Can Statistical Zero Knowledge Be Made Non-Interactive? Or on The

Can Statistical Zero Knowledge Be Made Non-Interactive? Or on The

Can Statistical Zero Knowledge b e made NonInteractive or On the Relationship of SZK and N ISZK y z x Oded Goldreich Amit Sahai Salil Vadhan May Abstract We extend the study of noninteractive statistical zeroknowledge pro ofs Our main fo cus is to compare the class NISZK of problems p ossessing such noninteractive pro ofs to the class SZK of problems p ossessing interactive statistical zeroknowledge pro ofs Along these lines we rst show that if statistical zero knowledge is nontrivial then so is noninteractive statistical zero knowledge where by nontrivial we mean that the class includes problems which are not solvable in probabilistic p olynomialtime The hypothesis holds under various assumptions such as the intractability of the Discrete Logarithm Problem Furthermore we show that if NISZK is closed under complement then in fact SZK NISZK ie all statistical zero knowledge pro ofs can b e made noninteractive The main to ols in our analysis are two promise problems that are natural restrictions of promise problems known to b e complete for SZK We show that these restricted problems are in fact complete for NISZK and use this relationship to derive our results comparing the two classes The two problems refer to the statistical dierence and dierence in entropy resp ectively of a given distribution from the uniform one We also consider a weak form of NISZK in which only requires that for every inverse p olynomial pn there exists a simulator which achieves simulator deviation pn and show that this weak form of NISZK actually equals NISZK Keywords Statistical ZeroKnowledge Pro ofs NonInteractive ZeroKnowledge Pro ofs An extended abstract of this work app ears in CRYPTO GSV y Department of Computer Science Weizmann Institute of Science Rehovot Israel Email odedwisdomweizmannacil Work done while visiting LCS MIT Supp orted by DARPA grant DABTC z Lab oratory for Computer Science Massachusetts Institute of Technology Cambridge MA Email amitstheorylcsmitedu Supp orted by DODNDSEG fellowship and DARPA grant DABTC x Lab oratory for Computer Science Massachusetts Institute of Technology Cambridge MA Email saliltheorylcsmitedu Supp orted by DODNDSEG fellowship and in part by DARPA grant DABT C Introduction ZeroKnowledge pro ofs introduced by Goldwasser Micali and Racko GMR are fascinating and extremely useful constructs Their fascinating nature is due to their seemingly contradictory nature they are b oth convincing and yet yield nothing b eyond the validity of the assertion b eing proven Their applicability in the domain of cryptography is vast they are typically used to force malicious parties to b ehave according to a predetermined proto col which requires parties to provide pro ofs of the correctness of their secretbased actions without revealing these secrets Zero knowledge pro ofs come in many avors and in this pap er we fo cus on two parameters The rst parameter is the underlying communication model and the second is the type of the zeroknowledge guarantee The communication mo del When Goldwasser Micali and Racko prop osed the denition of zeroknowledge pro ofs it seemed that interaction was crucial to achieving zero knowledge that the p ossibility of zero knowledge arose through the p ower of interaction Indeed it was not unexp ected when GO showed zero knowledge to b e trivial ie only exists for pro ofs of BPP statements in the most straightforward noninteractive mo dels Surprisingly however Blum Feldman and Micali BFM showed that by changing the mo del slightly it is p ossible to achieve zero knowledge in a noninteractive setting ie where only unidirectional communication can o ccur Sp ecically they assume that b oth Prover and Verier have access to a shared truly random string called the reference string Aside from this assumption all communication consists of one message the pro of which is generated by the Prover based on the assertion b eing proved and the reference string and sent from the Prover to the Verier Noninteractive zeroknowledge pro ofs on top of b eing more communicationecient by de nition have several applications not oered by ordinary interactive zeroknowledge pro ofs They have b een used among other things to build digital signature schemes secure against adaptive chosen message attack BG publickey cryptosystems secure against chosenciphertext attack NY DDN and nonmalleable cryptosystems DDN The zeroknowledge guarantee For ordinary interactive zeroknowledge pro ofs the zero knoweldege requirement is formulated by saying that the transcript of the Veriers interaction with the Prover can b e simulated by the Verier itself Similarly for the noninteractive setting describ ed ab ove the zeroknowledge condition is formulated by requiring that one can pro