1 Introduction

Consider a “computationally-weak” client, Alice, which holds an input \(x\in {\{0,1\}}^n\) to a language, or promise problem, \(\varPi \) which is beyond her computational power. We will be interested in the following two related scenarios.

  • Alice contacts a computationally-strong server Bob, and asks him to prove that x is a yes-instance of \(\varPi \). The server wishes to do so without revealing any additional information about x that Alice cannot compute by herself. That is, we are interested in an interactive proof system in which, for every yes-instance, the client is able to simulate her view without any interaction with the server.

  • Alice would like to send to the server Bob a single (randomized) message \(\mathsf {Enc} (x)\) which allows Bob to tell whether x is a yes-instance or a no-instance but hides any other information about x. That is, the message \(\mathsf {Enc} (x)\) should be private in the sense that all yes-instances (resp., no-instances) are mapped by \(\mathsf {Enc} (x)\) to the same universal yes-distribution \(\mathsf {Sim} _{\textsc {yes}}\) (resp., no-distribution \(\mathsf {Sim} _{\textsc {no}}\)); In addition, \(\mathsf {Enc} (x)\) should be correct (i.e., it should be possible to decode membership in \(\varPi \)) and so the yes-distribution is required to be statistically-far from the no-distribution.

The first setting is captured by the notion of zero-knowledge (ZK) proofs introduced in [GMR89], while the second is captured by the notion of randomized encoding (RE) of functions [IK00, AIK04]. In this paper, we model the client as a polynomial-time machine, the server as a computationally-unbounded party, and ask for information-theoretic security. Problems that admit such statistical zero-knowledge proofs (resp., such statistical randomized encodings) give rise to the complexity class \(\mathcal {SZK} \) (resp., \(\mathcal {SRE} \)).

The class \(\mathcal {SZK} \) and its variants were extensively studied and we have relatively rich insights about its power and structure, including non-trivial upper-bounds (e.g., \(\mathcal {SZK} \subseteq {\mathcal {AM}} \cap \text {co-}{\mathcal {AM}}\) [AH87]), complete problems [SV03, GV99], and closure properties [Oka00, Vad99]. Unfortunately, the status of \(\mathcal {SRE} \) is very different. Although randomized encodings are extensively used in cryptography (see the surveys [App11, Ish13]), the class \(\mathcal {SRE} \) was left relatively unexplored. The main known result (observed in [App14]) is that

$$\begin{aligned} \mathcal {SRE} \subseteq \mathcal {SZK}. \end{aligned}$$

That is, a statistical randomized encoding for a problem \(\varPi \) can be transformed into a statistical zero knowledge proof system for the same problem. The exact relation between \(\mathcal {SRE} \) and \(\mathcal {SZK} \), and, in particular, the intriguing possibility that these two classes are actually equivalent, was left as an open problem. This question was recently addressed by Agrawal et al. [AIKP15], who provided an oracle separation between the two classes, in addition to candidates for problems in \(\mathcal {SRE} \) that are not solvable in (non-uniform) polynomial-time. As usual, an oracle separation tells us that equivalence cannot be established via relativizing techniques, and so it essentially addresses the proof of equivalence (or technical barriers against it). However, such separations tell us very little about the statement itself (\(\mathcal {SRE} = \mathcal {SZK} \)) and its potential implications for the landscape of computational complexity.

1.1 Our Results

In this paper, we continue the complexity theoretic study of \(\mathcal {SRE} \), as advocated by [AIKP15], and further explore the exact relationship between \(\mathcal {SRE} \) and \(\mathcal {SZK} \). We study variants of these classes, prove their equivalence, and sharpen the difference between \(\mathcal {SRE} \) and \(\mathcal {SZK} \). We also point out several interesting complexity-theoretic implications of an equivalence between \(\mathcal {SRE} \) and \(\mathcal {SZK} \). Overall, we believe that our results shed light on the causes for which \(\mathcal {SZK} \) is (seemingly) more powerful than \(\mathcal {SRE} \).

Non-interactive ZK is Equivalent to Semi-private RE. Zero-knowledge proofs differ from randomized encodings in many aspects. Most notably, the flow of information is reversed (Server-to-Client for ZK-proofs vs. Client-to-Server for encodings). Let us ignore this major difference and focus on two seemingly less important syntactic differences. First, recall that REs are non-interactive while zero-knowledge proofs are allowed to use interaction. Secondly, the privacy condition of REs should hold for both yes- and no-instances, whereas the ZK condition is defined only with respect to yes-instances. In an attempt to make a “fair” comparison between these two notions, we consider non-interactive zero-knowledge proofs (\(\mathsf {NISZK} \)) [BFM88] and statistical randomized encoding with one-sided privacy (\(\mathsf {1RE} \)) [AIK04, AIK15].

The \(\mathsf {NISZK} \) model, introduced by Blum et al. [BFM88], restricts the prover to send a single message to the verifier at the expense of allowing the parties to share a common reference string that was pre-sampled by a trusted (efficient) dealer. The notion of statistical randomized encoding with one-sided privacy was introduced by Applebaum et al. [AIK04] (under the term semi-private encoding) as a relaxation of REs in which the privacy condition should hold only for yes-instances.

We show that the corresponding complexity classes \(\mathcal {NISZK} ^\textsc {pub}\) and \(\textit{1}\mathcal {RE} \) are essentially equivalent.

Theorem 1

It holds that \(\mathcal {NISZK} ^\textsc {pub}\subseteq \textit{1}\mathcal {RE} \) and, in the non-uniform setting, \(\textit{1}\mathcal {RE} \subseteq \mathcal {NISZK} ^\textsc {pub}\).

The “non-uniform” setting refers to the case where all efficient entities (the client, the dealer, and the RE/SZK simulators) are modeled by polynomial-size circuits. The theorem shows that, non-uniformly, the class \(\mathcal {NISZK} ^\textsc {pub}\) is equivalent to the class \(\textit{1}\mathcal {RE} \). It is known that \(\mathcal {NISZK} ^\textsc {pub}\subseteq \mathcal {SZK} \) [PS05] and, by definition, we have that \(\mathcal {SRE} \subseteq \textit{1}\mathcal {RE} \). Hence, together with Theorem 1, we derive the following interesting picture (in the non-uniform setting):

$$\begin{aligned} \mathcal {SRE} \subseteq \textit{1}\mathcal {RE} = \mathcal {NISZK} ^\textsc {pub}\subseteq \mathcal {SZK}. \end{aligned}$$

Note that if \(\mathcal {SZK} \) collapses to \(\mathcal {SRE} \) then all intermediate classes also collapse. This means that the question of putting \(\mathcal {SZK} \) inside \(\mathcal {SRE} \) boils down to two separate questions: “Can statistical zero-knowledge be made non-interactive?” (\(\mathcal {NISZK} ^\textsc {pub}= \mathcal {SZK} \)?) and “Can one-sided privacy be upgraded to full privacy?” (\(\mathcal {SRE} = \textit{1}\mathcal {RE} \)?). Nicely, each of these well-motivated questions is “pure” in the sense that it only addresses one object (either randomized encoding or zero-knowledge proofs). We further mention that the first question (\(\mathcal {NISZK} = \mathcal {SZK} \)?) is a well-known open problem that was studied before by [GSV99].

Consequences of Randomized Encoding for Intractable Problems. Another way to compare \(\mathcal {SZK} \) to \(\mathcal {SRE} \) is by asking what are the consequences of the existence of computationally-intractable problems in the class. For example, the following theorem was proven by Ostrovsky.

Theorem 2

[Ost91]. If \(\mathcal {SZK} \) is not in \(\mathcal {BPP} \), then auxiliary-input one-way functions exist.

Auxiliary-input one-way functions (ai-OWF) are keyed functions that achieve a very weak form of one-wayness. Roughly speaking, for each adversary there exists a set of hard keys on which the adversary fails to invert the function. (See [Gol01] for definition.) However, it may be the case that there is no universal set of keys which is simultaneously hard for all efficient adversaries.

For \(\mathcal {SRE} \) we prove (Sect. 6) the following stronger implication:

Theorem 3

If \(\mathcal {SRE} \) is not in \(\mathcal {BPP} \), then infinitely-often one-way functions exist.

Infinitely-often one-way functions (io-OWFs) are essentially standard one-way functions except that their hardness holds over a (universal) set of infinitely many input lengths. This notion is considered to be significantly stronger than ai-OWFs. For example, while it is possible to construct ai-OWFs based on the worst-case hardness of graph-isomorphism (GI), it is unknown how to obtain io-OWF from such an assumption. By Theorem 3, such a GI-based io-OWF would follow from the equivalence of \(\mathcal {SZK} \) and \(\mathcal {SRE} \). More generally, a proof of such an equivalence would allow us to base io-OWFs on worst-case hardness in \(\mathcal {SZK} \) improving the 25-year old classical result of [Ost91].

Theorem 3 also explains why all the candidates of Agrawal et al. [AIKP15] for computationally-hard problems in \(\mathcal {SRE} \) imply the existence of one-way functions: such an assumption is inherently necessary to separate \(\mathcal {SRE} \) from \(\mathcal {BPP} \).

We can further ask what are the implications of an average-case hard problem in these complexity classes. Roughly speaking, a promise problem \(\varPi \) is average-case hard if it is equipped with a probability distribution D such that no efficient algorithm can classify correctly an instance x sampled from D with probability significantly better than 1/2. Ostrovsky’s result can be used to prove that the existence of an average-case hard language in \(\mathcal {SZK} \) implies the existence of a one-way function. The following (stronger) theorem is implicit in the work of Ong and Vadhan [OV08].

Theorem 4

(implicit in [OV08]). If there exists an average-case hard language in \(\mathcal {SZK} \) then constant-round statistically-hiding commitments (CRSC) exist.

As a general primitive, CRSC implies the existence of one-way functions, and is believed to be strictly stronger due to the black-box separation of [HHRS15]. We derive a stronger implication if we have a randomized encoding for an average-case hard problem. Specifically, we consider the class \(\mathcal {PRE} \) of problems that admit a perfect randomized encoding [AIK04] – a stronger variant of \(\mathcal {SRE} \) which achieves perfect correctness (zero decoding error), perfect privacy (the simulators perfectly simulate the encoding) and enjoys some additional syntactic properties. (See Sect. 4 for a formal definition.)

Theorem 5

If there exists an average-case hard language in \(\mathcal {PRE} \) then collision-resistant hash functions (CRH) exist.

The proof of the theorem is sketched in Sect. 7. CRH imply CRSC but the converse is not known to be true. Hence, this implication is seemingly stronger than the one proven in [OV08]. Extending this theorem to the case of \(\mathcal {SRE} \) is left as an interesting open problem.

2 Our Techniques

Let us outline the main ideas behind the proofs of Theorems 1, 3 and 5.

Proof of Theorem 1. We begin with the equivalence of \(\textit{1}\mathcal {RE} \) and \(\mathcal {NISZK} ^\textsc {pub}\). It is instructive to note that all the complexity classes \(\mathcal {SZK}, \mathcal {NISZK}, \textit{1}\mathcal {RE} \) and \(\mathcal {SRE} \) essentially capture different variants of “statistical-distance” problems. Indeed, as we already saw, for an \(\mathcal {SRE} \)-problem \(\varPi \), the membership of x boils down to determining whether the distribution \(\mathsf {Enc} (x)\) is close to one of two distributions \(\mathsf {Sim} _{\textsc {yes}}\) and \(\mathsf {Sim} _{\textsc {no}}\) which are statistically-far apart from each other. Notably, these distributions are universal: they depend only on the problem \(\varPi \) (and not on the input x). The work of [SV03] also shows that, for any \(\mathcal {SZK} \)-problem \(\varPi \), there exists an efficient mapping from an instance x to a pair of distributions \((A_x,B_x)\) which are statistically-close if x is a yes-instance and statistically-far otherwise. However, in contrast to the case of SREs, the distributions \((A_x,B_x)\) are instance-dependent. In particular, two different yes-instances x and \(x'\) may be mapped to completely different pairs of distributions \((A_x,B_x)\) and \((A_{x'},B_{x'})\).

In the intermediate notion of \(\mathcal {NISZK} \), one of the distributions, say B, corresponds to the dealer’s distribution and so it becomes universal [SCPY98, GSV99]. Correspondingly, all yes-instances x are mapped to this single universal distribution, i.e., \(A_x\approx B\). (\(A_x\) essentially corresponds to the simulated version of the public parameter.) For no-instances, the distribution \(A_x\) may be instance-dependent. Similarly, for \(\textit{1}\mathcal {RE} \), only yes-instances are mapped by \(\mathsf {Enc} (x)\) to some universal yes-distribution \(\mathsf {Sim} _{\textsc {yes}}\), whereas the encoding \(\mathsf {Enc} (x)\) of a no-instance may be instance-dependent. Overall, the privacy properties of \(\textit{1}\mathcal {RE} \) and the zero-knowledge properties of \(\mathcal {NISZK} \) match nicely. Still, there is one technical difference with respect to the requirements on the distributions of no-instances.

In \(\textit{1}\mathcal {RE} \), correctness requires the existence of a single decoder that distinguishes between the yes-distribution \(\mathsf {Sim} _{\textsc {yes}}\) and all possible no-distributions \(\{\mathsf {Enc} (x)\}_{x\,\in \,\varPi _{\textsc {no}}}\). This means that \(\mathsf {Sim} _{\textsc {yes}}\) is “universally-far” from all the no-distributions. In contrast, the soundness property of \(\mathcal {NISZK} \) requires every no-distribution \(A_x\) to be “disjoint” from B in the following sense: A random sample from the universal distribution \(b\mathop {\leftarrow }\limits ^{R}B\) should fall, with high probability, outside the support of \(A_x\). To prove Theorem 1 we should be able to move from “universal-farness” to “disjointness” and vice versa. While it is relatively straightforward to convert disjointness to universal-farness (e.g., via parallel repetition), the converse direction requires some work.

As a concrete (and somewhat simplified) example, imagine the case where we have a single pair of distributions X and Y, where X outputs, with probability \(1-\varepsilon \), a random n-bit string whose first bit is 1, and, with probability \(\varepsilon \), a random n-bit string whose first bit is 0. Assume that Y does exactly the opposite. These distributions are \((1-2\varepsilon )\)-far in statistical distance, but they do not satisfy the disjointness property as their supports are equal. The key observation is that a typical value \(y\mathop {\leftarrow }\limits ^{R}Y\) has much larger weight under Y than under X. When these distributions are implemented by circuits that use m random bits as inputs, this means that the set of preimages \(Y^{-1}(y)\) is likely to be significantly larger than the set \(X^{-1}(y)\). In other words, the entropy \(e_1\) of the conditional distribution \([r|Y(r)=y]\) is larger than the entropy \(e_2\) of the conditional distribution \([r|X(r)=y]\). Following the approach of [GSV99], we can make these distributions disjoint by hashing out about e random bits from r, for \(e_2 \ll e \ll e_1\), and appending the result h(r) to the output. That is, we define a pair of new distributions by \(X'=(X(r),h, h(r))\) and \(Y'=(Y(r),h,h(r))\) where h is sampled from a 2-universal family of hash functions. One can now show that for a typical \(y\mathop {\leftarrow }\limits ^{R}Y\) (and most h’s), the conditional distribution \([h(r)|Y(r)=y]\) is almost uniform, whereas the conditional distribution \([h(r)|X(r)=y]\) has small support. This means that a random sample from \(Y'\) is likely to land outside the support of \(X'\), as required.
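The hashing step above can be checked by exhaustive computation on a small instance. The following Python simulation is an added example, not code from the paper: it implements this X/Y example with constructed toy parameters (the rare event is realised as “the top T coins are all zero”, so \(\varepsilon = 2^{-T}\), and outputs are n bits), draws h from the affine family \(h(r) = Mr \oplus c\) over GF(2), which is 2-universal, and enumerates all m coin strings, so the statistical distance, the preimage sizes \(|Y^{-1}(y)|\), \(|X^{-1}(y)|\) and the probability that a sample of \(Y'\) lands inside the support of \(X'\) are computed exactly for each sampled h. All function and parameter names are my own.

```python
import random
from collections import Counter

# Constructed toy parameters (assumptions, not values from the paper): outputs are
# N_OUT bits, the rare event has probability EPS = 2^-T, and both circuits use
# M_COINS = T + (N_OUT - 1) random bits r, held as an M_COINS-bit integer.
N_OUT = 5
T = 8
M_COINS = T + (N_OUT - 1)
EPS = 2.0 ** -T
ALL_COINS = range(1 << M_COINS)


def rare_event(r):
    """True iff the top T coins of r are all zero (probability 2^-T)."""
    return (r >> (N_OUT - 1)) == 0


def circuit_x(r):
    """X: a random N_OUT-bit string whose first bit is 1, except on the rare event."""
    first = 0 if rare_event(r) else 1
    return (first << (N_OUT - 1)) | (r & ((1 << (N_OUT - 1)) - 1))


def circuit_y(r):
    """Y: the opposite of X, first bit 0 except on the rare event."""
    first = 1 if rare_event(r) else 0
    return (first << (N_OUT - 1)) | (r & ((1 << (N_OUT - 1)) - 1))


def output_distribution(circ):
    counts = Counter(circ(r) for r in ALL_COINS)
    return {z: c / len(ALL_COINS) for z, c in counts.items()}


def statistical_distance(circ_a, circ_b):
    """Delta(A ; B) = 1/2 * sum_z |Pr[A = z] - Pr[B = z]|, computed exactly."""
    pa, pb = output_distribution(circ_a), output_distribution(circ_b)
    return 0.5 * sum(abs(pa.get(z, 0.0) - pb.get(z, 0.0)) for z in set(pa) | set(pb))


def preimage_count(circ, z):
    """|circ^{-1}(z)|; its log is the entropy of [r | circ(r) = z], which is uniform."""
    return sum(1 for r in ALL_COINS if circ(r) == z)


def sample_hash(e, rng):
    """h(r) = M r xor c over GF(2) with M a random e x M_COINS matrix: a 2-universal family."""
    rows = [rng.getrandbits(M_COINS) for _ in range(e)]
    return rows, rng.getrandbits(e)


def apply_hash(h, r):
    rows, c = h
    out = 0
    for i, row in enumerate(rows):
        out |= (bin(row & r).count("1") & 1) << i   # <row, r> over GF(2)
    return out ^ c


def support_overlap(circ_a, circ_b, h=None):
    """Pr_r[ B'(r) in supp(A') ] with A'(r) = (A(r), h(r)); with h=None it is plain A, B."""
    def view(circ, r):
        return (circ(r), apply_hash(h, r)) if h is not None else circ(r)
    supp_a = {view(circ_a, r) for r in ALL_COINS}
    hits = sum(1 for r in ALL_COINS if view(circ_b, r) in supp_a)
    return hits / len(ALL_COINS)


def average_overlap_after_hashing(e, trials=10, seed=1):
    """Average over sampled h of Pr[ Y' lands inside supp(X') ] when e bits are hashed out."""
    rng = random.Random(seed)
    total = sum(support_overlap(circuit_x, circuit_y, sample_hash(e, rng)) for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    y0 = 0  # first bit 0: a typical output of Y
    print("Delta(X;Y) =", statistical_distance(circuit_x, circuit_y), "expected", 1 - 2 * EPS)
    print("|Y^-1(y0)| =", preimage_count(circuit_y, y0), " |X^-1(y0)| =", preimage_count(circuit_x, y0))
    print("overlap before hashing:", support_overlap(circuit_x, circuit_y))
    print("overlap after hashing out 4 bits:", average_overlap_after_hashing(4))
```

With these parameters \(e_1 \approx \log 255 \approx 8\) and \(e_2 = 0\), so hashing out \(e = 4\) bits sits strictly between them: before hashing the supports coincide (overlap 1), and afterwards a sample of \(Y'\) lies in the support of \(X'\) only when the rare event occurs or h collides on the unique X-preimage, roughly \(\varepsilon + 2^{-e}\).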

The actual construction introduces some additional technicalities. Most notably, it requires an estimate of the amount of entropy of the distribution which is sampled by \(\mathsf {Sim} _{\textsc {yes}}\), the simulator of the original encoding. We overcome this problem by treating this value as non-uniform advice. We note that this advice is short (of logarithmic length) and so one may hope to simply try all possible values. The problem is that some of these values will violate the zero-knowledge property, while others would violate soundness. Unfortunately, we do not know how to “combine” several faulty \(\mathsf {NISZK}\) protocols into a single good protocol. The question of finding a way around this problem and achieving a fully uniform reduction is left for future research.

Proof of Theorem 3. Recall that Theorem 3 asserts that if infinitely-often one-way functions do not exist, then any language \(\varPi \) in \(\mathcal {SRE} \) can be decided by some \(\mathcal {BPP} \) algorithm A. The proof is based on the following observation: Given an instance x, one can probabilistically decide if \(x\in \varPi \) by first sampling an encoding \(y=\mathsf {Enc} (x)\), and then outputting “yes” if the weight of y under the distribution \(\mathsf {Sim} _\textsc {yes}\) is larger than its weight under \(\mathsf {Sim} _\textsc {no}\). Note that the latter problem can be reduced to the following “distributional inversion” problem. Define the function

$$ g(r,b)= {\left\{ \begin{array}{ll} \mathsf {Sim} _\textsc {no}(r), \text { if } b=0,\\ \mathsf {Sim} _{\textsc {yes}}(r), \text { if } b=1;\end{array}\right. }$$

sample a random preimage (r, b) of y under g, and output the bit b. (I.e., when \(b=0\) the instance x is classified as a no-instance, and if \(b=1\) then x is classified as a yes-instance.) It can be shown, based on the privacy and the correctness guarantees of the encoding, that b is likely to classify x correctly. By the results of Impagliazzo and Luby [IL89], the distributional inversion problem can be efficiently solved (up to a small, inverse-polynomial, deviation error), assuming that infinitely-often one-way functions do not exist.

It is instructive to compare the above to the \(\mathsf {SZK} \) setting. The RE simulators give rise to a universal function g (independent of the instance x) whose inversion is as hard as deciding \(\varPi \). In contrast, in the \(\mathsf {SZK} \) setting, the corresponding distributions depend on x, and so deciding \(x\in \varPi \) reduces to inverting an instance-dependent function \(g_x\). Correspondingly, the intractability of \(\varPi \) yields only auxiliary-input one-way functions.

Proof of Theorem 5. In Theorem 5 we show that if an average-case hard language \(\varPi \) admits a perfect RE then CRH exist. The notion of perfect encoding guarantees that the image of the encoder \(\mathsf {Enc} \) can be partitioned into two equal-size sets Y and N and that for any yes-instance (resp., no-instance) x, the mapping \(\mathsf {Enc} (x;r)\) is a bijection from the randomness space to Y (resp., N). Similarly both simulators, \(\mathsf {Sim} _{\textsc {yes}}(r)\) and \(\mathsf {Sim} _{\textsc {no}}(r)\), form a bijective mapping from the randomness space to Y and N, respectively. Let us define a pair of functions, keyed by instances x, y,

$$\begin{aligned} h^0_x(r,b)= {\left\{ \begin{array}{ll} g(x;r), & \text{if } b=0,\\ \mathsf {Sim} _{\textsc {no}}(r), & \text{otherwise;}\end{array}\right. } \qquad h_y^1(r,b)= {\left\{ \begin{array}{ll} g(y;r), & \text{if } b=0,\\ \mathsf {Sim} _{\textsc {yes}}(r), & \text{otherwise.}\end{array}\right. } \end{aligned}$$

Since the encoding is perfect, \(h^0_x\) and \(h^1_y\) are permutations if x is a yes-instance and y is a no-instance; on the other hand, if x is a no-instance and y is a yes-instance the images of the functions are disjoint. Suppose that there exists an efficiently samplable distribution \(\mathcal {Y}\) over yes-instances which is indistinguishable from some efficiently samplable distribution \(\mathcal {N}\) over no-instances. Then, we can sample a pair of yes/no instances \((x,y)\mathop {\leftarrow }\limits ^{R}\mathcal {Y}\times \mathcal {N}\) which is indistinguishable from a pair of no/yes instances \((x',y')\mathop {\leftarrow }\limits ^{R}\mathcal {N}\times \mathcal {Y}\). This means that, although the functions \(h^0_x,h^1_y\) are permutations with identical images, it is computationally hard to find a pair (u, v) which forms a “claw”, i.e., \(h^0_x(u)=h^1_y(v)\). (Indeed, a claw-finder can be used to distinguish (x, y) from \((x',y')\), since no claw exists for the latter pair.) Such claw-free permutations [Dam87, GMR88] imply the existence of CRH. The argument extends to the case where there exists only a single “hard” distribution over yes/no instances of \(\varPi \) (as opposed to a pair of “pure” distributions). In this case, we get claw-free pseudo-permutations [Rus95], whose existence still implies CRH.

2.1 A Broader Perspective

So far we emphasized the differences between \(\mathcal {SRE} \) and \(\mathcal {SZK} \); from a broader point of view, however, our results may be interpreted as saying that the two classes are actually close variants of each other. This is similar in spirit to a recent result [AR16] that reveals a close connection between private simultaneous message protocols (PSM) [FKN94] and Zero-Information Arthur-Merlin (ZAM) protocols [GPW15]. PSMs and ZAMs can be viewed as the communication-complexity analog of Randomized Encodings and Zero-Knowledge proofs, where instead of limiting the computational power of the client, we split it into two non-communicating (computationally-unbounded) parties Alice and Bob, each holding a different part of the input \(x=(x_A,x_B)\). It is shown in [AR16] that the communication complexity of ZAM protocols is closely related to the randomness complexity of (variants of) PSMs, and vice versa. This is conceptually similar to some of the current results (e.g., \(\textit{1}\mathcal {RE} = \mathcal {NISZK} ^\textsc {pub}\)), though the computational setting introduces different technical challenges, and correspondingly it requires a significantly different approach.

Organization. We begin with some standard preliminaries in Sect. 3. In Sect. 4 we provide formal definitions of statistical zero knowledge proofs, statistical randomized encoding and their variants. Theorem 1 is proved in Sect. 5, Theorem 3 in Sect. 6 and Theorem 5 in Sect. 7.

3 Preliminaries

Basic Definitions. For a finite set S, let \(s \mathop {\leftarrow }\limits ^{R}S\) denote an element that is sampled uniformly at random from S, and let U(S) denote the corresponding random variable. The uniform distribution over n-bit strings is denoted by \(U_n\). The support of a random variable X is the set \({ \text{ supp }}(X) := \{x\ |\ \Pr [X = x] > 0\}\). The Shannon entropy of X is \(H(X) := -\sum _z \Pr [X = z] \log \Pr [X = z].\) For a distribution D, we let \(\otimes ^k D\) be the probability distribution over k-tuples where each element is sampled independently according to D. Similarly, for a randomized algorithm F(x), we let \(\otimes ^k F(x)\) be a k-tuple of k independent samples of F(x). We sometimes make the coins of a randomized algorithm F explicit by writing F(x; r) where \(r\mathop {\leftarrow }\limits ^{R}U_{s(x)}\) denotes the random coins used on an input x and s(x) denotes the randomness complexity of F on an input x, which, by default, is assumed to solely depend on the length of x.

Statistical Distance. The statistical distance between a pair of random variables X and Y distributed over the set Z is defined as

$$\begin{aligned} {\Delta }(X ; Y) := \frac{1}{2}\sum _{z\,\in \,Z} \left| {\Pr [X = z] - \Pr [Y=z]}\right| . \end{aligned}$$

Equivalently, \({\Delta }(X ; Y)= \max _A \left| {\Pr [A(X)=1]-\Pr [A(Y)=1]}\right| \) where the maximum ranges over all Boolean functions \(A:Z\rightarrow {\{0,1\}}\). We write

$$\begin{aligned} \mathop {\Delta }\limits _{x_1 \mathop {\leftarrow }\limits ^{R}D_1, \ldots , x_k \mathop {\leftarrow }\limits ^{R}D_k}(F(x_1,\ldots ,x_k) ; G(x_1,\ldots ,x_k)) \end{aligned}$$

to denote the statistical distance between two random variables obtained as a result of sampling \(x_i\)’s from \(D_i\)’s and applying the functions F and G to \((x_1,\ldots ,x_k)\), respectively. We will use the following properties of statistical distance and entropy.

Fact 1

Let X and Y be a pair of random variables. Then the following holds:

  1. [Vad99, Fact 3.2.2] For every (possibly randomized) function F, we have that \({\Delta }(F(X);F(Y)) \le {\Delta }(X;Y)\).

  2. [Vad99, Fact 3.3.9] Let D be the range of X and Y, then \(\left| {H(X) - H(Y)}\right| \le (\log |D|) \cdot {\Delta }(X;Y) + 1.\)

  3. [Vad99, Lemma 3.1.15] For any integer \(q>0\), we have that \(1-2\exp (-q ({\Delta }(X;Y))^2 /2) \le {\Delta }(\otimes ^q X; \otimes ^q Y) \le q {\Delta }(X;Y).\)

  4. [SV03, Fact 2.5] Suppose that \(X = (X_1,X_2)\) and \(Y = (Y_1,Y_2)\) are distributed over a set \(D \times E\) such that: (a) \(X_1\) and \(Y_1\) are identically distributed; and (b) with probability greater than \(1-\varepsilon \) over \(x \mathop {\leftarrow }\limits ^{R}X_1\), we have \({\Delta }(X_2|_{X_1\,=\,x},Y_2|_{Y_1\,=\,x})\le \delta \). Then \({\Delta }(X,Y)\le \varepsilon + \delta \).

  5. (cf. Appendix A.1) If \({\Delta }(X;Y) \ge 1 - \varepsilon \), then, for any \(t > 1\), it holds that \(\Pr _{x \mathop {\leftarrow }\limits ^{R}X}[\Pr [X = x] < t \cdot \Pr [Y = x]] \le \varepsilon t\).

Flattening. We will use the following notion of \(\varDelta \)-flat distributions from [GSV99].

Definition 1

(Flat Distributions). Let X be a distribution. An element x of \({ \text{ supp }}(X)\) is called \(\varepsilon \)-typical if \(\left| {\log (1/\Pr [X = x]) - H(X)}\right| \le \varepsilon \). We say that X is \(\varDelta \)-flat if for every \(t > 0\) the probability that an element chosen from X is \((t \cdot \varDelta )\)-typical is at least \(1 - 2^{-t^2+1}\).

A 0-flat distribution is uniform on its support, and is simply referred to as a flat distribution. A natural way to flatten a distribution is via parallel repetition.

Lemma 1

(Flattening Lemma [Vad99, GSV99]). Let D be a distribution such that for all x from \({ \text{ supp }}(D)\) we have that \(D(x) \ge 2^{-m}\). Then, for any \(k \in \mathbb {N} \), the distribution \(\otimes ^k D\) is \((\sqrt{k} \cdot m)\)-flat.
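Both the parallel-repetition bound of Fact 1(3) and the flatness notion of Definition 1 / Lemma 1 concern the product distribution \(\otimes ^k D\), and on small alphabets they can be evaluated exactly. The Python below is an added example (not code from the paper) that enumerates \(\otimes ^k D\) for constructed toy distributions, computes the \(\varepsilon \)-typical mass from the definition, and compares it with the \(1 - 2^{-t^2+1}\) guarantee of Lemma 1 with \(\varDelta = \sqrt{k}\cdot m\); it also computes \({\Delta }(\otimes ^k P;\otimes ^k Q)\) exactly and checks it against both sides of Fact 1(3). The distributions D, P, Q, the constant M_LOG and all function names are assumptions of the example.

```python
import math
from itertools import product

# Constructed toy distributions (assumptions, not from the paper), given as dicts.
D = {"a": 0.5, "b": 0.25, "c": 0.25}   # every atom has D(x) >= 2^-M_LOG, as Lemma 1 needs
M_LOG = 2
P = {0: 0.9, 1: 0.1}                     # a pair of binary distributions for Fact 1(3)
Q = {0: 0.4, 1: 0.6}


def entropy(p):
    """Shannon entropy H(p) in bits."""
    return -sum(q * math.log2(q) for q in p.values() if q > 0)


def product_dist(p, k):
    """The k-fold product distribution (x)^k p, enumerated exactly (|alphabet|^k entries)."""
    return {t: math.prod(p[s] for s in t) for t in product(p, repeat=k)}


def stat_dist(p, q):
    """Delta(p ; q) = 1/2 * sum_z |p(z) - q(z)|."""
    return 0.5 * sum(abs(p.get(z, 0.0) - q.get(z, 0.0)) for z in set(p) | set(q))


def typical_mass(p, eps):
    """Pr_{x <- p}[ x is eps-typical ], i.e. |log(1/p(x)) - H(p)| <= eps (Definition 1)."""
    h = entropy(p)
    return sum(q for q in p.values() if abs(-math.log2(q) - h) <= eps + 1e-12)


def flatness_check(k, t):
    """Return (typical mass of (x)^k D at threshold t*Delta, Lemma 1's bound 1 - 2^(-t^2+1))
    where Delta = sqrt(k) * M_LOG; Lemma 1 promises the first is at least the second."""
    delta = math.sqrt(k) * M_LOG
    return typical_mass(product_dist(D, k), t * delta), 1 - 2 ** (-t * t + 1)


def repetition_bounds(p, q, k):
    """Return (lower bound, exact Delta((x)^k p ; (x)^k q), upper bound) as in Fact 1(3)."""
    d = stat_dist(p, q)
    dk = stat_dist(product_dist(p, k), product_dist(q, k))
    return 1 - 2 * math.exp(-k * d * d / 2), dk, k * d


if __name__ == "__main__":
    for k in (1, 3, 6):
        observed, bound = flatness_check(k, 0.5)
        print(f"k={k}: typical mass {observed:.4f}, Lemma 1 bound {bound:.4f}")
    lo, exact, hi = repetition_bounds(P, Q, 16)
    print(f"Fact 1(3) for k=16: {lo:.4f} <= {exact:.4f} <= {hi:.4f}")
```

For \(k = 6\) and \(t = 1/2\) the only atypical tuples of \(\otimes ^6 D\) are the all-“a” tuple and the tuples with no “a” at all, each of mass \(2^{-6}\), so the typical mass is \(62/64\); Lemma 1’s bound is vacuous at that t, which illustrates that the lemma is loose for small k and becomes informative only once \(t > 1\). For P and Q with \({\Delta }(P;Q) = 1/2\), sixteen repetitions already push the lower bound of Fact 1(3) to \(1 - 2e^{-2} \approx 0.73\).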

Hashing. A family \(\mathcal {H} \) of functions mapping a domain \(\mathcal {D} \) to a range \(\mathcal {R} \) is 2-universal [CW79] if for every two elements \(x \ne y\) from \(\mathcal {D} \) and a, b from \(\mathcal {R} \) it holds that \(\Pr _{h \mathop {\leftarrow }\limits ^{R}\mathcal {H}}[h(x)=a \wedge h(y)=b]= \frac{1}{|\mathcal {R} |^2}\). We write \(\mathcal {H} _{n,m}\) to denote a 2-universal family from \(\{0,1\}^n\) to \(\{0,1\}^m\). There are efficient constructions of 2-universal families of hash functions \(\mathcal {H} _{n,m}\) that can be evaluated and sampled in \({ \text{ poly }}(n,m)\) time [CW79].

Lemma 2

(Leftover Hash Lemma [ILL89, GSV99]). Let \(\mathcal {H} \) be a 2-universal family of hash functions mapping a domain \(\mathcal {D} \) to a range \(\mathcal {R} \). Let X be a flat distribution on \(\mathcal {D} \) such that for all \(x\,\in \,{ \text{ supp }}(X)\) we have that \(\Pr [X = x] \le \alpha /|\mathcal {R} |\). Then

$$\begin{aligned} \mathop {\Delta }\limits _{h \mathop {\leftarrow }\limits ^{R}\mathcal {H}}((h,h(X)) ; (h,U(\mathcal {R}))) \le O(\alpha ^{1/3}). \end{aligned}$$

Sampling Distributions via Circuits. Let X be a circuit with m input and n output gates. We will sometimes abuse notation and use X to denote the random variable \(X(U_m)\) which corresponds to the output distribution of the circuit induced by “feeding” it a uniformly chosen m-bit input. We let \(X^{-1}(x)\) denote the set of preimages of x under X, i.e., \(X^{-1}(x) := \{r \in \{0,1\}^m\ |\ X(r) = x\}\). Observe that \(\Pr [X = x] = 2^{-m} \cdot |X^{-1}(x)|\).

4 \(\mathcal {NISZK}\) and \(\mathcal {SRE}\)

A promise problem [ESY84] \(\varPi \) is a pair of two non-intersecting sets of strings \((\varPi _\textsc {yes},\varPi _\textsc {no})\). The strings in \(\varPi _\textsc {yes}\) are called yes-instances and the strings in \(\varPi _\textsc {no}\) are called no-instances. Let \(\chi _\varPi (x)\) be the characteristic function of \(\varPi \) which outputs 1 on yes-instances and 0 on no-instances. Note that a promise problem is a generalization of a language \(L \subseteq \{0,1\}^*\), i.e., L is translated into a promise problem \(\varPi _L\) where L corresponds to the set of yes-instances and \(\{0,1\}^* \setminus L\) corresponds to the set of no-instances. (See [Gol06] for a survey.)

Definition 2

(Statistical Randomized Encoding [IK00, AIK04]). We say that an efficient randomized algorithm \(\mathsf {Enc} \) is an \(\varepsilon \)-private and \(\delta \)-correct statistical randomized encoding of a promise problem \(\varPi =(\varPi _\textsc {yes},\varPi _\textsc {no})\) (abbreviated \((\varepsilon ,\delta )\)-\(\mathsf {SRE}\)), if the following holds:

  • \(\varepsilon \) -privacy for yes-instances: There exists an efficient simulator \(\mathsf {Sim} _\textsc {yes}\) such that for every yes-instance \(x_\textsc {yes}\) of length n from \(\varPi \),

    $$\begin{aligned} {\Delta }(\mathsf {Sim} _\textsc {yes}(1^n) ; \mathsf {Enc} (x_\textsc {yes})) \le \varepsilon (n). \end{aligned}$$
  • \(\varepsilon \) -privacy for no-instances: There exists an efficient simulator \(\mathsf {Sim} _\textsc {no}\), such that for every no-instance \(x_\textsc {no}\) of length n from \(\varPi \),

    $$\begin{aligned} {\Delta }(\mathsf {Sim} _\textsc {no}(1^n) ; \mathsf {Enc} (x_\textsc {no})) \le \varepsilon (n). \end{aligned}$$
  • \(\delta \) -correctness: There exists a computationally-unbounded decoder \(\mathsf {Dec}\), such that for every instance \(x\in (\varPi _\textsc {yes}\cup \varPi _\textsc {no})\) of length n,

    $$\begin{aligned} \Pr [\mathsf {Dec} (\mathsf {Enc} (x)) \ne \chi _{\varPi }(x)] \le \delta (n). \end{aligned}$$

By default, \(\varepsilon (n)\) and \(\delta (n)\) are required to be negligible functions.
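To make Definition 2 and the decision procedure sketched in the proof of Theorem 3 (Sect. 2) concrete, here is an added Python example; it is not code from the paper. It uses a constructed toy promise problem (yes-instances are the non-zero n-bit strings, the single no-instance is \(0^n\)) with the simple encoding \(\mathsf {Enc} (x;r) = (\langle r_1,x\rangle ,\ldots ,\langle r_k,x\rangle )\) over GF(2), whose simulators are \(\mathsf {Sim} _\textsc {yes} = U_k\) and \(\mathsf {Sim} _\textsc {no} = 0^k\): it computes \(\varepsilon \) and \(\delta \) exactly by enumerating all coins, then runs the Theorem 3 procedure (sample \(y = \mathsf {Enc} (x)\), draw a random preimage (r, b) of y under g, answer b) with a brute-force distributional inverter standing in for the [IL89] inverter. The problem itself is trivially decidable; the block only illustrates the definitions and the mechanics of the reduction. Names, sizes and the problem are assumptions of the example.

```python
import random
from collections import Counter, defaultdict
from itertools import product

# Constructed toy problem (an assumption, not from the paper): yes-instances are
# the non-zero N-bit strings, the only no-instance is 0^N.
N = 3            # instance length
K = 4            # parallel inner products; yes-instances decode wrongly with prob 2^-K
COINS = list(product(range(1 << N), repeat=K))   # r = (r_1, ..., r_K), each an N-bit mask


def is_yes(x):
    return x != 0


def inner(a, b):
    """Inner product of two bit-vectors over GF(2)."""
    return bin(a & b).count("1") & 1


def enc(x, r):
    """Enc(x; r) = (<r_1, x>, ..., <r_K, x>): K uniform bits if x != 0, and 0^K if x = 0."""
    return tuple(inner(ri, x) for ri in r)


def sim_yes(r):
    """Sim_yes(1^n): K uniform bits taken from the coins, independent of the instance."""
    return tuple(ri & 1 for ri in r)


def sim_no(r):
    return tuple(0 for _ in r)


def dec(y):
    """Decoder (efficient here; the definition only asks for an unbounded one)."""
    return 1 if any(y) else 0


def dist_of(fn):
    """Exact output distribution of fn over uniformly random coins."""
    counts = Counter(fn(r) for r in COINS)
    return {y: c / len(COINS) for y, c in counts.items()}


def stat_dist(p, q):
    return 0.5 * sum(abs(p.get(y, 0.0) - q.get(y, 0.0)) for y in set(p) | set(q))


def privacy_error(x):
    """Delta(Sim_b(1^n) ; Enc(x)) for the simulator of x's type: epsilon in Definition 2."""
    sim = sim_yes if is_yes(x) else sim_no
    return stat_dist(dist_of(sim), dist_of(lambda r: enc(x, r)))


def decoding_error(x):
    """Pr[Dec(Enc(x)) != chi(x)]: delta in Definition 2."""
    chi = 1 if is_yes(x) else 0
    return sum(p for y, p in dist_of(lambda r: enc(x, r)).items() if dec(y) != chi)


# ---- the decision procedure from the proof sketch of Theorem 3 ----
def g(r, b):
    """g(r, b) = Sim_no(r) if b = 0, Sim_yes(r) if b = 1 (the universal function)."""
    return sim_no(r) if b == 0 else sim_yes(r)


def build_preimage_table():
    table = defaultdict(list)          # y -> every (r, b) with g(r, b) = y
    for b in (0, 1):
        for r in COINS:
            table[g(r, b)].append((r, b))
    return table


PREIMAGES = build_preimage_table()


def distributional_inverter(y, rng):
    """A uniformly random preimage of y under g. Brute force stands in for the
    Impagliazzo-Luby inverter, which is efficient when io-OWFs do not exist."""
    return rng.choice(PREIMAGES[y])


def decide(x, rng):
    """Sample y = Enc(x), invert g distributionally, and answer with the recovered bit b."""
    r = tuple(rng.randrange(1 << N) for _ in range(K))
    _, b = distributional_inverter(enc(x, r), rng)
    return b


def exact_success_probability(x):
    """Pr[decide(x) = chi(x)]: sum over y of Pr[Enc(x) = y] * Pr[b = chi(x) | preimage of y]."""
    chi = 1 if is_yes(x) else 0
    total = 0.0
    for y, p in dist_of(lambda r: enc(x, r)).items():
        pre = PREIMAGES[y]
        total += p * sum(1 for _, b in pre if b == chi) / len(pre)
    return total


def empirical_accuracy(x, trials=300, seed=7):
    rng = random.Random(seed)
    chi = 1 if is_yes(x) else 0
    return sum(decide(x, rng) == chi for _ in range(trials)) / trials


if __name__ == "__main__":
    for x in (0, 0b101):
        print(f"x={x:0{N}b}: eps={privacy_error(x)}, delta={decoding_error(x)}, "
              f"Pr[correct]={exact_success_probability(x):.4f}, "
              f"empirical={empirical_accuracy(x):.3f}")
```

Here the encoding is 0-private on both sides and \(2^{-K}\)-correct. The only encoding that has preimages under g with both values of b is \(0^K\), and there the b = 0 preimages (all coins) outnumber the b = 1 preimages (\(2^{K}\) per coordinate pattern, i.e. \((2^{N-1})^K\) coin tuples), so the procedure errs exactly when that ambiguous encoding is sampled and the inverter picks the minority bit.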

Perfect Encoding [AIK04]. A randomized encoding which is 0-private (resp., 0-correct) is called perfectly private (resp., perfectly correct). For an input of length n, let s(n) denote the length of the random strings used by \(\mathsf {Enc}\) and let t(n) be the output length of the encoding. A perfectly private and perfectly correct randomized encoding whose simulators \(\mathsf {Sim} _\textsc {yes}\) and \(\mathsf {Sim} _\textsc {no}\) use s(n) coins, \({ \text{ supp }}(\mathsf {Sim} _\textsc {yes}(1^n)) \cup { \text{ supp }}(\mathsf {Sim} _\textsc {no}(1^n)) = {\{0,1\}}^{t(n)}\), and \(1+s(n) = t(n)\) is called perfect. (See [AIK04] for an intuitive explanation of these requirements.)

One-Sided Encoding [AIK04, AIK15]. A randomized encoding which is \(\varepsilon \)-private on yes-instances and \(\delta \)-correct is called one-sided (or semi-private) randomized encoding (denoted with \((\varepsilon ,\delta )\)-\(\mathsf {1RE} \)) [AIK04, AIK15]. Clearly, any \((\varepsilon ,\delta )\)-\(\mathsf {SRE}\) is also \((\varepsilon ,\delta )\)-\(\mathsf {1RE} \), though the converse does not necessarily hold. A disjoint one-sided randomized encoding is an encoding which is \(\varepsilon \)-private on yes-instances and, instead of standard correctness, it satisfies the following \(\rho \)-disjointness property: For every no-instance \(x_\textsc {no}\) of length n from \(\varPi \), it holds that \(\Pr [\mathsf {Sim} _\textsc {yes}(1^n) \in { \text{ supp }}(\mathsf {Enc} (x_\textsc {no}))] \le \rho (n)\). We refer to such an encoding as \((\varepsilon ,\rho )\)-\(\mathsf {D1RE} \).

Definition 3

(Non-interactive Statistical Zero-Knowledge [BSMP91]). A non-interactive statistical zero-knowledge proof system (\(\mathsf {NISZK}\)) for a promise problem \(\varPi =(\varPi _{\textsc {yes}}, \varPi _{\textsc {no}})\) is defined by probabilistic algorithms \(\mathsf {Prov} \) (prover), \(\mathsf {Deal} \) (dealer), \(\mathsf {Sim} \) (simulator), and a deterministic algorithm \(\mathsf {Ver} \) (verifier), such that for every n-bit instance x the following holds

  • \(\alpha \) -Completeness: If \(x\in \varPi _\textsc {yes}\) then \(\Pr [\mathsf {Ver} (x, \sigma , \mathsf {Prov} (x, \sigma )) \ne 1] \le \alpha (n)\), where \(\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Deal} (1^{n})\).

  • \(\beta \) -Soundness: If \(x\in \varPi _\textsc {no}\) then \(\Pr [\exists p=p(x,\sigma ): \mathsf {Ver} (x, \sigma , p) = 1] \le \beta (n)\), where \(\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Deal} (1^{n})\).

  • \(\gamma \) -Zero-Knowledge: If \(x\in \varPi _\textsc {yes}\) then the pair \((\sigma ,p)\) is \(\gamma (n)\)-close in statistical distance to the pair \((\sigma ',p')\) where \(\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Deal} (1^{n}), p \mathop {\leftarrow }\limits ^{R}\mathsf {Prov} (x,\sigma ) \) and \((\sigma ',p') \mathop {\leftarrow }\limits ^{R}\mathsf {Sim} (x)\).

The algorithms \(\mathsf {Ver}, \mathsf {Deal} \), and \(\mathsf {Sim} \) are required to be efficient, while the prover’s algorithm \(\mathsf {Prov} \) is allowed to be computationally unbounded. By default, \(\alpha ,\beta \) and \(\gamma \) are assumed to be negligible in n.

Variants. In the special case where the dealer \(\mathsf {Deal} (1^n)\) samples \(\sigma \) uniformly from the set of all strings of length r(n) (for some polynomial \(r(\cdot )\)), the proof system is called a non-interactive zero-knowledge proof system in the common random string model and is denoted by \((\alpha ,\beta ,\gamma )\)-\(\mathsf {NISZK} ^{\textsc {crs}}\) [BFM88]. We will focus on the more general setting (defined above) where the dealer is allowed to use any arbitrary (polynomial-time samplable) distribution. This setting is referred to as the public parameter model and protocols in this model are denoted by \((\alpha ,\beta ,\gamma )\)-\(\mathsf {NISZK} ^{\textsc {pub}}\).Footnote 8

Remark 1

(Efficiency: Uniformity vs. Non-Uniformity). Randomized encodings and non-interactive statistical-zero knowledge proof systems can be defined either in the uniform setting where all efficient entities (encoder, RE-simulator, verifier, dealer, and NISZK-simulator) are assumed to be probabilistic polynomial-time algorithms, or in the non-uniform setting where these entities are represented by probabilistic polynomial-time algorithms which take a non-uniform advice. We will emphasize this distinction only when it matters (Theorem 6), and otherwise, (when the results are insensitive to the difference) ignore it.

Definition 4

(Complexity classes). The complexity class \(\mathcal {SRE}\) (resp., \(\textit{1}\mathcal {RE}\), \(\mathcal {NISZK} ^{\textsc {pub}}\)) is the set of all the promise problems that have an \(\mathsf {SRE}\) (resp., \(\mathsf {1RE}\), \(\mathsf {NISZK} ^{\textsc {pub}}\)).

5 \(\mathcal {NISZK} ^{\textsc {pub}} = \textit{1}\mathcal {RE} \)

In this section we will prove Theorem 1. We start by showing that the notions of \(\mathsf {1RE}\) and \(\mathsf {D1RE}\) are equivalent in Sect. 5.1. Then, based on this equivalence we prove that \(\mathcal {NISZK} ^{\textsc {pub}} = \textit{1}\mathcal {RE} \). In the first part of the proof we show that \(\mathcal {NISZK} ^{\textsc {pub}} \subseteq \textit{1}\mathcal {RE} \) (cf. Sect. 5.2). In the second part of the proof we show that \(\textit{1}\mathcal {RE} \subseteq \mathcal {NISZK} ^{\textsc {pub}}\) (cf. Sect. 5.3).

5.1 Equivalence of \(\mathsf {1RE} \) and \(\mathsf {D1RE} \)

We start by showing how to convert a \(\mathsf {1RE}\) F for a promise problem \(\varPi \) into a \(\mathsf {D1RE}\) G for the same problem. The construction is inspired by the techniques of [GSV99]. The encoding G consists of sufficiently many independent copies of F together with a hash of the randomness used to generate the copies. In order to achieve disjointness, while keeping privacy, the length of the hash is chosen such that for yes-instance the hash is close to uniform and in the case of no-instances the support of the hash output is relatively small.

We note that this construction is non-uniform. That is, the length of the hash is chosen using a non-uniform advice that depends on the entropy of the encoding distribution on yes-instances. It is an interesting open question whether one can give a uniform construction achieving disjointness.

Theorem 6

If the promise problem \(\varPi \) has a (possibly non-uniform) \(\mathsf {1RE} \) F, then it also has a non-uniform \(\mathsf {D1RE} \) G. Moreover, if F is uniform then G can be implemented based on F and an advice of \(O(\log n)\) bits.

Proof

Let \(\varPi \) be a promise problem that has an \(\varepsilon \)-private and \(\delta \)-correct \(\mathsf {1RE} \) F, where \(\varepsilon \) and \(\delta \) are negligible. Let \(\mathsf {Sim} _F\) be the simulator showing the privacy of F on yes-instances. For an input length of n, let \(m=m(n)={ \text{ poly }}(n)\) denote the maximum bit-length of the randomness used by \(\mathsf {Sim} _F\) and F. We define a \(\mathsf {D1RE}\) G(x) for \(\varPi \) as follows:

(Figure a, the construction of G, is not reproduced in this extraction. As used in the analysis below, G(x) samples an \(m'\)-bit string \(r=(r_1,\ldots ,r_q)\mathop {\leftarrow }\limits ^{R}U_{m'}\) and a hash function \(h\mathop {\leftarrow }\limits ^{R}\mathcal {H} _{m',\ell }\), and outputs \((F(x,r_1),\ldots ,F(x,r_q),h,h(r))\), where \(q = 10^6 n m^2\) and the hash output length \(\ell = \lceil {m' - H(S_n) - \sqrt{n}\varDelta - 2 n}\rceil \), with \(\varDelta = \sqrt{q} m\), is fixed by the non-uniform advice.)

To simplify notation, we let \(J_x(r) = (F(x,r_1),\ldots ,F(x,r_q))\) and write \(J_x\) to denote the distribution induced by a uniform choice of \(r\mathop {\leftarrow }\limits ^{R}U_{m'}\). We let \(S_n = \otimes ^q \mathsf {Sim} _F(1^n)\), and let \(\mathcal {H} \) denote the family \(\mathcal {H} _{m',\ell }\).

We proceed with an analysis of the encoding G, starting with privacy. We define the simulator \(\mathsf {Sim} _G(1^n)\) to generate the random variable \((S_n,U({\mathcal {H}}),U_\ell )\). Fix some yes-instance x of length n from \(\varPi \). Our goal is to show that the statistical distance \(\varepsilon '(n)\) between \(\mathsf {Sim} _G(1^n)\) and G(x) is upper-bounded by some negligible function. First observe that, by the triangle inequality, \(\varepsilon '\) is upper-bounded by

$$\begin{aligned} {\Delta }(\mathsf {Sim} _G(1^n);\ (J_x,U(\mathcal {H}),U_\ell )) + {\Delta }((J_x,U(\mathcal {H}),U_\ell );\ G(x)). \end{aligned}$$
(1)

By the \(\varepsilon \)-privacy of the original encoding and by Fact 1 item 3, the first summand satisfies

$$\begin{aligned} {\Delta }(\mathsf {Sim} _G(1^n);\ (J_x,U(\mathcal {H}),U_\ell ))&= {\Delta }((S_n,U({\mathcal {H}}),U_\ell );\ (J_x,U(\mathcal {H}),U_\ell )) \\&\le {\Delta }(S_n,J_x) \\&\le q \varepsilon (n)={\mathrm {neg}}(n). \end{aligned}$$

It is left to analyze the second summand in (1), i.e., to upper-bound the quantity

$$\begin{aligned} \mathop {\Delta }\limits _{r\mathop {\leftarrow }\limits ^{R}{\{0,1\}}^{m'}, h\mathop {\leftarrow }\limits ^{R}\mathcal {H}}((J_x(r),h,U_\ell );\ (J_x(r),h,h(r)) ). \end{aligned}$$
(2)

Since the first entry is identically distributed in both distributions, it suffices to analyze the statistical distance between the two tuples conditioned on the outcome of the first entry \(J_x\). Indeed, we prove the following claim.

Claim 1

With probability \(1-2^{-\varOmega (n)}\) over \(z\mathop {\leftarrow }\limits ^{R}J_x\), it holds that

$$\begin{aligned} \mathop {\Delta }\limits _{r\mathop {\leftarrow }\limits ^{R}{\{0,1\}}^{m'}, h\mathop {\leftarrow }\limits ^{R}\mathcal {H}}([J_x(r),h,U_\ell |J_x(r)=z];\ [J_x(r),h,h(r)|J_x(r)=z] )<2^{-\varOmega (n)}. \end{aligned}$$
(3)

It follows (by Fact 1 item 4) that (2) is upper-bounded by \(2^{-\varOmega (n)}\).

Proof

(Proof of Claim 1 ). Recall that on any input x the encoding F uses at most m random bits, and so any element in its support has weight at least \(2^{-m}\). Hence, due to the Flattening Lemma 1, the distribution \(J_x\) is \(\varDelta \)-flat for \(\varDelta = \sqrt{q} m\). Since \(z\mathop {\leftarrow }\limits ^{R}J_x\) is \((\sqrt{n}\varDelta )\)-typical with probability at least \(1 - O(2^{-n})\), it suffices to show that (3) holds for every \((\sqrt{n}\varDelta )\)-typical z.

Fix some \((\sqrt{n}\varDelta )\)-typical z from \(J_x\) and consider the distribution \((J_x(r),h,h(r))\) conditioned on \(J_x(r)=z\). The conditional distribution of r is uniform over the set \(J^{-1}_x(z)\). We will show below that

$$\begin{aligned} \log (|J^{-1}_x(z)|) \ge \ell + n \end{aligned}$$
(4)

Therefore we can apply the Leftover Hash Lemma 2 to the distribution of \(r\mathop {\leftarrow }\limits ^{R}J_x^{-1}(z)\) with \(\mathcal {R} = {\{0,1\}}^{\ell }\) and \(\alpha = 2^{-n}\), and conclude that the distribution of \((J_x(r),h,h(r))\) conditioned on \(J_x(r)=z\) is \(O(2^{-n/3})\)-close to the distribution \((z,U(\mathcal {H}), U_\ell )\).

It remains to prove (4). First, we show that the entropies \(H(J_x)\) and \(H(S_n)\) are close. Indeed, by the privacy of F, we have that \({\Delta }(\mathsf {Sim} _F(1^n) ; F(x) ) \le \varepsilon (n)\) and therefore (by Fact 1 item 3) \({\Delta }(J_x;S_n) \le q \varepsilon (n)\). Hence, by Fact 1 item 2, we get that, for all sufficiently large n’s,

$$\begin{aligned} \left| {H(J_x) - H(S_n)}\right| \le m' q\varepsilon (n) + 1 \le 2, \end{aligned}$$
(5)

where the second inequality follows by noting that \(\varepsilon (n)\) is negligible in n, and \(m',q\) are polynomials in n. Now, recall that z is \((\sqrt{n}\varDelta )\)-typical, and therefore \(\log (|J^{-1}_x(z)|) \ge m'-H(J_x)-\sqrt{n}\varDelta \). Plugging in (5) we conclude that

$$\begin{aligned} \log (|J^{-1}_x(z)|)&\ge m' - H(S_n) - 2- \sqrt{n}\varDelta \\&\ge \underbrace{\lceil {m' - H(S_n) - \sqrt{n}\varDelta - 2 n}\rceil }_{=\ell } + (n - 3) + n \\&\ge \ell + n, \end{aligned}$$

where the last inequality holds for \(n \ge 3\).   \(\square \)

We move on to prove the disjointness property. Fix some no-instance x. Our goal is to upper-bound

$$\begin{aligned} \Pr \left[ \mathsf {Sim} _G(1^n) \in { \text{ supp }}(G(x))\right] = \Pr \left[ (S_n,U({\mathcal {H}}),U_{\ell }) \in { \text{ supp }}(G(x))\right] \end{aligned}$$
(6)

by some negligible function. For \(z \mathop {\leftarrow }\limits ^{R}S_n\), let \(\mathcal {E} =\mathcal {E} (z)\) be the event that \(|{J^{-1}_x}(z)| \le 2^{\ell - n}\). By marginalizing the probability, we can upper-bound (6) by

$$\begin{aligned} \mathop {\Pr }\limits _{z \mathop {\leftarrow }\limits ^{R}S_n, h\mathop {\leftarrow }\limits ^{R}\mathcal {H}, w\mathop {\leftarrow }\limits ^{R}{\{0,1\}}^{\ell }}\left[ (z,h,w) \in { \text{ supp }}(G(x))\ |\ \mathcal {E} (z) \right] + \Pr _{z\mathop {\leftarrow }\limits ^{R}S_n}[\lnot \mathcal {E} (z)]. \end{aligned}$$

We will show that both the first and second summand are negligible in n.

Claim 2

\(\Pr _{z \mathop {\leftarrow }\limits ^{R}S_n, h\mathop {\leftarrow }\limits ^{R}\mathcal {H}, w\mathop {\leftarrow }\limits ^{R}{\{0,1\}}^{\ell }}\left[ (z,h,w) \in { \text{ supp }}(G(x))\ |\ \mathcal {E} (z) \right] \le 2^{-n}\).

Proof

By definition \({ \text{ supp }}(G(x)) = \{(J_x(r),h,h(r))\ |\ r \in {\{0,1\}}^{m'},h \in \mathcal {H} \}\). Therefore, for any fixed z and h, the probability, over \(w\mathop {\leftarrow }\limits ^{R}{\{0,1\}}^{\ell }\), that the triple (z, h, w) lands in \({ \text{ supp }}(G(x))\) is exactly

$$\begin{aligned} \frac{|h(J^{-1}_x(z))|}{2^{\ell }}\le \frac{|J^{-1}_x(z)|}{2^{\ell }}, \end{aligned}$$

which is upper-bounded by \(2^{\ell - n}/2^{\ell }=2^{-n}\) when we condition on \(\mathcal {E} (z)\).    \(\square \)

We conclude the proof by showing that for \(z\mathop {\leftarrow }\limits ^{R}S_n\) the event \(\mathcal {E} (z)\) happens almost surely.

Claim 3

\(\Pr _{z \mathop {\leftarrow }\limits ^{R}S_n}[\log |{J^{-1}_x}(z)| \le {\ell - n}] \ge 1 - 2^{-\varOmega (n)}\).

Proof

Call z good if

$$\begin{aligned} z \text { is } (\sqrt{n}\varDelta )\text {-typical}, \qquad \text {where } \varDelta = \sqrt{q} m, \end{aligned}$$
(7)

and

$$\begin{aligned} \Pr [S_n=z] \ge 2^{q/10}\Pr [J_x=z]. \end{aligned}$$
(8)

We begin by showing that, except with probability \(2^{-\varOmega (n)}\), a random \(z \mathop {\leftarrow }\limits ^{R}S_n\) is good. First, recall that \(\mathsf {Sim} _F(1^n)\) uses at most m random bits, and so any element in its support has weight at least \(2^{-m}\). Hence, due to the Flattening Lemma 1, the distribution \(S_n\) is \(\varDelta \)-flat for \(\varDelta = \sqrt{q} m\) which implies that a random \(z \mathop {\leftarrow }\limits ^{R}S_n\) satisfies (7) with probability at least \(1 - 2^{-\varOmega (n)}\). Next, we show that, except with probability \(2^{-\varOmega (n)}\), a random \(z \mathop {\leftarrow }\limits ^{R}S_n\) satisfies (8). Indeed, due to the correctness property of F, we have that \({\Delta }(\mathsf {Sim} _F(1^n) ; F(x)) \ge 1/2\) which implies (by Fact 1 item 3) that \({\Delta }(S_n,J_x) \ge 1 - 2\exp (-q/8)\). Applying Fact 1 item 5, we conclude that

$$\begin{aligned} \mathop {\Pr }\limits _{z \mathop {\leftarrow }\limits ^{R}S_n}[\Pr [S_n=z] < t \Pr [J_x=z]] \le t \cdot 2\exp (-q/8), \end{aligned}$$

for any \(t\ge 1\). Taking \(t := 2^{q/10}\), and noting that

$$\begin{aligned} t \cdot 2\exp (-q/8) \le 2t \cdot 2^{-q/8} = 2\cdot 2^{q/10} \cdot 2^{-q/8} = 2^{-q/40 + 1}=2^{-\varOmega (n)}, \end{aligned}$$

we conclude that (8) holds for all but \(2^{-\varOmega (n)}\)-fraction of the \(z \mathop {\leftarrow }\limits ^{R}S_n\). It follows, by a union-bound, that, except with probability \(2^{-\varOmega (n)}\), a random \(z \mathop {\leftarrow }\limits ^{R}S_n\) is good.

Finally, we prove that for any good z it holds that \(\log |{J^{-1}_x}(z)| \le {\ell - n}\). By definition

$$\begin{aligned} |{J^{-1}_x}(z)|=2^{m'} \cdot \Pr [J_x=z] \end{aligned}$$

and by (8) the latter is upper-bounded by

$$\begin{aligned} 2^{m'-q/10}\cdot \Pr [S_n=z]. \end{aligned}$$

Recalling that \(\Pr [S_n=z] \le 2^{-H(S_n)+\sqrt{n}\varDelta }\) (since z is \(\sqrt{n}\varDelta \)-typical) we conclude that

$$\begin{aligned} |{J^{-1}_x}(z)|\le 2^{m'-q/10 -H(S_n)+\sqrt{n}\varDelta }. \end{aligned}$$

Hence, we get that

$$\begin{aligned} \log |{J^{-1}_x}(z)|&\le m'-H(S_n) + \sqrt{n}\varDelta - q/10 \\&\le \underbrace{\lceil {(m' - H(S_n) - \sqrt{n}\varDelta - 2 n)}\rceil }_{=\ell } - n + \underbrace{(3n +3\sqrt{n}\varDelta - q/10)}_{T}. \end{aligned}$$

Since \(q = 10^6 n m^2\) the expression T is always negative, and the claim follows.   \(\square \)

This completes the proof of Theorem 6.

Now we show that if we repeat a \(\mathsf {D1RE} \) polynomially many times we preserve the privacy of the encoding on yes-instances and gain the correctness property required of a \(\mathsf {1RE}\).

Theorem 7

Let \(\varPi \) be a promise problem that has an \(\varepsilon \)-private and \(\rho \)-disjoint \(\mathsf {D1RE} \) F, where \(\varepsilon \) and \(\rho \) are negligible. Then, there exists a \(\mathsf {1RE} \) G for \(\varPi \) that is \(\varepsilon '\)-private and \(\delta \)-correct, where \(\varepsilon '\) and \(\delta \) are negligible.

Proof

For an instance x of length n, we define a randomized encoding G(x) to be \(\otimes ^n F(x)\). Since F is efficient, the encoding G is also efficient. We prove that G is a \(\mathsf {1RE} \) for \(\varPi \).

  • Privacy for yes-instances: Let \(\mathsf {Sim} _F\) be the simulator showing the privacy of F on yes-instances. Define \(\mathsf {Sim} _G(1^n) := \otimes ^n \mathsf {Sim} _F(1^n)\). Take any yes-instance x from \(\varPi \). We have that

    $$\begin{aligned} {\Delta }(\mathsf {Sim} _G(1^n) ; G(x)) = {\Delta }(\otimes ^n \mathsf {Sim} _F(1^n) ; \otimes ^n F(x)) \le n \cdot \varepsilon (n), \end{aligned}$$

    where the last inequality holds due to Fact 1 item 3. Since \(\varepsilon (n)\) is negligible, we have that \(\varepsilon '(n) := n \cdot \varepsilon (n)\) is also negligible.

  • Correctness: Let \(Z = \bigcup _{x \in \varPi _\textsc {no}}{ \text{ supp }}(G(x))\). The decoder \(\mathsf {Dec}\) on input s outputs 0 if \(s \in Z\); and outputs 1, otherwise. Clearly, a no-instance is always decoded correctly. For a yes-instance x, we upper-bound the decoding error by showing that \(\Pr [G(x) \in Z]\) is negligible. Since G is \(\varepsilon '\)-private on yes-instances, we have that

    $$\begin{aligned} \Pr [G(x) \in Z] \le \Pr [\mathsf {Sim} _G(1^n) \in Z] + \varepsilon '(n). \end{aligned}$$

    By \(\rho \)-disjointness, it holds that \(\Pr [\mathsf {Sim} _F(1^n) \in { \text{ supp }}(F(x_\textsc {no}))] \le \rho (n),\) for any no-instance \(x_\textsc {no}\). This implies that if we repeat this experiment n times we get that \(\Pr [\mathsf {Sim} _G(1^n) \in { \text{ supp }}(G(x_\textsc {no}))] \le \rho (n)^n\). By a union bound, we conclude that \(\Pr [\mathsf {Sim} _G(1^n) \in Z] \le 2^n\rho (n)^n\), which implies that

    $$\begin{aligned} \Pr [G(x) \in Z] \le 2^n\rho (n)^n + \varepsilon '(n)\le {\mathrm {neg}}(n). \end{aligned}$$

The theorem follows.   \(\square \)

5.2 From \(\mathsf {NISZK} ^{\textsc {pub}}\) to \(\mathsf {1RE} \)

In this section we prove that \(\mathcal {NISZK} ^{\textsc {pub}} \subseteq \textit{1}\mathcal {RE} \).

Theorem 8

\(\mathcal {NISZK} ^{\textsc {pub}} \subseteq \textit{1}\mathcal {RE} \).

Proof

Let \(\varPi \) be a promise problem with an \((\alpha ,\beta ,\gamma )\)-\(\mathsf {NISZK} ^{\textsc {pub}}\) proof system consisting of \((\mathsf {Prov},\mathsf {Ver},\mathsf {Deal},\mathsf {Sim} _\textsc {zk})\), where \(\alpha ,\beta ,\gamma \) are negligible. By Theorem 7, it suffices to show that \(\varPi \) has an \((\varepsilon ,\rho )\)-\(\mathsf {D1RE} \) \(\mathsf {Enc} \) for some negligible \(\varepsilon \) and \(\rho \). For an n-bit string x, we define a randomized encoding \(\mathsf {Enc} (x)\) as follows (see Footnote 9):

(Figure b, the construction of \(\mathsf {Enc} \), is not reproduced in this extraction. As used in the analysis below, \(\mathsf {Enc} (x)\) runs \((\sigma ,p)\mathop {\leftarrow }\limits ^{R}\mathsf {Sim} _\textsc {zk}(x)\), sets \(b = \mathsf {Ver} (\sigma ,x,p)\), and outputs \(\sigma \) if \(b=1\) and otherwise a fixed string \(z_n \not \in { \text{ supp }}(\mathsf {Deal} (1^n))\).)

Observe that \(\mathsf {Enc} \) is efficient because \(\mathsf {Sim} _\textsc {zk}\) and \(\mathsf {Ver} \) are efficient. We prove that \(\mathsf {Enc} \) is a \(\mathsf {D1RE} \).

  • Privacy: We define \(\mathsf {Sim} _\textsc {yes}(1^n) = \mathsf {Deal} (1^n)\) and prove that for any yes-instance x the distribution \(\mathsf {Sim} _\textsc {yes}(1^n)\) is \(\varepsilon (n)\)-close to \(\mathsf {Enc} (x)\) where \(\varepsilon (n)=\alpha (n)+2 \cdot \gamma (n)={\mathrm {neg}}(n)\). Fix some yes-instance x of length n. Due to the zero-knowledge property of \(\mathsf {NISZK}\), we have that

    $$\begin{aligned} \mathop {\Delta }\limits _{\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Deal} (1^n)} (\mathsf {Sim} _\textsc {zk}(x), (\sigma ,\mathsf {Prov} (x,\sigma ))) \le \gamma (n). \end{aligned}$$

    By the definition of the statistical distance, this implies that

    $$\left| {\mathop {\Pr }\limits _{\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Deal} (1^n)}[\mathsf {Ver} (\sigma ,x,\mathsf {Prov} (x,\sigma )) \ne 1] - \mathop {\Pr }\limits _{(\sigma ,p) \mathop {\leftarrow }\limits ^{R}\mathsf {Sim} _\textsc {zk}(x)}[\mathsf {Ver} (\sigma ,x,p) \ne 1] }\right| \le \gamma (n).$$

    Because of the correctness property of \(\mathsf {NISZK}\), we have that

    $$\begin{aligned} \mathop {\Pr }\limits _{\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Deal} (1^n)}[\mathsf {Ver} (\sigma ,x,\mathsf {Prov} (x,\sigma )) \ne 1] \le \alpha (n). \end{aligned}$$

    This implies that

    $$\begin{aligned} \mathop {\Pr }\limits _{(\sigma ,p) \mathop {\leftarrow }\limits ^{R}\mathsf {Sim} _\textsc {zk}(x)}[\mathsf {Ver} (\sigma ,x,p) \ne 1] \le \alpha (n) + \gamma (n). \end{aligned}$$

    The latter inequality means that in the execution of \(\mathsf {Enc} (x)\) the bit b equals 1 except with probability \(\alpha (n) + \gamma (n)\). Hence, \({\Delta }(\mathsf {Enc} (x) ; \mathsf {Sim} _\textsc {zk}(x)[1]) \le \alpha (n) + \gamma (n)\), where \(\mathsf {Sim} _\textsc {zk}(x)[1]\) denotes the first component of the tuple output by the simulator. Because of the zero-knowledge property of \(\mathsf {NISZK}\) and due to Fact 1 item 1, we have that \({\Delta }(\mathsf {Sim} _\textsc {zk}(x)[1];\mathsf {Deal} (1^n)) \le \gamma (n)\). Finally, combining the last two inequalities, we get that

    $$\begin{aligned} {\Delta }(\mathsf {Enc} (x) ; \mathsf {Deal} (1^n)) \le \alpha (n)+2 \cdot \gamma (n)={\mathrm {neg}}(n). \end{aligned}$$

  • Disjointness: Let x be a no-instance of \(\varPi \). Let \(E \subseteq { \text{ supp }}(\mathsf {Deal} (1^n))\) denote the set of strings admitting a proof for the no-instance x, i.e., \(E := \{ \sigma \in { \text{ supp }}(\mathsf {Deal} (1^n))\ |\ \exists p: \mathsf {Ver} (\sigma ,x,p) = 1\}\). By \(\mathsf {Enc} \)’s construction we have that \( { \text{ supp }}(\mathsf {Enc} (x)) \subseteq E \cup \{z_n\}\). This implies that

    $$\begin{aligned} \Pr [\mathsf {Deal} (1^n) \in { \text{ supp }}(\mathsf {Enc} (x))]&\le \Pr [\mathsf {Deal} (1^n) \in E \cup \{z_n\}] \\&\overset{(\star )}{=} \Pr [\mathsf {Deal} (1^n) \in E] \\&\le \beta (n), \end{aligned}$$

    where the last inequality follows from the soundness property of \(\mathsf {NISZK}\), and the equality \((\star )\) holds because \(z_n \not \in { \text{ supp }}(\mathsf {Deal} (1^n))\).   \(\square \)

5.3 From \(\mathsf {1RE} \) to \(\mathsf {NISZK} ^\textsc {pub}\)

Theorem 9

If the promise problem \(\varPi \) has a (possibly non-uniform) \(\mathsf {1RE} \) F, then it also has a non-uniform \(\mathsf {NISZK} ^\textsc {pub}\) proof system. Moreover, if F is uniform then the \(\mathsf {NISZK} ^\textsc {pub}\) proof system can be implemented based on F and an advice of \(O(\log n)\) bits.

Proof

Let \(\varPi \in \textit{1}\mathcal {RE} \). Due to Theorem 6, there exists a non-uniform \((\varepsilon ,\rho )\)-\(\mathsf {D1RE} \) \(\mathsf {Enc}\) for \(\varPi \) such that \(\varepsilon \) and \(\rho \) are negligible. Let s(n) denote the randomness complexity of the encoding \(\mathsf {Enc} \) when it is applied to an n-bit input x, and let \(\mathsf {Sim} _\textsc {re}\) be the simulator showing the privacy of \(\mathsf {Enc} \) on yes-instances. We construct a proof system \((\mathsf {Prov},\mathsf {Ver},\mathsf {Deal},\mathsf {Sim} _\textsc {zk})\) for \(\varPi \) as follows:

(Figure c, the proof system, is not reproduced in this extraction. As used in the analysis below: \(\mathsf {Deal} (1^n)\) outputs \(\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Sim} _\textsc {re}(1^n)\); \(\mathsf {Prov} (x,\sigma )\) outputs a uniformly random \(r\in {\{0,1\}}^{s(n)}\) such that \(\mathsf {Enc} (x,r)=\sigma \); \(\mathsf {Ver} (x,\sigma ,p)\) accepts iff \(\mathsf {Enc} (x,p)=\sigma \); and \(\mathsf {Sim} _\textsc {zk}(x)\) samples \(r\mathop {\leftarrow }\limits ^{R}{\{0,1\}}^{s(n)}\) and outputs \((\mathsf {Enc} (x,r),r)\).)

We show that \((\mathsf {Prov},\mathsf {Ver},\mathsf {Deal},\mathsf {Sim} _\textsc {zk})\) forms a \(\mathsf {NISZK}\) for \(\varPi \).

  • Completeness: Consider some yes-instance x of length n. Recall that, by the privacy of \(\mathsf {D1RE} \), the simulator’s distribution \(\mathsf {Sim} _\textsc {re}(1^n)\) is \(\varepsilon (n)\)-close to \(\mathsf {Enc} (x)\), which implies that

    $$\begin{aligned} \Pr [\mathsf {Sim} _\textsc {re}(1^n) \in { \text{ supp }}(\mathsf {Enc} (x))] \ge 1 - \varepsilon (n). \end{aligned}$$

    Hence, except with probability \(\varepsilon (n)\), for a string \(\sigma \) generated by \(\mathsf {Sim} _\textsc {re}(1^n)\), the prover \(\mathsf {Prov} \) can find r, such that \(\mathsf {Enc} (x,r) = \sigma \).

  • Soundness: For all no-instances x of \(\varPi \), we have that

    $$\begin{aligned} \mathop {\Pr }\limits _{\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Deal} (1^n)}[\exists p: \mathsf {Ver} (x, \sigma , p) = 1] = \mathop {\Pr }\limits _{\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Sim} _\textsc {re}(1^n)}[\sigma \in { \text{ supp }}(\mathsf {Enc} (x)) ] \le \rho (n), \end{aligned}$$

    where the last inequality follows from the disjointness property of \(\mathsf {Enc} \).

  • Zero Knowledge: For all yes-instances x of \(\varPi \), we have that

    $$\begin{aligned}&\mathop {{\Delta }}\limits _{\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Deal} (1^n)}(\mathsf {Sim} _\textsc {zk}(x);\ (\sigma ,\mathsf {Prov} (x,\sigma ))) =\\&\mathop {{\Delta }}\limits _{\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Sim} _\textsc {re}(1^n),r \mathop {\leftarrow }\limits ^{R}{\{0,1\}}^{s(n)}} ((\mathsf {Enc} (x,r),r);\ (\sigma ,\mathsf {Prov} (x,\sigma ))) =\\&\mathop {{\Delta }}\limits _{\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Sim} _\textsc {re}(1^n),r \mathop {\leftarrow }\limits ^{R}{\{0,1\}}^{s(n)}} ( (\mathsf {Enc} (x,r),\mathsf {Prov} (x,\mathsf {Enc} (x,r)));\ (\sigma ,\mathsf {Prov} (x,\sigma ))) \le \\&\mathop {{\Delta }}\limits _{\sigma \mathop {\leftarrow }\limits ^{R}\mathsf {Sim} _\textsc {re}(1^n),r \mathop {\leftarrow }\limits ^{R}{\{0,1\}}^{s(n)}}(\mathsf {Enc} (x,r); \sigma ) \le \\&\varepsilon (n), \end{aligned}$$

    where the second equality follows by recalling that \(\mathsf {Prov} (x,\sigma )\) samples a random r subject to \(\mathsf {Enc} (x,r) = \sigma \), and so \((\mathsf {Enc} (x,r),r)\) is identically distributed to \((\mathsf {Enc} (x,r),\mathsf {Prov} (x,\mathsf {Enc} (x,r)))\), and the first inequality follows from Fact 1 item 1.   \(\square \)

6 If \(\mathcal {SRE}\) Is Non-trivial Then One-Way Functions Exist

In this section we prove Theorem 3:

Theorem 3

(Restated). If \(\mathcal {SRE} \) is non-trivial (not in \(\mathcal {BPP} \)), then infinitely-often one-way functions exist.

Proof

Assume that infinitely-often one-way functions do not exist. Impagliazzo and Luby [IL89] showed that in this case every efficiently computable function g(x) can be “distributionally-inverted” in the following sense: For every inverse polynomial \(\alpha (\cdot )\), there exists an efficient adversary A such that, for random \(x\in {\{0,1\}}^n\), the pair (x, g(x)) is \(\alpha (n)\)-close to the pair (A(g(x)), g(x)). In other words, for most x’s, A finds an almost uniform preimage of g(x). We refer to \(\alpha \) as the deviation of the inverter and set it to 1/10.

We will show that such an inverter allows us to put \(\mathcal {SRE}\) in \(\mathcal {BPP}\). Let \(\varPi \) be a promise problem in \(\mathcal {SRE}\) with an \(\varepsilon \)-private, \(\delta \)-correct statistical encoding \(\mathsf {Enc} \) for some negligible \(\varepsilon \) and \(\delta \). Let \(\mathsf {Sim} _{\textsc {yes}}\) and \(\mathsf {Sim} _{\textsc {no}}\) be the simulators of the encoding and define \(\mathsf {Sim} (b,r)\) to be a “joint” simulator which takes as input a single bit \(b\in {\{0,1\}}\) and a random string r and outputs a sample from \(\mathsf {Sim} _{\textsc {yes}}(r)\) if \(b=1\) and from \(\mathsf {Sim} _{\textsc {no}}(r)\) if \(b=0\).Footnote 10 We decide \(\varPi \) via the following \(\mathcal {BPP}\) procedure B: Given a string \(x\in {\{0,1\}}^n\), sample an encoding \(y\mathop {\leftarrow }\limits ^{R}\mathsf {Enc} (x)\) and \(\alpha \)-distributionally invert the simulator \(\mathsf {Sim} \) on the string y. Take the resulting preimage (b, r) (where r denotes the coins of the simulator) and output the bit b. We analyze the success probability of deciding \(\varPi \) with this procedure.

Claim 4

The procedure B decides \(\varPi \) with error probability of at most \(1/6 + 5\delta + \varepsilon + \alpha \).

Proof

Let us focus on the case where \(x\in {\{0,1\}}^n\) is a yes-instance (the other case is symmetric). First consider an “ideal” version \(B'\) of the algorithm B in which (1) the string y is sampled from \(\mathsf {Sim} _{\textsc {yes}}(r)\) and (2) the distributional inversion algorithm is perfect and has zero deviation. Observe that the gap between the error probability of the real algorithm B and the error probability of the ideal algorithm \(B'\) is at most \(\varepsilon +\alpha \) (this is due to the \(\varepsilon \)-privacy and to the \(\alpha \)-deviation of the actual inverter). Hence, it suffices to show that the ideal version errs with probability at most \(1/6+5\delta \).

For a given encoding y, the ideal algorithm outputs the right answer \(b=1\) with probability \(\frac{p_1(y)}{p_0(y)+p_1(y)}\) where \(p_0(y)\) denotes the weight of y under the distribution sampled by \(\mathsf {Sim} _{\textsc {no}}\) and \(p_1(y)\) denotes the weight of y under \(\mathsf {Sim} _{\textsc {yes}}\). By the \(\delta \)-correctness of the encoding and by Fact 1 item 5 (instantiated with \(t = 5\)), it holds that, except with probability at most \(5\delta \) over \(y\mathop {\leftarrow }\limits ^{R}\mathsf {Sim} _{\textsc {yes}}\), we have that \(p_1(y)\ge 5p_0(y)\). It follows, by a union bound, that the ideal algorithm errs with probability of at most \(5\delta + 1/6\), as required.   \(\square \)

It remains to notice that, since \(\delta \) and \(\varepsilon \) are negligible and \(\alpha \) is an inverse polynomial, \(\varPi \) can be decided with success probability at least 2/3.

7 If \(\mathcal {PRE} \) Is Hard on the Average Then CRH Exist

In this section we will study the consequences of the existence of an average-case hard problem \(\varPi \in \mathcal {PRE} \).

Definition 5

We say that a promise problem \(\varPi =(\varPi _\textsc {yes}, \varPi _\textsc {no})\) is hard on average if there exists an efficient sampler S that given \(1^n\) outputs an n-bit instance of \(\varPi \) such that for every non-uniform efficient algorithm A,

$$\begin{aligned} \left| {\mathop {\Pr }\limits _{x \mathop {\leftarrow }\limits ^{R}S(1^n)}[A(x)= \chi _{\varPi }(x)] - 1/2}\right| < {\mathrm {neg}}(n). \end{aligned}$$

We say that the problem has efficient Yes/No samplers if it is possible to efficiently sample from the conditional Yes distribution \(Y_n=[S(1^n)|S(1^n)\in \varPi _\textsc {yes}]\) and from the conditional No distribution \(N_n=[S(1^n)|S(1^n)\in \varPi _\textsc {no}]\).

A collection of claw-free pseudo-permutations (CFPP) [Dam87, GMR88, Rus95] is a set of pairs of efficiently computable functions \(f^0,f^1:{\{0,1\}}^n\rightarrow {\{0,1\}}^n\) for which it is hard to find a pair (u, v) which forms a claw, i.e., \(f^0(u)=f^1(v)\), or a collapse, i.e., \(f^b(u)=f^b(v)\) and \(u\ne v\) for some bit b. Collections of claw-free permutations (CFPs) correspond to the special case where \(f^0\) and \(f^1\) are permutations and so collapses simply do not exist.

Definition 6

(Claw-free Functions). A collection of pairs of functions consists of an infinite set of indices, denoted \(\overline{I}\), finite sets \(D_i\) for each \(i \in \overline{I}\), and two functions \(f^0_i\) and \(f^1_i\), each mapping \(D_i\) to \(D_i\). Such a collection is called a collection of claw-free pseudo-permutations if there exist three probabilistic polynomial-time algorithms I, D, and F such that the following conditions hold:

  • Easy to sample and compute: The random variable \(I(1^n)\) is assigned values in the set \(\overline{I}\cap {\{0,1\}}^{p(n)}\) for some polynomial \(p(\cdot )\). For each \(i \in \overline{I}\), the random variable D(i) is distributed uniformly over \(D_i\). For each \(i \in \overline{I}\), \(b \in {\{0,1\}}\) and \(x \in D_i\), \(F(b, i, x) = f_i^b (x)\).

  • Hard to form claws: A pair (x, y) satisfying \(f_i^0(x) = f_i^1(y)\) is called a claw for index i. Let \(C_i\) denote the set of claws for index i. It is required that for every probabilistic polynomial-time algorithm A,

    $$\begin{aligned} \mathop {\Pr }\limits _{i \mathop {\leftarrow }\limits ^{R}I(1^n)}[A(i) \in C_{i} ] < {\mathrm {neg}}(n). \end{aligned}$$

  • Hard to form collapses: A pair (x, y) with \(x \ne y\) satisfying \(f_i^b(x) = f_i^b(y)\) is called a collapse for an index i and a bit b. Let \(T_{i,b}\) denote the set of collapses for (i, b). It is required that for every probabilistic polynomial-time algorithm A and every \(b\in {\{0,1\}}\),

    $$\begin{aligned} \mathop {\Pr }\limits _{i \mathop {\leftarrow }\limits ^{R}I(1^n)}[A(i) \in T_{i,b} ] < {\mathrm {neg}}(n). \end{aligned}$$

If the last item holds for unbounded adversaries, i.e., \(f_i^0\) and \(f_i^1\) are permutations over \(D_i\), then the collection is called a collection of claw-free permutations.

It is known that CFPPs imply Collision-Resistant Hash functions (CRH) [Rus95]. We will show that the existence of an average-case hard problem \(\varPi \in \mathcal {PRE} \) implies the existence of CFPPs. We begin with the simpler case in which \(\varPi \) has efficient Yes/No samplers and show that, in this case, we obtain a collection of claw-free permutations.

Theorem 10

If there exists an average-case hard language in \(\mathcal {PRE} \) with efficient Yes/No samplers then CFPs exist.

We will need the following simple claim.

Claim 5

Let \(\varPi \) be a promise problem with perfect randomized encoding g whose simulators are \(\mathsf {Sim} _{\textsc {yes}}\) and \(\mathsf {Sim} _{\textsc {no}}\). Define the functions \(h^0_x,h^1_y\), which are indexed by a pair of instances (x, y) of \(\varPi \), as follows:

$$\begin{aligned} h^0_x(r,b)= {\left\{ \begin{array}{ll} g(x;r), &{} \text{if } b=0, \\ \mathsf {Sim} _{\textsc {no}}(r), &{} \text{otherwise;}\end{array}\right. } ~~~~~ h_y^1(r,b)= {\left\{ \begin{array}{ll} g(y;r), &{} \text{if } b=0, \\ \mathsf {Sim} _{\textsc {yes}}(r), &{} \text{otherwise.}\end{array}\right. } \end{aligned}$$
(9)

Then the following holds for any n-bit strings x and y:

  1. If \(x \in \varPi _\textsc {yes}\), then \(h^0_x\) is a permutation.

  2. If \(y \in \varPi _\textsc {no}\), then \(h^1_y\) is a permutation.

  3. If \((x,y) \in \varPi _\textsc {no}\times \varPi _\textsc {yes}\) then \({{\mathrm{Im}}}\left( {h^0_x}\right) \cap {{\mathrm{Im}}}\left( {h^1_y}\right) = \emptyset \).

Proof

Let \(R_0\) and \(R_1\) denote \({{\mathrm{Im}}}(\mathsf {Sim} _\textsc {no})\) and \({{\mathrm{Im}}}(\mathsf {Sim} _\textsc {yes})\), respectively. Let s(n) denote the randomness complexity of g and let t(n) denote the output length of g. Since g is a perfect randomized encoding, we have that \(R_0 \cap R_1 = \emptyset \), \(R_0 \cup R_1 = {\{0,1\}}^{t(n)}\), and \(t(n) = s(n)+1\). Consider the case where \(x \in \varPi _\textsc {yes}\). Then \(h^0_x(\cdot ,0):{\{0,1\}}^{s(n)}\rightarrow R_1\) is a bijection, and so is \(h^0_x(\cdot ,1):{\{0,1\}}^{s(n)}\rightarrow R_0\). Since \(R_0 \cap R_1 = \emptyset \), the function \(h^0_x(\cdot ,\cdot )\) is a permutation on \(R_0 \cup R_1 = {\{0,1\}}^{t(n)}\). Similarly, if \(y \in \varPi _\textsc {no}\), the function \(h^1_y(\cdot ,\cdot )\) is a permutation on \({\{0,1\}}^{t(n)}\).

In order to prove the third item, we observe that if \(x \in \varPi _\textsc {no}\), then \({{\mathrm{Im}}}\left( {h_x^0}\right) = R_0\); and if \(y \in \varPi _\textsc {yes}\), then \({{\mathrm{Im}}}\left( {h_y^1}\right) = R_1\). This implies that for all \((x,y) \in \varPi _\textsc {no}\times \varPi _\textsc {yes}\) it holds that \({{\mathrm{Im}}}\left( {h^0_x}\right) \cap {{\mathrm{Im}}}\left( {h^1_y}\right) = R_0 \cap R_1 = \emptyset \).   \(\square \)

We can now prove Theorem 10.

Proof

(Proof of Theorem 10). Let \(\varPi \) be an average-case hard language with efficient Yes/No samplers \((Y_n,N_n)\), and let g be a perfect randomized encoding for \(\varPi \). For a pair of inputs (x, y) from \(\varPi \), we say that (x, y) is a \((\textsc {yes},\textsc {no})\)-instance (resp., \((\textsc {no},\textsc {yes})\)-instance) if x is a yes-instance and y is a no-instance (resp., if x is a no-instance and y is a yes-instance).

We construct a CFP family which is indexed by pairs \((x,y)\in \varPi _\textsc {yes}\times \varPi _\textsc {no}\). Given a security parameter \(1^n\), an index (x, y) is chosen by sampling \(x \mathop {\leftarrow }\limits ^{R}Y_{n}\) and \(y \mathop {\leftarrow }\limits ^{R}N_{n}\). For each index (x, y) we let \(f^0_{(x,y)} \equiv h^0_x\) and \(f^1_{(x,y)} \equiv h^1_y\), where \(h^0_x\) and \(h^1_y\) are defined as in (9). Recall that the domain and range of \(f_{(x,y)}^b\) are \({\{0,1\}}^{t(n)}\), where t(n) is the output length of g. Clearly this collection is efficiently samplable and efficiently computable. Moreover, since our sampler always samples a \((\textsc {yes},\textsc {no})\)-instance (x, y), it holds, due to Claim 5, that \(f^0_{(x,y)} \equiv h^0_x\) and \(f^1_{(x,y)} \equiv h^1_y\) are permutations on \({\{0,1\}}^{t(n)}\). We complete the proof by showing that claws are hard to find.

Recall that we assume that the distribution ensemble \(\{Y_n\}\) is computationally indistinguishable from \(\{N_n\}\). By a standard hybrid argument, it follows that the pair \((Y_n,N_n)\) is computationally indistinguishable from the pair \((Y_n,Y_n)\) which, in turn, is computationally indistinguishable from the pair \((N_n,Y_n)\). Now assume, for the sake of contradiction, that there exists an efficient algorithm A that, given \((x,y) \mathop {\leftarrow }\limits ^{R}(Y_n,N_n)\), can find claws with non-negligible probability \(\varepsilon \). We can use A to distinguish \((Y_n,N_n)\) from \((N_n,Y_n)\) as follows: Given (x, y), call A(x, y) and output 1 if A's output (u, v) forms a claw, i.e., \(h_x^0(u)=h_y^1(v)\). By assumption, the resulting distinguisher outputs 1 when \((x,y)\mathop {\leftarrow }\limits ^{R}(Y_n,N_n)\) with probability \(\varepsilon \). In contrast, when \((x,y)\mathop {\leftarrow }\limits ^{R}(N_n,Y_n)\), the distinguisher never finds a claw, since claws do not exist for such an index (due to Claim 5). Hence the distinguisher has a noticeable advantage of \(\varepsilon \), in contradiction to our assumption.    \(\square \)

We continue by considering the more general case where \(\varPi \) is hard on average but does not admit efficient Yes/No samplers, and obtain, in this case, claw-free pseudo-permutations (whose existence still implies collision-resistant hash functions).

Theorem 11

If there exists an average-case hard language in \(\mathcal {PRE} \) then claw-free pseudo-permutations (CFPP) exist.

Proof

The construction is identical to the one presented in Theorem 10, except that the index \((x,y)\in \varPi \times \varPi \) is chosen by sampling both x and y independently from the distribution \(S(1^n)\) over which \(\varPi \) is average-case hard. By definition, the collection \(f_{(x,y)}^b = h_x^b\), where h is defined as in (9), is efficiently samplable and efficiently computable. We verify that it is a CFPP.

We begin by showing that \(f_{(x,y)}^0 = h_x^0\) is a pseudo-permutation (the case of \(f_{(x,y)}^1\) is analogous). Assume for the sake of contradiction that there is an algorithm A that can find collapses for \(f_{(x,y)}^0\) with a non-negligible probability \(\varepsilon \). Using A we construct a new algorithm \(A'\) that has a non-negligible advantage in guessing \(\chi _{\varPi }(x)\) for \(x \mathop {\leftarrow }\limits ^{R}S(1^n)\). Given an input \(x \mathop {\leftarrow }\limits ^{R}S(1^{n})\), the algorithm \(A'\) samples \(y \leftarrow S(1^n)\), and then invokes A(x, y) to find a collapse (u, v) for \(f_{(x,y)}^0 = h_x^0\). If A finds a valid collapse (i.e., \(u\ne v\) and \(h_x^0(u)=h_x^0(v)\)), the algorithm \(A'\) classifies the input x as a no-instance and outputs 0; otherwise \(A'\) outputs a random bit. Recall that when x is a yes-instance the function \(h_x^0\) is a permutation, and so it does not have collapses. Hence, \(A'\) outputs a correct answer whenever A finds a collapse. Also, when a collapse is not found, the success probability of \(A'\) is 1/2. Hence, the overall success probability of \(A'\) is

$$\begin{aligned} \mathop {\Pr }\limits _{x \mathop {\leftarrow }\limits ^{R}S(1^n)}[A'(x)= \chi _{\varPi }(x)] = 1/2 \cdot (1 - \varepsilon )+ 1 \cdot \varepsilon = 1/2 + \varepsilon /2, \end{aligned}$$

in contradiction to the average-case hardness of \(\varPi \).

We move on to show that it is hard to find claws. Assume for the sake of contradiction that there exists an efficient algorithm A that finds claws with a non-negligible probability \(\varepsilon \). We construct a new algorithm \(A'\) that has a non-negligible advantage in guessing \(\chi _{\varPi }(x)\) for \(x \mathop {\leftarrow }\limits ^{R}S(1^n)\). Let

$$\begin{aligned} p=\mathop {\Pr }\limits _{x\mathop {\leftarrow }\limits ^{R}S(1^n), y\mathop {\leftarrow }\limits ^{R}S(1^n)}[A(x,y) \text { finds a claw } | x\in \varPi _{\textsc {no}}]. \end{aligned}$$

We distinguish between two cases based on the value of p.

First, consider the case where \(p\ge \varepsilon /2\). Then, by an averaging argument, there exists some fixed no-instance \(x_0\) for which

$$\begin{aligned} \mathop {\Pr }\limits _y[A(x_0,y) \text { finds a claw }]\ge \varepsilon /2. \end{aligned}$$

Recall that when the index is a \((\textsc {no},\textsc {yes})\) pair there are no claws, and so when A finds a claw, y must be a no-instance. We can therefore construct a non-uniform algorithm that decides \(y\mathop {\leftarrow }\limits ^{R}S(1^n)\) as follows: Call \(A(x_0,y)\) and output zero (“no”) if a claw is found, and otherwise toss a random coin. The success probability is at least \(\varepsilon /2+(1-\varepsilon /2)/2=1/2 + \varepsilon /4\).

Second, consider the case where \(p< \varepsilon /2\). In this case, we determine whether \(x\mathop {\leftarrow }\limits ^{R}S(1^n)\) is a yes-instance or a no-instance via the following procedure \(A'\). Sample \(y \mathop {\leftarrow }\limits ^{R}S(1^n)\) and call A(x, y); if A returns a valid claw, output 1 (classify x as a yes-instance); otherwise, output a random bit. The success probability of \(A'\) can be marginalized as follows:

$$\begin{aligned} \mathop {\Pr }\limits _x[A'(x) \text { succeeds }]&= \mathop {\Pr }\limits _{x,y}[A'(x) \text { succeeds } | A(x,y) \text { finds a claw }]\cdot \varepsilon \\&\ \ \ + \mathop {\Pr }\limits _{x,y}[A'(x) \text { succeeds } | A(x,y) \text { doesn't find a claw }]\cdot (1-\varepsilon )\\&= \mathop {\Pr }\limits _{x}[x\in \varPi _{\textsc {yes}} | A(x,y) \text { finds a claw }]\cdot \varepsilon +(1-\varepsilon )/2. \end{aligned}$$

Therefore, it suffices to show that

$$\begin{aligned} \mathop {\Pr }\limits _{x}[x\in \varPi _{\textsc {yes}}| A(x,y) \text { finds a claw }]\ge 2/3 \end{aligned}$$
(10)

since this implies that \(A'\) succeeds with probability of at least \(2/3 \cdot \varepsilon + (1-\varepsilon )/2= 1/2 + \varepsilon /6\). To prove (10), we upper-bound by 1/3 the probability of the complementary event:

$$\begin{aligned}&\mathop {\Pr }\limits _{x}[x\in \varPi _{\textsc {no}}| A(x,y) \text { finds a claw}] = \\&\frac{\Pr _{x,y}[A(x,y) \text { finds a claw}| x\in \varPi _{\textsc {no}}] \cdot \Pr _{x}[x\in \varPi _{\textsc {no}}]}{\Pr [A(x,y) \text { finds a claw }]} \le \\&\frac{(\varepsilon /2)\cdot (2/3)}{\varepsilon } =\\&\frac{1}{3}, \end{aligned}$$

where the inequality follows by our assumption (\(p<\varepsilon /2\)) and by the fact that \(\Pr _x[x\in \varPi _{\textsc {no}}]<2/3\) (since otherwise the trivial adversary that always outputs 0 breaks the average-case hardness of \(\varPi \) over \(S(1^n)\)). The proof follows.    \(\square \)
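The following Python program is an added example, not code from the paper. It instantiates the construction of (9) on a toy promise problem so that Claim 5, the claw-based distinguisher of Theorem 10 and the collapse-based decider of Theorem 11 can be checked by brute force. The promise problem is parity (yes-instances have odd parity, no-instances even parity), encoded by the assumed perfect randomized encoding \(g(x;r)_i = x_i \oplus r_{i-1} \oplus r_i\) with \(r_0 = r_n = 0\), whose simulators pad a random string with the bit that fixes its parity. All names (`parity_encode`, `sim_no`, `h0`, `find_claw`, `decide_via_collapses`, the constants `N`, `S`, `T`) are choices of this example; n is kept tiny so that the whole domain \({\{0,1\}}^{t(n)}\) can be enumerated.

```python
# Added example (not part of the paper): the h^0_x / h^1_y construction of (9)
# over a constructed perfect randomized encoding of the parity promise problem.
from itertools import product

N = 4          # instance length n (constructed; small enough to enumerate)
S = N - 1      # randomness complexity s(n) of the encoding g
T = S + 1      # output length t(n) = s(n) + 1, as required of a perfect RE


def parity(bits):
    return sum(bits) % 2


def is_yes(x):
    """Pi_yes = odd-parity strings, Pi_no = even-parity strings (constructed)."""
    return parity(x) == 1


def parity_encode(x, r):
    """Perfect RE of parity: z_i = x_i + r_{i-1} + r_i (mod 2) with r_0 = r_n = 0.
    The output reveals only parity(x), and r -> z is a bijection onto the
    parity class of x (r can be recovered coordinate by coordinate from z)."""
    assert len(x) == N and len(r) == S
    z = []
    for i in range(N):
        left = r[i - 1] if i > 0 else 0
        right = r[i] if i < S else 0
        z.append((x[i] + left + right) % 2)
    return tuple(z)


def sim_no(r):
    """Sim_no: bijection from {0,1}^s onto R_0 (even-parity strings)."""
    return tuple(r) + (parity(r),)


def sim_yes(r):
    """Sim_yes: bijection from {0,1}^s onto R_1 (odd-parity strings)."""
    return tuple(r) + (1 - parity(r),)


def h0(x, r, b):
    """h^0_x(r, b) of (9): g(x; r) if b = 0, Sim_no(r) otherwise."""
    return parity_encode(x, r) if b == 0 else sim_no(r)


def h1(y, r, b):
    """h^1_y(r, b) of (9): g(y; r) if b = 0, Sim_yes(r) otherwise."""
    return parity_encode(y, r) if b == 0 else sim_yes(r)


# The common domain {0,1}^t of h^0_x and h^1_y, written as pairs (r, b).
DOMAIN = [(r, b) for r in product((0, 1), repeat=S) for b in (0, 1)]


def image(h, idx):
    return {h(idx, r, b) for (r, b) in DOMAIN}


def is_permutation(h, idx):
    return len(image(h, idx)) == 2 ** T


def find_claw(x, y):
    """Brute-force claw finder: (u, v) with h^0_x(u) = h^1_y(v), or None."""
    table = {h0(x, r, b): (r, b) for (r, b) in DOMAIN}
    for v in DOMAIN:
        out = h1(y, *v)
        if out in table:
            return table[out], v
    return None


def find_collapse(h, idx):
    """Brute-force collapse finder: distinct u != v with h_idx(u) = h_idx(v)."""
    seen = {}
    for inp in DOMAIN:
        out = h(idx, *inp)
        if out in seen:
            return seen[out], inp
        seen[out] = inp
    return None


def decide_via_collapses(x):
    """The algorithm A' from the proof of Theorem 11 (first part): a collapse of
    h^0_x certifies that x is a no-instance.  Because the brute-force finder is
    perfect here, the random-bit fallback of the proof is never needed."""
    return 0 if find_collapse(h0, x) is not None else 1


def check_claim5():
    """Return (item1, item2, item3) of Claim 5, each verified over all instances."""
    instances = [tuple(v) for v in product((0, 1), repeat=N)]
    yes = [x for x in instances if is_yes(x)]
    no = [x for x in instances if not is_yes(x)]
    item1 = all(is_permutation(h0, x) for x in yes)
    item2 = all(is_permutation(h1, y) for y in no)
    item3 = all(image(h0, x).isdisjoint(image(h1, y)) for x in no for y in yes)
    return item1, item2, item3


if __name__ == "__main__":
    print("Claim 5 items hold:", check_claim5())
    print("claw for a (yes,no) index:", find_claw((1, 0, 0, 0), (0, 0, 0, 0)))
    print("claw for a (no,yes) index:", find_claw((0, 0, 0, 0), (1, 0, 0, 0)))
    print("A' on x=1000 / x=1100:", decide_via_collapses((1, 0, 0, 0)),
          decide_via_collapses((1, 1, 0, 0)))
```

Running the program confirms the three items of Claim 5 for every index, that a claw exists for a \((\textsc {yes},\textsc {no})\) index but not for a \((\textsc {no},\textsc {yes})\) one (which is exactly what the distinguisher in the proof of Theorem 10 exploits), and that `decide_via_collapses` recovers \(\chi_\varPi(x)\) from a collapse finder for \(h^0_x\). Parity is of course not hard on average, which is why brute-force finders succeed here; the point of the example is the structure of the reductions, not the hardness.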