Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pairing-Based Non-interactive Proofs Jens Groth University College London Joint work with Rafail Ostrovsky and Amit Sahai Thanks also to Brent Waters TexPoint.

Similar presentations


Presentation on theme: "Pairing-Based Non-interactive Proofs Jens Groth University College London Joint work with Rafail Ostrovsky and Amit Sahai Thanks also to Brent Waters TexPoint."— Presentation transcript:

1 Pairing-Based Non-interactive Proofs Jens Groth University College London Joint work with Rafail Ostrovsky and Amit Sahai Thanks also to Brent Waters TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A A A A A A

2 Motivation AliceBob Why does Bob want to know my password, bank statement, etc.? Did Alice honestly follow the protocol? Show me all your inputs! No!

3 History Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985 First the paper was rejected a couple of times...then they won the Gödel award for it

4 Interactive proof Prover Verifier Statement OK, statement is true

5 Statements Mathematical theorem: 2+2=4 Identification: I am me! Verification: I followed the protocol Anything: X belongs to NP-language L

6 Interactive proof Prover Verifier Statement: x  L OK, x  L Witness w (x,w)  R L

7 Zero-knowledge and witness indistinguishability Prover Verifier Statement: x  L OK, x  L Witness w (x,w)  R L Zero-knowledge: Verifier learns statement is true, but nothing else Witness-indistinguishable: Verifier does not learn which witness Prover has in mind

8 Zero-knowledge proofs in multi-party computation Function: f Input: xInput: y Output: f(x,y) I don’t trust you! Did you follow the protocol? Yes, I followed the protocol, but my input is secret! ZK proof OK, she followed the protocol

9 History Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985 Many actions are non-interactive –Signature –Encryption –...

10 Non-interactive proofs Prover Verifier Statement: x  L OK, x  L Witness w (x,w)  R L Proof 

11 Non-interactive zero-knowledge (NIZK) proofs Completeness –Can prove a true statement Soundness –Cannot prove false statement Zero-knowledge –Proof reveals nothing (except truth of statement)

12 NIZK proofs only for trivial languages (BPP) Sketch of proof: Decision algorithm for x in L: Learn nothing from proof = can simulate proof If x  L: ZK and complete so verifier algorithm accepts If x  L: Sound so verifier algorithm rejects

13 History Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985 Many actions are non-interactive –Signature –Encryption –... Blum, Feldman and Micali introduced non- interactive zero-knowledge proofs in the common reference string model in 1986

14 Common reference string Key generation algorithm K –Uniformly at random –Specific distribution Trusted generation –Trusted party –Secure multi-party computation –Multi-string model where t-out-of-n are trusted 0110110101000101110100101

15 CRS: 01101010101010101 NIZK and NIWI proofs Prover Verifier Statement: x  L OK, x  L Witness w (x,w)  R L NIZK: Verifier learns statement is true, but nothing else NIWI: Verifier does not learn which witness Prover has in mind Proof

16 Defining NIZK proofs NP language L: x  L if is witness w so (x,w)  R L NIZK proof consists of three probabilistic polynomial time algorithms (K,P,V) K(1 k ): Generates common reference string σ P(σ,x,w): Generates a proof  V(σ,x,  ): Verifies the proof (outputs 1 or 0)

17 Completeness Perfect completeness: Pr[Accept] = 1 P(σ,x,w) →  V(σ,x,  ) → Accept/reject K(1 k ) Common reference string σ Statement x  L Witness w so (x,w)  R

18 Soundness Perfect soundness:  Adv: Pr[Reject] = 1 Computational soundness:  poly-time Adv: Pr[Reject]  1  V(σ,x,  ) → Accept/reject K(1 k ) Common reference string σ Statement x  L

19 Witness indistinguishability Perfect witness-indistinguish.:  Adv: Pr[Guess = b] = ½ Computational WI:  poly-time Adv: Pr[Guess = b]  ½ P(σ,x,w b ) →  K(1 k ) Common reference string σ Statement x  L Witnesses w 0,w 1 (x,w 0 ),(x,w 1 )  R L b  {0,1} Guess  {0,1}

20 Zero-knowledge Perfect ZK: Pr[Adv →1|Real ] = Pr[Adv→1|Simulation] Computational ZK:  poly-time Adv: Pr[Adv →1|Real ]  Pr[Adv→1|Simulation] P(σ,x,w) →  K(1 k ) → σ 0/1 (x,w)  R L S 2 (σ, ,x) →  S 1 (1 k ) → σ 0/1 (x,w)  R L

21 Trade-off Perfect soundness and perfect zero-knowledge only possible for trivial languages –Sketch of proof: Perfect ZK implies real common reference string and simulated common reference string has same probability distribution To decide whether x in L simulate common reference string, simulate proof, run verifier on simulated proof If x  L: By perfect ZK and completeness verifier accepts If x  L: By perfect soundness verifier rejects Choice: –Perfect soundness and computational zero-knowledge –Computational soundness and perfect zero-knowledge

22 The world in 2005 Much research in NIZK proofs –Blum-Feldman-Micali 88 –Damgård 92 –Feige-Lapidot-Shamir 99 –Kilian-Petrank 98 –De Santis-Di Crescenzo-Persiano 02 Inefficient Alternatives –Fiat-Shamir heuristic transforms interactive zero-knowledge proof into non-interactive scheme, however, there are examples of insecure Fiat-Shamir transformation –Designated verifier proofs such as Damgård, Fazio, Nicolosi 05, however, the verification is not public

23 Applications Public-key encryption Mix-nets for anonymous broadcast Internet voting Group signatures Ring signatures Identification Verifying outsourced computation...

