Zaps and Apps. Cynthia Dwork, Microsoft Research; Moni Naor, Weizmann Institute of Science
General. We investigate how quickly (in number of rounds) it is possible to perform zero-knowledge and witness-protection proofs. • Introduce and construct: • Zaps • Verifiable pseudo-random sequences • Timing and zero-knowledge
Plan • What are zaps • Background • Constructions • Existentialism • Applications
What Zaps Are Not: an acronym
What Are Zaps. A zap for a language L is a witness-indistinguishable proof system for showing that X ∈ L, with some special properties: • Number of rounds • When and how random choices are made
Witness Protection Programs. A witness-indistinguishable proof system for X ∈ L (prover ↔ verifier): • Completeness: if the prover has a witness W, it can construct an effective proof that makes the verifier accept. • Soundness: if X ∉ L, no prover can succeed with high probability in making the verifier accept. • Witness protection: for every V’ and any two witnesses W1 and W2, the distributions on transcripts are computationally indistinguishable.
Zero Knowledge • Each (cheating) verifier V’ induces a distribution on transcripts • For all (efficient) verifiers V’ there exists an (efficient) simulator S such that for all X ∈ L the distributions on transcripts that V’ induces and that S produces are indistinguishable
Witness Indistinguishability (WI) • Introduced by Feige and Shamir to speed up zero-knowledge proofs • The ``natural 3-round ZK proof system” can be shown to be WI • In contrast: no black-box 3-round zero-knowledge • 4-round general constructions are achievable • Preserved under composition, • both parallel and concurrent • In some applications it provides sufficient protection • Identification
What Are Zaps II. A zap for a language L is a • Two-round witness-indistinguishable proof system for showing X ∈ L: 1. verifier → prover 2. prover → verifier • The first-round message can be fixed ``once and for all” (before X is chosen) • The verifier uses public coins • Single round, non-constructively
Real World vs. Shared String World • Shared string world: prover and verifier share a string ``deus ex machina” such that • it is guaranteed to be random • the simulator has control over the string (the transcript includes the shared string) • Good for increasing resistance to attacks in PKC • Real world: all such strings have to be generated by blood, toil, tears and sweat • Requires several rounds
``Non-interactive” Zero-knowledge • Operates in the shared string model [BDMP] • Given s, the protocol is single round: prover → verifier • The simulator gets to choose a convenient string s • NIZK for any L ∈ NP can be based on any certifiable trapdoor permutation [FLS][KP]
NIZKs and Zaps. Theorem: an NIZK for L exists (in the shared string world) iff zaps for L exist (in the real world). (Bad?) Idea: let the verifier choose the common string s. Endangers the witness: the verifier can choose an s that will make the prover leak information about the witness. Correction: the prover XORs it with its own random string. Endangers soundness: the prover can choose the result as the simulator would.
Compromise • Repeat many times • Each time the verifier chooses a fresh string: B1, B2, …, Bm • The prover repeats the same string C • The proof is given using B1 ⊕ C, B2 ⊕ C, …, Bm ⊕ C • The verifier accepts iff it accepts all m proofs. Soundness?! WI?!
Verifiable Pseudo-randomness. A verifiable p.r. sequence generator (VPRG): on seed s ∈ {0,1}^n it produces a public verification key VK and a sequence <a1, a2, …, ak> s.t.: Binding: there is only one sequence consistent with VK. Verifiability: for any seed s and I ⊆ {1, …, k} it is possible to come up with a proof p for {ai | i ∈ I}. Passing the i-th bit test: for all 1 ≤ i ≤ k, given VK, p and <a1, a2, …, ai-1, ai+1, …, ak>, no poly-time adversary can guess ai with non-negligible advantage. Special case of a VPRF [MRS].
Approximate VPRGs. Relaxation: • Relaxed binding: a limited number of possible openings • Two-round communication: zap style. Can construct (approximate) VPRGs from trapdoors. Theorem: zaps exist iff approximate VPRGs (with certain parameters) exist. Open problem: does small expansion in a VPRG imply large expansion?
Hidden Random Strings – A `Physical’ proof • The prover is dealt ℓ binary cards with random values • It can reveal any subset of them • To prove that X ∈ L while holding witness W, it reveals a subset of the cards – a – and additional information – b. Soundness: if X ∉ L then with probability at least 1-q there are no (a,b) for which the verifier accepts. Witness indistinguishability: a simulator on input X ∈ L generates (a,b) • identically distributed to the real ones • Given witness W it can complete the remaining cards to fit W
Using HRS and VPRGs to Get Zaps … Let m = k/ℓ. The HRS proof is repeated m times. • Verifier sends b1, b2, …, bk • Prover: • chooses a random string C ∈ {0,1}^ℓ and a seed s for the VPRG • the VPRG sequence is a1, a2, …, ak • sends C and VK • Bit i of the HRS is ai ⊕ bi ⊕ c(i mod ℓ)+1 • For each opened bit in a, the prover sends the corresponding ai and a proof of consistency • Verifier checks the m HRS proofs and the consistency of the opened bits
Constructing VPRGs from Trapdoor Permutations • Choose f1, f2, …, fr – certifiable trapdoor permutations • Each fi : Dn → Dn • Choose y1, y2, …, yc from Dn • VK = <f1, f2, …, fr>, <y1, y2, …, yc> • Entry (i,j) is the hardcore predicate of fi^{-1}(yj) (figure: r × c table with rows f1, …, fr and columns y1, …, yc)
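The two preceding slides give the recipe in words: a VPRG whose (i, j) entry is a hardcore bit of fi^{-1}(yj), opened by exhibiting the preimage, and the zap assembly that XORs the VPRG output with the verifier's bits and the prover's reused string C. The following is an added example, not code from the Dwork-Naor talk or either author: it uses toy RSA-style maps x ↦ x^{e_i} mod N over one shared modulus as stand-ins for the certifiable trapdoor permutations (φ(N) is the trapdoor), the least significant bit of the preimage as the hardcore predicate, and insecure toy parameters; all of those choices are my assumptions. It shows what the verifier actually checks when entries are opened and why a wrong preimage is rejected.

```python
# Added example (not code from the Dwork-Naor talk): a toy VPRG built the way
# the slide describes, r trapdoor permutations f_1..f_r, c public points
# y_1..y_c, entry (i, j) = hardcore bit of f_i^{-1}(y_j), plus the HRS
# assembly step a_i xor b_i xor c_((i mod l)+1) from the zap construction.
# Assumptions (mine, not the paper's): RSA-style maps x -> x^{e_i} mod N over
# one shared toy modulus stand in for the certifiable trapdoor permutations,
# phi(N) is the trapdoor, and the least significant bit of the preimage stands
# in for the hardcore predicate. Parameters are toy-sized and insecure.
import math
import random
from typing import Dict, List, Optional, Tuple

# Constructed toy modulus shared by all permutations.
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)
CANDIDATE_EXPONENTS = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31]

Entry = Tuple[int, int]                      # (i, j): row f_i, column y_j
VerificationKey = Tuple[int, Tuple[int, ...], Tuple[int, ...]]


def hardcore(x: int) -> int:
    """Hardcore-predicate stand-in: least significant bit of the preimage."""
    return x & 1


def f(e: int, x: int) -> int:
    """Trapdoor permutation f_e(x) = x^e mod N on Z_N^* (e coprime to phi)."""
    return pow(x, e, N)


def f_inverse(e: int, y: int, trapdoor: int) -> int:
    """Inverting needs the trapdoor phi(N): y^(e^-1 mod phi) mod N."""
    return pow(y, pow(e, -1, trapdoor), N)


def generate(seed: int, r: int, c: int) -> Tuple[VerificationKey, int, List[List[int]]]:
    """Seed -> (VK, trapdoor, sequence).

    VK fixes f_1..f_r (via their exponents) and y_1..y_c; the sequence is the
    r x c bit table whose (i, j) entry is hardcore(f_i^{-1}(y_j)).  Binding
    holds because each f_i is a permutation: every y_j has exactly one
    preimage, so VK determines the whole table.
    """
    rng = random.Random(seed)               # toy determinism, not a CSPRNG
    exps = [e for e in CANDIDATE_EXPONENTS if PHI % e != 0][:r]
    assert len(exps) == r, "not enough usable exponents for r rows"
    ys: List[int] = []
    while len(ys) < c:
        y = rng.randrange(2, N)
        if math.gcd(y, N) == 1:             # keep y inside Z_N^*
            ys.append(y)
    table = [[hardcore(f_inverse(e, y, PHI)) for y in ys] for e in exps]
    return (N, tuple(exps), tuple(ys)), PHI, table


def open_entries(vk: VerificationKey, trapdoor: int, which: List[Entry]) -> Dict[Entry, int]:
    """Proof p for a subset of entries: the preimage x_ij = f_i^{-1}(y_j) itself.
    Entries outside the subset stay hidden: without the trapdoor, learning their
    bit means inverting f_i (the i-th bit test of the slide)."""
    _, exps, ys = vk
    return {(i, j): f_inverse(exps[i], ys[j], trapdoor) for (i, j) in which}


def verify(vk: VerificationKey, proof: Dict[Entry, int]) -> Optional[Dict[Entry, int]]:
    """Receiver side: re-apply f_i to the claimed preimage, compare with y_j,
    then read off the bit.  Returns the opened bits, or None if any claimed
    preimage is wrong."""
    n, exps, ys = vk
    opened: Dict[Entry, int] = {}
    for (i, j), x in proof.items():
        if not (0 < x < n) or f(exps[i], x) != ys[j]:
            return None
        opened[(i, j)] = hardcore(x)
    return opened


def hidden_random_string(a: List[int], b: List[int], c: List[int]) -> List[int]:
    """Zap assembly from the talk (0-indexed here): HRS bit i is
    a_i xor b_i xor c_(i mod l), where a is the VPRG output, b the verifier's
    first-round bits and c the prover's l-bit string reused across all m = k/l
    HRS repetitions."""
    ell = len(c)
    return [a[i] ^ b[i] ^ c[i % ell] for i in range(len(a))]
```

A typical run generates a 3 × 4 table, opens three entries, and checks that `verify` returns exactly the bits recorded in the table while a tampered preimage is rejected; the hidden bits are protected only as far as inverting the toy permutation is hard, which at these sizes it is not.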
Concurrent and Resettable Composition. WI composes concurrently, so do zaps. In contrast: no black-box composition of zero-knowledge proofs in a constant number of rounds [KPR][R][CKPR]. Resettable adversary: can rerun the protocol with new random bits [CGGM]. Zaps are immune to resettable adversaries. New: 2-round resettable WI proofs
Applications • Oblivious transfer – 2½ rounds (PK) • Using time in the design of protocols [DNS]: timing-based (α, β) assumption for α < β: if one processor measures α and a second measures β, then the second finishes after the first. New results using zaps: • 3-round ZK (in contrast: impossible in the regular mode) • 2-round deniable authentication • 3-round resettable zero-knowledge
Tool: Timed Commitments [BN] • Regular commitment • Potential forced opening phase (figure: Sender → Receiver, committed value X)
Regular Commitments. Commit phase: Sender → Receiver (commitment to X); the sender is bound to X. Reveal phase: Sender → Receiver (X); the receiver can verify X.
Potential Forced Opening. Forced open phase (Receiver, Sender, X): the receiver extracts X (+ proof) in time T. The commitment is secure only for time t < T.
Requirements • Future recoverability – verifiable following the commit phase • Decommitment – value + proof. Ditto for forcibly recovered values. Can act as a genuine proof of knowledge of the committed value • Immunity to parallel attacks. Construction based on ``generalized BBS.” Uses several rounds to prove consistency of the commitment [BN]. We will substitute a zap.
The Power Function g^(2^(2^k)) mod N. N = P·Q – a Blum integer, g – a generator. Unknown factorization – repeated squaring: g^(2^(i+1)) = g^(2^i) · g^(2^i) mod N. Takes 2^k squarings.
...Power Function. Factors known – random access property of the BBS PRG: • compute x = 2^(2^k) mod φ(N) • compute g^x mod N. Used before: • Uncheatable benchmarks [CLSY] • Time-locks for documents [RSW]
The Commitment • Select N – a Blum integer – and g – a generator of a large subgroup • Set Yk = g^(2^(2^k)) mod N • Base the committed value on Zk = g^(2^(2^k – 1)) mod N
Committing using Zk. Several options: • XOR with a hardcore predicate of Zk: • LSB of Zk • inner product with a random R • XOR with a pseudo-random sequence with seed Zk.
The Commitment – Proofs… • Sender generates and sends <g, Y0, Y1, …, Yk> = <g, g^2, g^4, …, g^(2^(2^i)), …, g^(2^(2^k))> mod N • Proves consistency of <Y0, Y1, …, Yk>: for all 1 ≤ i ≤ k show that <g, Yi, Yi+1> is of the form <g, g^x, g^(x^2)>
The Commitment – Proofs… Key point: efficient ZK protocols for consistency of <g, g^x, g^(x^2)>. Similar to proving a Diffie-Hellman triple. Slightly different in Z_N^* than in Z_P^*.
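The power-function and commitment slides above describe a procedure: build the chain Y0, …, Yk by repeated squaring, shortcut it with the factorization, commit by XORing a bit with the LSB of Zk, and let the receiver force the opening by doing the squarings itself. The following is an added example, not code from the Boneh-Naor or Dwork-Naor material: the Blum integer, generator and parameter k are toy values I chose, so the "time" gap is symbolic, and `chain_consistent` is the brute-force check that the zap-based consistency proof on the slides exists to replace (at real sizes the receiver could not afford it). What it shows is the asymmetry the scheme rests on: the same Zk falls out of one modular exponentiation with the trapdoor and of 2^k – 1 sequential squarings without it.

```python
# Added example (not code from the Boneh-Naor or Dwork-Naor material): a toy
# timed commitment on top of the power function g^(2^(2^k)) mod N.  The party
# that knows the factorization of N uses the BBS random-access shortcut (reduce
# the exponent mod phi(N)); everyone else must perform 2^k sequential
# squarings.  Parameters are toy-sized and chosen by me; the brute-force
# consistency check stands in for the zap-based proof in the talk.
from typing import List, Optional, Tuple

# Constructed Blum integer: P = Q = 3 (mod 4); g = 4 is a quadratic residue.
P, Q = 1019, 1031
N = P * Q
PHI = (P - 1) * (Q - 1)
G = 4


def power_slow(g: int, k: int, n: int) -> int:
    """g^(2^(2^k)) mod n by 2^k sequential squarings (no trapdoor)."""
    x = g % n
    for _ in range(2 ** k):
        x = x * x % n
    return x


def power_fast(g: int, k: int, p: int, q: int) -> int:
    """Same value with the factorization: x = 2^(2^k) mod phi(N), then g^x mod N."""
    n, phi = p * q, (p - 1) * (q - 1)
    return pow(g, pow(2, 2 ** k, phi), n)


def chain(g: int, k: int, p: int, q: int) -> List[int]:
    """<Y_0, ..., Y_k> = <g^2, g^4, ..., g^(2^(2^i)), ..., g^(2^(2^k))> mod N."""
    return [power_fast(g, i, p, q) for i in range(k + 1)]


def chain_consistent(g: int, ys: List[int], n: int) -> bool:
    """Brute-force check that each <g, Y_i, Y_{i+1}> has the form <g, g^x, g^(x^2)>
    with x = 2^(2^i), i.e. Y_{i+1} == Y_i^x.  Costs about 2^k squarings in
    total, which is what the ZK/zap consistency proof spares the receiver."""
    if ys[0] != g * g % n:
        return False
    for i in range(len(ys) - 1):
        if pow(ys[i], 2 ** (2 ** i), n) != ys[i + 1]:
            return False
    return True


def z_k_with_trapdoor(g: int, k: int, p: int, q: int) -> int:
    """Z_k = g^(2^(2^k - 1)) mod N, the chain value whose square is Y_k."""
    n, phi = p * q, (p - 1) * (q - 1)
    return pow(g, pow(2, 2 ** k - 1, phi), n)


def commit(bit: int, g: int, k: int, p: int, q: int) -> Tuple[int, List[int]]:
    """Sender (knows p, q): publish the chain and c = bit xor LSB(Z_k)."""
    z_k = z_k_with_trapdoor(g, k, p, q)
    return bit ^ (z_k & 1), chain(g, k, p, q)


def decode(c: int, z_k: int, ys: List[int], n: int) -> Optional[int]:
    """Receiver: accept a claimed Z_k only if Z_k^2 == Y_k, then recover the bit.
    (Binding of the real scheme also relies on the chain proofs; see [BN].)"""
    if z_k * z_k % n != ys[-1]:
        return None
    return c ^ (z_k & 1)


def forced_open(c: int, g: int, k: int, ys: List[int], n: int) -> Tuple[Optional[int], int]:
    """Receiver without the trapdoor: 2^k - 1 sequential squarings recover Z_k,
    which also serves as the proof of the recovered value."""
    z_k = g % n
    for _ in range(2 ** k - 1):
        z_k = z_k * z_k % n
    return decode(c, z_k, ys, n), z_k
```

With k = 4 the forced opening is 15 squarings, so the run is instantaneous; the structure is unchanged at a k where 2^k squarings take the intended time T, and only the holder of the factorization keeps the one-exponentiation shortcut.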
3-round Timed Concurrent ZK. To prove X ∈ L: • Prover → verifier: string s1 for zaps • Verifier → prover: timed commitments to x1, x2. Give a zap of consistency of at least one of them using s1. String s2 for zaps • Prover → verifier: commit with knowledge to a random z. Give a zap, using s2, that either (i) X ∈ L or (ii) z = x1 or (iii) z = x2. Timing requirement: the verifier receives the response within
Open Problems. Efficiency: • Zaps for specific problems • Are x or y quadratic residues mod N? • Zaps for timed commitments. VPRGs: • Do VPRGs compose? VPRF from VPRG? • VPRGs based on Diffie-Hellman? Round optimality: is 2-round ZK possible? Explicit 1-round zap?