Download presentation
Presentation is loading. Please wait.
Published byAdrian Yeaw Modified over 10 years ago
1
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of Tartu, University of Athens,
2
Motivation: Secure Computation E(x1),…,E(xn) E(f(x1,…,xn)) Add NIZK proof pk
3
Motivation: Secure Computation (2) E(S) E(f(S)) E(T) E(g(T)) Add NIZK proof pk
4
Proofs for Set Operations
5
Non-Interactive Zero-Knowledge Proofs E(x1),…,E(xn) Proof of Correctness CompleteSoundZero-Knowledge Proof can be constructed without knowing inputs Contradiction? pk
6
Common Reference String Model E(x1),…,E(xn) Proof of Correctness pk,sk crs td
7
Our results CRS lengthProof lengthProver comp.Verifier comp. Θ(|S|)Θ(1)Θ(|S|)Θ(1)
8
Cryptographic Building Block: Pairings ›Bilinear operation –e(f1+f2,f3) = e(f1,f3) + e(f2,f3) –e(f1,f2+f3) = e(f1,f2) + e(f1,f3) ›With Hardness Assumptions –Given e(f1,f2), it is hard to compute f1 –…–… ›Much wow
9
Commitments We use a concrete succinct commitment scheme from 2013
10
Multiset Commitment Too costly!
11
Multiset Commitment
12
Main Idea iff Commitments are randomized Proof = a crib E that compensates for randomness Enables to perform verification on commitments
13
Additional Obstacles ›Soundness: –We use knowledge assumptions ›Guarantee that prover knows committed values –Common in succinct NIZK construction –[Gentry Wichs 2011]: also necessary ›Zero Knowledge: –Simulator needs to create proof for given commitments ›Not created by simulator –We let prover to create new random commitments for all sets ›Add a NIZK proof of correctness –Simulator creates fake commitments ›Uses trapdoor to simulate
14
Applications
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.