
� � �
�� If H�X � � k � �� then H�Y � � N � q � N � �s � � � s� ��
Hashing I I� The �nal step is to make a distribution which� for no instances� has small supp ort
�rather than just low entropy� in the case of no instances� while yes instances remain close to
M
uniform� Consider a circuit Z which takes as input r � f�� �g and a hash function h � H
M �M �N �s
�
and outputs �Y �r �� h� h�r ��� Then�
���s�
Claim ���� Z satis�es the requirements of Lemma ��� �with error parameters � rather than
�s
� �� That is�
���s�
�� If H�X � � k � �� then Z has statistical di�erence at most � from the uniform distribution
N M �N �s
on f�� �g � H � f�� �g � and
M �M �N �s
���s� N
�� If H�X � � k � �� then the support of Z is at most a � fraction of f�� �g � H �
M �M �N �s
M �N �s
f�� �g �
�
The intuition for this is the following� In the case of yes instances� Y is close to the uniform
N N M �N
distribution on f�� �g � so for almost all y � f�� �g � there will b e ab out � values of r such
�
that Y �r � � y � Thus� hashing r down to M � N � s bits will still result in a nearly uniform
distribution�
�
In the case of a no instance� Y has large entropy de�ciency and is nearly �at� From this�
� N
we can deduce that Y lands in some small subset T of f�� �g with very high probability� Thus�
�
p oints y �� T must have very low probability under Y � i�e� there are very few inputs r such that
�
Y �r � � y � So� for each y �� T � the pairs �h� h�r �� will only hit a small subset of the p ossible values�
�
Therefore� �Y �r �� h� h�r �� has small supp ort� b ecause either the �rst comp onent lands in a small
set �namely T � or the last two comp onents land in a small set�
� ���s�
Pro of� Supp ose H�X � � k � �� From the fact that Y has statistical di�erence at most �
���s� �
from uniform it follows that with probability at least � � � over y selected according to Y �
� �
� �
�
� � ��� Pr Y � y �
N
� �
� �
Fix any y satisfying Inequality �� Conditioned on Y �r � � y � r is selected uniformly from fr � Y �r � �
M �N ��
y g� which by Equation � is a set of size at least � � Thus� by the Leftover Hash Lemma�
� ���s�
conditioned on Y �r � � y � the distribution of �h� h�r �� has statistical di�erence at most � from
���s�
uniform� Therefore the total statistical di�erence of Z from uniform is � �
Now supp ose H�X � � k � �� We want to show that the supp ort S of Z is a small fraction of
N M �N �s
D � f�� �g � H � f�� �g � To do this� we divide S into three parts� dep ending
M �M �N �s
� �
on the probability mass given to the y comp onent by Y � Recall that a �typical� y for Y has
p
� �
�s�� �s �H�Y � �N �
� probability mass � � � �
� �N ��s
S � f�y � h� z � � S � Pr �Y � y � � � g ��much to o light��
�
�N ��s � �N �s
S � f�y � h� z � � S � � � Pr � Y � y � � � g ��to o light� but not much to o light��
�
�N �s �
S � f�y � h� z � � S � � � Pr �Y � y �g ��not to o light��
�
�s �s
Clearly� S � S � S � S � We will show that jS j�jD j � � for i � �� �� �� and so jS j�jD j � � � � �
� � � i
���s�
� �
� �N ��s M �N ��s
First we b ound jS j� For any y such that Pr �Y � y � � � � there are at most �
�
�
values of r such that Y �r � � y � Thus� for any such y and any h� the set of z such that �y � h� z � � S
�
M �N ��s
is of size at most � �b ecause each such z must b e of the form h�r � for some r such that
� M �N ��s M �N �s �s
Y �r � � y �� This implies that S is at most a � �� � � fraction of D �
� ��
�N ��s � �N �s
Now we b ound jS j� We show that the set A of y such that � � Pr �Y � y � � � is at
�
�s N �s
most a � fraction of f�� �g � From this� it follows that S is at most a � fraction of D � Every
�
p p
� � � � �
y � A is �s � � �light �since Y has entropy at most N � s � �s � � �� By the � ��atness of Y �
� ��s�� �N ��s �
Pr �Y � A� is at most � � Since every y in A has probability mass at least � under Y �
��s�� �N ��s N �s
jAj is at most � �� � � � as desired�
N �s �
Finally� we b ound jS j� Clearly� there can b e at most � values of y such that Pr �Y � y � �
�
�N �s N �s N �s
� � From this it follows that jS j�jD j � � �� � � �
�
� EA and SDU are N ISZK �complete
In this section� we complete the pro of of Theorem ���� First� we establish that SDU � NISZK by
