Presentation is loading. Please wait.

Presentation is loading. Please wait.

Short Non-interactive Zero-Knowledge Proofs Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Similar presentations


Presentation on theme: "Short Non-interactive Zero-Knowledge Proofs Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete."— Presentation transcript:

1 Short Non-interactive Zero-Knowledge Proofs Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AAAAA A A A A A A

2 Non-interactive zero-knowledge proof ProverVerifier Soundness: Statement is true Zero-knowledge: Nothing but truth revealed CRS:0100…11010 Statement: x L Proof: (x,w) R L

3 Non-interactive zero-knowledge proofs Statement C is satisfiable circuit Perfect completeness Statistical soundness Computational zero-knowledge Uniformly random common reference string Efficient prover – probabilistic polynomial time Deterministic polynomial time verifier Adaptive soundness: Adversary sees CRS before attempting to cheat with false (C, )

4 Our results Security level: 2 -k Trapdoor perm size: k T = poly(k) Circuit size: |C| = poly(k) Witness size: |w| |C| CRS in bitsProof in bitsAssumption Kilian-Petrank |C|k T k (log k) Trapdoor perms This work|C|k T polylog(k) Trapdoor perms CRS in bitsProof in bitsAssumption Gentrypoly(k)|w|poly(k)Lattice-based G-Ostrovsky-Sahaik 3 /polylog(k)|C|k 3 /polylog(k)Pairing-based This work|C|polylog(k) Naccache-Stern

5 Hidden random string - soundness Statement: x L (x,w) R L

6 Hidden random string – zero-knowledge Statement: x L 0 1

7 Two new techniques More efficient use of hidden random bits –Kilian-Petrank:|C|k (log(k)) hidden random bits –This work: |C|polylog(k) hidden random bits More efficient implementation of hidden bits –Trapdoor permutations: k T = poly(k)bits per hidden random bit –Naccache-Stern encryption: O(log k) bits per hidden random bit

8 Implementing the hidden random bits model Statement: x L (x,w) R L …1 00…1 10…0 K(1 k ) (pk,sk) c 1 c 2 c 3 c 4 E pk (0;r 1 ) E pk (1;r 2 ) E pk (0;r 3 ) E pk (1;r 4 ) c 1 1 ; r 2 c 3 0 ; r 4

9 Naccache-Stern encryption pk = (M,P,g)sk = (M) –M is an RSA modulus –P = p 1 p 2 …p d where p 1,…,p d are O(log k) bit primes –P | ord(g) = (M)/4 and |P| = O(|M|) E pk (m;r) = g m r P mod M D sk (c):For each p i compute m mod p i c (M)/p i = (g (M)/p i ) m Chinese remainder gives m mod P

10 Naccache-Stern implementation of hidden bits Statement: x L (x,w) R L …1 00…1 10…0 K(1 k ) (pk,sk) c 1 c 2 c 3 c 4 E pk (010;r 1 ) E pk (101;r 2 ) E pk (011;r 3 ) E pk (110;r 4 ) ?1? ; 1 10? ; 2 ??1 ; 3 ??? ; 4 0 if m mod p i even 1 if m mod p i odd if m mod p i is -1

11 Revealing part of Naccache-Stern plaintext Ciphertext c = g m r P How to prove that m = x mod p i ? Prover reveals such that P = (cg -x ) P/p i Shows (M) = (g m-x r P ) (M)/p i = (g (M)/p i ) m-x Can compute the proof as = (cg -x ) (P -1 mod (M)/P)P/p i Can randomize proof by multiplying with s (M)/P Generalizes to reveal m mod i S p i with a proof consisting of one group element

12 Zero-knowledge Simulator sets up pk = (M,P,g) such that ord(g) = (M)/4P and g = h P mod M Simulator also sets up the CRS such that it only contains ciphertexts of the form g t mod M For any m Z P we can compute r = h t-m mod M such that g t = g m (g t-m ) = g m r P mod M This means the simulator can open each ciphertext to arbitrary hidden bits

13 Efficient use of the hidden random bits Statement: x L (x,w) R L

14 Kilian-Petrank Random bits not useful; need bits with structure Use statistical sampling to get good blocks Probably hidden pairs are 00 and 11

15 Kilian-Petrank continued Reveal blocks of bits so remaining good blocks of bits have a particular structure (statistically) Reduce C to a 3SAT formula Assign remaining good blocks to variables in For each clause reveal some bits in the blocks assigned to the literals of the clause An unsatisfied clause has some probability of the revealed bits not satisfying certain criterion Repeat many times to make the probability of cheating negligible for each clause

16 Probabilistically checkable proofs Polynomial time algorithms f, f w : f: C belongs to gap-3SAT5 f w : w xif C(w)=1 then (x)=1 is a gap-3SAT5 formula –All variables appear in exactly 5 clauses – thrice as positive literal and twice as negative –Either all clauses are simultaneously satisfiable or a constant fraction are unsatisfiable

17 Strategy Compute = f(C) and prove that it is satisfiable With the most efficient probabilistically checkable proofs (Dinur 07 combined with BenSasson- Sudan 08) we have | | = |C| polylog(k) Seems counterintuitive to make statement larger However, since allows for a constant fraction of errors less repetition is needed to make the overall soundness error negligible It is ok if the prover cheats on some clauses as long as cannot cheat on a constant fraction

18 Summary Technique 1: Reduce soundness error with probabilistically checkable proofs Technique 2: Implement hidden random bit string with Naccache-Stern encryption Hidden bitsProof in bitsAssumption Kilian-Petrank |C|k T k (log k) Trapdoor perms This work|C|k T polylog(k) Trapdoor perms CRS in bitsProof in bitsAssumption Gentrypoly(k)|w|poly(k)Lattice-based G-Ostrovsky-Sahaik 3 /polylog(k)|C|k 3 /polylog(k)Pairing-based This work|C|polylog(k) Nacache-Stern


Download ppt "Short Non-interactive Zero-Knowledge Proofs Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete."

Similar presentations


Ads by Google