Perfect Non-interactive Zero-Knowledge for NP

Jens Groth, Rafail Ostrovsky, Amit Sahai. University of California, Los Angeles.


Presentation Transcript


  1. Perfect Non-interactive Zero-Knowledge for NP. Jens Groth, Rafail Ostrovsky, Amit Sahai. University of California, Los Angeles

  2. Motivation. "I'm a woman." "Prove it!" "OK, I will make a zero-knowledge proof." Circuit C = "I'm a woman"; proof π

  3. Completeness. Diagram: $K(1^k)$ outputs the common reference string; the Prover holds circuit C and witness w so $C(w)=1$ and sends proof π; the Verifier accepts. Perfect completeness: Pr[Accept] = 1

  4. Soundness. Diagram: $K(1^k)$ outputs the common reference string; the Adversary sends an unsatisfiable C and proof π; the Verifier rejects. Perfect soundness: Pr[Reject] = 1

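  5. Zero-knowledge. Diagram: the Simulator runs $S_1(1^k)$ to output a "common reference string" and sk; the Adversary supplies circuit C and witness w; $S_2(crs, sk, C)$ returns proof π; the Adversary outputs 0/1. Computational zero-knowledge: $\Pr[A \to 1 \mid \text{Simulated proofs } (S_1,S_2)] \approx \Pr[A \to 1 \mid \text{Real proofs } (K,P)]$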

  6. State of affairs • Computational NIZK proofs known but not practical. Kilian-Petrank: $O(|C|k^2)$-bit common reference string, $O(|C|k^2)$-bit proofs • Statistical/perfect NIZK arguments not known • No non-interactive UC ZK arguments secure against adaptive adversaries known

  7. Our contributions • NIZK proof for Circuit SAT - Perfect completeness, perfect soundness, perfect proof of knowledge, computational zero-knowledge - $O(k)$-bit common reference string - $O(|C|k)$-bit proofs • Perfect NIZK argument for Circuit SAT - Perfect completeness, computational coNP soundness, perfect zero-knowledge • UC NIZK argument for Circuit SAT with perfect zero-knowledge, secure against adaptive adversaries

  8. Bilinear group of order n. $G, G_1$ cyclic groups of order $n = pq$; $g$ generator for $G$; bilinear map $e: G \times G \to G_1$ with $e(u^a, v^b) = e(u, v)^{ab}$; $e(g, g)$ generates $G_1$. Decision subgroup problem: $\mathrm{ord}(h) = q$ or $\mathrm{ord}(h) = n$?

  9. Boneh-Goh-Nissim cryptosystem. Key generation: $pk = (n, G, G_1, e, g, h)$ with $\mathrm{ord}(g) = n$, $\mathrm{ord}(h) = q$; $sk = (pk, p, q)$. Encryption of $m$, $|m| = O(\log k)$: $E(m; r) = g^m h^r$ where $r \in Z_n$. Decryption: $(g^m h^r)^q = (g^q)^m$; find $m$ by polynomial time exhaustive search

  10. Homomorphic properties. Additively homomorphic: $g^{m_1}h^{r_1} \cdot g^{m_2}h^{r_2} = g^{m_1+m_2}h^{r_1+r_2}$. Multiplication-mapping: $e(g^{m_1}h^{r_1}, g^{m_2}h^{r_2}) = e(g, g)^{m_1 m_2}\, e(h, g^{m_1 r_2 + m_2 r_1}h^{r_1 r_2})$

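  11. NIZK proof for Circuit SAT. Circuit SAT is NP complete. Figure: a circuit of two NAND gates with input wires $w_1, w_2, w_3$; one gate takes $w_1, w_2$ and outputs $w_4$; the other takes $w_4, w_3$ and outputs 1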

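  12. NIZK proof for Circuit SAT. Figure: the same circuit with the wires encrypted as $g^{w_1}h^{r_1}$, $g^{w_2}h^{r_2}$, $g^{w_3}h^{r_3}$, $g^{w_4}h^{r_4}$ and output $g^1$. NIZK proof $c_1$ encrypts 0 or 1; NIZK proof $c_2$ encrypts 0 or 1; NIZK proof $c_3$ encrypts 0 or 1; NIZK proof $c_4$ encrypts 0 or 1; NIZK proof $w_4 = \neg(w_1 \wedge w_2)$; NIZK proof $1 = \neg(w_4 \wedge w_3)$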

  13. NIZK proof for encryption of 0 or 1. Wish to prove $c$ encrypts 0 or 1. Write $c = g^m h^r$ ($m$ uniquely determined mod $p$). $e(c, g^{-1}c) = e(g^m h^r, g^{m-1}h^r) = e(g, g)^{m(m-1)}\, e(h^r, g^{2m-1}h^r)$ has order $q$ if and only if $m = 0 \bmod p$ or $m = 1 \bmod p$. We wish to prove $e(c, g^{-1}c)$ has order $q$

  14. NIZK proof for encryption of 0 or 1. Prover chooses $s \in Z_n^*$. $e(c, g^{-1}c) = e(g^m h^r, g^{m-1}h^r) = e(h^r, g^{2m-1}h^r) = e(h^s, (g^{2m-1}h^r)^{r/s})$. Reveal $\pi = (\pi_1, \pi_2, \pi_3)$ with $\pi_1 = h^s$, $\pi_2 = (g^{2m-1}h^r)^{r/s}$, $\pi_3 = g^s$. Verifier checks $e(\pi_1, g) = e(h, \pi_3)$ and $e(c, g^{-1}c) = e(\pi_1, \pi_2)$

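  15. NIZK proof for encryption of 0 or 1. Perfect soundness: $h$ has order $q$ $\Rightarrow$ $e(h, \pi_3)$ has order $q$; $e(\pi_1, g) = e(h, \pi_3)$ $\Rightarrow$ $e(\pi_1, g)$ has order $q$ $\Rightarrow$ $\pi_1$ has order $q$ $\Rightarrow$ $e(\pi_1, \pi_2)$ has order $q$; $e(c, g^{-1}c) = e(\pi_1, \pi_2)$ $\Rightarrow$ $e(c, g^{-1}c)$ has order $q$ $\Rightarrow$ $m = 0 \bmod p$ or $m = 1 \bmod p$. Computational zero-knowledge: $\mathrm{ord}(h) = n$, $g = h^{\gamma}$, simulation key: $\gamma$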

  16. NIZK proof for NAND-gate. Given $c_0, c_1, c_2$ ciphertexts containing bits $b_0, b_1, b_2$, wish to prove $b_2 = \neg(b_0 \wedge b_1)$. $b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0,1\}$. Make NIZK proof for $c_0 c_1 c_2^2 g^{-2}$ encrypting 0 or 1

  17. NIZK proof for Circuit SAT • Encrypt all wires $w_i$ as $c_i = g^{w_i}h^{r_i}$ • For each $i$ make NIZK proof that $c_i$ contains 0 or 1 • For each NAND-gate make NIZK proof that $c_0 c_1 c_2^2 g^{-2}$ contains 0 or 1. Properties: perfect completeness; perfect soundness; computational zero-knowledge; perfect knowledge extraction (decrypt ciphertexts)

  18. Perfect NIZK. Common reference string $(g, h)$: choose $g, h$ so $\mathrm{ord}(g) = \mathrm{ord}(h) = n$. Perfect completeness. Perfect zero-knowledge: ciphertexts $c_i$ are perfectly hiding commitments; NIZK argument for 0/1 plaintexts is perfect ZK

  19. Adaptive coNP soundness. Diagram: $K(1^k)$ outputs the common reference string; the Adversary outputs $C$, $w_{co}$ and proof π; the Verifier rejects. $w_{co}$ is a witness for $C$ being unsatisfiable. Computational coNP soundness: Pr[Reject] ≈ 1

  20. $F_{NIZK}$. On (prove, C, w) → (proof, π): if C(w)=1, give C to S and get π; store (C,π). On (verify, C, π) → (verification, 0/1): if (C,π) not stored, give (C,π) to S and get w; if C(w)=1, store (C,π). Return 1 if (C,π) stored

  21. UC NIZK. There exists a non-interactive protocol UC NIZK such that • UC NIZK securely realizes $F_{NIZK}$ against adaptive adversaries in the common reference string model • UC NIZK is perfect zero-knowledge

  22. Conclusion New technique for NIZK proofs 1. Very efficient NIZK proofs with perfect soundness 2. First construction of perfect zero-knowledge NIZK argument with coNP soundness 3. First construction of UC NIZK argument secure against adaptive adversaries
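
Added example (not from the slides or the authors' code): the 0/1 proof of slides 13 to 15 and the NAND and circuit composition of slides 16 and 17, run on the circuit of slide 11 in a toy model where every group element is stored as its discrete log mod n. The model, the small primes, the sample witness and all function names are assumptions for illustration; the model checks the algebra only and hides nothing.

```python
# Toy "in the exponent" model (constructed, NOT secure): g^a is stored as a mod n,
# so multiplying group elements is addition and e(g^a, g^b) is a*b mod n.
import math, secrets

P, Q = 1009, 1013                 # constructed toy primes; n = pq
N = P * Q
G = 1                             # g, ord(g) = n
H = (5 * P) % N                   # h, ord(h) = q (the perfectly sound CRS)

def pair(u, v):                   # bilinear map e
    return (u * v) % N

def enc(m, r):                    # E(m; r) = g^m h^r
    return (m * G + r * H) % N

def dec(c):                       # c^q = (g^q)^m, then search the small m
    return next(m for m in range(P) if (Q * c - Q * m * G) % N == 0)

def prove_bit(m, r):              # pi = (h^s, (g^(2m-1) h^r)^(r/s), g^s)
    s = secrets.randbelow(N - 1) + 1
    while math.gcd(s, N) != 1:    # s must lie in Z_n^* so r/s exists
        s = secrets.randbelow(N - 1) + 1
    t = r * pow(s, -1, N)
    return (s * H % N, t * ((2 * m - 1) * G + r * H) % N, s * G % N)

def verify_bit(c, pi):            # e(pi1,g) = e(h,pi3) and e(c, g^-1 c) = e(pi1,pi2)
    return pair(pi[0], G) == pair(H, pi[2]) and pair(c, c - G) == pair(pi[0], pi[1])

def nand_ct(c0, c1, c2):          # c0 * c1 * c2^2 * g^-2
    return (c0 + c1 + 2 * c2 - 2 * G) % N

def prove_circuit(w, gates, out):
    """w: wire name -> bit; gates: (in0, in1, out) NAND triples; out: output wire."""
    r = {k: 0 if k == out else secrets.randbelow(N) for k in w}  # output is g^1
    c = {k: enc(w[k], r[k]) for k in w}
    bits = {k: prove_bit(w[k], r[k]) for k in w}
    nands = [prove_bit(w[a] + w[b] + 2 * w[o] - 2, r[a] + r[b] + 2 * r[o])
             for a, b, o in gates]
    return c, bits, nands

def verify_circuit(proof, gates, out):
    c, bits, nands = proof
    return (c[out] == G and all(verify_bit(c[k], bits[k]) for k in c)
            and all(verify_bit(nand_ct(c[a], c[b], c[o]), pf)
                    for (a, b, o), pf in zip(gates, nands)))

# Circuit from slide 11: w4 = NAND(w1, w2), out = NAND(w4, w3), out must be 1.
GATES = [("w1", "w2", "w4"), ("w4", "w3", "out")]
WITNESS = {"w1": 1, "w2": 1, "w3": 1, "w4": 0, "out": 1}   # constructed sample
```

In this model an element of $G_1$ has order dividing $q$ exactly when its stored value is a multiple of $p$, so the soundness argument of slide 15 reduces to checking that `pair(c, c - G) % P` is zero only for plaintexts 0 and 1.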