24 Practice Circuit SATPractical statements Inefficient Efficient Kilian-Petrank 98 Groth-Ostrovsky- Sahai 06 Groth 06 Groth-Sahai 08 1 GB 1 KB Statement: Here is a ciphertext and a document. The ciphertext contains a digital signature on the document.

25 Known for all of NP? Computational zero-knowledge Perfect zero-knowledge (everlasting privacy) Interactive proof Non- interactive proof ? Yes [Goldreich- Micali- Wigderson 1986] Yes [Brassard- Crepeau 1986] Yes [Blum-Feldman- Micali 1988] Yes [G-Ostrovsky -Sahai 2006]

26 CRS-free proofs for all of NP? Zero- knowledge Witness- indistinguishability Interactive proofs Non-interactive proof ? 4 rounds2 rounds ImpossibleYes

27 Goals Efficient NIZK and NIWI proofs Perfect zero-knowledge –Computational soundness Eliminating the common reference string –NIWI proofs (non-interactive zaps) New techniques from pairing based cryptography

28 Groth-Ostrovsky-Sahai 06 NIZK proof for Circuit SAT Perfect completeness, perfect soundness, computational zero-knowledge Common reference string size: O(k) bits Proof size: O(|C|k) bits

29 Composite order bilinear group Gen(1 k ) generates (p,q,G,G T,e,g) G, G T finite cyclic groups of order n=pq G has generator g Pairing e: G  G → G T –e(g,g) generates G T –e(g a,g b ) = e(g,g) ab Deciding group membership, group operations, and bilinear pairing efficiently computable

30 Elliptic curves

31 Becoming familiar with the pairing Pairing e: G  G → G T –g generates G and has order n=pq –e(g,g) generates G T –e(g a,g b ) = e(g,g) ab implies e(u,v)=e(v,u) and e(u x,v)=e(u,v) x =e(u,v x ) Questions with answers: e(u x,v y )e(u z,w) = e(u,v xy w z ) e(u,v x )e(v y,u) = e(u,v x+y ) e(u -x,v)e(u,v) -1 e(u -1,v y ) z = e(u,v -1-x-yz ) If u q =1 then e(u,v) q =e(u q,v)=e(1,v)=e(g 0,v)=e(g,v) 0 =1 If e(g,v)=e(h,u) then h=g x and v=u x (if ord(h)=n)

32 Subgroup decision problem Given h  G decide whether h has order q or order n Subgroup decision assumption:  poly-time Adv: Pr[ (p,q,G,G T,e,g)←Gen(1 k ); h ← G * : Adv(n,G,G T,e,g,h)=1]  Pr[ (p,q,G,G T,e,g)←Gen(1 k ); h ← G q * : Adv(n,G,G T,e,g,h)=1]

33 BGN encryption [Boneh-Goh-Nissim 05] Public key:g, h  G h order q Secret key:p, qn=pq Encryption:c = g a h r r ← Z n Decryption:c q = (g a h r ) q = g qa h qr = (g q ) a IND-CPA secure: Without secret key, ciphertext does not reveal poly-time computable information about plaintext. Sketch of proof: By subgroup decision assumption public key looks the same as if h had order n. But if h had order n, ciphertext would have no information about the plaintext a.

34 BGN Commitment Public key:g, h  G h order q Commitment:g a h r r ← Z n Perfectly binding:Unique a mod p Computationally hiding: Indistinguishable from h order n Addition:(g a h r )(g b h s ) = g a+b h r+s Multiplication:e(g a h r,g b h s ) = e(g a,g b ) e(h r,g b ) e(g a,h s ) e(h r,h s ) = e(g,g) ab e(h,g as+rb h rs )

35 NIZK proof for Circuit SAT 1 w1w1 w4w4 w3w3 w2w2 Circuit SAT is NP complete NAND

36 NIZK proof for Circuit SAT g 1 c 1 := g w 1 h r 1 c 2 := g w 2 h r 2 c 4 := g w 4 h r 4 c 3 := g w 3 h r 3 Prove w 1  {0,1} Prove w 2  {0,1} Prove w 3  {0,1} Prove w 4  {0,1} Prove w 4 =  (w 1  w 2 ) Prove 1 =  (w 4  w 3 ) NAND

37 Proof for c containing 0 or 1 Write c = g w h r (unique w mod p since h has order q) e(c,g -1 c) = e(g w h r,g w-1 h r ) =e(g w,g w-1 )e(h r,g w-1 )e(g w,h r )e(h r,h r ) =e(g,g) w(w-1) e(h,(g 2w-1 h r ) r ) Proof  := (g 2w-1 h r ) r Verifier checks: e(c,g -1 c) = e(h,  ) →e(g,g) w(w-1) e(h,(g 2w-1 h r ) r ) = e(h,  ) →w = 0 or w = 1 (mod p)

38 Observation b 2 =  (b 0  b 1 ) if and only if b 0 + b 1 + 2b 2 - 2  {0,1} b0b0 b1b1 b2b2 b 0 +b 1 +2b 2 -2 000-2 0010 010 0111 100 1011 1100 1112

39 Proof for NAND-gate Given c 0, c 1, c 2 containing bits b 0, b 1, b 2 wish to prove b 2 =  (b 0  b 1 ) b 2 =  (b 0  b 1 ) if b 0 + b 1 + 2b 2 - 2  {0,1} c 0 c 1 c 2 2 g -2 = (g b 0 h r 0 )(g b 1 h r 1 )(g b 2 h r 2 ) 2 g -2 = g b 0 +b 1 +2b 2 -2 h r 0 +r 1 +2r 2 Prove c 0 c 1 c 2 2 g -2 contains 0 or 1

