1. Statistical Zero-Knowledge:
A survey of recent
developments
Amit Sahai
MIT

2. Zero-knowledge Proofs [GMR85]
One party (“the prover”) convinces another
party (“the verifier”) that some assertion is true,
The verifier learns nothing except that the assertion
is true!
Statistical zero-knowledge: variant in which
“learns nothing” is interpreted in a very strong information-theoretic sense.

3. Organization Motivation What is statistical zero-knowledge?
Complete Problems
Honest verifier vs. any verifier
Noninteractive statistical zero-knowledge
Will not address works on power of the prover [BP92] or
knowledge complexity [GMR85,GP91,GOP94,ABV95,PT96]

4. Motivation from Cryptography
Zero-knowledge  cryptographic protocols [GMW87]
But statistical ZK proofs not as expressive as computational
ZK or ZK arguments [GMW86,BCC87,F87,AH87]
Still study of statistical ZK useful:
Statistical ZK proofs: strongest security guarantee
Identification schemes [GMR85,FFS87]
“Cleanest” model of ZK:
allows for unconditional results (eg., [Oka96, GSV98])
most suitable for initial study, later generalize techniques to other types of ZK (eg., [Ost91,OW93,GSV98]).

5. Motivation from Complexity
Contains “hard” problems:
QUADRATIC (NON)RESIDUOSITY [GMR85],
GRAPH (NON)ISOMORPHISM [GMW86]
DISCRETE LOG [GK88],
APPROX SHORTEST AND CLOSEST VECTOR [GG97]
Yet SZK  AM  coAM [F87,AH87], so unlikely to contain NP-hard problems [BHZ87,Sch88]
Has natural complete problems.

6. What is Statistical Zero-Knowledge?

7. Promise Problems [ESY84]
YES NO
YES NO
Language
Promise Problem
excluded inputs
Example: UNIQUE SAT [VV86]

8. Statistical Zero-Knowledge Proof [GMR85] for a promise problem v1 p1 v2 pk
accept/reject
Prover
Verifier
Interactive protocol in which computationally unbounded Prover tries to convince probabilistic poly-time Verifier that a string x is a YES instance.
When x is a YES instance, Verifier accepts w.h.p.
When x is a NO instance, Verifier rejects w.h.p. no matter what strategy Prover uses.

9. Statistical Zero-Knowledge Proof (cont.)v1 p1 v2 pk
accept/reject
When x is a YES instance, Verifier can simulate her view of the interaction on her own.
Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.
Note: ZK for “honest verifier” only.
HVSZK = {promise problems possessing such proofs}

10. Example: GRAPH ISOMORPHISM [GMW86]
Prover
Verifier
Recall that to prove main thm, need to show that SD is in SZK --- ie just need to give an SZK proof for it.
Protocol modelled on those for QNR and GNI.
Input: pair of circuits.
Prover wants to convince Verifier that Stat dif > 2/3; she wants to reject if sd < 1/3.
Step 1: Both parties amplify stat difference using parameter = length of input
=> Gives new circuits (D0,D1)satisfying... (OTHER SLIDE!)
Step 2: Verifier flips to choose one of two distributions.
takes sample from chosen distribution, sends it to Prover
Step 3: Prover tries to guess coin. Does it by choose higher likelihood response. Specifically...
Step 4: Verfier accepts if Prover’s guess is right.
Soundness: Intuitively, if stat close, no matter what Pat does shouldn’t have much better than 50% chance of guessing correctly.
Completeness: If stat. far apart, then Pat should be able to guess correctly w.p. exponentially close to 1
ZK: On YES instances, Prover is sending Verifier value of her coin w.p. near 1, so she doesn’t learn anything.
Simulator follow’s Verifier’s protocol and assumes P gives right answer.
Not hard to turn this into a proof...
Conclude: honest verifier SZK 1. 2. 3. 4.
Claim: Protocol is an (honest ver) SZK proof.

11. Correctness of GRAPH ISO. SZK Proof
Completeness:
Soundness:
What about zero-knowledgeness?

12. Zero-knowledgeness of GRAPH ISO. Proof
Simulator on input (G0,G1):
Analysis: If G0  G1, then, in both simulator & protocol,
H is a random isomorphic copy of G0 (equivalently, G1).
coin is random & independent of H.
 is a random isomorphism between Gcoin and H.
 distributions are identical.

