
Batch Verification for Statistical Zero Knowledge Proofs

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12551)

Abstract

A statistical zero-knowledge proof (\(\mathsf {SZK}\)) for a problem \(\varPi \) enables a computationally unbounded prover to convince a polynomial-time verifier that \(x \in \varPi \) without revealing any additional information about x to the verifier, in a strong information-theoretic sense.

Suppose, however, that the prover wishes to convince the verifier that k separate inputs \(x_1,\dots ,x_k\) all belong to \(\varPi \) (without revealing anything else). A naive way of doing so is to simply run the \(\mathsf {SZK}\) protocol separately for each input. In this work we ask whether one can do better – that is, is efficient batch verification possible for \(\mathsf {SZK}\)?

We give a partial positive answer to this question by constructing a batch verification protocol for a natural and important subclass of \(\mathsf {SZK}\) – all problems \(\varPi \) that have a non-interactive \(\mathsf {SZK}\) protocol (in the common random string model). More specifically, we show that, for every such problem \(\varPi \), there exists an honest-verifier \(\mathsf {SZK}\) protocol for batch verification of k instances, with communication complexity \(\mathsf {poly}(n) + k \cdot \mathsf {poly}(\log {n},\log {k})\), where \(\mathsf {poly}\) refers to a fixed polynomial that depends only on \(\varPi \) (and not on k). This result should be contrasted with the naive solution, which has communication complexity \(k\cdot \mathsf {poly}(n)\).

Our proof leverages a new \(\mathsf {NISZK}\)-complete problem, called Approximate Injectivity, that we find to be of independent interest. The goal in this problem is to distinguish circuits that are nearly injective, from those that are non-injective on almost all inputs.

The full version is available on ECCC [KRR+20].

Fig. 1, Fig. 2, Fig. 3 (captions and images not reproduced on this page)

Notes

  1. Recall that a promise problem \(\varPi \) consists of two ensembles of sets \(\mathrm {YES}= (\mathrm {YES}_{n})_{n \in \mathbb {N}}\) and \(\mathrm {NO}= (\mathrm {NO}_{n})_{n \in \mathbb {N}}\), such that \(\mathrm {YES}_{n}\) and \(\mathrm {NO}_{n}\) are disjoint for every n. Instances in \(\mathrm {YES}\) are called YES instances and those in \(\mathrm {NO}\) are called NO instances.

  2. The resulting protocol can be shown to be zero-knowledge (analogously to the fact that sequential repetition preserves statistical zero-knowledge).

  3. This notion of composition is to be contrasted with that employed in the closure theorems for \(\mathsf {SZK}\) under composition with formulas [SV03]. There, a composite problem similar to \(\varPi ^{\otimes k}\) is considered that does not require in its NO sets that all k instances satisfy the promise, but instead just that at least one of the instances is a NO instance of \(\varPi \).

  4. \(\mathsf {PERM}\) can be thought of as a variant of the collision problem (see [Aar04, Chapter 6]) in which the goal is to distinguish a permutation from a 2-to-1 function.

  5. A two-round public-coin honest-verifier perfect zero-knowledge protocol for \(\mathsf {PERM}\) can be constructed as follows. The verifier sends a random string \(y \in \left\{ 0,1 \right\} ^n\) and the prover sends \(x = C^{-1}(y)\). The verifier needs to check that indeed \(y=C(x)\). It is straightforward to check that this protocol is honest-verifier perfect zero-knowledge and has soundness error 1/2 (a random y lies in the image of a 2-to-1 function with probability exactly 1/2), which can be reduced by parallel repetition (while noting that honest-verifier zero-knowledge is preserved under parallel repetition).

     This protocol can be viewed as a \(\mathsf {NIPZK}\) protocol by viewing the verifier's coins as the common random string. On the other hand, assuming that \(\mathsf {NISZK}\ne \mathsf {NIPZK}\), \(\mathsf {PERM}\) is not \(\mathsf {NISZK}\)-complete.

  6. A related but slightly different protocol, which will be less useful in our eventual construction, can be obtained by observing that (1) the mapping \((C_1,\dots ,C_k) \mapsto C_k \circ \cdots \circ C_1\) is a Karp reduction from an instance of \(\mathsf {PERM}^{\otimes k}\) to an instance of \(\mathsf {PERM}\) with n input/output bits, and (2) that \(\mathsf {PERM}\) has an \(\mathsf {NISZK}\) protocol with communication complexity that depends only on n.
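The two-round protocol of Note 5 and the composition reduction of Note 6, as an added worked example that is not part of the paper or of the authors' code. Everything here is constructed for illustration: the toy "circuits" (make_permutation builds a YES instance, make_two_to_one a NO instance), the exhaustive-search prover standing in for the computationally unbounded prover, the helper names, and the choice n = 8 so that the brute force runs instantly. The example also goes slightly beyond the footnote by computing the exact cheating probability after t parallel repetitions and by checking the simulator against the real transcript distribution.

```python
"""Added example (not the paper's code): toy HVPZK protocol for PERM (Note 5)
and the C_k o ... o C_1 composition of Note 6.

Assumptions, all constructed here: a circuit C: {0,1}^n -> {0,1}^n is a Python
callable on ints in [0, 2^n); the unbounded prover is exhaustive search.
"""
import random
from typing import Callable, List, Optional, Sequence, Tuple

Circuit = Callable[[int], int]


def make_permutation(n: int, key: int) -> Circuit:
    """Toy YES instance: XOR with a key, then rotate left by one bit (bijective)."""
    mask = (1 << n) - 1

    def C(x: int) -> int:
        y = (x ^ key) & mask
        return ((y << 1) | (y >> (n - 1))) & mask

    return C


def make_two_to_one(n: int, key: int) -> Circuit:
    """Toy NO instance: drop the top input bit before a permutation, so every
    image point has exactly two preimages and |Im(C)| = 2^(n-1)."""
    low = (1 << (n - 1)) - 1
    P = make_permutation(n, key)
    return lambda x: P(x & low)


def compose(circuits: Sequence[Circuit]) -> Circuit:
    """Note 6: (C_1, ..., C_k) -> C_k o ... o C_1 on the same n bits.  All
    permutations give a permutation; one 2-to-1 factor makes it non-injective."""

    def C(x: int) -> int:
        for Ci in circuits:
            x = Ci(x)
        return x

    return C


def image_size(C: Circuit, n: int) -> int:
    return len({C(x) for x in range(1 << n)})


def prover_invert(C: Circuit, n: int, y: int) -> Optional[int]:
    """Unbounded prover: exhaustive search for a preimage of y (None if absent)."""
    for x in range(1 << n):
        if C(x) == y:
            return x
    return None


def seeded_rng(seed: int) -> Callable[[int], int]:
    """Deterministic coin source for reproducible runs (verifier's public coins)."""
    return random.Random(seed).randrange


def run_protocol(C: Circuit, n: int, t: int,
                 rng: Callable[[int], int] = random.SystemRandom().randrange
                 ) -> Tuple[bool, List[Tuple[int, Optional[int]]]]:
    """t parallel repetitions: V sends random y, P answers x = C^{-1}(y),
    V accepts iff C(x) == y in every repetition.  Returns (accept, transcript)."""
    ys = [rng(1 << n) for _ in range(t)]          # verifier's public coins
    xs = [prover_invert(C, n, y) for y in ys]      # prover's responses
    accept = all(x is not None and C(x) == y for x, y in zip(xs, ys))
    return accept, list(zip(ys, xs))


def simulate(C: Circuit, n: int, t: int,
             rng: Callable[[int], int] = random.SystemRandom().randrange
             ) -> List[Tuple[int, int]]:
    """Honest-verifier simulator: choose x first and output (C(x), x).  For a
    permutation, uniform x yields uniform y, so the simulated transcript has
    exactly the real distribution (perfect zero-knowledge)."""
    xs = [rng(1 << n) for _ in range(t)]
    return [(C(x), x) for x in xs]


def cheating_success(C: Circuit, n: int, t: int) -> float:
    """Exact acceptance probability of the best prover on instance C: each y
    has a preimage with probability |Im(C)| / 2^n, independently per repetition."""
    return (image_size(C, n) / (1 << n)) ** t


def simulator_is_perfect(C: Circuit, n: int) -> bool:
    """Real transcript on coin y is (y, C^{-1}(y)); simulated one on x is (C(x), x).
    For a permutation the two sets of pairs coincide, so the simulation is perfect."""
    real = {(y, prover_invert(C, n, y)) for y in range(1 << n)}
    simulated = {(C(x), x) for x in range(1 << n)}
    return real == simulated


if __name__ == "__main__":
    n = 8
    P, T = make_permutation(n, 0x5A), make_two_to_one(n, 0x5A)
    print("YES instance accepted:", run_protocol(P, n, 20)[0])
    print("NO instance accepted: ", run_protocol(T, n, 20)[0])
    print("cheating success on NO instance, t=20:", cheating_success(T, n, 20))
    # Note 6: batch k=3 instances into one PERM instance and run the single protocol.
    batch = compose([make_permutation(n, 1), make_permutation(n, 2), make_permutation(n, 3)])
    print("batched YES instance accepted:", run_protocol(batch, n, 20)[0])
```

The composition trick keeps the verifier's message at n bits and the prover's reply at n bits regardless of k, which is the point of Note 6; the batch protocol in the paper's main construction is chosen instead because it extends to the more general Approximate Injectivity problem, where this simple composition argument does not apply.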

  7. In fact, we also show that \(\mathsf {AI}_\delta \) is in \(\mathsf {NISZK}\), and thus is \(\mathsf {NISZK}\)-complete, by reducing back from it to \(\mathsf {EA}\).

  8. In the standard definition of \(\mathsf {EA}\) [GSV99], the promise is that H(C) is either more than \(k+1\) or less than \(k-1\), but this gap can be amplified easily by repetition of C.

  9. Actually the protocol as described achieves perfect completeness and perfect honest-verifier zero-knowledge. However, the more general \(\mathsf {AI}_\delta \) problem will introduce some (negligible) statistical errors.

  10. This observation is simple in hindsight but we nevertheless find it somewhat surprising. In particular, it cannot be shown by bounding the expected number of collisions and applying Markov's inequality, since the expected number of collisions in \(\text {\textsf {Ext}}\) is very large (see [Vad12, Problem 6.4]).

  11. While a linear dependence on k seems potentially avoidable, we note that a polynomial dependence on n seems inherent (even for just a single instance, i.e., when \(k=1\)).

  12. We remark that the choice of 7/8 is somewhat but not entirely arbitrary. In particular, in case u is very small (e.g., \(u=2\)) there may very well be a hash value that has \(50\%\) of the probability mass.

References

  1. Aaronson, S.: Limits on efficient computation in the physical world. CoRR, abs/quant-ph/0412143 (2004)
  2. Aiello, W., Hastad, J.: Statistical zero-knowledge languages can be recognized in two rounds. J. Comput. Syst. Sci. 42(3), 327–345 (1991)
  3. Alamati, N., Peikert, C., Stephens-Davidowitz, N.: New (and old) proof systems for lattice problems. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part II. LNCS, vol. 10770, pp. 619–643. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_21
  4. Ball, M., et al.: Cryptography from information loss. In: Vidick, T. (ed.) 11th Innovations in Theoretical Computer Science Conference, ITCS 2020, Seattle, Washington, USA, 12–14 January 2020. LIPIcs, vol. 151, pp. 81:1–81:27. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2020)
  5. Berman, I., Degwekar, A., Rothblum, R.D., Vasudevan, P.N.: From laconic zero-knowledge to public-key cryptography. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 674–697. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_23
  6. Berman, I., Degwekar, A., Rothblum, R.D., Vasudevan, P.N.: Multi-collision resistant hash functions and their applications. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 133–161. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_5
  7. Berman, I., Degwekar, A., Rothblum, R.D., Vasudevan, P.N.: Statistical difference beyond the polarizing regime. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 311–332. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_12
  8. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, Chicago, Illinois, USA, 2–4 May 1988, pp. 103–112 (1988)
  9. Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 236–250. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054130
  10. Brakerski, Z., Holmgren, J., Kalai, Y.: Non-interactive delegation and batch NP verification from standard computational assumptions. In: Hatami, H., McKenzie, P., King, V. (eds.) Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, Montreal, QC, Canada, 19–23 June 2017, pp. 474–482. ACM (2017)
  11. Bogdanov, A., Lee, C.H.: Limits of provable security for homomorphic encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 111–128. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_7
  12. Blum, M., De Santis, A., Micali, S., Persiano, G.: Noninteractive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991)
  13. Camenisch, J., Hohenberger, S., Pedersen, M.Ø.: Batch verification of short signatures. J. Cryptol. 25(4), 723–747 (2012)
  14. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_7
  15. Drucker, A.: New limits to classical and quantum instance compression. SIAM J. Comput. 44(5), 1443–1479 (2015)
  16. De Santis, A., Di Crescenzo, G., Persiano, G.: The knowledge complexity of quadratic residuosity languages. Theor. Comput. Sci. 132(2), 291–317 (1994)
  17. Fortnow, L.J.: Complexity-theoretic aspects of interactive proof systems. Ph.D. thesis, Massachusetts Institute of Technology (1989)
  18. Goldreich, O., Goldwasser, S.: On the limits of nonapproximability of lattice problems. J. Comput. Syst. Sci. 60(3), 540–563 (2000)
  19. Goldreich, O., Kushilevitz, E.: A perfect zero-knowledge proof system for a problem equivalent to the discrete logarithm. J. Cryptol. 6(2), 97–116 (1993)
  20. Goldreich, O., Krawczyk, H., Luby, M.: On the existence of pseudorandom generators. SIAM J. Comput. 22(6), 1163–1175 (1993)
  21. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
  22. Gennaro, R., Micciancio, D., Rabin, T.: An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products. In: Gong, L., Reiter, M.K. (eds.) CCS 1998, Proceedings of the 5th ACM Conference on Computer and Communications Security, San Francisco, CA, USA, 3–5 November 1998, pp. 67–72. ACM (1998)
  23. Goldreich, O., Sahai, A., Vadhan, S.: Honest-verifier statistical zero-knowledge equals general statistical zero-knowledge. In: STOC (1998)
  24. Goldreich, O., Sahai, A., Vadhan, S.: Can statistical zero knowledge be made non-interactive? or on the relationship of SZK and NISZK. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 467–484. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_30
  25. Guruswami, V., Umans, C., Vadhan, S.P.: Unbalanced expanders and randomness extractors from Parvaresh-Vardy codes. In: 22nd Annual IEEE Conference on Computational Complexity (CCC 2007), San Diego, California, USA, 13–16 June 2007, pp. 96–108. IEEE Computer Society (2007)
  26. Goldreich, O., Vadhan, S.P.: Comparing entropies in statistical zero knowledge with applications to the structure of SZK. In: CCC (1999)
  27. Haitner, I., Harnik, D., Reingold, O.: On the power of the randomized iterate. SIAM J. Comput. 40(6), 1486–1528 (2011)
  28. Holenstein, T., Renner, R.: One-way secret-key agreement and applications to circuit polarization and immunization of public-key encryption. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 478–493. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_29
  29. Ishai, Y.: Zero-knowledge proofs from information-theoretic proof systems. https://zkproof.org/2020/08/12/information-theoretic-proof-systems/
  30. Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: Kosaraju, S.R., Fellows, M., Wigderson, A., Ellis, J.A. (eds.) Proceedings of the 24th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, 4–6 May 1992, pp. 723–732. ACM (1992)
  31. Komargodski, I., Moran, T., Naor, M., Pass, R., Rosen, A., Yogev, E.: One-way functions and (im)perfect obfuscation. In: 55th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2014, Philadelphia, PA, USA, 18–21 October 2014, pp. 374–383. IEEE Computer Society (2014)
  32. Kaslasi, I., Rothblum, G.N., Rothblum, R.D., Sealfon, A., Vasudevan, P.N.: Batch verification for statistical zero knowledge proofs. In: Electronic Colloquium on Computational Complexity (ECCC) (2020)
  33. Komargodski, I., Yogev, E.: On distributional collision resistant hashing. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 303–327. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_11
  34. Lund, C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof systems. J. ACM 39(4), 859–868 (1992)
  35. Liu, T., Vaikuntanathan, V.: On basing private information retrieval on NP-hardness. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016, Part I. LNCS, vol. 9562, pp. 372–386. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_16
  36. Micciancio, D., Vadhan, S.P.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_17
  37. Naccache, D., M'Raïhi, D., Vaudenay, S., Raphaeli, D.: Can D.S.A. be improved? Complexity trade-offs with the digital signature standard. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 77–85. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053426
  38. Naor, J., Naor, M.: Small-bias probability spaces: efficient constructions and applications. SIAM J. Comput. 22(4), 838–856 (1993)
  39. Nguyen, M.-H., Vadhan, S.P.: Zero knowledge with efficient provers. In: Proceedings of the 38th Annual ACM Symposium on Theory of Computing, Seattle, WA, USA, 21–23 May 2006, pp. 287–295 (2006)
  40. Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996)
  41. Okamoto, T.: On relationships between statistical zero-knowledge proofs. J. Comput. Syst. Sci. 60(1), 47–108 (2000)
  42. Ostrovsky, R.: One-way functions, hard on average problems, and statistical zero-knowledge proofs. In: Structure in Complexity Theory Conference, pp. 133–138 (1991)
  43. Ong, S.J., Vadhan, S.: An equivalence between zero knowledge and commitments. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 482–500. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_27
  44. Ostrovsky, R., Wigderson, A.: One-way functions are essential for non-trivial zero-knowledge. In: ISTCS, pp. 3–17 (1993)
  45. Pandey, O., Prabhakaran, M., Sahai, A.: Obfuscation-based non-black-box simulation and four message concurrent zero knowledge for NP. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 638–667. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_25
  46. Peikert, C., Vaikuntanathan, V.: Noninteractive statistical zero-knowledge proofs for lattice problems. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 536–553. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_30
  47. Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. In: Proceedings of the 48th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2016, Cambridge, MA, USA, 18–21 June 2016, pp. 49–62 (2016)
  48. Reingold, O., Rothblum, G.N., Rothblum, R.D.: Efficient batch verification for UP. In: 33rd Computational Complexity Conference, CCC 2018, San Diego, CA, USA, 22–24 June 2018, pp. 22:1–22:23 (2018)
  49. De Santis, A., Di Crescenzo, G., Persiano, G., Yung, M.: Image density is complete for non-interactive-SZK. In: Larsen, K.G., Skyum, S., Winskel, G. (eds.) ICALP 1998. LNCS, vol. 1443, pp. 784–795. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055102
  50. Shamir, A.: IP = PSPACE. J. ACM 39(4), 869–877 (1992)
  51. Sahai, A., Vadhan, S.: A complete problem for statistical zero knowledge. J. ACM 50(2), 196–249 (2003)
  52. Vadhan, S.P.: Pseudorandomness. Found. Trends Theor. Comput. Sci. 7(1–3), 1–336 (2012)
  53. Yu, Yu., Gu, D., Li, X., Weng, J.: The randomized iterate, revisited: almost linear seed length PRGs from a broader class of one-way functions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 7–35. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_2


Acknowledgments

We thank an anonymous TCC reviewer for pointing out that our techniques fall outside the scope of the Holenstein-Renner [HR05] black-box model (see Remark 1.4).

Inbar Kaslasi and Ron Rothblum were supported in part by a Milgrom family grant, by the Israeli Science Foundation (Grants No. 1262/18 and 2137/19), and the Technion Hiroshi Fujiwara cyber security research center and Israel cyber directorate.

Guy Rothblum has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No. 819702).

Adam Sealfon was a PhD student at MIT for part of the duration of this project, and was supported in part by NSF CNS-1413920, Sloan/NJIT 996698, MIT/IBM W1771646, and NSF CNS-1804794.

Prashant Vasudevan was supported in part by AFOSR Award FA9550-19-1-0200, AFOSR YIP Award, NSF CNS Award 1936826, DARPA and SPAWAR under contract N66001-15-C-4065, a Hellman Award and research grants by the Okawa Foundation, Visa Inc., and Center for Long-Term Cybersecurity (CLTC, UC Berkeley). The views expressed are those of the authors and do not reflect the official policy or position of the funding agencies.

Author information

Corresponding author: Inbar Kaslasi.


Copyright information

© 2020 International Association for Cryptologic Research

About this paper


Cite this paper

Kaslasi, I., Rothblum, G.N., Rothblum, R.D., Sealfon, A., Vasudevan, P.N. (2020). Batch Verification for Statistical Zero Knowledge Proofs. In: Pass, R., Pietrzak, K. (eds) Theory of Cryptography. TCC 2020. Lecture Notes in Computer Science(), vol 12551. Springer, Cham. https://doi.org/10.1007/978-3-030-64378-2_6


  • DOI: https://doi.org/10.1007/978-3-030-64378-2_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64377-5

  • Online ISBN: 978-3-030-64378-2