duce knowing only the statement of the assertion a random reference string along with a pro of that works for the reference string More precisely we require that there exists an ecient pro cedure that on input a valid assertion pro duces a distribution which is similar to the joint distribu tion of random reference strings and pro ofs generated by the Prover The key parameter is the interpretation of similarity Two notions have b een commonly considered in the literature cf GMR GMW For BDMP BR Statistical zero know ledge requires that these distribu tions b e statistically close ie the statistical dierence b etween them is negligible Computational zero know ledge instead requires that these distributions are computationally indistinguishable cf GM Yao In this work we fo cus on the stronger security requirement of statistical zero knowledge Since its introduction in BFM most work on noninteractive zero knowledge has fo cused on the computational type cf BFM DMP DMP BDMP FLS KP With non interactive statistical zero knowledge the main ob jects of investigation have b een the sp ecic pro of system for Quadratic Nonresiduosity and variants BDMP DDP DDP Recently De Santis et al DDPY op ened the do or to a general study of noninteractive statistical zero knowledge by showing that it contains a complete promise problem Notation Throughout the pap er SZK denotes the class of promise problems having statistical zeroknowledge interactive pro of systems dened in App endix A and NISZK denotes the class of promise problems having noninteractive statistical zeroknowledge pro of systems dened in Section Our Contribution In this work we seek to understand what if any additional p ower interaction gives in the con text of statistical zero knowledge Thus we continue the investigation of NISZK fo cusing on its relationship with SZK Our rst result is that the nontriviality of SZK implies nontriviality of NISZK where by nontrivial we mean that a class includes problems which are not solv able in probabilistic p olynomialtime The hypothesis holds under various assumptions such as the intractability of Discrete Logarithm Problem GK or Quadratic Residuosity GMR or Graph Isomorphism GMW but variants of these last two problems are already known to b e in NISZK BDMP BR Furthermore we show that if NISZK is closed under complement then in fact SZK NISZK ie all statistical zeroknowledge pro ofs can b e made noninteractive We note that DDPY have claimed that NISZK is closed under complement and OR but these claims have b een retracted DDPY We also show the equivalence of NISZK with a variant in which the statistical zero knowledge requirement is weakened somewhat Complete Problems Central to our metho dology is the use of simple and natural complete problems to understand classes such as SZK and NISZK whose denitions are rather compli cated In particular we exhibit two natural promise problems and prove that they are complete for NISZK The two problems refer to the distance in two dierent senses of a given distribution from the uniform one These two problems are natural restrictions of two promise problems shown complete for SZK in SV and GV resp ectively Indeed our results ab out the relationship b etween SZK and NISZK come from relating the corresp onding complete problems This general theme of using completeness to simplify the study of a class rather than as evidence for computa tional intractability as is the traditional use of NP completeness has b een evidenced in a number of recent works cf GMW LFKN Sha ALM AS and has b een particularly useful in understanding statistical zero knowledge cf SV SV DDPY GV The noninteractive mo del Let us recall the denition of a noninteractive statistical zeroknowledge pro of system from BDMP We will adapt the denition to promise problems Note that our denition will capture what 1 The only exception is an unpublished manuscript of Bellare and Rogaway BR who proved some basic results ab out noninteractive p erfect zeroknowledge and showed a noninteractive p erfect zeroknowledge pro of for the language of graphs with trivial automorphism group 2 A promise problem is a pair of disjoint sets of strings corresp onding to yes and no instances yes no of a decision problem 3 Actually only noninteractive perfect and computational zeroknowledge pro ofs were dened in BDMP The denition we are using previously given in BR DDPY is the natural noninteractive analogue of interactive BDMP call a bounded proof system in that each shared reference string can only b e used once In contrast to noninteractive computational zero knowledge cf BDMP FLS it is unknown whether every problem that has such a b ounded noninteractive statistical zeroknowledge pro of system also has one in which the shared

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    23 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us