Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pairing-Based Non-interactive Zero-Knowledge Proofs Jens Groth University College London Based on joint work with Amit Sahai.

Published byScarlett Henderson Modified over 8 years ago

Similar presentations

Presentation on theme: "Pairing-Based Non-interactive Zero-Knowledge Proofs Jens Groth University College London Based on joint work with Amit Sahai."— Presentation transcript:

1 Pairing-Based Non-interactive Zero-Knowledge Proofs Jens Groth University College London Based on joint work with Amit Sahai

2 Agenda Motivation –Zero-knowledge proofs useful when designing schemes Modules with bilinear maps –Generalizes groups with pairings Non-interactive proofs for modules with bilinear maps –Witness-indistinguishable –Zero-knowledge in some cases Efficient non-interactive privacy-preserving proofs that can be used in groups with pairings

3 Gen(1 k ) generates (p,G,H,T,e,g,h) G,H,T finite cyclic groups of order p Bilinear map e: G  H → T –e(g a,h b ) = e(g,h) ab G =  g , H =  h , T=  e(g,h)  Deciding group membership, group operations, and bilinear map efficiently computable Choices: –Order p prime or composite, G = H or G  H, etc. Groups with bilinear map

4 Constructions in bilinear groups a,c  G, h  H, b,d  Z p t = b+yd (mod p) t G = x y a y c t t T = e(t G,h b ) y  Z p x  G

5 Non-interactive proof for correctness t = b+yd (mod p) t G = x y a y c t t T = e(t G,ct G b ) Are the constructions correct? I do not know your secret x, y.  Yes, here is a proof.

6 Non-interactive zero-knowledge proof ProverVerifier Soundness: Statement is true Zero-knowledge: Nothing but truth revealed Common reference string Proof:  Witness for statement being true Statement

7 Verifiably encrypted signature ElGamal encryption of Boneh-Boyen signature (h r,y r s) such that e(vg m,s) = e(g,h) Statement: y,c,d,v,m Witness: r,s such that c = h r, d = y r s, e(vg m,s)=e(g,h) Non-interactive zero-knowledge proof convinces verifier but keeps witness r,s private

8 Applications of non-interactive zero- knowledge proofs Verifiable encryption Ring signatures Group signatures Voting Digital credentials E-cash …

9 Module An abelian group (A,+,0) is a Z p -module if Z p acts on A such that for all r,s  Z p x,y  A: –1x = x –(r+s)x = rx + sx –r(x+y) = rx + ry –(rs)x = r(sx) If p is a prime, then A is a vector space Examples: Z p, G, H, T, G 2, H 2, T 4 are Z p -modules

10 Modules with bilinear map We will be interested in finite Z p -modules A, B, T with a bilinear map f: A  B  T Examples: –e: G  H  T(x,y)  e(x,y) –exp: G  Z p  G(x,y)  x y –exp: Z p  H  H(x,y)  y x –mult: Z p  Z p  Z p (x,y)  xy (mod p)

11 Equations in modules with bilinear map Given f: A  B  T we are interested in equations  f(a j,y j ) +  f(x i,b i ) +  m ij f(x i,y j ) = t Examples t = b+yd (mod p) t G = x y a y c t t T = e(t G,ct G b )

12 Equations in modules with bilinear map Given f: A  B  T we are interested in equations  f(a j,y j ) +  f(x i,b i ) +  m ij f(x i,y j ) = t Define x ∙ y =  f(x i,y i ) Rewrite equations as a ∙ y + x ∙ b + x ∙ My = t

13 Statements and witnesses Setup: (p, A, B, T, f) Statement: N equations of the form (a i,b i,M i,t i ) with the claim that there exists x, y such that for all i: a i ∙ y + x ∙ b i + x ∙ M i y = t i Witness: x  A m, y  B n that satisfy all equations

14 Non-interactive proofs Common reference string: K(p,A,B,T,f)   Prover: P( ,{(a i,b i,M i,t i )} i,x,y)   Verifier: V( ,{(a i,b i,M i,t i )} i,  )  accept/reject Completeness: Given witness x,y for simultaneous satisfiability of equations the prover outputs accepting proof  Soundness: If statement is false, i.e., no such x,y exists, then impossible to construct accepting 

