New Techniques for NIZK. Jens Groth, Rafail Ostrovsky, Amit Sahai. University of California, Los Angeles.


1 New Techniques for NIZK. Jens Groth, Rafail Ostrovsky, Amit Sahai. University of California, Los Angeles.

2 Motivation. "I'm a woman." "Prove it!" "OK, I will make a zero-knowledge proof." Circuit C = "I'm a woman". Proof π.

3 Completeness. Perfect completeness: Pr[Accept] = 1. [Diagram: $K(1^k)$ outputs the common reference string; the prover holds circuit C and witness w so C(w)=1 and sends proof π; the verifier outputs Accept.]

4 Soundness. Perfect soundness: Pr[Reject] = 1. [Diagram: $K(1^k)$ outputs the common reference string; the adversary sends unsatisfiable C and proof π; the verifier outputs Reject.]

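5 Zero-knowledge. Computational zero-knowledge: $\Pr[A \to 1 \mid \text{Simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{Real proofs } (K, P)]$. [Diagram: $S_1(1^k)$ outputs the "common reference string" and sk; the adversary supplies circuit C and witness w; $S_2$(crs, sk, C) returns proof π; the adversary outputs 0/1.]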

6 NIZK proof for Circuit SAT. Circuit SAT is NP complete. [Figure: circuit of NAND gates with wires $w_1, w_2, w_3, w_4$ and output 1.]

7 Homomorphic proof commitment. Two types of indistinguishable public keys: perfect trapdoor (pk, tk) ← $K_{hiding}(1^k)$; perfect binding pk ← $K_{binding}(1^k)$. Homomorphic. Message space size at least 4 (3 also ok). Witness indistinguishable proof that commitment contains 0 or 1: perfect soundness on perfect binding key; perfect WI on perfect trapdoor key.

8 Bilinear group of order n. $G, G_T$ cyclic groups of order $n = pq$; g generator for G; bilinear map $e: G \times G \to G_T$ with $e(u^a, v^b) = e(u, v)^{ab}$; $e(g, g)$ generates $G_T$. Decision subgroup problem: ord(h) = q or ord(h) = n?

9 BGN-based commitment. Perfect binding key: ord(g) = n, ord(h) = q. Perfect hiding key: ord(g) = ord(h) = n and $g = h^x$. Commitment: $Com(m; r) = g^m h^r$ where $r \in Z_n$. Homomorphic: $g^{m+M} h^{r+R} = g^m h^r \cdot g^M h^R$.

10 WI proof for commit to 0 or 1. Wish to prove c commitment to 0 or 1. Write $c = g^m h^r$ (m mod p unique if h order q). $e(c, g^{-1}c) = e(g^m h^r, g^{m-1} h^r) = e(g, g)^{m(m-1)}\, e(h^r, g^{2m-1} h^r) = e(h, (g^{2m-1} h^r)^r) = e(h, \pi)$. Proof is: $\pi = (g^{2m-1} h^r)^r$. Soundness when h has order q: $e(g, g)^{m(m-1)}\, e(h^r, g^{2m-1} h^r) = e(h, \pi)$ so m = 0, 1 mod p. Witness indistinguishability when h has order n: unique π so $e(c, g^{-1}c) = e(h, \pi)$.

11 NIZK proof for Circuit SAT. [Figure: the NAND circuit with committed wires $c_1 = com(w_1)$, $c_2 = com(w_2)$, $c_3 = com(w_3)$, $c_4 = com(w_4)$ and output com(1).] WI proof $c_1$ commit to 0 or 1. WI proof $c_2$ commit to 0 or 1. WI proof $c_3$ commit to 0 or 1. WI proof $c_4$ commit to 0 or 1. WI proof $w_4 = \neg(w_1 \wedge w_2)$. WI proof $1 = \neg(w_4 \wedge w_3)$.

12 WI proof for NAND-gate. Given $c_0, c_1, c_2$ commitments containing bits $b_0, b_1, b_2$, wish to prove $b_2 = \neg(b_0 \wedge b_1)$. $b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$. WI proof that $c_0\, c_1\, c_2^2\, com(-2)$ is a commitment to 0 or 1.

13 NIZK proof for Circuit SAT. Commit to all wires $w_i$ as $c_i = com(w_i)$. For each i make WI proof that $c_i$ contains 0 or 1. For each NAND-gate make WI proof that $c_0\, c_1\, c_2^2\, com(-2)$ contains 0 or 1. Perfect completeness. Perfect binding key: perfect soundness. Perfect trapdoor key: perfect zero-knowledge.
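
The bit proof and NAND-gate proof of slides 9 to 13, as an added example that is not code from the presentation: a toy model in which every group element is replaced by its discrete logarithm mod n, so the pairing equation can be evaluated directly and both key types compared. The parameters p = 11, q = 13 and all function names are assumptions made for illustration.

```python
# Toy model, constructed for illustration: each group element is stored as its
# discrete log mod n, so g = 1, the group law is addition mod n and the
# pairing e(g^a, g^b) = e(g, g)^(ab) is a * b mod n. Not secure.
import random

p, q = 11, 13
n = p * q

def keygen(binding):
    # binding key: ord(h) = q (h is a nonzero multiple of p)
    # hiding key:  ord(h) = n (h is a unit mod n)
    if binding:
        return p * random.randrange(1, q)
    while True:
        h = random.randrange(1, n)
        if h % p and h % q:
            return h

def com(h, m, r):                  # Com(m; r) = g^m h^r
    return (m + r * h) % n

def prove_bit(h, m, r):            # pi = (g^(2m-1) h^r)^r
    return (2 * m - 1 + r * h) * r % n

def verify_bit(h, c, pi):          # e(c, g^-1 c) == e(h, pi)
    return (c * (c - 1) - h * pi) % n == 0

def check_gate(h, b0, b1, b2):
    # Commit to three wires, then prove that c0 c1 c2^2 com(-2) holds 0 or 1
    rs = [random.randrange(n) for _ in range(3)]
    c0, c1, c2 = (com(h, b, r) for b, r in zip((b0, b1, b2), rs))
    gate_c = (c0 + c1 + 2 * c2 + com(h, -2, 0)) % n
    gate_m = b0 + b1 + 2 * b2 - 2
    gate_r = (rs[0] + rs[1] + 2 * rs[2]) % n
    return verify_bit(h, gate_c, prove_bit(h, gate_m, gate_r))

def forgeable(h, m):
    # Exhaustive search: does any (r, pi) verify for a commitment to m?
    return any(verify_bit(h, com(h, m, r), pi)
               for r in range(n) for pi in range(n))

if __name__ == "__main__":
    hb, hh = keygen(True), keygen(False)
    print([check_gate(hb, a, b, c)
           for a in (0, 1) for b in (0, 1) for c in (0, 1)])
    print(forgeable(hb, 2), forgeable(hh, 2))
```

On the binding key no proof exists for a commitment to 2, while on the hiding key one always does, which is the soundness versus zero-knowledge split between the two key types.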

14 Perfect NIZK on perfect trapdoor key. Simulation: make trapdoor commitments; trapdoor-open relevant commitments to 0 and WI prove. Proof that simulation works on C with w so C(w)=1: Can trapdoor-open commitments to $w_i$'s and WI prove; by perfect witness-indistinguishability of the WI proofs, indistinguishable from simulation. Can from the start make commitments to $w_i$'s; by perfect hiding of the commitments, indistinguishable from previous method. Corresponds to real proof on trapdoor key.

15 First result. Use $K_{binding}$ to generate pk. NIZK proof with perfect completeness, perfect soundness, computational ZK. CRS size: O(k) bits. Proof size: O(|C|k) bits. Compare with: O(|C|$k^2$) proofs [KP].

16 Second result. Use $K_{hiding}$ to generate pk. NIZK argument with perfect completeness, computational co-soundness, perfect zero-knowledge. CRS size: O(k) bits. Proof size: O(|C|k) bits. Compare with: None.

17 Adaptive co-soundness. Computational co-soundness: Pr[Reject] ≈ 1. [Diagram: $K_{hiding}$ outputs the common reference string; the adversary outputs C, $w_{co}$ and proof π; the verifier outputs Reject.] $w_{co}$: witness for C unsatisfiable.

18 Third result. Protocol: non-interactive; statistical ZK; UC NIZK proof secure against adaptive adversary. Compare with: interactive UC ZK proofs [DN, CLOS]; UC NIZK proofs secure against non-adaptive adversary [DDOPS].

19 Non-interactive zaps for Circuit SAT. No common reference string. Perfect completeness: $\forall (C, w)$ so C(w)=1: $\pi \leftarrow P(1^k, C, w) : V(1^k, C, \pi) = 1$. Perfect soundness: $\forall (C, \pi)$ with C unsatisfiable: $V(1^k, C, \pi) = 0$. Computational witness-indistinguishability: $\forall (C, w_0, w_1)$ so $C(w_0)=1$ and $C(w_1)=1$: $P(1^k, C, w_0) \approx P(1^k, C, w_1)$.

20 Non-interactive zaps. Naïve idea: prover chooses public key and makes NIZK proof. Problem: can choose trapdoor key and prove anything. Better idea: prover chooses two public keys and makes an NIZK proof with each of them. Makes choice so: one is trapdoor, one is perfect binding; verifiable that at least one key is perfect binding; verifier cannot tell which key is trapdoor.

21 Witness-indistinguishability. Circuit C and two witnesses $w_0, w_1$. Generate $pk_0$ perfect trapdoor and $pk_1$ perfect binding. Hybrids: NIZK proof using $w_0$ on $pk_0$ and NIZK proof using $w_0$ on $pk_1$; simulate proof on trapdoor $pk_0$ and NIZK proof using $w_0$ on $pk_1$; NIZK proof using $w_1$ on $pk_0$ and NIZK proof using $w_0$ on $pk_1$. Switch to $pk_0$ perfect binding and $pk_1$ perfect trapdoor: NIZK proof using $w_1$ on $pk_0$ and simulate proof on trapdoor $pk_1$; NIZK proof using $w_1$ on $pk_0$ and NIZK proof using $w_1$ on $pk_1$. Switch back to $pk_0$ perfect trapdoor and $pk_1$ perfect binding.

22 Fourth result. Use verifiable pairs of public keys: at least one of two keys is perfect binding; the other is trapdoor; indistinguishable which one is trapdoor. Non-interactive ZAP. Proof size O(|C|k) bits. Compare with: 2-move zaps [DN]; non-interactive zaps [BOV] (huge proofs, non-standard assumption).

23 Bilinear groups. $G, G_T$ cyclic groups of prime order p; g generator for G; bilinear map $e: G \times G \to G_T$ with $e(g^a, g^b) = e(g, g)^{ab}$; $e(g, g)$ generator for $G_T$. Decisional linear problem [BBS]: given $f, h, g, u = f^R, v = h^S, w = g^T$, is $T = R+S$ or T random?

24 Commitment scheme. Public key: $f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^T$; $pk = (p, G, G_T, e, g, f, h, u, v, w)$. Commitment to $m \in Z_p$: $c = (u^m f^r, v^m h^s, w^m g^{r+s})$. Perfect hiding trapdoor if $T = R+S$: $c = (f^{mR+r}, h^{mS+s}, g^{m(R+S)+r+s})$.

25 Commitment scheme. Commitment to $m \in Z_p$: $c = (u^m f^r, v^m h^s, w^m g^{r+s}) = (c_1, c_2, c_3)$. Perfect binding if $T \neq R+S$, because $c_3\, c_1^{-1/x} c_2^{-1/y} = (w\, u^{-1/x} v^{-1/y})^m = g^{(T-(R+S))m}$ uniquely defines m.

26 Commitment scheme. Commitment to $m \in Z_p$: $c = (u^m f^r, v^m h^s, w^m g^{r+s})$. Homomorphic: $(u^m f^r, v^m h^s, w^m g^{r+s}) \cdot (u^M f^R, v^M h^S, w^M g^{R+S}) = (u^{m+M} f^{r+R}, v^{m+M} h^{s+S}, w^{m+M} g^{r+R+s+S})$. Witness indistinguishable proof of commitment to message 0 or 1: perfect sound on perfect binding key; perfect WI on perfect trapdoor key.

27 Choosing two keys. Elliptic curve E: $y^2 = x^3 + 1 \bmod q$, where q is the smallest suitable prime so E has an order p subgroup. Easy to verify p is prime, p defines $(G, G_T, e)$, easy to verify that g is an order p point on the curve. Choose $x, y \leftarrow Z_p^*$, $R, S \leftarrow Z_p$ and set $f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^{R+S}$. Output two public keys $(p, G, G_T, e, g, f, h, u, v, w)$ and $(p, G, G_T, e, g, f, h, u, v, wg)$. At least one must be perfectly binding, but by the decisional linear assumption it is hard to tell which one.
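
The commitment scheme and key pair of slides 24 to 27, as an added example that is not code from the presentation: it shows a commitment being reopened to another message on the key with T = R+S, the same reopening failing on the key with w replaced by wg, and the message being recovered on that binding key. It assumes the order-p subgroup of $Z_Q^*$ with toy parameters in place of the elliptic-curve group; all names are hypothetical.

```python
# Constructed toy parameters: the order-p subgroup of Z_Q^* with Q = 2p + 1
# stands in for the elliptic-curve group; no pairing is needed for these steps.
import random

p, Q, g = 1019, 2039, 4        # 4 = 2^2 has prime order p modulo Q

def keypair():
    x, y = random.randrange(1, p), random.randrange(1, p)
    R, S = random.randrange(p), random.randrange(p)
    f, h = pow(g, x, Q), pow(g, y, Q)
    u, v, w = pow(f, R, Q), pow(h, S, Q), pow(g, R + S, Q)
    # (.., w) has T = R+S (trapdoor); (.., wg) has T = R+S+1 (binding)
    return (f, h, u, v, w), (f, h, u, v, w * g % Q), (x, y, R, S)

def pair_ok(pk0, pk1):
    # Verifier's check: same f, h, u, v and the second w is the first times g
    return pk0[:4] == pk1[:4] and pk1[4] == pk0[4] * g % Q

def commit(pk, m, r, s):
    f, h, u, v, w = pk
    return (pow(u, m, Q) * pow(f, r, Q) % Q,
            pow(v, m, Q) * pow(h, s, Q) % Q,
            pow(w, m, Q) * pow(g, r + s, Q) % Q)

def equivocate(m, r, s, m_new, R, S):
    # Trapdoor opening when T = R+S: new (r, s) opening the same c to m_new
    return (r + R * (m - m_new)) % p, (s + S * (m - m_new)) % p

def extract(c, x, y):
    # c3 * c1^(-1/x) * c2^(-1/y) = g^((T-(R+S)) m), which is g^m on the wg key
    c1, c2, c3 = c
    ex, ey = -pow(x, -1, p) % p, -pow(y, -1, p) % p
    return c3 * pow(c1, ex, Q) * pow(c2, ey, Q) % Q

if __name__ == "__main__":
    trap, bind, (x, y, R, S) = keypair()
    r2, s2 = equivocate(1, 17, 23, 0, R, S)
    print(pair_ok(trap, bind))
    print(commit(trap, 1, 17, 23) == commit(trap, 0, r2, s2))   # same c
    print(commit(bind, 1, 17, 23) == commit(bind, 0, r2, s2))   # differs
    print(extract(commit(bind, 1, 17, 23), x, y) == g)
```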

