Statistical Zero-Knowledge Amit Sahai MIT Laboratory for Computer Science

2 Zero-knowledge Proofs [GMR85] Protocol in which one party (“the prover”) convinces another party (“the verifier”) that some assertion is true Verifier learns nothing except that the assertion is true Statistical Zero Knowledge: Interpret condition that Verifier “learns nothing” in a strong information-theoretic sense

Example: G RAPH I SOMORPHISM Are these graphs the same under a relabeling of vertices? YES Relabeling: G 0  G G0G0 G1G1

Protocol for G RAPH I SOMORPHISM [GMW86] 2. Flip coin  {0,1} 4. Check  (G coin ) = H Prover Verifier 3. Let  be relabeling mapping G coin to H 1. Let H be randomly relabeled copy of G 0 coin  H =H = Input: Graphs (G 0, G 1 )

Intuition for G RAPH I SOMORPHISM Why is it convincing? – Suppose Prover is lying, i.e. G 0 and G 1 are NOT isomorphic: Then H cannot be relabeling of both G 0 and G 1 : If H is relabeling of G 0, Prover fails when coin = 1 If H is relabeling of G 1, Prover fails when coin = 0  Prover fails with probability  1/2 Repeat protocol k times  Prover fails at least once with probability  ( k )

Intuition for G RAPH I SOMORPHISM (cont.) Why does Verifier “learn nothing”? – At end, Verifier has transcript of protocol – Intuition: Verifier can generate transcript of protocol completely on her own: – Choose coin  {0,1} first – Choose random relabeling . – Let H =  (G coin ). – Produce transcript: 1. H 2. coin 3. 

Intuition for G RAPH I SOMORPHISM (cont.) Why does Verifier “learn nothing”? – Intuition: Anything Verifier learns from Prover, she could learn completely on her own: – At end, Verifier has transcript of protocol – We show: Verifier can generate transcript on her own: – Choose coin  {0,1} first – Choose random relabeling . – Let H =  (G coin ). – Produce transcript: 1. H 2. coin 3. 

8 Motivation from Complexity “Hard” problems admit statistical ZK proofs: –Q UADRATIC (N ON ) RESIDUOSITY [GMR85], –G RAPH (N ON ) ISOMORPHISM [GMW86] –D ISCRETE L OG [GK88], –A PPROX S HORTEST AND C LOSEST V ECTOR [GG97] Yet NP-hard problems cannot have statistical ZK proofs (unless analogue of P=NP holds) [F87,AH87, BHZ87]

Complexity Picture P SZK NP -Hard Problems NPco-NP NP HARD co-NP HARD

10 Motivation from Complexity P SZK QUADRATIC (NON-)RESIDUOSITY[GMR85] NP-Hard Problems GRAPH (NON-)ISOMORPHISM[GMW86] DISCRETE LOG[GK88] APPROX SHORTEST & CLOSEST VECTOR[GG97] Separate by [F,AH,BHZ]

11 Motivation from Cryptography Statistical ZK proofs: strongest security guarantee Identification schemes [GMR85,FFS87] Theoretical Point of View: –Can prove results without any unproven assumptions (Contrast with most security results in cryptography) –Can generalize results about Statistical ZK to other types of zero knowledge. Zero-knowledge  cryptographic protocols [GMW87]

12 Previous Work Important results, but fragmented, often incomplete, understanding [GMR85] Specific Problems [GMW86] [GK88] [GG97] Complexity [For87] [AH87] [PT96] Robustness [BMO90] [OVY93] [Dam93] [DGW94] [Oka96] Closure Properties [DDPY94] [Oka96] Knowledge Complexity [GP91] [ABV95] [PT96] [GOP98] Power of Prover [OVY90] [Ost91] [BP92]

13 Our Goal Results: – A Complete Problem for the class of assertions that admit Statistical Zero Knowledge proofs – Transformation that fortifies Statistical Zero Knowledge Proofs against abuse by cheating Verifiers Unified, Simpler, Deeper Understanding of Statistical Zero Knowledge

14 Our Results A Complete Problem for Statistical Zero Knowledge – New characterization of Statistical ZK – Simplifies and unifies study of entire class – Applications: Simple Statistical ZK Proof Systems Simpler proofs of nearly all previous results Statistical ZK Proofs for Complex Assertions

15 Our Results (cont.) Fortifying Zero Knowledge Proofs against Cheating Verifiers – Show how to transform: Any proof that is ZK only for Honest Verifier into proof that is ZK for Any Verifier. – Requires no unproven assumptions – Extends to other forms of ZK as well

16 Based On Joint work with Oded Goldreich and Salil Vadhan: [Sahai Vadhan -- FOCS ‘97] [Goldreich Sahai Vadhan -- STOC ‘98] [Sahai Vadhan -- Randomization Methods ‘99] [Goldreich Sahai Vadhan -- CRYPTO ‘99]

What is Statistical Zero-Knowledge?

