Download presentation

Presentation is loading. Please wait.

Published byAdrian Yeaw Modified about 1 year ago

1
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of Tartu, University of Athens,

2
Motivation: Secure Computation E(x1),…,E(xn) E(f(x1,…,xn)) Add NIZK proof pk

3
Motivation: Secure Computation (2) E(S) E(f(S)) E(T) E(g(T)) Add NIZK proof pk

4
Proofs for Set Operations

5
Non-Interactive Zero-Knowledge Proofs E(x1),…,E(xn) Proof of Correctness CompleteSoundZero-Knowledge Proof can be constructed without knowing inputs Contradiction? pk

6
Common Reference String Model E(x1),…,E(xn) Proof of Correctness pk,sk crs td

7
Our results CRS lengthProof lengthProver comp.Verifier comp. Θ(|S|)Θ(1)Θ(|S|)Θ(1)

8
Cryptographic Building Block: Pairings ›Bilinear operation –e(f1+f2,f3) = e(f1,f3) + e(f2,f3) –e(f1,f2+f3) = e(f1,f2) + e(f1,f3) ›With Hardness Assumptions –Given e(f1,f2), it is hard to compute f1 –…–… ›Much wow

9
Commitments We use a concrete succinct commitment scheme from 2013

10
Multiset Commitment Too costly!

11
Multiset Commitment

12
Main Idea iff Commitments are randomized Proof = a crib E that compensates for randomness Enables to perform verification on commitments

13
Additional Obstacles ›Soundness: –We use knowledge assumptions ›Guarantee that prover knows committed values –Common in succinct NIZK construction –[Gentry Wichs 2011]: also necessary ›Zero Knowledge: –Simulator needs to create proof for given commitments ›Not created by simulator –We let prover to create new random commitments for all sets ›Add a NIZK proof of correctness –Simulator creates fake commitments ›Uses trapdoor to simulate

14
Applications

15

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google