The Complexity of Zero Knowledge
Salil Vadhan
Harvard University
A Successful Marriage
• Complexity Theory: Which problems are “computationally hard” to solve?
• Cryptography: Design protocols that are “computationally hard” to break.
[Diagram: arrows between the two fields, labelled “hard problems, techniques” and “revisit notions, adversarial view”]
Two Areas of Interaction
• Pseudorandomness:
generating objects that “look random” despite being
constructed with little or no randomness.
– Cryptography: many unpredictable bits from short key
– Complexity: power of randomized algs (RP vs. P, RL vs. L)
• Zero-knowledge proofs:
interactive proofs that reveal nothing other than
validity of assertion being proven
– Cryptography: central in study of crypto protocols
– Complexity: augments NP ↔ “efficiently verifiable proofs”
[Diagram: results linking Cryptography, Zero Knowledge and Complexity]
• Protocols [B82,...]
• Def of ZK, IP [GMR85]
• Secure Computation [Yao86,GMW87,BGW88,CCD88]
• Random Oracle Model [FS86,BR93,CGH98]
• NP-completeness [C71,L73,K72]
• NP⊆ZK [GMW86]
• IP=PSPACE [LFKN90,S90]
• Multiprover ZK [BGKW88]
• Polylog-eff ZK Args [K92,M94]
• Concurrency [F90,DNS98]
• Non-BB Simulation [B01]
• MIP=NEXP, PCP Theorem [BFL91...ALMSS92]
• Diagonalization [T36]
• ?
This Talk
Complexity-theoretic study of zero-knowledge proofs:
• Characterize the expressiveness of ZK.
• Prove general theorems about ZK.
• Minimize or eliminate complexity assumptions.
ZK Complexity Classes
• Soundness: Prover cannot convince Verifier of false statements
• Zero Knowledge: Verifier learns nothing

                                Zero Knowledge
Soundness                       statistical    computational
statistical (“proofs”)          SZKP           CZKP           [GMR85]
computational (“arguments”)     SZKA           CZKA           [BCC86]

αZKβ : can prove “x is a YES instance of   w/corresponding kind of ZK protocol
Conditional Results on ZK

                                Zero Knowledge
Soundness                       statistical    computational
statistical (“proofs”)          SZKP           CZKP
computational (“arguments”)     SZKA           CZKA

Complexity assumptions ⇒ understand CZKP, SZKA, CZKA very well
NP ⊆ ZK [GMW86]
ZK pf for GRAPH 3-COLORING
[Diagram: graph with vertices 1–6; unbounded Prover and poly-time Verifier]
1. (Prover) Randomly permute coloring & send in locked boxes: Com( )…Com( )
2. (Verifier) Pick random edge: (1,4)
3. (Prover) Send keys for endpoints: ( ,K1),( ,K4)
4. (Verifier) Accept if colors different.
Commitment Schemes
Bit-commitment:
[Diagram: Sender and Receiver. commit stage: z, K; reveal stage: ( ,K); accept/reject]
• Hiding: Com(0) & Com(1) indistinguishable. (⇒ zero knowledge)
• Binding: W.h.p. z can be opened to only one value ∈ {0,1}. (⇒ soundness)
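One round of the GRAPH 3-COLORING protocol with a concrete Com, as an added example that is not from the slides. The locked boxes are modelled with a salted SHA-256 hash, which is an assumption of this example and not one of the commitment constructions the talk cites; the graph, the colorings and all function names are constructed for illustration.

```python
import hashlib
import random
import secrets

def commit(color):
    """Commit stage: lock one color in a box, returning (z, K)."""
    key = secrets.token_bytes(32)           # K: 256-bit random opening key
    return hashlib.sha256(key + bytes([color])).digest(), key

def opens_to(z, color, key):
    """Reveal stage: the receiver recomputes the box from (color, K)."""
    return hashlib.sha256(key + bytes([color])).digest() == z

def prover_step1(coloring, rng):
    """Step 1: randomly permute the colors, lock every vertex's color."""
    perm = [0, 1, 2]
    rng.shuffle(perm)
    # vertex -> (permuted color, z, K); only the z values go to the verifier
    opened = {v: (perm[c],) + commit(perm[c]) for v, c in coloring.items()}
    boxes = {v: z for v, (_, z, _) in opened.items()}
    return boxes, opened

def run_round(edges, coloring, edge=None, rng=random):
    """One round; `edge` overrides the verifier's random choice."""
    boxes, opened = prover_step1(coloring, rng)                # step 1
    u, v = edge if edge is not None else rng.choice(edges)     # step 2
    (cu, _, ku), (cv, _, kv) = opened[u], opened[v]            # step 3
    return (opens_to(boxes[u], cu, ku) and opens_to(boxes[v], cv, kv)
            and cu != cv)                                      # step 4

def cheater_survival(edges, coloring, rounds):
    """Chance that a prover committing to this coloring passes every round."""
    good = sum(coloring[u] != coloring[v] for u, v in edges)
    return (good / len(edges)) ** rounds

# Constructed sample: 6-cycle plus the chord (1,4).
EDGES = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (6, 1), (1, 4)]
VALID = {1: 0, 2: 1, 3: 2, 4: 1, 5: 0, 6: 2}
INVALID = {1: 0, 2: 1, 3: 2, 4: 0, 5: 1, 6: 2}   # only edge (1,4) clashes

if __name__ == "__main__":
    print("honest prover passes every edge:",
          all(run_round(EDGES, VALID, e) for e in EDGES))
    print("bad coloring, verifier asks (1,4):", run_round(EDGES, INVALID, (1, 4)))
    print("bad coloring, verifier asks (1,2):", run_round(EDGES, INVALID, (1, 2)))
    print("survival over 100 rounds:", cheater_survival(EDGES, INVALID, 100))
```

A single round catches the bad coloring only when the verifier happens to pick the clashing edge, which is why the round is repeated; the verifier only ever sees two distinct, freshly permuted colors.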
Conditional Results on CZKP
Thms: Assuming one-way functions exist...
• ∃ comp. hiding, stat. binding commitments [HILL90,N91]
• NP ⊆ CZKP [GMW86]
• CZKP=IP=PSPACE [IY87,BGG+88,LFKN90,S90]
• CZKP = CZKP w/ public coins, perfect completeness [GS86,FGMSZ87]
• CZKP = honest-verifier CZKP
• CZKP closed under union, complement...
• CZKP∩NP has ZK pfs w/ poly-time prover (given witness) and O(1) rounds
Conditional Results on SZKA
Thms: Assuming one-way functions exist...
• ∃ stat. hiding, comp. 1-out-of-2-binding commitments […,NOV06]
• NP ⊆ SZKA [GMW86,BCC86]
• SZKA=MA (randomized NP)
• SZKA=SZKA w/ public coins, perfect completeness [GS86,FGMSZ87]
• SZKA=honest-verifier SZKA
• SZKA closed under union,…
where SZKA=statistical ZK arguments w/poly-time prover
Q: What can we prove about ZK unconditionally?
Unconditional Results on ZK

                                Zero Knowledge
Soundness                       statistical    computational
statistical (“proofs”)          SZKP           CZKP
computational (“arguments”)     SZKA           CZKA

Complexity assumptions don’t seem useful for SZKP
(stat hiding, stat binding commitments impossible)
Unconditional Results on SZKP
Thms:
• SZKP contains QUADRATIC RESIDUOSITY [GMR85],
GRAPH ISOMORPHISM [GMW86],...
• SZKP=SZKP w/public coins, perfect completeness [O96]
• SZKP closed under complement, union [O96]
• Complete Problems [SV97,GV99]
• SZKP=honest-verifier SZKP [DGW94,DOY97,GSV98]
• SZKP∩NP has SZKP pfs w/poly-time prover [NV06]
• And more [DDPY98,DSY00...]
But more constrained: SZKP ⊆ AM ∩ coAM [F86,AH87]
⇒ unlikely to contain NP.
Unconditional Results on CZKP
Thm [V04,NV06]:
Assuming one-way functions exist...
• New characterizations of CZKP
• CZKP = CZKP with public coins, perfect completeness
• CZKP = honest-verifier CZKP
• CZKP closed under union
• CZKP ∩ NP has CZKP proofs w/poly-time prover
• ...
Unconditional Results on CZKA
Thm [OV06]:
Assuming one-way functions exist...
• New characterizations of CZKA
• CZKA = CZKA with public coins, perfect completeness
• CZKA = honest-verifier CZKA
• CZKA closed under union
• CZKA ∩ coMA closed under complement
• ...
Unconditional Results on SZKA
Thm [OV06]:
Assuming one-way functions exist...
• New characterizations of SZKA
• SZKA = SZKA with public coins, perfect completeness
• SZKA = honest-verifier SZKA
• SZKA closed under union
• SZKA = coCZKP ∩ MA
• ...
How to get unconditional results on ZK?
• Thm [OW93]: If CZKA ≠ BPP, then a “weak form” of one-way functions exist.
• Idea: Case analysis.
– Case I: CZKA=BPP. Everything trivial.
– Case II: CZKA≠BPP. Use above OWF in conditional results.
• Problem: “Weak form” of OWF not enough (cf. [DOY97])
• Our approach:
– replace BPP by SZKP
– case analysis on input-by-input basis
– combine OWF-based results w/unconditional results on SZKP
Promise Problems [ESY84]
[Diagram: a Language partitions {0,1}* into YES and NO; a Promise Problem partitions {0,1}* into YES, NO and excluded inputs]
• Example: UNIQUE SAT [VV86]
US_Y: has exactly 1 satisfying assignment
US_N: is unsatisfiable
• Generalize all definitions (eg IP,CZKA) in natural way.
SZKP/OWF TRIPLETS
Def: (, I, J) with I⊆Y, J⊆N, is an SZKP/OWF TRIPLET
if ∃ poly-time {f_x(y)}_{x∈{0,1}*} s.t.
1. Ignoring I and J,  is in SZKP.
2. When x∈I∪J, f_x is hard to invert.
∀ (nonuniform) poly-time A, x∈I∪J:
Pr[A inverts f_x(U_poly(|x|))] ≤ negl(|x|)
Note: ∃ OWF ⇒ every problem satisfies above.
[Diagram: Y and N with I ⊆ Y, J ⊆ N; outside I and J: in SZKP; I and J: instances yield OWF]
CZKP Characterization Theorem
Thm [V04]:
 ∈ CZKP
⇔
 ∈ IP and ∃ I s.t. (, I, ∅) is a SZKP/OWF TRIPLET
[Diagram: Y and N with I ⊆ Y, J ⊆ N; outside I and J: in SZKP; I and J: instances yield OWF]
CZKA Characterization Theorem
Thm [OV06]:
 ∈ CZKA
⇔
 ∈ MA and ∃ I, J s.t. (, I, J) is a SZKP/OWF TRIPLET
[Diagram: Y and N with I ⊆ Y, J ⊆ N; outside I and J: in SZKP; I and J: instances yield OWF]
SZKA Characterization Theorem
Thm [OV06]:
 ∈ SZKA
⇔
 ∈ MA and ∃ J s.t. (, ∅, J) is a SZKP/OWF TRIPLET
[Diagram: Y and N with J ⊆ N; outside J: in SZKP; J: instances yield OWF]
SZKP/OWF Triplets: Summary

                                Zero Knowledge
Soundness                       statistical        computational
statistical (“proofs”)          SZKP: I=∅, J=∅     CZKP: J=∅
computational (“arguments”)     SZKA: I=∅          CZKA

[Diagram: Y and N with I ⊆ Y, J ⊆ N; outside I and J: in SZKP; I and J: instances yield OWF]
“Zero Knowledge & Soundness are Symmetric”
Proof of the Characterization Thms
[Diagram: three boxes with side annotations]
1.  ∈ honest-verifier CZKA, even w/inefficient prover
2. ∃ I, J s.t. (, I, J) is SZKP/OWF TRIPLET.
3.  ∈ CZKA w/public coins, perfect completeness, poly-time prover
Annotations between boxes 1 and 2: proof system, statistical ZK; J=∅, I=∅
Annotations between boxes 2 and 3: proof system, statistical ZK; + ∈ MA
From ZK to SZKP/OWF TRIPLETS
Lemma: If  has an honest-verifier CZKA system
(even w/inefficient prover), then
∃ I, J s.t. (, I, J) is an SZKP/OWF TRIPLET.
Proof:
• Let (P,V) = honest-verifier CZKA system, S = simulator
• Know:
– x∈Y ⇒ S(x) comp. indistinguishable from (P,V)(x)
– x∈N ⇒ no poly-time P* makes V accept w/nonnegl. prob.
– WLOG S always outputs accepting transcripts.
Analyzing the Simulator
[F87,AH88,O91,PT96,SV97,GV99,…]
• S(x)  (inefficient) strategies P_S(x) and V_S(x):
Respond m_{i+1} to history (m_1,…,m_i) w.p.
Pr[S(x)_{i+1}=m_{i+1} | S(x)_{1…i}=(m_1,…,m_i)]
• Measure (statistical) “similarity” between V_S(x) and V(x).
Constructing the Triplet
• I = {x∈Y : V_S(x) not “similar” to V(x)}
• J = {x∈N : V_S(x) not “far” from V(x)}
• (Y\I, N\J) ∈ SZKP:
Distinguishing whether two samplable distributions are statistically “similar” vs. “far” is complete for SZKP [SV97,GV99]
[Diagram: Y and N with I ⊆ Y, J ⊆ N; outside I and J: in SZKP; I and J: instances yield OWF]
Constructing the Triplet
• I = {x∈Y : V_S(x) not “similar” to V(x)}
• J = {x∈N : V_S(x) not “far” from V(x)}
• OWF on I:
S and (P,V)(x) computationally indistinguishable but statistically far
⇒ OWF [HILL90,G90]
• Difficulty: (P,V)(x) not samplable given x
[Diagram: Y and N with I ⊆ Y, J ⊆ N; outside I and J: in SZKP; I and J: instances yield OWF]
Constructing the Triplet
• I = {x∈Y : V_S(x) not “similar” to V(x)}
• J = {x∈N : V_S(x) not “far” from V(x)}
• OWF on J:
P_S makes V_S accept w.p. 1
⇒ P_S makes V accept w.p. .01
⇒ P_S hard to approximate
⇒ Simulator hard to invert [O91]
[Diagram: Y and N with I ⊆ Y, J ⊆ N; outside I and J: in SZKP; I and J: instances yield OWF]
Analyzing the Simulator
[F87,AH88,O91,PT96,SV97,GV99,…]
• S(x)  (inefficient) strategies P_S(x) and V_S(x):
Respond m_{i+1} to history (m_1,…,m_i) w.p.
Pr[S(x)_{i+1}=m_{i+1} | S(x)_{1…i}=(m_1,…,m_i)]
• Measure (statistical) “similarity” between V_S(x) and V(x).
D(x) = entropy of V’s msgs – entropy of V_S’s msgs
= #coins(V) - Σ_i H( S(x)_{2i} | S(x)_{1…2i-1} )
(WLOG V sends even-numbered msgs, reveals coins at end.)
From SZKP/OWF to ZK
Lemma: If ∃ I, J s.t. (, I, J) is an SZKP/OWF TRIPLET and
 ∈ NP, then  has a CZKA system with public
coins, perfect completeness, and a poly-time prover.
[Diagram: Y and N with I ⊆ Y, J ⊆ N; outside I and J: SZKP; I and J: OWF]
• Idea: Use SZKP proof when x∉I∪J,
use NP proof system when x∈I∪J (with f_x as OWF)
• Problem: cannot efficiently decide whether x∈I∪J.
Sol’n: Instance-dependent Commitments
• Def [IOS94,MV03]: In an I.D. commitment scheme for ,
sender & receiver receive auxiliary input x s.t.
– x∈Y ⇒ hiding
– x∈N ⇒ binding
• Example [BMO90]: GRAPH ISOMORPHISM
– aux. input = (G0,G1)
– commitment to  = random isomorphic copy of G
– perfectly hiding and perfectly binding!
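The [BMO90] example above as added code that is not from the slides: a commitment to bit b is a random isomorphic copy of G_b, and brute-force checks show perfect hiding on a YES instance (G0 ≅ G1) and perfect binding on a NO instance. The bit name b, the 4-vertex graphs and all function names are constructed for illustration.

```python
import itertools
import random
from collections import Counter

def permute(graph, pi):
    """Relabel vertices (v -> pi[v]); returns an order-independent edge set."""
    return frozenset(frozenset((pi[u], pi[v])) for u, v in graph)

def commit(graphs, n, b, rng=random):
    """Commitment to bit b = random isomorphic copy of G_b; the key is pi."""
    pi = list(range(n))
    rng.shuffle(pi)
    return permute(graphs[b], pi), tuple(pi)

def verify(graphs, z, b, pi):
    """Reveal stage: the receiver recomputes the copy from (b, pi)."""
    return permute(graphs[b], pi) == z

def openings(graphs, n, z, b):
    """Every key that opens z as b (brute force, small n only)."""
    return [pi for pi in itertools.permutations(range(n))
            if verify(graphs, z, b, pi)]

def distribution(graphs, n, b):
    """Exact distribution of commitments to b over all n! keys."""
    return Counter(permute(graphs[b], pi)
                   for pi in itertools.permutations(range(n)))

# Constructed sample instances on 4 vertices (not from the slides).
PATH = [(0, 1), (1, 2), (2, 3)]
RELABELLED_PATH = [(2, 0), (0, 3), (3, 1)]   # isomorphic to PATH
STAR = [(0, 1), (0, 2), (0, 3)]              # same edge count, not isomorphic
YES = (PATH, RELABELLED_PATH)   # G0 and G1 isomorphic: hiding must hold
NO = (PATH, STAR)               # G0 and G1 not isomorphic: binding must hold

if __name__ == "__main__":
    z, pi = commit(YES, 4, 0)
    print("YES: keys opening a commitment to 0 as 1:",
          len(openings(YES, 4, z, 1)))
    print("YES: Com(0) and Com(1) identically distributed:",
          distribution(YES, 4, 0) == distribution(YES, 4, 1))
    z, pi = commit(NO, 4, 0)
    print("NO: keys opening a commitment to 0 as 1:",
          len(openings(NO, 4, z, 1)))
```

On the YES instance the same scheme is not binding at all (anyone holding the isomorphism can open either way), and on the NO instance it is not hiding, which is exactly the instance-dependent trade the definition allows.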
Usefulness of I.D. Commitments
– x2 Y ) hiding
– x2 N ) binding
H
B
• Many ZK pfs only use hiding on YES instances (for ZK),
binding on NO instances (for soundness).
• Example: Convoluted ZK proof for GRAPH ISOMORPHISM
– Reduce (G0,G1) to instance G of 3-COLORING.
– Run [GMW86] protocol on G.
– Using (G0,G1) to do the commitments.
I.D. Commitments from SZKP/OWF
• SZKP has stat. hiding, stat. 1-out-of-2-binding i.d. commitments [NV06]: ComSZKP
• OWF ⇒ comp. hiding, stat. binding commitments [HILL90,N91]: ComI
• OWF ⇒ stat. hiding, comp. 1-out-of-2-binding commitments [NOV06]: ComJ
• SZKP/OWF Triplet ⇒ comp. hiding, comp. 1-out-of-2-binding i.d. commitments:
ComSZKP(b⊕r), ComI(r), ComJ(b)
[Diagram: H (hiding) / B (binding) markings for the commitments]
Putting it Together
Lemma: If ∃ I, J s.t. (, I, J) is an SZKP/OWF TRIPLET and
 ∈ NP, then  has a CZKA system with public
coins, perfect completeness, and a poly-time prover.
Proof:
• ∃ I, J s.t. (, I, J) is an SZKP/OWF TRIPLET
⇒  has instance-dependent commitment
• Run generic NP protocol for  with instance-dependent commitment.
Putting it Together
[Diagram: input x; graph with vertices 1–6; Prover and poly-time Verifier]
1. (Prover) Randomly permute coloring & send in locked boxes: Comx( )…Comx( )
2. (Verifier) Pick random edge: (1,4)
3. (Prover) Send keys for endpoints: ( ,K1),( ,K4)
4. (Verifier) Accept if colors different.
Conclusions
• ZK continues to be a lively interface between
cryptography and complexity theory.
• SZKP/OWF Characterizations of ZK
⇒ unconditional results
• Variations on commitments
– Instance-dependent commitments
– 1-out-of-2-binding commitments (next talk!)