## New Techniques for NIZK

Motivation

OK, I will make a zero-knowledge proof

I’m a woman.

Prove it!

Circuit C = ”I’m a woman”

Proof π

Circuit C

Witness $w$ so $C(w)=1$

Proof π

$K(1^k)$

Common reference string

Accept

Prover Verifier

Perfect completeness: Pr[Accept] = 1

Unsatisfiable C, Proof π

$K(1^k)$

Common reference string

Reject

Adversary Verifier

Perfect soundness: Pr[Reject] = 1

Zero-knowledge

$S_1(1^k)$

”Common reference string”

sk

Circuit C, Witness w

$S_2(\mathrm{crs}, sk, C)$

0/1

Simulator Adversary

Computational zero-knowledge: $\Pr[A \to 1 \mid \text{Simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{Real proofs } (K, P)]$

Two types of indistinguishable public keys:

- Perfect trapdoor: $(pk, tk) \leftarrow K_{\mathrm{hiding}}(1^k)$
- Perfect binding: $pk \leftarrow K_{\mathrm{binding}}(1^k)$

Homomorphic

Message space size at least 4 (3 also ok)

Witness indistinguishable proof that commitment contains 0 or 1

- Perfect soundness on perfect binding key
- Perfect WI on perfect trapdoor key

Bilinear group of order n

$G, G_T$ cyclic groups of order $n = pq$

$g$ generator for $G$

bilinear map $e: G \times G \to G_T$

$e(u^a, v^b) = e(u, v)^{ab}$

$e(g, g)$ generates $G_T$

Decision subgroup problem

ord(h) = q or ord(h) = n ?

BGN-based commitment

Perfect binding key: ord(g) = n, ord(h) = q

Perfect hiding key: ord(g) = ord(h) = n and $g = h^x$

Commitment: $\mathrm{Com}(m; r) = g^m h^r$ where $r \in \mathbb{Z}_n$

Homomorphic: $g^{m+M} h^{r+R} = g^m h^r \cdot g^M h^R$

WI proof for commit to 0 or 1

Wish to prove $c$ is a commitment to 0 or 1

Write $c = g^m h^r$ ($m \bmod p$ unique if $h$ has order $q$)

$e(c, g^{-1}c) = e(g^m h^r, g^{m-1} h^r) = e(g, g)^{m(m-1)}\, e(h^r, g^{2m-1} h^r) = e(h, (g^{2m-1} h^r)^r) = e(h, \pi)$

Proof is: $\pi = (g^{2m-1} h^r)^r$

Soundness when $h$ has order $q$:

$e(g, g)^{m(m-1)}\, e(h^r, g^{2m-1} h^r) = e(h, \pi)$ so $m = 0, 1 \bmod p$

Witness indistinguishability when $h$ has order $n$: Unique $\pi$ so $e(c, g^{-1}c) = e(h, \pi)$

com(1)

WI proof $c_1$ commit to 0 or 1

WI proof $c_2$ commit to 0 or 1

WI proof $c_3$ commit to 0 or 1

WI proof $c_4$ commit to 0 or 1

WI proof $w_4 = \neg(w_1 \wedge w_2)$

WI proof $1 = \neg(w_4 \wedge w_3)$

NAND

$c_4 = \mathrm{com}(w_4)$

NAND

$c_1 = \mathrm{com}(w_1)$

$c_3 = \mathrm{com}(w_3)$

$c_2 = \mathrm{com}(w_2)$

Given $c_0, c_1, c_2$ commitments containing bits $b_0, b_1, b_2$, wish to prove $b_2 = \neg(b_0 \wedge b_1)$

$b_2 = \neg(b_0 \wedge b_1)$

if and only if

$b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$

WI proof $c_0 c_1 c_2^2\, \mathrm{com}(-2)$ commitment to 0 or 1

- Commit to all wires $w_i$ as $c_i = \mathrm{com}(w_i)$
- For each $i$ make WI proof that $c_i$ contains 0 or 1
- For each NAND-gate make WI proof that $c_0 c_1 c_2^2\, \mathrm{com}(-2)$ contains 0 or 1
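The BGN-based commitment, the 0-or-1 WI proof and the NAND check from the slides above, as an added example that is not part of the original presentation. It runs in a deliberately insecure toy model in which each element $g^a$ is stored as its exponent $a \bmod n$ and the pairing is multiplication of exponents; the parameters and all function names are assumptions made for illustration.

```python
# Constructed toy model, insecure by design: the element g^a is stored as
# its exponent a mod n, so group multiplication is addition of exponents
# and the pairing e(g^a, g^b) = e(g,g)^(ab) is a*b mod n.
P, Q = 5, 7
N = P * Q
G = 1                    # the generator g
H_BINDING = 3 * P        # ord(h) = q: exponent is a multiple of p
H_HIDING = 2             # ord(h) = n: exponent is a unit mod n

def pair(a, b):
    return (a * b) % N

def commit(h, m, r):
    """Com(m; r) = g^m h^r."""
    return (m * G + r * h) % N

def prove_bit(h, m, r):
    """pi = (g^(2m-1) h^r)^r."""
    return (r * ((2 * m - 1) * G + r * h)) % N

def verify_bit(h, c, pi):
    """Accept iff e(c, g^-1 c) = e(h, pi)."""
    return pair(c, c - G) == pair(h, pi)

def nand_commitment(c0, c1, c2):
    """c0 * c1 * c2^2 * com(-2; 0), a commitment to b0 + b1 + 2*b2 - 2."""
    return (c0 + c1 + 2 * c2 - 2 * G) % N

def prove_nand(h, bits, rands):
    """Commit to the three wires and prove the combined value is 0 or 1."""
    cs = [commit(h, b, r) for b, r in zip(bits, rands)]
    m = bits[0] + bits[1] + 2 * bits[2] - 2
    r = rands[0] + rands[1] + 2 * rands[2]
    return cs, prove_bit(h, m, r)

def verify_nand(h, cs, pi):
    return verify_bit(h, nand_commitment(*cs), pi)

def some_proof_accepts(h, c):
    """Exhaustive search over every pi in the toy group."""
    return any(verify_bit(h, c, pi) for pi in range(N))
```

On the binding key the exhaustive search finds an accepting π only when the committed value is 0 or 1 mod p; on the hiding key it finds one for every commitment, which is why the verifier must know the key is binding.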

Perfect completeness

Perfect binding key - perfect soundness

Perfect trapdoor key - perfect zero-knowledge

Perfect NIZK on perfect trapdoor key

Simulation:

Make trapdoor commitments

Trapdoor-open relevant commitments to 0 and WI prove

Proof that simulation works on C with w so C(w)=1:

Can trapdoor-open commitments to $w_i$'s and WI prove

By perfect witness-indistinguishability of the WI proofs indistinguishable from simulation

Can from the start make commitments to $w_i$'s

By perfect hiding of the commitments indistinguishable from previous method

Corresponds to real proof on trapdoor key

First result

Use $K_{\mathrm{binding}}$ to generate pk

NIZK proof with perfect completeness, perfect soundness, computational ZK

CRS size: O(k) bits

Proof size: O(|C|k) bits

Compare with: $O(|C|k^2)$ proofs [KP]

Use $K_{\mathrm{hiding}}$ to generate pk

NIZK argument with perfect completeness, computational co-soundness, perfect zero-knowledge

CRS size: O(k) bits

Proof size: O(|C|k) bits

Compare with: None

C, $w_{co}$, Proof π

$K_{\mathrm{hiding}}$

common reference string

Reject

$w_{co}$ witness for C unsatisfiable

Computational co-soundness: Pr[Reject] ≈ 1

Third result

Protocol: Non-interactive Statistical ZK UC NIZK proof secure against adaptive adversary

Compare with: Interactive UC ZK proofs [DN, CLOS]; UC NIZK proofs secure against non-adaptive adversary [DDOPS]

Non-interactive zaps for Circuit SAT

- No common reference string
- Perfect completeness: $\forall (C, w)$ so $C(w)=1$: $\pi \leftarrow P(1^k, C, w) : V(1^k, C, \pi) = 1$
- Perfect soundness: $\forall (C, \pi)$ with $C$ unsatisfiable: $V(1^k, C, \pi) = 0$
- Computational witness-indistinguishability: $\forall (C, w_0, w_1)$ so $C(w_0)=1$ and $C(w_1)=1$: $P(1^k, C, w_0) \approx P(1^k, C, w_1)$

Naïve idea:

Prover chooses public key and makes NIZK proof

Problem: Can choose trapdoor key and prove anything

Better idea:

Prover chooses two public keys and makes an NIZK proof with each of them

Makes choice so:

One is trapdoor, one is perfect binding

Verifiable that at least one key is perfect binding

Verifier cannot tell which key is trapdoor

- Circuit $C$ and two witnesses $w_0, w_1$
- Generate $pk_0$ perfect trapdoor and $pk_1$ perfect binding
- NIZK proof using $w_0$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
- Simulate proof on trapdoor $pk_0$; NIZK proof using $w_0$ on $pk_1$
- NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
- Switch to $pk_0$ perfect binding and $pk_1$ perfect trapdoor
- NIZK proof using $w_1$ on $pk_0$; simulate proof on trapdoor $pk_1$
- NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_1$ on $pk_1$
- Switch back to $pk_0$ perfect trapdoor and $pk_1$ perfect binding

Fourth result

Use verifiable pairs of public keys

- At least one of two keys is perfect binding
- The other is trapdoor
- Indistinguishable which one is trapdoor

Non-interactive ZAP, proof size O(|C|k) bits

Compare with: 2-move zaps [DN]; non-interactive zaps [BOV]: huge proofs, non-standard assumption

$G, G_T$ cyclic groups of prime order $p$

$g$ generator for $G$

bilinear map $e: G \times G \to G_T$

$e(g^a, g^b) = e(g, g)^{ab}$

$e(g, g)$ generator for $G_T$

Decisional linear problem [BBS]

$f, h, g, u = f^R, v = h^S, w = g^T$

$T = R+S$ or $T$ random?

Public key

$f = g^x, h = g^y, u = f^R, v = h^S, w = g^T$

$pk = (p, G, G_T, e, g, f, h, u, v, w)$

Commitment to $m \in \mathbb{Z}_p$

$c = (u^m f^r, v^m h^s, w^m g^{r+s})$

Perfect hiding trapdoor if $T = R+S$

$= (f^{mR+r}, h^{mS+s}, g^{m(R+S)+r+s})$

Commitment to $m \in \mathbb{Z}_p$

$c = (u^m f^r, v^m h^s, w^m g^{r+s})$

Perfect binding if $T \neq R+S$

$= (c_1, c_2, c_3)$

because $c_3 c_1^{-1/x} c_2^{-1/y} = (w u^{-1/x} v^{-1/y})^m$

$= g^{(T-(R+S))m}$

uniquely defines $m$

Commitment to $m \in \mathbb{Z}_p$

$c = (u^m f^r, v^m h^s, w^m g^{r+s})$

Homomorphic

$(u^m f^r, v^m h^s, w^m g^{r+s}) \cdot (u^M f^R, v^M h^S, w^M g^{R+S})$

$= (u^{m+M} f^{r+R}, v^{m+M} h^{s+S}, w^{m+M} g^{r+R+s+S})$

Witness indistinguishable proof of commitment to message 0 or 1

- Perfect sound on perfect binding key
- Perfect WI on perfect trapdoor key

Elliptic curve $E: y^2 = x^3 + 1 \bmod q$, where $q$ is the smallest suitable prime so $E$ has an order $p$ subgroup. Easy to verify $p$ is prime, $p$ defines $(G, G_T, e)$, easy to verify that $g$ is an order $p$ point on the curve.

Choose $x, y \leftarrow \mathbb{Z}_p^*$, $R, S \leftarrow \mathbb{Z}_p$ and set

$f = g^x, h = g^y, u = f^R, v = h^S, w = g^{R+S}$

Output two public keys

$(p, G, G_T, e, g, f, h, u, v, w)$

$(p, G, G_T, e, g, f, h, u, v, wg)$

At least one must be perfectly binding, but by decisional linear assumption hard to tell which one
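The decisional-linear commitment and the verifiable key pair from the slides above, as an added example that is not part of the original presentation. It assumes a constructed toy group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, no pairing, far too small for real use); the function names `tag`, `key_pair` and `check_pair` are hypothetical.

```python
# Constructed toy parameters: order-p subgroup of Z_q^* with q = 2p + 1.
# The commitment itself needs no pairing; sizes are illustrative only.
P_ORD, Q_MOD, G = 1019, 2039, 4

def exp(base, e):
    return pow(base, e % P_ORD, Q_MOD)

def keygen(x, y, R, S, T):
    """pk elements (f, h, u, v, w) = (g^x, g^y, f^R, h^S, g^T)."""
    f, h = exp(G, x), exp(G, y)
    return (f, h, exp(f, R), exp(h, S), exp(G, T))

def commit(pk, m, r, s):
    """c = (u^m f^r, v^m h^s, w^m g^(r+s))."""
    f, h, u, v, w = pk
    return (exp(u, m) * exp(f, r) % Q_MOD,
            exp(v, m) * exp(h, s) % Q_MOD,
            exp(w, m) * exp(G, r + s) % Q_MOD)

def mul(c, d):
    """Componentwise product of two commitments (the homomorphism)."""
    return tuple(a * b % Q_MOD for a, b in zip(c, d))

def tag(c, x, y):
    """c3 * c1^(-1/x) * c2^(-1/y) = g^((T-(R+S)) m); needs x and y."""
    c1, c2, c3 = c
    return (c3 * exp(c1, -pow(x, -1, P_ORD))
               * exp(c2, -pow(y, -1, P_ORD))) % Q_MOD

def key_pair(x, y, R, S):
    """Two keys: w = g^(R+S) (trapdoor) and w*g (binding)."""
    pk0 = keygen(x, y, R, S, R + S)
    pk1 = pk0[:4] + (pk0[4] * G % Q_MOD,)
    return pk0, pk1

def check_pair(pk0, pk1):
    """Accept only pairs that differ exactly by w -> w*g."""
    return pk0[:4] == pk1[:4] and pk1[4] == pk0[4] * G % Q_MOD
```

With $T = R+S$ the tag is the identity for every message, so the commitment carries no information about $m$; with $w$ replaced by $wg$ the tag equals $g^m$ and fixes $m$.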
