1 / 34

Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs

Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs. Jens Groth University College London. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A A A A A A. Non-interactive zero-knowledge proof.

avon
Download Presentation

Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA

  2. Non-interactive zero-knowledge proof Common reference string: 0100…11010 (x,w)RL Statement: xL Proof:  Zero-knowledge: Nothing but truth revealed Soundness: Statement is true Prover Verifier

  3. Non-interactive zero-knowledge proofs Adaptive soundness:Adversary sees CRS before attempting to cheat with false (C,) • Statement C is satisfiable circuit • Perfect completeness • Statistical soundness • Computational zero-knowledge • Uniformly random common reference string • Efficient prover – probabilistic polynomial time • Deterministic polynomial time verifier

  4. Our results • Security level: 2-k • Trapdoor perm size: kT = poly(k) • Circuit size: |C| = poly(k) • Witness size: |w|  |C|

  5. Encrypted random bits Statement: xL CRS (x,w)RL Epk(0;r1) c1 01...0 c1 Epk(1;r2) c2 11…1 1 ; r2 Epk(0;r3) c3 00…1 c3 K(1k)  (pk,sk) Epk(1;r4) c4 10…0 0 ; r4

  6. Hidden random string - soundness Statement: xL (x,w)RL 0 1 0 1

  7. Hidden random string – zero-knowledge Statement: xL 0 1

  8. Using hidden random bits for NIZK Probably hidden pairs are 00 and 11 • Random bits not useful; need bits with structure • Use statistical sampling to get “good” blocks 10 11 00 01

  9. Statements || = O(|C|)

  10. Idea in Kilian-Petrank Zero-knowledge:Does ?1 correspond to T = 01 or F = 11? • Interpret pairs of bits as truth values • T = {01,10} F = {00,11} T 10 ?0 Soundness:F can only be opened one way F 11 1? F 00 0? Completeness:T can be opened as 0 or 1 T 01 ?1

  11. Completeness Reveal: ?0  1?  ?1 = 0 10  11  11 T  F  F

  12. Soundness • If not a satisfying assignment there is a clause where all literals are false • x1 x2  x3 gives F  F  F • There is 50% chance to catch a cheating prover • 11, 00, 00 has no opening to XOR = 0 so prover caught • 11, 00, 11 can be opened to XOR = 0 so prover lucky • Will use repetition to decrease prover’s chance

  13. Consistency problem • Cannot let prover designate truth-value pairs to literals because a cheating prover might choose an inconsistent assignment • Need to ensure prover chooses correct and consistent assignment

  14. I see many bad blocks. Statistically the remaining hidden blocks are good. Consistency • Interpret 12-blocks of bits as 6 truth values • Good block = TTTFFF or FFFTTT TTTFFF FTFTFF FFFTTT FTFFTF

  15. Consistency • Divide hidden random bit-string into 12-bit blocks • Call a block of 6 truth-value pairs for good if it is of one of these two forms TTTFFF or FFFTTT • Prover reveals all bits associated with bad blocks such that only good blocks remain

  16. Using blocks Unrevealed bit-pair shows positive/negative literals for variable x1 = F x2 = T x3 = F x4 = F • Remaining good blocks 10? 011 TTT FFF TT? FFF 01? 110 FFF TTT FF? TTT 111 10? FFF TTT FFF TT? Negative literals Positive literals 01? 110 TTT FFF TT? FFF

  17. Using blocks • After discarding bad blocks the remaining hidden blocks are statistically speaking mostly good • We assign each block to a variable xi in a deterministic way • Each block has 6 truth-values TTTFFF or FFFTTT • If xi = T reveal 5 bits in TTTFF? or FF?TTT • If xi = F reveal 5 bits in TT?FFF or FFFTT? • Revelations correspond to 5 appearances xi, xi, xi, xi, xi • The last unrevealed truth-value uniquely determines the assignment of truth-values to literals • The verifier now checks all clauses XOR to 0

  18. Soundness • The prover has several degrees of freedom • Can choose which false statement to prove • Can choose the public key for the encryption scheme, each one of which will give different hidden random bits • Can choose the truth-value assignment • May leave a few bad blocks unrevealed • Use repetition to lower risk of cheating • Instead of revealing single bits for each literal we will reveal several bit-strings and in each clause all bit-strings most XOR to 0 • Statistical analysis shows with sufficient repetition a prover has negligible chance of cheating

  19. Two new techniques • More efficient use of hidden random bits • Kilian-Petrank: |C|∙k∙(log(k)) hidden random bits • This work: |C|∙polylog(k) hidden random bits • More efficient implementation of hidden bits • Trapdoor permutations: kT = poly(k) bits per hidden random bit • Naccache-Stern encryption: O(log k) bits per hidden random bit