18 YESNOYESNO LanguagePromise Problem Example: U NIQUE S AT [VV86] excluded inputs Promise Problems [ESY84] US Y = { formulas with exactly 1 satisfying assignment } US N = { formulas that are unsatisfiable }

19 Statistical Zero-Knowledge Proof [GMR85] for a promise problem  v1v1 p1p1 v2v2 pkpk accept/reject ProverVerifier Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance. When x is a YES instance, Verifier accepts w.h.p. When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.

20 Statistical Zero-Knowledge Proof (cont.) v1v1 p1p1 v2v2 pkpk accept/reject When assertion is true, Verifier can simulate her view of the interaction on her own. Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically almost identical to Verifier’s view of interaction with Prover. Note: Definition assumes “honest verifier” SZK = {promise problems possessing such proofs}

Protocol for G RAPH I SOMORPHISM [GMW86] 2. Flip coin  {0,1} 4. Check  (G coin ) = H Prover Verifier 3. Let  be relabeling mapping G coin to H 1. Let H be randomly relabeled copy of G 0 coin  H =H = Input: Graphs (G 0, G 1 )

22 Simulator : 1. Choose coin  {0,1} first 2. Choose random relabeling . 3. Let H =  (G coin ). Simulator H: rdm relabeling of G coin coin: random bit  : relabeling G coin  H Protocol H: rdm relabeling of G 0 coin: random bit  : relabeling G coin  H Zero-knowledgeness of G RAPH I SO. Proof

H G0G0 G1G1  Simulation is identical to actual protocol.

24 Simulator : 1. Choose coin  {0,1} first 2. Choose random relabeling . 3. Let H =  (G coin ). Simulator H: rdm relabeling of G coin coin: random bit  : relabeling G coin  H Protocol H: rdm relabeling of G 0 coin: random bit  : relabeling G coin  H Zero-knowledgeness of G RAPH I SO. Proof H G0G0 G1G1  Simulation is identical to actual protocol.

A Complete Problem for SZK

26 Complete Problems NP-completeness: – S ATISFIABILITY (SAT) is NP-complete since: All problems in NP reduce to SAT SAT  NP – Negative View: NP-complete means “hard!” – Positive View: NP-complete means single problem characterizes all of NP! – Questions about NP  Questions about SAT Our Goal: Find problem complete for SZK.

27 The Complexity of SZK SZK contains “hard” problems [GMR85,GMW86,GK93,GG98] Fortnow [F87] : First to argue about all problems in SZK – Tried to argue: If problem has Statistical Zero Knowledge proof, can’t be “too” hard: – i.e. SZK cannot contain NP-hard problems (unless analogue of P=NP holds) Obtain upper-bound on complexity of SZK, but does not give a characterization of SZK.

Statistical Difference between distributions Samplable distributions Circuit

Statistical Difference between distributions Samplable distributions Circuit StatDiff ( X, Y ) =   | Pr[X = z] - Pr[Y = z] | z

30 A Complete Problem Def: S TATISTICAL D IFFERENCE (SD) is the following promise problem: Thm : SD is complete for SZK. C 0 and C 1 are sampleable distributions SD Y = { ( C 0, C 1 ) : StatDiff ( C 0, C 1 ) > 2/3 } SD N = { ( C 0, C 1 ) : StatDiff ( C 0, C 1 ) < 1/3 }

31 Completeness Theorem The assertions provable in statistical zero knowledge are exactly those that can be cast as comparing the statistical difference between two sampleable distributions. Characterizes Statistical Zero Knowledge with no reference to interaction or zero knowledge. Tool for proving general theorems about SZK.

