New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.

Presentation transcript:

New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles

Motivation
"I'm a woman." "Prove it!" "OK, I will make a zero-knowledge proof."
Circuit C = "I'm a woman"; proof π.

Completeness
K(1^k) outputs the common reference string. The prover holds a circuit C and a witness w with C(w) = 1 and sends a proof π to the verifier, who accepts.
Perfect completeness: Pr[Accept] = 1

Soundness
The adversary outputs an unsatisfiable circuit C and a proof π; the verifier, given the common reference string from K(1^k), rejects.
Perfect soundness: Pr[Reject] = 1

Zero-knowledge
Simulator (S_1, S_2): S_1(1^k) outputs a simulated "common reference string" together with a simulation trapdoor sk; S_2(crs, sk, C) outputs a proof π for circuit C without knowing the witness w. The adversary sees the CRS and proofs and outputs 0/1.
Computational zero-knowledge: Pr[A → 1 | simulated proofs (S_1, S_2)] ≈ Pr[A → 1 | real proofs (K, P)]

NIZK proof for Circuit SAT
Circuit SAT is NP-complete. Example: a circuit of NAND gates over wires w_1, w_2, w_3, w_4 whose output wire is 1.

Homomorphic proof commitment
Two types of indistinguishable public keys:
Perfect trapdoor (hiding) key: (pk, tk) ← K_hiding(1^k)
Perfect binding key: pk ← K_binding(1^k)
Homomorphic, with message space of size at least 4 (3 is also OK).
Witness-indistinguishable proof that a commitment contains 0 or 1: perfect soundness on a perfect binding key, perfect WI on a perfect trapdoor key.

Bilinear group of order n
G, G_T cyclic groups of order n = pq; g a generator of G.
Bilinear map e: G × G → G_T with e(u^a, v^b) = e(u, v)^{ab}; e(g, g) generates G_T.
Decision subgroup problem: ord(h) = q or ord(h) = n?

BGN-based commitment
Perfect binding key: ord(g) = n, ord(h) = q
Perfect hiding key: ord(g) = ord(h) = n and g = h^x
Commitment: Com(m; r) = g^m h^r where r ← Z_n
Homomorphic: g^{m+M} h^{r+R} = g^m h^r · g^M h^R

WI proof for commitment to 0 or 1
Wish to prove that c is a commitment to 0 or 1. Write c = g^m h^r (m mod p is unique if h has order q).
e(c, g^{-1} c) = e(g^m h^r, g^{m-1} h^r) = e(g, g)^{m(m-1)} e(h^r, g^{2m-1} h^r) = e(g, g)^{m(m-1)} e(h, (g^{2m-1} h^r)^r)
Proof: π = (g^{2m-1} h^r)^r; the verifier checks e(c, g^{-1} c) = e(h, π).
Soundness when h has order q: e(g, g)^{m(m-1)} e(h^r, g^{2m-1} h^r) = e(h, π) forces m(m-1) = 0 mod p, so m = 0 or 1 mod p.
Witness indistinguishability when h has order n: π is the unique element with e(c, g^{-1} c) = e(h, π), so it depends only on c and not on the opening (m, r).

NIZK proof for Circuit SAT
Wire commitments c_1 = com(w_1), c_2 = com(w_2), c_3 = com(w_3), c_4 = com(w_4), and com(1) for the output wire.
WI proofs that each of c_1, c_2, c_3, c_4 commits to 0 or 1.
WI proof that w_4 = ¬(w_1 ∧ w_2) for the first NAND gate; WI proof that 1 = ¬(w_4 ∧ w_3) for the output NAND gate.

WI proof for NAND gate
Given commitments c_0, c_1, c_2 containing bits b_0, b_1, b_2, wish to prove b_2 = ¬(b_0 ∧ b_1).
b_2 = ¬(b_0 ∧ b_1) if and only if b_0 + b_1 + 2b_2 − 2 ∈ {0, 1}.
So give a WI proof that c_0 c_1 c_2^2 com(−2) is a commitment to 0 or 1.

NIZK proof for Circuit SAT
Commit to all wires w_i as c_i = com(w_i).
For each i, make a WI proof that c_i contains 0 or 1.
For each NAND gate, make a WI proof that c_0 c_1 c_2^2 com(−2) contains 0 or 1.
Perfect completeness. Perfect binding key: perfect soundness. Perfect trapdoor key: perfect zero-knowledge.

Perfect NIZK on perfect trapdoor key
Simulation: make trapdoor commitments, trapdoor-open the relevant commitments to 0, and WI prove.
Proof that the simulation works on C with w such that C(w) = 1:
Can trapdoor-open the commitments to the w_i's and WI prove; by perfect witness-indistinguishability of the WI proofs this is indistinguishable from the simulation.
Can from the start make commitments to the w_i's; by perfect hiding of the commitments this is indistinguishable from the previous method.
This corresponds to a real proof on the trapdoor key.

First result
Use K_binding to generate pk. NIZK proof with perfect completeness, perfect soundness and computational zero-knowledge.
CRS size: O(k) bits. Proof size: O(|C|k) bits.
Compare with: O(|C|k^2)-bit proofs [KP]

Second result
Use K_hiding to generate pk. NIZK argument with perfect completeness, computational co-soundness and perfect zero-knowledge.
CRS size: O(k) bits. Proof size: O(|C|k) bits.
Compare with: none

Adaptive co-soundness
The adversary outputs a circuit C, a witness w_co that C is unsatisfiable, and a proof π; the verifier, given the common reference string from K_hiding, rejects.
Computational co-soundness: Pr[Reject] ≈ 1

Third result
Protocol: non-interactive statistical ZK; UC NIZK proof secure against an adaptive adversary.
Compare with: interactive UC ZK proofs [DN, CLOS]; UC NIZK proofs secure against a non-adaptive adversary [DDOPS]

Non-interactive zaps for Circuit SAT
No common reference string.
Perfect completeness: ∀(C, w) with C(w) = 1: π ← P(1^k, C, w) satisfies V(1^k, C, π) = 1
Perfect soundness: ∀(C, π) with C unsatisfiable: V(1^k, C, π) = 0
Computational witness-indistinguishability: ∀(C, w_0, w_1) with C(w_0) = 1 and C(w_1) = 1: P(1^k, C, w_0) ≈ P(1^k, C, w_1)

Non-interactive zaps
Naive idea: the prover chooses the public key and makes an NIZK proof. Problem: the prover can choose a trapdoor key and prove anything.
Better idea: the prover chooses two public keys and makes an NIZK proof under each of them, choosing them so that one is a trapdoor key and one is perfectly binding, it is verifiable that at least one key is perfectly binding, and the verifier cannot tell which key is the trapdoor key.

Witness-indistinguishability
Circuit C and two witnesses w_0, w_1. Hybrid argument:
Generate pk_0 perfect trapdoor and pk_1 perfect binding: NIZK proof using w_0 on pk_0, NIZK proof using w_0 on pk_1.
Simulate the proof on trapdoor pk_0; NIZK proof using w_0 on pk_1.
NIZK proof using w_1 on pk_0; NIZK proof using w_0 on pk_1.
Switch to pk_0 perfect binding and pk_1 perfect trapdoor: NIZK proof using w_1 on pk_0; simulate the proof on trapdoor pk_1.
NIZK proof using w_1 on pk_0; NIZK proof using w_1 on pk_1.
Switch back to pk_0 perfect trapdoor and pk_1 perfect binding.

Fourth result
Use verifiable pairs of public keys: at least one of the two keys is perfectly binding, the other is a trapdoor key, and it is indistinguishable which one is the trapdoor key.
Non-interactive zap with proof size O(|C|k) bits.
Compare with: 2-move zaps [DN]; non-interactive zaps [BOV] with huge proofs under a non-standard assumption.

Bilinear groups
G, G_T cyclic groups of prime order p; g a generator of G.
Bilinear map e: G × G → G_T with e(g^a, g^b) = e(g, g)^{ab}; e(g, g) a generator of G_T.
Decisional linear problem [BBS]: given f, h, g, u = f^R, v = h^S, w = g^T, is T = R + S or is T random?

Commitment scheme
Public key: f = g^x, h = g^y, u = f^R, v = h^S, w = g^T; pk = (p, G, G_T, e, g, f, h, u, v, w)
Commitment to m ∈ Z_p: c = (u^m f^r, v^m h^s, w^m g^{r+s})
Perfect hiding trapdoor if T = R + S: c = (f^{mR+r}, h^{mS+s}, g^{m(R+S)+r+s})

Commitment scheme
Commitment to m ∈ Z_p: c = (u^m f^r, v^m h^s, w^m g^{r+s})
Perfect binding if T ≠ R + S: writing c = (c_1, c_2, c_3), c_3 c_1^{-1/x} c_2^{-1/y} = (w u^{-1/x} v^{-1/y})^m = g^{(T-(R+S))m} uniquely defines m

Commitment scheme
Commitment to m ∈ Z_p: c = (u^m f^r, v^m h^s, w^m g^{r+s})
Homomorphic: (u^m f^r, v^m h^s, w^m g^{r+s}) · (u^M f^R, v^M h^S, w^M g^{R+S}) = (u^{m+M} f^{r+R}, v^{m+M} h^{s+S}, w^{m+M} g^{r+R+s+S})
Witness-indistinguishable proof of commitment to message 0 or 1: perfectly sound on a perfect binding key, perfectly WI on a perfect trapdoor key.

Choosing two keys
Elliptic curve E: y^2 = x^3 + 1 mod q, where q is the smallest suitable prime such that E has a subgroup of order p. Easy to verify that p is prime; p defines (G, G_T, e); easy to verify that g is a point of order p on the curve.
Choose x, y ← Z_p^*, R, S ← Z_p and set f = g^x, h = g^y, u = f^R, v = h^S, w = g^{R+S}.
Output two public keys: (p, G, G_T, e, g, f, h, u, v, w) and (p, G, G_T, e, g, f, h, u, v, wg).
At least one must be perfectly binding, but by the decisional linear assumption it is hard to tell which one.
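The DLIN-based commitment (homomorphism, binding extraction when T ≠ R + S, trapdoor opening when T = R + S) and the "two keys" construction from the last four slides, as an added worked example that is not code from the original presentation or its authors. As before it works on discrete logs in a toy prime-order group, so it reproduces the algebra and gives no security; the extractor is handed the key's own secrets x, y, R, S, T to show that m is determined, which a real verifier cannot do. The prime, the sample values and the function names are this example's assumptions.

```python
# Constructed toy parameters: G has prime order p and an element g^a is represented
# by its discrete log a mod p, so the model reproduces the slides' algebra but
# offers no security (logs are public). Names and values are this example's own.
P = 1009

def keygen(x, y, R, S, T):
    # pk = (g, f, h, u, v, w) with f = g^x, h = g^y, u = f^R, v = h^S, w = g^T (as logs)
    return {"f": x % P, "h": y % P, "u": x * R % P, "v": y * S % P, "w": T % P}

def commit(pk, m, r, s):
    # c = (u^m f^r, v^m h^s, w^m g^{r+s})
    return ((pk["u"] * m + pk["f"] * r) % P,
            (pk["v"] * m + pk["h"] * s) % P,
            (pk["w"] * m + r + s) % P)

def mul(c, d):
    # Homomorphic: Com(m; r, s) * Com(M; r', s') = Com(m+M; r+r', s+s')
    return tuple((a + b) % P for a, b in zip(c, d))

def extract(pk, c, x, y, R, S, T):
    # Perfect binding when T != R+S: c3 * c1^{-1/x} * c2^{-1/y} = g^{(T-(R+S)) m},
    # so m is uniquely determined. (Uses the key secrets only to exhibit uniqueness.)
    c1, c2, c3 = c
    d = (c3 - c1 * pow(x, -1, P) - c2 * pow(y, -1, P)) % P
    return d * pow((T - R - S) % P, -1, P) % P

def trapdoor_open(m, r, s, new_m, R, S):
    # Perfect hiding when T = R+S: with trapdoor (R, S) a commitment to m opens
    # to any new_m by shifting the randomness by (m - new_m) * (R, S).
    d = m - new_m
    return (r + R * d) % P, (s + S * d) % P

def two_keys(x, y, R, S):
    # "Choosing two keys": publish w = g^{R+S} and w' = w*g, i.e. exponents T and T+1.
    # T = R+S and T+1 = R+S cannot both hold, so at least one key is perfectly
    # binding; under DLIN it is hard to tell which one the prover made hiding.
    T = (R + S) % P
    return keygen(x, y, R, S, T), keygen(x, y, R, S, T + 1)

def keys_well_formed(pk0, pk1):
    # Verifier-side check: same f, h, u, v and w' = w * g (log w' = log w + 1)
    return all(pk0[k] == pk1[k] for k in "fhuv") and pk1["w"] == (pk0["w"] + 1) % P

def demo():
    x, y, R, S = 3, 7, 11, 13
    T = R + S + 5                                   # T != R+S: binding key
    binding = keygen(x, y, R, S, T)
    recovered = extract(binding, commit(binding, 5, 17, 19), x, y, R, S, T)
    hom = mul(commit(binding, 2, 1, 2), commit(binding, 3, 4, 6)) == commit(binding, 5, 5, 8)
    pk_hide, pk_bind = two_keys(x, y, R, S)        # first key has T = R+S
    c_hide = commit(pk_hide, 5, 17, 19)
    r2, s2 = trapdoor_open(5, 17, 19, 0, R, S)
    equivocated = commit(pk_hide, 0, r2, s2) == c_hide   # same c now opens to 0
    rec2 = extract(pk_bind, commit(pk_bind, 5, 17, 19), x, y, R, S, R + S + 1)
    return recovered, hom, keys_well_formed(pk_hide, pk_bind), equivocated, rec2

if __name__ == "__main__":
    print(demo())   # (5, True, True, True, 5)
```

Note that `keys_well_formed` is the only check a verifier can actually run: it confirms the pair has the right shape, and from that alone it follows that at most one of the two keys can satisfy T = R + S, which is all the non-interactive zap needs.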