Zaps and Apps - PowerPoint PPT Presentation

Slides: 33
Provided by: weizmannin9

Transcript and Presenter's Notes

1
Zaps and Apps
  • Cynthia Dwork
  • Microsoft Research
  • Moni Naor
  • Weizmann Institute of Science

2
General
  • We investigate how quickly (in number of rounds)
    zero-knowledge and witness-protection proofs can
    be performed.
  • Introduce and construct
  • Zaps
  • Verifiable pseudo-random sequences
  • Timing and zero-knowledge

3
Plan
  • What are zaps
  • Background
  • Constructions
  • Existentialism
  • Applications

4
What Zaps Are Not
  • An acronym

5
What Are Zaps
  • A zap for a language L is a witness
    indistinguishable proof system for showing that
    $X \in L$
  • With some special properties
  • Number of rounds
  • When and how random choices are made

6
Witness Protection Programs
  • A witness indistinguishable proof system for $X \in L$
  • prover → verifier
  • Completeness: if the prover has a witness W, it can
    construct an effective proof that makes the verifier
    accept.
  • Soundness: if $X \notin L$, no prover can succeed with
    high probability in making the verifier accept.
  • Witness protection: for every V and any two
    witnesses W1 and W2, the distributions on transcripts
    are computationally indistinguishable.

7
Zero Knowledge
  • Each (cheating) verifier V induces a
    distribution on transcripts
  • For all verifiers V there exists a simulator S
    such that for all $X \in L$ the distributions on
    transcripts that V induces and that S produces
    are indistinguishable

8
Witness Indistinguishability (WI)
  • Introduced by Feige and Shamir to speed up
    zero-knowledge proofs
  • The natural 3-round ZK proof system can be shown
    to be WI
  • In contrast - no black-box 3-round zero-knowledge
  • 4-round general constructions are achievable
  • Is preserved under composition (both parallel and
    concurrent)
  • In some applications it provides sufficient
    protection
  • Identification

9
What Are Zaps II
  • A zap for a language L is a
  • Two-round witness indistinguishable proof system
    for showing $X \in L$
  • 1. verifier → prover
  • 2. prover → verifier
  • First round message can be fixed once and for
    all (before X is chosen)
  • The verifier uses public coins
  • Single round non-constructively

10
Real World vs. Shared String World
  • Shared string world: prover and verifier share a
    string (deus ex machina) such that
  • It is guaranteed to be random
  • The simulator has control over the string (the
    transcript includes the shared string)
  • Good for increasing resistance to attacks in PKC
  • Real world: all such strings have to be generated
    by blood, toil, tears and sweat -
  • Requires several rounds

11
Non-interactive Zero-knowledge
  • Operates in the shared string model [BDMP]
  • Given s, the protocol is single round
  • Prover → verifier
  • Simulator gets to choose a convenient string s
  • NIZK for any $L \in NP$ can be based on any trapdoor
    permutation [FLS, KP]

12
NIZKs and Zaps
  • Theorem: NIZK for L exists (in the shared string
    world) iff zaps for L exist (in the real world)
  • (Bad?) Idea: let the verifier choose the common
    string s. Endangers the witness: the verifier can
    choose an s that will make the prover leak
    information about the witness
  • Correction: the prover XORs it with its own random
    string
  • Endangers soundness: the prover can choose the
    result as in the simulator

13
Compromise
  • Repeat many times
  • Each time the verifier chooses a fresh string:
    $B_1, B_2, \ldots, B_m$
  • The prover repeats the same string C
  • The proof is given using $B_1 \oplus C, B_2 \oplus C, \ldots, B_m \oplus C$
  • Verifier accepts iff it accepts all m proofs
  • Soundness?!
  • WI?!

14
Verifiable Pseudo-randomness
  • A verifiable p.r. sequence generator (VPRG) on
    seed $s \in \{0,1\}^n$ produces a public verification key
    VK and a sequence $\langle a_1, a_2, \ldots, a_k \rangle$ s.t.
  • Binding: there is only one sequence consistent
    with VK
  • Verifiability: for any seed s and $I \subseteq \{1..k\}$ it is
    possible to come up with a proof p for $a_i$, $i \in I$
  • Passing the i-th bit test: for all $1 \le i \le k$,
    given VK, p and $\langle a_1, a_2, \ldots, a_{i-1}, a_{i+1}, \ldots, a_k \rangle$,
    no poly-time adversary can guess $a_i$ with
    non-negligible advantage.
  • Special case of VPRF [MRS]

15
Approximate VPRGs
  • Relaxation
  • Relaxed binding: a limited number of possible
    openings
  • Two-round communication, zaps style
  • Can construct (approximate) VPRGs from trapdoors
  • Theorem: zaps exist iff approximate VPRGs (with
    certain parameters) exist.
  • Open problem: does small expansion in a VPRG imply
    large expansion?

16
Hidden Random Strings: A Physical Proof
  • Prover is dealt l binary cards with random values
  • Can reveal any subset of them.
  • To prove that $X \in L$ holding witness W: reveal a
    subset of them, a, and additional information b
  • Soundness: if $X \notin L$, with probability at least 1-q
    there are no (a,b) for which the verifier accepts
  • Witness indistinguishability: the simulator on input
    $X \in L$ generates (a,b)
  • Identically distributed to real ones
  • Given witness W, can complete the remaining cards
    to fit W

17
Using HRS and VPRGs to Get Zaps
  • Let m = k/l; the HRS proof is repeated m times
  • Verifier sends $b_1, b_2, \ldots, b_k$
  • Prover chooses an l-bit string C and a seed s
    for the VPRG
  • Sends C and VK. Sequence is $a_1, a_2, \ldots, a_k$
  • Bit i of HRS is $a_i \oplus b_i \oplus c_{(i \bmod l) + 1}$
  • For each opened bit the prover sends $a_i$ and a proof
    of consistency
  • Verifier checks the m HRS proofs and the
    consistency of the opened bits

18
Constructing VPRGs from Trapdoor Permutations
  • Choose $f_1, f_2, \ldots, f_r$ - certifiable trapdoor
    permutations
  • Each $f_i: D_n \to D_n$
  • Choose $y_1, y_2, \ldots, y_c$ from $D_n$
  • $VK = \langle f_1, f_2, \ldots, f_r, y_1, y_2, \ldots, y_c \rangle$
  • Entry (i,j): hardcore predicate of $f_i^{-1}(y_j)$

[Figure: an r × c table with rows labelled $f_1, f_2, \ldots, f_r$ and columns labelled $y_1, y_2, \ldots, y_c$; entry (i,j) holds the hardcore bit of $f_i^{-1}(y_j)$]
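The construction on this slide, worked through as an added example (this is not the authors' code): a tiny verifiable pseudo-random sequence generator in which the r × c bit matrix is filled with hardcore bits of $f_i^{-1}(y_j)$, the proof for an entry is the preimage itself, and the verifier checks it by evaluating $f_i$ forward. Everything concrete here is an assumption for illustration: textbook RSA with constructed 8-bit primes stands in for the certifiable trapdoor permutations, the least significant bit stands in for the hardcore predicate, and the function names (`vprg_generate`, `vprg_open`, `vprg_verify`, `count_preimages`) are mine. The parameters are far too small to be secure; the point is to see binding and verifiability operate.

```python
# Added example (not from the slides): a toy VPRG from trapdoor permutations.
# Recipe from the slide: VK = <f_1..f_r, y_1..y_c>, entry (i,j) = hardcore(f_i^{-1}(y_j)).
# Assumptions: RSA plays the trapdoor permutation, LSB plays the hardcore
# predicate, and the primes below are constructed toy values (insecure).
import random

# Constructed toy primes; e = 17 is coprime to each (p-1)(q-1).
TOY_PRIMES = [(61, 53), (101, 113), (167, 179)]
RSA_E = 17


def keygen(p, q, e=RSA_E):
    """Return ((n, e), d): the public description of f_i and its trapdoor d."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)


def f(pub, x):
    """Forward direction of the permutation: anyone holding VK can evaluate it."""
    n, e = pub
    return pow(x, e, n)


def f_inv(pub, d, y):
    """Inverse direction: requires the trapdoor d."""
    n, _ = pub
    return pow(y, d, n)


def hardcore(x):
    """Stand-in hardcore predicate: the least significant bit of the preimage."""
    return x & 1


def vprg_generate(seed, r, c):
    """Run the generator on `seed` (an int feeding a PRNG, a stand-in for s).

    Returns (VK, sequence, trapdoors): VK = (f_1..f_r, y_1..y_c) is public,
    the r x c bit matrix is the pseudo-random sequence, and the trapdoors
    stay with the prover.
    """
    rng = random.Random(seed)
    pubs, trapdoors = [], []
    for p, q in TOY_PRIMES[:r]:
        pub, d = keygen(p, q)
        pubs.append(pub)
        trapdoors.append(d)
    # Each y_j is drawn below every modulus so that all f_i act on a common domain.
    domain = min(n for n, _ in pubs)
    ys = [rng.randrange(1, domain) for _ in range(c)]
    sequence = [[hardcore(f_inv(pubs[i], trapdoors[i], ys[j])) for j in range(c)]
                for i in range(r)]
    return (pubs, ys), sequence, trapdoors


def vprg_open(trapdoors, vk, entry):
    """Proof of consistency for entry (i,j): the preimage of y_j under f_i."""
    pubs, ys = vk
    i, j = entry
    return f_inv(pubs[i], trapdoors[i], ys[j])


def vprg_verify(vk, entry, claimed_bit, proof):
    """Verifier side: `proof` must map to y_j under f_i and carry the claimed bit."""
    pubs, ys = vk
    i, j = entry
    return f(pubs[i], proof) == ys[j] and hardcore(proof) == claimed_bit


def count_preimages(pub, y):
    """Brute-force illustration of binding on a toy modulus: a permutation has
    exactly one preimage per y, so only one bit can ever be opened per entry."""
    n, _ = pub
    return sum(1 for x in range(n) if f(pub, x) == y)
```

Binding falls out of $f_i$ being a permutation: `count_preimages` returns 1 for every column, so no second opening exists. What this toy does not show is the i-th bit test, which rests on the hardcore predicate being genuinely hard to predict; with 16-bit moduli and LSB, an adversary can simply factor and invert.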
19
Concurrent and Resettable Composition
  • WI composes concurrently - so do zaps.
  • In contrast, no black-box composition of
    zero-knowledge proofs in a constant number of
    rounds [KPR, R, CKPR]
  • Resettable adversary - can rerun the protocol
    with new random bits [CGGM]
  • Zaps are immune to resettable adversaries
  • New: 2-round resettable WI proofs

20
Applications
  • Oblivious transfer - 2½ rounds (PK)
  • Using time in the design of protocols [DNS]
  • Timing-based (α,β) assumption for α < β: if one
    processor measures α and a second measures β, then
    β finishes after α.
  • New results using zaps:
  • 3-round ZK (in contrast - impossible in regular
    mode)
  • 2-round deniable authentication
  • 3-round resettable zero-knowledge

21
Tool: Timed Commitments [BN]
  • Regular commitment
  • Potential forced opening phase

[Figure: Sender → Receiver, commitment to X]
22
Regular Commitments
Commit Phase
[Figure: Sender → Receiver, commitment to X]
Sender is bound to X
Reveal Phase
[Figure: Sender → Receiver, X]
Receiver can verify X
23

Potential Forced Opening
Forced Open Phase
[Figure: Receiver recovers X from the commitment]
Receiver extracts X (proof) in time T
Commitment is secure only for time t < T
24
Requirements
  • Future recoverability - verifiable following the
    commit phase
  • Decommitment - value and proof. Ditto for forcibly
    recovered values.
  • Can act as a genuine proof of knowledge of the
    committed value
  • Immunity to parallel attacks
  • Construction based on generalized BBS. Uses
    several rounds to prove consistency of the
    commitment [BN].
  • We will substitute a zap.

25
The Power Function
  • $g^{2^{2^k}} \bmod N$
  • $N = PQ$ - Blum integer, g - a generator
  • Unknown factorization - repeated squaring
  • $g^{2^{i+1}} = g^{2^i} \cdot g^{2^i} \bmod N$
  • Takes $2^k$ squarings

26
...Power Function
  • Factors known - random access property of the BBS
    PRG
  • compute $x = 2^{2^k} \bmod \varphi(N)$
  • compute $g^x \bmod N$
  • Used before:
  • Uncheatable benchmarks [CLSY]
  • Time-locks for documents [RSW]

27
The Commitment
  • Select N - Blum integer - and g - generator of a
    large subgroup
  • Set $Y_k = g^{2^{2^k}} \bmod N$
  • Base committed value on
  • $Z_k = \sqrt{Y_k} = g^{2^{2^k - 1}} \bmod N$

28
Committing using $Z_k$
  • Several options:
  • XOR with a hardcore predicate of $Z_k$
  • LSB of $Z_k$
  • Inner product with a random R
  • XOR with a pseudo-random sequence with seed $Z_k$.

29
The Commitment - Proofs
  • Sender generates and sends
  • $\langle g, Y_0, Y_1, \ldots, Y_k \rangle =$
  • $\langle g, g^2, g^4, \ldots, g^{2^{2^i}}, \ldots, g^{2^{2^k}} \rangle \bmod N$
  • Proves consistency of $\langle Y_0, Y_1, \ldots, Y_k \rangle$ -
  • For all $1 \le i \le k$ show
  • $\langle g, Y_i, Y_{i+1} \rangle$ is of the form $\langle g, g^x, g^{x^2} \rangle$
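The power function, the $Y_k$ / $Z_k$ relation and the $\langle g, Y_i, Y_{i+1} \rangle$ chain from the last five slides, worked through as an added example (not the authors' code and not the [BN] implementation). It computes $g^{2^{2^k}}$ both ways: with $2^k$ squarings, as a receiver without the factorization must, and via $x = 2^{2^k} \bmod \varphi(N)$, as the sender can. It then commits to a bit with the LSB of $Z_k$ (one of the options on the "Committing using $Z_k$" slide), force-opens it by squaring, and checks on the trapdoor side that each triple has the form $\langle g, g^x, g^{x^2} \rangle$. Assumptions: the Blum integer is built from two constructed 10-bit primes, $g = 2$ is the base, and all function names are mine. The slides replace the trapdoor-side chain check with a ZK proof so that the receiver, who lacks $\varphi(N)$, can verify it; that proof is not reproduced here.

```python
# Added example (not from the slides or [BN]): the timed-commitment power
# function, slow path vs. trapdoor path, Z_k = sqrt(Y_k), and the chain check.
# Assumptions: constructed toy primes P, Q ≡ 3 (mod 4); g = 2; LSB masking.
from math import gcd

P, Q = 1019, 1031          # constructed primes, both ≡ 3 (mod 4)
N = P * Q                  # Blum integer (toy size, not secure)
PHI = (P - 1) * (Q - 1)    # φ(N): the sender's trapdoor
G = 2                      # base; must be coprime to N for the φ(N) shortcut
assert P % 4 == 3 and Q % 4 == 3 and gcd(G, N) == 1


def power_tower_slow(g, e, n):
    """g^(2^e) mod n by e successive squarings: g^(2^(i+1)) = g^(2^i) * g^(2^i).
    This is all a party without the factorization of n can do."""
    cur = g % n
    for _ in range(e):
        cur = cur * cur % n
    return cur


def power_tower_fast(g, e, n, phi):
    """g^(2^e) mod n using the trapdoor: reduce the exponent 2^e modulo φ(n)
    first (valid because gcd(g, n) = 1, so g^φ(n) ≡ 1 mod n)."""
    return pow(g, pow(2, e, phi), n)


def sender_commit(g, k, n, phi, bit):
    """Sender side: Y_i = g^(2^(2^i)) for i = 0..k, Z_k = sqrt(Y_k) = g^(2^(2^k - 1)),
    and the commitment to `bit` as bit XOR LSB(Z_k). All cheap given φ(n)."""
    ys = [power_tower_fast(g, 2 ** i, n, phi) for i in range(k + 1)]
    z_k = power_tower_fast(g, 2 ** k - 1, n, phi)
    return ys, z_k, bit ^ (z_k & 1)


def receiver_force_open(g, k, n, commitment):
    """Receiver side: recover Z_k with 2^k - 1 squarings (the time T on the
    slides), then strip the mask. No trapdoor involved."""
    z_k = power_tower_slow(g, 2 ** k - 1, n)
    return commitment ^ (z_k & 1)


def chain_consistent_with_trapdoor(g, ys, n, phi):
    """Trapdoor-side check that each <g, Y_i, Y_{i+1}> has the form <g, g^x, g^(x^2)>
    with x = 2^(2^i). The slides hand this check to a ZK proof (a zap) so the
    receiver can run it without φ(n); here it is done directly with φ(n)."""
    for i in range(len(ys) - 1):
        x = pow(2, 2 ** i, phi)
        if ys[i] != pow(g, x, n) or ys[i + 1] != pow(g, x * x % phi, n):
            return False
    return True
```

With k = 12 the slow path costs 4095 squarings and the trapdoor path two modular exponentiations; at real sizes (a 1024-bit N and a k chosen so that $2^k$ squarings take the intended wall-clock time) that gap is exactly the "secure only for time t < T" property, and it is the receiver's guarantee that the sender cannot refuse to open.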

30
The Commitment - Proofs
  • Key point: efficient ZK protocols for
    consistency of $\langle g, g^x, g^{x^2} \rangle$
  • Similar to proving a Diffie-Hellman triple
  • Slightly different in $Z_N$ than in $Z_P$

31
3-round Timed Concurrent ZK
  • To prove $X \in L$:
  • Prover → verifier: string $s_1$ for zaps
  • Verifier → prover: timed commitment to $x_1, x_2$. Give
    a zap of consistency of at least one of them using
    $s_1$. String $s_2$ for zaps
  • Prover → verifier: commit with knowledge to a
    random z. Give a zap of consistency using $s_2$ that
    either (i) $X \in L$ or (ii) $z = x_1$ or (iii) $z = x_2$
  • Timing requirement: the verifier must receive the
    response within the allotted time

32
Open Problems
  • Efficiency
  • Zaps for specific problems
  • Are x or y quadratic residues mod N?
  • Zaps for timed commitment
  • VPRGs
  • Do VPRGs compose? VPRF from VPRG?
  • VPRGs based on Diffie-Hellman?
  • Round optimality - is 2-round ZK possible? An explicit
    1-round zap?