Download presentation

Presentation is loading. Please wait.

Published byGabriella Brady Modified over 2 years ago

1
Perfect Non-interactive Zero-Knowledge for NP Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles

2
Motivation Im a woman.Prove it! OK, I will make a zero- knowledge proof Circuit C = Im a woman Proof π

3
Completeness Perfect completeness: Pr[Accept] = 1 Proof π Accept K(1 k ) Common reference string Circuit C Witness w so C(w)=1 Prover Verifier

4
Soundness Perfect soundness: Pr[Reject] = 1 Unsatisfiable C Proof π Reject Adversary Verifier K(1 k ) Common reference string

5
Zero-knowledge Computational zero-knowledge: Pr[A 1|Simulated proofs (S 1,S 2 )] Pr[A 1|Real proofs (K,P)] Proof π sk S 1 (1 k ) Circuit C Witness w Common reference string 0/1 S 2 (crs, sk, C) Simulator Adversary

6
State of affairs Computational NIZK proofs known but not practical Kilian-Petrank: O(|C|k 2 )-bit common reference string O(|C|k 2 )-bit proofs Computational NIZK proofs known but not practical Kilian-Petrank: O(|C|k 2 )-bit common reference string O(|C|k 2 )-bit proofs Statistical/perfect NIZK arguments not known Statistical/perfect NIZK arguments not known No non-interactive UC ZK arguments secure against adaptive adversaries known No non-interactive UC ZK arguments secure against adaptive adversaries known

7
Our contributions NIZK proof for Circuit SAT - Perfect completeness, perfect soundness, perfect proof of knowledge, computational zero- knowledge - O(k)-bit common reference string - O(|C|k)-bit proofs NIZK proof for Circuit SAT - Perfect completeness, perfect soundness, perfect proof of knowledge, computational zero- knowledge - O(k)-bit common reference string - O(|C|k)-bit proofs Perfect NIZK argument for Circuit SAT - Perfect completeness, computational coNP soundness, perfect zero-knowledge Perfect NIZK argument for Circuit SAT - Perfect completeness, computational coNP soundness, perfect zero-knowledge UC NIZK argument for Circuit SAT with perfect zero-knowledge secure against adaptive adversaries UC NIZK argument for Circuit SAT with perfect zero-knowledge secure against adaptive adversaries

8
Bilinear group of order n G, G 1 cyclic groups of order n = pq g generator for G bilinear map e: G G G 1 e(u a, v b ) = e(u, v) ab e(g, g) generates G 1 Decision subgroup problem ord(h) = q or ord(h) = n ?

9
Boneh-Goh-Nissim cryptosystem Key generation pk = (n, G, G 1, e, g, h) ord(g) = n, ord(h) = q sk = (pk, p, q) Encryption of m|m|=O(log k) E(m; r) = g m h r where r Z n Decryption (g m h r ) q = (g q ) m find m by polynomial time exhaustive search

10
Homomorphic properties Additively homomorphic g m 1 h r 1 g m 2 h r 2 = g m 1 +m 2 h r 1 +r 2 Multiplication-mapping e(g m 1 h r 1, g m 2 h r 2 ) = e(g, g) m 1 m 2 e(h, g m 1 r 2 +m 2 r 1 h r 1 r 2 )

11
NIZK proof for Circuit SAT 1 w1w1 w4w4 w3w3 w2w2 Circuit SAT is NP complete NAND

12
NIZK proof for Circuit SAT g1g1 gw1hr1gw1hr1 gw2hr2gw2hr2 gw4hr4gw4hr4 gw3hr3gw3hr3 NIZK proof c 1 encrypts 0 or 1 NIZK proof c 2 encrypts 0 or 1 NIZK proof c 3 encrypts 0 or 1 NIZK proof c 4 encrypts 0 or 1 NIZK proof w 4 = (w 1 w 2 ) NIZK proof 1 = (w 4 w 3 ) NAND

13
NIZK proof for encryption of 0 or 1 Wish to prove c encrypts 0 or 1 Write c = g m h r (m uniquely determined mod p) e(c, g -1 c) = e(g m h r, g m-1 h r ) = e(g, g) m(m-1) e(h r, g 2m-1 h r ) has order q if and only if m = 0 mod p or m = 1 mod p We wish to prove e(c, g -1 c) has order q

14
NIZK proof for encryption of 0 or 1 Prover chooses s Z n * e(c, g -1 c) = e(g m h r, g m-1 h r ) = e(h r, g 2m-1 h r ) = e(h s, (g 2m-1 h r ) r/s ) Reveal π = (π 1, π 2, π 3 ) π 1 = h s π 2 = (g 2m-1 h r ) r/s π 3 = g s Verifier checks e(π 1, g) = e(h, π 3 ) and e(c, g -1 c) = e(π 1, π 2 )

15
NIZK proof for encryption of 0 or 1 Perfect soundness h has order q e(h, π 3 ) has order q e(π 1, g) = e(h, π 3 ) e(π 1, g) has order q π 1 has order q e(π 1, π 2 ) has order q e(c, g -1 c) = e(π 1, π 2 ) e(c, g -1 c) has order q m = 0 mod p or m = 1 mod p Computational zero-knowledge ord(h) = ng = h γ simulation key: γ

16
NIZK proof for NAND-gate Given c 0, c 1, c 2 ciphertexts containing bits b 0, b 1, b 2 wish to prove b 2 = (b 0 b 1 ) b 2 = (b 0 b 1 ) if and only if b 0 + b 1 + 2b {0,1} Make NIZK proof for c 0 c 1 c 2 2 g -2 encrypting 0 or 1

17
NIZK proof for Circuit SAT Encrypt all wires w i as c i = g w i h r i Encrypt all wires w i as c i = g w i h r i For each i make NIZK that c i contains 0 or 1 For each i make NIZK that c i contains 0 or 1 For each NAND-gate make NIZK proof that c 0 c 1 c 2 2 g -2 contains 0 or 1 For each NAND-gate make NIZK proof that c 0 c 1 c 2 2 g -2 contains 0 or 1 Perfect completeness Perfect soundness Computational zero-knowledge Perfect knowledge extraction – decrypt ciphertexts

18
Perfect NIZK Common reference string (g, h) Choose g, h so ord(g) = ord(h) = n Perfect completeness Perfect zero-knowledge Ciphertexts c i are perfectly hiding commitments NIZK argument for 0/1 plaintexts perfect ZK

19
Adaptive coNP soundness Computational coNP soundness: Pr[Reject] 1 C, w co Proof π Reject K(1 k ) Common reference string w co witness for C unsatisfiable

20
F NIZK (prove, C, w) (proof, π) (verify, C, π) (verification, 0/1) If C(w)=1 give C to S and get π store (C,π) If (C,π) not stored give (C,π) to S and get w if C(w)=1 store (C,π) Return 1 if (C,π) stored

21
UC NIZK There exists non-interactive protocol UC NIZK such that 1. UC NIZK securely realizes F NIZK against adaptive adversaries in the common reference string model 2. UC NIZK is perfect zero-knowledge

22
Conclusion New technique for NIZK proofs 1. Very efficient NIZK proofs with perfect soundness 2. First construction of perfect zero- knowledge NIZK argument with coNP soundness 3. First construction of UC NIZK argument secure against adaptive adversaries

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google