Download presentation

Presentation is loading. Please wait.

1
**Perfect Non-interactive Zero-Knowledge for NP**

Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles

2
**OK, I will make a zero-knowledge proof**

Motivation OK, I will make a zero-knowledge proof I’m a woman. Prove it! Circuit C = ”I’m a woman” Proof π

3
**Completeness K(1k) Common reference string Circuit C**

Witness w so C(w)=1 Proof π Accept Prover Verifier Perfect completeness: Pr[Accept] = 1

4
**Soundness K(1k) Common reference string Unsatisfiable C Proof π Reject**

Adversary Verifier Perfect soundness: Pr[Reject] = 1

5
**Zero-knowledge S1(1k) ”Common reference string” sk Circuit C Witness w**

Proof π S2(crs, sk, C) 0/1 Simulator Adversary Computational zero-knowledge: Pr[A1|Simulated proofs (S1,S2)] ≈ Pr[A1|Real proofs (K,P)]

6
State of affairs Computational NIZK proofs known but not practical Kilian-Petrank: O(|C|k2)-bit common reference string O(|C|k2)-bit proofs Statistical/perfect NIZK arguments not known No non-interactive UC ZK arguments secure against adaptive adversaries known

7
Our contributions NIZK proof for Circuit SAT - Perfect completeness, perfect soundness, perfect proof of knowledge, computational zero-knowledge - O(k)-bit common reference string - O(|C|k)-bit proofs Perfect NIZK argument for Circuit SAT - Perfect completeness, computational coNP soundness, perfect zero-knowledge UC NIZK argument for Circuit SAT with perfect zero-knowledge secure against adaptive adversaries

8
**Bilinear group of order n**

G, G1 cyclic groups of order n = pq g generator for G bilinear map e: G G G1 e(ua, vb) = e(u, v)ab e(g, g) generates G1 Decision subgroup problem ord(h) = q or ord(h) = n ?

9
**Boneh-Goh-Nissim cryptosystem**

Key generation pk = (n, G, G1, e, g, h) ord(g) = n, ord(h) = q sk = (pk, p, q) Encryption of m |m|=O(log k) E(m; r) = gmhr where r Zn Decryption (gmhr)q = (gq)m find m by polynomial time exhaustive search

10
**Homomorphic properties**

Additively homomorphic gm1hr1 gm2hr2 = gm1+m2hr1+r2 Multiplication-mapping e(gm1hr1, gm2hr2) = e(g, g)m1m2 e(h, gm1r2+m2r1hr1r2)

11
**NIZK proof for Circuit SAT**

1 NAND Circuit SAT is NP complete w4 NAND w1 w2 w3

12
**NIZK proof for Circuit SAT**

g1 NIZK proof c1 encrypts 0 or 1 NIZK proof c2 encrypts 0 or 1 NIZK proof c3 encrypts 0 or 1 NIZK proof c4 encrypts 0 or 1 NIZK proof w4 = (w1w2) NIZK proof 1 = (w4w3) NAND gw4hr4 NAND gw1hr1 gw2hr2 gw3hr3

13
**NIZK proof for encryption of 0 or 1**

Wish to prove c encrypts 0 or 1 Write c = gmhr (m uniquely determined mod p) e(c, g-1c) = e(gmhr, gm-1hr) = e(g, g)m(m-1) e(hr, g2m-1hr) has order q if and only if m = 0 mod p or m = 1 mod p We wish to prove e(c, g-1c) has order q

14
**NIZK proof for encryption of 0 or 1**

Prover chooses s Zn* e(c, g-1c) = e(gmhr, gm-1hr) = e(hr, g2m-1hr) = e(hs, (g2m-1hr)r/s) Reveal π = (π1, π2, π3) π1 = hs π2 = (g2m-1hr)r/s π3 = gs Verifier checks e(π1, g) = e(h, π3) and e(c, g-1c) = e(π1, π2)

15
**NIZK proof for encryption of 0 or 1**

Perfect soundness h has order q e(h, π3) has order q e(π1, g) = e(h, π3) e(π1, g) has order q π1 has order q e(π1, π2) has order q e(c, g-1c) = e(π1, π2) e(c, g-1c) has order q m = 0 mod p or m = 1 mod p Computational zero-knowledge ord(h) = n g = hγ simulation key: γ

16
**NIZK proof for NAND-gate**

Given c0, c1, c2 ciphertexts containing bits b0, b1, b2 wish to prove b2 = (b0b1) b2 = (b0b1) if and only if b0 + b1 + 2b2 - 2 {0,1} Make NIZK proof for c0c1c22g-2 encrypting 0 or 1

17
**NIZK proof for Circuit SAT**

Encrypt all wires wi as ci = gwihri For each i make NIZK that ci contains 0 or 1 For each NAND-gate make NIZK proof that c0c1c22g-2 contains 0 or 1 Perfect completeness Perfect soundness Computational zero-knowledge Perfect knowledge extraction – decrypt ciphertexts

18
**Perfect NIZK Common reference string (g, h)**

Choose g, h so ord(g) = ord(h) = n Perfect completeness Perfect zero-knowledge Ciphertexts ci are perfectly hiding commitments NIZK argument for 0/1 plaintexts perfect ZK

19
**Adaptive coNP soundness**

K(1k) Common reference string C, wco Proof π Reject wco witness for C unsatisfiable Computational coNP soundness: Pr[Reject] ≈ 1

20
**FNIZK (prove, C, w) (proof, π)**

If C(w)=1 give C to S and get π store (C,π) If (C,π) not stored give (C,π) to S and get w if C(w)=1 store (C,π) Return 1 if (C,π) stored (verify, C, π) (verification, 0/1)

21
**UC NIZK There exists non-interactive protocol UC NIZK such that**

UC NIZK securely realizes FNIZK against adaptive adversaries in the common reference string model UC NIZK is perfect zero-knowledge

22
**Conclusion New technique for NIZK proofs**

1. Very efficient NIZK proofs with perfect soundness 2. First construction of perfect zero-knowledge NIZK argument with coNP soundness 3. First construction of UC NIZK argument secure against adaptive adversaries

Similar presentations

OK

Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.

Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google