Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science."— Presentation transcript:

1 1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science

2 2 General We investigate how quickly ( number of rounds ) is it possible to perform zero-knowledge and witness protection proofs. Introduce and construct –Zaps –Verifiable pseudo-random sequences Timing and zero-knowledge

3 3 Plan What are zaps Background Constructions Existentialism Applications

4 4 What Zaps Are Not An acronym

5 5 What Are Zaps A zap for a language L is a witness indistinguishable proof system for showing that X  L With some special properties Number of rounds When and how random choices are made

6 6 Witness Protection Programs A witness indistinguishable proof system for X  L prover  verifier Completeness : if prover has witness W - can construct effective proof that makes verifier accept. Soundness : if X  L no prover can succeed with high probability to make verifier accept. Witness protection : for every V’ and any two witnesses W 1 and W 2 : distributions on transcripts are computationally indistinguishable.

7 7 Zero Knowledge Each (cheating) verifier V ’ induces a distribution on transcripts For all (efficient) verifiers V’ there exists an (efficient) simulator S such that for all X  L the distributions on transcripts that V’ induces and that S produces are indistinguishable

8 8 Witness Indistinguishability (WI) Introduced by Feige and Shamir to speed up zero- knowledge proof `` Natural 3-round zk proof system” - can show WI In contrast - no black-box 3-round zero-knowledge –4-round general constructions achievable Is preserved under composition –both parallel and concurrent In some applications - provides sufficient protection – Identification

9 9 What Are Zaps II A zap for a language L is a Two-round witness indistinguishable proof system for showing X  L 1. verifier  prover 2. prover  verifier First round message can be fixed `` once and for all ” (before X is chosen) The verifier uses public coins – Single round non-constructively

10 10 Real World Vs. Shared String World Shared string world : prover and verifier share a string `` deus ex machina ” such that –Guaranteed to be random –Simulator has control over string (transcript includes shared string) –Good for increasing resistance to attacks in PKC Real world : all such strings have to be generated by blood, toil, tears and sweat - –Requires several rounds

11 11 ``Non-interactive” Zero-knowledge Operates in the shared string model [BDMP] Given  protocol is single round: Prover  verifier Simulator gets to choose convenient string  NIZK for any L  NP can be based on any trapdoor permutation [FLS][KP] Certifiable

12 12 NIZKs and Zaps Theorem : NIZK for L exists (in the shared world) iff zaps for L exist (in the real world) (Bad? ) Idea: let the verifier choose the common string  Endangers witness: can choose  that will make the prover leak information about witness Correction: prover Xors it with its own random strings Endangers soundness: prover can choose result as in simulator

13 13 Compromise Repeat many times Each time verifier chooses a fresh string B 1, B 2, …,B m Prover repeats the same string C The proof is given using B 1  C, B 2  C, …,B m  C Verifier accepts iff accepts for all m proofs Soundness?! WI?!

14 14 Verifiable Pseudo-randomness A verifiable p.r. sequence generator (VPRG): on seed s  {0,1} n produces public verification key VK and sequence s.t: Binding : there is only one sequence consistent with VK Verifiability : for any seed s and I  {1...K} possible to come up with proof  for {a i | i  I} Passing the i th bit test : for all 1  i  k, given VK,  and no poly-time adversary can guess a i with non-negligible advantage. Special case of VPRF [MRS]

15 15 Approximate VPRGs Relaxation Relaxed binding: limited number of possible opening Two round communication: zaps style Can construct (approximate) VPRGs from trapdoors Theorem : zaps exist iff approximate VPRGs (with certain parameters) exist. Open problem: does small expansion in VPRG imply large expansion?

