New techniques for nizk
Download
1 / 27

New Techniques for NIZK - PowerPoint PPT Presentation


  • 90 Views
  • Uploaded on

New Techniques for NIZK. Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles. Motivation. OK, I will make a zero-knowledge proof. I’m a woman. Prove it!. Circuit C = ”I’m a woman” Proof π. Completeness. Circuit C. Witness w so C(w)=1. Proof π. K(1 k ).

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' New Techniques for NIZK' - mandek


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
New techniques for nizk

New Techniques for NIZK

Jens Groth

Rafail Ostrovsky

Amit Sahai

University of California Los Angeles


Motivation
Motivation

OK, I will make a zero-knowledge proof

I’m a woman.

Prove it!

Circuit C = ”I’m a woman”

Proof π


Completeness

Circuit C

Witness wso C(w)=1

Proof π

K(1k)

Common reference string

Accept

Prover Verifier

Perfect completeness: Pr[Accept] = 1


Soundness

Unsatisfiable CProof π

K(1k)

Common reference string

Reject

Adversary Verifier

Perfect soundness: Pr[Reject] = 1


Zero knowledge

Proof π

Zero-knowledge

S1(1k)

”Common reference string”

sk

Circuit CWitness w

S2(crs, sk, C)

0/1

Simulator Adversary

Computational zero-knowledge: Pr[A1|Simulated proofs (S1,S2)] ≈ Pr[A1|Real proofs (K,P)]


NIZK proof for Circuit SAT

1

NAND

Circuit SAT is NP complete

w4

NAND

w1

w2

w3


Homomorphic proof commitment

Two types of indistinguishable public keys:

  • Perfect trapdoor (pk, tk) ← Khiding(1k)

  • Perfect binding pk ← Kbinding(1k)

    Homomorphic

    Message space size at least 4 (3 also ok)

    Witness indistinguishable proof that commitment contains 0 or 1

  • Perfect soundness on perfect binding key

  • Perfect WI on perfect trapdoor key


Bilinear group of order n
Bilinear group of order n

G, GT cyclic groups of order n = pq

g generator for G

bilinear map e: G  G  GT

e(ua, vb) = e(u, v)ab

e(g, g) generates GT

Decision subgroup problem

ord(h) = q or ord(h) = n ?


Bgn based commitment
BGN-based commitment

Perfect binding key: ord(g) = n, ord(h) = q

Perfect hiding key: ord(g) = ord(h) = n and g=hx

Commitment: Com(m; r) = gmhr where r  Zn

Homomorphic: gm+Mhr+R = gmhr gMhR


Wi proof for commit to 0 or 1
WI proof for commit to 0 or 1

Wish to prove c commitment to 0 or 1

Write c = gmhr (m mod p unique if h order q)

e(c, g-1c) = e(gmhr, gm-1hr) = e(g, g)m(m-1) e(hr, g2m-1hr) = e(h, (g2m-1hr)r ) = e(h,π)

Proof is: π = (g2m-1hr)r

Soundness when h has order q:

e(g, g)m(m-1) e(hr, g2m-1hr) = e(h,π) so m = 0,1 mod p

Witness indistinguishability when h has order n:Unique π so e(c, g-1c) = e(h,π)


NIZK proof for Circuit SAT

com(1)

WI proof c1 commit to 0 or 1

WI proof c2 commit to 0 or 1

WI proof c3 commit to 0 or 1

WI proof c4 commit to 0 or 1

WI proof w4 = (w1w2)

WI proof 1 = (w4w3)

NAND

c4 = com(w4)

NAND

c1 = com(w1)

c3 = com(w3)

c2 = com(w2)


WI proof for NAND-gate

Given c0, c1, c2 commitments containing bits b0, b1, b2 wish to prove b2 = (b0b1)

b2 = (b0b1)

if and only if

b0 + b1 + 2b2 - 2  {0,1}

WI proof c0c1c22com(-2) commitment to 0 or 1


NIZK proof for Circuit SAT

  • Commit to all wires wi as ci = com(wi)

  • For each i make WI proof that ci contains 0 or 1

  • For each NAND-gate make WI proof that c0c1c22com(-2) contains 0 or 1

    Perfect completeness

    Perfect binding key - perfect soundness

    Perfect trapdoor key - perfect zero-knowledge


Perfect NIZK on perfect trapdoor key

Simulation:

Make trapdoor commitments

Trapdoor-open relevant commitments to 0 and WI prove

Proof that simulation works on C with w so C(w)=1:

Can trapdoor-open commitments to wi’s and WI prove

By perfect witness-indistinguishability of the WI proofs indistinguishable from simulation