13. Other types of zero-knowledge proofs
Different quality of simulation:
HVPZK — “Perfect” : distributions identical
HVSZK — “Statistical”: statistically close (negligible deviation)
HVCZK — “Computational”: computationally indistinguishable.
Cheating-verifier versions: PZK,SZK,CZK
Complexity:
CZK=IP=PSPACE  NP if one-way functions exist
[GMW86,IY87,BGG+88,LFKN90,Sha90]
but SZK unlikely to contain NP-hard problems [F87,AH87,BHZ87,Sch88]

14. Other types of zero-knowledge proofs
Different quality of simulation:
HVPZK — “Perfect” : distributions identical
HVSZK — “Statistical”: statistically close (negligible deviation)
HVCZK — “Computational”: computationally indistinguishable.
Cheating-verifier versions: PZK,SZK,CZK
Private coins vs. Public coins:
Private coins: No restrictions on Verifier.
Public coins: Verifier only sends random bits.
different -- added public vs private coins

15. [Mostly joint work with Oded Goldreich and Salil Vadhan]
Results
[Mostly joint work with Oded Goldreich and Salil Vadhan]
Complete problem for HVSZK [SV97]
New characterization of statistical zero-knowledge.
Simplify study of entire class.
Applications of complete problems [SV97]
Very efficient HVSZK proofs.
Strong closure properties of HVSZK.
Simpler proofs of most previously known results.
Manipulating statistical properties of efficiently sampleable distributions.
Knowledge complexity.

16. Results (cont.) Private coins vs. public coins [GV99]
Transform any HVSZK proof system into a “public coin” one
(i.e., verifier’s messages are just random coins flips)
Originally proved by Okamoto [Oka96]; new proof much simpler
Honest verifiers vs. cheating verifiers [GSV98]
Transform public-coin honest-verifier ZK proofs to cheating-verifier ZK proofs.
Combining w/previous result, HVSZK=SZK.
Honest-verifier ZK results translate to cheating-verifier ZK.
“Noninteractive” SZK [GSV99]
Complete problems related to those for SZK
Use these to compare the two classes.

17. Complete Problems for HVSZK

18. The Complexity of SZK
SZK contains “hard” problems [GMR85,GMW86,GK93,GG98]
Fortnow’s Methodology [F87]:
1. Find properties of simulator’s output that distinguish
between YES and NO instances.
2. Show that these properties can be decided in low
complexity.
Using this: SZK  AM  coAM. [F87,AH87]
Obtain upper-bound on complexity of SZK, but
does not give a characterization of SZK.

19. Refinement of Fortnow Methodology [SV97]
1. Find properties of simulator’s output that distinguish
between YES and NO instances.
2. Show that these properties can be decided in
low complexity.
2. Embed these properties in a natural computational
problem P.
3. Exhibit a statistical zero-knowledge proof for P.
Changed!
  is a complete problem for SZK, i.e
every problem in SZK reduces to  (via 1,2).
SZK (by 3).

20. A Complete Problem
Def: STATISTICAL DIFFERENCE (SD) is the following promise problem:
Thm [SV97]: SD is complete for SZK.

21. Statistical Difference between distributions
How circuits define distributions
circuit

22. Meaning of Completeness Thm
“The assertions that can be proven in statistical zero knowledge are exactly those that can be cast as comparing the statistical difference between two sampleable distributions.”
Characterizes HVSZK with no reference to interaction or zero knowledge.
Tool for proving general theorems about HVSZK.
Results about HVSZK  Techniques for manipulating sampleable distributions

23. Refinement of Fortnow Methodology [SV97]
1. Find properties of simulator’s output that distinguish
between YES and NO instances.
2. Show that these properties can be decided in
low complexity.
2. Embed these properties in a natural computational
problem P.
3. Exhibit a statistical zero-knowledge proof for P.
Changed!
  is a complete problem for SZK, i.e
every problem in SZK reduces to  (via 1,2).
SZK (by 3).

24. Proof Ideas: Analyzing the simulator
We know: For a YES instance,
1. Simulator outputs accepting conversations w.h.p., and
2. Simulated verifier “behaves like” real verifier.
Claim: For a NO instance, cannot have both conditions.
“Pf:” If both hold, contradict soundness of proof system by
prover strategy which mimics simulated prover.
Easy to distinguish between simulator outputting accepting
conversations with high probability vs. low probability.
Main challenge: how to quantify “behaves like.”
Slight change!
After proof:
So this means that it *is* possibleto decide whether we have a YES instance or a NO instance just by looking at the simulator’s output.

25. Proof Ideas (cont.) Thm I [Oka96]: SZK=public-coin SZK.
(i.e. can transform any SZK proof into one where
verifier’s messages are just random coin flips)
Now examine condition:
2. Simulated verifier “behaves like” real verifier.
In a public-coin proof, simulated verifier “behaves like”
real verifier iff simulated verifier’s coins are
nearly uniform, and
nearly independent of conversation history.
Key observation: Both properties can be captured by
statistical difference between samplable distributions!