16 16 Hidden Random Strings – A `Physical’ proof Prover is dealt ℓ binary cards with random values –Can reveal any subset of them. To prove that X  L holding witness W holding witness - reveal a subset of them –  and additional information –  Soundness : if X  L with probability at least 1-q there are no ( ,  ) for which the verifier accepts Witness Indistinguishability : simulator on input X  L generates ( ,  ) –Identically distributed to real ones –Given witness W can complete the remaining cards to fit W

17 17 Using HRS and VPRGs to Get Zaps Let m = k/ ℓ. HRS proof is repeated m times Verifier sends b 1, b 2, …, b k Prover: –Chooses random string C 2 {0,1} ℓ and seed s for VPRG Sequence is a 1, a 2, …,a k –Sends C and VK. Bit i of HRS is a i  b i  c i mod ℓ +1 –For each opened bit in  prover sends a k and proof of consistency Verifier checks the m HRS proofs and the consistency of the opened bits ℓ ℓ …

18 18 Constructing VPRGs from Trapdoor Permutations Choose f 1, f 2, …,f r - certifiable trapdoor permutations –Each f i : D n → D n Choose y 1, y 2, …,y c - from D n VK =, Entry ( i,j ) hardcore predicate of f i -1 (y j ) f2f2 f1f1 frfr y1y1 y2y2 ycyc

19 19 Concurrent and Resettable Composition WI compose concurrently - so do zaps. In contrast : no black-box composition of zero-knowledge proofs in constant number of rounds [KPR][R][CKPR] Resettable adversary - can rerun the protocol with new random bits [CGGM] Zaps are immune to resettable adversaries - New: 2-round resettable WI proofs

20 20 Applications Oblivious transfer - 2 1 / 2 rounds (PK) Using time in the design of protocols [DNS]: Timing based ( ,  ) assumption for  <  : If one processor measures , the second , then  finishes after . New results using zaps: 3-round zk (in contrast - impossible in regular mode) 2-round deniable authentication 3-round resettable zero-knowledge

21 21 Tool: Timed Commitments [BN] Regular commitment Potential forced opening phase X Receiver Sender

22 22 SenderReceiver Commit Phase Reveal Phase Sende r Receiver X Regular Commitments Receiver can verify X Sender is bound to X X

23 23 Forced Open Phase Sende r X Receiver Receiver extracts X (+proof) in time T Commitment is secure only for time t < T ForcedOpening Potential Forced Opening

24 24 Requirements Future recoverability - verifiable following commit phase Decommitment - value + proof. Ditto for forcibly recovered values. Can act as genuine proof of knowledge to committed value Immunity to parallel attacks Construction based on ``generalized BBS.” Uses several rounds to prove consistency of commitment [BN]. We will substitute with a zap.

25 25 The Power Function g 2 2 k mod N N=PQ - Blum integer, g - a generator Unknown factorization - repeated squaring g 2 i+1 = g 2 i g 2 i mod N Takes 2 k squarings

26 26...Power Function Factors known - random access property of BBS PRG: –compute x = 2 2 k mod  –compute g x mod N Used before: Uncheatable Benchmarks [CLSY] Time-locks for documents [RSW]

27 27 The Commitment Select N - Blum Integer - and g - generator of large subgroup Set Y k  g 2 2 k mod N Base committed value on Z k   g 2 2 k - 1 mod N

28 28 Committing using Z k Several options: Xor with hardcore predicate of Z k : –LSB of Z k –Inner product with random R Xor with pseudo-random sequence with seed Z k.

29 29 The Commitment - Proofs… Sender generates and send = mod N Proves consistency of - For all 1  i  k show: is of the form

30 30 The Commitment - Proofs… Key point:  Efficient ZK protocols for consistency of Similar to proving Diffie-Hellman triple Slightly different in Z N * than in Z P *

31 31 3-round Timed Concurrent ZK To prove X  L Prover  verifier: string   for zaps Verifier  prover: time commit to    . Give zap of consistency of at least one of them using  . String   for zaps Prover  verifier: commit with knowledge to random z. Give zap of consistency using   that either (i) X  L or (ii) z =   or (iii) z =   Timing requirement: verifier receives response within 

32 32 Open Problems Efficiency: Zaps for specific problems –Are x or y quadratic residues mod N –Zaps for timed commitment VPRGs Do VPRGs compose? VPRF from VPRG? VPRGs based on Diffie-Hellman? Round optimal - 2 round zk possible? Explicit 1 round zap?

Download ppt "1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
A threshold of ln(n) for approximating set cover By Uriel Feige Lecturer: Ariel Procaccia.

A threshold of ln(n) for approximating set cover By Uriel Feige Lecturer: Ariel Procaccia.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

Similar presentations

Ads by Google