1
Non-interactive Zaps and New Techniques for NIZK
Jens Groth, Rafail Ostrovsky, Amit Sahai
University of California Los Angeles
2
Witness-indistinguishability Burglar Potential witnesses
3
Witness-indistinguishability Witness
4
Witness-indistinguishability One of the witnesses, but which one?
5
Non-interactive zaps for Circuit SAT
Poly-time algorithms P (prover) and V (verifier)
No common reference string
Perfect completeness: $(C, w)$ so $C(w)=1$: $\pi \leftarrow P(1^k, C, w) : V(1^k, C, \pi)=1$
Perfect soundness: $(C, \pi)$ with $C$ unsatisfiable: $V(1^k, C, \pi)=0$
Computational witness-indistinguishability: $(C, w_0, w_1)$ so $C(w_0)=1$ and $C(w_1)=1$: $P(1^k, C, w_0) \approx P(1^k, C, w_1)$
6
Comparison
Dwork and Naor, FOCS 2000: 2-round zaps from trapdoor permutations
Barak, Ong and Vadhan, Crypto 2003: Non-interactive zaps by derandomizing Dwork-Naor zaps (non-polynomial assumption)
This talk: Non-interactive zaps based on decisional linear assumption. Proof size $O(|C|k)$ bits
7
Bilinear groups
$G, G_T$ cyclic groups of prime order $p$
$g$ generator for $G$
Bilinear map $e: G \times G \to G_T$
$e(g^a, g^b) = e(g, g)^{ab}$
$e(g, g)$ generator for $G_T$
Decisional linear problem [Boneh et al. 04]: given $f, h, g, u = f^R, v = h^S, w = g^T$, is $T = R+S$ or $T$ random?
8
Commitment scheme
Public key: $f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^T$
$pk = (p, G, G_T, e, g, f, h, u, v, w)$
Commitment to $m \in Z_p$: $c = (u^m f^r, v^m h^s, w^m g^{r+s})$
Perfect hiding trapdoor if $T = R+S$: $c = (f^{mR+r}, h^{mS+s}, g^{m(R+S)+r+s})$
9
Commitment scheme
Commitment to $m \in Z_p$: $c = (u^m f^r, v^m h^s, w^m g^{r+s}) = (c_1, c_2, c_3)$
Perfect binding if $T \neq R+S$, because $c_3 c_1^{-1/x} c_2^{-1/y} = (w u^{-1/x} v^{-1/y})^m = g^{(T-(R+S))m}$ uniquely defines $m$
10
Commitment scheme
Commitment to $m \in Z_p$: $c = (u^m f^r, v^m h^s, w^m g^{r+s})$
Homomorphic: $(u^m f^r, v^m h^s, w^m g^{r+s}) \cdot (u^M f^R, v^M h^S, w^M g^{R+S}) = (u^{m+M} f^{r+R}, v^{m+M} h^{s+S}, w^{m+M} g^{r+R+s+S})$
Witness indistinguishable proof of commitment to message 0 or 1
- Perfect sound on perfect binding key
- Perfect WI on perfect trapdoor key
11
Commitment scheme
Homomorphic
Two types of indistinguishable public keys:
- Perfect trapdoor
- Perfect binding
Witness indistinguishable proof that commitment contains 0 or 1
- Perfect soundness on perfect binding key
- Perfect WI on perfect trapdoor key
12
NIZK proof for Circuit SAT
Circuit SAT is NP complete
[Figure: NAND-gate circuit with wires w1, w2, w3, w4 and output 1]
13
NIZK proof for Circuit SAT
Commitments: $\mathrm{com}(1)$, $c_1 = \mathrm{com}(w_1)$, $c_2 = \mathrm{com}(w_2)$, $c_3 = \mathrm{com}(w_3)$, $c_4 = \mathrm{com}(w_4)$
WI proof $c_1$ commit to 0 or 1
WI proof $c_2$ commit to 0 or 1
WI proof $c_3$ commit to 0 or 1
WI proof $c_4$ commit to 0 or 1
WI proof (NAND) $w_4 = \neg(w_1 \wedge w_2)$
WI proof (NAND) $1 = \neg(w_4 \wedge w_3)$
14
WI proof for NAND-gate
Given $c_0, c_1, c_2$ commitments containing bits $b_0, b_1, b_2$, wish to prove $b_2 = \neg(b_0 \wedge b_1)$
$b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0,1\}$
WI proof that $c_0 c_1 c_2^2 \,\mathrm{com}(-2)$ is a commitment to 0 or 1
15
NIZK proof for Circuit SAT
Commit to all wires $w_i$ as $c_i = \mathrm{com}(w_i)$
For each $i$ make WI proof that $c_i$ contains 0 or 1
For each NAND-gate make WI proof that $c_0 c_1 c_2^2 \,\mathrm{com}(-2)$ contains 0 or 1
Perfect completeness
Perfect binding key: perfect soundness
Perfect trapdoor key: perfect zero-knowledge
16
Perfect NIZK on perfect trapdoor key
Simulation:
- Make trapdoor commitments
- Trapdoor-open relevant commitments to 0 and WI prove
Proof that simulation works on $C$ with $w$ so $C(w)=1$:
- Can trapdoor-open commitments to $w_i$'s and WI prove
- By perfect witness-indistinguishability of the WI proofs indistinguishable from simulation
- Can from the start make commitments to $w_i$'s
- By perfect hiding of the commitments indistinguishable from previous method
- Corresponds to real proof on trapdoor key
17
Non-interactive zaps
Naïve idea: Prover chooses public key and makes NIZK proof
Problem: Can choose trapdoor key and prove anything
Better idea: Prover chooses two public keys and makes an NIZK proof with each of them
Makes choice so:
- One is trapdoor, one is perfect binding
- Verifiable that at least one key is perfect binding
- Verifier cannot tell which key is trapdoor
18
Choosing two keys
Generate group $(p, G, G_T, e, g)$
E.g., elliptic curve $E: y^2 = x^3 + 1 \bmod q$, where $q$ is the smallest suitable prime such that $E$ has an order $p$ subgroup. Easy to verify $p$ is prime, $p$ defines $(G, G_T, e)$, easy to verify that $g$ is an order $p$ point on the curve.
Choose $x, y \leftarrow Z_p^*$, $R, S \leftarrow Z_p$ and set $f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^{R+S}$
Output two public keys:
$(p, G, G_T, e, g, f, h, u, v, w)$
$(p, G, G_T, e, g, f, h, u, v, wg)$
At least one must be perfectly binding, but by the decisional linear assumption it is hard to tell which one
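The commitment scheme of slides 8 to 10, the NAND-gate relation of slide 14 and the w versus wg key pair of slide 18, as an added example that is not part of the original slides. It assumes a constructed toy group (the order-1019 subgroup of Z_2039^*, no pairing, insecure sizes), and the function names are hypothetical.

```python
import secrets

# Constructed toy group (insecure sizes): order-P subgroup of Z_Q^*, Q = 2P + 1.
P, Q, G = 1019, 2039, 4

def keygen(binding):
    """Return (pk, sk). T = R+S gives a trapdoor key; T = R+S+1 (w*g) a binding key."""
    x, y = 1 + secrets.randbelow(P - 1), 1 + secrets.randbelow(P - 1)
    R, S = secrets.randbelow(P), secrets.randbelow(P)
    T = (R + S + (1 if binding else 0)) % P
    f, h = pow(G, x, Q), pow(G, y, Q)
    return (f, h, pow(f, R, Q), pow(h, S, Q), pow(G, T, Q)), (x, y, R, S, T)

def commit(pk, m, r, s):
    """c = (u^m f^r, v^m h^s, w^m g^(r+s)), exponents reduced mod P."""
    f, h, u, v, w = pk
    m, r, s = m % P, r % P, s % P
    return (pow(u, m, Q) * pow(f, r, Q) % Q,
            pow(v, m, Q) * pow(h, s, Q) % Q,
            pow(w, m, Q) * pow(G, r + s, Q) % Q)

def mul(c, d):
    """Componentwise product: commits to the sum of the two messages."""
    return tuple(a * b % Q for a, b in zip(c, d))

def extract(sk, c):
    """Binding key only: c3 * c1^(-1/x) * c2^(-1/y) = g^((T-(R+S))m) fixes m."""
    x, y, R, S, T = sk
    z = c[2] * pow(c[0], -pow(x, -1, P) % P, Q) * pow(c[1], -pow(y, -1, P) % P, Q) % Q
    base = pow(G, (T - R - S) % P, Q)
    return next(m for m in range(P) if pow(base, m, Q) == z)  # brute force, toy size

def equivocate(sk, m, r, s, m_new):
    """Trapdoor key only: randomness that opens commit(m, r, s) as m_new."""
    _, _, R, S, _ = sk
    return (r + (m - m_new) * R) % P, (s + (m - m_new) * S) % P

def nand_gate_value(pk, sk, b0, b1, b2):
    """Message inside c0 * c1 * c2^2 * com(-2), i.e. b0 + b1 + 2*b2 - 2 mod P."""
    rnd = lambda: secrets.randbelow(P)
    c0, c1, c2 = (commit(pk, b, rnd(), rnd()) for b in (b0, b1, b2))
    combo = mul(mul(c0, c1), mul(mul(c2, c2), commit(pk, -2, 0, 0)))
    return extract(sk, combo)
```

On a binding key the gate value lands in {0, 1} exactly when b2 is the NAND of b0 and b1; on a trapdoor key the same commitment opens to any message, which is why a verifier must be sure at least one of the two keys is binding.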
19
Witness-indistinguishability
Circuit $C$ and two witnesses $w_0, w_1$
Generate $pk_0$ perfect trapdoor and $pk_1$ perfect binding
1. NIZK proof using $w_0$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
2. Simulate proof on trapdoor $pk_0$; NIZK proof using $w_0$ on $pk_1$
3. NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
Switch to $pk_0$ perfect binding and $pk_1$ perfect trapdoor
4. NIZK proof using $w_1$ on $pk_0$; simulate proof on trapdoor $pk_1$
5. NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_1$ on $pk_1$
Switch back to $pk_0$ perfect trapdoor and $pk_1$ perfect binding
20
WI proof for message 0 or 1
$(c_1, c_2, c_3) = (u^m f^r, v^m h^s, w^m g^{r+s})$
$(c_1, c_2, c_3)$ is commitment to 0 or 1 if and only if $(c_1, c_2, c_3)$ or $(c_1/u, c_2/v, c_3/w)$ contain 0
$(c_1, c_2, c_3)$ contains 0 if and only if $(c_1, c_2, c_3^{-1}) = (f^r, h^s, g^{-(r+s)})$
Similarly for $(c_1/u, c_2/v, c_3/w)$
We'll present a general proof that given $(A = f^a, B = h^b, C = g^c)$ and $(X = f^x, Y = h^y, Z = g^z)$ then $(a+b+c)(x+y+z) = 0$
21
WI proof for message 0 or 1
Examine matrix:
$$\begin{pmatrix} e(A, X) & e(A, Y) & e(A, Z) \\ e(B, X) & e(B, Y) & e(B, Z) \\ e(C, X) & e(C, Y) & e(C, Z) \end{pmatrix}$$
Note that verifier can generate this matrix
22
WI proof for message 0 or 1
Suppose prover knows $(a, b, c)$:
$$\begin{pmatrix} e(f, X^a) & e(f, Y^a) & e(f, Z^a) \\ e(h, X^b) & e(h, Y^b) & e(h, Z^b) \\ e(g, X^c) & e(g, Y^c) & e(g, Z^c) \end{pmatrix}$$
The right-hand entries convince the verifier that $a+b+c = 0$ (each column multiplies to 1)
Similarly, if prover knows $(x, y, z)$ can reveal left-hand entries and rows multiply to 1
Bad: Tells verifier which witness used
23
WI proof for message 0 or 1
Blind across diagonal:
$$\begin{pmatrix} e(f, X^a) & e(f, h^t Y^a) & e(f, g^{-t} Z^a) \\ e(h, f^{-t} X^b) & e(h, Y^b) & e(h, g^t Z^b) \\ e(g, f^t X^c) & e(g, h^{-t} Y^c) & e(g, Z^c) \end{pmatrix}$$
If both $a+b+c = 0$ and $x+y+z = 0$ then matrix is distributed identical to its transpose
It hides perfectly whether we are looking at rows or columns
24
Summary
Homomorphic commitments with indistinguishable trapdoor/binding keys and WI proofs for message 0 or 1
NIZK proofs from such commitments
Simple and efficient $O(|C|k)$ bit-size non-interactive zaps
- Perfect completeness
- Perfect soundness
- Computational WI