The (true) complexity of statistical zero knowledge

Abstract

Statistical zero-knowledge is a very strong privacy constraint which is not dependent on computational limitations. In this paper we show that, given a complexity assumption, a much weaker condition suffices to attain statistical zero-knowledge. As a result we are able to simplify statistical zero-knowledge and to better characterize, on many counts, the class of languages that possess statistical zero-knowledge proofs.

1 Introduction

An interactive proof involves two parties, a prover and a verifier, who talk back and forth. The prover, who is computationally unbounded, tries to convince the probabilistic polynomial-time verifier that a given theorem is true. A zero-knowledge proof is an interactive proof with an additional privacy constraint: the verifier does not learn why the theorem is true [12]. That is, whatever the polynomial-time verifier sees in a zero-knowledge proof with the unbounded prover of a true theorem x can be approximated by a probabilistic, polynomial-time machine working solely on input x. A statistical zero-knowledge proof (SZK proof) is one for which this approximate view cannot be distinguished from the true view even when given unbounded computational resources (this will be made more precise in §2).

* Supported in part by NSF grant CCR-87-19689.
† Supported in part by NSF grant DCR-84-13577 and ARO grant DAAL03-86-K-0171. Part of this work was done at Boston University, Department of Computer Science, partially supported by NSF grant DCR-8607492.
Statistical zero-knowledge is indeed a strong privacy requirement, and designing protocols to meet it is a formidable task. In fact, we do not have many examples of languages possessing SZK proofs. Moreover, only a few properties of this class of languages are known, most notably the ones proved in [9] and [1]. As a consequence, the class of languages possessing SZK proofs is poorly understood. In this paper, under a complexity assumption, we

(1) present a simpler condition on a language L which guarantees that L has a SZK proof, and thus reduce the complexity of designing SZK proofs, and

(2) use this to prove various properties of the class of languages that possess SZK proofs.

The second result has the form that if some function is hard to compute, something about SZK proofs becomes easier. The argument thus has the flavor of a reduction "against the flow" (an argument of similar flavor is the one of Yao: if the discrete log problem is hard then RP is contained in sub-exponential time). Given that statistical zero-knowledge is a computationally independent notion, it is somewhat strange that properties about it could be proved under a computational intractability assumption. We discuss this point in §3.3. In proving the second result above, we actually exhibit a general paradigm for proving that the class of languages possessing SZK proofs has a given property. This paradigm is described in §4 and may be of independent interest.

© 1990 ACM 089791-361-2/90/0005/0494 $1.50

2 Definitions

2.1 Probability Spaces and Algorithms

These notations and conventions for probabilistic algorithms are derived from [13] and further extended. We emphasize the number of inputs received by an algorithm as follows. If algorithm A receives only one input we write "A(·)"; if it receives two we write "A(·, ·)", and so on.
If $A$ is a probabilistic algorithm then, for any input $i$, the notation $A(i)$ refers to the probability space which to the string $\sigma$ assigns the probability that $A$, on input $i$, outputs $\sigma$. If $S$ is a probability space we denote by $P_S(A)$ the probability that $S$ associates to the set $A$. If $A$ consists of the single element $e$ we write $P_S(e)$ rather than $P_S(\{e\})$. We denote by $[S]$ the set of elements to which $S$ assigns positive probability. If $f(\cdot)$ and $g(\cdot, \ldots)$ are probabilistic algorithms then $f(g(\cdot, \ldots))$ is the probabilistic algorithm obtained by composing $f$ and $g$ (i.e. running $f$ on $g$'s output). For any inputs $x, y, \ldots$, the associated probability space is denoted $f(g(x, y, \ldots))$. If $S$ is a probability space then $x \leftarrow S$ denotes the algorithm which assigns to $x$ an element randomly selected according to $S$ (that is, $x$ is assigned the value $e$ with probability $P_S(e)$); in the case that $[S]$ consists of only one element $e$ we write $x \leftarrow e$ rather than $x \leftarrow \{e\}$. For probability spaces $S, T, \ldots$, the notation $P(p(x, y, \ldots) : x \leftarrow S;\ y \leftarrow T;\ \ldots)$ denotes the probability that the predicate $p(x, y, \ldots)$ is true after the (ordered) execution of the algorithms $x \leftarrow S$, $y \leftarrow T$, etc. The notation $\{f(x, y, \ldots) : x \leftarrow S;\ y \leftarrow T;\ \ldots\}$ denotes the probability space which to the string $\sigma$ assigns the probability $P(\sigma = f(x, y, \ldots) : x \leftarrow S;\ y \leftarrow T;\ \ldots)$, $f$ being some function. If $S$ is a finite set we will identify it with the probability space which assigns to each element of $S$ the uniform probability $1/|S|$. (Then $x \leftarrow S$ denotes the operation of selecting an element of $S$ uniformly at random.) We let PPT denote the set of probabilistic (expected) polynomial time algorithms.

2.2 Statistical Indistinguishability of En-
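As an added illustration (not from the paper), the notation of §2.1 made executable for finite probability spaces: `Space`, `prob`, `dist` and `compose` are names chosen here, probabilities are exact fractions, and the ordered execution x ← S; y ← T is modelled with independent spaces, which is all that the definitions above require.

```python
from fractions import Fraction
from itertools import product
from math import prod

class Space:
    """Finite probability space: outcome -> exact probability; the keys are the support [S]."""
    def __init__(self, probs):
        self.probs = {e: Fraction(p) for e, p in probs.items() if p}
        assert sum(self.probs.values()) == 1, "probabilities must sum to 1"

    @classmethod
    def uniform(cls, S):
        """A finite set S identified with the uniform space: each element gets 1/|S|."""
        S = list(S)
        return cls({e: Fraction(1, len(S)) for e in S})

    def P(self, A):
        """P_S(A) for a set A; a single element e is read as P_S({e})."""
        A = A if isinstance(A, (set, frozenset)) else {A}
        return sum((self.probs.get(e, Fraction(0)) for e in A), Fraction(0))

def _joint(spaces):
    """Yield (assignment, weight) for x <- S; y <- T; ... (assumption: spaces are independent)."""
    names = list(spaces)
    for combo in product(*(spaces[n].probs.items() for n in names)):
        weight = prod((q for _, q in combo), start=Fraction(1))
        yield {n: e for n, (e, _) in zip(names, combo)}, weight

def prob(pred, **spaces):
    """P(pred(x, y, ...) : x <- S; y <- T; ...), computed by exact enumeration."""
    return sum((w for a, w in _joint(spaces) if pred(**a)), Fraction(0))

def dist(f, **spaces):
    """{f(x, y, ...) : x <- S; y <- T; ...}: the output space of a deterministic f."""
    out = {}
    for a, w in _joint(spaces):
        y = f(**a)
        out[y] = out.get(y, Fraction(0)) + w
    return Space(out)

def compose(f, g):
    """f(g(.)): the algorithm that runs g on its input, then f on g's output."""
    def fg(*inputs):
        out = {}
        for sigma, p in g(*inputs).probs.items():  # sigma <- g(inputs)
            for tau, q in f(sigma).probs.items():  # tau <- f(sigma)
                out[tau] = out.get(tau, Fraction(0)) + p * q
        return Space(out)
    return fg
```

A probabilistic algorithm is any Python function mapping its input to a `Space`, so `compose(f, g)(x)` is the space written $f(g(x))$ above.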

[1] Eric Bach et al. How to Generate Factored Random Numbers. SIAM J. Comput., 1988.

[2] Silvio Micali et al. The Knowledge Complexity of Interactive Proof Systems. SIAM J. Comput., 1989.

[3] Oded Goldreich et al. Interactive proof systems: Provers that never fail and random selection. 28th Annual Symposium on Foundations of Computer Science, 1987.

[4] Silvio Micali et al. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. JACM, 1991.

[5] Johan Håstad et al. Perfect zero-knowledge languages can be recognized in two rounds. 28th Annual Symposium on Foundations of Computer Science, 1987.

[6] Silvio Micali et al. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput., 1988.

[7] Manuel Blum et al. Coin flipping by telephone: a protocol for solving impossible problems. SIGA, 1983.

[8] Manuel Blum et al. Coin Flipping over the Telephone. 1982.

[9] Lance Fortnow et al. The Complexity of Perfect Zero-Knowledge. Proceedings, Structure in Complexity Theory, 1987.

[10] Moni Naor et al. Universal one-way hash functions and their cryptographic applications. STOC '89, 1989.

[11] Adi Shamir et al. Witness indistinguishable and witness hiding protocols. STOC '90, 1990.

[12] Moti Yung et al. Everything in NP can be Argued in Perfect Zero-Knowledge in a Bounded Number of Rounds. ICALP, 1989.

[13] Gilles Brassard et al. Non-transitive transfer of confidence: A perfect zero-knowledge interactive protocol for SAT and beyond. 27th Annual Symposium on Foundations of Computer Science, 1986.

[14] Yair Oren et al. On the cunning power of cheating verifiers: Some observations about zero knowledge proofs. 28th Annual Symposium on Foundations of Computer Science, 1987.

[15] Hugo Krawczyk et al. On the Composition of Zero-Knowledge Proof Systems. ICALP, 1990.

[16] Silvio Micali et al. Proofs that yield nothing but their validity and a methodology of cryptographic protocol design. 27th Annual Symposium on Foundations of Computer Science, 1986.

[17] A. Yao. How to generate and exchange secrets. 27th Annual Symposium on Foundations of Computer Science, 1986.

[18] Rafail Ostrovsky et al. Perfect zero-knowledge in constant rounds. STOC '90, 1990.

[19] Silvio Micali et al. Everything Provable is Provable in Zero-Knowledge. CRYPTO, 1990.