Zaps and Apps (slide transcript, posted 21-Dec-2015)
1
Zaps and Apps
Cynthia Dwork, Microsoft Research
Moni Naor, Weizmann Institute of Science
2
General
We investigate how quickly (in number of rounds) it is possible to perform zero-knowledge and witness-protection proofs.
• Introduce and construct
– Zaps
– Verifiable pseudo-random sequences
• Timing and zero-knowledge
3
Plan
• What are zaps
• Background
• Constructions
• Existentialism
• Applications
4
What Zaps Are Not
An acronym
5
What Are Zaps
A zap for a language L is a witness indistinguishable proof system for showing that X ∈ L, with some special properties:
• Number of rounds
• When and how random choices are made
6
Witness Protection Programs
A witness indistinguishable proof system for X ∈ L (prover ↔ verifier):
• Completeness: if the prover has a witness W, it can construct an effective proof that makes the verifier accept.
• Soundness: if X ∉ L, no prover can succeed with high probability in making the verifier accept.
• Witness protection: for every V' and any two witnesses W1 and W2, the distributions on transcripts are computationally indistinguishable.
7
Zero Knowledge
• Each (cheating) verifier V' induces a distribution on transcripts
• For all (efficient) verifiers V' there exists an (efficient) simulator S such that for all X ∈ L the distributions on transcripts that V' induces and that S produces are indistinguishable
8
Witness Indistinguishability (WI)
• Introduced by Feige and Shamir to speed up zero-knowledge proofs
• ``Natural 3-round zk proof system'' - can show WI
• In contrast - no black-box 3-round zero-knowledge
– 4-round general constructions achievable
• Is preserved under composition
– both parallel and concurrent
• In some applications - provides sufficient protection
– Identification
9
What Are Zaps II
A zap for a language L is a
• Two-round witness indistinguishable proof system for showing X ∈ L
1. verifier → prover
2. prover → verifier
• First round message can be fixed ``once and for all'' (before X is chosen)
• The verifier uses public coins
– Single round non-constructively
10
Real World vs. Shared String World
• Shared string world: prover and verifier share a string ``deus ex machina'' such that
– Guaranteed to be random
– Simulator has control over the string (transcript includes the shared string)
– Good for increasing resistance to attacks in PKC
• Real world: all such strings have to be generated by blood, toil, tears and sweat
– Requires several rounds
11
``Non-interactive'' Zero-knowledge
• Operates in the shared string model [BDMP]
• Given protocol is single round: prover → verifier
• Simulator gets to choose a convenient string
• NIZK for any L ∈ NP can be based on any certifiable trapdoor permutation [FLS][KP]
12
NIZKs and Zaps
Theorem: NIZK for L exists (in the shared string world) iff zaps for L exist (in the real world)
(Bad?) Idea: let the verifier choose the common string
– Endangers the witness: the verifier can choose a string that will make the prover leak information about the witness
Correction: the prover XORs it with its own random string
– Endangers soundness: the prover can choose the result as the simulator does
13
Compromise
• Repeat many times
• Each time the verifier chooses a fresh string B1, B2, …, Bm
• The prover repeats the same string C
• The proof is given using B1 ⊕ C, B2 ⊕ C, …, Bm ⊕ C
• The verifier accepts iff it accepts for all m proofs
Soundness?! WI?!
14
Verifiable Pseudo-randomness
A verifiable p.r. sequence generator (VPRG): on seed s ∈ {0,1}^n produces a public verification key VK and a sequence <a1, a2, …, ak> s.t.:
Binding: there is only one sequence consistent with VK
Verifiability: for any seed s and I ⊆ {1…k} it is possible to come up with a proof for {ai | i ∈ I}
Passing the ith bit test: for all 1 ≤ i ≤ k, given VK and <a1, a2, …, ai-1, ai+1, …, ak>, no poly-time adversary can guess ai with non-negligible advantage.
Special case of VPRF [MRS]
15
Approximate VPRGs
Relaxation
• Relaxed binding: limited number of possible openings
• Two-round communication: zap style
Can construct (approximate) VPRGs from trapdoor permutations
Theorem: zaps exist iff approximate VPRGs (with certain parameters) exist.
Open problem: does small expansion in a VPRG imply large expansion?
16
Hidden Random Strings – A `Physical' Proof
• Prover is dealt ℓ binary cards with random values
– Can reveal any subset of them.
• To prove that X ∈ L holding witness W - reveal a subset of them and additional information
Soundness: if X ∉ L, with probability at least 1-q there is no (revealed subset, additional information) for which the verifier accepts
Witness Indistinguishability: the simulator on input X ∈ L generates (revealed subset, additional information)
– Identically distributed to the real ones
– Given a witness W, can complete the remaining cards to fit W
17
Using HRS and VPRGs to Get Zaps
Let m = k/ℓ. The HRS proof is repeated m times.
• Verifier sends b1, b2, …, bk
• Prover:
– Chooses a random string C ∈ {0,1}^ℓ and a seed s for the VPRG
• Sequence is a1, a2, …, ak
– Sends C and VK.
• Bit i of the HRS is ai ⊕ bi ⊕ c_{(i mod ℓ) + 1}
– For each opened bit i the prover sends ai and a proof of consistency
• Verifier checks the m HRS proofs and the consistency of the opened bits
[Figure: the k bits are partitioned into m blocks of length ℓ, and the same C is reused for every block]
18
Constructing VPRGs from Trapdoor Permutations
• Choose f1, f2, …, fr - certifiable trapdoor permutations
– Each fi : Dn → Dn
• Choose y1, y2, …, yc from Dn
• VK = <f1, f2, …, fr>, <y1, y2, …, yc>
• Entry (i,j) = hardcore predicate of fi^{-1}(yj)
[Figure: r × c table with rows f1, f2, …, fr and columns y1, y2, …, yc]
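The VPRG definition (slide 14) and the trapdoor-permutation construction (slide 18) can be exercised concretely. The following is an added example, not code from the talk: RSA with a tiny constructed modulus stands in for the certifiable trapdoor permutations, all rows share one modulus N (so every f_i is a permutation of the same domain Z_N^*), and the LSB of the preimage serves as the hardcore predicate. The seed drives the choice of y_1, …, y_c; opening a subset I of entries reveals the preimages, and the verifier checks them against VK.

```python
# Added example (not from the slides): a toy VPRG built the way slide 18 describes,
# with RSA standing in for the certifiable trapdoor permutations. The modulus is
# tiny and constructed, so this shows the mechanics, not a secure instance.
import random
from itertools import count, islice
from math import gcd

def small_prime(p):
    return p > 1 and all(p % d for d in range(2, int(p ** 0.5) + 1))

# Constructed toy modulus shared by all rows: every f_i is a permutation of Z_N^*
P, Q = [p for p in range(10000, 10200) if small_prime(p)][:2]
N, PHI = P * Q, (P - 1) * (Q - 1)

def trapdoor_perms(r):
    """r RSA permutations f_i(x) = x^e_i mod N; e_i is public, d_i is the trapdoor."""
    es = list(islice((e for e in count(3, 2) if gcd(e, PHI) == 1), r))
    return [(e, pow(e, -1, PHI)) for e in es]

def vprg_generate(seed, r, c):
    """From a seed derive VK = (<f_1..f_r>, <y_1..y_c>) and the r x c table whose
    entry (i,j) is the LSB (a hardcore bit of RSA) of f_i^{-1}(y_j)."""
    rng = random.Random(seed)               # the VPRG seed s
    perms = trapdoor_perms(r)
    ys = []
    while len(ys) < c:                      # y_j drawn from the domain Z_N^*
        y = rng.randrange(2, N)
        if gcd(y, N) == 1:
            ys.append(y)
    vk = ([e for e, _ in perms], ys)
    preimages = [[pow(y, d, N) for y in ys] for _, d in perms]   # f_i^{-1}(y_j)
    bits = [[x & 1 for x in row] for row in preimages]
    return vk, bits, preimages

def open_entries(preimages, subset):
    """Proof for a subset I of entries: reveal the preimages themselves."""
    return {(i, j): preimages[i][j] for i, j in subset}

def verify_opening(vk, proof, claimed):
    """Accept iff every revealed x satisfies f_i(x) = y_j and LSB(x) is the claimed bit.
    f_i is a permutation, so y_j has exactly one preimage: the entry is binding."""
    es, ys = vk
    for (i, j), x in proof.items():
        if pow(x, es[i], N) != ys[j] or (x & 1) != claimed[(i, j)]:
            return False
    return True
```

Binding follows from f_i being a permutation: a revealed x either maps to y_j or it does not, so a sender cannot later open entry (i,j) to the other bit. The "ith bit test" property is what the construction inherits from the hardcore predicate and is not something this toy can demonstrate; the certifiability of the permutations (that e_i really is coprime to φ(N)) is likewise assumed here rather than proven to the verifier.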
19
Concurrent and Resettable Composition
WI proofs compose concurrently - so do zaps. In contrast: no black-box composition of zero-knowledge proofs in a constant number of rounds [KPR][R][CKPR]
Resettable adversary - can rerun the protocol with new random bits [CGGM]
Zaps are immune to resettable adversaries - New: 2-round resettable WI proofs
20
Applications
• Oblivious transfer - 2½ rounds (PK)
• Using time in the design of protocols [DNS]: timing based (,) assumption for <: if one processor measures , the second , then finishes after .
New results using zaps:
• 3-round zk (in contrast - impossible in regular mode)
• 2-round deniable authentication
• 3-round resettable zero-knowledge
21
Tool: Timed Commitments [BN]
• Regular commitment
• Potential forced opening phase
[Figure: Sender commits to X, Receiver holds the commitment]
22
Regular Commitments
Commit Phase: Sender → Receiver (commitment to X)
Reveal Phase: Sender → Receiver (X); Receiver can verify X
Sender is bound to X
23
Forced Open Phase
[Figure: Sender commits to X; potential forced opening becomes an actual forced opening by the Receiver]
Receiver extracts X (+ proof) in time T
Commitment is secure only for time t < T
24
Requirements
• Future recoverability - verifiable following the commit phase
• Decommitment - value + proof. Ditto for forcibly recovered values. Can act as a genuine proof of knowledge of the committed value
• Immunity to parallel attacks
Construction based on ``generalized BBS.'' Uses several rounds to prove consistency of the commitment [BN].
We will substitute with a zap.
25
The Power Function
g^{2^{2^k}} mod N
N = P·Q - Blum integer, g - a generator
Unknown factorization - repeated squaring:
g^{2^{i+1}} = g^{2^i} · g^{2^i} mod N
Takes 2^k squarings
26
...Power Function
Factors known - random access property of the BBS PRG:
– compute x = 2^{2^k} mod (order of g, known from the factors)
– compute g^x mod N
Used before:
• Uncheatable Benchmarks [CLSY]
• Time-locks for documents [RSW]
27
The Commitment
• Select N - Blum integer - and g - generator of a large subgroup
• Set Y_k = g^{2^{2^k}} mod N
• Base the committed value on Z_k = g^{2^{2^k - 1}} mod N
28
Committing using Z_k
Several options:
• XOR with a hardcore predicate of Z_k:
– LSB of Z_k
– Inner product with a random R
• XOR with a pseudo-random sequence with seed Z_k.
29
The Commitment - Proofs…
• Sender generates and sends <g, Y_0, Y_1, …, Y_k> = <g, g^2, g^4, …, g^{2^{2^i}}, …, g^{2^{2^k}}> mod N
• Proves consistency of <Y_0, Y_1, …, Y_k>:
For all 1 ≤ i ≤ k show: <g, Y_i, Y_{i+1}> is of the form <g, g^x, g^{x^2}>
30
The Commitment - Proofs…
Key point: Efficient ZK protocols for consistency of <g, g^x, g^{x^2}>
Similar to proving a Diffie-Hellman triple
Slightly different in Z_N^* than in Z_P^*
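Slides 25 through 29 together describe one mechanism: the power function g^{2^{2^k}} mod N, its fast evaluation when the factors of N are known, the chain <Y_0, …, Y_k>, the square root Z_k of Y_k that hides the committed bit, and the forced opening by 2^k - 1 sequential squarings. The following is an added example that is not from the talk or from [BN]: it uses tiny constructed Blum primes, a generator g chosen as a square so that it lies in the subgroup of quadratic residues, k = 10, and, in place of the zap-based consistency and decommitment proofs, a direct recomputation of each <g, Y_i, Y_{i+1}> step and the check Z_k^2 = Y_k. It also shows the random-access shortcut (reducing the exponent modulo lcm(p-1, q-1)) against the slow path of one squaring per step.

```python
# Added example (not from the slides or [BN]): toy timed commitment on the power
# function. Parameters are tiny and constructed; nothing here is a secure instance.
from math import gcd

def is_prime(n):
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def next_blum_prime(start):
    """Smallest prime p >= start with p ≡ 3 (mod 4); a Blum integer is a product of two such primes."""
    p = start
    while not (p % 4 == 3 and is_prime(p)):
        p += 1
    return p

def lcm(a, b):
    return a // gcd(a, b) * b

def power_by_squaring(g, e, N):
    """g^(2^e) mod N by e sequential squarings: the slow path without the factorization."""
    x = g % N
    for _ in range(e):
        x = x * x % N
    return x

def power_with_trapdoor(g, e, p, q):
    """The same value via the random-access property: reduce the exponent 2^e modulo
    lambda(N) = lcm(p-1, q-1) first, which needs the factors of N."""
    N = p * q
    lam = lcm(p - 1, q - 1)
    x = pow(2, e, lam)          # 2^e mod lambda(N), cheap
    return pow(g, x, N)

def commit_chain(g, k, p, q):
    """Y_i = g^(2^(2^i)) mod N for i = 0..k, computed quickly by the sender."""
    return [power_with_trapdoor(g, 2 ** i, p, q) for i in range(k + 1)]

def chain_consistent(g, Y, N):
    """Check Y_0 = g^2 and Y_{i+1} = Y_i^(2^(2^i)) by direct squaring.
    In the protocol the receiver gets a zap for each <g, Y_i, Y_{i+1}> instead."""
    if Y[0] != g * g % N:
        return False
    return all(power_by_squaring(Y[i], 2 ** i, N) == Y[i + 1] for i in range(len(Y) - 1))

def commit_bit(b, g, k, p, q):
    """Hide b with the LSB of Z_k = g^(2^(2^k - 1)); Z_k is a square root of Y_k."""
    Z = power_with_trapdoor(g, 2 ** k - 1, p, q)
    return b ^ (Z & 1), Z

def verify_open(c, Z, Y_k, N):
    """Decommit: Z must square to Y_k (stand-in for the decommitment proof); then recover the bit."""
    if Z * Z % N != Y_k:
        return None
    return c ^ (Z & 1)

def forced_open(c, g, k, N):
    """Receiver recovers Z_k with 2^k - 1 sequential squarings of g (time T)."""
    Z = power_by_squaring(g, 2 ** k - 1, N)
    return c ^ (Z & 1)

# Constructed toy parameters
P = next_blum_prime(10000)
Q = next_blum_prime(20000)
N = P * Q
G = pow(3, 2, N)    # a quadratic residue, so it lies in the large subgroup of squares
K = 10              # forced opening costs 2^K - 1 = 1023 squarings

def demo(bit):
    """Commit to one bit, then open it both ways; returns (decommitted bit, forced bit)."""
    Y = commit_chain(G, K, P, Q)
    c, Z = commit_bit(bit, G, K, P, Q)
    assert chain_consistent(G, Y, N)
    return verify_open(c, Z, Y[K], N), forced_open(c, G, K, N)
```

The asymmetry that makes the scheme timed is visible in the two power functions: `power_with_trapdoor` costs one modular exponentiation regardless of k, while `power_by_squaring` and `forced_open` cost 2^k sequential squarings that cannot be parallelised. In the real scheme the receiver never recomputes the chain as `chain_consistent` does; that is exactly the consistency statement the zap proves.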
31
3-round Timed Concurrent ZK
To prove X ∈ L:
• Prover → verifier: string for zaps
• Verifier → prover: time commit to . Give zap of consistency of at least one of them using . String for zaps
• Prover → verifier: commit with knowledge to random z. Give zap of consistency using that either (i) X ∈ L or (ii) z = or (iii) z =
Timing requirement: verifier receives response within
32
Open Problems
Efficiency:
• Zaps for specific problems
– Are x or y quadratic residues mod N
– Zaps for timed commitment
VPRGs:
• Do VPRGs compose? VPRF from VPRG?
• VPRGs based on Diffie-Hellman?
Round optimal:
• 2-round zk possible? Explicit 1-round zap?