1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science
2 General We investigate how quickly ( number of rounds ) is it possible to perform zero-knowledge and witness protection proofs. Introduce and construct –Zaps –Verifiable pseudo-random sequences Timing and zero-knowledge
3 Plan What are zaps Background Constructions Existentialism Applications
4 What Zaps Are Not An acronym
5 What Are Zaps A zap for a language L is a witness indistinguishable proof system for showing that X L With some special properties Number of rounds When and how random choices are made
6 Witness Protection Programs A witness indistinguishable proof system for X L prover verifier Completeness : if prover has witness W - can construct effective proof that makes verifier accept. Soundness : if X L no prover can succeed with high probability to make verifier accept. Witness protection : for every V’ and any two witnesses W 1 and W 2 : distributions on transcripts are computationally indistinguishable.
7 Zero Knowledge Each (cheating) verifier V ’ induces a distribution on transcripts For all (efficient) verifiers V’ there exists an (efficient) simulator S such that for all X L the distributions on transcripts that V’ induces and that S produces are indistinguishable
8 Witness Indistinguishability (WI) Introduced by Feige and Shamir to speed up zero- knowledge proof `` Natural 3-round zk proof system” - can show WI In contrast - no black-box 3-round zero-knowledge –4-round general constructions achievable Is preserved under composition –both parallel and concurrent In some applications - provides sufficient protection – Identification
9 What Are Zaps II A zap for a language L is a Two-round witness indistinguishable proof system for showing X L 1. verifier prover 2. prover verifier First round message can be fixed `` once and for all ” (before X is chosen) The verifier uses public coins – Single round non-constructively
10 Real World Vs. Shared String World Shared string world : prover and verifier share a string `` deus ex machina ” such that –Guaranteed to be random –Simulator has control over string (transcript includes shared string) –Good for increasing resistance to attacks in PKC Real world : all such strings have to be generated by blood, toil, tears and sweat - –Requires several rounds
11 ``Non-interactive” Zero-knowledge Operates in the shared string model [BDMP] Given protocol is single round: Prover verifier Simulator gets to choose convenient string NIZK for any L NP can be based on any trapdoor permutation [FLS][KP] Certifiable
12 NIZKs and Zaps Theorem : NIZK for L exists (in the shared world) iff zaps for L exist (in the real world) (Bad? ) Idea: let the verifier choose the common string Endangers witness: can choose that will make the prover leak information about witness Correction: prover Xors it with its own random strings Endangers soundness: prover can choose result as in simulator
13 Compromise Repeat many times Each time verifier chooses a fresh string B 1, B 2, …,B m Prover repeats the same string C The proof is given using B 1 C, B 2 C, …,B m C Verifier accepts iff accepts for all m proofs Soundness?! WI?!
14 Verifiable Pseudo-randomness A verifiable p.r. sequence generator (VPRG): on seed s {0,1} n produces public verification key VK and sequence s.t: Binding : there is only one sequence consistent with VK Verifiability : for any seed s and I {1...K} possible to come up with proof for {a i | i I} Passing the i th bit test : for all 1 i k, given VK, and no poly-time adversary can guess a i with non-negligible advantage. Special case of VPRF [MRS]
15 Approximate VPRGs Relaxation Relaxed binding: limited number of possible opening Two round communication: zaps style Can construct (approximate) VPRGs from trapdoors Theorem : zaps exist iff approximate VPRGs (with certain parameters) exist. Open problem: does small expansion in VPRG imply large expansion?