Can from the start make commitments to wi’s

By perfect hiding of the commitments indistinguishable from previous method

Corresponds to real proof on trapdoor key


First result
First result

Use Kbinding to generate pk

NIZK proof with perfect completeness perfect soundness computational ZK

CRS size: O(k) bits

Proof size: O(|C|k) bits

Compare with: O(|C|k2) proofs [KP]


Second result

Use Khiding to generate pk

NIZK argument with perfect completeness computational co-soundness perfect zero-knowledge

CRS size: O(k) bits

Proof size: O(|C|k) bits

Compare with: None


Adaptive co-soundness

C, wcoProof π

Khiding

common reference string

Reject

wco witness for C unsatisfiable

Computational co-soundness: Pr[Reject] ≈ 1


Third result
Third result

Protocol: Non-interactive Statistical ZK UC NIZK proof secure against adaptive adversary

Compare with: Interactive UC ZK proofs [DN, CLOS] UC NIZK proofs secure against non- adaptive adversary [DDOPS]


Non-interactive zaps for Circuit SAT

  • No common reference string

  • Perfect completeness:(C, w) so C(w)=1

    π← P(1k, C, w) : V(1k, C , π)=1

  • Perfect soundness:(C, π) with C unsatisfiable V(1k, C, π)=0

  • Computational witness-indistinguishability:(C, w0, w1) so C(w0)=1 and C(w1)=1

    P(1k, C, w0) ≈ P(1k, C, w1)


Non-interactive zaps

Naïve idea:

Prover chooses public key and makes NIZK proof

Problem: Can choose trapdoor key and prove anything

Better idea:

Prover chooses two public keys and makes an NIZK proof with each of them

Makes choice so:

One is trapdoor, one is perfect binding

Verifiable that at least one key is perfect binding

Verifier cannot tell which key is trapdoor


Witness-indistinguishability

  • Circuit C and two witnesses w0, w1

  • Generate pk0 perfect trapdoor and pk1 perfect binding

  • NIZK proof using w0 on pk0 NIZK proof using w0 on pk1

  • Simulate proof on trapdoor pk0 NIZK proof using w0 on pk1

  • NIZK proof using w1 on pk0 NIZK proof using w0 on pk1

  • Switch to pk0 perfect binding and pk1 perfect trapdoor

  • NIZK proof using w1 on pk0 Simulate proof on trapdoor pk1

  • NIZK proof using w1 on pk0 NIZK proof using w1 on pk1

  • Switch back to pk0 perfect trapdoor and pk1 perfect binding


Fourth result
Fourth result

Use verifiable pairs of public keys At least one of two keys is perfect binding The other is trapdoor Indistinguishable which one is trapdoor

Non-interactive ZAP Proof size O(|C|k) bits

Compare with: 2-move zaps [DN] Non-interactive zaps [BOV] huge proofs, non-standard assumption


Bilinear groups

G, GT cyclic groups of prime order p

g generator for G

bilinear map e: G  G  GT

e(ga, gb) = e(g, g)ab

e(g, g) generator for GT

Decisional linear problem [BBS]

f, h, g, u = fR, v = hS, w = gT

T = R+S or T random ?


Commitment scheme

Public key

f = gx, h = gy, u = fR, v = hS, w = gT

pk = (p, G, GT, e, g, f, h, u, v, w)

Commitment to m  Zp

c = (umfr, vmhs, wmgr+s)

Perfect hiding trapdoor if T = R+S

= (fmR+r, hmS+s, gm(R+S)+r+s)


Commitment scheme

Commitment to m  Zp

c = (umfr, vmhs, wmgr+s)

Perfect binding if T ≠ R+S

= (c1, c2, c3)

because c3c2-1/xc1-1/y = (wu-1/xv-1/y)m

= g(T/(R+S))m

uniquely defines m


Commitment scheme

Commitment to m  Zp

c = (umfr, vmhs, wmgr+s)

Homomorphic

(umfr, vmhs, wmgr+s) (uMfR, vMhS, wMgR+S)

= (um+Mfr+R, vm+Mhs+S, wm+Mgr+R+s+S)

Witness indistinguishable proof of commitment to message 0 or 1 - Perfect sound on perfect binding key - Perfect WI on perfect trapdoor key


Choosing two keys

Elliptic curve E: y2 = x3 +1 mod q, where q smallest suitable prime so E has order p subgroup. Easy to verify p is prime, p defines (G, GT, e), easy to verify that g is order p point on curve.

Choose x,y ←Zp*, R,S ← Zp and set

f = gx, h = gy, u = fR, v = hS, w = gR+S

Output two public keys

(p, G, GT, e, g, f, h, u, v, w)

(p, G, GT, e, g, f, h, u, v, wg)

At least one must be perfectly binding, but by decisional linear assumption hard to tell which one


ad