32 Our Approach Must show: every problem in SZK reduces to SD Make reduction using Simulator: Find general properties of Simulator output that distinguish between YES and NO instances. Embed these properties in our problem SD. Finish completeness proof by exhibiting statistical zero-knowledge proof for SD.  SD  SZK

33 Our Approach  SD is a complete problem for SZK, i.e –every problem in SZK reduces to SD (via 1,2). –SD  SZK (by 3). 1. Examine simulator’s output: Find properties that distinguish between YES and NO instances. 2. Embed these properties in our natural computational problem SD. 3. Exhibit a statistical zero-knowledge proof for SD.

Statistical Zero-Knowledge Proof (cont.) v1v1 p1p1 v2v2 pkpk accept/reject When assertion is true, Verifier can simulate her view of the interaction on her own. Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically almost identical to Verifier’s view of interaction with Prover. Note: Definition assumes “honest verifier” SZK = {promise problems possessing such proofs}

Simulator : 1. Choose coin  {0,1} first 2. Choose random relabeling . 3. Let H =  (G coin ). Simulator H: rdm relabeling of G coin coin: random bit  : relabeling G coin  H Protocol H: rdm relabeling of G 0 coin: random bit  : relabeling G coin  H Zero-knowledgeness of G RAPH I SO. Proof H G0G0 G1G1  Simulation is identical to actual protocol.

36 Analyzing the Simulator Think of simulator output as interaction between a Virtual Prover & Virtual Verifier. We know: For a YES instance, 1. Virtual Prover makes Virtual Verifier accept w.h.p. 2. Virtual Verifier “behaves like” Real Verifier. Claim: For a NO instance, cannot have both conditions. “Pf:” If both hold, consider Prover strategy which mimics Virtual Prover. This convince Real Verifier to accept a NO instance w.h.p.  Main challenge: how to quantify “behaves like”

37 Public-coin proofs random coins answer random coins answer accept/reject ProverVerifier Thm [Oka96]: Can transform any SZK proof into one where Verifier’s messages are just random coin flips. (such proofs called Public-Coin Proofs)

38 Analyzing the Simulator (cont.) By [Oka96]: Can focus on Public-Coin Proofs. Now examine condition: 2. Virtual Verifier “behaves like” Real Verifier. In a Public-Coin Proof, Virtual Verifier “behaves like” Real Verifier  Virtual Verifier’s coins are: nearly uniform, and nearly independent of conversation history. Key observation: Both properties can be captured by statistical difference between samplable distributions!

39 Proving that SD is complete for SZK (cont.) Have argued: Every problem in SZK reduces to SD. Still need: SD  SZK. C 0 and C 1 are sampleable distributions SD Y = { ( C 0, C 1 ) : StatDiff ( C 0, C 1 ) > 2/3 } SD N = { ( C 0, C 1 ) : StatDiff ( C 0, C 1 ) < 1/3 } S TATISTICAL D IFFERENCE (SD):

40 Polarization Lemma Lemma: There exists an efficient transformation function ( C 0, C 1 )  ( D 0, D 1 ) such that: Independent repetition increases StatDiff (  1) Alternative method decreases StatDiff (  0) Prove Lemma by balancing both methods. StatDiff ( C 0, C 1 ) > 2/3  StatDiff ( D 0, D 1 ) > k StatDiff ( C 0, C 1 ) < 1/3  StatDiff ( D 0, D 1 ) < 2 -k

41 Statistical XOR Lemma Given ( C 0, C 1 ), Let X 0 = (C coin, C coin ) where coin  R  {0,1} Let X 1 = (C coin, C 1-coin ) where coin  R  {0,1} Then: StatDiff ( X 0, X 1 ) = ( StatDiff ( C 0, C 1 ) ) 2 This is “alternative method” used in Polarization Lemma to decrease StatDiff

42 A Protocol for S TATISTICAL D IFFERENCE 1. Both parties compute ( D 0, D 1 ) using Polarization Lemma. 2. Flip coin  {0,1}; sample  D coin 3. If sample more likely from D 0, let guess = 0 else guess = Accept iff guess = coin ProverVerifier Claim: Protocol is an SZK proof for SD. ( C 0, C 1 ) sample guess

43 Intuition for SD Protocol Why convincing? If ( C 0, C 1 )  SD N, then StatDiff ( D 0, D 1 ) < 2 -k  Prover gets caught with prob.  1/2 If ( C 0, C 1 )  SD Y, then StatDiff ( D 0, D 1 ) > 1-2 -k  Prover almost always guesses correctly Zero Knowledge is trivial in this case: Verifier only gets one bit (guess) from Prover When assertion is true, almost always guess = coin Verifier already knows coin!

