On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Slides:



Advertisements
Similar presentations
Optimal Bounds for Johnson- Lindenstrauss Transforms and Streaming Problems with Sub- Constant Error T.S. Jayram David Woodruff IBM Almaden.
Advertisements

Perfect Non-interactive Zero-Knowledge for NP
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
Sublinear Algorithms … Lecture 23: April 20.
Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.
4.1 Introduction to Matrices
Shortest Vector In A Lattice is NP-Hard to approximate
Secure Computation of Linear Algebraic Functions
Secure Evaluation of Multivariate Polynomials
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Computability and Complexity
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
7. Asymmetric encryption-
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
Eigenvalues and Eigenvectors
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
1 Adapted from Oded Goldreich’s course lecture notes.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Department of Computer Science & Engineering University of Washington
Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
Introduction to Modern Cryptography Homework assignments.
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Linear Algebra with Sub-linear Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before.
Foundations of Cryptography Lecture 2 Lecturer: Moni Naor.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.
Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.
Eigenvalues and Eigenvectors
Lecture note 8: Quantum Algorithms
Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.
MA/CSSE 473 Day 11 Primality testing summary Data Encryption RSA.
Quantum Computing MAS 725 Hartmut Klauck NTU
Public key ciphers 2 Session 6.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
DIFFERENTIAL CRYPTANALYSIS Chapter 3.4. Ciphertext only attack. The cryptanalyst knows the cryptograms. This happens, if he can eavesdrop the communication.
The Paillier Cryptosystem
Zero-knowledge proof protocols 1 CHAPTER 12: Zero-knowledge proof protocols One of the most important, and at the same time very counterintuitive, primitives.
Zero Knowledge Proofs Matthew Pouliotte Anthony Pringle Cryptography November 22, 2005 “A proof is whatever convinces me.” -~ Shimon Even.
Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University.
Private Information Retrieval Based on the talk by Yuval Ishai, Eyal Kushilevitz, Tal Malkin.
Complexity 24-1 Complexity Andrei Bulatov Interactive Proofs.
Zero-Knowledge Proofs Ben Hosp. Classical Proofs A proof is an argument for the truth or correctness of an assertion. A classical proof is an unambiguous.
Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes
Key Exchange in Systems VPN usually has two phases –Handshake protocol: key exchange between parties sets symmetric keys –Traffic protocol: communication.
Feige-Fiat-Shamir Zero Knowledge Proof Based on difficulty of computing square roots mod a composite n Given two large primes p, q and n=p * q, computing.
Topic 36: Zero-Knowledge Proofs
Probabilistic Algorithms
ECE 3301 General Electrical Engineering
On the Size of Pairing-based Non-interactive Arguments
MPC and Verifiable Computation on Committed Data
Linear Algebra with Sub-linear Zero-Knowledge Arguments
Background: Lattices and the Learning-with-Errors problem
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Zero-Knowledge Proofs
Cryptography Lecture 26.
Eigenvalues and Eigenvectors
Jens Groth and Mary Maller University College London
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Presentation transcript:

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University

Classic Zero-Knowledge Protocols - for, e.g., discrete log or quadratic residuosity, are of form ProverVerifier x= f(w) e = 0 or 1 a z Some constructions do much better: O(k+n) bits. Schnorr: only for groups of public and prime order. Guillou-Quisquater: only for q’th roots mod a composite, q a large prime. Okamoto-Fujisaki: discrete log in RSA groups, but only under strong RSA assumption and for special moduli. No better general method known for amplifying error. w Has error probability ½. Can be amplified to 2 -n by iterating n times. Means proof has size O(kn) bits, k size of problem instance.

Results of this paper For a large class of problems, we show how to do a zero-knowledge proof for n problem instances simultaneously, such that: the complexity per instance proved is O(n+k) bits, and the error probability is 2 -n. Construction is unconditional. Result works for any function f that has certain homomorphic properties (f is a ”zero-knowledge friendly” function): Given x 1,...,x n, the prover shows he knows w 1,...,w n such that f(w i ) = x i Includes Discrete log in any group, Quadratic residuosity, improves also classic protocol for quadratic non- residues Goldwasser-Micali encryptions and similar cryptosystems, Integer commitment schemes based on discrete log mod a composite.

Results cont’d Result extends to show relations between preimages under f, such as multiplicative relations. We obtain a Σ–protocol, a 3-move honest verifier zero-knowledge protocol. Honest-verifier zero-knowledge is enough for many applications. Upcoming work (Cramer, Damgård and Keller): for same class of problems, can get constant-round proof of knowledge that is zero- knowledge against any verifier, proof has same size as ours up to a constant factor, and properties are unconditional. Related Work Ishai et al. (STOC 07) have a construction of zero-knowledge protocols from multiparty computation that can give similar complexity as ours for some, but not all problems and requires a complexity assumption.