40 NIZK proof for Circuit SAT g 1 c 1 := g w 1 h r 1 c 2 := g w 2 h r 2 c 4 := g w 4 h r 4 c 3 := g w 3 h r 3 Prove w 1  {0,1} Prove w 2  {0,1} Prove w 3  {0,1} Prove w 4  {0,1} Prove w 4 =  (w 1  w 2 ) Prove 1 =  (w 4  w 3 ) NAND CRS = (n,G,G T,e,g,h) CRS size 3k Proof size (2|W|+|C|)k

41 Zero-Knowledge Subgroup decision assumption: It is hard to distinguish random h of order q from random h of order n Simulated common reference string h order n by choosing g = h   ← Z n * The simulation trapdoor is  Commitments are now perfectly hiding trapdoor commitments g 0 h r = g 1 h r- 

42 Simulation g 1 c 1 := g 1 h r 1 c 2 := g 1 h r 2 c 4 := g 1 h r 4 c 3 := g 1 h r 3 Simulate proofs for w 1  {0,1} w 2  {0,1} w 3  {0,1} w 4  {0,1} Simulate proofs for w 4 =  (w 1  w 2 ) 1 =  (w 4  w 3 ) NAND

43 Witness-indistinguishable 0/1-proof Write c = g 1 h r (possible since we committed this way) e(c,g -1 c) = e(g 1 h r,g 0 h r ) =e(h,(g 1 h r ) r ) Proof  := (g 1 h r ) r Verifier checks: e(c,g -1 c) = e(h,  ) Perfect witness-indistinguishable when h has order n since there is unique  satisfying equation, no matter whether c contains 0 or 1

44 Witness-indistinguishability Write c = g 0 h r+  (possible since we know trapdoor  ) e(c,g -1 c) = e(g 0 h r+ ,g -1 h r+  ) =e(h,(g -1 h r+  ) r+  ) Proof  := (g -1 h r+  ) r+  = (g -1 h  ) r+  (h r+  ) r = (g 1 h r ) r Verifier checks: e(c,g -1 c) = e(h,  ) Perfect witness-indistinguishable since both the witness (1,r) and the witness (0,r+  ) lead to exactly the same proof 

45 Witness-indistinguishable NAND-proof Given c 0, c 1, c 2 containing wish to simulate proof for b 2 =  (b 0  b 1 )(simulator committed to b 0 =b 1 =b 2 =1) b 2 =  (b 0  b 1 ) if b 0 + b 1 + 2b 2 - 2  {0,1} c 0 c 1 c 2 2 g -2 = (g 1 h r 0 )(g 1 h r 1 )(g 1 h r 2 ) 2 g -2 = g 2 h r 0 +r 1 +2r 2 = g 1 h  +r 0 +r 1 +2r 2 Proof for c 0 c 1 c 2 2 g -2 containing 0 or 1

46 Zero-knowledge Sketch of proof: Pr[Adv→1|Real proof]  Pr[Adv→1|Real proof on h with order n] = Pr[Adv→1|Hybrid proof where h has order n and commitments to 1 trapdoor opened to witness and then real proofs] = Pr[Adv→1|Hybrid proof where h has order n and commitments to 1 and trapdoor opening when making 0/1-proofs] = Pr[Adv→1|Simulated proof]

47 Composable zero-knowledge Real common reference string computationally indistinguishable from simulated common reference string Real proof on simulated common reference string perfectly indistinguishable from simulated proof on simulated common reference string

48 NIZK proof for Circuit SAT Commit to all wires w i as c i := g w i h r i For each i prove c i contains 0 or 1 For each NAND-gate prove c 0 c 1 c 2 2 g -2 contains 0 or 1 Total size: 2|W|+|C| group elements Perfect completeness, perfect soundness, composable zero-knowledge Also, perfect proof of knowledge c q = (g w h r ) q = (g wq )(h rq ) = (g q ) w (h q ) r = (g q ) w

49 Known for all of NP? Computational zero-knowledge Perfect zero-knowledge (everlasting privacy) Interactive proof Non- interactive proof ? Yes [Goldreich- Micali- Wigderson 1986] Yes [Brassard- Crepeau 1986] Yes [Blum-Feldman- Micali 1988] Yes (as we shall see now)

50 Perfect zero-knowledge Instead of h with order q, use h with order n Easy to verify that we have perfect completeness As argued earlier we have perfect zero-knowledge What about soundness?

51 ”Natural” computational soundness fails Natural way to prove soundness fails Start with h of order n and Adv that produces false statement and valid proof Switch to h of order q, which Adv cannot distinguish from order n. Here Adv cannot produce false statement and valid proof Problem: Consider the statement ”h has order q”

52 Adaptive co-soundness Computational co-soundness:  poly-time Adv: Pr[Reject] ≈ 1 C, w co Proof  K(1 k ) Common reference string w co witness for C unsatisfiable

53 Computational co-soundness Sketch of proof: Imagine poly-time Adv could break co-soundness. I.e., after seeing CRS = (n,G,G T,e,g,h) where h has order n, Adv produces valid (C,w co,  ). By subgroup decision assumption approximately same success probability for Adv producing valid (C,w co,  ) when h has order q. But w co guarantees C is unsatisfiable and when h has order q the perfect soundness guarantees C is satisfiable.

