1 / 27

New Techniques for NIZK

New Techniques for NIZK. Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles. Motivation. OK, I will make a zero-knowledge proof. I’m a woman. Prove it!. Circuit C = ”I’m a woman” Proof π. Completeness. Circuit C. Witness w so C(w)=1. Proof π. K(1 k ).

viho
Download Presentation

New Techniques for NIZK

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles

  2. Motivation OK, I will make a zero-knowledge proof I’m a woman. Prove it! Circuit C = ”I’m a woman” Proof π

  3. Completeness Circuit C Witness wso C(w)=1 Proof π K(1k) Common reference string Accept Prover Verifier Perfect completeness: Pr[Accept] = 1

  4. Soundness Unsatisfiable CProof π K(1k) Common reference string Reject Adversary Verifier Perfect soundness: Pr[Reject] = 1

  5. Proof π Zero-knowledge S1(1k) ”Common reference string” sk Circuit CWitness w S2(crs, sk, C) 0/1 Simulator Adversary Computational zero-knowledge: Pr[A1|Simulated proofs (S1,S2)] ≈ Pr[A1|Real proofs (K,P)]

  6. NIZK proof for Circuit SAT 1 NAND Circuit SAT is NP complete w4 NAND w1 w2 w3

  7. Homomorphic proof commitment Two types of indistinguishable public keys: • Perfect trapdoor (pk, tk) ← Khiding(1k) • Perfect binding pk ← Kbinding(1k) Homomorphic Message space size at least 4 (3 also ok) Witness indistinguishable proof that commitment contains 0 or 1 • Perfect soundness on perfect binding key • Perfect WI on perfect trapdoor key

  8. Bilinear group of order n G, GT cyclic groups of order n = pq g generator for G bilinear map e: G  G  GT e(ua, vb) = e(u, v)ab e(g, g) generates GT Decision subgroup problem ord(h) = q or ord(h) = n ?

  9. BGN-based commitment Perfect binding key: ord(g) = n, ord(h) = q Perfect hiding key: ord(g) = ord(h) = n and g=hx Commitment: Com(m; r) = gmhr where r  Zn Homomorphic: gm+Mhr+R = gmhr gMhR

  10. WI proof for commit to 0 or 1 Wish to prove c commitment to 0 or 1 Write c = gmhr (m mod p unique if h order q) e(c, g-1c) = e(gmhr, gm-1hr) = e(g, g)m(m-1) e(hr, g2m-1hr) = e(h, (g2m-1hr)r ) = e(h,π) Proof is: π = (g2m-1hr)r Soundness when h has order q: e(g, g)m(m-1) e(hr, g2m-1hr) = e(h,π) so m = 0,1 mod p Witness indistinguishability when h has order n:Unique π so e(c, g-1c) = e(h,π)

  11. NIZK proof for Circuit SAT com(1) WI proof c1 commit to 0 or 1 WI proof c2 commit to 0 or 1 WI proof c3 commit to 0 or 1 WI proof c4 commit to 0 or 1 WI proof w4 = (w1w2) WI proof 1 = (w4w3) NAND c4 = com(w4) NAND c1 = com(w1) c3 = com(w3) c2 = com(w2)

  12. WI proof for NAND-gate Given c0, c1, c2 commitments containing bits b0, b1, b2 wish to prove b2 = (b0b1) b2 = (b0b1) if and only if b0 + b1 + 2b2 - 2  {0,1} WI proof c0c1c22com(-2) commitment to 0 or 1

  13. NIZK proof for Circuit SAT • Commit to all wires wi as ci = com(wi) • For each i make WI proof that ci contains 0 or 1 • For each NAND-gate make WI proof that c0c1c22com(-2) contains 0 or 1 Perfect completeness Perfect binding key - perfect soundness Perfect trapdoor key - perfect zero-knowledge

  14. Perfect NIZK on perfect trapdoor key Simulation: Make trapdoor commitments Trapdoor-open relevant commitments to 0 and WI prove Proof that simulation works on C with w so C(w)=1: Can trapdoor-open commitments to wi’s and WI prove By perfect witness-indistinguishability of the WI proofs indistinguishable from simulation Can from the start make commitments to wi’s By perfect hiding of the commitments indistinguishable from previous method Corresponds to real proof on trapdoor key

  15. First result Use Kbinding to generate pk NIZK proof with perfect completeness perfect soundness computational ZK CRS size: O(k) bits Proof size: O(|C|k) bits Compare with: O(|C|k2) proofs [KP]

