Presentation is loading. Please wait.

Presentation is loading. Please wait.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Published bySamantha Newton Modified over 10 years ago

Similar presentations

Presentation on theme: "Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual."— Presentation transcript:

1 Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AAAAA A A A A A A

2 Motivation VoterOfficial We can only accept correctly formatted votes Attaching encrypted vote to this e-mail

3 Non-interactive zero-knowledge proof VoterOfficial Ok, we will count your vote Attaching encrypted vote to this e-mail + NIZK argument that correctly formatted Soundness: Vote is correct Zero-knowledge: Vote remains secret

4 Non-interactive zero-knowledge argument ProverVerifier Soundness: Statement is true Zero-knowledge: Nothing but truth revealed Common reference string Proof: (x,w) R L Statement: x L

5 Applications of NIZK arguments Ring signatures Group signatures Anonymous credentials Verifiable encryption Voting...

6 Our contribution Common reference string with special distribution Statement: C is satisfiable circuit Very efficient verifier Sub-linear (constant) size NIZK argument Not Fiat-Shamir heuristic (no random oracle) Perfect completeness Computational soundness Perfect zero-knowledge Adaptive soundness: Adversary sees CRS before attempting to cheat with false (C, )

7 Pairings G, G T groups of prime order p Bilinear map e: G G G T –e(a x,b y ) = e(a,b) xy –e(g,g) generates G T if g is non-trivial Group operations, deciding group membership, computing bilinear map are efficiently computable

8 Assumptions Power knowledge of exponent assumption (q-PKE): Given (g,g x,…,g x q,g,g x,…,g x q ) hard to compute (c,c ) without knowing a 0,…,a q such that c = g a 0 g a 1 x …g a q x q Computational power Diffie-Hellman (q-CPDH): For all j hard to compute g x j given (g,g x,…,g x q,g,g x,…,g x j-1,g x j+1,…,g x q ) Both assumptions hold in generic group model

9 Comparison CRSSizeProver comp.Verifier comp. Kilian-Petrank (Nk) group (Nk) expo (Nk) mult Trapdoor permutationsStat. SoundComp. ZK GOSO(1) groupO(N) groupO(N) expoO(N) pairing Subgroup decisionPerfect soundComp. ZK Abe-FehrO(1) groupO(N) groupO(N) expoO(N) pairing Dlog & knowledge of expo.Comp. soundPerfect ZK This workO(N 2 ) groupO(1) groupO(N 2 ) multO(N) mult q-PKE and q-CPDHComp. soundPerfect ZK This workO(N 2/3 ) group O(N 4/3 ) multO(N) mult q-PKE and q-CPDHComp. soundPerfect ZK Interactive +O(N) group O(N) mult Fiat-ShamirDlog and random oracleComp. soundPerfect ZK

10 Knowledge commitments Commitment key: ck=(g,g x,…,g x q,g,g x,…,g x q ) Commitment to (a 1,…,a q ) using randomness r Z p c = (g) r (g x ) a 1 …(g x q ) a q ĉ = (g ) r (g x ) a 1 …(g x q ) a q Verifying commitment: e(c,g ) = e(ĉ,g) Knowledge: q-PKE assumption says impossible to create valid (c,ĉ) without knowing r,a 1,…,a q

11 Homomorphic property c = (g) r (g x ) a 1 …(g x q ) a q log(c) = r+a 1 x+…+a q x q Homomorphic commit(a 1,…,a q ;r) commit(b 1,…,b q ;s) = commit(a 1 +b 1,…,a q +b q ;r+s) (r+ a i x i ) + (s+ b i x i ) = r+s+ (a i +b i )x i

12 Tools Constant size knowledge commitments for tuples of elements (a 1,…,a q ) (Z p ) q Homomorphic so we can add committed tuples com(a 1,…,a q )com(b 1,…,b q ) = com(a 1 +b 1,…,a q +b q ) NIZK argument for multiplicative relationship com(a 1,…,a q ) com(b 1,…,b q ) com(a 1 b 1,…,a q b q ) NIZK argument for known permutation com(a 1,…,a q ) com(a (1),…,a (q) )

13 Circuit with NAND-gates commit(a 1,…,a N,b 1,…,b N ) commit(b 1,…,b N,0,…..,0) commit(u 1,…,u N,0,…..,0) NIZK argument for u N = 1 NIZK argument for everything else consistent a1a1 a2a2 a3a3 a4a4 b1b1 b2b2 b3b3 b4b4 u1u1 u3u3 u2u2 u4u4

14 Consistency Need to show valid inputs a 1,…,a N,b 1,…b N {0,1} NIZK argument for multiplicative relationship commit(a 1,…,a N,b 1,…b N ) commit(a 1,…,a N,b 1,…b N ) commit(a 1,…,a N,b 1,…b N ) shows a 1 a 1 =a 1, …, a N a N =a N, b 1 b 1 =b 1, …, b N b N =b N Only possible if a 1 {0,1}, …, a N {0,1}, b 1 {0,1}, …, b N {0,1}

15 Consistency Homomorphic property gives commit(1,…,1,0,…,0) / commit(u 1,…,u N,0,…,0) = commit(1-u 1,…,1-u N,0,…,0) NIZK argument for multiplicative relationship in commit(a 1,…,a N,b 1,…,b N ) commit(b 1,…,b N,0,…,0) commit(1-u 1,…,1-u N,0,…,0) shows 1-u 1 =a 1 b 1,…,1-u N =a N b N This proves all NAND-gates are respected u 1 = (a 1 b 1 ),…,u N = (a N b N )

16 Consistency Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever a i and b j correspond to the same wire a i = b j We refer to the full paper for the details

17 Circuit with NAND-gates commit(a 1,…,a N,b 1,…,b N ) commit(b 1,…,b N,0,…..,0) commit(u 1,…,u N,0,…..,0) NIZK argument for u N = 1 NIZK argument for everything else consistent a1a1 a2a2 a3a3 a4a4 b1b1 b2b2 b3b3 b4b4 u1u1 u3u3 u2u2 u4u4

18 Conclusion NIZK argument of knowledge –perfect completeness –perfect zero-knowledge –computational soundness Short and efficient to verify CRSArgumentProver comp.Verifier comp. Minimal argumentO(N 2 )O(1)O(N 2 ) multsO(N) mults Balanced sizesO(N 2/3 ) O(N 4/3 ) multsO(N) mults CRS O(N 2(1-ε) ) and argument O(N ε ) q-PKE and q-CPDH

19 Thanks Full paper available at www.cs.ucl.ac.uk/staff/J.Groth

Download ppt "Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual."

Similar presentations

Dov Gordon & Jonathan Katz University of Maryland.

Dov Gordon & Jonathan Katz University of Maryland.
Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
Short Non-interactive Zero-Knowledge Proofs

Short Non-interactive Zero-Knowledge Proofs
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.

Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.

Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI.

Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.

Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.

Similar presentations

Ads by Google