Proceedings 41st Annual Symposium on Foundations of Computer Science (2000)
Redondo Beach, California
Nov. 12, 2000 to Nov. 14, 2000
C. Dwork, Compaq Syst. Res. Centre, Palo Alto, CA, USA
M. Naor, Compaq Syst. Res. Centre, Palo Alto, CA, USA
A zap is a two-round, witness-indistinguishable protocol in which the first round, consisting of a message from the verifier to the prover, can be fixed "once-and-for-all" and applied to any instance, and where the verifier does not use any private coins. We present a zap for every language in NP, based on the existence of non-interactive zero-knowledge proofs in the shared random string model. The zap is in the standard model, and hence requires no common guaranteed random string. We introduce and construct verifiable pseudo-random bit generators (VPRGs), and give a complete existential characterization of both non-interactive zero-knowledge proofs and zaps in terms of approximate VPRGs. We present several applications for zaps. In the timing model of C. Dwork et al. (2000) and using moderately hard functions, we obtain 3-round concurrent zero knowledge and 2-round concurrent deniable authentication (the latter protocol also operates in the resettable model of R. Canetti et al. (2000)). In the standard model we obtain 2-round oblivious transfer using public keys (3-round otherwise). We note that any zap yields resettable 2-round witness-indistinguishability, and we obtain a 3-round timing-based resettable zero-knowledge argument system for any language in NP.
cryptography; computational complexity; theorem proving; zap; witness-indistinguishable protocol; verifier; NP completeness; zero-knowledge proofs; shared random string model; verifiable pseudo-random bit generators; concurrent zero knowledge; concurrent deniable authentication; public keys
M. Naor and C. Dwork, "Zaps and their applications," Proceedings 41st Annual Symposium on Foundations of Computer Science (FOCS), Redondo Beach, California, 2000, p. 283.