54 Co-soundness the ”right” definition Abe-Fehr 07 show that impossible to achieve ”natural” soundness definition with standard direct black-box methods In many scenarios a co-witness exists. –Consider for instance verifiable encryption, where the secret key can be a co-NP witness for false statement Computational co-soundness sufficient for constructing universally composable NIZK proofs

55 Perfect NIZK argument for Circuit SAT Common reference string with h of order n Commit to all wires w i as c i := g w i h r i For each i prove c i contains 0 or 1 For each NAND-gate prove c 0 c 1 c 2 2 g -2 contains 0 or 1 Total size: 2|W|+|C| group elements Perfect completeness, computational co- soundness, perfect zero-knowledge

56 Groth-Ostrovsky-Sahai 06 NIZK proof for Circuit SAT Perfect binding key: –Perfect completeness –Perfect soundness –Computational zero-knowledge Perfect hiding key: –Perfect completeness –Computational co-soundness –Perfect zero-knowledge  = (n,G,G T,e,g,h) where ord(h) = q  = (n,G,G T,e,g,h) where ord(h) = n ?

57 Non-interactive proofs in the plain model NIZK proofs rely on trusted setup of common reference string. What if no such setup exists? Well, NIZK proofs do not exist in the plain model. OK, how much privacy can we get in plain model? NIWI proofs do exist in the plain model!

58 CRS-free proofs for all of NP? Zero- knowledge Witness- indistinguishability Interactive proofs Non-interactive proofs ? 4 rounds2 rounds ImpossibleYes

59 Intuition Naive idea: Let the prover choose the CRS. Bad idea: The prover can just pick a simulation CRS. Better idea: Let the prover choose two related CRS’s –One CRS perfect sound, the other CRS perfect ZK –Verifiable that at least one is perfectly sound –Verifier cannot tell which one is sound

60 NIWI proof in plain model Statement: C Proof: (  0,  1,  0 )  K related (1 k )  0  P(  0,C,w)  1  P(  1,C,w) The proof is  = (  0,  1,  0,  1 ) Verification: Check (  0,  1 ) related so at least one is sound Check (  0,C,  0 ) is valid proof Check (  1,C,  1 ) is valid proof

61 Security NIWI proof in the plain model has perfect completeness, perfect soundness and computational witness-indistinguishability Perfect completeness: –Perfect completeness of NIZK proofs and perfectly complete related CRS generation. Perfect soundness: –Related CRS generation implies at least one NIZK proof has perfect soundness

62 Computational witness-indistinguishability  {C,w 0,w 1 } k  poly-time Adv: Pr[b  {0,1} ;   P(1 k,C,w b ) : Adv(C,w 0,w 1,  )=1]  ½ Equivalently Pr[(  0,  1,  0,  1 )  P(1 k,C,w 0 ): Adv(C,w 0,w 1,  )=1]  Pr[(  0,  1,  0,  1 )  P(1 k,C,w 1 ): Adv(C,w 0,w 1,  )=1]

63 Witness-indistinguishability Given circuit C and two witnesses w 0, w 1 Generate  0 perfect ZK and  1 perfect sound NIZK proof using w 0 on  0 NIZK proof using w 0 on  1 Simulate proof on  0 NIZK proof using w 0 on  1 NIZK proof using w 1 on  0 NIZK proof using w 0 on  1 Switch to  0 perfect sound and  1 perfect ZK NIZK proof using w 1 on  0 Simulate proof on  1 NIZK proof using w 1 on  0 NIZK proof using w 1 on  1 Switch back to  0 perfect ZK and  1 perfect sound Adversary knows C,w 0,w 1 and sees (  0,  1,  0,  1 )

64 Verifiability of common reference string All that is left is to construct related common reference strings such that guarantee that one is sound and we get NIWI proofs in the plain model! How? –Does h have order q? –Is n even a product of two primes? Use NIZK proof based on prime order groups.

65 Prime order bilinear group Gen(1 k ) generates (p,G,G T,e,g) G, G T finite cyclic groups of prime order p Generator g for G Pairing e: G  G → G T –e(g,g) generates G T –e(g a,g b ) = e(g,g) ab Deciding group membership, group operations, and bilinear pairing efficiently computable Publicly verifiable that is valid bilinear group

66 Decision Linear assumption The DLIN problem is to distinguish (f,h,g,f r,h s,g r+s ) from (f,h,g,f r,h s,R) The DLIN assumption for Gen:  poly-time Adv: Pr[(p,G,G T,e,g)  Gen(1 k ) ; f,h  G * ; r,s,t  Z p : Adv(p,G,G T,e,f,h,g,f r,h s,g r+s )=1]  Pr[(p,G,G T,e,g)  Gen(1 k ) ; f,h  G * ; r,s,t  Z p : Adv(p,G,G T,e,f,h,g,f r,h s,g t )=1]

67 Linear encryption [Boneh-Boyen-Shacham 04] Public key:f,h,gf,h,g  G * Secret key:x,yf=g x, h=g y Encryption:(u,v,w) = (f r,h s,g r+s m)r,s  Z p Decryption:m = wu -1/x v -1/y IND-CPA security: The ciphertext contains no poly-time computable information about plaintext Sketch of proof: Look at public key and ciphertext (f,h,g,f r,h s,g r+s m)  (f,h,g,f r,h s,g t m) = (f,h,g,f r,h s,R)

