Statistical Zero-Knowledge Arguments for NP

from Any One-Way Function

Salil Vadhan

Minh Nguyen Shien Jin Ong

Harvard University

Assumptions for Cryptography

One-way functions )– Pseudorandom generators [Hastad-Impagliazzo-Levin-Luby].– Pseudorandom functions & private-key cryptography

[Goldreich-Goldwasser-Micali]

– Commitment schemes [Naor].– Zero-knowledge proofs for NP [Goldreich-Micali-Wigderson].– Digital signatures [Rompel].

Almost all cryptographic tasks ) one-way functions.[Impagliazzo-Luby, Ostrovsky-Wigderson]

Some tasks not “black-box reducible” to one-way fns.– Public-key encryption [Impagliazzo-Rudich]– Collision-resistant hashing [Simon]

Main Result

One-Way Functions ) Statistical Zero-Knowledge Arguments for NP

– Resolves an open problem posed by [Naor-Ostrovsky-Venkatesan-Yung92].

– OWF is essentially the minimal complexity assumption for ZK [Ostrovsky-Wigderson].

Notions of Zero Knowledge

Zero Knowledge– statistical– computational

Soundness– statistical (proofs)– computational (arguments)

[Brassard-Chaum-Crepeau]

Completeness

[Goldwasser-Micali-Rackoff]

Verifier learnsnothing

Verifier learnsnothing

Prover cannot convince Verifier offalse statements

Prover cannot convince Verifier offalse statements

Notions of Zero Knowledge

Zero Knowledge– statistical– computational

Soundness– statistical (proofs)– computational (arguments)

[Brassard-Chaum-Crepeau]

[Goldwasser-Micali-Rackoff]

Verifier learnsnothing

Verifier learnsnothing

Prover cannot convince Verifier offalse statements

Prover cannot convince Verifier offalse statements

Thm [Fortnow,Aiello-Hastad]: Only languages in AMÅ co-AM have statistical ZK proofs.

Notions of Zero Knowledge

Zero Knowledge– statistical– computational

Soundness– statistical (proofs)– computational (arguments)

[Brassard-Chaum-Crepeau]

[Goldwasser-Micali-Rackoff]

Verifier learnsnothing

Verifier learnsnothing

Prover cannot convince Verifier offalse statements

Prover cannot convince Verifier offalse statements

Thm [1980’s]: one-way functions ) all of NP has computational ZK proofs.

Notions of Zero Knowledge

Zero Knowledge– statistical– computational

Soundness– statistical (proofs)– computational (arguments)

[Brassard-Chaum-Crepeau]

[Goldwasser-Micali-Rackoff]

Verifier learnsnothing

Verifier learnsnothing

Prover cannot convince Verifier offalse statements

Prover cannot convince Verifier offalse statements

Thm [today]: one-way functions ) all of NP has statistical ZK arguments.

Zero Knowledge for NP

One-WayFunctions

CommitmentSchemes

ZK for NP[Goldreich-Micali-Wigderson]

[Hastad-Impagliazzo-Levin-Luby], [Naor]

computational zero-knowledge

proofs

Commitment Schemes

Polynomial time algorithm Com(b; K) s.t.

– HidingFor random K, Com(0; K) ¼ Com(1; K)

– BindingCom(b; K) cannot be opened to b’, where b’ b.

S R

Commit:c = Com(b;K)

Reveal:(b,K)

K Ã {0,1}*

b2{0,1}

Zero Knowledge for NP:Graph 3-Coloring Protocol

[Goldreich-Micali-Wigderson]

12

3

4

5

6P V

1. Randomly permutecoloring & commit to colors.

2. Pick random edge. (1,4)

4. Accept if colors different.

3. Send keys forendpoints.

Completeness: Graph 3-colorable ) V always accepts.

