1. Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of Tartu, University of Athens,

2. Motivation: Secure Computation E(x1),…,E(xn) E(f(x1,…,xn)) Add NIZK proof pk

3. Motivation: Secure Computation (2) E(S) E(f(S)) E(T) E(g(T)) Add NIZK proof pk

4. Proofs for Set Operations

5. Non-Interactive Zero-Knowledge Proofs E(x1),…,E(xn) Proof of Correctness CompleteSoundZero-Knowledge Proof can be constructed without knowing inputs Contradiction? pk

6. Common Reference String Model E(x1),…,E(xn) Proof of Correctness pk,sk crs td

7. Our results CRS lengthProof lengthProver comp.Verifier comp. Θ(|S|)Θ(1)Θ(|S|)Θ(1)

8. Cryptographic Building Block: Pairings ›Bilinear operation –e(f1+f2,f3) = e(f1,f3) + e(f2,f3) –e(f1,f2+f3) = e(f1,f2) + e(f1,f3) ›With Hardness Assumptions –Given e(f1,f2), it is hard to compute f1 –…–… ›Much wow

9. Commitments We use a concrete succinct commitment scheme from 2013

10. Multiset Commitment Too costly!

11. Multiset Commitment

12. Main Idea iff Commitments are randomized Proof = a crib E that compensates for randomness Enables to perform verification on commitments

13. Additional Obstacles ›Soundness: –We use knowledge assumptions ›Guarantee that prover knows committed values –Common in succinct NIZK construction –[Gentry Wichs 2011]: also necessary ›Zero Knowledge: –Simulator needs to create proof for given commitments ›Not created by simulator –We let prover to create new random commitments for all sets ›Add a NIZK proof of correctness –Simulator creates fake commitments ›Uses trapdoor to simulate

14. Applications