Paper 2016/519

On the Relationship between Statistical Zero-Knowledge and Statistical Randomized Encodings

Benny Applebaum and Pavel Raykov

Abstract

\emph{Statistical Zero-knowledge proofs} (Goldwasser, Micali and Rackoff, SICOMP 1989) allow a computationally-unbounded server to convince a computationally-limited client that an input $x$ is in a language $\Pi$ without revealing any additional information about $x$ that the client cannot compute by herself. \emph{Randomized encoding} (RE) of functions (Ishai and Kushilevitz, FOCS 2000) allows a computationally-limited client to publish a single (randomized) message, $\enc(x)$, from which the server learns whether $x$ is in $\Pi$ and nothing else. It is known that $SRE$, the class of problems that admit statistically private randomized encoding with polynomial-time client and computationally-unbounded server, is contained in the class $SZK$ of problems that have statistical zero-knowledge proof. However, the exact relation between these two classes, and, in particular, the possibility of equivalence was left as an open problem. In this paper, we explore the relationship between $\SRE$ and $\SZK$, and derive the following results: * In a non-uniform setting, statistical randomized encoding with one-side privacy ($1RE$) is equivalent to non-interactive statistical zero-knowledge ($NISZK$). These variants were studied in the past as natural relaxation/strengthening of the original notions. Our theorem shows that proving $SRE=SZK$ is equivalent to showing that $1RE=RE$ and $SZK=NISZK$. The latter is a well-known open problem (Goldreich, Sahai, Vadhan, CRYPTO 1999). * If $SRE$ is non-trivial (not in $BPP$), then infinitely-often one-way functions exist. The analog hypothesis for $SZK$ yields only \emph{auxiliary-input} one-way functions (Ostrovsky, Structure in Complexity Theory, 1991), which is believed to be a significantly weaker implication. * If there exists an average-case hard language with \emph{perfect randomized encoding}, then collision-resistance hash functions (CRH) exist. Again, a similar assumption for $SZK$ implies only constant-round statistically-hiding commitments, a primitive which seems weaker than CRH. We believe that our results sharpen the relationship between $SRE$ and $SZK$ and illuminates the core differences between these two classes.

Metadata
Available format(s)
PDF
Publication info
Published by the IACR in CRYPTO 2016
Keywords
CryptographyComplexityStatsitical Zero KnowldgeRandomized Encodings
Contact author(s)
raykov pavel @ gmail com
benny applebaum @ gmail com
History
2016-05-29: received
Short URL
https://ia.cr/2016/519
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/519,
      author = {Benny Applebaum and Pavel Raykov},
      title = {On the Relationship between Statistical Zero-Knowledge and Statistical Randomized Encodings},
      howpublished = {Cryptology ePrint Archive, Paper 2016/519},
      year = {2016},
      note = {\url{https://eprint.iacr.org/2016/519}},
      url = {https://eprint.iacr.org/2016/519}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.