16 Hidden Random Strings – A `Physical’ proof Prover is dealt ℓ binary cards with random values –Can reveal any subset of them. To prove that X L holding witness W holding witness - reveal a subset of them – and additional information – Soundness : if X L with probability at least 1-q there are no ( , ) for which the verifier accepts Witness Indistinguishability : simulator on input X L generates ( , ) –Identically distributed to real ones –Given witness W can complete the remaining cards to fit W
17 Using HRS and VPRGs to Get Zaps Let m = k/ ℓ. HRS proof is repeated m times Verifier sends b 1, b 2, …, b k Prover: –Chooses random string C 2 {0,1} ℓ and seed s for VPRG Sequence is a 1, a 2, …,a k –Sends C and VK. Bit i of HRS is a i b i c i mod ℓ +1 –For each opened bit in prover sends a k and proof of consistency Verifier checks the m HRS proofs and the consistency of the opened bits ℓ ℓ …
18 Constructing VPRGs from Trapdoor Permutations Choose f 1, f 2, …,f r - certifiable trapdoor permutations –Each f i : D n → D n Choose y 1, y 2, …,y c - from D n VK =, Entry ( i,j ) hardcore predicate of f i -1 (y j ) f2f2 f1f1 frfr y1y1 y2y2 ycyc
19 Concurrent and Resettable Composition WI compose concurrently - so do zaps. In contrast : no black-box composition of zero-knowledge proofs in constant number of rounds [KPR][R][CKPR] Resettable adversary - can rerun the protocol with new random bits [CGGM] Zaps are immune to resettable adversaries - New: 2-round resettable WI proofs
20 Applications Oblivious transfer / 2 rounds (PK) Using time in the design of protocols [DNS]: Timing based ( , ) assumption for < : If one processor measures , the second , then finishes after . New results using zaps: 3-round zk (in contrast - impossible in regular mode) 2-round deniable authentication 3-round resettable zero-knowledge
21 Tool: Timed Commitments [BN] Regular commitment Potential forced opening phase X Receiver Sender
22 SenderReceiver Commit Phase Reveal Phase Sende r Receiver X Regular Commitments Receiver can verify X Sender is bound to X X
23 Forced Open Phase Sende r X Receiver Receiver extracts X (+proof) in time T Commitment is secure only for time t < T ForcedOpening Potential Forced Opening
24 Requirements Future recoverability - verifiable following commit phase Decommitment - value + proof. Ditto for forcibly recovered values. Can act as genuine proof of knowledge to committed value Immunity to parallel attacks Construction based on ``generalized BBS.” Uses several rounds to prove consistency of commitment [BN]. We will substitute with a zap.
25 The Power Function g 2 2 k mod N N=PQ - Blum integer, g - a generator Unknown factorization - repeated squaring g 2 i+1 = g 2 i g 2 i mod N Takes 2 k squarings
26...Power Function Factors known - random access property of BBS PRG: –compute x = 2 2 k mod –compute g x mod N Used before: Uncheatable Benchmarks [CLSY] Time-locks for documents [RSW]
27 The Commitment Select N - Blum Integer - and g - generator of large subgroup Set Y k g 2 2 k mod N Base committed value on Z k g 2 2 k - 1 mod N
28 Committing using Z k Several options: Xor with hardcore predicate of Z k : –LSB of Z k –Inner product with random R Xor with pseudo-random sequence with seed Z k.
29 The Commitment - Proofs… Sender generates and send = mod N Proves consistency of - For all 1 i k show: is of the form
30 The Commitment - Proofs… Key point: Efficient ZK protocols for consistency of Similar to proving Diffie-Hellman triple Slightly different in Z N * than in Z P *
31 3-round Timed Concurrent ZK To prove X L Prover verifier: string for zaps Verifier prover: time commit to . Give zap of consistency of at least one of them using . String for zaps Prover verifier: commit with knowledge to random z. Give zap of consistency using that either (i) X L or (ii) z = or (iii) z = Timing requirement: verifier receives response within
32 Open Problems Efficiency: Zaps for specific problems –Are x or y quadratic residues mod N –Zaps for timed commitment VPRGs Do VPRGs compose? VPRF from VPRG? VPRGs based on Diffie-Hellman? Round optimal - 2 round zk possible? Explicit 1 round zap?