Information Theoretic Advances in Zero-Knowledge

by Itay Berman

B.Sc., Tel Aviv University (2012)
M.Sc., Tel Aviv University (2014)

Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY

June 2019

© Massachusetts Institute of Technology 2019. All rights reserved.

Author (signature redacted): Department of Electrical Engineering and Computer Science, May 23, 2019
Certified by (signature redacted): Vinod Vaikuntanathan, Associate Professor of Electrical Engineering and Computer Science, Thesis Supervisor
Accepted by (signature redacted): Leslie A. Kolodziejski, Professor of Electrical Engineering and Computer Science, Chair, Department Committee on Graduate Students

Information Theoretic Advances in Zero-Knowledge
by Itay Berman

Submitted to the Department of Electrical Engineering and Computer Science on May 23, 2019, in partial fulfillment of the requirements for the degree of Doctor of Philosophy

Abstract

Zero-knowledge proofs have an intimate relation to notions from information theory. In particular, the class of all problems possessing statistical zero-knowledge proofs (SZK) was shown to have complete problems characterized by the statistical distance (Sahai and Vadhan [JACM, 2003]) and entropy difference (Goldreich and Vadhan [CCC, 1999]) of a pair of efficiently samplable distributions. This characterization has been extremely beneficial in understanding the computational complexity of languages with zero-knowledge proofs and deriving new applications from such languages. In this thesis, we further study the relation between zero-knowledge proofs and information theory. We show the following results:

1. Two additional complete problems for SZK characterized by other information theoretic notions: triangular discrimination and Jensen-Shannon divergence. These new complete problems further expand the regime of parameters for which the STATISTICAL DIFFERENCE PROBLEM is complete for SZK. We further show that the parameterized STATISTICAL DIFFERENCE PROBLEM, for a regime of parameters in which this problem is not known to be in SZK, still shares many properties with SZK. Specifically, its hardness implies the existence of one-way functions, and it and its complement have a constant-round public coin interactive protocol (i.e., AM ∩ coAM).

2. The hardness of a problem related to the ENTROPY DIFFERENCE PROBLEM implies the existence of multi-collision resistant hash functions (MCRH). We also demonstrate the usefulness of such hash functions by showing that the existence of MCRH implies the existence of constant-round statistically hiding (and computationally binding) commitment schemes.

3. We initiate the study of zero-knowledge in the model of interactive proofs of proximity (IPP). We show efficient zero-knowledge IPPs for several problems. We also show problems with efficient IPPs, for which every zero-knowledge IPP must be inefficient. Central in this study is showing that many of the statistical properties of SZK carry over to the IPP setting.

Thesis Supervisor: Vinod Vaikuntanathan
Title: Associate Professor of Electrical Engineering and Computer Science

Acknowledgments

I would like to first thank my advisor, Vinod Vaikuntanathan, for his support, guidance and caring during my time at MIT. Vinod was always curious to hear about any topic, eager to solve any problem, and knew exactly where to look for answers. I have learned a lot from him about how to do research and also about the best ways to present this research.

I am very grateful to Iftach Haitner, my advisor during my Master studies at Tel Aviv University.
Iftach was the driving force behind my decision to pursue research in theory of computer science, particularly in cryptography. He always pushed me to achieve more, and his insights made even the most difficult problems seem approachable. I thank Iftach for his useful advice and support throughout my graduate studies.

I was extremely lucky that Ron Rothblum was doing his post-doc at MIT during my Ph.D. studies. Ron's patience to explain and to listen, his ability to extract the essence and to simplify, and his intuition about how to approach a problem make him an ideal collaborator. Collaborating with Ron was a true delight and this entire thesis is a result of this collaboration. Most of all, I thank Ron for his friendship, advice, and willingness to always share his thoughts. I will be forever in his debt.