showing�
Lemma ��� SDU� EA� In particular� SDU � NISZK �
Karp
Pro of� Let X b e an instance of SDU� We assume that log �n� � �� where n is the output length
of the circuit X �otherwise� once can decide in probabilistic p olynomial time whether X is a yes
or no instance of SDU by random sampling�� Let U denote the uniform distribution on n bits� We
claim the map X �� �X � n � �� is the reduction required by the lemma�
If X � SDU � then � � ��X � U � � ��n� Now we use the fact �cf�� App endix B� that for any
yes
two random variables� Y and Z � ranging over domain D it holds that
jH�Y � � H�Z �j � �log jD j� � ��Y � Z � � H ���Y � Z �� �
�
where H �� � denotes the entropy of a ��� random variable with mean � � Applying this with Y � U
�
and Z � X � we have
n � H�X � � n � ��n � H ���n� � ��
�
Hence �X � n � �� � EA �
yes
If X � SDU � then ��X � U � � � � ��n� By the de�niton of statistical di�erence� this implies
no
n
the existence of a set S � f�� �g such that Pr �X � S � � Pr �U � S � � � � ��n� This implies that
Pr �X � S � � � � ��n and Pr �U � S � � ��n�
Thus� H�X � � Pr � X � S � � log �jS j� � Pr � X �� S � � n � � � �n � log n� � ���n� � n � n � �� and we
have that �X � n � �� � EA �
no
The �in particular� part of Lemma ��� follows immediately from Prop osition ����
Now� we establish b oth Theorem ��� and Theorem ��� by showing that all promise problems in
weak�NISZK �and hence all promise problems in NISZK � are reducible to SDU �and hence by
the previous lemma to EA��
Lemma ��� Every promise problem in weak �NISZK Karp�reduces to SDU�
Pro of� Let � b e any promise problem in weak �NISZK � As weak �NISZK is preserved under
parallel rep etition� we may assume that � has a weak �NISZK pro of system �P � V � with complete�
�n
ness and soundness errors at most � on inputs of length n� Let r �n� � p oly�n� b e the length
of the random reference string in �P � V �� and let S b e a randomized p olynomial�time simulator S
such that the statistical di�erence b etween the output distribution of S and the distribution of true ��
transcripts of P is at most ����r �n��� �Such an S is guaranteed by the weak �NISZK prop erty��
Let U denote the uniform distribution on r �n� bits�
Let x b e an instance of �� De�ne M to b e a circuit which do es the following on input s�
x
M �s�� Simulate S �x� with randomness s to obtain a transcript ��� p�� If V �x� �� p� accepts� then
x
r �n�
output � � else output � �
We claim that the map x �� M is the reduction required by the lemma� Supp ose x � � � In
x
yes
this case� we know that the random reference string � in the output of S has statistical di�erence
�n
less than ���r �n� from U � In addition� since the completeness error of proto col P is at most � �
�n
S �x� can output rejecting transcripts with probability at most ����r �n�� � � � ����r �n��� Hence�
��M � U � � ����r �n�� � ����r �n�� � ��r �n�� and M � SDU �
x x
yes
�n �n
Supp ose x � � � Since the soundness error of proto col P is b ounded by � � for at most a �
no
fraction of reference strings � do es there exist an accepting transcript ��� p�� Since M only outputs
x
r �n� �n �r �n�
reference strings corresp onding to accepting transcripts or � � ��M � U � � � � �� � � � �
x
� � ��r �n�� Thus� M � SDU �
x
no
Clearly� Lemmas ���� ���� and ��� combine to prove Theorem ���� Lemmas ��� and ��� show
that any promise problem � in weak�NISZK reduces to EA� by Prop osition ���� this implies that
� � NISZK and establishes Theorem ����
� Comparing N ISZK and SZK
Armed with NISZK �complete promise problems so closely related to problems known to b e com�
plete for SZK � we can quickly b egin relating the two classes�
��� Nontriviality of NISZK
First� we establish Theorem ��� by giving a Co ok reduction from Entropy Difference �ED�� com�
plete for SZK � to Entropy Approximation �EA�� complete for NISZK �
� � � �
Lemma ��� Suppose �X � Y � is an instance of ED� Let X � � X �resp�� Y � � Y � consist of �
�
independent copies of X �resp�� Y �� and let n denote the maximum of the output sizes of X and
�
Y � Then�
n
�
�� � � ��
� �
� �Y � k � � EA �X � k � � EA �X � Y � � ED ��
no yes yes
