Perfect Non-interactive Zero-Knowledge for NP

Jens Groth

Rafail Ostrovsky

Amit Sahai

UCLA

Will appear on ePrint archive shortly


Non-Interactive Zero-Knowledge

[Diagram: common reference string σ; circuit C with C(w) = 1; prover P sends proof/argument π to verifier V.]

  • Problems

  • even computational NIZK inefficient

  • no statistical NIZK arguments for NP

  • no UC NIZK arguments for NP


Our contributions

  • Computational NIZK proof for Circuit SAT
      - O(k)-bit common reference string
      - O(|C|k)-bit proofs

  • Perfect NIZK argument for Circuit SAT
      - non-adaptive soundness
      - adaptive soundness (restrictions)

  • Perfect zero-knowledge UC NIZK argument for Circuit SAT


BGN cryptosystem (TCC 2005)

Setup

G group of order $n = pq$, bilinear map $e: G \times G \to G_1$

$pk = (n, G, G_1, e, g, h)$, $\mathrm{ord}(g) = n$, $\mathrm{ord}(h) = q$

Additively homomorphic

$g^{m_1}h^{r_1} \cdot g^{m_2}h^{r_2} = g^{m_1+m_2}h^{r_1+r_2}$

Multiplication-mapping

$e(g^{m_1}h^{r_1}, g^{m_2}h^{r_2}) = e(g,g)^{m_1 m_2}\, e(h, g^{m_1 r_2 + m_2 r_1}h^{r_1 r_2})$

Decision subgroup problem

ord(h) = q or ord(h) = n ?


NIZK proof

NIZK for Circuit SAT (NAND-gates)

BGN-encrypt all wires

NIZK proof 0 or 1 plaintexts

  - $e(c, cg^{-1})$ encrypts 0

NIZK proof encrypted bits respect NAND-gates

Zero-knowledge simulation

ord(g) = ord(h) = n

$g^m h^r$ is perfectly hiding
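
The two kinds of reference string can be compared in a toy group. The following is an added example, not part of the slides: it replaces G by the order-n subgroup of Z_P^* with constructed, insecure parameters and has no bilinear map, so it only shows the homomorphism, decryption when ord(h) = q, and perfect hiding when ord(h) = n. The function names and all parameters are assumptions made for the illustration.

```python
# Added illustration, not from the slides. Toy stand-in for the BGN group G:
# the order-n subgroup of Z_P^*, n = p*q. Constructed parameters, far too
# small for security, and no bilinear map e.
p, q = 11, 13
n = p * q
P = 859                      # prime with n | P - 1 (858 = 6 * 143)

def element_of_order_n():
    """Find g in Z_P^* with ord(g) = n exactly."""
    for x in range(2, P):
        g = pow(x, (P - 1) // n, P)          # lands in the order-n subgroup
        if pow(g, p, P) != 1 and pow(g, q, P) != 1:
            return g
    raise ValueError("no element of order n found")

g = element_of_order_n()
h_binding = pow(g, p, P)     # ord(h) = q: reference string of the NIZK proof
h_hiding = pow(g, 3, P)      # ord(h) = n: simulation / perfect-ZK string

def commit(h, m, r):
    """c = g^m h^r, the BGN ciphertext / commitment from the slides."""
    return pow(g, m, P) * pow(h, r, P) % P

def decrypt(c):
    """With ord(h) = q, c^q = (g^q)^m kills the h^r part; brute-force m mod p."""
    target = pow(c, q, P)
    gq = pow(g, q, P)
    return next(m for m in range(p) if pow(gq, m, P) == target)

def opening_for(h, c, m):
    """Return r with g^m h^r = c, or None if c cannot be opened to m."""
    return next((r for r in range(n) if commit(h, m, r) == c), None)

if __name__ == "__main__":
    c1, c2 = commit(h_binding, 1, 5), commit(h_binding, 0, 9)
    print("homomorphic:", c1 * c2 % P == commit(h_binding, 1, 14))
    print("decrypts to:", decrypt(c1), decrypt(c2))
    print("binding string, open c1 as 0:", opening_for(h_binding, c1, 0))
    c = commit(h_hiding, 1, 5)
    print("hiding string, open c as 0 with r =", opening_for(h_hiding, c, 0))
```

On the ord(h) = q string a commitment to 1 has no opening to 0, while on the ord(h) = n string every commitment opens to either bit, which is what the simulator relies on.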


Perfect zero-knowledge

Perfect NIZK argument

ord(g) = ord(h) = n

Adaptive soundness problem

- C satisfiable on ord(h) = q reference string

- C unsatisfiable on ord(h) = n ref. string

Solution

restrict ourselves to circuits of small size so

$2^{|C|\log|C|} \cdot \mathrm{Adv\text{-}SD}(k)$ is negligible