  16. Second result Use Khiding to generate pk NIZK argument with perfect completeness computational co-soundness perfect zero-knowledge CRS size: O(k) bits Proof size: O(|C|k) bits Compare with: None

  17. Adaptive co-soundness C, wcoProof π Khiding common reference string Reject wco witness for C unsatisfiable Computational co-soundness: Pr[Reject] ≈ 1

  18. Third result Protocol: Non-interactive Statistical ZK UC NIZK proof secure against adaptive adversary Compare with: Interactive UC ZK proofs [DN, CLOS] UC NIZK proofs secure against non- adaptive adversary [DDOPS]

  19. Non-interactive zaps for Circuit SAT • No common reference string • Perfect completeness:(C, w) so C(w)=1 π← P(1k, C, w) : V(1k, C , π)=1 • Perfect soundness:(C, π) with C unsatisfiable V(1k, C, π)=0 • Computational witness-indistinguishability:(C, w0, w1) so C(w0)=1 and C(w1)=1 P(1k, C, w0) ≈ P(1k, C, w1)

  20. Non-interactive zaps Naïve idea: Prover chooses public key and makes NIZK proof Problem: Can choose trapdoor key and prove anything Better idea: Prover chooses two public keys and makes an NIZK proof with each of them Makes choice so: One is trapdoor, one is perfect binding Verifiable that at least one key is perfect binding Verifier cannot tell which key is trapdoor

  21. Witness-indistinguishability • Circuit C and two witnesses w0, w1 • Generate pk0 perfect trapdoor and pk1 perfect binding • NIZK proof using w0 on pk0 NIZK proof using w0 on pk1 • Simulate proof on trapdoor pk0 NIZK proof using w0 on pk1 • NIZK proof using w1 on pk0 NIZK proof using w0 on pk1 • Switch to pk0 perfect binding and pk1 perfect trapdoor • NIZK proof using w1 on pk0 Simulate proof on trapdoor pk1 • NIZK proof using w1 on pk0 NIZK proof using w1 on pk1 • Switch back to pk0 perfect trapdoor and pk1 perfect binding

  22. Fourth result Use verifiable pairs of public keys At least one of two keys is perfect binding The other is trapdoor Indistinguishable which one is trapdoor Non-interactive ZAP Proof size O(|C|k) bits Compare with: 2-move zaps [DN] Non-interactive zaps [BOV] huge proofs, non-standard assumption

  23. Bilinear groups G, GT cyclic groups of prime order p g generator for G bilinear map e: G  G  GT e(ga, gb) = e(g, g)ab e(g, g) generator for GT Decisional linear problem [BBS] f, h, g, u = fR, v = hS, w = gT T = R+S or T random ?

  24. Commitment scheme Public key f = gx, h = gy, u = fR, v = hS, w = gT pk = (p, G, GT, e, g, f, h, u, v, w) Commitment to m  Zp c = (umfr, vmhs, wmgr+s) Perfect hiding trapdoor if T = R+S = (fmR+r, hmS+s, gm(R+S)+r+s)

  25. Commitment scheme Commitment to m  Zp c = (umfr, vmhs, wmgr+s) Perfect binding if T ≠ R+S = (c1, c2, c3) because c3c2-1/xc1-1/y = (wu-1/xv-1/y)m = g(T/(R+S))m uniquely defines m

  26. Commitment scheme Commitment to m  Zp c = (umfr, vmhs, wmgr+s) Homomorphic (umfr, vmhs, wmgr+s) (uMfR, vMhS, wMgR+S) = (um+Mfr+R, vm+Mhs+S, wm+Mgr+R+s+S) Witness indistinguishable proof of commitment to message 0 or 1 - Perfect sound on perfect binding key - Perfect WI on perfect trapdoor key

  27. Choosing two keys Elliptic curve E: y2 = x3 +1 mod q, where q smallest suitable prime so E has order p subgroup. Easy to verify p is prime, p defines (G, GT, e), easy to verify that g is order p point on curve. Choose x,y ←Zp*, R,S ← Zp and set f = gx, h = gy, u = fR, v = hS, w = gR+S Output two public keys (p, G, GT, e, g, f, h, u, v, w) (p, G, GT, e, g, f, h, u, v, wg) At least one must be perfectly binding, but by decisional linear assumption hard to tell which one

More Related