Honest-Verifier Statistical Zero-Knowledge Equals General Statistical Zero-Knowledge Oded Goldreich (Weizmann) Amit Sahai (MIT) Salil Vadhan (MIT)

 Zero-Knowledge means Verifier learns nothing except truth of assertion.  Two classes of Verifiers:  Honest - follows the protocol  General- employs any strategy Zero-Knowledge We give a transformation: Proof ZK for Honest Verifier Proof ZK for General Verifiers

Motivation Why would one want to show HVZK = General ZK?  Easier to prove statements about the honest-verifier model, e.g. HVSZK. By result, structural properties extend to General ZK as well.  Methodology:  Design an HVZK proof  Transform into General ZK proof

Zero-Knowledge Proof [GMR85] v1v1 p1p1 v2v2 pkpk accept/reject When assertion is true, Verifier can simulate her view of the interaction on her own. Formally, a proof system is Statistical ZK if for every Verifier, there is probabilistic poly-time simulator such that, when the assertion is true, its output distribution is statistically close to Verifier’s view of the interaction with Prover. Computational ZK : require simulator distribution to be computationally indistinguishable rather than statistically close.

Our Results For Public-Coin Proof Systems, for both Statistical ZK and Computational ZK: Show how to transform any proof ZK for Honest Verifier into proof ZK for Any Verifier.  For Statistical ZK, HVSZK = Public-Coin HVSZK [Oka96], so we show HVSZK = General SZK.  No computational assumptions  ZK condition holds even for computationally unbounded Verifiers

Public Coin Proofs [Babai85] ArthurMerlin Random Coins Response Random Coins Response Accept/Reject

Previous Work  For Computational Zero-Knowledge, assuming one-way functions exist, CZK = HVCZK = IP = PSPACE [GMW86, IY87, Ben-Or+88]  For Statistical Zero-Knowledge, assuming one-way functions exist, SZK = HVSZK [BMO90, OVY93, Oka96]  For both CZK and SZK, unconditionally, but restricted to constant round Public-Coin Proofs, Honest Verifier = General Verifier [Dam94, DGW94]

Techniques Main Ingredients:  A (Public-Coin) Random Selection Protocol, which will replace Arthur’s messages.  A new Hashing Lemma about 2-universal hash functions used to prove Simulability.

Random Selection ArthurMerlin   rr rr Random Selection   rr rr ArthurMerlin The Transformation

The Simulator Use the Honest-Verifier Simulator to generate transcript:   rr rr  rr rr 

Desired Properties of Random Selection (RS)  Dishonest Merlin: OK for Soundness by parallel repetition of Original Proof System.  Dishonest Arthur:  Outcome  almost uniform.  For every , can simulate RS to produce . i.e. Conditioned on a fixed , the simulator distribution is statistically close to distribution of actual RS transcripts that produce .

Random Selection [DGW] Arthur Merlin Cell  R partition  Dishonest Merlin can cause at most 1/ poly(n) statistical deviation.  For Dishonest Arthur: can simulate for only a 1/ poly(n) fraction of  ’s.  Yields result only for constant round.  We fix this. Arthur selects “random” partition of message space into cells of size poly(n).   R  Cell  Cell

Our Solution ArthurMerlin  Accept/Reject  Use [DGW] protocol to select randomly among sets of 2 n  ’s.  Any 1/ poly(n) fraction of such sets will cover the space of  ’s almost uniformly. [DGW] RS protocol Set S of 2 n  ’s  R S

Hash Functions Accept/Reject  We use hash functions to describe sets of  ’s.  For almost all h ’s, h -1 (0) is of size 2 n.  H is a 2-universal family of hash functions, so  ’s will be “well spread” over sets h -1 (0). We will use h -1 (0 ) to be our set of  ’s.

New Random Selection Arthur Merlin Cell  R partition Arthur selects “random” partition of H into cells of size poly(n). h  R  Cell h    R  h -1 (0) Cell

Simulation of Random Selection (RS)  The random tape of Arthur is already fixed; Arthur is deterministic.  Simulator, on input  :  Obtains Arthur’s partition p.  Chooses cell y randomly among cells containing some h such that h(   If Arthur picks h such that h( , output ( p,y,h,  Otherwise repeat. Why does this work?

Simulator, on input  :  Obtains Arthur’s partition p.  Chooses cell y randomly among cells intersecting   If Arthur picks h , output ( p,y,h,  Otherwise repeat. RS Protocol & Simulator Arthur Merlin Cell  R partition h  R  Cell h    R  h -1 (0) Cell

New Hashing Lemma Moreover, the statistical difference between the following two distributions is at most 2 -  n  : (Hence the simulation is polynomial time) (Hence the simulation is statistically close.) Let  H be any set of size

Conclusions  We transform Public-Coin proofs ZK for the Honest Verifer into proofs ZK for any Verifier.  HVSZK = SZK  Public-Coin HVCZK= Public-Coin CZK  We give a new Hashing Lemma which may be of independent interest.

Hello there, my friend. This is the beginning of the end, he said. There is no hope. What’s the use in going on? We’re all dead anyway… The door opened. Hello there, my friend. Test

 Zero-Knowledge means Verifier learns nothing except truth of assertion. Formally, can simulate interaction. Zero-Knowledge (ZK) We give a transformation: Proof ZK for Honest Verifier Proof ZK for General Verifiers Computational StatisticalGeneral Honest QualityScope

Definitions Black-Box Simulator: Random Tape SimulatorVerifier v1v1 p1p1 pkpk v k+1 vkvk Simulator Verifier Computational Zero-Knowledge: Require Simulator Distribution to be only Computationally Indistinguishable rather than statistically close.