Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Published byJulianna Strickland Modified over 9 years ago

Similar presentations

Presentation on theme: "Efficient Zero-Knowledge Proof Systems Jens Groth University College London."— Presentation transcript:

1 Efficient Zero-Knowledge Proof Systems Jens Groth University College London

2 3-move proof systems Complete Special soundness Special honest verifier zero-knowledge Σ-protocols Public coin: Random challenge, verifier does not store private information about challenge

3 Special soundness

4 Special soundness is a form of proof of knowledge Proof of knowledge –Not just that the statement is true, but that the prover “knows” the witness Defined through extraction –The prover “knows” the witness if we can extract the witness from the prover Extraction through rewinding –Consider prover in the state after the initial message has been sent. Rewind it many times to this state giving it different challenges. Once we have answers to two different challenges, we can extract the witness

5 Honest verifier zero-knowledge ZK HVZK

6 Special honest verifier zero-knowledge

7 Equivalence of discrete logarithms

8 Multiple Σ-protocols can be composed with each other using the same challenge

9 Non-interactive commitment

10 Pedersen commitments

11 ElGamal type commitments

12 Addition gates

13 Multiplication gates

14 Σ-protocol for arithmetic circuit Pedersen commitments Computational special soundness Perfect special honest verifier zero-knowledge Communication –1 group element per committed value –2 group elements and 3 field elements per multiplication gate –Addition gates for free ElGamal commitments Statistical special soundness Comp. special honest verifier zero-knowledge Communication –2 groups elements per committed value –4 group elements and 3 field elements per multiplication gate –Addition gates for free

15 Communication: O(|C|) commitments Prover computation: O(|C|) exponentiations Verifier computation: O(|C|) exponentiations

16 How efficient can arguments be? Zero-knowledge proofs in general have linear or superlinear communication in witness size –Unless SAT-solving has sublinear complexity Zero-knowledge arguments can have sublinear communication –Kilian 1992 gave a sublinear zero-knowledge argument for NP-complete language Commit to a probabilistically checkable proof using a hash-tree Verifier makes queries to probabilistically checkable proof Answer queries from verifier by revealing paths in hash-tree

17 Knowledge of opening of commitment to 0

18 Σ-protocol for commitment to 0

19 Batch-proof for commitments containing 0 Communication: O(1) elements Prover: O(n) multiplications Verifier: O(n) exponentiations

20 Generalized Pedersen commitment

21

22 Cost for N-gate arithmetic circuit Standard argument –O(N) elements –O(N) verifier expos –O(N) prover expos –3 rounds Batch argument –O(  N) elements –O(N) verifier mults –O(N) prover expos –7 rounds

Download ppt "Efficient Zero-Knowledge Proof Systems Jens Groth University College London."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Short Non-interactive Zero-Knowledge Proofs

Short Non-interactive Zero-Knowledge Proofs
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.

Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.

Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.
Dana Moshkovitz. Back to NP L  NP iff members have short, efficiently checkable, certificates of membership. Is  satisfiable?  x 1 = truex 11 = true.

Dana Moshkovitz. Back to NP L  NP iff members have short, efficiently checkable, certificates of membership. Is  satisfiable?  x 1 = truex 11 = true.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

Similar presentations

Ads by Google