The Complexity of Zero Knowledge
Salil Vadhan, Harvard University

A Successful Marriage
– Complexity Theory: Which problems are “computationally hard” to solve?
– Cryptography: Design protocols that are “computationally hard” to break.
(Diagram labels between the two fields: hard problems, techniques; revisit notions, adversarial view)

Two Areas of Interaction
Pseudorandomness: generating objects that “look random” despite being constructed with little or no randomness.
  – Cryptography: many unpredictable bits from short key
  – Complexity: power of randomized algs (RP vs. P, RL vs. L)
Zero-knowledge proofs: interactive proofs that reveal nothing other than validity of assertion being proven
  – Cryptography: central in study of crypto protocols
  – Complexity: augments NP $\leftrightarrow$ “efficiently verifiable proofs”

Cryptography / Zero Knowledge / Complexity (timeline diagram; entries in slide order)
– Protocols [B82,...]
– Def of ZK, IP [GMR85]
– IP=PSPACE [LFKN90,S90]
– NP $\subseteq$ ZK [GMW86]
– NP-completeness [C71,L73,K72]
– Secure Computation [Yao86,GMW87,BGW88,CCD88]
– Multiprover ZK [BGKW88]
– MIP=NEXP, PCP Theorem [BFL91...ALMSS92]
– Polylog-eff ZK Args [K92,M94]
– Random Oracle Model [FS86,BR93,CGH98]
– Concurrency [F90,DNS98]
– Diagonalization [T36]
– Non-BB Simulation [B01]
– ?

This Talk
Complexity-theoretic study of zero-knowledge proofs:
– Characterize the expressiveness of ZK.
– Prove general theorems about ZK.
– Minimize or eliminate complexity assumptions.

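ZK Complexity Classes
Zero Knowledge (Verifier learns nothing): statistical or computational
Soundness (Prover cannot convince Verifier of false statements): statistical (“proofs”) or computational (“arguments”)
– SZKP: statistical ZK, statistical soundness
– SZKA: statistical ZK, computational soundness
– CZKP: computational ZK, statistical soundness
– CZKA: computational ZK, computational soundness
[GMR85] [BCC86]
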
Conditional Results on ZK
(Table of classes by Zero Knowledge and Soundness: SZKP, SZKA, CZKP, CZKA.)
Complexity assumptions $\Rightarrow$ understand CZKP, SZKA, CZKA very well

NP $\subseteq$ ZK [GMW86]
ZK pf for GRAPH 3-COLORING (poly-time Verifier, unbounded Prover)
1. Randomly permute coloring & send in locked boxes: Com( )…Com( )
2. Pick random edge. (1,4)
3. Send keys for endpoints: $( ,K_1),( ,K_4)$
Accept if colors different.

Commitment Schemes
Bit-commitment:
– Hiding: Com( ) & Com( ) indistinguishable. ($\Rightarrow$ zero knowledge)
– Binding: W.h.p. z can be opened to only one value $\in \{0,1\}$. ($\Rightarrow$ soundness)
(Diagram, Sender and Receiver: commit stage, reveal stage; labels z, K, ( ,K), accept/reject)

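The 3-coloring protocol and the commit/reveal stages from the two slides above, as an added example that is not part of the original talk. The salted SHA-256 commitment standing in for the "locked boxes", the sample graphs, and all function names are assumptions made for illustration.

```python
import hashlib
import random
import secrets

_rng = random.SystemRandom()

def commit(color):
    """Commit stage: lock one colour in a box; returns (box z, key K)."""
    key = secrets.token_bytes(32)
    return hashlib.sha256(key + bytes([color])).digest(), key

def opens_to(box, key, color):
    """Reveal stage: Receiver checks that (color, K) opens box z."""
    return color in (0, 1, 2) and hashlib.sha256(key + bytes([color])).digest() == box

class Prover:
    def __init__(self, coloring):
        self.coloring = coloring              # vertex -> colour in {0, 1, 2}

    def send_boxes(self):
        # Step 1: fresh random permutation of the colours, one box per vertex.
        perm = [0, 1, 2]
        _rng.shuffle(perm)
        self.colors = {v: perm[c] for v, c in self.coloring.items()}
        boxes, self.keys = {}, {}
        for v, c in self.colors.items():
            boxes[v], self.keys[v] = commit(c)
        return boxes

    def open_edge(self, edge):
        # Step 3: send colour and key for the two endpoints only.
        return [(self.colors[v], self.keys[v]) for v in edge]

def verifier_round(edges, prover):
    boxes = prover.send_boxes()
    u, v = edge = secrets.choice(edges)       # Step 2: random edge
    (cu, ku), (cv, kv) = prover.open_edge(edge)
    # Accept iff both boxes open correctly and the colours differ.
    return opens_to(boxes[u], ku, cu) and opens_to(boxes[v], kv, cv) and cu != cv

def run_protocol(edges, coloring, rounds):
    """Sequential repetition: accept only if every round accepts."""
    prover = Prover(coloring)
    return all(verifier_round(edges, prover) for _ in range(rounds))

# Constructed sample inputs.
EDGES = [(1, 2), (2, 3), (1, 3), (3, 4), (1, 4)]          # 3-colorable
COLORING = {1: 0, 2: 1, 3: 2, 4: 1}                       # a valid witness
K4_EDGES = [(1, 2), (1, 3), (1, 4), (2, 3), (2, 4), (3, 4)]  # not 3-colorable
BAD_COLORING = {1: 0, 2: 1, 3: 2, 4: 0}                   # edge (1,4) clashes

if __name__ == "__main__":
    print("honest prover accepted:", run_protocol(EDGES, COLORING, 50))
    print("cheating prover accepted:", run_protocol(K4_EDGES, BAD_COLORING, 300))
```

Each round catches the K4 prover with probability at least 1/(#edges) = 1/6, so 300 sequential rounds leave an acceptance chance of at most (5/6)^300.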
Conditional Results on CZKP
Assuming one-way functions exist...
– $\exists$ comp. hiding, stat. binding commitments [HILL90,N91]
Thms:
– NP $\subseteq$ CZKP [GMW86]
– CZKP=IP=PSPACE [IY87,BGG+88,LFKN90,S90]
– CZKP = CZKP w/ public coins, perfect completeness [GS86,FGMSZ87]
– CZKP = honest-verifier CZKP
– CZKP closed under union, complement...
– CZKP $\cap$ NP has ZK pfs w/ poly-time prover (given witness) and O(1) rounds

Conditional Results on SZKA
Assuming one-way functions exist...
– $\exists$ stat. hiding, comp. 1-out-of-2-binding commitments […,NOV06]
Thms:
– NP $\subseteq$ SZKA [GMW86,BCC86]
– SZKA=MA (randomized NP)
– SZKA=SZKA w/ public coins, perfect completeness [GS86,FGMSZ87]
– SZKA=honest-verifier SZKA
– SZKA closed under union,…
where SZKA=statistical ZK arguments w/poly-time prover
Q: What can we prove about ZK unconditionally?

Unconditional Results on ZK
(Table of classes by Zero Knowledge and Soundness: SZKP, SZKA, CZKP, CZKA.)
Complexity assumptions don’t seem useful for SZKP (stat hiding, stat binding commitments impossible)

Unconditional Results on SZKP
Thms:
– SZKP contains QUADRATIC RESIDUOSITY [GMR85], GRAPH ISOMORPHISM [GMW86],...
– SZKP=SZKP w/public coins, perfect completeness [O96]
– SZKP closed under complement, union [O96]
– Complete Problems [SV97,GV99]
– SZKP=honest-verifier SZKP [DGW94,DOY97,GSV98]
– SZKP $\cap$ NP has SZKP pfs w/poly-time prover [NV06]
– And more [DDPY98,DSY00...]
But more constrained: SZKP $\subseteq$ AM $\cap$ coAM [F86,AH87] $\Rightarrow$ unlikely to contain NP.

Unconditional Results on CZKP
Thm [V04,NV06]:
– New characterizations of CZKP
– CZKP = CZKP with public coins, perfect completeness
– CZKP = honest-verifier CZKP
– CZKP closed under union
– CZKP $\cap$ NP has CZKP proofs w/poly-time prover...
Assuming one-way functions exist...

Unconditional Results on CZKA
Thm [OV06]:
– New characterizations of CZKA
– CZKA = CZKA with public coins, perfect completeness
– CZKA = honest-verifier CZKA
– CZKA closed under union
– CZKA $\cap$ coMA closed under complement...
Assuming one-way functions exist...

Unconditional Results on SZKA
Thm [OV06]:
– New characterizations of SZKA
– SZKA = SZKA with public coins, perfect completeness
– SZKA = honest-verifier SZKA
– SZKA closed under union
– SZKA = coCZKP $\cap$ MA...
Assuming one-way functions exist...

How to get unconditional results on ZK?
Thm [OW93]: If CZKA $\ne$ BPP, then a “weak form” of one-way functions exist.
Idea: Case analysis.
  – Case I: CZKA=BPP. Everything trivial.
  – Case II: CZKA $\ne$ BPP. Use above OWF in conditional results.
Problem: “Weak form” of OWF not enough (cf. [DOY97])
Our approach:
  – replace BPP by SZKP
  – case analysis on input-by-input basis
  – combine OWF-based results w/unconditional results on SZKP

Promise Problems [ESY84]
(Diagram: a Language splits inputs into YES and NO; a Promise Problem has YES, NO, and excluded inputs.)
Example: UNIQUE SAT [VV86]
Generalize all definitions (e.g. IP, CZKA) in natural way.

SZKP/OWF TRIPLETS
Def: ( J) with $I \subseteq Y$, $J \subseteq N$, is an SZKP/OWF TRIPLET if $\exists$ poly-time $\{f_x(y)\}_{x \in \{0,1\}^*}$ s.t.
1. Ignoring I and J, is in SZKP.
2. When $x \in I \cup J$, $f_x$ is hard to invert: $\forall$ (nonuniform) poly-time A, $x \in I \cup J$: $\Pr[A \text{ inverts } f_x(U_{\mathrm{poly}(|x|)})] \le \mathrm{negl}(|x|)$
Note: $\exists$ OWF $\Rightarrow$ every problem satisfies above.
(Diagram: regions Y and N with subsets I and J; labels “in SZKP” and “instances yield OWF”.)

CZKP Characterization Theorem
Thm [V04]: $\in$ CZKP $\Leftrightarrow$ $\in$ IP and $\exists I$ s.t. ( , I, $\emptyset$) is an SZKP/OWF TRIPLET
(Diagram: regions Y and N with subsets I and J; labels “in SZKP” and “instances yield OWF”.)

CZKA Characterization Theorem
Thm [OV06]: $\in$ CZKA $\Leftrightarrow$ $\in$ MA and $\exists I, J$ s.t. ( , I, J) is an SZKP/OWF TRIPLET
(Diagram: regions Y and N with subsets I and J; labels “in SZKP” and “instances yield OWF”.)

SZKA Characterization Theorem
Thm [OV06]: $\in$ SZKA $\Leftrightarrow$ $\in$ MA and $\exists J$ s.t. ( , $\emptyset$, J) is an SZKP/OWF TRIPLET
(Diagram: regions Y and N with subset J; labels “in SZKP” and “instances yield OWF”.)

SZKP/OWF Triplets: Summary
Zero Knowledge: statistical or computational; Soundness: statistical (“proofs”) or computational (“arguments”)
– SZKP: $I=\emptyset$, $J=\emptyset$
– SZKA: $I=\emptyset$
– CZKP: $J=\emptyset$
– CZKA
“Zero Knowledge & Soundness are Symmetric”
(Diagram: regions Y and N with subsets I and J; labels “in SZKP” and “instances yield OWF”.)

Proof of the Characterization Thms
– $\in$ honest-verifier CZKA, even w/inefficient prover
– $\exists I, J$ s.t. ( , I, J) is SZKP/OWF TRIPLET. (proof system: $J=\emptyset$; statistical ZK: $I=\emptyset$)
– + $\in$ MA: $\in$ CZKA w/public coins, perfect completeness, poly-time prover

From ZK to SZKP/OWF TRIPLETS
Lemma: If has an honest-verifier CZKA system (even w/inefficient prover), then $\exists I, J$ s.t. ( , I, J) is an SZKP/OWF TRIPLET.
Proof: Let (P,V) = honest-verifier CZKA system, S = simulator.
Know:
  – $x \in Y \Rightarrow$ S(x) comp. indistinguishable from (P,V)(x)
  – $x \in N \Rightarrow$ no poly-time $P^*$ makes V accept w/nonnegl. prob.
  – WLOG S always outputs accepting transcripts.

Analyzing the Simulator [F87,AH88,O91,PT96,SV97,GV99,…]
S(x): (inefficient) strategies $P_S(x)$ and $V_S(x)$
Respond $m_{i+1}$ to history $(m_1,\dots,m_i)$ w.p. $\Pr[S(x)_{i+1}=m_{i+1} \mid S(x)_{1\dots i}=(m_1,\dots,m_i)]$
Measure (statistical) “similarity” between $V_S(x)$ and V(x).

Constructing the Triplet
$I = \{x \in Y : V_S(x) \text{ not “similar” to } V(x)\}$
$J = \{x \in N : V_S(x) \text{ not “far” from } V(x)\}$
$(Y \setminus I, N \setminus J) \in$ SZKP: Distinguishing whether two samplable distributions are statistically “similar” vs. “far” is complete for SZKP [SV97,GV99]
(Diagram: regions Y and N with subsets I and J; labels “in SZKP” and “instances yield OWF”.)

Constructing the Triplet
$I = \{x \in Y : V_S(x) \text{ not “similar” to } V(x)\}$
$J = \{x \in N : V_S(x) \text{ not “far” from } V(x)\}$
OWF on I: S and (P,V)(x) computationally indistinguishable but statistically far $\Rightarrow$ OWF [HILL90,G90]
Difficulty: (P,V)(x) not samplable given x
(Diagram: regions Y and N with subsets I and J; labels “in SZKP” and “instances yield OWF”.)

Constructing the Triplet
$I = \{x \in Y : V_S(x) \text{ not “similar” to } V(x)\}$
$J = \{x \in N : V_S(x) \text{ not “far” from } V(x)\}$
OWF on J: $P_S$ makes $V_S$ accept w.p. 1 $\Rightarrow$ $P_S$ makes V accept w.p. .01 $\Rightarrow$ $P_S$ hard to approximate $\Rightarrow$ Simulator hard to invert [O91]
(Diagram: regions Y and N with subsets I and J; labels “in SZKP” and “instances yield OWF”.)

Analyzing the Simulator [F87,AH88,O91,PT96,SV97,GV99,…]
S(x): (inefficient) strategies $P_S(x)$ and $V_S(x)$
Respond $m_{i+1}$ to history $(m_1,\dots,m_i)$ w.p. $\Pr[S(x)_{i+1}=m_{i+1} \mid S(x)_{1\dots i}=(m_1,\dots,m_i)]$
Measure (statistical) “similarity” between $V_S(x)$ and V(x).
D(x) = entropy of V’s msgs – entropy of $V_S$’s msgs
$D(x) = \#\mathrm{coins}(V) - \sum_i H(S(x)_{2i} \mid S(x)_{1\dots 2i-1})$
(WLOG V sends even-numbered msgs, reveals coins at end.)

From SZKP/OWF to ZK
Lemma: If $\exists I, J$ s.t. ( , I, J) is an SZKP/OWF TRIPLET and $\in$ NP, then has a CZKA system with public coins, perfect completeness, and a poly-time prover.
Idea: Use SZKP proof when $x \notin I \cup J$, use NP proof system when $x \in I \cup J$ (with $f_x$ as OWF)
Problem: cannot efficiently decide whether $x \in I \cup J$.
(Diagram: regions Y and N with subsets I and J; labels SZKP and OWF.)

Sol’n: Instance-dependent Commitments
Def [IOS94,MV03]: In an I.D. commitment scheme for , sender & receiver receive auxiliary input x s.t.
  – $x \in Y \Rightarrow$ hiding
  – $x \in N \Rightarrow$ binding
Example [BMO90]: GRAPH ISOMORPHISM
  – aux. input = $(G_0,G_1)$
  – commitment to = random isomorphic copy of G
  – perfectly hiding and perfectly binding!
(Diagram labels: H, B)

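The GRAPH ISOMORPHISM instance-dependent commitment from the slide above, as an added example that is not part of the original talk. It assumes the committed bit b selects the graph G_b (the slide's symbols did not survive extraction); the 4-vertex graphs and function names are constructed for illustration, and distributions are checked exactly by enumerating all vertex permutations.

```python
import random
from collections import Counter
from itertools import permutations

_rng = random.SystemRandom()

def relabel(graph, perm):
    """Apply a vertex permutation to an edge list; order-independent result."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in graph)

def commit(aux, bit, n):
    """Commitment to `bit` = random isomorphic copy of aux[bit]; key = permutation."""
    key = list(range(n))
    _rng.shuffle(key)
    return relabel(aux[bit], key), key

def verify(aux, commitment, bit, key):
    """Reveal stage: Receiver re-applies the key to G_bit and compares."""
    return relabel(aux[bit], key) == commitment

def distribution(aux, bit, n):
    """Exact distribution of the commitment over all n! keys."""
    return Counter(relabel(aux[bit], p) for p in permutations(range(n)))

def is_perfectly_hiding(aux, n):
    # Commitments to 0 and to 1 are identically distributed.
    return distribution(aux, 0, n) == distribution(aux, 1, n)

def is_perfectly_binding(aux, n):
    # No commitment value can be opened to both bits.
    return not (set(distribution(aux, 0, n)) & set(distribution(aux, 1, n)))

def find_opening(aux, commitment, bit, n):
    """Unbounded sender: search for any key that opens `commitment` to `bit`."""
    for p in permutations(range(n)):
        if relabel(aux[bit], p) == commitment:
            return list(p)
    return None

# Constructed sample instances on vertices 0..3.
PATH = [(0, 1), (1, 2), (2, 3)]
PATH_RELABELED = [(2, 0), (0, 3), (3, 1)]   # isomorphic to PATH
STAR = [(0, 1), (0, 2), (0, 3)]             # same edge count, not isomorphic
YES_INSTANCE = (PATH, PATH_RELABELED)       # isomorphic pair: hiding
NO_INSTANCE = (PATH, STAR)                  # non-isomorphic pair: binding

if __name__ == "__main__":
    for name, aux in (("YES", YES_INSTANCE), ("NO", NO_INSTANCE)):
        print(name, "hiding:", is_perfectly_hiding(aux, 4),
              "binding:", is_perfectly_binding(aux, 4))
```

On the YES instance an unbounded sender can open any commitment to either bit, which is exactly why binding is only required on NO instances.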
Usefulness of I.D. Commitments
  – $x \in Y \Rightarrow$ hiding
  – $x \in N \Rightarrow$ binding
Many ZK pfs only use hiding on YES instances (for ZK), binding on NO instances (for soundness).
Example: Convoluted ZK proof for GRAPH ISOMORPHISM
  – Reduce $(G_0,G_1)$ to instance G of 3-COLORING.
  – Run [GMW86] protocol on G.
  – Using $(G_0,G_1)$ to do the commitments.
(Diagram labels: H, B)

I.D. Commitments from SZKP/OWF
– SZKP has stat. hiding, stat. 1-out-of-2-binding i.d. commitments [NV06] ($\mathrm{Com}_{SZKP}$)
– OWF $\Rightarrow$ comp. hiding, stat. binding commitments [HILL90,N91] ($\mathrm{Com}_I$)
– OWF $\Rightarrow$ stat. hiding, comp. 1-out-of-2-binding commitments [NOV06] ($\mathrm{Com}_J$)
SZKP/OWF Triplet $\Rightarrow$ comp. hiding, comp. 1-out-of-2-binding i.d. commitments:
$\mathrm{Com}_{SZKP}(b \oplus r),\ \mathrm{Com}_I(r),\ \mathrm{Com}_J(b)$
(Diagram labels: H, B)

Putting it Together
Lemma: If $\exists I, J$ s.t. ( , I, J) is an SZKP/OWF TRIPLET and $\in$ NP, then has a CZKA system with public coins, perfect completeness, and a poly-time prover.
Proof:
– $\exists I, J$ s.t. ( , I, J) is an SZKP/OWF TRIPLET $\Rightarrow$ has instance-dependent commitment
– Run generic NP protocol for with instance-dependent commitment.

Putting it Together
(poly-time Verifier, Prover, input x)
1. Randomly permute coloring & send in locked boxes: $\mathrm{Com}_x( )\dots\mathrm{Com}_x( )$
2. Pick random edge. (1,4)
3. Send keys for endpoints: $( ,K_1),( ,K_4)$
Accept if colors different.

Conclusions
– ZK continues to be a lively interface between cryptography and complexity theory.
– SZKP/OWF Characterizations of ZK $\Rightarrow$ unconditional results
– Variations on commitments
  – Instance-dependent commitments
  – 1-out-of-2-binding commitments (next talk!)

Outline
– Review of Zero Knowledge
– “An Unconditional Study of Computational Zero Knowledge” (V., FOCS '04)
– “Zero Knowledge with Efficient Provers” (Nguyen-V., STOC '06)
– “Statistical Zero-Knowledge Arguments for NP from Any One-Way Function” (Nguyen-Ong-V. '06)

Efficient Provers
Thm [Nguyen-V06]: Every $\in$ ZK $\cap$ NP has a zero-knowledge proof where prover poly-time w/NP witness.
  – SZK $\cap$ NP $\to$ statistical zero-knowledge w/poly-time prover
  – Improves $\mathrm{BPP}^{\mathrm{NP}}$ in [BP92,V04]
Proof idea:
  – Construct instance-dependent 1-out-of-2-binding commitments for all of SZK & ZK.
  – Show these suffice to construct ZK proofs for NP.

1-out-of-2-Binding Commitments
(Diagram, Sender and Receiver, two phases: commit$_1$, reveal$_1$ with $( ,K_1)$; commit$_2$, reveal$_2$ with $( ,K_2)$; labels $K_1$, $z_1$, $K_2$, $z_1$)
Hiding: Both phases hiding $\Rightarrow$ ZK
Binding: Sender can change value at most once $\Rightarrow$ Soundness

1-out-of-2-binding Commitments $\Rightarrow$ ZK for NP
Intuitive idea: Run 3-coloring protocol twice
(Prover, Verifier: Commit$_1$(coloring), Edge, Reveal$_1$; Commit$_2$(coloring), Edge, Reveal$_2$)
Hiding: Both phases hiding $\Rightarrow$ ZK
Binding: Sender can change value at most once $\Rightarrow$ Soundness

1-out-of-2 Binding Commitments
(Diagram labels: $b_1$, $b_2$)
Case 1: Change value of $b_1$ $\Rightarrow$ $b_2$ binding
Case 2: Keep value of $b_1$ $\Rightarrow$ $b_2$ not nec. binding

Efficient Provers
Thm [Nguyen-V06]: Every $\in$ ZK $\cap$ NP has a zero-knowledge proof where prover poly-time w/NP witness.
  – SZK $\cap$ NP $\to$ statistical zero-knowledge w/poly-time prover
  – Improves $\mathrm{BPP}^{\mathrm{NP}}$ in [BP92,V04]
Proof idea:
  – Construct instance-dependent 1-out-of-2-binding commitments for all of SZK & ZK.
  – Show these suffice to construct ZK proofs for NP.
(Std. I.D.-commitments still of interest, e.g. imply ZK=concurrent-ZK [MOPS05])

Statistical ZK Arguments
Table: Soundness (Binding), statistical (“proofs”) or computational (“arguments”), against ZK (Hiding), statistical or computational. Entries:
– commitments impossible! (SZK)
– $\exists$ commitments iff $\exists$ one-way functions [HILL89,Nao89] (ZK)
– $\exists$ under various complexity assumptions

Complexity of SZK arguments for NP
(Diagram of implications among: number-theoretic assumptions; claw-free perm; collision-resistant hash functions; stat. hiding comp. binding commitments; SZK arguments. Citations on the arrows: [BCC], [GMR,BKK], [NY], [GMR, Damgard], [GK].)

Complexity of SZK arguments for NP
(Diagram of implications among: number-theoretic assumptions; claw-free perm; one-way perm; regular OWF; collision-resistant hash functions; stat. hiding comp. binding commitments; SZK arguments. Citations on the arrows: [HHK+05], [NOVY92], [BCC], [GMR,BKK], [NY], [GK].)

Complexity of SZK arguments for NP [Nguyen-Ong-V06]
(Diagram of implications among: number-theoretic assumptions; claw-free perm; one-way perm; regular OWF; one-way function; collision-resistant hash functions; stat. hiding comp. 1-out-of-2-binding commitments; stat. hiding comp. binding commitments; SZK arguments. Citations on the arrows: [HHK+05], [NOVY92], [BCC], [NY], [GMR,BKK], [GK].)

Conclusion
– ZK continues to be an exciting interface between cryptography and complexity theory.
– Future impacts on complexity theory?
  – Non-black-box reductions
  – SZK-completeness

Zero-Knowledge Proofs [GMR85]
– Interactive proofs that reveal nothing other than the validity of assertion being proven.
– Central tool in study of cryptographic protocols
– Major source of interaction between cryptography & complexity theory

Outline
– Zero Knowledge & the Complexity-Crypto Interface
– Non-Black-Box Zero Knowledge
– Unconditional Results on Zero Knowledge

NP $\subseteq$ ZK [GMW86]
ZK pf for GRAPH 3-COLORING (poly-time Verifier, unbounded Prover)
1. Randomly permute coloring & send in locked boxes

NP $\subseteq$ ZK [GMW86]
ZK pf for GRAPH 3-COLORING (poly-time Verifier, unbounded Prover)
1. Randomly permute coloring & send in locked boxes.
2. Pick random edge. (1,4)
3. Send keys for endpoints.
Accept if colors different.
(Perfect) Completeness: graph 3-colorable $\Rightarrow$ V accepts w.p. 1

NP $\subseteq$ ZK [GMW86]
ZK pf for GRAPH 3-COLORING (poly-time Verifier, unbounded Prover)
1. Randomly permute coloring & send in locked boxes.
2. Pick random edge. (1,4)
3. Send keys for endpoints.
4. Accept if colors different.
Soundness: graph not 3-colorable $\Rightarrow$ $\forall P^*$ V rejects w.p. $\ge$ 1/(#edges)

NP $\subseteq$ ZK [GMW86]
ZK pf for GRAPH 3-COLORING (poly-time Verifier, unbounded Prover)
1. Randomly permute coloring & send in locked boxes.
2. Pick random edge. (1,4)
3. Send keys for endpoints.
4. Accept if colors different.
Zero Knowledge: graph 3-colorable $\Rightarrow$ can simulate interaction w/o prover

Flavors of Commitments & ZK
Table: Binding ($\Rightarrow$ Soundness), statistical (“proofs”) or computational (“arguments”), against Hiding ($\Rightarrow$ ZK), statistical or computational. Entry: iff $\exists$ one-way functions [HILL89,Nao89] (ZK)
poly-time $f : \{0,1\}^* \to \{0,1\}^*$ is a one-way function if $\forall$ nonuniform poly-time A, $\forall n$: $\Pr[A \text{ inverts } f(U_n)] \le \mathrm{negl}(n)$

Flavors of Zero-Knowledge Proofs
Quality of ZK/Simulation:
  – Perfect (PZK)
  – Statistical (SZK)
  – Computational (ZK)
Verifier strategies considered:
  – Honest-verifier zero knowledge (HVZK)
  – General zero knowledge (ZK)
Prover strategies considered in Soundness:
  – Proof systems: unbounded provers
  – Arguments: poly-time provers

Complexity Issues
Soundness error
  – Can be reduced by sequential repetitions
  – ZK not preserved under parallel repetition [FS90,GK90]
Round complexity
  – Constant rounds with negligible error? [FS89,GK88]
Communication complexity
  – Can be reduced to polylog for arguments [K92,M94], using PCP Theorem
Computational complexity
  – Prover polynomial time given NP witness
Minimizing assumptions
Public coins (aka Arthur-Merlin [B85]) vs. private coins (cf. [GS86])

Complexity-theoretic interest in ZK
– NP: What can be proven to an efficient verifier?
– IP: Do randomness & interaction add power?
– ZK: What can be proven with secrecy?

Non-black-box Simulation
Thm [Barak01]: Assuming $\exists$ collision-resistant hash functions, NP has ZK arguments with
1. O(1) rounds
2. Negligible soundness error
3. Public coins
4. “Bounded-concurrent” ZK
Impossible w/simulators that use (malicious) verifier as a “black-box” [GK90]
Tool: Witness-Indistinguishable Proofs [FS90]
  – $\forall w_1, w_2, V^*$: $(P(w_1),V^*) \equiv (P(w_2),V^*)$
  – Preserved under parallel & concurrent composition

Barak’s Protocol
(Verifier, Prover, input x)
– z=Com( )
– $r \leftarrow \{0,1\}^n$
– WI Proof that A) $x \in L$ OR B) $\exists$ s.t. z=Com( ), (z)=r
B) “I know V’s program & coin tosses”
Completeness: prover uses (A) w/real NP witness
Soundness: (B) $\Rightarrow$ z “predicts” r or commitment broken $\Rightarrow$ negligible prob.
Zero Knowledge: simulate malicious $V^*$ using $(\cdot) = V^*(\cdot\,;r)$, i.e. z computed from $V^*$ and answered by $V^*(z;r)$: non-bb!

Barak’s Protocol
(Verifier, Prover, input x; simulation with $V^*$ and $V^*(z;r)$)
– z=Com( )
– $r \leftarrow \{0,1\}^n$
– WI Proof that A) $x \in L$ OR B) $\exists$ s.t. z=Com( ), (z)=r
Problem: running time of $V^*$ not bounded by a fixed poly.
Solution: Use WI arguments for NTIME(t) with running time poly(log(t),n), constructed in [K92,M94] using PCP Theorem.

Back to Complexity Theory
Standard def: P reduces to Q if can solve P in poly-time given a black-box for Q.
Have non-BB “reductions” in complexity:
  – SAT $\in$ P $\Rightarrow$ PH=P
What else can we do with them?
  – Derandomization [IW98]
  – Worst-case/avg-case connections for NP [GST05]
  – Non-relativizing separations?

Outline
– Zero Knowledge & the Complexity-Crypto Interface
– Non-Black-Box Zero Knowledge
– Unconditional Results on Zero Knowledge

Statistical Zero Knowledge
Table: Soundness (Binding), statistical (“proofs”) or computational (“arguments”), against ZK (Hiding), statistical or computational. Entries:
– commitments impossible! (SZK)
– $\exists$ commitments iff $\exists$ one-way functions [HILL89,Nao89] (ZK)

The SZK/OWF CHARACTERIZATION
Def: satisfies the SZK/OWF CONDITION if $\exists I \subseteq Y$, poly-time $\{f_x(y)\}_{x \in \{0,1\}^*}$...
Main Thm: $\in$ ZK if and only if $\in$ IP and satisfies the SZK/OWF CONDITION.
(Diagram: regions Y and N with subset I; labels “in SZK”, OWF and “instances yield OWF”.)

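Comparison w/[OW93]
Corollary: ZK $\ne$ SZK $\Rightarrow$ $\exists$ poly-time $\{f_x(y)\}_{x \in \{0,1\}^*}$, $\exists$ infinite set I, $\forall$ PPT A, $x \in I$: $\Pr[A \text{ inverts } f_x(U_{\mathrm{poly}(|x|)})] \le \mathrm{negl}(|x|)$
Theorem [OW93]: ZK $\ne$ BPP $\Rightarrow$ $\exists$ poly-time $\{f_x(y)\}_{x \in \{0,1\}^*}$, $\forall$ PPT A, $\exists$ $\infty$’ly many x: $\Pr[A \text{ inverts } f_x(U_{\mathrm{poly}(|x|)})] \le \mathrm{negl}(|x|)$
(Diagram labels: OWF vs all poly-time; OWF vs Time($n$), OWF vs Time($n^2$), OWF vs Time($n^3$), OWF vs Time($n^4$), OWF vs Time($n^5$))
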
CZKA Characterization Theorem
Thm [OV06]: For $\in$ MA, the following are equivalent:
1. $\in$ CZKA
2. $\in$ honest-verifier CZKA (even w/inefficient prover)
3. $\exists I, J$ s.t. ( , I, J) is an SZKP/OWF TRIPLET
4. has a CZKA protocol w/public coins, perfect completeness, and poly-time prover (if $\in$ MA)
(Diagram: regions Y and N with subsets I and J; labels “in SZKP” and “instances yield OWF”.)

SZKA Characterization Theorem
Thm [OV06]: For $\in$ MA, the following are equivalent:
1. $\in$ SZKA
2. $\in$ honest-verifier SZKA (even w/inefficient prover)
3. $\exists J$ s.t. ( , $\emptyset$, J) is an SZKP/OWF TRIPLET
4. has an SZKA protocol w/public coins, perfect completeness, and poly-time prover (if $\in$ MA)
(Diagram: regions Y and N with subsets I and J; labels “in SZKP” and “instances yield OWF”.)

I.D. commitments for SZK
Thm: Every problem in SZK has an instance-dependent commitment scheme.
  + Public coins
  + Statistically hiding & statistically binding
  – Most technical part of paper, uses [SV97,GV99,O96]
  – Sender not poly-time, but $\mathrm{BPP}^{\mathrm{NP}}$

I.D. commitments for ZK
Thm: Every problem satisfying SZK/OWF CONDITION has an instance-dependent commitment scheme.
Public coins, $\mathrm{BPP}^{\mathrm{NP}}$ sender, computationally hiding
Pf Sketch: To commit to ,
  – Randomly decompose as = 1 $\oplus$ 2.
  – Commit to 1 w/ SZK commitment
  – Commit to 2 w/ OWF-commitment from $f_x$.
(Diagram labels: H, B)

Putting it Together
Thm [V04]: Every $\in$ ZK has a ZK proof with
  – public coins
  – perfect completeness
  – $\mathrm{BPP}^{\mathrm{NP}}$ prover, if $\in$ NP
Proof:
  – $\in$ ZK $\Rightarrow$ satisfies SZK/OWF CONDITION $\Rightarrow$ has instance-dependent commitment
  – Use general NP/IP-to-ZK construction ([GMW86,IY87,BGG+88]), but with instance-dependent commitment.

Proof of Characterization Thms
Lemma: If has an honest-verifier CZKA system (even w/inefficient prover), then $\exists I, J$ s.t. ( , I, J) is an SZKP/OWF TRIPLET. Moreover, proof system $\Rightarrow$ $J=\emptyset$, statistical ZK $\Rightarrow$ $I=\emptyset$.
Lemma: If $\exists I, J$ s.t. ( , I, J) is an SZKP/OWF TRIPLET and $\in$ MA, then has a CZKA system with public coins, perfect completeness, and a poly-time prover. Moreover, $J=\emptyset$ $\Rightarrow$ proof system, $I=\emptyset$ $\Rightarrow$ statistical ZK.