Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs
Jens Groth, University College London

Presentation transcript:


Non-interactive zero-knowledge proof
Prover, Verifier
Common reference string: 0100…11010
Statement: x ∈ L
Proof: π
(x,w) ∈ R_L
Soundness: Statement is true
Zero-knowledge: Nothing but truth revealed

Non-interactive zero-knowledge proofs
Statement C is satisfiable circuit
Perfect completeness
Statistical soundness
Computational zero-knowledge
Uniformly random common reference string
Efficient prover – probabilistic polynomial time
Deterministic polynomial time verifier
Adaptive soundness: Adversary sees CRS before attempting to cheat with false (C, π)

Our results
Security level: 2^-k
Trapdoor perm size: k_T = poly(k)
Circuit size: |C| = poly(k)
Witness size: |w| ≤ |C|
CRS in bits; Proof in bits; Assumption
– Kilian-Petrank: |C|∙k_T∙k∙ω(log k); Trapdoor perms
– This talk: |C|∙k_T∙polylog(k); Trapdoor perms
CRS in bits; Proof in bits; Assumption
– Gentry: poly(k); |w|∙poly(k); Lattice-based + NIZK
– G-Ostrovsky-Sahai: k^3/polylog(k); |C|∙k^3/polylog(k); Pairing-based
– This talk: |C|∙polylog(k); Naccache-Stern
– Other work: poly(k); |w| + poly(k); FHE + NIZK

Encrypted random bits
Statement: x ∈ L
(x,w) ∈ R_L
CRS: …1 00…1 10…0
K(1^k) → (pk,sk)
c_1, c_2, c_3, c_4
E_pk(0;r_1), E_pk(1;r_2), E_pk(0;r_3), E_pk(1;r_4)
c_1 | 1; r_2 | c_3 | 0; r_4

Hidden random string - soundness Statement: x  L (x,w)  R L

Hidden random string – zero-knowledge
Statement: x ∈ L
0 1

Using hidden random bits for NIZK
Random bits not useful; need bits with structure
Use statistical sampling to get “good” blocks
Probably hidden pairs are 00 and 11

Statements |  | = O(|C|)

Idea in Kilian-Petrank
Interpret pairs of bits as truth values
– T = {01,10}, F = {00,11}
T F F T
?0 1? 0? ?1
Zero-knowledge: Does ?1 correspond to T = 01 or F = 11?
Soundness: F can only be opened one way
Completeness: T can be opened as 0 or 1

Completeness
T ∨ F ∨ F
10 11 11
Reveal: ?0 ⊕ 1? ⊕ ?1 = 0

Soundness
If not a satisfying assignment there is a clause where all literals are false
– x_1 ∨ ¬x_2 ∨ x_3 gives F ∨ F ∨ F
There is 50% chance to catch a cheating prover
– 11, 00, 00 has no opening to XOR = 0 so prover caught
– 11, 00, 11 can be opened to XOR = 0 so prover lucky
Will use repetition to decrease prover’s chance
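The pair encoding and the 50% figure from the three slides above can be checked by enumeration. This is an added example, not part of the original slides; the function names are hypothetical and the hidden pairs are constructed samples.

```python
from itertools import product

# Truth value -> hidden bit pairs that encode it (T = {01,10}, F = {00,11}).
PAIRS = {"T": ["01", "10"], "F": ["00", "11"]}

def find_opening(pairs):
    """Pick one bit position per hidden pair so the revealed bits XOR to 0.

    Returns a list of (position, revealed_bit), or None if no choice works.
    """
    for positions in product((0, 1), repeat=len(pairs)):
        bits = [int(pair[pos]) for pair, pos in zip(pairs, positions)]
        if sum(bits) % 2 == 0:
            return list(zip(positions, bits))
    return None

def acceptance_rate(truth_values):
    """Fraction of hidden-pair samples for which the clause can be opened to XOR 0."""
    samples = list(product(*(PAIRS[t] for t in truth_values)))
    return sum(find_opening(s) is not None for s in samples) / len(samples)

# A T pair holds both a 0 and a 1, so a clause with a true literal always opens.
# An F pair holds one repeated bit, so an all-false clause opens only when the
# number of 11 pairs happens to be even.
if __name__ == "__main__":
    for clause in ("TFF", "TTF", "FFF"):
        print(clause, acceptance_rate(clause))
    print(find_opening(("10", "11", "11")))   # the completeness slide's pairs
```
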

Consistency problem
Cannot let prover designate truth-value pairs to literals because a cheating prover might choose an inconsistent assignment
Need to ensure prover chooses correct and consistent assignment

Consistency
Interpret 12-blocks of bits as 6 truth values
– Good block = TTTFFF or FFFTTT
TTTFFF FTFTFF FFFTTT FTFFTF
I see many bad blocks. Statistically the remaining hidden blocks are good.

Consistency
Divide hidden random bit-string into 12-bit blocks
Call a block of 6 truth-value pairs good if it has one of these two forms: TTTFFF or FFFTTT
Prover reveals all bits associated with bad blocks such that only good blocks remain

Using blocks
Remaining good blocks: TTT FFF FFF TTT TTT FFF
x_1 = F, x_2 = T, x_3 = F, x_4 = F
TT? FFF FF? TTT FFF TT? TT? FFF
10? ? ? 01? 110
Unrevealed bit-pair shows positive/negative literals for variable
Positive literals, Negative literals

Using blocks
After discarding bad blocks the remaining hidden blocks are statistically speaking mostly good
We assign each block to a variable x_i in a deterministic way
Each block has 6 truth-values TTTFFF or FFFTTT
– If x_i = T reveal 5 bits in TTTFF? or FF?TTT
– If x_i = F reveal 5 bits in TT?FFF or FFFTT?
– Revelations correspond to 5 appearances x_i, x_i, x_i, ¬x_i, ¬x_i
The last unrevealed truth-value uniquely determines the assignment of truth-values to literals
The verifier now checks all clauses XOR to 0

Soundness
The prover has several degrees of freedom
– Can choose which false statement to prove
– Can choose the public key for the encryption scheme, each one of which will give different hidden random bits
– Can choose the truth-value assignment
– May leave a few bad blocks unrevealed
Use repetition to lower risk of cheating
– Instead of revealing single bits for each literal we will reveal several bit-strings and in each clause all bit-strings must XOR to 0
Statistical analysis shows with sufficient repetition a prover has negligible chance of cheating

Two new techniques
More efficient use of hidden random bits
– Kilian-Petrank: |C|∙k∙ω(log k) hidden random bits
– This work: |C|∙polylog(k) hidden random bits
More efficient implementation of hidden bits
– Trapdoor permutations: k_T = poly(k) bits per hidden random bit
– Naccache-Stern encryption: O(log k) bits per hidden random bit

Traditional proofs
Statement: x ∈ L
(x,w) ∈ R_L
Proof: The statement is true because bla bla bla bla bla bla bla bla. QED
I’d better read it very carefully

Probabilistically checkable proofs
Statement: x ∈ L
(x,w) ∈ R_L
Proof: The statement is true because bla bla bla bla bla bla bla bla. QED
Ok, let me spot check in random places

Satisfiability of 3SAT5 formula

Satisfiability of gap-3SAT5 formula

Witness-preserving assignment tester
Polynomial time algorithms f, f_w:
– f: C ↦ f(C), a formula that belongs to gap-3SAT5
– f_w: w ↦ x, where if C(w) = 1 then x satisfies f(C)
With the most efficient probabilistically checkable proofs (Dinur 07 combined with Ben-Sasson-Sudan 08) we have |f(C)| = |C| polylog(k)

Strategy
Want to prove C is satisfiable
Compute the formula f(C) and prove that it is satisfiable using Kilian-Petrank techniques from before
With the most efficient assignment testers we have |f(C)| = |C| polylog(k) so statement is larger
However, since f(C) allows for a constant fraction of “errors” less repetition is needed to make the overall soundness error negligible
It is ok if the prover cheats on some clauses as long as it cannot cheat on a constant fraction

Remarks
Probabilistically checkable proofs have been used in interactive zero-knowledge proofs
– Prover commits to PCP
– Verifier chooses at random some parts to check
– Prover opens and reveals those parts of the PCP
We are using PCPs in a different way
– The verifier will check all parts of the PCP
– The checks have a small error probability
– But unlikely that prover can cheat on a constant fraction

Implementing the hidden random bits model
Statement: x ∈ L
(x,w) ∈ R_L
CRS: …1 00…1 10…0
K(1^k) → (pk,sk)
c_1, c_2, c_3, c_4
E_pk(0;r_1), E_pk(1;r_2), E_pk(0;r_3), E_pk(1;r_4)
c_1 | 1; r_2 | c_3 | 0; r_4

Naccache-Stern encryption
pk = (M,P,g), sk = φ(M)
– M is an RSA modulus
– P = p_1 p_2 … p_d where p_1,…,p_d are O(log k) bit primes
– P | ord(g) = φ(M)/4 and |P| = Θ(|M|)
E_pk(m;r) = g^m r^P mod M
D_sk(c): For each p_i compute m mod p_i
– c^(φ(M)/p_i) = (g^m r^P)^(φ(M)/p_i) = (g^(m φ(M)/p_i))(r^(φ(M)P/p_i)) = (g^(φ(M)/p_i))^m
Chinese remainder gives us m mod P

Naccache-Stern implementation of hidden bits
Statement: x ∈ L
(x,w) ∈ R_L
CRS: …1 00…1 10…0
K(1^k) → (pk,sk)
c_1, c_2, c_3, c_4
E_pk(010;r_1), E_pk(101;r_2), E_pk(011;r_3), E_pk(110;r_4)
?1?; π_1 | 10?; π_2 | ??1; π_3 | ???; π_4
Hidden bit: 0 if m mod p_i even, 1 if m mod p_i odd, ⊥ if m mod p_i is -1

Revealing part of Naccache-Stern plaintext
Ciphertext c = g^m r^P
How to prove that m = x mod p_i?
Prover reveals π such that π^P = (c g^-x)^(P/p_i)
We can raise both sides to φ(M)/P
Gives us π^φ(M) = (g^(m-x) r^P)^(φ(M)/p_i) = (g^(φ(M)/p_i))^(m-x)
Implies 1 = (g^(φ(M)/p_i))^(m-x)
Since the order of g^(φ(M)/p_i) is p_i this shows m = x mod p_i

Revealing part of Naccache-Stern plaintext
Ciphertext c = g^m r^P
How to prove that m = x mod p_i?
Prover reveals π such that π^P = (c g^-x)^(P/p_i)
Can compute the proof as π = (c g^-x)^((P^-1 mod φ(M)/P) P/p_i)
Can randomize proof by multiplying with s^(φ(M)/P)
Generalizes to reveal m = x mod ∏_{i∈S} p_i with a proof consisting of one group element
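The encryption, decryption and partial-opening slides above can be run end to end on a toy key. This is an added example, not code from the talk: the primes, plaintext and randomness are constructed, the function names are hypothetical, and g is only chosen so that P divides ord(g), which is all the demo needs.

```python
from math import gcd, prod

# Constructed toy key, far too small for real use:
# p - 1 = 2*3*5*19 and q - 1 = 2*7*11*13, so P = 3*5*7*11 divides phi(M)/4.
p, q = 571, 2003
SMALL = [3, 5, 7, 11]                       # p_1, ..., p_d
M, P, PHI = p * q, prod(SMALL), (p - 1) * (q - 1)
assert PHI % (4 * P) == 0 and gcd(P, PHI // P) == 1
# First g for which g^(phi(M)/p_i) has order exactly p_i for every i.
g = next(a for a in range(2, M) if gcd(a, M) == 1
         and all(pow(a, PHI // pi, M) != 1 for pi in SMALL))

def encrypt(m, r):
    """E_pk(m; r) = g^m r^P mod M."""
    return pow(g, m, M) * pow(r, P, M) % M

def residue(c, pi):
    """Secret-key step: c^(phi(M)/p_i) = (g^(phi(M)/p_i))^m reveals m mod p_i."""
    base, target = pow(g, PHI // pi, M), pow(c, PHI // pi, M)
    return next(j for j in range(pi) if pow(base, j, M) == target)

def decrypt(c):
    """Chinese remaindering over all p_i gives m mod P."""
    return sum(residue(c, pi) * (P // pi) * pow(P // pi, -1, pi) for pi in SMALL) % P

def hidden_bit(c, pi):
    """Slide encoding: 0 if m mod p_i is even, 1 if odd, None if it is -1."""
    x = residue(c, pi)
    return None if x == pi - 1 else x % 2

def open_residue(c, x, pi):
    """Prover's proof that m = x mod p_i: (c g^-x)^((P^-1 mod phi(M)/P) * P/p_i)."""
    e = pow(P, -1, PHI // P) * (P // pi)
    return pow(c * pow(g, -x, M) % M, e, M)

def rerandomize(proof, s):
    """Multiply by s^(phi(M)/P); the P-th power is unchanged since s^phi(M) = 1."""
    return proof * pow(s, PHI // P, M) % M

def verify_residue(c, x, pi, proof):
    """Public check: proof^P == (c g^-x)^(P/p_i) mod M."""
    return pow(proof, P, M) == pow(c * pow(g, -x, M) % M, P // pi, M)

c = encrypt(409, 12345)                     # constructed plaintext and randomness
```

The verifier's check uses only pk = (M,P,g); computing the proof needs φ(M), and the randomness r is never revealed.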

Zero-knowledge
Simulator sets up pk = (M,P,g) such that ord(g) = φ(M)/4P and g = h^P mod M
Simulator also sets up the CRS such that it contains ciphertexts of the form c = s^P mod M
For any m ∈ Z_P we can compute r = h^-m s mod M such that s^P = g^m (g^-m) s^P = g^m h^(-mP) s^P = g^m r^P mod M
This means the simulator can open each ciphertext to arbitrary hidden bits using π = r

Final step – showing the key is valid
The public key is pk = (M,P,g)
The verifier can easily check P is a product of small primes p_1,…,p_d
But needs to be convinced M and g are ok
Can do this with trapdoor permutation based NIZK
– Statement is small so it does not affect total cost
– Trapdoor permutations implied by Naccache-Stern
So we use a small seeder NIZK to build large scale NIZK from Naccache-Stern encryption

Summary
Technique 1: Reduce soundness error with probabilistically checkable proofs
Technique 2: Implement hidden random bit string with Naccache-Stern encryption
Hidden bits; Proof in bits; Assumption
– Kilian-Petrank: |C|∙k_T∙k∙ω(log k); Trapdoor perms
– This work: |C|∙k_T∙polylog(k); Trapdoor perms
CRS in bits; Proof in bits; Assumption
– Gentry: poly(k); |w|∙poly(k); Lattice-based + NIZK
– G-Ostrovsky-Sahai: k^3/polylog(k); |C|∙k^3/polylog(k); Pairing-based
– This talk: |C|∙polylog(k); Naccache-Stern
– Other work: poly(k); |w| + poly(k); FHE + NIZK