Short Pairing-based Non-interactive Zero-Knowledge Arguments

1 Short Pairing-based Non-interactive Zero-Knowledge Arguments
Jens Groth, University College London

2 Motivation
Voter: Attaching encrypted vote to this
Official: We can only accept correctly formatted votes

3 Non-interactive zero-knowledge proof
Voter: Attaching encrypted vote to this + NIZK argument that it is correctly formatted
Official: Ok, we will count your vote
Zero-knowledge: Vote remains secret
Soundness: Vote is correct

4 Non-interactive zero-knowledge argument
Common reference string
Statement: x ∈ L
Prover holds a witness w with (x, w) ∈ R_L and sends a proof π to the Verifier
Zero-knowledge: Nothing but truth revealed
Soundness: Statement is true

5 Applications of NIZK arguments
Ring signatures, group signatures, anonymous credentials, verifiable encryption, voting, ...

6 Our contribution
Common reference string with special distribution
Statement: C is a satisfiable circuit
Very efficient verifier
Sub-linear (constant) size NIZK argument
Not the Fiat-Shamir heuristic (no random oracle)
Perfect completeness
Computational soundness
Perfect zero-knowledge
Adaptive soundness: Adversary sees the CRS before attempting to cheat with a false (C, π)

7 Pairings
G, G_T groups of prime order p
Bilinear map e: G × G → G_T
e(a^x, b^y) = e(a, b)^{xy}
e(g, g) generates G_T if g is non-trivial
Group operations, deciding group membership and computing the bilinear map are efficiently computable

8 Assumptions
Power knowledge of exponent assumption (q-PKE): Given (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^q}) it is hard to compute a pair (c, ĉ) with e(c, ĝ) = e(ĉ, g) without knowing a_0, …, a_q such that c = g^{a_0} g^{a_1 x} ⋯ g^{a_q x^q}
Computational power Diffie-Hellman (q-CPDH): For all j it is hard to compute ĝ^{x^j} given (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^{j-1}}, ĝ^{x^{j+1}}, …, ĝ^{x^q})
Both assumptions hold in the generic group model

9 Comparison (columns in the order CRS, argument size, prover comp., verifier comp., then assumption and soundness/zero-knowledge)
Kilian-Petrank: (Nk) group, (Nk) expo, (Nk) mult; trapdoor permutations; statistically sound, computationally ZK
GOS: CRS O(1) group, size O(N) group, prover O(N) expo, verifier O(N) pairing; subgroup decision; perfectly sound
Abe-Fehr: Dlog and knowledge of exponent; computationally sound, perfectly ZK
This work: CRS O(N^2) group, prover O(N^2) mult, verifier O(N) mult; q-PKE and q-CPDH (alternative trade-off: CRS O(N^{2/3}) group, prover O(N^{4/3}) mult)
Interactive + Fiat-Shamir: O(√N) group; Dlog and random oracle

10 Knowledge commitments
Commitment key: ck = (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^q})
Commitment to (a_1, …, a_q) using randomness r ∈ Z_p:
c = g^r (g^x)^{a_1} ⋯ (g^{x^q})^{a_q}
ĉ = ĝ^r (ĝ^x)^{a_1} ⋯ (ĝ^{x^q})^{a_q}
Verifying commitment: e(c, ĝ) = e(ĉ, g)
Knowledge: the q-PKE assumption says it is impossible to create a valid (c, ĉ) without knowing r, a_1, …, a_q

11 Homomorphic property
c = g^r (g^x)^{a_1} ⋯ (g^{x^q})^{a_q}, so log(c) = r + a_1 x + … + a_q x^q
Homomorphic: commit(a_1,…,a_q; r) ∙ commit(b_1,…,b_q; s) = commit(a_1+b_1,…,a_q+b_q; r+s)
since (r + Σ a_i x^i) + (s + Σ b_i x^i) = r + s + Σ (a_i + b_i) x^i
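The knowledge commitment of slides 10 and 11 and its homomorphic property, as an added toy example that is not code from the talk or the paper: the constructed group is the order-509 subgroup of Z_1019^*, and since that group has no pairing, e is emulated by brute-force discrete logs (e(g^a, g^b) = ab mod p), which is bilinear but only feasible at toy size.

```python
import secrets

# Constructed toy parameters (not from the talk): G = <g> is the order-p subgroup of
# Z_P^* for the safe prime P = 2p + 1 = 1019, so p = 509. Real instantiations use a
# pairing-friendly curve with ~256-bit p; the algebra below is unchanged.
P, p, g = 1019, 509, 4  # g = 2^2 mod P has order p

def dlog(h):
    """Brute-force discrete log base g; feasible only because the toy group has 509 elements."""
    acc = 1
    for i in range(p):
        if acc == h:
            return i
        acc = acc * g % P
    raise ValueError("element not in <g>")

def e(u, v):
    """Toy bilinear map G x G -> (Z_p, +): e(g^a, g^b) = a*b, so e(u^x, v^y) = xy * e(u, v)."""
    return dlog(u) * dlog(v) % p

def keygen(q, x=None, alpha=None):
    """Commitment key of slide 10: (g, g^x, ..., g^{x^q}, ĝ, ĝ^x, ..., ĝ^{x^q}) with ĝ = g^alpha.
    x and alpha are the trapdoor, discarded after setup; the verifier never needs them."""
    x = x or secrets.randbelow(p - 1) + 1
    alpha = alpha or secrets.randbelow(p - 1) + 1
    g_pows = [pow(g, pow(x, i, p), P) for i in range(q + 1)]
    return g_pows, [pow(h, alpha, P) for h in g_pows]

def commit(ck, values, r):
    """c = g^r (g^x)^{a_1} ... (g^{x^q})^{a_q} and ĉ the same over ĝ, so log c = r + sum a_i x^i."""
    g_pows, ghat_pows = ck
    assert len(values) == len(g_pows) - 1
    c = chat = 1
    for base, base_hat, exp in zip(g_pows, ghat_pows, [r] + list(values)):
        c = c * pow(base, exp, P) % P
        chat = chat * pow(base_hat, exp, P) % P
    return c, chat

def verify(ck, c, chat):
    """Verifier check e(c, ĝ) = e(ĉ, g); holds iff ĉ = c^alpha, i.e. ĉ was built over the ĝ part of the key."""
    g_pows, ghat_pows = ck
    return e(c, ghat_pows[0]) == e(chat, g_pows[0])

def homomorphic_add(com1, com2):
    """commit(a; r) * commit(b; s) = commit(a + b; r + s) (slide 11), componentwise in G."""
    return com1[0] * com2[0] % P, com1[1] * com2[1] % P
```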

12 Tools
Constant size knowledge commitments for tuples of elements (a_1,…,a_q) ∈ (Z_p)^q
Homomorphic, so we can add committed tuples: com(a_1,…,a_q) ∙ com(b_1,…,b_q) = com(a_1+b_1,…,a_q+b_q)
NIZK argument for multiplicative relationship between com(a_1,…,a_q), com(b_1,…,b_q) and com(a_1 b_1,…,a_q b_q)
NIZK argument for known permutation σ between com(a_1,…,a_q) and com(a_{σ(1)},…,a_{σ(q)})

13 Circuit with NAND-gates
(Figure: circuit of NAND gates, gate i with inputs a_i, b_i and output u_i)
commit(a_1,…,a_N, b_1,…,b_N)
commit(b_1,…,b_N, 0,…,0)
commit(u_1,…,u_N, 0,…,0)
NIZK argument for u_N = 1
NIZK argument for everything else being consistent

14 Consistency
Need to show valid inputs a_1,…,a_N, b_1,…,b_N ∈ {0,1}
NIZK argument for multiplicative relationship between commit(a_1,…,a_N,b_1,…,b_N), commit(a_1,…,a_N,b_1,…,b_N) and commit(a_1,…,a_N,b_1,…,b_N) shows a_1 a_1 = a_1, …, a_N a_N = a_N, b_1 b_1 = b_1, …, b_N b_N = b_N
Only possible if a_1 ∈ {0,1}, …, a_N ∈ {0,1}, b_1 ∈ {0,1}, …, b_N ∈ {0,1}

15 Consistency
Homomorphic property gives commit(1,…,1,0,…,0) / commit(u_1,…,u_N,0,…,0) = commit(1-u_1,…,1-u_N,0,…,0)
NIZK argument for multiplicative relationship between commit(a_1,…,a_N,b_1,…,b_N), commit(b_1,…,b_N,0,…,0) and commit(1-u_1,…,1-u_N,0,…,0) shows 1-u_1 = a_1 b_1, …, 1-u_N = a_N b_N
This proves all NAND-gates are respected: u_1 = ¬(a_1 ∧ b_1), …, u_N = ¬(a_N ∧ b_N)

16 Consistency
Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever a_i and b_j correspond to the same wire, a_i = b_j
We refer to the full paper for the details
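The checks of slides 13 to 16 carried out in the clear on the committed vectors, as an added example that is not the paper's code: a NAND circuit is evaluated into the per-gate vectors (a_i, b_i, u_i), and the multiplicative relations, the output constraint and a wire-cycling permutation are tested directly; the constructed field size p = 509 and the particular permutation are assumptions of the example, and the real argument proves the same relations on commitments without revealing the values.

```python
p = 509  # constructed toy field size; the real scheme works over a ~256-bit prime p

def evaluate(gates, inputs):
    """gates: list of (left_wire, right_wire, out_wire) in topological order;
    inputs: {input_wire: bit}. Returns the per-gate vectors a, b, u of slide 13."""
    val = dict(inputs)
    a, b, u = [], [], []
    for left, right, out in gates:
        a.append(val[left])
        b.append(val[right])
        u.append(1 - val[left] * val[right])  # NAND over {0,1}
        val[out] = u[-1]
    return a, b, u

def mult_relation(x, y, z):
    """Relation proved by the multiplicative-relationship argument: z_i = x_i * y_i mod p."""
    return all(zi == xi * yi % p for xi, yi, zi in zip(x, y, z))

def wire_permutation(gates):
    """Permutation on the 3N positions of (a_1..a_N, b_1..b_N, u_1..u_N) that cycles
    every position carrying the same wire. The concatenated vector is wire-consistent
    exactly when it is fixed by this permutation (slide 16)."""
    N = len(gates)
    positions = {}
    for i, (left, right, out) in enumerate(gates):
        positions.setdefault(left, []).append(i)
        positions.setdefault(right, []).append(N + i)
        positions.setdefault(out, []).append(2 * N + i)
    sigma = list(range(3 * N))
    for pos in positions.values():
        for k, idx in enumerate(pos):
            sigma[idx] = pos[(k + 1) % len(pos)]
    return sigma

def consistent(gates, a, b, u):
    """All checks of slides 13-16 on the opened values; True iff the witness satisfies C."""
    N = len(gates)
    zero = [0] * N
    ab = a + b                                   # commit(a_1..a_N, b_1..b_N)
    one_minus_u = [(1 - ui) % p for ui in u]     # commit(1..1,0..0) / commit(u,0..0)
    w = a + b + u
    sigma = wire_permutation(gates)
    return (mult_relation(ab, ab, ab)                            # slide 14: a_i, b_i in {0,1}
            and mult_relation(ab, b + zero, one_minus_u + zero)  # slide 15: 1-u_i = a_i b_i
            and u[-1] == 1                                       # slide 13: output gate is 1
            and all(w[i] == w[sigma[i]] for i in range(3 * N)))  # slide 16: wires agree
```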

17 Circuit with NAND-gates
(Figure: circuit of NAND gates, gate i with inputs a_i, b_i and output u_i)
commit(a_1,…,a_N, b_1,…,b_N)
commit(b_1,…,b_N, 0,…,0)
commit(u_1,…,u_N, 0,…,0)
NIZK argument for u_N = 1
NIZK argument for everything else being consistent

18 Conclusion
NIZK argument of knowledge: perfect completeness, perfect zero-knowledge, computational soundness (q-PKE and q-CPDH)
Short and efficient to verify:
Minimal argument: CRS O(N^2), argument O(1), prover comp. O(N^2) mults, verifier comp. O(N) mults
Balanced sizes: CRS and argument O(N^{2/3}), prover comp. O(N^{4/3}) mults
In general: CRS O(N^{2(1-ε)}) and argument O(N^ε)

19 Thanks
Full paper available at