26. Public-coin proofs [Bab85]
random coins
answer
Prover
Verifier
random coins
answer
accept/reject

27. Proving that SD is complete for SZK (cont.)
Have argued: Every problem in SZK reduces to SD.
Still need: SD SZK.

28. A Polarization Lemma
Lemma: There exists a poly-time computable function such that
Not just Chernoff bounds!
Chernoff bounds only yield:
In order to prove main thm, useful to have a tranformation that amplifies the gap between YES and NO instances.
Lemma states that given a pair of circuits and a parameter k, we can construct in poly timea new pair of circuits) such that
old have sd > 2/3, the new have stat dif at least 1-2^{-k}
old have sd < 1/3, the new have stat dif at most 2^{-k}
looks like a standard chernoff argument, but is not.
Chernoff-like arguments only show how to prove bounds like this: that statistical difference goes to 1 exponentially fast when take m independent copies of each dist.
We need to drive small values to 0 while driving large values to 1.
Chernoff step in right direction. We need a complementary technique...

29. Claim: Protocol is an (honest ver) SZK proof for SD.
A Protocol for SD
Prover
Verifier
Recall that to prove main thm, need to show that SD is in SZK --- ie just need to give an SZK proof for it.
Protocol modelled on those for QNR and GNI.
Input: pair of circuits.
Prover wants to convince Verifier that Stat dif > 2/3; she wants to reject if sd < 1/3.
Step 1: Both parties amplify stat difference using parameter = length of input
=> Gives new circuits (D0,D1)satisfying... (OTHER SLIDE!)
Step 2: Verifier flips to choose one of two distributions.
takes sample from chosen distribution, sends it to Prover
Step 3: Prover tries to guess coin. Does it by choose higher likelihood response. Specifically...
Step 4: Verfier accepts if Prover’s guess is right.
Soundness: Intuitively, if stat close, no matter what Pat does shouldn’t have much better than 50% chance of guessing correctly.
Completeness: If stat. far apart, then Pat should be able to guess correctly w.p. exponentially close to 1
ZK: On YES instances, Prover is sending Verifier value of her coin w.p. near 1, so she doesn’t learn anything.
Simulator follow’s Verifier’s protocol and assumes P gives right answer.
Not hard to turn this into a proof...
Conclude: honest verifier SZK 1. 2. 3. 4.
Claim: Protocol is an (honest ver) SZK proof for SD.

30. Properties of D0 and D1
TAKE DOWN WHEN DONE!

31. Applications of Complete Problem Methodology

32. Efficient HVSZK proof systems
Cor: Every problem in HVSZK has an honest-verifier statistical zero-knowledge proof system with:
2 messages
1 bit of prover-to-verifier communication.
soundness error 1/2+2-k
completeness error & simulator deviation 2-k
deterministic prover
(where k is a “security parameter” independent of input length)

33. Other Benefits of Complete Problem [SV97]
Simpler proofs of known results (e.g., [Ost91,Oka96-Thm II] )
Closure properties:
Previous results focused on specific problems
or subclasses of SZK [DDPY94,DC95].
Can apply techniques of [DDPY94] to
STATISTICAL DIFFERENCE to obtain results
about all of SZK.

34. Closure Properties of SZK
Thm [SV97]: LSZK  (L) SZK, where
 = k-ary boolean formula
L= characteristic fn of L
e.g. can prove “exactly k/2 of (x1, x2,..., xk) are in L” in SZK.
Equivalently, SZK is closed under NC1-truth table reductions.

35. Simplifying Okamoto’s Thm I [GV98]
Use the “complete problem methodology”:
Consider promise problem ENTROPY DIFFERENCE (ED):
Main steps in proof:
Reduce every problem in SZK to ED.
(Uses analysis of simulator from [AH87].)
Show that ED has a public-coin SZK proof system.
(Employs two subprotocols of [Oka96].)

36. Simplifying Okamoto’s Thm I (cont.)
This gives:
Simpler, modular proof that all of SZK has
public-coins SZK proofs.
ED is complete for SZK.
(Yet another) proof that SZK is closed under
complement.
“weak-SZK” equals SZK.

37. Honest verifier vs. any verifier

38. Honest verifier vs. any verifier
So far: zero-knowledge only vs. honest verifier, i.e. verifier that follows specified protocol.
Cryptographic applications need zero-knowledge
even vs. cheating verifiers.
Main question: Does honest-verifier ZK=any-verifier ZK?
Motivation?
honest verifier classes suitable for study
(e.g. complete problem, closure properties)
methodology: design honest-verifier proof and
convert to any-verifier proof.

