
Zaps and Apps

Cynthia Dwork

Microsoft Research

Moni Naor

Weizmann Institute of Science

1

General

We investigate how quickly (in how many rounds) it is possible to perform zero-knowledge and witness-protection proofs.

• Introduce and construct
  – Zaps
  – Verifiable pseudo-random sequences
• Timing and zero-knowledge

2

Plan

• What are zaps
• Background
• Constructions
• Existentialism
• Applications

3

What Zaps Are Not

An acronym

4

What Are Zaps

A zap for a language L is a witness indistinguishable proof system for showing that X ∈ L, with some special properties:
• Number of rounds
• When and how random choices are made

5

Witness Protection Programs

A witness indistinguishable proof system for X ∈ L (prover → verifier):
• Completeness: if the prover has a witness W, it can construct an effective proof that makes the verifier accept.
• Soundness: if X ∉ L, no prover can succeed with high probability in making the verifier accept.
• Witness protection: for every two witnesses W_1 and W_2 and any V', the distributions on transcripts are computationally indistinguishable.

6

Zero Knowledge

• Each (cheating) verifier V' induces a distribution on transcripts
• For all (efficient) verifiers V' there exists an (efficient) simulator S such that for all X ∈ L the distributions on transcripts that V' induces and that S produces are indistinguishable

7

Witness Indistinguishability (WI)

• Introduced by Feige and Shamir to speed up zero-knowledge proofs
• ``Natural 3-round zk proof system” - can show WI
• In contrast - no black-box 3-round zero-knowledge
  – 4-round general constructions achievable
• Is preserved under composition – both parallel and concurrent
• In some applications - provides sufficient protection
  – Identification

8

What Are Zaps II

A zap for a language L is a
• Two-round witness indistinguishable proof system for showing X ∈ L
  1. verifier → prover
  2. prover → verifier
• First round message can be fixed ``once and for all” (before X is chosen)
• The verifier uses public coins
  – Single round non-constructively

9

Real World vs. Shared String World

• Shared string world: prover and verifier share a string ``deus ex machina” such that
  – Guaranteed to be random
  – Simulator has control over string (transcript includes shared string)
  – Good for increasing resistance to attacks in PKC
• Real world: all such strings have to be generated by blood, toil, tears and sweat
  – Requires several rounds

10

``Non-interactive” Zero-knowledge

• Operates in the shared string model [BDMP]
• Given s, protocol is single round: Prover → verifier
• Simulator gets to choose convenient string s
• NIZK for any L ∈ NP can be based on any certifiable trapdoor permutation [FLS][KP]

11

NIZKs and Zaps

Theorem: NIZK for L exists (in the shared string world) iff zaps for L exist (in the real world)

Idea: let the verifier choose the common string s (Bad?)
  – Endangers witness: verifier can choose s that will make the prover leak information about the witness
Correction: prover Xors it with its own random string
  – Endangers soundness: prover can choose the result, as the simulator does

12

Compromise

• Repeat many times
• Each time verifier chooses a fresh string B_1, B_2, …, B_m
• Prover repeats the same string C
• The proof is given using B_1 ⊕ C, B_2 ⊕ C, …, B_m ⊕ C
• Verifier accepts iff it accepts for all m proofs

Soundness?! WI?!

13

Verifiable Pseudo-randomness

A verifiable p.r. sequence generator (VPRG): on seed s ∈ {0,1}^n produces a public verification key VK and a sequence a_1, …, a_k s.t.:
• Binding: there is only one sequence consistent with VK
• Verifiability: for any seed s and I ⊆ {1...k}, possible to come up with a proof p_s for {a_i | i ∈ I}
• Passing the i-th bit test: for all 1 ≤ i ≤ k, given VK and p, no poly-time adversary can guess a_i with non-negligible advantage

Special case of VPRF [MRS]

14

Approximate VPRGs

Relaxation
• Relaxed binding: limited number of possible openings
• Two round communication: zaps style

Can construct (approximate) VPRGs from trapdoors

Theorem: zaps exist iff approximate VPRGs (with certain parameters) exist.

Open problem: does small expansion in VPRG imply large expansion?

15

Hidden Random Strings – A `Physical’ proof

• Prover is dealt ℓ binary cards with random values
  – Can reveal any subset of them.
• To prove that X ∈ L holding witness W: reveal a subset of them – a – and additional information – b

Soundness: if X ∉ L, with probability at least 1-q there are no (a, b) for which the verifier accepts

Witness Indistinguishability: simulator on input X ∈ L generates (a, b)
  – Identically distributed to real ones
  – Given witness W can complete the remaining cards to fit W

16

Using HRS and VPRGs to Get Zaps

Let m = k/ℓ. The HRS proof is repeated m times.
• Verifier sends b_1, b_2, …, b_k
• Prover:
  – Chooses random string C ∈ {0,1}^ℓ and seed s for the VPRG
  – Sequence is a_1, a_2, …, a_k
  – Sends C and VK
• Bit i of the HRS is a_i ⊕ b_i ⊕ c_{(i mod ℓ)+1}
  – For each opened bit, prover sends a_i and a proof of consistency
• Verifier checks the m HRS proofs and the consistency of the opened bits

17

Constructing VPRGs from Trapdoor Permutations

• Choose f_1, f_2, …, f_r - certifiable trapdoor permutations
  – Each f_i : D_n → D_n
• Choose y_1, y_2, …, y_c
• VK = (…, (y_j))
• Entry (…) (diagram: table indexed by f_1, f_2, …, f_r and y_1, y_2, …, y_c)

18

Concurrent and Resettable Composition

WI composes concurrently - so do zaps.
In contrast: no black-box composition of zero-knowledge proofs in constant number of rounds [KPR][R][CKPR]

Resettable adversary - can rerun the protocol with new random bits [CGGM]
Zaps are immune to resettable adversaries
New: 2-round resettable WI proofs

19

Applications

• Oblivious transfer - 2 1/2 rounds (PK)
• Using time in the design of protocols [DNS]: Timing based (a, b) assumption for a < b: if one processor measures a, the second b, then b finishes after a.

New results using zaps:
• 3-round zk (in contrast - impossible in regular mode)
• 2-round deniable authentication
• 3-round resettable zero-knowledge

20

Tool: Timed Commitments [BN]

• Regular commitment: Sender → Receiver (X)
• Potential forced opening phase

21

Regular Commitments

Commit Phase: Sender → Receiver (commitment to X)
  Sender is bound to X
Reveal Phase: Sender → Receiver (X)
  Receiver can verify X

22

Potential Forced Opening

Forced Open Phase: Sender, Receiver
  Receiver extracts X (+proof) in time T

Commitment is secure only for time t < T

23

Requirements

• Future recoverability - verifiable following commit phase
• Decommitment value + proof. Ditto for forcibly recovered values.
  Can act as genuine proof of knowledge of the committed value
• Immunity to parallel attacks

Construction based on ``generalized BBS.” Uses several rounds to prove consistency of commitment [BN]. We will substitute with a zap.

24

The Power Function

$g^{2^{2^k}} \bmod N$
N = P·Q - Blum integer, g - a generator
Unknown factorization - repeated squaring: $g^{2^{i+1}} = g^{2^i} \cdot g^{2^i} \bmod N$
Takes $2^k$ squarings

25

...Power Function

Factors known - random access property of BBS PRG:
  – compute $x = 2^{2^k}$ reduced modulo the order of the group (known from the factors)
  – compute $g^x \bmod N$
Used before:
• Uncheatable Benchmarks [CLSY]
• Time-locks for documents [RSW]

26

The Commitment

• Select N - Blum integer - and g - generator of a large subgroup
• Set $Y_k = g^{2^{2^k}} \bmod N$
• Base committed value on $Z_k = g^{2^{2^k - 1}} \bmod N$ (a square root of Y_k)

27

Committing using Z_k

Several options:
• Xor with hardcore predicate of Z_k:
  – LSB of Z_k
  – Inner product with random R
• Xor with pseudo-random sequence with seed Z_k

28

The Commitment - Proofs…

• Sender generates and sends <g, Y_0, Y_1, …, Y_k> = <g, g^2, g^4, …, $g^{2^{2^i}}$, …, $g^{2^{2^k}}$> mod N
• Proves consistency of <Y_0, Y_1, …, Y_k> - for all 1 ≤ i ≤ k show: <g, Y_i, Y_{i+1}> is of the form <g, $g^x$, $g^{x^2}$>

29

The Commitment - Proofs…

Key point: efficient ZK protocols for consistency of <g, $g^x$, $g^{x^2}$>
Similar to proving a Diffie-Hellman triple
Slightly different in $Z_N^*$ than in $Z_P^*$

30
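The power function, the [BN]-style commitment and the chain <g, Y_0, …, Y_k> of slides 25 to 30, as an added Python example (not the slides' or the authors' code): the receiver recovers Z_k only by sequential squaring, the sender shortcuts via the factorization, and the consistency relation behind each <g, Y_i, Y_{i+1}> triple is checked with the exponent in the clear. The Blum primes P, Q, the generator g and the reduction modulo φ(N) are this example's own assumptions.

```python
# Added example (not from the slides): the BBS-style power function behind the
# [BN] timed commitment, computed the slow way (sequential squaring, no factors)
# and the fast way (factors known), plus the chain <g, Y_0, ..., Y_k> whose
# consistency the sender proves.  P, Q and g below are constructed toy values.

def bbs_power(g: int, e: int, N: int) -> int:
    """g^(2^e) mod N by e sequential squarings: the only route without the factors."""
    y = g % N
    for _ in range(e):
        y = y * y % N          # g^(2^(i+1)) = g^(2^i) * g^(2^i) mod N
    return y

def bbs_power_trapdoor(g: int, e: int, P: int, Q: int) -> int:
    """Same value with the factorization: reduce the exponent 2^e modulo phi(N)
    (Euler's theorem), so the cost is O(log e) instead of e squarings."""
    N, phi = P * Q, (P - 1) * (Q - 1)
    return pow(g, pow(2, e, phi), N)

def commit_bit(bit: int, g: int, k: int, P: int, Q: int) -> tuple[int, int]:
    """Sender: publish Y_k = g^(2^(2^k)) and hide the bit behind the LSB of
    Z_k = g^(2^(2^k - 1)), the square root of Y_k."""
    y_k = bbs_power_trapdoor(g, 2 ** k, P, Q)
    z_k = bbs_power_trapdoor(g, 2 ** k - 1, P, Q)
    return y_k, bit ^ (z_k & 1)

def force_open(c: int, g: int, k: int, N: int) -> int:
    """Receiver without the factors: recover Z_k with 2^k - 1 squarings
    (the forced-opening time T grows with k), then strip the mask."""
    return c ^ (bbs_power(g, 2 ** k - 1, N) & 1)

def commitment_chain(g: int, k: int, P: int, Q: int) -> list[int]:
    """<Y_0, ..., Y_k> with Y_i = g^(2^(2^i)) mod N, sent along with the commitment."""
    return [bbs_power_trapdoor(g, 2 ** i, P, Q) for i in range(k + 1)]

def chain_consistent(g: int, Y: list[int], N: int) -> bool:
    """Check every <g, Y_i, Y_(i+1)> has the form <g, g^x, g^(x^2)> with
    x = 2^(2^i).  The protocol proves this in ZK; here x is simply known."""
    for i in range(len(Y) - 1):
        x = 2 ** (2 ** i)
        if pow(g, x, N) != Y[i] or pow(Y[i], x, N) != Y[i + 1]:
            return False
    return True

if __name__ == "__main__":
    P, Q = 1019, 1031                 # constructed Blum primes (both 3 mod 4)
    N, g, k = P * Q, 5, 8
    y_k, c = commit_bit(1, g, k, P, Q)
    print(force_open(c, g, k, N), chain_consistent(g, commitment_chain(g, k, P, Q), N))
```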

3-round Timed Concurrent ZK

To prove X ∈ L:
• Prover → verifier: string s_1 for zaps
• Verifier → prover: time commit to x_1, x_2. Give zap of consistency of at least one of them using s_1. String s_2 for zaps
• Prover → verifier: commit with knowledge to random z. Give zap using s_2 that either (i) X ∈ L or (ii) z = x_1 or (iii) z = x_2

Timing requirement: verifier receives response within time a

31

Open Problems

Efficiency:
• Zaps for specific problems
  – Are x or y quadratic residues mod N
  – Zaps for timed commitment

VPRGs:
• Do VPRGs compose? VPRF from VPRG?
• VPRGs based on Diffie-Hellman?

Round optimal zap?
  – 2 round zk possible?
  – Explicit 1 round

32