Zero Knowledge for NP:Graph 3-Coloring Protocol

[Goldreich- Micali-Wigderson]

12

3

4

5

6P V

1. Randomly permutecoloring & commit to colors.

2. Pick random edge. (1,4)

4. Accept if colors different.

3. Send keys forendpoints.

Soundness: Graph not 3-colorable ) V rejects w.p. ¸ 1/(# edges) because commitment binding

Zero Knowledge for NP:Graph 3-Coloring Protocol

[Goldreich- Micali-Wigderson]

12

3

4

5

6P V

1. Randomly permutecoloring & commit to colors.

2. Pick random edge. (1,4)

4. Accept if colors different.

3. Send keys forendpoints.

Zero knowledge: Graph 3-colorable ) Verifier learns nothing because commitment hiding

Zero Knowledge for NP

One-WayFunctions

CommitmentSchemes

ZK for NP[Goldreich-Micali-Wigderson]

[Hastad-Impagliazzo-Levin-Luby], [Naor]

computational zero-knowledge

proofs

computationally hiding,statistically binding

Zero Knowledge for NP

One-WayFunctions

CommitmentSchemes

ZK for NP[Brassard-Chaum-Crepeau]

statistical zero-knowledge

arguments

statistically hiding,computationally binding

???

Complexity of SZK Arguments for NP

number-theoreticassumptions

claw-free perm

SZK argumentsstat. hiding

comp. bindingcommitments

[BCC] [BCC]

[GMR,BKK]

[NY]

collision-resistanthash functions

[GMR, Damgard]

[GK]

Complexity of SZK arguments for NP

number-theoreticassumptions

claw-free perm

one-way perm

regular OWF

SZK argumentsstat. hiding

comp. bindingcommitments

[HHK

+ 05][N

OVY 92]

[BCC] [BCC]

[GMR,BKK]

[NY]

collision-resistanthash functions

[GK]

Complexity of SZK arguments for NP

number-theoreticassumptions

claw-free perm

one-way perm

regular OWF

one-way function

SZK argumentsstat. hiding

comp. bindingcommitments

[HHK

+ 05][N

OVY 92]

[BCC] [BCC]

[NY]

collision-resistanthash functions

[GMR,BKK] [GK]

Complexity of SZK Arguments for NP

number-theoreticassumptions

claw-free perm

one-way perm

regular OWF

one-way function

SZK arguments

stat. hiding1-out-of-2 comp. binding

commitments

stat. hidingcomp. bindingcommitments

[HHK

+ 05][N

OVY 92]

[BCC] [BCC]

[NY]

collision-resistanthash functions

[GMR,BKK] [GK]

1-out-of-2 binding commitments

Commitment in 2 phases.

Statistically hiding in both phases.

Computational binding in at least one phase.

[Nguyen-Vadhan06]

S RPhase 1 commit:c = Com(1)(b;K)

Phase 1 reveal:(b,K)

Phase 2 commit:c’ = Com(2)(b’;K’)

Phase 2 reveal:(b’,K’)

Zero Knowledge for NP

One-WayFunctions

CommitmentSchemes

ZK for NP[Nguyen-Vadhan06]

statistical zero-knowledge

arguments

statistically hiding,1-out-of-2 binding

Main Thm

Overview of our constructionfrom one-way functions

One-wayfunction

(1/n)-hiding1-out-of-2binding

1)-hiding1-out-of-2binding

stat hiding1-out-of-2binding

StatisticalZK argumentfor NP

OWF ) (1/n)-hiding

Starting Point:OWF w/ “approximable preimage size” ) stat. hiding commitments [HHK+05]

Idea: sender “guess” preimage size) hiding w.p. 1/n

Problem: sender sends overestimate.

Solution: use second phase to “prove” estimate correct [NV06]

– Main tool: interactive hashing [OVY]

(1/n)-hiding ) (1)-hiding

Amplify in O(log n) stages– Each time -hiding 2-hiding– Inspired by [Reingold05,Dinur06]

Each Stage– O(1) repetitions of basic protocol– Combine using interactive hashing [OVY]– Analyze with nonstandard measures.

Future Work

Standard statistically hiding commitments from OWF.– Useful for verifier commitments.– Many applications beyond ZK.

Better (sub-polynomial) round complexity– Open even for one-way permutations [NOVY].

Simplify the construction.