Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AAAAA A A A A A A

Motivation VoterOfficial We can only accept correctly formatted votes Attaching encrypted vote to this

Non-interactive zero-knowledge proof VoterOfficial Ok, we will count your vote Attaching encrypted vote to this + NIZK argument that correctly formatted Soundness: Vote is correct Zero-knowledge: Vote remains secret

Non-interactive zero-knowledge argument ProverVerifier Soundness: Statement is true Zero-knowledge: Nothing but truth revealed Common reference string Proof: (x,w) R L Statement: x L

Applications of NIZK arguments Ring signatures Group signatures Anonymous credentials Verifiable encryption Voting...

Our contribution Common reference string with special distribution Statement: C is satisfiable circuit Very efficient verifier Sub-linear (constant) size NIZK argument Not Fiat-Shamir heuristic (no random oracle) Perfect completeness Computational soundness Perfect zero-knowledge Adaptive soundness: Adversary sees CRS before attempting to cheat with false (C, )

Pairings G, G T groups of prime order p Bilinear map e: G G G T –e(a x,b y ) = e(a,b) xy –e(g,g) generates G T if g is non-trivial Group operations, deciding group membership, computing bilinear map are efficiently computable

Assumptions Power knowledge of exponent assumption (q-PKE): Given (g,g x,…,g x q,g,g x,…,g x q ) hard to compute (c,c ) without knowing a 0,…,a q such that c = g a 0 g a 1 x …g a q x q Computational power Diffie-Hellman (q-CPDH): For all j hard to compute g x j given (g,g x,…,g x q,g,g x,…,g x j-1,g x j+1,…,g x q ) Both assumptions hold in generic group model

Comparison CRSSizeProver comp.Verifier comp. Kilian-Petrank (Nk) group (Nk) expo (Nk) mult Trapdoor permutationsStat. SoundComp. ZK GOSO(1) groupO(N) groupO(N) expoO(N) pairing Subgroup decisionPerfect soundComp. ZK Abe-FehrO(1) groupO(N) groupO(N) expoO(N) pairing Dlog & knowledge of expo.Comp. soundPerfect ZK This workO(N 2 ) groupO(1) groupO(N 2 ) multO(N) mult q-PKE and q-CPDHComp. soundPerfect ZK This workO(N 2/3 ) group O(N 4/3 ) multO(N) mult q-PKE and q-CPDHComp. soundPerfect ZK Interactive +O(N) group O(N) mult Fiat-ShamirDlog and random oracleComp. soundPerfect ZK

Knowledge commitments Commitment key: ck=(g,g x,…,g x q,g,g x,…,g x q ) Commitment to (a 1,…,a q ) using randomness r Z p c = (g) r (g x ) a 1 …(g x q ) a q ĉ = (g ) r (g x ) a 1 …(g x q ) a q Verifying commitment: e(c,g ) = e(ĉ,g) Knowledge: q-PKE assumption says impossible to create valid (c,ĉ) without knowing r,a 1,…,a q

Homomorphic property c = (g) r (g x ) a 1 …(g x q ) a q log(c) = r+a 1 x+…+a q x q Homomorphic commit(a 1,…,a q ;r) commit(b 1,…,b q ;s) = commit(a 1 +b 1,…,a q +b q ;r+s) (r+ a i x i ) + (s+ b i x i ) = r+s+ (a i +b i )x i

Tools Constant size knowledge commitments for tuples of elements (a 1,…,a q ) (Z p ) q Homomorphic so we can add committed tuples com(a 1,…,a q )com(b 1,…,b q ) = com(a 1 +b 1,…,a q +b q ) NIZK argument for multiplicative relationship com(a 1,…,a q ) com(b 1,…,b q ) com(a 1 b 1,…,a q b q ) NIZK argument for known permutation com(a 1,…,a q ) com(a (1),…,a (q) )

Circuit with NAND-gates commit(a 1,…,a N,b 1,…,b N ) commit(b 1,…,b N,0,…..,0) commit(u 1,…,u N,0,…..,0) NIZK argument for u N = 1 NIZK argument for everything else consistent a1a1 a2a2 a3a3 a4a4 b1b1 b2b2 b3b3 b4b4 u1u1 u3u3 u2u2 u4u4

Consistency Need to show valid inputs a 1,…,a N,b 1,…b N {0,1} NIZK argument for multiplicative relationship commit(a 1,…,a N,b 1,…b N ) commit(a 1,…,a N,b 1,…b N ) commit(a 1,…,a N,b 1,…b N ) shows a 1 a 1 =a 1, …, a N a N =a N, b 1 b 1 =b 1, …, b N b N =b N Only possible if a 1 {0,1}, …, a N {0,1}, b 1 {0,1}, …, b N {0,1}

Consistency Homomorphic property gives commit(1,…,1,0,…,0) / commit(u 1,…,u N,0,…,0) = commit(1-u 1,…,1-u N,0,…,0) NIZK argument for multiplicative relationship in commit(a 1,…,a N,b 1,…,b N ) commit(b 1,…,b N,0,…,0) commit(1-u 1,…,1-u N,0,…,0) shows 1-u 1 =a 1 b 1,…,1-u N =a N b N This proves all NAND-gates are respected u 1 = (a 1 b 1 ),…,u N = (a N b N )

Consistency Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever a i and b j correspond to the same wire a i = b j We refer to the full paper for the details

Circuit with NAND-gates commit(a 1,…,a N,b 1,…,b N ) commit(b 1,…,b N,0,…..,0) commit(u 1,…,u N,0,…..,0) NIZK argument for u N = 1 NIZK argument for everything else consistent a1a1 a2a2 a3a3 a4a4 b1b1 b2b2 b3b3 b4b4 u1u1 u3u3 u2u2 u4u4

Conclusion NIZK argument of knowledge –perfect completeness –perfect zero-knowledge –computational soundness Short and efficient to verify CRSArgumentProver comp.Verifier comp. Minimal argumentO(N 2 )O(1)O(N 2 ) multsO(N) mults Balanced sizesO(N 2/3 ) O(N 4/3 ) multsO(N) mults CRS O(N 2(1-ε) ) and argument O(N ε ) q-PKE and q-CPDH

Thanks Full paper available at