68 Commitments from Linear encryption Public key:(n,G,G T,e,f,h,g,u,v,w) Commitment:(u a f r,v a h s,w a g r+s )r,s  Z p Additively homomorphic: commit(a;r,s)  commit(b;R,S) =(u a f r,v a h s,w a g r+s )  (u b f R,v b h S,w b g R+S ) =(u a+b f r+R,v a+b h s+S,w a+b g r+R+s+S ) =commit(a+b;r+S,s+S)

69 Binding and hiding keys Perfectly binding key: (u,v,w) = (f R,h S,g R+S+T ) (u a f r,v a h r,w a g r+s ) = (f Ra+r,h Sa+s,g (R+S)a+(r+s) g Ta ) Perfectly hiding key: (u,v,w) = (f R,h S,g R+S ) (u 1 f r,v 1 h s,w 1 g r+s ) = (u 0 f r+R,v 0 h s+S,w 0 g r+R+s+S ) Hard to distinguish perfect binding keys from perfect hiding keys by the DLIN assumption

70 Related keys Relation:  0 = (u,v,w) and  1 = (u,v,wg) Either  0 = (f R,h S,g R+S ) and  1 = (f R,h S,g R+S+1 ) or  0 = (f R,h S,g R+S-1 ) and  1 = (f R,h S,g R+S ) or  0 = (f R,h S,g R+S+T ) and  1 = (f R,h S,g R+S+T+1 ) Verifiable that at least one perfectly binding key Hard to tell which of the keys is perfectly hiding

71 NIZK proof for Circuit SAT NIZK proof in common reference string model, which is perfectly complete, perfectly sound and composable zero-knowledge. Efficient: 9|w|+6|C| group elements Observe: Prime order group elements may be smaller than composite order group elements, so may be more efficient than composite order proof

72 NIZK proof for Circuit SAT (u 1,v 1,w 1) c 1  commit(w 1 ) c 2  commit(w 2 ) c 4  commit(w 4 ) c 3  commit(w 3 ) Prove w 1  {0,1} Prove w 2  {0,1} Prove w 3  {0,1} Prove w 4  {0,1} Prove w 4 =  (w 1  w 2 ) Prove 1 =  (w 4  w 3 ) NAND

73 Observation b 2 =  (b 0  b 1 ) if and only if b 0 + b 1 + 2b 2 - 2  {0,1} b0b0 b1b1 b2b2 b 0 +b 1 +2b 2 -2 000-2 0010 010 0111 100 1011 1100 1112

74 Proof for NAND-gate Given c 0, c 1, c 2 containing bits b 0, b 1, b 2 wish to prove b 2 =  (b 0  b 1 ) b 2 =  (b 0  b 1 ) if b 0 + b 1 + 2b 2 - 2  {0,1} Additively homomorphic commitments so c 0 c 1 c 2 2 commit(-2) = commit(b 0 +b 1 +2b 2 -2) Prove c 0 c 1 c 2 2 g -2 contains 0 or 1

75 Proof for 0-commitment Commitment to 0: (u 0 f r,v 0 h s,w 0 g r+s ) = (f r,h s,g r+s ) Proof for (c 1,c 2,c 3 ) = (f r,h s,g t ) satisfying t=r+s mod p (  1,  2 ) = (Z r, Z s )for known Z≠1 Verification: e(Z,c 1 )=e(f,  1 ) e(Z,c 2 )=e(h,  2 ) e(Z,c 3 )=e(g,  1  2 )

76 Proof for 0/1-commitment Commitment (c 1,c 2,c 3 ) of the form (u a f r,v a h r,w a g r+s ) with a  {0,1} Idea: –Show (c 1,c 2,c 3 ) or (u -1 c 1,v -1 c 2,w -1 c 3 ) contains 0 –Do this by showing a(a-1)=0 mod p Problem: We do not have a pairing G 3  G 3  ??? Solution: Build one!

77 Meta-pairing To avoid notational clutter define (A,B,C) = (c 1,c 2,c 3 ) and (X,Y,Z)=(u -1 c 1,v -1 c 2,w -1 c 3 ) Look at map E:G 3  G 3  G T 9 e(A,X)e(A,Y)e(A,Z) e(B,X)e(B,Y)e(B,Z) e(C,X)e(C,Y)e(C,Z)

78 Naive proof if a=0 Suppose (A,B,C)=(f r,h s,g r+s ) e(f,X r )e(f,Y r )e(f,Z r ) e(h,X s )e(h,Y s )e(h,Z s ) e(g,X r+s )e(g,Y r+s )e(g,Z r+s ) Give proof  = (X r,X s,Y r,Y s,Z r,Z s )

79 Naive proof if a=1 Suppose (X,Y,Z)=(f r,h s,g r+s ) e(f,A r )e(h,A s )e(g,A r+s ) e(f,B r )e(h,B s )e(g,B r+s ) e(f,C r )e(h,C s )e(g,C r+s ) Give proof  = (A r,A s,B r,B s,C r,C s )

80 Problem Easy to see whether proof verifies down the columns (a=0) or across the rows (a=1) so not witness-indistinguishable This was not a problem in the composite order case because the proof (a single group element) was symmetric. Ok, so let us try with a symmetric meta-pairing

81 Meta-pairing II Try the symmetric map E:G 3  G 3  G T 6 e(A,X)e(X,A)e(A,Y)e(X,B)e(A,Z)e(X,C) e(B,X)e(Y,A)e(B,Y)e(Y,B)e(B,Z)e(Y,C) e(C,X)e(Z,A)e(C,Y)e(Z,B)e(C,Z)e(Z,C)

