# Perfect Non-interactive Zero-Knowledge for NP

Jens Groth, Rafail Ostrovsky, Amit Sahai (University of California, Los Angeles)

## Motivation

"I'm a woman." "Prove it!" "OK, I will make a zero-knowledge proof."

Circuit $C$ = "I'm a woman"; proof $\pi$.

## Completeness

$K(1^k)$ outputs the common reference string. Given a circuit $C$ and a witness $w$ with $C(w) = 1$, the prover sends a proof $\pi$ and the verifier accepts.

Perfect completeness: $\Pr[\text{Accept}] = 1$.

## Soundness

$K(1^k)$ outputs the common reference string. For an unsatisfiable circuit $C$, whatever proof $\pi$ the adversary sends, the verifier rejects.

Perfect soundness: $\Pr[\text{Reject}] = 1$.

## Zero-knowledge

$S_1(1^k)$ outputs a simulated "common reference string" together with a simulation key $sk$. The adversary chooses a circuit $C$ and a witness $w$; the proof $\pi$ is produced by $S_2(crs, sk, C)$, which never sees $w$, and the adversary outputs 0 or 1.

Computational zero-knowledge: $\Pr[A \to 1 \mid \text{simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{real proofs } (K, P)]$.

## State of affairs

- Computational NIZK proofs are known but not practical; Kilian and Petrank need an $O(|C|k^2)$-bit common reference string and $O(|C|k^2)$-bit proofs.
- Statistical/perfect NIZK arguments are not known.
- No non-interactive UC ZK arguments secure against adaptive adversaries are known.

## Our contributions

- NIZK proof for Circuit SAT: perfect completeness, perfect soundness, perfect proof of knowledge, computational zero-knowledge; $O(k)$-bit common reference string; $O(|C|k)$-bit proofs.
- Perfect NIZK argument for Circuit SAT: perfect completeness, computational coNP soundness, perfect zero-knowledge.
- UC NIZK argument for Circuit SAT with perfect zero-knowledge, secure against adaptive adversaries.

## Bilinear group of order $n$

$G$, $G_1$ are cyclic groups of order $n = pq$ and $g$ is a generator of $G$. The bilinear map $e: G \times G \to G_1$ satisfies $e(u^a, v^b) = e(u, v)^{ab}$, and $e(g, g)$ generates $G_1$.

Decision subgroup problem: given $h \in G$, is $\mathrm{ord}(h) = q$ or $\mathrm{ord}(h) = n$?

## Boneh-Goh-Nissim cryptosystem

Key generation: $pk = (n, G, G_1, e, g, h)$ with $\mathrm{ord}(g) = n$ and $\mathrm{ord}(h) = q$; $sk = (pk, p, q)$.

Encryption of $m$ with $|m| = O(\log k)$: $E(m; r) = g^m h^r$ where $r \leftarrow \mathbb{Z}_n$.

Decryption: $(g^m h^r)^q = (g^q)^m$; find $m$ by polynomial-time exhaustive search over the small message space.

## Homomorphic properties

Additively homomorphic: $g^{m_1}h^{r_1} \cdot g^{m_2}h^{r_2} = g^{m_1+m_2}h^{r_1+r_2}$.

Multiplication mapping: $e(g^{m_1}h^{r_1}, g^{m_2}h^{r_2}) = e(g, g)^{m_1 m_2} \cdot e(h, g^{m_1 r_2 + m_2 r_1} h^{r_1 r_2})$.

## NIZK proof for Circuit SAT

Circuit SAT is NP-complete. Running example: a circuit of NAND gates with input wires $w_1, w_2, w_3$, an internal wire $w_4 = \neg(w_1 \wedge w_2)$, and output $1 = \neg(w_4 \wedge w_3)$.

## NIZK proof for Circuit SAT

Encrypt the wires: $c_1 = g^{w_1}h^{r_1}$, $c_2 = g^{w_2}h^{r_2}$, $c_3 = g^{w_3}h^{r_3}$, $c_4 = g^{w_4}h^{r_4}$; the output wire is the fixed ciphertext $g^1$. Attach NIZK proofs that each of $c_1, c_2, c_3, c_4$ encrypts 0 or 1, a NIZK proof that $w_4 = \neg(w_1 \wedge w_2)$, and a NIZK proof that $1 = \neg(w_4 \wedge w_3)$.

## NIZK proof for encryption of 0 or 1

We wish to prove that $c$ encrypts 0 or 1. Write $c = g^m h^r$ ($m$ is uniquely determined mod $p$). Then

$e(c, g^{-1}c) = e(g^m h^r, g^{m-1}h^r) = e(g, g)^{m(m-1)} \cdot e(h^r, g^{2m-1}h^r)$,

which has order $q$ if and only if $m = 0 \bmod p$ or $m = 1 \bmod p$. So we wish to prove that $e(c, g^{-1}c)$ has order $q$.

## NIZK proof for encryption of 0 or 1

The prover chooses $s \leftarrow \mathbb{Z}_n^*$. For $m \in \{0, 1\}$ the factor $e(g, g)^{m(m-1)}$ is trivial, so

$e(c, g^{-1}c) = e(g^m h^r, g^{m-1}h^r) = e(h^r, g^{2m-1}h^r) = e(h^s, (g^{2m-1}h^r)^{r/s})$.

Reveal $\pi = (\pi_1, \pi_2, \pi_3)$ with $\pi_1 = h^s$, $\pi_2 = (g^{2m-1}h^r)^{r/s}$, $\pi_3 = g^s$.

The verifier checks $e(\pi_1, g) = e(h, \pi_3)$ and $e(c, g^{-1}c) = e(\pi_1, \pi_2)$.

## NIZK proof for encryption of 0 or 1

Perfect soundness:

- $h$ has order $q$ $\Rightarrow$ $e(h, \pi_3)$ has order $q$.
- $e(\pi_1, g) = e(h, \pi_3)$ $\Rightarrow$ $e(\pi_1, g)$ has order $q$ $\Rightarrow$ $\pi_1$ has order $q$ $\Rightarrow$ $e(\pi_1, \pi_2)$ has order $q$.
- $e(c, g^{-1}c) = e(\pi_1, \pi_2)$ $\Rightarrow$ $e(c, g^{-1}c)$ has order $q$ $\Rightarrow$ $m = 0 \bmod p$ or $m = 1 \bmod p$.

Computational zero-knowledge: the simulator uses a CRS with $\mathrm{ord}(h) = n$ and $g = h^\gamma$; the simulation key is $\gamma$.

## NIZK proof for NAND-gate

Given ciphertexts $c_0, c_1, c_2$ containing bits $b_0, b_1, b_2$, we wish to prove $b_2 = \neg(b_0 \wedge b_1)$. Now $b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$, so make a NIZK proof that $c_0 c_1 c_2^2 g^{-2}$ encrypts 0 or 1.

## NIZK proof for Circuit SAT

- Encrypt all wires $w_i$ as $c_i = g^{w_i}h^{r_i}$.
- For each $i$, make a NIZK proof that $c_i$ contains 0 or 1.
- For each NAND-gate, make a NIZK proof that $c_0 c_1 c_2^2 g^{-2}$ contains 0 or 1.

Perfect completeness, perfect soundness, computational zero-knowledge, and perfect knowledge extraction (decrypt the ciphertexts).
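The following Python module is an added example and not code from the paper or the talk. It traces the algebra of the Boneh-Goh-Nissim and homomorphism slides and of the 0/1, NAND and Circuit SAT proof slides in one deliberately insecure toy: instead of a composite-order bilinear group it uses $G = (\mathbb{Z}_n, +)$ with $n = pq$ and the degenerate pairing $e(u, v) = uv \bmod n$, which is bilinear, so every identity on the slides holds exactly (the order-$q$ subgroup is the set of multiples of $p$). It offers no security at all: subgroup decision is a divisibility test and discrete logarithms are trivial, which is also why the simulator can recover $\gamma$ by itself. The primes 101 and 103, the function names (`setup`, `prove_bit`, `nand_ciphertext`, `prove_circuit`, ...) and the wire/gate encoding are my own choices.

```python
"""Toy model of the Groth-Ostrovsky-Sahai NIZK for Circuit SAT (added example).
G = (Z_n, +) with n = p*q, written additively, with pairing e(u, v) = u*v mod n, which
is bilinear: e(a*u, b*v) = a*b*e(u, v).  The slides' algebra goes through unchanged,
but the model has no hardness (subgroup decision is a divisibility test)."""
import random
from math import gcd

P, Q = 101, 103      # constructed toy primes; the group order is n = p*q
N = P * Q

def rand_unit():
    """Uniform element of Z_n^*."""
    s = random.randrange(1, N)
    return s if gcd(s, N) == 1 else rand_unit()

def setup(perfect_zk=False):
    """CRS (g, h): ord(g) = n always; ord(h) = q (h a multiple of p) in the sound
    mode, ord(h) = n in the perfect-ZK mode where ciphertexts are perfectly hiding."""
    return 1, (rand_unit() if perfect_zk else P * random.randrange(1, Q))

def e(u, v):
    """Toy pairing G x G -> G1 = Z_n."""
    return (u * v) % N

def encrypt(crs, m, r):
    """BGN: E(m; r) = g^m h^r, additively m*g + r*h."""
    g, h = crs
    return (m * g + r * h) % N

def decrypt(crs, c, bound=16):
    """sk = (p, q): (g^m h^r)^q = (g^q)^m kills the order-q part; find m by exhaustive
    search.  Also decrypts G1 elements, because e(g, g) = g = 1 in this toy."""
    g, _ = crs
    target = (Q * c) % N
    for m in range(bound):
        if (Q * m * g) % N == target:
            return m
    raise ValueError("plaintext outside the search bound")

def prove_bit(crs, c, m, r):
    """e(c, g^-1 c) = e(g, g)^{m(m-1)} e(h^r, g^{2m-1} h^r); for m in {0, 1} the first
    factor is trivial and the rest splits as e(h^s, (g^{2m-1} h^r)^{r/s}), s in Z_n^*."""
    g, h = crs
    s = rand_unit()
    pi1 = (s * h) % N                                           # h^s
    pi2 = (((2 * m - 1) * g + r * h) * r * pow(s, -1, N)) % N   # (g^{2m-1} h^r)^{r/s}
    pi3 = (s * g) % N                                           # g^s
    return pi1, pi2, pi3

def verify_bit(crs, c, proof):
    """With ord(h) = q, e(pi1, g) = e(h, pi3) forces pi1 into the order-q subgroup and
    e(c, g^-1 c) = e(pi1, pi2) then forces m(m-1) = 0 mod p, i.e. m in {0, 1} mod p."""
    g, h = crs
    pi1, pi2, pi3 = proof
    return e(pi1, g) == e(h, pi3) and e(c, (c - g) % N) == e(pi1, pi2)

def simulate_bit(crs):
    """Perfect-ZK mode, g = h^gamma: commit to nothing (c = h^t) and build a verifying
    proof from the trapdoor gamma.  In this toy gamma = g/h is computable by anyone."""
    g, h = crs
    gamma = (g * pow(h, -1, N)) % N
    t, s = random.randrange(N), rand_unit()
    pi2 = (t * (t - gamma) * pow(s, -1, N) * h) % N             # h^{t(t - gamma)/s}
    return (t * h) % N, ((s * h) % N, pi2, (s * g) % N)

def nand_ciphertext(crs, c0, c1, c2):
    """c0 c1 c2^2 g^-2 encrypts b0 + b1 + 2*b2 - 2, a bit iff b2 = NAND(b0, b1)."""
    g, _ = crs
    return (c0 + c1 + 2 * c2 - 2 * g) % N

def eval_circuit(gates, n_wires, inputs):
    """Wires 0..len(inputs)-1 are inputs; gate (a, b, out) sets w[out] = NAND(w[a], w[b])."""
    w = dict(enumerate(inputs))
    for a, b, out in gates:
        w[out] = 1 - (w[a] & w[b])
    return [w[i] for i in range(n_wires)]

def prove_circuit(crs, gates, n_wires, inputs):
    """Encrypt every wire, prove each is a bit, prove each gate.  The output wire (last
    index) uses r = 0 so the verifier can check it equals g = E(1; 0)."""
    b = eval_circuit(gates, n_wires, inputs)
    r = [random.randrange(N) for _ in range(n_wires - 1)] + [0]
    c = [encrypt(crs, b[i], r[i]) for i in range(n_wires)]
    bit_proofs = [prove_bit(crs, c[i], b[i], r[i]) for i in range(n_wires)]
    gate_proofs = [prove_bit(crs, nand_ciphertext(crs, c[x], c[y], c[z]),
                             b[x] + b[y] + 2 * b[z] - 2, r[x] + r[y] + 2 * r[z])
                   for x, y, z in gates]
    return c, bit_proofs, gate_proofs

def verify_circuit(crs, gates, n_wires, proof):
    """Output ciphertext must be g, every wire a bit, every gate relation a bit."""
    c, bit_proofs, gate_proofs = proof
    if len(c) != n_wires or c[-1] != encrypt(crs, 1, 0):
        return False
    return (all(verify_bit(crs, ci, pi) for ci, pi in zip(c, bit_proofs)) and
            all(verify_bit(crs, nand_ciphertext(crs, c[x], c[y], c[z]), pi)
                for (x, y, z), pi in zip(gates, gate_proofs)))
```

The talk's example circuit is `gates = [(0, 1, 3), (3, 2, 4)]` over five wires (inputs $w_1, w_2, w_3$ at indices 0, 1, 2; $w_4$ at index 3; the output at index 4), and `verify_circuit(crs, gates, 5, prove_circuit(crs, gates, 5, [1, 1, 0]))` accepts. Running the honest prover on a ciphertext of 2 produces a triple that `verify_bit` rejects, which is the soundness argument of the slides made concrete: the second pairing check is off by exactly $e(g, g)^{m(m-1)}$. In the perfect-ZK mode (`setup(True)`) the same encryption is an encryption of 0 and of 1 under different randomness, and `simulate_bit` produces accepting proofs without any witness.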

## Perfect NIZK

Common reference string $(g, h)$: choose $g, h$ so that $\mathrm{ord}(g) = \mathrm{ord}(h) = n$.

Perfect completeness. Perfect zero-knowledge: the ciphertexts $c_i$ are now perfectly hiding commitments, and the NIZK argument for 0/1 plaintexts is perfect zero-knowledge.

## Computational coNP soundness

$K(1^k)$ outputs the common reference string. The adversary outputs a circuit $C$, a proof $\pi$, and a witness $w_{co}$ that $C$ is unsatisfiable; the verifier rejects.

Computational coNP soundness: $\Pr[\text{Reject}] \approx 1$.

## Ideal functionality $F_{NIZK}$

On (prove, $C$, $w$): if $C(w) = 1$, give $C$ to $S$ and get back $\pi$; store $(C, \pi)$ and return (proof, $\pi$).

On (verify, $C$, $\pi$): if $(C, \pi)$ is not stored, give $(C, \pi)$ to $S$ and get back $w$; if $C(w) = 1$, store $(C, \pi)$. Return (verification, 1) if $(C, \pi)$ is stored and (verification, 0) otherwise.

## UC NIZK

There exists a non-interactive protocol UC NIZK such that

- UC NIZK securely realizes $F_{NIZK}$ against adaptive adversaries in the common reference string model, and
- UC NIZK is perfect zero-knowledge.

## Conclusion

New technique for NIZK proofs:

1. Very efficient NIZK proofs with perfect soundness.
2. First construction of a perfect zero-knowledge NIZK argument with coNP soundness.
3. First construction of a UC NIZK argument secure against adaptive adversaries.