Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Published byScot Glenn Modified over 9 years ago

Similar presentations

Presentation on theme: "Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014."— Presentation transcript:

1 Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014

2 Round complexity Interactive zero-knowledge proof Non-interactive zero-knowledge proof  Useful for non- interactive tasks Signatures Encryption … 2

3 Non-interactive proofs Prover Verifier Statement: x  L OK, x  L Witness w (x,w)  R L Proof  L language in NP defined by R L 3

4 Non-interactive zero-knowledge (NIZK) proofs Completeness –Can prove a true statement Soundness –Cannot prove false statement Zero-knowledge –Proof reveals nothing (except truth of statement) 4

5 Zero-knowledge = Simulation Prover Verifier Statement: x  L Witness w (x,w)  R L  5 Problem If proofs can be simulated, then anybody can create convincing proofs!

6 Non-interactive zero-knowledge proof [BFM88] ProverVerifier Statement: x  L Proof:  (x,w)  R L Common reference string 0100…11010 6

7 Common reference string (CRS) Can be uniform random or specific distribution –Key generation algorithm K for generating CRS Trusted generation –Trusted party –Secure multi-party computation –Multi-string model with majority of strings honest [GO07] 0110110101000101110100101 7

8 Zero-knowledge simulation ProverVerifier Statement: x  L (x,w)  R L Common reference string 0100…11010  K  S   Simulation trapdoor S( ,x)   8

9 Publicly verifiable NIZK proofs NP language L –Statement x  L if there is witness w so that (x,w)  R L An NIZK proof system for R L consists of three probabilistic polynomial time algorithms (K,P,V) –K(1 k ): Generates common reference string σ –P(σ,x,w): Generates a proof  –V(σ,x,  ): Outputs 1 (accept) or 0 (reject) 9

10 Public vs. private verification Publicly verifiable –K generates CRS  –V checks proof given input ( ,x,  ) Privately verifiable –K generates CRS  and private verification key  –V checks proof given input ( ,x,  ) Designated verifier with  can check proof Anybody can check the proof 10

11 Public vs. private verifiability Public verifiability Sometimes required –Signatures –Universally verifiable voting Reusability –Proof can be copied and sent to somebody else –Prover only needs to run once to create proof  that convinces everybody Hard to construct Private verifiability Sometimes suffices –CCA-secure public-key encryption, e.g., Cramer- Shoup encryption Cannot be transferred –For designated verifier only Easier to construct 11

12 Completeness Perfect completeness: Pr[Accept] = 1 P(σ,x,w) →  V(σ,x,  ) → Accept/reject K(1 k ) Common reference string σ Statement x  L Witness w so (x,w)  R 12

13 Soundness Perfect soundness:  Adv: Pr[Reject] = 1 Statistical soundness:  Adv: Pr[Reject]  1 Computational soundness:  poly-time Adv: Pr[Reject]  1  V(σ,x,  ) → Accept/reject K(1 k ) Common reference string σ Statement x  L Adaptive soundness: The adversary first sees CRS and then cheats 13

14 Zero-knowledge Perfect ZK: Pr[Adv →1|Real ] = Pr[Adv→1|Simulation] Computational ZK:  poly-time Adv: Pr[Adv →1|Real ]  Pr[Adv→1|Simulation] P(σ,x,w) →  K(1 k ) → σ 0/1 (x,w)  R L S 2 (σ, ,x) →    S 1 (1 k ) → σ 0/1 (x,w)  R L

15 Fiat-Shamir heuristic [FS86] Take an interactive ZK argument where verifier’s messages are random bits (public coin argument) Let the CRS describe a hash-function H Replace the verifier’s messages with hash-values from the current transcript NIZK argument  = (a,z) H(x,a) a a z z 15

16 Fiat-Shamir heuristic Efficient NIZK arguments that work well in practice Hopefully they are secure –Can argue heuristically that they are computationally sound in the random oracle model [BR93], where we pretend H is a truly random function –But in real life H is a deterministic function and there are instantiations of the Fiat-Shamir heuristic [GK03] that yields insecure real-life schemes 16

17 Encrypted random bits Statement x  L CRS (x,w)  R L 01...0 11…1 00…1 10…0 K(1 k )  (pk,sk) c 1 c 2 c 3 c 4 E pk (0;r 1 ) E pk (1;r 2 ) E pk (0;r 3 ) E pk (1;r 4 ) c 1 1 ; r 2 c 3 0 ; r 4 17 pk

18 1 1 0 00 0 1 1 Statistical sampling Random bits not useful Use statistical sampling to get hidden bits with structure Give proof by revealing certain structures related to different parts of statement Probably remaining pairs of encrypted bits are 00 and 11 CRS 18

19 NIZK proofs Circuit SATPractical statements Inefficient Efficient Statistical sampling techniques Groth-Ostrovsky- Sahai 2012 (2006) Groth 2006 Groth-Sahai 2012 (2008) 1 GB 1 KB Statement: Here is a ciphertext and a document. The ciphertext contains a digital signature on the document. 19

20 Boneh-Goh-Nissim encryption Pairing-based cryptography –Algebraic geometry and elliptic curves Double-homomorphic public key encryption Additively homomorphic Multiplicatively homomorphic (one-time only) 20 a b  a+b a b  a∙ba∙b

21 Circuit SAT is NP complete NAND Circuit SAT 21

22 NAND NIZK proof for circuit SAT 22

23 23 w w-1  w ∙ (w-1) w  w-1 r 0  w ∙ (w-1) r

24 NAND NIZK proof for circuit SAT 24 Proof size 2|W|+|C| ciphertexts

25 NIZK proofs for Circuit SAT Security level: 2 -k Trapdoor perm size: k T = poly(k) Group element size: k G ≈ k 3 Circuit size: |C| = poly(k) Witness size: |w|  |C| CRS in bitsProof in bitsAssumption G-Ostrovsky-Sahai 12O(k G )O(|C|∙k G )Pairing-based Groth 10|C|∙k T ∙polylog(k) Trapdoor perms Groth 10|C|∙polylog(k) Naccache-Stern Gentry et al. 14poly(k)|w|+poly(k)FHE + NIZK 25

26 Sublinear non-interactive zero-knowledge Commitments instead of encryption Parallel additive homomorphism Parallel multiplication proofs –Complicated… Split circuit into many parts and prove in parallel 26 

27 NIZK Arguments for Circuit SAT Bitansky, Canetti, Chiesa and Tromer 2013 –Techniques to make both CRS size and argument size independent of circuit size 27 Reference string in group elements Argument in group elements Groth 2010O(|C| 2 )O(1) Lipmaa 2012O(|C| 1+o(1) )O(1) Gennaro, Gentry, Parno, Raykova 2013O(|C| log 2 |C|)O(1)

28 Verifiable computation Client is weak –Want small argument size and low cost of verification Prover is powerful –Accept higher computation for prover, but must still be low enough for outsourcing to be economically viable 28 Computation Result

29 Proof carrying data 29

30 Pinnochio [PHGR13] Argument size –288 bytes Verifier time –12ms (depends on statement) 30 Program in C (reduced instruction set) Circuit Quadratic arithmetic program Proof system

31 Thank you Questions? 31

Download ppt "Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Short Non-interactive Zero-Knowledge Proofs

Short Non-interactive Zero-Knowledge Proofs
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.

Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.

Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Similar presentations

Ads by Google