k ��
n
�
�� � � ��
� �
� �Y � k � � EA �X � k � � EA �X � Y � � ED ��
yes no no
k ��
� � �
Pro of� Supp ose �X � Y � � ED � so that H �X � � H �Y � � �� Let k � bH �X �c � �� Then
yes
� � � �
H �X � � k � �� On the other hand� k � � � H �X � � H �Y � � �� and hence H �Y � � k � ��
� � �
Supp ose instead �X � Y � � ED � so that H �Y � � H �X � � �� Then for all k � dH �X �e � �� we
no
� � � �
have H �X � � k � �� So� for all k � dH �X �e � �� we have k � � � H �X � � � � H �Y ��
From this reduction� we conclude that SZK � BPP �� NISZK � BPP � which is Theo�
rem ���� Again� by BPP we mean the class of promise problems solvable in probabilistic p olynomial
time� ��
Pro of of Theorem ���� By de�nition� NISZK � SZK �recall that SZK equals honest�veri�er
SZK �GSV�� ��� Hence if SZK � BPP � then NISZK � BPP �
Now supp ose NISZK � BPP � so in particular there is a probabilistic p olynomial�time machine
M which decides EA �with exp onentially small error probability�� To show SZK � BPP � it su�ces
to show that ED � BPP since ED is SZK �complete� We now describ e how to decide instances of ED�
� � �
Let �X � Y � b e an instance of ED� Letting X and Y b e as stated in Lemma ���� we run M �X � k �
� � �
and M �Y � k � for all k � ��� n�� If for some k � we see that M �X � k � � � and M �Y � k � � �� we
output �� Otherwise� we output �� By Lemma ���� this is a correct BPP algorithm for deciding
� ED�
��� Conditions under which NISZK � SZK
�
The reduction given by Lemma ��� is a very sp ecial type of Co ok reduction� which we call an AC
truth�table reduction� In this section� we use the sp ecial prop erties of this reduction to show that
if NISZK is closed under complement� then in fact NISZK � SZK � We now precisely de�ne
the types of reductions we are using� taking care how they are de�ned for promise problems�
De�nition ��� �truth�table reduction �LLS�� ��� We say a promise problem � truth�table reduces
to a promise problem �� written �� �� if there exists a �deterministic� polynomial�time computable
tt
function f � which on input x produces a tuple �x � x � � � � � x � and a circuit C � such that
� �
k
�� If x � � then for al l valid settings of b � b � � � � � b � C �b � b � � � � � b � � �� and
� � � �
k k
yes
�� If x � � then for al l valid settings of b � b � � � � � b � C �b � b � � � � � b � � ��
� � � �
no k k
where a setting for b is considered valid when b � � if x � � and b � � if x � � �and b
i i i i i i
yes no
is unrestricted when x violates the promise��
i
In other words� a truth�table reduction for promise problems is a non�adaptive Co ok reduction
which is allowed to make queries which violate the promise� but must b e able to tolerate b oth yes
and no answers in resp onse to queries that violate the promise� We further consider the case where
we restrict the complexity of computing the output of the reduction from the queries�
� �
De�nition ��� �AC and NC truth�table reductions�� A truth�table reduction f between promise
� �
problems is an AC �resp�� NC � truth�table reduction if the circuit C produced by the reduction
on input x has depth bounded by a constant c independent of x �resp�� has depth bounded by
f
� �
0
c log jxj�� If there is an AC �resp�� NC � truth�table reduction from � to �� we write �� �
f
AC �tt
1
�resp�� �� ���
NC �tt
�
With this de�nition� we observe that Lemma ��� in fact gives an AC truth�table reduction�
�
since the formula given in the lemma can b e expressed as an AC circuit� and the statement of the
lemma shows that the reduction has the robustness prop erties against promise violations that are
required in De�nition ���� Thus� we have�
0
Prop osition ��� ED� EA�
AC �tt
We say that a class C of promise problems is closed under a class of reductions � if �� � and
� �
�
� � C implies that � � C � By the ab ove� if NISZK is closed under AC truth�table reductions�
then ED � NISZK and hence NISZK � SZK � Thus� we would like to capture the minimal
�
conditions necessary for a promise class to b e closed under AC truth�table reductions� Here� care ��
must b e taken to b ecause of the p ossibility of promise violations� Keeping this in mind� we de�ne