A special thanks goes to Akshay Degwekar. I started collaborating with Akshay from the moment I arrived at MIT, and since it was so much fun I never stopped. Akshay's ability to so quickly understand the point, and his abstract thinking and simplifications never cease to amaze me. I thank Akshay for sharing with me his knowledge about things I knew nothing about, and for navigating together our paths in Ph.D. studies and beyond.

Another special thank you goes to Prashant Vasudevan. The willingness to share, deep insights, and relentless curiosity make it immensely enjoyable to collaborate with Prashant. His ability to present the most difficult technique in the most understandable way has always astonished me.

A large part of this thesis is a result of the collaboration with Akshay and Prashant.

I thank all my other co-authors throughout my graduate studies: Ilan Komargodski, Moni Naor, Aris Tentes, and Eliad Tsfadia.

I am grateful to Nir Bitansky and Omer Paneth for sharing with me their views about research and life.
I am also grateful to other researchers from whom I have learned a lot; in particular, Benny Applebaum, Yuval Ishai, Yael Kalai, and Alon Rosen.

Yael Kalai and Ronitt Rubinfeld served as my thesis committee and for that I thank them. I also thank Ronitt and Michael Sipser for being great instructors; I enjoyed being their teaching assistant a lot. I am grateful for the guidance Piotr Indyk gave me as my academic advisor at MIT.

My passion and excitement for information theory stem from a wonderful course taught by Yury Polyanskiy. Yury is a fantastic teacher and his ability to explain difficult proofs is unmatched.

I would also like to thank my fellow students in the Theory of Computation group at MIT. Govind Ramnarayan for our countless talks during lunch about anything but research. Saleet Mossel and Tal Wagner for making me feel like I am in Israel for at least a few hours every week. Nishanth Dikkala for reminding me how much I enjoy playing ping pong. Madalina Persu for long and meaningful conversations. I also thank Sitan Chen, Aloni Cohen, Daniel Grier, Pritish Kamath, Sam Park, Adam Sealfon, and all other students that I had the privilege to interact with while at MIT.

Last but not least, I would like to thank Tiana. She is the reason I went to MIT and this thesis would not have come to light without her love and support.

Contents

1 Introduction
  1.1 Our Results
  1.2 Outline of this Thesis
2 Preliminaries
  2.1 Notations
  2.2 Information Theory Preliminaries
  2.3 Statistical Zero-Knowledge Interactive Proofs
3 Statistical Difference Beyond the Polarizing Regime
  3.1 Overview
  3.2 Techniques
  3.3 Complete Problems for SZK
  3.4 One Way Functions from SDI" with Any Noticeable Gap
  3.5 Estimating Statistical Distance in AM ∩ coAM
  3.6 Triangular Discrimination Inequalities
4 Multi-Collision Resistant Hash Functions
  4.1 Overview
  4.2 Constructing MCRH Families
  4.3 Statistically Hiding Commitments
  4.4 Black-Box Separation
5 Zero-Knowledge Interactive Proofs of Proximity
  5.1 Overview
  5.2 ZKPP - Model and Definitions
  5.3 The Power of ZKPP: The Statistical Case
  5.4 Limitations of SZKPP
  5.5 Computational ZK Proofs and Statistical ZK Arguments of Proximity
  5.6 Deferred Proofs

Chapter 1

Introduction

Zero-knowledge proofs, introduced by Goldwasser, Micali, and Rackoff [GMR89], achieve an almost unbelievable task: giving each party what it wants. The parties in question are a (typically) computationally unbounded prover and a computationally limited verifier. The prover and the verifier exchange messages according to an agreed upon protocol, known as an interactive proof, in order for the verifier to be convinced of the validity of a shared statement. At the end of the interaction, the verifier is protected from being convinced that a false statement is true. At the same time, the prover knows that if the statement is true, the verifier learns nothing other than that.

One of the cornerstones contributed to the foundations of cryptography by the seminal work of [GMR89] (together with the definition of interactive proof that by itself has had vast implications in computational complexity theory) is how to formally define zero-knowledge. That is, what does it mean for the prover to know