  20. Traditional proofs I’d better read it very carefully Proof: The statement is true because bla bla bla bla bla bla bla bla. QED Statement: xL (x,w)RL

  21. Probabilistically checkable proofs Proof: The statement is true because bla bla bla bla bla bla bla bla. QED Ok, let me spot check in random places Statement: xL (x,w)RL

  22. Satisfiability of 3SAT5 formula

  23. Satisfiability of gap-3SAT5 formula

  24. Witness-preserving assignment tester • Polynomial time algorithms f, fw: f: C    belongs to gap-3SAT5 fw: w  x if C(w)=1 then (x)=1 • With the most efficient probabilistically checkable proofs (Dinur 07 combined with BenSasson-Sudan 08) we have || = |C| polylog(k)

  25. Strategy • Want to prove C is satisfiable • Compute  = f(C) and prove that it is satisfiable using Kilian-Petrank techniques from before • With the most efficient assignment testers we have || = |C| polylog(k) so statement is larger • However, since  allows for a constant fraction of “errors” less repetition is needed to make the overall soundness error negligible • It is ok if the prover cheats on some clauses as long as cannot cheat on a constant fraction

  26. Remarks • Probabilistically checkable proofs have been used in interactive zero-knowledge proofs • Prover commits to PCP • Verifier chooses at random some parts to check • Prover opens and reveals those parts of the PCP • We are using PCPs in a different way • The verifier will check all parts of the PCP • The checks have a small error probability • But unlikely that prover can cheat on a constant fraction

  27. Implementing the hidden random bits model Statement: xL CRS (x,w)RL Epk(0;r1) c1 01...0 c1 Epk(1;r2) c2 11…1 1 ; r2 Epk(0;r3) c3 00…1 c3 K(1k)  (pk,sk) Epk(1;r4) c4 10…0 0 ; r4

  28. Naccache-Stern encryption • pk = (M,P,g) sk = (M) • M is an RSA modulus • P = p1p2…pd where p1,…,pd are O(log k) bit primes • P | ord(g) = (M)/4 and |P| = (|M|) • Epk(m;r) = gmrP mod M • Dsk(c): For each pi compute m mod pi c(M)/pi = (gmrP)(M)/pi = (gm(M)/pi)(r(M)P/pi) = (g(M)/pi)mChinese remainder gives us m mod P

  29. Naccache-Stern implementation of hidden bits Statement: xL CRS 0 if m mod pi even 1 if m mod pi odd  if m mod pi is -1 (x,w)RL ?1? ; 1 Epk(010;r1) c1 01...0 10? ; 2 Epk(101;r2) c2 11…1 ??1 ; 3 Epk(011;r3) c3 00…1 K(1k)  (pk,sk) ??? ; 4 Epk(110;r4) 10…0 c4

  30. Revealing part of Naccache-Stern plaintext • Ciphertext c = gmrP • How to prove that m = x mod pi? • Prover reveals  such that P = (cg-x)P/pi • We can raise both sides to (M)/P • Gives us (M) = (gm-xrP)(M)/pi = (g(M)/pi)m-x • Implies 1 = (g(M)/pi)m-x • Since the order of (g(M)/pi) is pi this shows m = x mod pi

  31. Revealing part of Naccache-Stern plaintext • Ciphertext c = gmrP • How to prove that m = x mod pi? • Prover reveals  such that P = (cg-x)P/pi • Can compute the proof as  = (cg-x)(P-1 mod (M)/P)P/pi • Can randomize proof by multiplying with s(M)/P • Generalizes to reveal m = x mod iSpi with a proof consisting of one group element

  32. Zero-knowledge • Simulator sets up pk = (M,P,g) such that ord(g) = (M)/4P and g = hP mod M • Simulator also sets up the CRS such that it contains ciphertexts of the form c = sP mod M • For any m  ZP we can compute r = h-ms mod M such that sP = gm(g-m)sP = gmh-mPsP = gmrP mod M • This means the simulator can open each ciphertext to arbitrary hidden bits using  = r

  33. Final step – showing the key is valid • The public key is pk = (M,P,g) • The verifier can easily check P is a product of small primes p1,…,pd • But needs to be convinced M and g are ok • Can do this with trapdoor permutation based NIZK • Statement is small so it does not affect total cost • Trapdoor permutations implied by Naccache-Stern • So we use a small seeder NIZK to build large scale NIZK from Naccache-Stern encryption

  34. Summary • Technique 1: Reduce soundness error with probabilistically checkable proofs • Technique 2: Implement hidden random bit string with Naccache-Stern encryption

More Related