the following op erator on promise problems to capture the notion of an unbounded fan�in AND
gate for promise problems�
De�nition ��� �unbounded AND�� For any promise problem �� we de�ne AND��� to be the promise
problem�
def
AND ��� � f�x � x � � � � � x � � k � �� �i � ��� k �x � � g
� � i
yes k yes
def
AND ��� � f�x � x � � � � � x � � k � �� �i � ��� k �x � � g
� � i
k
no no
We say a class of promise problems C is closed under unbounded AND if � � C implies that
AND��� � C �
We have de�ned AND so that it has the weakest promise condition p ossible to remain well�
de�ned� In particular� we see that AND ��� is de�ned to include x �s that violate ��s promise� as
i
no
long as just one of them is in � � � � C � AND��� � C � We also need a way of combining two
no
promise problems�
De�nition ��� �disjoint union�� For any pair of promise problems � and �� we de�ne the disjoint
union of � and � to be the promise problem DisjUn��� �� de�ned as fol lows�
def
DisjUn ��� �� � f�g � � � f�g � �
yes yes
yes
def
DisjUn ��� �� � f�g � � � f�g � �
no no
no
We say a class of promise problems C is closed under disjoint union if �� � � C implies that
DisjUn��� �� � C �
With these de�nitions� we can give the following lemma which gives some conditions su�cient
�
to give closure under AC truth�table reductions�
�
Lemma ��� A promise class C is closed under AC truth�table reductions if the fol lowing conditions
hold�
�� C is closed under Karp �i�e�� many�one� reductions�
�� C is closed under unbounded AND�
�� C is closed under disjoint union�
�� C is closed under complementation�
Pro of� First note that any unbounded fan�in circuit can b e e�ciently converted into a circuit
with only unbounded fan�in NAND gates �allowing also unary NAND gates�� with only a constant
factor blowup in depth� So� as a �rst step� we observe that C is closed under unbounded NAND�
def
AND��� � C � by closure under unbounded AND and for any promise problem �� NAND��� �
complementation� To generalize this to constant depth circuits with unbounded fan�in NAND
gates� we �rst need a de�nition� ��
d
De�nition ��� For any promise problem �� and for al l natural numbers d � � we de�ne Depth ���
to be the promise problem whose instances are tuples �C � �x � x � � � � � x ��� where C is a circuit of
� �
k
depth at most d �using unbounded fan�in NAND gates only�� The yes instances are those such
that for al l valid settings of b � b � � � � � b � C �b � b � � � � � b � � �� whereas the no instances are those
� � � � m
k
tuples such that for al l valid settings of b � b � � � � � b � C �b � b � � � � � b � � �� Here� a setting for b is
� � � � i
k k
considered valid when b � � if x � � and b � � if x � � �and b is unrestricted when x
i i i i i i
yes no
violates the promise��
�
Using the fact that every AC circuit can b e e�ciently transformed into one with only NAND
d
0
gates� we see that �� � means that there exists some d such that �� Depth ��� under a
Karp
AC �tt
d
Karp reduction� Hence if we can show that for all d � � and promise problems �� Depth ��� � C �
the lemma will b e established� We will prove this by induction on d�
First� observe that a depth � circuit is simply a variable �negations of variables are achieved
�
with one unary NAND gate� so count as depth ��� Hence� Depth ���� � � C � Now assume that
Karp
d
Depth ��� � C � Observe that a depth d � � circuit is simply a NAND of some number of depth d
circuits� Using this observation� we will argue that that
d�� d d
Depth ���� DisjUn�Depth ���� NAND�Depth ������
Karp
d��
By the hypothesized closure prop erties of C � this implies that Depth ��� � C � The reduction
works as follows� The input to the reduction is a tuple �C � x� � where x� � �x � x � � � � x �� If C is
� �
k
actually a depth d circuit� then it simply outputs ��� �C � x� ��� If not� then it extracts from C the
circuits C � C � � � � � C that provide input to the topmost NAND gate� Then the reduction outputs
� � s
d��
��� ��C � x� �� �C � x� �� � � � � �C � x� ���� It is clear that map gives a Karp reduction from Depth ��� to
� � s
d d
DisjUn�Depth ���� NAND�Depth ������ completing the induction step and the pro of�
Which of the conditions of Lemma ��� do es NISZK satisfy� We argue that Conditions �� ��
and � are satis�ed by NISZK �
Lemma ��� NISZK is closed under Karp reductions�
Pro of� Supp ose � � NISZK � and �� �� Since EA is complete for NISZK � we have �� EA�
Karp Karp
By comp osing reductions� we see that �� EA� By Prop osition ���� � � NISZK�
Karp
Lemma ���� NISZK is closed under unbounded AND�
Pro of� First� we argue that AND�EA� � NISZK by describing a NISZK pro of system for AND�EA��
Let ��X � k �� � � � � �X � k �� b e an instance of AND�EA�� and say � is the total length of the instance�
� � m m
Arti�cially pad each circuit X to b e of description size � �by adding unused gates� and let Y b e
i i
the resulting circuit� Now execute the NISZK pro of system for EA given by Lemma ��� on each
pair �Y � k � in parallel� and have the AND�EA��veri�er accept if the EA�veri�er would have accepted
i i
on each pair�
If every pair �X � k � is a yes instance of EA� the AND�EA� veri�er will accept with probability
i i
�� �����
at least � � m � � � � � � � as the completeness error of the EA pro of system is at most
��
� � Similarly� running the simulator for the EA pro of system m times indep endently will give a
�� �����
simulation for the AND�EA� pro of system with simulator deviation at most m � � � � � Finally�
if just one pair �X � k � is a no instance of EA �even if the others violate the promise�� the veri�er
i i
��
will accept with probability at most � in the i�th execution of the EA proto col� and so the AND�EA�
��
veri�er will accept with probability at most � � ��
This shows that AND�EA� � NISZK � Now let � b e any promise problem in NISZK � Since EA
is complete for NISZK � there is a Karp reduction f from � to EA� This induces a Karp reduction
from AND��� to AND�EA� in the obvious way �i�e� �x � � � � � x � �� �f �x �� � � � � f �x ���� As AND�EA� is
� �
k k
in NISZK and NISZK is closed under Karp reductions� AND��� � NISZK�
Lemma ���� NISZK is closed under disjoint union�
Pro of� For any two promise problem � and � in NISZK� the Karp reductions f from � to EA
�
and f from � to EA induce a Karp reduction from DisjUn��� �� to EA given by ��� x� �� f �x�� By
� �
Prop osition ���� DisjUn��� �� � NISZK�
Combining everything� we can give a condition under which SZK � NISZK�
Prop osition ���� If NISZK is closed under complementation� then SZK � NISZK �
Pro of� Supp ose NISZK is closed under complementation� Combining this with Lemmas ����
�
���� ����� and ����� it follows that NISZK is closed under AC truth�table reductions� Applying
0
Prop osition ��� �ED� EA� and Lemma ��� �EA � NISZK �� we conclude that ED � NISZK �
AC �tt
Since ED is complete for SZK �GV�� � and NISZK is closed under Karp reductions �Lemma �����
we have SZK � NISZK � As NISZK � SZK is true from the de�nition of NISZK � we conclude
that NISZK � SZK �
Finally� we deduce Theorem ���� which gives a number of conditions equivalent to NISZK �
SZK �
Pro of of Theorem ����
�
� � �� This follows from the result of �SV�� � that SZK is closed under NC truth�table reductions�
� � � � �� The �rst is trivial and the second is Prop osition �����
� � �� This follows from Theorem ��� �which asserts that that EA and SDU are complete for
NISZK �� the fact that ED and SD are complete for SZK �SV�� � GV�� �� and Lemma ��� �that
NISZK is closed under Karp reductions��
� � �� This follows from Theorem ��� �that EA and SDU are complete for NISZK � and Lemma ���
�that NISZK is closed under Karp reductions��
Acknowledgments
We thank the CRYPTO ��� program committee and reviewers for helpful comments on the pre�
sentation�
References
�
�ALM ��� Sanjeev Arora� Carsten Lund� Ra jeev Motwani� Madhu Sudan� and Mario Szegedy�
Pro of veri�cation and hardness of approximation problems� In Proceedings of the Thirty
Third Annual Symposium on Foundations of Computer Science� pages ������ ����� ��
�AS��� Sanjeev Arora and Shmuel Safra� Probabilistic checking of pro ofs� In Proceedings of
the Thirty Third Annual Symposium on Foundations of Computer Science� pages �����
�����
�BDMP��� Manuel Blum� Alfredo De Santis� Silvio Micali� and Giusepp e Persiano� Noninteractive