15 Privacy Zero-knowledge: Proof  reveals nothing about x, y Witness-indistinguishability: Proof  does not reveal which witness x, y out of many possible witnesses was used Zero-knowledge implies witness-indistinguishability Witness-indistinguishability weaker than ZK –May leak partial information (e.g. all witnesses have x 1 = 0) –May leak entire witness when only one witness exists

16 Witness-indistinguishability Simulated common reference string: S(p,A,B,T,f)  –Computationally indistinguishable from real CRS On simulated common reference string  : –Given any satisfiable statement {(a i,b i,M i,t i )} i and any two possible witnesses x 0,y 0 or x 1,y 1 the proofs using either witness have identical probability distributions { P( ,{(a i,b i,M i,t i )} i,x 0,y 0 )   } ={ P( ,{(a i,b i,M i,t i )} i,x 1,y 1 )   }

17 Modules and maps defined by setup and CRS Modules with linear and bilinear maps f A  B  T i C  p A i D  p B i W  p T C  D  W F Non-trivial: p A (i C (x)) = x, p B (i D (y)) = y, p T (i W (z)) = z Commutative: F(i C (x),i D (y)) = i W (f(x,y)) f(p A (c),p B (d)) = p T (F(c,d))

18 A simple equation Want to prove  x  A  y  B: f(x,y) = t The prover computes c = i C (x) and d = i D (y) The verifier checks F(c,d) = i W (t) Completeness: f x,y  t i C  i D  i W  i C (x), i D (y)  i W (t) F

19 Soundness Soundness: f p A (c), p B (d)  t  p A  p B  p T c,d  i W (t) F Given proof c,d define x = p A (c) and y = p B (d) to get a solution to the equation f(x,y) = t

20 Sets of equations Define i C (x) = (i C (x 1 ),…,i C (x m ))similar for i D (y) Define p A (c) = (p A (c 1 ),…,p A (c n ))similar for p B (d) Define c  d = F(c 1,d 1 )+…+F(c n,d n ) Want to prove  x  A m  y  B n satisfying N equations of the form a ∙ y + x ∙ b + x ∙ My = t Prover with x,y can compute c = i C (x), d = i D (y) Verifier checks for each equation i C (a)  d + c  i D (b) + c  Md = i W (t)

21 Completeness and soundness a, x b, y ∙t A  B  T i C  p A i D  p B i W  p T C  D  W i C (a), c i D (b), d  i W (t) Completeness comes from linearity, bilinearity and the commutative property F(i C (x),i D (y)) = i W (f(x,y)) Soundness comes from linearity, bilinearity, non- triviality p A (i C (a)) = a, p B (i D (b)) = b, p T (i W (t)) = t and the commutative property f(p A (c),p B (d)) = p T (F(c,d))

22 Example Modules with linear and bilinear maps xyet G  H  T i C  p A i D  p B i W  p T G 2  H 2  T 4 (1,x) (1,y)E (1,1,1,t) p A (c,x) = c -  x, p B (d,y) = d -  y, p T (u,v,w,t) = u -  v -  w -  t E((c,x),(d,y)) = (e(c,d),e(c,y),e(x,d),e(x,y)) Commutative: E(i C (x),i D (y)) = i W (e(x,y)) e(p A (c,x),p B (d,y)) = p T (E((c,x),(d,y)))

23 Witness-indistinguishable? The example has no privacy at all Given i C (x) = ((1,x 1 ),…,(1,x m )) and i D (y) = ((1,y 1 ),…,(1,y n )) easy to compute x, y What if in the general case i A, i B, i W are one-way functions and p A, p B, p T are hard to compute? Still not witness-indistinguishable Given two witnesses (x 0, y 0 ) and (x 1,y 1 ) it is easy to test whether i C (x) = i C (x 0 ) and i D (y) = i D (y 0 )

24 Randomization No deterministic witness-indistinguishable proofs Need to randomize the maps x  c, y  d Common reference string: u  C m, v  D n such that p A (u) = 0 and p B (v) = 0 Compute c = i C (x) + Ru and d = i D (y) + Sv with random R  Mat m  m (Z p ), S  Mat n  n (Z p ) Observe: p A (c) = p A (i C (x)+Ru) = p A (i C (x)) = x Example:If u = (g,g  ) then c = i C (x)u r = (g r,g  r x)