39. Any-verifier Statistical Zero-Knowledge
When x is a YES instance, Verifier can simulate her view of the interaction on her own. p1 v2 pk
accept/reject
Formally, for every poly-time verifier, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view of interaction with Prover.
Computational Zero-Knowledge (CZK): require simulator
distribution to be computationally indistinguishable rather
than statistically close.

40. Results on honest verifier vs. any verifier
Conditional Results:
If one-way functions exist,
honest-ver CZK=any-ver CZK=IP=PSPACE
[GMW86,IY87,BGG+88,Sha90]
honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]
Unconditional Results:
For both computational and statistical zero-knowledge,
honest-verifier=any-verifier for constant-round
public-coin proofs [Dam93,DGW94]

41. For both computational and statistical zero-knowledge,
honest-verifier=any-verifier for constant-round
public-coin proofs [Dam93,DGW94] [GSV98]
(+ [Oka96])  honest-ver SZK=any-ver SZK

42. Results on honest verifier vs. any verifier
Conditional Results:
If one-way functions exist,
honest-ver CZK=any-ver CZK=IP=PSPACE
[GMW86,IY87,BGG+88,Sha90]
honest-ver SZK=any-ver SZK [BMO90,OVY93,Oka96]
Unconditional Results:
For both computational and statistical zero-knowledge,
honest-verifier=any-verifier for constant-round
public-coin proofs [Dam93,DGW94][GSV98]
(+ [Oka96])  honest-ver SZK=any-ver SZK

43. The Transformation Any-verifier Proof System
Prover
random coins 1
Verifier
answer 1
random coins 2
answer k
Any-verifier Proof System
accept/reject
Random Selection
Protocol
Honest-verifier Proof System
Prover 1
Verifier
answer 1
Random Selection
Protocol 2
answer k
accept/reject

44. Simulating the Transformed Pf System
1. Use honest-verifier simulator
to generate a transcript 1 1 2 k
accept/reject 1
answer 1 2
2. “Fill in” transcripts of
Random Selection
protocols
answer k
accept/reject

45. Desired Properties of Random Selection Protocol
Dishonest verifier:
Outcome  distributed almost uniformly.
Simulability: For (almost) every , can simulate
RS protocol transcripts yielding output .
Dishonest prover:
(OK for soundness by parallel repetition of
original proof system)
[GSV98] give a public-coin protocol with these properties
(building on [DGW94]).

46. Noninteractive Statistical Zero-Knowledge

47. Noninteractive Statistical Zero-Knowledge [BFM88,BDMP91]
shared
random string
Prover
(unbounded)
proof
Verifier
(poly-time)
accept/reject
On input x (instance of promise problem):
When x is a YES instance, Verifier accepts w.h.p.
When x is a NO instance, Verifier rejects w.h.p. no matter what proof Prover sends.

48. Noninteractive Statistical ZK (cont.)
When x is a YES instance, Verifier can simulate her view on her own.
shared
random string
proof
Formally, there is probabilistic poly-time simulator such that, when x is a YES instance, its output distribution is statistically close to Verifier’s view.
Note: above is “one proof” version.

49. Study of Noninteractive ZK
Motivation:
communication-efficient.
cryptography vs. active adversaries [BFM88,BG89,NY90,DDN91]
Examples of NISZK proofs and some initial study in
[BDMP91,BR90,DDP94,DDP97].
But most attention focused on NICZK, e.g. [FLS90,KP95].
[DDPY98] apply “complete problem methodology”
to show IMAGE DENSITY complete for NISZK.

50. Complete Problems for NISZK [GSV99]
Thm: The following problems are complete for NISZK:
STATISTICAL DIFFERENCE FROM UNIFORM (SDU):
ENTROPY APPROXIMATION (EA):

51. Relating SZK and NISZK Recall complete problems for SZK:
NISZK’s complete problems are natural restrictions of these.
 can use complete problems to relate SZK and NISZK.
Thm [GSV98]: SZKBPP  NISZKBPP.
Thm [GSV98]:
SZK=NISZK  NISZK closed under complement.

52. Summary Recent work has refined our understanding of statistical
zero-knowledge.
Main tools:
focus on public-coin proofs (via [Oka96])
complete problems [SV97]
Questions addressed:
closure properties
honest verifier vs. any verifier
interactive vs. noninteractive

53. Open Problems 1. Generalize more results/techniques to computational
zero-knowledge or arguments.
2. Combinatorial or number-theoretic complete problems?
3. Does SZK=NISZK?
4. Show that SZKBPP if one-way functions exist
(“converse” to [Ost91]).
5. Does SZK=PZK (“Perfect” zero-knowledge)?