zero�knowledge� SIAM Journal on Computing� ��������������� � December �����
�BFM��� Manuel Blum� Paul Feldman� and Silvio Micali� Non�interactive zero�knowledge and
its applications �extended abstract�� In Proceedings of the Twentieth Annual ACM
Symposium on Theory of Computing� pages �������� Chicago� Illinois� ��� May �����
�BG��� Mihir Bellare and Sha� Goldwasser� New paradigms for digital signatures and message
authentication based on non�interactive zero knowledge pro ofs� In G� Brassard� editor�
Advances in Cryptology�CRYPTO ���� volume ��� of Lecture Notes in Computer
Science� pages �������� Springer�Verlag� ����� ����� August �����
�BMO��� Mihir Bellare� Silvio Micali� and Rafail Ostrovsky� Perfect zero�knowledge in constant
rounds� In Proceedings of the Twenty Second Annual ACM Symposium on Theory of
Computing� pages �������� �����
�BR��� Mihir Bellare and Phillip Rogaway� Non�interactive p erfect zero�knowledge� Unpub�
lished manuscript� June �����
�CT��� Thomas M� Cover and Joy A� Thomas� Elements of Information Theory� Wiley Series
in Telecommunications� John Wiley � Sons� Inc�� �nd edition� �����
�Dam��� Ivan Damg�ard� Interactive hashing can simplify zero�knowledge proto col design� In
Proceedings of Crypto ���� Lecture Notes in Computer Science� volume ���� pages
�������� Springer�Verlag� �����
�DDN��� Danny Dolev� Cynthia Dwork� and Moni Naor� Non�malleable cryptography �extended
abstract�� In Proceedings of the Twenty Third Annual ACM Symposium on Theory of
Computing� pages �������� New Orleans� Louisiana� ��� May �����
�DDP��� Alfredo De Santis� Giovanni Di Crescenzo� and Guisepp e Persiano� The knowledge
complexity of quadratic residuosity languages� Theoretical Computer Science� ������
����������� �� September �����
�DDP��� Alfredo De Santis� Giovanni Di Crescenzo� and Giusepp e Persiano� Randomness�
e�cient non�interactive zero�knowledge �extended abstract�� In Pierpaolo Degano�
Rob ert Gorrieri� and Alb erto Marchetti�Spaccamela� editors� Automata� Languages
and Programming� ��th International Col loquium� volume ���� of Lecture Notes in
Computer Science� pages �������� Bologna� Italy� ���� July ����� Springer�Verlag�
�DDPY��� Alfredo De Santis� Giovanni Di Crescenzo� Giusepp e Persiano� and Moti Yung� Im�
age Density is complete for non�interactive�SZK� In Automata� Languages and Pro�
gramming� ��th International Col loquium� Lecture Notes in Computer Science� pages
�������� Aalb org� Denmark� ����� July ����� Springer�Verlag� See �DDPY�� ��
�DDPY��� Alfredo De Santis� Giovanni Di Crescenzo� Giusepp e Persiano� and Moti Yung� Im�
age Density is complete for non�interactive�SZK� May ����� Preliminary draft of full
version� ��
�DGOW��� Ivan Damg�ard� Oded Goldreich� Tatsuaki Okamoto� and Avi Wigderson� Honest veri�
�er vs� dishonest veri�er in public coin zero�knowledge pro ofs� In Proceedings of Crypto
���� Lecture Notes in Computer Science� volume ���� Springer�Verlag� �����
�DGW��� Ivan Damg�ard� Oded Goldreich� and Avi Wigderson� Hashing functions can simplify
zero�knowledge proto col design �to o�� Technical Rep ort RS������� BRICS� November
����� See Part � of �DGOW����
�DMP��� Alfredo De Santis� Silvio Micali� and Giusepp e Persiano� Non�interactive zero�
knowledge pro of systems� In Carl Pomerance� editor� Advances in Cryptology�
CRYPTO ���� volume ��� of Lecture Notes in Computer Science� pages ������
Springer�Verlag� ����� ����� August �����
�DMP��� Alfredo De Santis� Silvio Micali� and Giusepp e Persiano� Non�interactive zero�
knowledge with prepro cessing� In S� Goldwasser� editor� Advances in Cryptology�
CRYPTO ���� volume ��� of Lecture Notes in Computer Science� pages ��������
Springer�Verlag� ����� ����� August �����
�DNS��� Cynthia Dwork� Moni Naor� and Amit Sahai� Concurrent zero�knowledge� In Pro�
ceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing� pages
�������� �����
�DOY��� Giovanni Di Crescenzo� Tatsuaki Okamoto� and Moti Yung� Keeping the SZK�veri�er
honest unconditionally� In Advances in Cryptology�CRYPTO ���� pages ������ �����
�FLS��� Uriel Feige� Dror Lapidot� and Adi Shamir� Multiple non�interactive zero knowledge