82 Less naive proof if a=0 If (A,B,C)=(f r,h s,g r+s ) and (X,Y,Z)=(u -1 f r,v -1 h s,w -1 g r+s ) e(f,X r )e(X r,f)e(f,Y r )e(X s,h)e(f,Z)e(X r+s,g) e(h,X s )e(Y r,f)e(h,Y s )e(Y s,h)e(f,Z)e(Y r+s,g) e(g,X r+s )e(Z r,f)e(g,Y r+s )e(Z s,h)e(f,Z r+s )e(Z r+s,g) Give proof  = (X r,X s,Y r,Y s,Z r,Z s )

83 Less naive proof if a=1 If (A,B,C)=(u 1 f r,v 1 h s,w 1 g r+s ) and (X,Y,Z)=(f r,h s,g r+s ) e(A r,f)e(f,A r )e(A s,h)e(f,B r )e(A r+s,g)e(f,C r ) e(B r,f)e(h,A s )e(B s,h)e(h,B s )e(B r+s,g)e(h,C s ) e(C r,f)e(g,A r+s )e(C s,h)e(g,B r+s )e(C r+s,g)e(g,C r+s ) Give proof  = (A r,A s,B r,B s,C r,C s )

84 Verification Statement: (A,B,C) and (X,Y,Z)=(u -1 A,v -1 B,w -1 C) Proof:  = (  1,  2,  3,  4,  5,  6 ) Verification: Check that E((A,B,C),(X,Y,Z)) equals e(f,  1 )e(f,  1 ) e(h,  2 )e(f,  3 )e(g,  1  2 )e(f,  5 ) e(f,  3 )e(h,  2 )e(h,  4 )e(h,  4 )e(g,  3  4 )e(h,  6 ) e(f,  5 )e(g,  1  2 )e(h,  6 )e(g,  3  4 )e(g,  5  6 )e(g,  5  6 )

85 Witness-indistinguishable? Consider a perfectly hiding key with (u,v,w)=(f R,h S,g R+S ). We have two different witnesses because (A,B,C)=(f R+r,h S+s,g R+S+r+s ) and (X,Y,Z)=(f r,h s,g r+s ) The proofs are verified in the same way. Are they witness-indistinguishable?  = (X R+r,X S+s,Y R+r,Y S+s,Z R+r,Z S+s )  = (A r,A s,B r,B s,C r,C s ) Well,  1 = f r(R+r),  4 = h s(S+s),  5  6 = g (r+s)(R+S+r+s) But,  2 = f r(S+s) or  2 = f (R+r)s Which can be tested e(h,  2 )=e(B,X) or e(h,  2 )=e(A,Y)

86 Verification Statement: (A,B,C) and (X,Y,Z)=(u -1 A,v -1 B,w -1 C) Proof:  = (  1,  2,  3,  4,  5,  6 ) Verification: Check that E((A,B,C),(X,Y,Z)) equals e(f,  1 )e(f,  1 ) e(h,  2 )e(f,  3 )e(g,  1  2 )e(f,  5 ) -e(h,  4 )e(h,  4 )e(g,  3  4 )e(h,  6 ) --e(g,  5  6 )e(g,  5  6 )

87 Verification Statement: (A,B,C) and (X,Y,Z)=(u -1 A,v -1 B,w -1 C) Randomized proof:  = (  1,f t  2,h -t  3,  4,g -t  5,g t  6 ) Verification: Check that E((A,B,C),(X,Y,Z)) equals e(f,  1 )e(f,  1 ) e(h,f t  2 )e(f,h -t  3 )e(g,f t  1  2 )e(f,g -t  5 ) -e(h,  4 )e(h,  4 )e(g,h -t  3  4 )e(h,g t  6 ) --e(g,  5  6 )e(g,  5  6 )

88 Perfect witness-indistinguishability e(A,X)e(X,A) = e(f,  1 )e(f,  1 ) unique  1 e(B,Y)e(Y,B) = e(h,  4 )e(h,  4 ) unique  4 e(C,Z)e(Z,C) = e(g,  5  6 )e(g,  5  6 ) unique  5  6 e(B,Z)e(C,Y) = e(g,  3  4 )e(h,  6 ) e(A,Z)e(C,X) = e(g,  1  2 )e(f,  5 ) e(A,Y)e(B,X) = e(h,  2 )e(f,  3 ) Randomization chooses  6 at random by setting  6  g t  6 and then everything else is determined So either type of witness yields a uniformly random proof satisfying the above equations

89 Perfect soundness Write the commitments as (A,B,C) = (f a,h b,g c ) and (X,Y,Z) = (f x,h y,g z ) The verification equations imply (modulo p) a(x+y-z) + (x+y-z)a = d 1 +d 3 -d 5 b(x+y-z) + (x+y-z)b = d 2 +d 4 -d 6 c(x+y-z) + (x+y-z)c = d 1 +d 2 +d 3 +d 4 -d 5 -d 6 Giving us (a+b-c)(x+y-z) + (x+y-z)(a+b-c) = 0 Implying (a+b-c)(x+y-z)=0 so c=a+b or z=x+y

90 Choosing two common reference strings Generate bilinear group (p, G, G T, e, g) Choose x,y ← Z p *, R,S ← Z p and set f = g x, h = g y, u = f R, v = h S, w = g R+S Output two public keys (p, G, G T, e, f, h, g, u, v, w) (p, G, G T, e, f, h, g, u, v, wg) At least one must be perfectly binding, but by decisional linear assumption hard to tell which one

91 NIWI proof in plain model Statement: C Proof: (  0,  1 )  K related (1 k )  0  P(  0,C,w)  1  P(  1,C,w) The proof is  = (  0,  1,  0,  1 ) Verification: Check (  0,  1 ) related so at least one is sound Check (  0,C,  0 ) is valid proof Check (  1,C,  1 ) is valid proof Perfect completeness Perfect soundness Computational witness- indistinguishability

92 Groth-Ostrovsky-Sahai 06 NIZK proof for Circuit SAT Perfect binding key: –Perfect completeness –Perfect soundness –Computational zero-knowledge Perfect hiding key: –Perfect completeness –Computational co-soundness –Perfect zero-knowledge  = (n,G,G T,e,g,h) where ord(h) = q  = (n,G,G T,e,g,h) where ord(h) = n ?