25 Soundness Common reference string: u  C m, v  D n such that p A (u) = 0 and p B (v) = 0 Compute c = i C (x) + Ru and d = i D (y) + Sv For each equations a ∙ y + x ∙ b + x ∙ My = t somehow (next slide) compute proof   D m,   C n Verifier checks i C (a)  d + c  i D (b) + c  Md = i W (t) + u   +   v Soundness – apply projections to get a ∙ p B (d) + p A (c) ∙ b + p A (c) ∙ Mp B (d) = t + 0 + 0 So x = p A (c) and y = p B (d) satisfies all equations

26 Completeness Common reference string: u  C m, v  D n Compute c = i C (x) + Ru and d = i D (y) + Sv with random R  Mat m  m (Z p ), S  Mat n  n (Z p ) For each equations a ∙ y + x ∙ b + x ∙ My = t can use proof  = S T i C (a) + S T M T (i C (x)+Ru),  = R T i D (b) + R T Mi D (y) Verification always works when x, y satisfy equations i C (a)  d + c  i D (b) + c  Md = i C (a)  (i D (y)+Sv) + (i C (x)+Ru)  i D (b) + (i C (x)+Ru)  M(i D (y)+Sv) = i W (t) +   v + u  

27 Witness-indistinguishability Simulated common reference string hard to distinguish from real common reference string Simulated common reference string: u  C m, v  D n such that C =  u 1,…,u m  and D =  v 1,…,v n  Compute c = i C (x) + Ru and d = i D (y) + Sv with random R  Mat m  m (Z p ), S  Mat n  n (Z p ) On simulated common reference string c and d are perfectly hiding x, y Indeed, for any x, y we get uniformly random c, d

28 Example Common reference string includes u 1 = (g,g  ), u 2 = (g ,g  +  ), v 1 =(h,h  ), v 2 = (h ,h  +  ) –Real CRS:  = 0,  = 0 –Simulated CRS:   0,   0 –Indistinguishable: DDH in both G and H To commit to x pick (r 1,r 2 )  Mat 1  2 (Z p ) and set c = (c 1,c 2 ) = i C (x)u 1 r 1 u 2 r 2 = (1,x) (g,g  ) r 1 (g ,g  +  ) r 2 = (g r 1 +  r 2,g  (r 1 +  r 2 ) g  r 2 x) On real CRS we get ElGamal encryption of x –p A (c) = c 1 -  c 2 = xwhen  = 0 On simulated CRS perfectly hiding x –c = (c 1,c 2 ) random since u 1, u 2 linearly independent

29 Witness-indistinguishability The commitments c and d do not reveal x and y when using a simulated common reference string But maybe the proofs ,  reveal something Let us therefore randomize the proofs as well For each equation we will pick ,  uniformly at random among solutions to verification equation i C (a)  d + c  i D (b) + c  Md = i W (t) + u   +   v Given witness x 0, y 0 or x 1, y 1 we have uniformly random c, d and for each equation independent and uniformly random proofs , 

30 Randomizing the proofs Given u,v,c,d and a proof ,  such that i C (a)  d + c  i D (b) + c  Md = i W (t) + u  +  v Then there are other possible proofs i C (a)  d + c  i D (b) + c  Md = i W (t) + u  (  -v) + (  +u)  v More generally for any T  Mat n  m (Z p ) i C (a)  d+c  i D (b)+c  Md = i W (t) + u  (  -T T v) + (  +Tu)  v We may also have H  Mat m  n (Z p ) such that u  Hv = 0 Then we have i C (a)  d+c  i D (b)+c  Md = i W (t) + u  (  +Hv) +  v

31 Randomizing the proofs Given u,v,c,d and for each equation ,  such that i C (a)  d + c  i D (b) + c  Md = i W (t) + u  +  v Randomize each proof ,  as  ’ =  - T T v + Hv  ’ =  + Tu T is chosen at random from Mat n  m (Z p ) H chosen at random in Mat m  n (Z p ) such that u  Hv=0 We still have correct verification for each equation i W (t) + u  ’ +  v’ = i W (t) + u  (  -T T v+Hv) + (  +Tu)  v = i W (t) + u  + u  v = i C (a)  d + c  i D (b) + c  Md

