Zaps and Apps (Cynthia Dwork, Microsoft Research; Moni Naor, Weizmann Institute of Science)
Post on 21-Dec-2015
1
Zaps and Apps
Cynthia Dwork, Microsoft Research
Moni Naor, Weizmann Institute of Science
2
General
We investigate how quickly (in number of rounds) it is possible to perform zero-knowledge and witness-protection proofs.
• Introduce and construct
– Zaps
– Verifiable pseudo-random sequences
• Timing and zero-knowledge
3
Plan
• What are zaps
• Background
• Constructions
• Existentialism
• Applications
4
What Zaps Are Not
An acronym
5
What Are Zaps
A zap for a language L is a witness indistinguishable proof system for showing that X ∈ L,
with some special properties:
• Number of rounds
• When and how random choices are made
6
Witness Protection Programs
A witness indistinguishable proof system for X ∈ L
Prover and verifier:
• Completeness: if the prover has a witness W, it can construct an effective proof that makes the verifier accept.
• Soundness: if X ∉ L, no prover can succeed with high probability in making the verifier accept.
• Witness protection: for every V’ and any two witnesses W1 and W2, the distributions on transcripts are computationally indistinguishable.
7
Zero Knowledge
• Each (cheating) verifier V’ induces a distribution on transcripts
• For all (efficient) verifiers V’ there exists an (efficient) simulator S such that for all X ∈ L the distributions on transcripts that V’ induces and that S produces are indistinguishable
8
Witness Indistinguishability (WI)
• Introduced by Feige and Shamir to speed up zero-knowledge proofs
• The ``natural” 3-round ZK proof system can be shown to be WI
• In contrast: no black-box 3-round zero-knowledge
– 4-round general constructions achievable
• Preserved under composition
– both parallel and concurrent
• In some applications provides sufficient protection
– Identification
9
What Are Zaps II
A zap for a language L is a
• Two-round witness indistinguishable proof system for showing X ∈ L
1. verifier → prover
2. prover → verifier
• First round message can be fixed ``once and for all” (before X is chosen)
• The verifier uses public coins
– Single round non-constructively
10
Real World vs. Shared String World
• Shared string world: prover and verifier share a string ``deus ex machina” such that
– Guaranteed to be random
– Simulator has control over the string (transcript includes the shared string)
– Good for increasing resistance to attacks in PKC
• Real world: all such strings have to be generated by blood, toil, tears and sweat
– Requires several rounds
11
``Non-interactive” Zero-knowledge
• Operates in the shared string model [BDMP]
• Given protocol is single round: prover → verifier
• Simulator gets to choose a convenient string
• NIZK for any L ∈ NP can be based on any (certifiable) trapdoor permutation [FLS][KP]
12
NIZKs and Zaps
Theorem: NIZK for L exists (in the shared string world) iff zaps for L exist (in the real world)
(Bad?) Idea: let the verifier choose the common string.
Endangers witness: the verifier can choose a string that will make the prover leak information about the witness.
Correction: the prover XORs it with its own random string.
Endangers soundness: the prover can choose the result the way the simulator does.
13
Compromise
• Repeat many times
• Each time the verifier chooses a fresh string: B1, B2, …, Bm
• Prover repeats the same string C
• The proof is given using B1 ⊕ C, B2 ⊕ C, …, Bm ⊕ C
• Verifier accepts iff it accepts all m proofs
Soundness?! WI?!
14
Verifiable Pseudo-randomness
A verifiable p.r. sequence generator (VPRG): on seed s ∈ {0,1}^n produces a public verification key VK and a sequence <a1, a2, …, ak> s.t.:
Binding: there is only one sequence consistent with VK
Verifiability: for any seed s and I ⊆ {1, …, k} it is possible to come up with a proof for {ai | i ∈ I}
Passing the ith bit test: for all 1 ≤ i ≤ k, given VK and <a1, a2, …, a_{i-1}, a_{i+1}, …, ak>, no poly-time adversary can guess ai with non-negligible advantage.
Special case of VPRF [MRS]
15
Approximate VPRGs
Relaxation:
• Relaxed binding: limited number of possible openings
• Two-round communication: zaps style
Can construct (approximate) VPRGs from trapdoors
Theorem: zaps exist iff approximate VPRGs (with certain parameters) exist.
Open problem: does small expansion in VPRG imply large expansion?
16
Hidden Random Strings – A `Physical’ Proof
• Prover is dealt ℓ binary cards with random values
– Can reveal any subset of them.
• To prove that X ∈ L while holding witness W: reveal a subset of the cards, together with some additional information
Soundness: if X ∉ L, with probability at least 1-q there is no choice of (revealed subset, additional information) for which the verifier accepts
Witness Indistinguishability: the simulator, on input X ∈ L, generates a (revealed subset, additional information) pair
– Identically distributed to real ones
– Given witness W, it can complete the remaining cards to fit W
17
Using HRS and VPRGs to Get Zaps
Let m = k/ℓ. The HRS proof is repeated m times.
• Verifier sends b1, b2, …, bk
• Prover:
– Chooses a random string C ∈ {0,1}^ℓ and a seed s for the VPRG
• Sequence is a1, a2, …, ak
– Sends C and VK.
• Bit i of the HRS is ai ⊕ bi ⊕ c_{(i mod ℓ)+1}
– For each opened bit in the HRS, the prover sends the corresponding ai and a proof of consistency
• Verifier checks the m HRS proofs and the consistency of the opened bits
18
Constructing VPRGs from Trapdoor Permutations
• Choose f1, f2, …, fr - certifiable trapdoor permutations
– Each fi : Dn → Dn
• Choose y1, y2, …, yc from Dn
• VK = <f1, f2, …, fr>, <y1, y2, …, yc>
• Entry (i,j) is the hardcore predicate of fi^{-1}(yj)
[Figure: r × c table of entries, rows labelled f1, f2, …, fr and columns labelled y1, y2, …, yc]
19
Concurrent and Resettable Composition
WI proofs compose concurrently, so zaps do too. In contrast: no black-box composition of zero-knowledge proofs in a constant number of rounds [KPR][R][CKPR]
Resettable adversary - can rerun the protocol with new random bits [CGGM]
Zaps are immune to resettable adversaries - New: 2-round resettable WI proofs
20
Applications
• Oblivious transfer - 2½ rounds (PK)
• Using time in the design of protocols [DNS]:
Timing-based assumption with two time bounds, the first smaller than the second: if one processor measures the first bound on its clock and a second processor measures the second, then the second finishes after the first.
New results using zaps:
• 3-round ZK (in contrast: impossible in the regular model)
• 2-round deniable authentication
• 3-round resettable zero-knowledge
21
Tool: Timed Commitments [BN]
• Regular commitment
• Potential forced opening phase
[Figure: Sender holding X, Receiver]
22
Regular Commitments
Commit Phase: Sender → Receiver (commits to X)
Reveal Phase: Sender → Receiver: X
• Receiver can verify X
• Sender is bound to X
23
Forced Open Phase (potential forced opening)
Sender holds X; no reveal message is sent.
Receiver extracts X (+proof) in time T
Commitment is secure only for time t < T
24
Requirements
• Future recoverability - verifiable following the commit phase
• Decommitment - value + proof. Ditto for forcibly recovered values. Can act as a genuine proof of knowledge of the committed value
• Immunity to parallel attacks
Construction based on ``generalized BBS.” Uses several rounds to prove consistency of commitment [BN].
We will substitute with a zap.
25
The Power Function
g^{2^{2^k}} mod N
N = P•Q - Blum integer, g - a generator
Unknown factorization - repeated squaring:
g^{2^{i+1}} = g^{2^i} • g^{2^i} mod N
Takes 2^k squarings
26
...Power Function
Factors known - random access property of the BBS PRG:
– compute x = 2^{2^k} mod φ(N)
– compute g^x mod N
Used before:
• Uncheatable Benchmarks [CLSY]
• Time-locks for documents [RSW]
27
The Commitment
• Select N - Blum integer - and g - generator of a large subgroup
• Set Yk = g^{2^{2^k}} mod N
• Base the committed value on
Zk = g^{2^{2^k - 1}} mod N (a square root of Yk)
28
Committing using Zk
Several options:
• XOR with a hardcore predicate of Zk:
– LSB of Zk
– Inner product with random R
• XOR with a pseudo-random sequence with seed Zk.
29
The Commitment - Proofs…
• Sender generates and sends <g, Y0, Y1, …, Yk> = <g, g^2, g^4, …, g^{2^{2^i}}, …, g^{2^{2^k}}> mod N
• Proves consistency of <Y0, Y1, …, Yk>:
For all 1 ≤ i ≤ k show: <g, Yi, Y_{i+1}> is of the form <g, g^x, g^{x^2}>
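The power function of slides 25 and 26, the commitment values Yk and Zk of slide 27 and the consistency relation above, worked through in code. This is an added example, not code from the Dwork-Naor talk or the Boneh-Naor paper; P, Q, G and the bit-commitment helpers are constructed toy values and names of my own, and the consistency check is done directly (the expensive way a zap is meant to avoid) purely to show what relation the sender proves.

```python
# Added example, not from the Dwork-Naor slides: the BBS "power function" of the
# timed commitment, computed slowly (repeated squaring, factors unknown) and fast
# (factors known, exponent reduced mod phi(N)), the published chain Y_0..Y_k, and
# the Z_k a committed bit is masked with. P, Q are constructed toy primes, both
# 3 mod 4 so N is a Blum integer; real use needs a large N only the sender can factor.
P, Q = 1019, 1031
N = P * Q
PHI = (P - 1) * (Q - 1)
G = 3  # toy base; the slides want a generator of a large subgroup

def power_slow(g, k, n):
    """g^(2^(2^k)) mod n by 2^k sequential squarings: g^(2^(i+1)) = g^(2^i) * g^(2^i)."""
    y = g
    for _ in range(2 ** k):
        y = y * y % n
    return y

def power_fast(g, k, n, phi):
    """Random-access property of BBS (factors known): x = 2^(2^k) mod phi(N), then g^x mod N."""
    return pow(g, pow(2, 2 ** k, phi), n)

def chain(g, k, n, phi):
    """<Y_0, ..., Y_k> with Y_i = g^(2^(2^i)) mod N, as the sender publishes it."""
    return [power_fast(g, i, n, phi) for i in range(k + 1)]

def chain_is_consistent(g, ys, n):
    """The relation the sender proves in ZK: <g, Y_i, Y_{i+1}> has the form
    <g, g^x, g^(x^2)> with x = 2^(2^i). Checked directly here, which costs the
    checker about 2^i squarings per link; the zap spares the receiver that work."""
    if ys[0] != g * g % n:
        return False
    return all(pow(ys[i], 2 ** (2 ** i), n) == ys[i + 1] for i in range(len(ys) - 1))

def z_k(g, k, n, phi):
    """Z_k = g^(2^(2^k - 1)) mod N: the square root of Y_k the commitment is based on."""
    return pow(g, pow(2, 2 ** k - 1, phi), n)

def commit_bit(b, g, k, n, phi):
    """Commit to bit b by XORing it with the LSB of Z_k (one option on the slides)."""
    return b ^ (z_k(g, k, n, phi) & 1)

def force_open(c, g, k, n):
    """Receiver without the factors: recover Z_k by 2^k - 1 squarings of g, then unmask."""
    z = g
    for _ in range(2 ** k - 1):
        z = z * z % n
    return c ^ (z & 1)
```

With these toy parameters the slow and fast paths agree for every k, and force_open recovers the committed bit after exactly the 2^k - 1 squarings that set the commitment's time bound T.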
30
The Commitment - Proofs…
Key point: Efficient ZK protocols for consistency of <g, g^x, g^{x^2}>
Similar to proving a Diffie-Hellman triple
Slightly different in Z_N^* than in Z_P^*
31
3-round Timed Concurrent ZK
To prove X ∈ L:
• Prover → verifier: string for zaps
• Verifier → prover: timed commitments to two values; give a zap, using the prover's string, of the consistency of at least one of them. String for zaps
• Prover → verifier: commit with knowledge to a random z; give a zap, using the verifier's string, that either (i) X ∈ L or (ii) z equals the first committed value or (iii) z equals the second committed value
Timing requirement: the verifier receives the response within the time bound
32
Open Problems
Efficiency:
• Zaps for specific problems
– Are x or y quadratic residues mod N
– Zaps for timed commitment
VPRGs:
• Do VPRGs compose? VPRF from VPRG?
• VPRGs based on Diffie-Hellman?
Round optimal:
• 2-round ZK possible? Explicit 1-round zap?