93 Efficiency problems with non-interactive zero-knowledge proofs Non-interactive proofs for general NP-complete language such as Circuit SAT. Any practical statement such as ”the ciphertext c contains a signature on this message m” must go through a size-increasing NP-reduction.

94 A brief history of non-interactive zero- knowledge proofs continued Circuit SATPractical statements Inefficient Efficient Kilian-Petrank 98 Groth-Ostrovsky- Sahai 06 Groth 06 Groth-Sahai 08 Coming next

95 Our goal We want high efficiency. Practical non-interactive proofs! We want non-interactive proofs for statements arising in practice such as ”the ciphertext c contains a signature on m”. No NP-reduction!

96 Constructions in bilinear groups a,c  G, b,d  Z n t = b+yd (mod n) t G = x y a y c t t T = e(t G,ct G b )

97 Non-interactive cryptographic proofs for correctness of constructions t = b+yd (mod n) t G = x y a y c t t T = e(t G,ct G b ) Are the constructions correct? I do not know your secret x, y. Proof Yes, here is a proof.

98 Cryptographic constructions Constructions can be built from –public exponents and public group elements –secret exponents and secret group elements Using any of the bilinear group operations –Addition and multiplication of exponents –Multiplication of elements in G –Bilinear map e –Multiplication in G T Our goal: Non-interactive cryptographic proofs for correctness of a set of bilinear group constructions (soundness holds for the order p subgroups of G and Z n )

99 Examples of statements we can prove Here is a ciphertext c and a signature s. They have been constructed such that s is a signature on the secret plaintext. Here are three commitments A,B and C to secret exponents a,b and c. They have been constructed such that c=ab mod p.

100 Applications of efficient NIWI and NIZK proofs Constant size group signatures Boyen-Waters 07 (independently of our work) Groth 07 Sub-linear size ring signatures Chandran-Groth-Sahai 07 Non-interactive NIZK proof for correctness of shuffle Groth-Lu 07 Non-interactive anonymous credentials Belienky-Chase-Kohlweiss-Lysyanskaya 08 …

101 Variables Pairing product equations Multi-scalar multiplication equations in G Quadratic equations in Z n Quadratic equations in the bilinear group

102 Efficient NIWI and NIZK proofs for bilinear groups Statement S = (eq 1,...,eq N ) quadratic bilinear group equations Efficient NIWI proofs for satisfiability of all equations in S Efficient NIZK proofs for satisfiability of all equations in S if all t T =1 Common reference string 3k bits Each variable and each equation costs k bits Each equation constant cost independent of number of public constants and secret variables. NIWI and NIZK proofs can have sub-linear size compared with statement!

103 Commitment to group elements Common reference string: (n,G,G T,e,g,h) –Real common reference string: h order q –Simulation common reference string: g = h  with  Z n * Commitment to x i  G: c i = x i h r i r i ← Z n * Commitment to y j  Z n *: d j = g y j h s j s j ← Z n * Real CRS: Perfect binding in order p subgroups Simulation CRS: Perfect hiding commitments –Perfect trapdoor for exponents: g 0 h s = g y h s-y 

104 Homomorphic properties Commitments are homomorphic –c i c j = (x i h r i ) (x j h r j ) = x i x j h r i +r i –d i d j = (g y i h s i ) (g y j h s j ) = g y i +y j h s i +s j Pairing commitments –e(c i,c j ) = e(x i h r i,x j h r j ) = e(x i,x j ) e(h,x i r j x j r i h r i r j ) –e(c i,d j ) = e(x i h r i,g y j h s j ) = e(x i y j,g) e(h,x i s j g y j r i h r i s j ) –e(d i,d j ) = e(g y i h s i,g y j h s j ) = e(g,g) y i y j e(h,g y j s i +y i s j h r i s j )

105 Quadratic equation in Z n

106 NIWI proof: Verifying the NIWI proof: Perfect completeness Perfect soundness modulo p when h has order q Perfect witness-indistinguishability when h has order n Quadratic equation in Z n

107 Multi-exponentiation equation

108 NIWI proof: Verifying the NIWI proof: Perfect completeness Perfect soundness in order p subgroup when h has order q Perfect witness-indistinguishability when h has order n Multiexponentiation equation

109 Pairing product equation

110 NIWI proof: Verifying the NIWI proof: Perfect completeness Perfect soundness in order p subgroup when h has order q Perfect witness-indistinguishability when h has order n Pairing product equation

111 Full NIWI proof for a set of equations Commit to each variable in G Commit to each variable in Z n Make NIWI proof for each quadratic equation Make NIWI proof for each multi-expo. equation Make NIWI proof for each pairing product equation Commitments and proofs each cost 1 group element