44 Proving that SD is complete for SZK (cont.) Have argued: Every problem in SZK reduces to SD. Have argued: SD  SZK.  SD is complete for SZK

Consequences of Our Complete Problem

46 Consequences: Simple Protocols Every problem in SZK can be reduced to SD.  Every problem in SZK has proof system with: –2 messages –only 1 bit of prover-to-verifier communication

47 Consequences: Simpler proofs Can simplify proofs of previously known results: –e.g. SZK cannot have NP-hard problems unless analogue of P=NP holds [F87,AH87] –e.g. SZK is closed under complementation [Oka96] : If  has Stat. ZK proof, so does . –many others...

48 Consequences: Complex Assertions In fact, can show SZK enjoys powerful closure properties. e.g. Can prove in statistical zero knowledge: All made possible by focusing on single complete problem. “Exactly n/2 of the graphs G 1, G 2,..., G n are isomorphic to each other!”

Defending Against Cheating Verifiers

50 Cheating Verifiers So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol. Cryptographic applications: need protection from parties that do not follow protocol. Main Question: How much cheating can we tolerate?

51 Our Result Answer: tolerate Any Verifier! We show transformation: Any Proof that is ZK only for Honest Verifier  Proof that is ZK for Any Verifier No unproven assumptions. Consequences: – All our results about SZK apply to Any-Verifier SZK. – Gives design methodology: Design honest-verifier proof Apply transformation to get Any-Verifier Proof

52 Any-Verifier Statistical Zero-Knowledge v1v1 p1p1 v2v2 pkpk accept/reject When x is a YES instance, for every Verifier, can simulate Verifier’s view of the interaction. Formally, for every Verifier, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically almost identical to Verifier’s view of interaction with Prover.

53 Results with assumptions: If one-way functions exist, Can transform Honest-Verifier SZK  (almost) Any-Verifier SZK [BMO90,OVY93,Oka96] Results with no assumptions: Can transform Honest-Verifier SZK  Any-Verifier SZK but only for Constant-Round Public-Coin Proofs [Dam93,DGW94] Previous Results on Any-Verifier SZK

54 We show, with no assumptions: Can transform Honest-Verifier SZK  Any-Verifier SZK for all Public-coin proofs In fact, our transformation extends to other types of ZK too. (Computational Zero Knowledge) [Oka96] : Public-Coin is W.L.O.G. for SZK  Our transformation works for all of SZK. Our Approach

55 The Transformation random coins  1 answer  1 random coins  2 answer  k accept/reject answer  1 answer  k accept/reject Random Selection Protocol 11 Random Selection Protocol 22 Honest-verifier Proof System Any-verifier Proof System Prover Verifier Prover Verifier

56 Simulating the Transformed Pf System answer  1 answer  k accept/reject 11 22 1. Use honest-verifier simulator to generate a transcript 11 11 22 kk accept/reject 2. “Fill in” transcripts of Random Selection protocols

57 Desired Properties of Random Selection Protocol No matter what Verifier does: – Output distribution of RS protocol is almost uniform – Moreover, given desired output  (chosen uniformly), can simulate RS protocol to force  to be output! On the other hand, Prover can’t control output too much (otherwise Prover might be able to prove false assertions) Key: Technical Lemma about Universal Hash Functions.

58 Desired Properties of Random Selection Protocol No matter what Verifier does: – Output distribution of RS protocol is almost uniform – Moreover, given desired output  (chosen uniformly), can simulate RS protocol to force  to be output! On the other hand, Prover can’t control output too much (otherwise Prover might be able to prove false assertions) Key: Technical Lemma about Universal Hash Functions. Can be seen as extracting randomness (  ) from weak random source (cheating verifier)

59Summary Before our work: Many isolated results on SZK. Our Work: – A Complete Problem for SZK Simplifies and unifies previous results New results – Transform Any Proof that is ZK only for Honest Verifier  Proof that is ZK for Any Verifier Coherent Picture of Statistical Zero Knowledge

60 Research Directions Two main directions: – Deeper understanding of fundamental notions (e.g. this work) – Extend theory to handle new challenges: Concurrent Coordinated Multi-Party Attacks [STOC ‘98, CRYPTO ‘98, FOCS ‘99, ongoing work] Key Exposure [Eurocrypt 2000] Interests outside Cryptography: Algorithms, Learning Theory, Error-Correcting Codes