pro ofs based on a single random string �extended abstract�� In ��st Annual Symposium
on Foundations of Computer Science� volume I� pages �������� St� Louis� Missouri� ���
�� Octob er ����� IEEE�
�For��� Lance Fortnow� The complexity of p erfect zero�knowledge� In Silvio Micali� editor�
Advances in Computing Research� volume �� pages �������� JAC Press� Inc�� �����
�GK��� Oded Goldreich and Eyal Kushilevitz� A p erfect zero�knowledge pro of system for a
problem equivalent to the discrete logarithm� Journal of Cryptology� ��������� �����
�GM��� Sha� Goldwasser and Silvio Micali� Probabilistic encryption� Journal of Computer and
System Sciences� �������������� �����
�GMR��� Sha� Goldwasser� Silvio Micali� and Charles Racko�� The knowledge complexity of
interactive pro of systems� SIAM Journal on Computing� �������������� February �����
�GMW��� Oded Goldreich� Silvio Micali� and Avi Wigderson� Pro ofs that yield nothing but their
validity or all languages in NP have zero�knowledge pro of systems� Journal of the
Association for Computing Machinery� �������������� �����
�GO��� Oded Goldreich and Yair Oren� De�nitions and prop erties of zero�knowledge pro of
systems� Journal of Cryptology� ���������� Winter �����
�GSV��� Oded Goldreich� Amit Sahai� and Salil Vadhan� Honest�veri�er statistical zero�
knowledge equals general statistical zero�knowledge� In Proceedings of the Thirtieth
Annual ACM Symposium on the Theory of Computing� pages �������� ����� ��
�GSV��� Oded Goldreich� Amit Sahai� and Salil Vadhan� Can statistical zero knowledge b e
made non�interactive� or On the relationship of SZK and NISZK �extended abstract��
In Michael Wiener� editor� Advances in Cryptology�CRYPTO ���� Lecture Notes in
Computer Science� Springer�Verlag� ����� August �����
�GV��� Oded Goldreich and Salil Vadhan� Comparing entropies in statistical zero�knowledge
with applications to the structure of SZK� In Proceedings of the Fourteenth Annual
IEEE Conference on Computational Complexity� pages ������ Atlanta� GA� May �����
IEEE Computer So ciety Press�
�ILL��� Russell Impagliazzo� Leonid A� Levin� and Michael Luby� Pseudo�random generation
from one�way functions �extended abstracts�� In Proceedings of the Twenty�First An�
nual ACM Symposium on Theory of Computing� pages ������ Seattle� Washington�
����� May �����
�KP��� Jo e Kilian and Erez Petrank� An e�cient noninteractive zero�knowledge pro of system
for NP with general assumptions� Journal of Cryptology� ����������� Winter �����
�LFKN��� Carsten Lund� Lance Fortnow� Howard Karlo�� and Noam Nisan� Algebraic meth�
o ds for interactive pro ofs� In Proceedings of the Thirty First Annual Symposium on
Foundations of Computer Science� pages ����� �����
�LLS��� R� E� Ladner� N� A� Lynch� and A� L� Selman� A comparison of p olynomial time
reducibilities� Theoretical Computer Science� ������������� December �����
�NY��� Moni Naor and Moti Yung� Public�key cryptosystems provably secure against chosen
ciphertext attacks� In Proceedings of the Twenty Second Annual ACM Symposium on
Theory of Computing� pages �������� Baltimore� Maryland� ����� May �����
�Oka��� Tatsuaki Okamoto� On relationships b etween statistical zero�knowledge pro ofs� In Pro�
ceedings of the Twenty Eighth Annual ACM Symposium on the Theory of Computing�
����� See also preprint of full version� Oct� �����
�Ost��� Rafail Ostrovsky� One�way functions� hard on average problems� and statistical zero�
knowledge pro ofs� In Proceedings of the Thirty Second Annual Symposium on Founda�
tions of Computer Science� pages �������� �����
�OW��� Rafail Ostrovsky and Avi Wigderson� One�way functions are essential for non�trivial
zero�knowledge� In Proceedings of the Second Israel Symposium on Theory of Comput�
ing and Systems� �����
�Sha��� Adi Shamir� IP�PSPACE� In Proceedings of the Thirty First Annual Symposium on
Foundations of Computer Science� pages ������ �����
�SV��� Amit Sahai and Salil Vadhan� A complete promise problem for statistical zero�
knowledge� In Proceedings of the Thirty Eighth Annual Symposium on Foundations
of Computer Science� pages �������� �����
�SV��� Amit Sahai and Salil Vadhan� Manipulating statistical di�erence� In Panos Pardalos�
Sanguthevar Ra jasekaran� and Jos�e Rolim� editors� Randomization Methods in Algo�
rithm Design �DIMACS Workshop� December ������ volume �� of DIMACS Series ��
in Discrete Mathematics and Theoretical Computer Science� pages �������� American
Mathematical So ciety� �����
�Yao��� Andrew C� Yao� Theory and application of trap do or functions� In Proceedings of the
Twenty Third Annual Symposium on Foundations of Computer Science� pages ������
�����
A De�nitions
Following �GK�� �� we extend the standard de�nition of interactive pro of systems to promise prob�
lems � � �� � � �� That is� we require the completeness condition to hold for yes instances
yes no
�i�e�� x � � �� require the soundness condition to hold for no instances �i�e�� x � � �� and do
yes no
not require anything for inputs which violate the promise �i�e�� x �� � � � ��
yes no
We are mainly interested in such pro of systems which are statistical zero knowledge�
De�nition A�� �Statistical Zero Knowledge � SZK �� Let �P � V � be an interactive proof system
for a promise problem � � �� � � ��
yes no
� We denote by hP � V i�x� the view of the veri�er V while interacting with P on common input x�
this consists of the common input� V �s internal coin tosses� and al l messages it has received�
� �P � V � is said to be �general� statistical zero knowledge if� for every probabilistic polynomial�
�
time V � there exists a probabilistic polynomial�time machine �called a simulator�� S � and a
negligible function � � N �� ��� �� �called the simulator deviation� so that for every x � �
yes
�
the statistical di�erence between S �x� and hP � V i�x� is at most ��jxj��
� SZK denotes the class of promise problems having statistical zero�knowledge interactive proof
systems�
Honest�veri�er statistical zero�knowledge pro of systems are such where the zero�knowledge re�
quirement is only required to hold for the prescrib ed�honest veri�er V � rather than for every
�
p olynomial�time computable V � Every honest�veri�er statistical zero�knowledge pro of system can
b e transformed into a general statistical zero�knowledge pro of system �actually meeting an even
stronger zero�knowledge requirement� �GSV�� ��
B Statistical Inequalities
Fact B�� For any two random variables� X and Y � ranging over a domain D it holds that
jH�X � � H�Y �j � log �jD j � �� � � � H �� �
�
def
where � � ��X � Y ��
This fact can b e inferred from Fano�s Inequality �cf�� �CT��� Thm� ��������� and a slightly weaker
b ound can b e found in �CT��� Thm� �������� A more direct pro of follows�
def def
Pro of� Assume � � � or else the claim is obvious� Let p�x� � Pr � X � x� and q �x� � Pr �X � x��
P
def
� �
De�ne m�x� � minfp�x�� q �x�g� Then m�x� � � � � � De�ne random variables Z � X and
x�D ��
�
Y so that
� �
�
def
� �
� m�x� Pr Z � x � m �x� �
� � �
� �
�
def
� �
Pr X � x � p �x� � � �p�x� � m�x��
�
� �
�
def
� �
Pr Y � x � q �x� � � �q �x� � m�x��
�
� � �
Think of X �resp�� Y � as b eing generated by picking Z with probability � � � and X �resp�� Y �
otherwise� Then
� �
H�X � � �� � � � � H�Z � � � � H�X � � H �� �
�
�
H�Y � � �� � � � � H�Z �
� �
Observing that Pr �X � x� � � on at least one x � D � it follows that H�X � � log �jD j � ��� and
the fact follows�
Comment� The ab ove b ound is tight� Let e � D and consider X which is identically e� and Y
which with probability � � � equals e and otherwise is uniform over D n feg� Clearly� ��X � Y � � �
and H�Y � � H�X � � � log �jD j � �� � H �� � � ��
�
C Pro of of the Flattening Lemma
For every x in the supp ort of X � we let w �x� � � log Pr �X � x�� Then w maps the supp ort of X �
denoted D � to ��� m�� Let X � ���� X b e identical and indep endent copies of X � The lemma asserts
�
k
that for every t
� �
� �
k
� �
X
p
2
� �
�t ��
k � � � t � m w �X � � k � H�X � Pr
� �
i
� �
i��
P
Pr �X � x� w �x� � H�X �� for every i� Thus� the lemma follows by Observe that E �w �X �� �
i
x
a straightforward application of Ho efding Inequality� Sp eci�cally� de�ne random variables � �
i
p
k � and use w �X �� let � � E �� � and � � tm�
i i
� �
� �
P
� �
� k �
�
�
��
� �
i
i��
Pr � � � � exp � � � � � k
� �
�
� �
k m
� �
�
� � � exp ��t
The lemma follows� ��