1 Zaps and Apps Cynthia Dwork Microsoft Research Moni Naor Weizmann Institute of Science

Post on 21-Dec-2015

216 views

Category:

Documents


0 download

TRANSCRIPT

Page 1:

Zaps and Apps

Cynthia Dwork, Microsoft Research

Moni Naor, Weizmann Institute of Science

Page 2:

General

We investigate how quickly (in number of rounds) it is possible to perform zero-knowledge and witness-protection proofs.

• Introduce and construct:
 – Zaps
 – Verifiable pseudo-random sequences

• Timing and zero-knowledge

Page 3:

Plan

• What are zaps
• Background
• Constructions
• Existentialism
• Applications

Page 4:

What Zaps Are Not

An acronym

Page 5:

What Are Zaps

A zap for a language L is a witness indistinguishable proof system for showing that X ∈ L

With some special properties:
• Number of rounds
• When and how random choices are made

Page 6:

Witness Protection Programs

A witness indistinguishable proof system for X ∈ L

prover ↔ verifier

• Completeness: if the prover has a witness W, it can construct an effective proof that makes the verifier accept.
• Soundness: if X ∉ L, no prover can succeed with high probability in making the verifier accept.
• Witness protection: for every V’ and any two witnesses W1 and W2, the distributions on transcripts are computationally indistinguishable.

Page 7:

Zero Knowledge

• Each (cheating) verifier V’ induces a distribution on transcripts

• For all (efficient) verifiers V’ there exists an (efficient) simulator S such that for all X ∈ L the distributions on transcripts that V’ induces and that S produces are indistinguishable

Page 8:

Witness Indistinguishability (WI)

• Introduced by Feige and Shamir to speed up zero-knowledge proofs
• ``Natural 3-round zk proof system” - can show WI
• In contrast - no black-box 3-round zero-knowledge
 – 4-round general constructions achievable
• Is preserved under composition
 – both parallel and concurrent
• In some applications - provides sufficient protection
 – Identification

Page 9:

What Are Zaps II

A zap for a language L is a
• Two-round witness indistinguishable proof system for showing X ∈ L
 1. verifier → prover
 2. prover → verifier
• First round message can be fixed ``once and for all” (before X is chosen)
• The verifier uses public coins
 – Single round non-constructively

Page 10:

Real World vs. Shared String World

• Shared string world: prover and verifier share a string ``deus ex machina” such that
 – Guaranteed to be random
 – Simulator has control over the string (transcript includes shared string)
 – Good for increasing resistance to attacks in PKC
• Real world: all such strings have to be generated by blood, toil, tears and sweat
 – Requires several rounds

Page 11:

``Non-interactive” Zero-knowledge

• Operates in the shared string model [BDMP]
• Given protocol is single round: Prover → verifier
• Simulator gets to choose a convenient string
• NIZK for any L ∈ NP can be based on any (certifiable) trapdoor permutation [FLS][KP]

Page 12:

NIZKs and Zaps

Theorem: NIZK for L exists (in the shared string world) iff zaps for L exist (in the real world)

(Bad?) Idea: let the verifier choose the common string. Endangers the witness: the verifier can choose a string that will make the prover leak information about the witness.

Correction: the prover XORs it with its own random string. Endangers soundness: the prover can choose the result as in the simulator.

Page 13:

Compromise

• Repeat many times
• Each time the verifier chooses a fresh string B1, B2, …, Bm
• The prover repeats the same string C
• The proof is given using B1 ⊕ C, B2 ⊕ C, …, Bm ⊕ C
• Verifier accepts iff it accepts for all m proofs

Soundness?! WI?!

Page 14:

Verifiable Pseudo-randomness

A verifiable p.r. sequence generator (VPRG): on seed s ∈ {0,1}^n produces a public verification key VK and a sequence <a1, a2, …, ak> s.t.:

Binding: there is only one sequence consistent with VK

Verifiability: for any seed s and I ⊆ {1…k} it is possible to come up with a proof for {ai | i ∈ I}

Passing the ith bit test: for all 1 ≤ i ≤ k, given VK and <a1, a2, …, ai-1, ai+1, …, ak>, no poly-time adversary can guess ai with non-negligible advantage.

Special case of VPRF [MRS]

Page 15:

Approximate VPRGs

Relaxation:
• Relaxed binding: limited number of possible openings
• Two round communication: zaps style

Can construct (approximate) VPRGs from trapdoors

Theorem: zaps exist iff approximate VPRGs (with certain parameters) exist.

Open problem: does small expansion in VPRG imply large expansion?

Page 16:

Hidden Random Strings – A `Physical’ Proof

• Prover is dealt ℓ binary cards with random values
 – Can reveal any subset of them.
• To prove that X ∈ L while holding witness W: reveal a subset of them – and additional information –

Soundness: if X ∉ L, with probability at least 1-q there are no (,) for which the verifier accepts

Witness Indistinguishability: simulator on input X ∈ L generates (,)
 – Identically distributed to real ones
 – Given witness W can complete the remaining cards to fit W

Page 17:

Using HRS and VPRGs to Get Zaps

Let m = k/ℓ. The HRS proof is repeated m times.

• Verifier sends b1, b2, …, bk
• Prover:
 – Chooses random string C ∈ {0,1}^ℓ and seed s for the VPRG
 • Sequence is a1, a2, …, ak
 – Sends C and VK.
 • Bit i of HRS is ai ⊕ bi ⊕ c_((i mod ℓ)+1)
 – For each opened bit i the prover sends ai and a proof of consistency
• Verifier checks the m HRS proofs and the consistency of the opened bits

Page 18:

Constructing VPRGs from Trapdoor Permutations

• Choose f1, f2, …, fr - certifiable trapdoor permutations
 – Each fi : Dn → Dn
• Choose y1, y2, …, yc from Dn
• VK = <f1, f2, …, fr>, <y1, y2, …, yc>
• Entry (i,j) = hardcore predicate of fi^-1(yj)

[Figure: r × c table of entries, rows f1, f2, …, fr, columns y1, y2, …, yc]
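An added toy instance of the construction on this slide (example code, not from the Dwork–Naor slides or paper): small RSA permutations stand in for the certifiable trapdoor permutations f1, …, fr, the least significant bit is the hardcore predicate, and opening an entry means revealing the preimage fi^-1(yj), which anyone holding VK can check by applying fi. Key sizes are illustrative only.

```python
# Added example, not from the Dwork-Naor slides: a toy VPRG built as the slide
# describes, with small RSA permutations standing in for the certifiable
# trapdoor permutations f_1..f_r and the least significant bit as the hardcore
# predicate. Sizes are illustrative; nothing here is secure.
from math import gcd

def rsa_perm(p, q, e=3):
    """Toy trapdoor permutation f(x) = x^e mod n; the trapdoor is d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    return n, e, pow(e, -1, phi)

def vprg_keygen(perms, ys):
    """VK = (<f_1..f_r> as (n_i, e_i), <y_1..y_c>); the seed is the list of trapdoors d_i."""
    vk = ([(n, e) for n, e, _ in perms], list(ys))
    seed = [d for _, _, d in perms]
    return vk, seed

def vprg_sequence(vk, seed):
    """Entry (i, j) = LSB of f_i^{-1}(y_j); the r*c entries are flattened row by row."""
    pubs, ys = vk
    return [pow(y, d, n) & 1 for (n, _), d in zip(pubs, seed) for y in ys]

def vprg_open(vk, seed, idx):
    """Proof for entry idx: the preimage x = f_i^{-1}(y_j) itself (needs the trapdoor)."""
    pubs, ys = vk
    i, j = divmod(idx, len(ys))
    n, _ = pubs[i]
    return pow(ys[j], seed[i], n)

def vprg_verify(vk, idx, bit, proof):
    """Verifier recomputes f_i(proof) and checks it equals y_j, then reads the bit.
    Binding: f_i is a permutation, so y_j has exactly one preimage and hence one bit."""
    pubs, ys = vk
    i, j = divmod(idx, len(ys))
    n, e = pubs[i]
    return pow(proof, e, n) == ys[j] and (proof & 1) == bit

if __name__ == "__main__":
    # constructed toy parameters: three RSA permutations (r = 3) and three points y_j (c = 3)
    vk, seed = vprg_keygen([rsa_perm(11, 17), rsa_perm(23, 29), rsa_perm(41, 47)], [5, 7, 13])
    seq = vprg_sequence(vk, seed)
    for idx, bit in enumerate(seq):
        assert vprg_verify(vk, idx, bit, vprg_open(vk, seed, idx))
    print("sequence", seq, "- every opened bit verifies against VK")
```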

Page 19:

Concurrent and Resettable Composition

WI composes concurrently - so do zaps. In contrast: no black-box composition of zero-knowledge proofs in a constant number of rounds [KPR][R][CKPR]

Resettable adversary - can rerun the protocol with new random bits [CGGM]

Zaps are immune to resettable adversaries - New: 2-round resettable WI proofs

Page 20:

Applications

• Oblivious transfer - 2½ rounds (PK)
• Using time in the design of protocols [DNS]: Timing based (,) assumption for <: if one processor measures , the second , then finishes after .

New results using zaps:
• 3-round zk (in contrast - impossible in regular mode)
• 2-round deniable authentication
• 3-round resettable zero-knowledge

Page 21:

Tool: Timed Commitments [BN]

• Regular commitment
• Potential forced opening phase

[Figure: Sender commits to X towards Receiver]

Page 22:

Regular Commitments

[Figure: Commit Phase - Sender → Receiver; Reveal Phase - Sender → Receiver, X]

Receiver can verify X

Sender is bound to X

Page 23:

Forced Open Phase

[Figure: Sender holds X; Receiver forces it open]

Receiver extracts X (+proof) in time T

Commitment is secure only for time t < T

Potential Forced Opening

Page 24:

Requirements

• Future recoverability - verifiable following the commit phase
• Decommitment - value + proof. Ditto for forcibly recovered values. Can act as a genuine proof of knowledge of the committed value
• Immunity to parallel attacks

Construction based on ``generalized BBS.” Uses several rounds to prove consistency of commitment [BN].

We will substitute with a zap.

Page 25:

The Power Function

$g^{2^{2^k}} \bmod N$

N = P·Q - Blum integer, g - a generator

Unknown factorization - repeated squaring:

$g^{2^{i+1}} = g^{2^i} \cdot g^{2^i} \bmod N$

Takes $2^k$ squarings

Page 26:

...Power Function

Factors known - random access property of the BBS PRG:
 – compute $x = 2^{2^k} \bmod \varphi(N)$
 – compute $g^x \bmod N$

Used before:
• Uncheatable Benchmarks [CLSY]
• Time-locks for documents [RSW]

Page 27:

The Commitment

• Select N - Blum integer - and g - generator of a large subgroup
• Set $Y_k = g^{2^{2^k}} \bmod N$
• Base the committed value on $Z_k = g^{2^{2^k} - 1} \bmod N$

Page 28:

Committing using Zk

Several options:
• Xor with a hardcore predicate of Zk:
 – LSB of Zk
 – Inner product with random R
• Xor with a pseudo-random sequence with seed Zk.

Page 29:

The Commitment - Proofs…

• Sender generates and sends $\langle g, Y_0, Y_1, \ldots, Y_k \rangle = \langle g, g^2, g^4, \ldots, g^{2^{2^i}}, \ldots, g^{2^{2^k}} \rangle \bmod N$
• Proves consistency of $\langle Y_0, Y_1, \ldots, Y_k \rangle$: for all $1 \le i \le k$ show that $\langle g, Y_i, Y_{i+1} \rangle$ is of the form $\langle g, g^x, g^{x^2} \rangle$

Page 30:

The Commitment - Proofs…

Key point: Efficient ZK protocols for consistency of $\langle g, g^x, g^{x^2} \rangle$

Similar to proving a Diffie-Hellman triple

Slightly different in $Z_N^*$ than in $Z_P^*$

Page 31:

3-round Timed Concurrent ZK

To prove X ∈ L:
• Prover → verifier: string for zaps
• Verifier → prover: time commit to . Give zap of consistency of at least one of them using . String for zaps
• Prover → verifier: commit with knowledge to random z. Give zap of consistency using that either (i) X ∈ L or (ii) z = or (iii) z =

Timing requirement: verifier receives response within

Page 32:

Open Problems

Efficiency:
• Zaps for specific problems
 – Are x or y quadratic residues mod N
 – Zaps for timed commitment

VPRGs:
• Do VPRGs compose? VPRF from VPRG?
• VPRGs based on Diffie-Hellman?

Round optimal:
• 2 round zk possible?
• Explicit 1 round zap?