61 Previous Work Many interesting results using diverse techniques: Specific Problems: [GMR85, GK93, GMW86, GG97] Complexity: [GMR85, F89, BMO90, AH91, BP92] Closure Properties: [DDPY94, Oka96] Robustness: [BMO90, OVY93, D93, DGW94, Oka96] Knowledge Complexity: [GP91, ABV95, PT96, GOP98] Power of Prover: [BMO90, Ost91, OVY90, BP92] Other: [BR90, BFM88, BDMP91, FGM+89] Fragmented, often incomplete view.

Noninteractive Statistical Zero-Knowledge

63 Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91] proof accept/reject Prover (unbounded) Verifier (poly-time) shared random string On input x (instance of promise problem): When x is a YES instance, Verifier accepts w.h.p. When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.

64 Noninteractive Statistical ZK (cont.) When x is a YES instance, Verifier can simulate her view on her own. Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view. proof shared random string Note: above is “one proof” version.

65 Study of Noninteractive ZK Motivation: –communication-efficient. –cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91] Examples of NISZK proofs and some initial study in [BDMP91,BR90,DDP94,DDP97]. But most attention focused on NICZK, e.g. [FLS90,KP95]. [DDPY98] apply “complete problem methodology” to show I MAGE D ENSITY complete for NISZK.

66 Complete Problems for NISZK [GSV99] S TATISTICAL D IFFERENCE FROM U NIFORM (SDU): Thm: The following problems are complete for NISZK: E NTROPY A PPROXIMATION (EA):

67 Relating SZK and NISZK Recall complete problems for SZK: NISZK’s complete problems are natural restrictions of these.  can use complete problems to relate SZK and NISZK. Thm [GSV98]: SZK  BPP  NISZK  BPP. Thm [GSV98]: SZK=NISZK  NISZK closed under complement.

68 Summary Recent work has refined our understanding of statistical zero-knowledge. Main tools: – focus on public-coin proofs (via [Oka96] ) – complete problems [SV97] Questions addressed: – closure properties – honest verifier vs. any verifier – interactive vs. noninteractive

69 Open Problems 5. Does SZK=PZK (“Perfect” zero-knowledge)? 3. Does SZK=NISZK? 2. Combinatorial or number-theoretic complete problems? 1. Generalize more results/techniques to computational zero-knowledge or arguments. 4. Show that SZK  BPP if one-way functions exist (“converse” to [Ost91]).

70 Proof Ideas: Analyzing the simulator We know: For a YES instance, 1. Simulator outputs accepting conversations w.h.p., and 2. Simulated verifier “behaves like” real verifier. Claim: For a NO instance, cannot have both conditions. “Pf:” If both hold, contradict soundness of proof system by prover strategy which mimics simulated prover. Easy to distinguish between simulator outputting accepting conversations with high probability vs. low probability. Main challenge: how to quantify “behaves like.”

71 Intuition for G RAPH I SOMORPHISM Why is it convincing? Suppose G 0 and G 1 are NOT isomorphic.  H cannot be relabeling of both G 0 and G 1.  Prover succeeds with probability at most 1/2. Why is it “zero knowledge”? At end, what does Verifier have? Just random relabeling applied to G coin. Could have generated that herself.  Could not have learned anything!

72Cryptography Zero-knowledge  secure cryptographic protocols: – Identification / Authentication Protocols: Prove knowledge of “password” without revealing it. – Higher Level Protocols: Key Escrow Electronic Elections Anonymous Credentials

73 Cryptography (cont.) General Paradigm: – Protocols require certain behavior – Problem: Malicious Parties deviate from protocol – Solution: Force all parties to provide Zero-Knowledge Proofs that they acted correctly Proofs  only parties that acted correctly succeed Zero Knowledge  honest parties lose no secrets in process

74 Cryptography (cont.) Statistical Zero-Knowledge Proofs: –Strongest security guarantee –Theoretical Point of View: Can prove results without any unproven assumptions (Contrast with most security results in cryptography) Can often generalize results about Statistical ZK to other types of zero knowledge.

75 Complexity Picture P SZKNP -Hard Problems NPco-NP

76Outline 1. Definition of Statistical Zero Knowledge 2. A Complete Problem for Statistical ZK 3. Applications of the Complete Problem 4.