32 Witness-indistinguishability On simulation common reference string we now have perfect witness-indistinguishability; given x 0, y 0 or x 1, y 1 satisfying the equations we get the same distribution of commitments c, d and proofs Actually, every x, y satisfying all equations gives uniform random distribution on c, d and proofs Proof: –We already know c, d are uniformly random –For each equation  ’ =  + Tu random since C =  u  –For each equation  ’ =  -T T v+Hv uniformly random over  ’ satisfying i C (a)  d+c  i D (b)+c  Md=i W (t)+u  ’+  ’  v due to H uniformly random over u  Hv=0 and D =  v 

33 The setup and common reference string Setup and common reference string describes non-trivial linear and bilinear maps that commute f A  B  T i C  p A i D  p B i W  p T C  D  W F Common reference string also describes u, v Real CRS: p A (u) = 0, p B (v) = 0 Simulated CRS: C =  u , D =  v 

34 The proof system Statement: N equations of the form a ∙ y + x ∙ b + x ∙ My = t Witness: x, y satisfying all N equations Proof: c = i C (x) + Ru and d = i D (y) + Sv For each equation a ∙ y + x ∙ b + x ∙ My = t set  = S T i C (a) + S T M T (i C (x)+Ru) + Tu and  = R T i D (b) + R T Mi D (y) - T T v + Hv Verification: For each eq. a ∙ y + x ∙ b + x ∙ My = t check i C (a)  d + c  i D (b) + c  Md = i W (t) + u  +  v

35 Size of NIWI proofs Cost of each variable/equation Subgroup Decision DDH in both groups Decision Linear Variable in G, H or Z p 123 Pairing product189 Multi-exponentiation169 Quadratic in Z p 146 Each equation constant cost. independently of number of public constants and secret variables. NIWI proofs can have sub-linear size compared to statement!

36 Zero-knowledge Are the NIWI proofs also zero-knowledge? Proof is zero-knowledge if there is a simulator that given the statement can simulate a proof Problem: The simulator does not know a witness Zero-knowledge in special case where all N equations are of the form a ∙ y + x ∙ b + x ∙ My = 0 Now the simulator can use x = 0, y = 0 as witness

37 A more interesting special case If A = Z p and T = B then possible to rewrite a ∙ y + x ∙ b + x ∙ My = t as a ∙ y + (-1) ∙ t + x ∙ b + x ∙ My = 0 Using c 0 = i C (-1) + 0u as a commitment to x 0 = -1 we can give NIWI proofs with witness (x 0,x),y Soundness on a real CRS shows that for each equation we have a ∙ y - 1 ∙ t + x ∙ b + x ∙ My = 0

38 A more interesting special case Simulated CRS generation: Setup CRS such that i C (-1) = i C (0) +  T u for  Z p m Simulating proofs: Give NIWI proofs for equations of the form a ∙ y - x 0 ∙ t + x ∙ b + x ∙ My = 0 In NIWI proofs interpret c 0 = i C (0) +  T u as a commitment to x 0 = 0, which enables the prover to use the witness x = 0, y = 0 in all equations Zero-knowledge: Simulated proofs using x 0 = 0 are uniformly distributed just as real proofs using x 0 = -1 are

39 Size of NIZK proofs Cost of each variable/equation Subgroup Decision DDH in both groups Decision Linear Variable in G, H or Z p 123 Pairing product (t=1)189 Multi-exponentiation169 Quadratic in Z p 146

40 Summary Modules with commuting linear and bilinear maps f A  B  T i C  p A i D  p B i W  p T C  D  W F Randomized commitments and proofs in C, D Efficient NIWI and NIZK proofs that can be used when constructing pairing-based schemes

41 Open problems Modules with bilinear maps useful elsewhere? –Groups: Simplicity, possible to use special properties –Modules: Generality, many assumptions at once –What is the right level of abstraction? Other instantiations of modules with bilinear map? –Known constructions based on groups with bilinear map –Other ways to construct them?

Download ppt "Pairing-Based Non-interactive Zero-Knowledge Proofs Jens Groth University College London Based on joint work with Amit Sahai."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Short Non-interactive Zero-Knowledge Proofs

Short Non-interactive Zero-Knowledge Proofs
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.

Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.

Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.

Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
Algebra Problems… Solutions Algebra Problems… Solutions © 2007 Herbert I. Gross Set 22 By Herbert I. Gross and Richard A. Medeiros next.

Algebra Problems… Solutions Algebra Problems… Solutions © 2007 Herbert I. Gross Set 22 By Herbert I. Gross and Richard A. Medeiros next.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Similar presentations

Ads by Google