1
**Perfect Non-interactive Zero-Knowledge for NP**

Jens Groth, Rafail Ostrovsky, Amit Sahai

University of California, Los Angeles

2
**Motivation**

"I'm a woman." "Prove it!" "OK, I will make a zero-knowledge proof."

Circuit $C$ = "I'm a woman", proof $\pi$

3
**Completeness**

Diagram: $K(1^k)$ outputs the common reference string. The prover holds a circuit $C$ and a witness $w$ so $C(w) = 1$, and sends a proof $\pi$; the verifier accepts.

Perfect completeness: $\Pr[\text{Accept}] = 1$

4
**Soundness**

Diagram: $K(1^k)$ outputs the common reference string. The adversary sends an unsatisfiable circuit $C$ and a proof $\pi$; the verifier rejects.

Perfect soundness: $\Pr[\text{Reject}] = 1$

5
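**Zero-knowledge**

Diagram: the simulator's $S_1(1^k)$ outputs a "common reference string" and $sk$. The adversary supplies a circuit $C$ and a witness $w$, receives a proof $\pi$ from $S_2(crs, sk, C)$, and outputs 0/1.

Computational zero-knowledge: $\Pr[A \to 1 \mid \text{simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{real proofs } (K, P)]$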

6
**State of affairs**

- Computational NIZK proofs known but not practical
  - Kilian-Petrank: $O(|C|k^2)$-bit common reference string, $O(|C|k^2)$-bit proofs
- Statistical/perfect NIZK arguments not known
- No non-interactive UC ZK arguments secure against adaptive adversaries known

7
**Our contributions**

- NIZK proof for Circuit SAT
  - Perfect completeness, perfect soundness, perfect proof of knowledge, computational zero-knowledge
  - $O(k)$-bit common reference string
  - $O(|C|k)$-bit proofs
- Perfect NIZK argument for Circuit SAT
  - Perfect completeness, computational coNP soundness, perfect zero-knowledge
- UC NIZK argument for Circuit SAT with perfect zero-knowledge, secure against adaptive adversaries

8
**Bilinear group of order n**

- $G, G_1$ cyclic groups of order $n = pq$
- $g$ generator for $G$
- Bilinear map $e: G \times G \to G_1$
  - $e(u^a, v^b) = e(u, v)^{ab}$
  - $e(g, g)$ generates $G_1$
- Decision subgroup problem: $\mathrm{ord}(h) = q$ or $\mathrm{ord}(h) = n$?

9
**Boneh-Goh-Nissim cryptosystem**

- Key generation
  - $pk = (n, G, G_1, e, g, h)$ with $\mathrm{ord}(g) = n$, $\mathrm{ord}(h) = q$
  - $sk = (pk, p, q)$
- Encryption of $m$, $|m| = O(\log k)$
  - $E(m; r) = g^m h^r$ where $r \in \mathbb{Z}_n$
- Decryption
  - $(g^m h^r)^q = (g^q)^m$
  - Find $m$ by polynomial time exhaustive search

10
**Homomorphic properties**

- Additively homomorphic: $g^{m_1}h^{r_1} \cdot g^{m_2}h^{r_2} = g^{m_1+m_2}h^{r_1+r_2}$
- Multiplication-mapping: $e(g^{m_1}h^{r_1}, g^{m_2}h^{r_2}) = e(g, g)^{m_1 m_2} \, e(h, g^{m_1 r_2 + m_2 r_1}h^{r_1 r_2})$

11
**NIZK proof for Circuit SAT**

Circuit SAT is NP complete.

Figure: a circuit of NAND gates with input wires $w_1$, $w_2$, $w_3$, internal wire $w_4$ and output 1.

12
**NIZK proof for Circuit SAT**

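Figure: the same NAND circuit with each wire encrypted as $g^{w_1}h^{r_1}$, $g^{w_2}h^{r_2}$, $g^{w_3}h^{r_3}$, $g^{w_4}h^{r_4}$, and output $g^1$.

- NIZK proof $c_1$ encrypts 0 or 1
- NIZK proof $c_2$ encrypts 0 or 1
- NIZK proof $c_3$ encrypts 0 or 1
- NIZK proof $c_4$ encrypts 0 or 1
- NIZK proof $w_4 = \neg(w_1 \wedge w_2)$
- NIZK proof $1 = \neg(w_4 \wedge w_3)$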

13
**NIZK proof for encryption of 0 or 1**

- Wish to prove $c$ encrypts 0 or 1
- Write $c = g^m h^r$ ($m$ uniquely determined mod $p$)
- $e(c, g^{-1}c) = e(g^m h^r, g^{m-1}h^r) = e(g, g)^{m(m-1)} \, e(h^r, g^{2m-1}h^r)$ has order $q$ if and only if $m = 0 \bmod p$ or $m = 1 \bmod p$
- We wish to prove $e(c, g^{-1}c)$ has order $q$

14
**NIZK proof for encryption of 0 or 1**

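- Prover chooses $s \in \mathbb{Z}_n^*$
- $e(c, g^{-1}c) = e(g^m h^r, g^{m-1}h^r) = e(h^r, g^{2m-1}h^r) = e(h^s, (g^{2m-1}h^r)^{r/s})$
- Reveal $\pi = (\pi_1, \pi_2, \pi_3)$
  - $\pi_1 = h^s$
  - $\pi_2 = (g^{2m-1}h^r)^{r/s}$
  - $\pi_3 = g^s$
- Verifier checks $e(\pi_1, g) = e(h, \pi_3)$ and $e(c, g^{-1}c) = e(\pi_1, \pi_2)$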

15
**NIZK proof for encryption of 0 or 1**

Perfect soundness:

- $h$ has order $q$ ⇒ $e(h, \pi_3)$ has order $q$
- $e(\pi_1, g) = e(h, \pi_3)$ ⇒ $e(\pi_1, g)$ has order $q$ ⇒ $\pi_1$ has order $q$ ⇒ $e(\pi_1, \pi_2)$ has order $q$
- $e(c, g^{-1}c) = e(\pi_1, \pi_2)$ ⇒ $e(c, g^{-1}c)$ has order $q$ ⇒ $m = 0 \bmod p$ or $m = 1 \bmod p$

Computational zero-knowledge:

- $\mathrm{ord}(h) = n$, $g = h^{\gamma}$
- Simulation key: $\gamma$

16
**NIZK proof for NAND-gate**

- Given $c_0, c_1, c_2$ ciphertexts containing bits $b_0, b_1, b_2$, wish to prove $b_2 = \neg(b_0 \wedge b_1)$
- $b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$
- Make NIZK proof for $c_0 c_1 c_2^2 g^{-2}$ encrypting 0 or 1

17
**NIZK proof for Circuit SAT**

- Encrypt all wires $w_i$ as $c_i = g^{w_i}h^{r_i}$
- For each $i$ make NIZK proof that $c_i$ contains 0 or 1
- For each NAND-gate make NIZK proof that $c_0 c_1 c_2^2 g^{-2}$ contains 0 or 1

Properties:

- Perfect completeness
- Perfect soundness
- Computational zero-knowledge
- Perfect knowledge extraction: decrypt ciphertexts
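The 0/1 proof and the NAND-gate reduction above can be checked end to end in a toy model. This is an added example, not code from the slides or the authors: it stores a group element $g^x$ as its exponent $x \bmod n$, so the pairing becomes multiplication mod $n$. The primes, randomness values and all function names are assumptions made for illustration, and the model is insecure by construction because discrete logs are public.

```python
# Toy model, NOT secure: g^x is stored as x mod n, the group law is addition,
# and e(g^x, g^y) = e(g,g)^(xy) is multiplication mod n. Only the algebra is real.
from itertools import product

P, Q = 11, 13        # constructed toy primes
N = P * Q            # group order n = pq
G = 1                # generator g
H = P * 5 % N        # h of order q (a multiple of p in the exponent)

def pair(x, y):
    """Exponent of e(g, g) for e(g^x, g^y)."""
    return x * y % N

def commit(m, r):
    """c = g^m h^r."""
    return (m + r * H) % N

def prove_bit(m, r, s):
    """(pi1, pi2, pi3) = (h^s, (g^(2m-1) h^r)^(r/s), g^s); s invertible mod n."""
    base = (2 * m - 1 + r * H) % N
    return (s * H % N, r * pow(s, -1, N) * base % N, s % N)

def verify_bit(c, proof):
    """Check e(pi1, g) = e(h, pi3) and e(c, g^-1 c) = e(pi1, pi2)."""
    pi1, pi2, pi3 = proof
    return pair(pi1, G) == pair(H, pi3) and pair(c, (c - 1) % N) == pair(pi1, pi2)

def nand_commitment(c0, c1, c2):
    """c0 * c1 * c2^2 * g^-2, which commits to b0 + b1 + 2*b2 - 2."""
    return (c0 + c1 + 2 * c2 - 2) % N

def prove_nand(b, r, s):
    """0/1 proof for the combined commitment, using the combined randomness."""
    return prove_bit(b[0] + b[1] + 2 * b[2] - 2, r[0] + r[1] + 2 * r[2], s)

def forgeable(c):
    """Exhaustive search: does ANY proof verify for c? (pi1 is forced to h^pi3.)"""
    return any(verify_bit(c, (H * s % N, p2, s))
               for s, p2 in product(range(N), repeat=2))

def gate_report(r=(3, 7, 9), s=4):
    """For every bit triple: (honest proof verifies, some proof exists)."""
    report = {}
    for b in product((0, 1), repeat=3):
        c = nand_commitment(*(commit(bi, ri) for bi, ri in zip(b, r)))
        report[b] = (verify_bit(c, prove_nand(b, r, s)), forgeable(c))
    return report
```

`gate_report()` shows that a proof exists exactly for the four triples with $b_2 = \neg(b_0 \wedge b_1)$; for the other four, the exhaustive search finds no accepting proof, which is the perfect-soundness claim in miniature.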

18
**Perfect NIZK**

- Common reference string $(g, h)$: choose $g, h$ so $\mathrm{ord}(g) = \mathrm{ord}(h) = n$
- Perfect completeness
- Perfect zero-knowledge
  - Ciphertexts $c_i$ are perfectly hiding commitments
  - NIZK argument for 0/1 plaintexts is perfect ZK

19
**Adaptive coNP soundness**

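Diagram: $K(1^k)$ outputs the common reference string. The adversary sends $C$, $w_{co}$ and a proof $\pi$; the verifier rejects.

$w_{co}$: witness for $C$ unsatisfiable

Computational coNP soundness: $\Pr[\text{Reject}] \approx 1$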

20
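**$F_{NIZK}$**

On input (prove, $C$, $w$), output (proof, $\pi$):

- If $C(w) = 1$, give $C$ to $S$ and get $\pi$; store $(C, \pi)$

On input (verify, $C$, $\pi$), output (verification, 0/1):

- If $(C, \pi)$ is not stored, give $(C, \pi)$ to $S$ and get $w$; if $C(w) = 1$, store $(C, \pi)$
- Return 1 if $(C, \pi)$ is stored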

21
**UC NIZK**

There exists a non-interactive protocol UC NIZK such that:

- UC NIZK securely realizes $F_{NIZK}$ against adaptive adversaries in the common reference string model
- UC NIZK is perfect zero-knowledge

22
**Conclusion**

New technique for NIZK proofs:

1. Very efficient NIZK proofs with perfect soundness
2. First construction of perfect zero-knowledge NIZK argument with coNP soundness
3. First construction of UC NIZK argument secure against adaptive adversaries
