Redondo Beach, California
Nov. 12, 2000 to Nov. 14, 2000
C. Dwork , Compaq Syst. Res. Centre, Palo Alto, CA, USA
A zap is a two-round, witness-indistinguishable protocol in which the first round, consisting of a message from the verifier to the prover, can be fixed "once-and-for-all" and applied to any instance, and in which the verifier uses no private coins. We present a zap for every language in NP, based on the existence of non-interactive zero-knowledge proofs in the shared random string model. The zap is in the standard model, and hence requires no common guaranteed random string. We introduce and construct verifiable pseudo-random bit generators (VPRGs), and give a complete existential characterization of both non-interactive zero-knowledge proofs and zaps in terms of approximate VPRGs. We present several applications for zaps. In the timing model of C. Dwork et al. (2000), and using moderately hard functions, we obtain 3-round concurrent zero knowledge and 2-round concurrent deniable authentication (the latter protocol also operates in the resettable model of R. Canetti et al. (2000)). In the standard model we obtain 2-round oblivious transfer using public keys (3-round otherwise). We note that any zap yields resettable 2-round witness-indistinguishability, and we obtain a 3-round timing-based resettable zero-knowledge argument system for any language in NP.
cryptography; computational complexity; theorem proving; zap; witness-indistinguishable protocol; verifier; NP completeness; zero-knowledge proofs; shared random string model; verifiable pseudo-random bit generators; concurrent zero knowledge; concurrent deniable authentication; public keys
C. Dwork, "Zaps and their applications," Proceedings of the IEEE Symposium on Foundations of Computer Science (FOCS 2000), Redondo Beach, CA, USA, 2000, p. 283, doi:10.1109/SFCS.2000.892117