Zaps and their applications

A zap is a two-round, witness-indistinguishable protocol in which the first round, consisting of a message from the verifier to the prover, can be fixed “once-and-for-all” and applied to any instance, and where the verifier does not use any private coins. We present a zap for every language in NP, based on the existence of non-interactive zero-knowledge proofs in the shared random string model. The zap is in the standard model, and hence requires no common guaranteed random string. We introduce and construct verifiable pseudo-random bit generators (VPRGs), and give a complete existential characterization of both noninteractive zero-knowledge proofs and zaps in terms of approximate VPRGs. We present several applications for zaps; In the timing model of C. Dwork et al. (1998) and using moderately hard functions, we obtain 3-round concurrent zero knowledge and 2-round concurrent deniable authentication (the latter protocol also operates in the resettable model of R. Canetti et al. (2000)). In the standard model we obtain 2-round oblivious transfer using public keys (3-round otherwise). We note that any zap yields resettable 2-round witness-indistinguishability and obtain a 3-round timing-based resettable zero-knowledge argument system for any language in NP