1 / 15

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations. Prastudy Fauzi , Helger Lipmaa, Bingsheng Zhang University of Tartu, University of Tartu, University of Athens, . Motivation: Secure Computation. Add NIZK proof. pk. E(x1),…,E( xn ). Ok if (x1,…, xn ) S.

morse
Download Presentation

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Efficient Non-Interactive Zero Knowledge Argumentsfor Set Operations PrastudyFauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of Tartu, University of Athens,

  2. Motivation: Secure Computation Add NIZK proof pk E(x1),…,E(xn) Ok if (x1,…,xn)S E(f(x1,…,xn))

  3. Motivation: Secure Computation (2) Add NIZK proof pk E(S) Ok if ST E(f(S)) E(T) E(g(T))

  4. Proofs for Set Operations • Encrypted inputs satisfy certain set relations => security against malicious adversaries • Or even multiset relations • …

  5. Non-Interactive Zero-Knowledge Proofs pk E(x1),…,E(xn) Proof of Correctness Proof can be constructed without knowing inputs Contradiction? Complete Sound Zero-Knowledge

  6. Common Reference String Model td E(x1),…,E(xn) pk,sk crs Proof of Correctness

  7. Our results • NIZK proof for one particular multiset operation • (PMSET) • Applications to other (multi)set operations • Non-interactive • No random oracle • Efficient

  8. Cryptographic Building Block: Pairings • Bilinear operation • e(f1+f2,f3) = e(f1,f3) + e(f2,f3) • e(f1,f2+f3) = e(f1,f2) + e(f1,f3) • With Hardness Assumptions • Given e(f1,f2), it is hard to compute f1 • … • Much wow

  9. Commitments We use a concrete succinct commitment scheme from 2013

  10. Multiset Commitment Too costly!

  11. Multiset Commitment • S => • polynomial that has S as null-set • Including multiplicities • => • is secret key

  12. Main Idea iff • Commitments are randomized • Proof = a crib E that compensates for randomness • Enables to perform verification on commitments

  13. Additional Obstacles • Soundness: • We use knowledge assumptions • Guarantee that proverknows committed values • Common in succinct NIZK construction • [Gentry Wichs 2011]: also necessary • Zero Knowledge: • Simulator needs to create proof for given commitments • Not created by simulator • We let prover to create new random commitments for all sets • Add a NIZK proof of correctness • Simulator creates fake commitments • Uses trapdoor to simulate

  14. Applications • Mostly use very simple set arithmetic • Is-a-Sub(multi)set: • iff exists C such that • Is-a-Set: • MultisetA is a set if for universal set U • In many applications, U is small • Set-Intersection-And-Union: • and iff , ,and A, B, and D are sets • See paper for more…

More Related