112 Properties of the NIWI proof Two types of common reference string –Real CRS: h has order q –Simulation CRS: h has order n –Real and simulation strings computationally indistinguishable Perfect completeness on both types of strings Perfect soundness in order p subgroups on real CRS –Commitments perfectly binding and equation proofs perfectly sound Perfect witness-indistinguishability on simulation CRS –Commitments perfectly hiding so can contain any valid witness –The equation proofs are perfectly witness-indistinguishable, so do not reveal anything about which witness is inside commitments

113 NIZK proofs Is our NIWI proof zero-knowledge? Problem: The simulator may not know a witness Answer: If all pairing product equations have t T =1, then the proof is perfect zero-knowledge on a simulation CRS where h has order n

114 Simulation common reference string The simulated CRS is set up so g = h  The simulation trapdoor is  We can now make perfectly hiding trapdoor commitments c = g y h s = g 0 h s+y  A particular case is g = g 1 h 0 = g 0 h 

115 Quadratic equations in Z n We verify Interpret g as a commitment to 1 The verification now corresponds to the equation On a real CRS, h has order q, so commitments are perfectly binding and we have soundness modulo p On a simulation CRS, we can commit to 0 for all exponents and trapdoor-open the commitment g to 0. This gives a satisfying witness for the equation, so we can simulate the proof.

116 Multi-exponentiation equations We verify Interpret g as a commitment to 1 The verification now corresponds to the equation On a real CRS, h has order q, so commitments are perfectly binding in the order p subgroup and we have soundness in the order p subgroup On a simulation CRS, we commit to x i =1 and y_i=0 and trapdoor open the commitment g to 0. This gives us a satisfying witness so we can simulate the proof.

117 Pairing product equations We restrict to pairing product equations with t T =1 This means (x 1 =1,...,x m =1) is a satisfying witness

118 Perfect zero-knowledge For all three types of equations, we use witness x i =1 and y j =0, so the three types of simulation fit together The perfect witness-indistinguishability of the NIWI proof implies perfect zero-knowledge; the real witness cannot be distinguished from the witness we get when trapdoor opening g to 0

119 Generalizing to other bilinear groups G 1, G 2, G T finite cyclic groups of order n g 1 generates G 1, g 2 generates G 2 e: G 1  G 2 → G T –e(g 1,g 2 ) generates G T –e(g 1 a,g 2 b ) = e(g 1,g 2 ) ab Deciding membership, group operations, bilinear map efficiently computable Prime order or composite order G 1 = G 2 or G 1 ≠ G 2 Many possible assumptions: Subgroup Decision, Symmetric External Diffie-Hellman, Decison Linear,...

120 Size of NIWI and NIZK proofs Cost of each variable/equation Subgroup Decision Symmetric External DH Decision Linear Variable in G 1, G 2 or Z n 123 Pairing product (NIZK all t T = 1) 189 Multiscalar mult.169 Quadratic in Z n 146 Each equation constant cost. Cost independent of number of public constants and secret variables. NIWI proofs can have sub-linear size compared statement!

121 Bilinear groups as bilinear modules View bilinear groups as special cases of modules with a bilinear map Commutative ring R R-modules A 1, A 2, A T Bilinear map f: A 1  A 2 → A T Map to another set of R-modules B 1, B 2, B T Bilinear map F: B 1  B 2 → B T

122 Bilinear groups as bilinear modules Make commitments to x i  A 1, y i  A 2 in B 1, B 2, B T Homomorphic properties carry over to B 1, B 2, B T

123 Example: Multi-exponentiation equations

124 Generality continued All four types of bilinear group equations can be seen as example of quadratic equations over modules with bilinear map The assumptions Subgroup Decision, Symmetric External Diffie-Hellman, Decision Linear, etc., can be interpreted as assumptions in modules with bilinear map as well

125 Summary Practical: –Efficient NIWI and NIZK proofs for practical statements arising in pairing-based cryptography Theoretical: –Perfect zero-knowledge –Witness-indistinguishability in the plain model Upcoming: –Quasi-linear size NIZK proofs without pairings –NIZK arguments with smaller size than circuit

126 Context Trapdoor permutations: |C| polylog |C| k + poly(k) Naccache-Stern: |C| polylog |C| + poly(k) Bilinear groups:|C| k Fully homomorphic crypto:|w| poly(k) Bilinear groups + KEA:|C| 2/3 k Random oracle model:polylog |C| k

127 Open problems Even more efficient NIZK proofs Efficient post-quantum NIZK proofs NIZK proofs from one-way functions Non-interactive witness-hiding proofs in plain model Construct cryptographically useful modules with bilinear map that are not based on bilinear groups Continuous NIZK arguments

128 References Chapman et al.: Life of Brian. BBC 1979. Groth, Sahai: Efficient Non-interactive Proofs for Bilinear Groups. EUROCRYPT 2008. Groth, Sahai, Ostrovsky: New Techniques for Non- interactive Zero-Knowledge. EWSCS 2010. Lipmaa: Collected works. Springer 1998 - Rhinehart: The Dice Man. HarperCollins 1971. Tolkien: Lord of the Rings. Allen and Unwin 1954-1955. Zhang: Fuzzy Private Matching and Privacy Preserving Information Retrieval. UCL MSc thesis 2008.

129 Thanks ? Any (more) questions?


Download ppt "Pairing-Based Non-interactive Proofs Jens Groth University College London Joint work with Rafail Ostrovsky and Amit Sahai Thanks also to Brent Waters TexPoint."

Similar presentations


Ads by Google