Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA

Motivation We can only accept correctly formatted votes Attaching encrypted vote to this e-mail We can only accept correctly formatted votes Voter Official

Ok, we will count your vote Non-interactive zero-knowledge proof Attaching encrypted vote to this e-mail + NIZK argument that correctly formatted Ok, we will count your vote Voter Official Zero-knowledge: Vote remains secret Soundness: Vote is correct

Non-interactive zero-knowledge argument Common reference string Statement: xL (x,w)RL Proof:  Prover Verifier Zero-knowledge: Nothing but truth revealed Soundness: Statement is true

Applications of NIZK arguments Ring signatures Group signatures Anonymous credentials Verifiable encryption Voting ...

Our contribution Common reference string with special distribution Statement: C is satisfiable circuit Very efficient verifier Sub-linear (constant) size NIZK argument Not Fiat-Shamir heuristic (no random oracle) Perfect completeness Computational soundness Perfect zero-knowledge Adaptive soundness: Adversary sees CRS before attempting to cheat with false (C,)

Pairings G, GT groups of prime order p Bilinear map e: G G  GT e(ax,by) = e(a,b)xy e(g,g) generates GT if g is non-trivial Group operations, deciding group membership, computing bilinear map are efficiently computable

Assumptions Power knowledge of exponent assumption (q-PKE): Given (g,gx,…,gxq,g,gx,…,gxq) hard to compute (c,c) without knowing a0,…,aq such that c = ga0ga1x…gaqxq Computational power Diffie-Hellman (q-CPDH): For all j hard to compute gxj given (g,gx,…,gxq,g,gx,…,gxj-1,gxj+1,…,gxq) Both assumptions hold in generic group model

Comparison CRS Size Prover comp. Verifier comp. Kilian-Petrank (Nk) group (Nk) expo (Nk) mult Trapdoor permutations Stat. Sound Comp. ZK GOS O(1) group O(N) group O(N) expo O(N) pairing Subgroup decision Perfect sound Abe-Fehr Dlog & knowledge of expo. Comp. sound Perfect ZK This work O(N2) group O(N2) mult O(N) mult q-PKE and q-CPDH O(N2/3) group O(N4/3) mult Interactive + O(√N) group Fiat-Shamir Dlog and random oracle

Knowledge commitments Commitment key: ck=(g,gx,…,gxq,g,gx,…,gxq) Commitment to (a1,…,aq) using randomness rZp c = (g)r(gx)a1…(gxq)aq ĉ = (g)r(gx)a1…(gxq)aq Verifying commitment: e(c,g) = e(ĉ,g) Knowledge: q-PKE assumption says impossible to create valid (c,ĉ) without knowing r,a1,…,aq

Homomorphic property c = (g)r(gx)a1…(gxq)aq log(c) = r+a1x+…+aqxq Homomorphic commit(a1,…,aq;r) ∙ commit(b1,…,bq;s) = commit(a1+b1,…,aq+bq;r+s) (r+aixi) + (s+bixi) = r+s+(ai+bi)xi

Tools Constant size knowledge commitments for tuples of elements (a1,…,aq)  (Zp)q Homomorphic so we can add committed tuples com(a1,…,aq)∙com(b1,…,bq) = com(a1+b1,…,aq+bq) NIZK argument for multiplicative relationship com(a1,…,aq) com(b1,…,bq) com(a1b1,…,aqbq) NIZK argument for known permutation  com(a1,…,aq) com(a(1),…,a(q))

Circuit with NAND-gates b1 a2 b2 commit(a1,…,aN,b1,…,bN) commit(b1,…,bN,0,…..,0) commit(u1,…,uN,0,…..,0) NIZK argument for uN = 1 NIZK argument for everything else consistent u1 u2 a3 b3 u3 a4 b4 u4

Consistency Need to show valid inputs a1,…,aN,b1,…bN{0,1} NIZK argument for multiplicative relationship commit(a1,…,aN,b1,…bN) commit(a1,…,aN,b1,…bN) commit(a1,…,aN,b1,…bN) shows a1a1=a1, …, aNaN=aN, b1b1=b1, …, bNbN=bN Only possible if a1{0,1}, …, aN{0,1}, b1{0,1}, …, bN{0,1}

Consistency Homomorphic property gives commit(1,…,1,0,…,0) / commit(u1,…,uN,0,…,0) = commit(1-u1,…,1-uN,0,…,0) NIZK argument for multiplicative relationship in commit(a1,…,aN,b1,…,bN) commit(b1,…,bN,0,…,0) commit(1-u1,…,1-uN,0,…,0) shows 1-u1=a1b1,…,1-uN=aNbN This proves all NAND-gates are respected u1=(a1b1),…,uN=(aNbN)

Consistency Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever ai and bj correspond to the same wire ai = bj We refer to the full paper for the details

Circuit with NAND-gates b1 a2 b2 commit(a1,…,aN,b1,…,bN) commit(b1,…,bN,0,…..,0) commit(u1,…,uN,0,…..,0) NIZK argument for uN = 1 NIZK argument for everything else consistent u1 u2 a3 b3 u3 a4 b4 u4

Conclusion NIZK argument of knowledge Short and efficient to verify perfect completeness perfect zero-knowledge computational soundness Short and efficient to verify q-PKE and q-CPDH CRS Argument Prover comp. Verifier comp. Minimal argument O(N2) O(1) O(N2) mults O(N) mults Balanced sizes O(N2/3) O(N4/3) mults CRS O(N2(1-ε)) and argument O(Nε)

Thanks Full paper available at www.cs.ucl.ac.uk/staff/J.Groth