AbstractStatistical Zero-knowledge proofs (Goldwasser et al. in SICOMP: SIAM J Comput, 1989) allow a computationally unbounded server to convince a computationally limited client that an input x is in a language $${\Pi}$$Π without revealing any additional information about x that the client cannot compute by herself. Randomized encoding (RE) of functions (Ishai & Kushilevitz in FOCS 2000) allows a computationally limited client to publish a single (randomized) message, $${{\rm Enc}(x)}$$Enc(x), from which the server learns whether x is in $${\Pi}$$Π and nothing else. It is known that $${\mathcal{SRE}}$$SRE, the class of problems that admit statistically private randomized encoding with polynomial-time client and computationally unbounded server, is contained in the class $${\mathcal{SZK}}$$SZK of problems that have statistical zero-knowledge proof. However, the exact relation between these two classes, and, in particular, the possibility of equivalence was left as an open problem. In this paper, we explore the relationship between $${\mathcal{SRE}}$$SRE and $${\mathcal{SZK}}$$SZK, and derive the following results: ○In a non-uniform setting, statistical randomized encoding with one-side privacy ($${\mathcal{1RE}}$$1RE) is equivalent to non-interactive statistical zero-knowledge ($${\mathcal{NISZK}}$$NISZK). These variants were studied in the past as natural relaxation/strengthening of the original notions. Our theorem shows that proving $$\mathcal{SRE}=\mathcal{SZK}$$SRE=SZKis equivalent to showing that $${\mathcal{1RE} = \mathcal{SRE}}$$1RE=SRE and $${\mathcal{SZK} = \mathcal{NISZK}}$$SZK=NISZK. The latter is a well-known open problem (Goldreich et al. in CCC 1999).○If $${\mathcal{SRE}}$$SRE is non-trivial (not in $${\mathcal{BPP}}$$BPP), then infinitely often one-way functions exist. The analog hypothesis for $${\mathcal{SZK}}$$SZK yields only auxiliary-input one-way functions (Ostrovsky in Sixth Annual Structure in Complexity Theory Conference 1991), which is believed to be a significantly weaker notion.○If there exists an average-case hard language with perfect randomized encoding, then collision-resistance hash functions (CRH) exist. Again, a similar assumption for $${\mathcal{SZK}}$$SZK implies only constant-round statistically hiding commitments, a primitive which seems weaker than CRH. We believe that our results sharpen the relationship between $${\mathcal{SRE}}$$SRE and $${\mathcal{SZK}}$$SZK and illuminates the core differences between these two classes.

中文翻译：

---

统计零知识与统计随机编码的关系

AbstractStatistical Zero-knowledge proofs (Goldwasser et al. in SICOMP: SIAM J Comput, 1989) 允许计算无限的服务器说服计算有限的客户端输入 x 是一种语言 $${\Pi}$$Π 而不会透露任何客户端无法自行计算的有关 x 的附加信息。函数的随机编码 (RE)（FOCS 2000 中的 Ishai 和 Kushilevitz）允许计算受限的客户端发布单个（随机）消息 $${{\rm Enc}(x)}$$Enc(x)，从中服务器知道 x 是否在 $${\Pi}$$Π 中，没有别的。众所周知，$${\mathcal{SRE}}$$SRE 是一类允许使用多项式时间客户端和计算无界服务器进行统计私有随机编码的问题，包含在具有统计零知识证明的问题的 $${\mathcal{SZK}}$$SZK 类中。然而，这两个类之间的确切关系，特别是等价的可能性，仍然是一个悬而未决的问题。在本文中，我们探讨了 $${\mathcal{SRE}}$$SRE 和 $${\mathcal{SZK}}$$SZK 之间的关系，并得出以下结果： ○在非均匀设置中，统计具有一侧隐私的随机编码（$${\mathcal{1RE}}$$1RE）相当于非交互式统计零知识（$${\mathcal{NISZK}}$$NISZK）。这些变体在过去被研究为原始概念的自然放松/强化。我们的定理表明证明 $$\mathcal{SRE}=\mathcal{SZK}$$SRE=SZK 等价于证明 $${\mathcal{1RE} = \mathcal{SRE}}$$1RE=SRE 和 $$ {\mathcal{SZK} = \mathcal{NISZK}}$$SZK=NISZK。后者是一个众所周知的开放问题（Goldreich et al. in CCC 1999）。○如果 $${\mathcal{SRE}}$$SRE 是非平凡的（不在 $${\mathcal{BPP}}$ $BPP)，那么单向函数无限常存在。$${\mathcal{SZK}}$$SZK 的模拟假设仅产生辅助输入单向函数（Ostrovsky 在 1991 年复杂性理论会议的第六届年度结构中），这被认为是一个明显较弱的概念。○如果存在具有完美随机编码的平均情况硬语言，然后存在抗碰撞散列函数（CRH）。再次，$${\mathcal{SZK}}$$SZK 的类似假设仅意味着恒定回合的统计隐藏承诺，这种原语似乎比 CRH 弱。我们相信我们的结果加强了 $${\mathcal{SRE}}$$SRE 和 $${\mathcal{SZK}}$$SZK 之间的关系，并阐明了这两个类之间的核心差异。