The Construction, preliminaries Let e be an n-bit string. We will need an efficiently computable function: takes e as input and outputs matrix M e, with integer entries. n columns, m rows. In this example m=2n-1. Other dimensions possible as well. Details on the function later. e MeMe

Idea of construction - for discrete logarithm in any group ProverVerifier h 1 = g w1,..., h n = g wn e= e 1,..., e n z 1,..., z m How to compute z 1,..., z m : Let W, R, Z be columns vectors containing the wi’s, ri’s and zi’s. Then prover sets Z= R + M e ·W How to check Z is correct: Let (t i1,..., t in ) be i’th row of M e must be the case that for i=1... m: g zi = a i · h 1 ti1 ·... · h n tin = g ri + w1·ti wn·tin w1,...,wn a 1 = g r1,..., a m = g rm Z = · + MeMe W R

Why is this (honest-verifer) zero-knowledge? If entries in R chosen uniformly in a large enough interval (compared to entries in M e ·W ) Z will have essentially uniform entries. Hence, to simulate, choose z 1,..., z m and e uniformly, compute M e, and compute a 1,…,a m such that g zi = a i · h 1 ti1 ·... · h n tin is true. ProverVerifier h 1 = g w1,..., h n = g wn e= e 1,..., e n Z= R + M e ·W w1,...,wn a 1 = g r1,..., a m = g rm Check that g zi = a i · h 1 ti1 ·... · h n tin

Why is this sound? We show that if, after sending first message, the prover can answer two different challenges e,e’, then he could compute w 1,...,w n, so error probability is 2 -n. Intuition on this: if prover can produce Z= R + M e ·W and Z’= R + M e’ ·W, then he can also compute Z - Z’ = (M e -M e’ )W So if we can construct M e from e such that this equation can always be solved for W, we are done. ProverVerifier h 1 = g w1,..., h n = g wn e= e 1,..., e n Z= R + M e ·W w1,...,wn a 1 = g r1,..., a m = g rm

Construction of M e from e Write e as an n-bit column vector Form the matrix.. eeeee.... Me=Me= We will get m= 2n-1 rows. Observation: any difference M e –M e’ is an upper triangular matrix with either +1 or -1 on the diagonal Why? focus on ”lowest” position where e is different from e’. This implies M e –M e’ is invertible. e’ = = ≠ 0’s

Complexity Communication Per instance proved, we have sent m/n group elements and numbers. m/n< 2, so same complexity per instance as Schnorr up to a factor 2. Computation Entries in M e are 0, 1, or -1, so computations involving M e are dominated by the exponentiations. Hence also computation per instance same as Schnorr up to a factor 2. ProverVerifier h 1 = g w1,..., h n = g wn e= e 1,..., e n Z= R + M e ·W w1,...,wn a 1 = g r1,..., a m = g rm Check that g zi = a i · h 1 ti1 ·... · h n tin

In general.. The homomorphic property of the function w  g w is what makes this work. Many other functions are fine as well, see paper for general framework. Examples: Not limited to one base, can do proofs of knowledge for (w,s)  g w h s. Covers several known cryptosystems (Goldwasser-Micali, Groth, Damgård- Geisler-Krøigaard) - And commitment schemes for committing to integers (Fujisaki Okamoto)

More Examples The function w  w 2 mod N Here special purpose construction of M e makes it even more efficent: Consider that n-bit string e can be thought of as an element in GF(2 n ). GF(2 n ) is a vector space over GF(2), and multiplication by e is a linear mapping. So fix some basis and let M e be the matrix of this mapping. Then any M e –M e’ is invertible because it corresponds to multiplication by e-e’ ≠ 0. Leads to protocol for proving you know square roots mod N of x1,...,xn. Size of proof per instance is exactly equal to one run of the classic GMR protocol.

Also in Paper.. Interesting connection between construction of M e and black-box secret sharing. Most known efficent protocols (Schnorr, G-Q, ours) can be thought of as being based on a 2 out of T secret sharing scheme, for very large T: PV a e z P commits to randomness for s.s. V asks for e’th share of secret Prover reveals requested share, V checks share is correct x w w: secret, x: commitment to secret Zero-knowledge because one share does reveal the secret. Sound because given two correct shares, secret can be computed.