Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Slides:



Advertisements
Similar presentations
Perfect Non-interactive Zero-Knowledge for NP
Advertisements

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
Short Non-interactive Zero-Knowledge Proofs
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.
Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
1 Adapted from Oded Goldreich’s course lecture notes.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Foundations of Cryptography Lecture 13: Zero-Knowledge Variants and Applications Lecturer: Moni Naor.

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.
Digital Envelopes, Zero Knowledge, and other wonders of modern cryptography (How computational complexity enables digital security & privacy) Guy Rothblum.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
Non-interactive and Reusable Non-malleable Commitments Ivan Damgård, BRICS, Aarhus University Jens Groth, Cryptomathic A/S.
Zero Knowledge Proofs. Interactive proof An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Anonymous Communication Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
Zero-Knowledge Proofs And Their Applications in Cryptographic Systems ICS 555 Cryptography and Data Security Sultan Almuhammadi.
PRESENTED BY CHRIS ANDERSON JULY 29, 2009 Using Zero Knowledge Proofs to Validate Electronic Votes.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
Fine-Tuning Groth-Sahai Proofs Alex Escala Scytl Secure Electronic Voting Jens Groth University College London.
Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.
Impossibility and Feasibility Results for Zero Knowledge with Public Keys Joël Alwen Tech. Univ. Vienna AUSTRIA Giuseppe Persiano Univ. Salerno ITALY Ivan.
Efficient Zero-Knowledge Proofs Jens Groth University College London.
Wonders of the Digital Envelope Avi Wigderson Institute for Advanced Study.
Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.
Introduction to Modern Cryptography Sharif University Spring 2015 Data and Network Security Lab Sharif University of Technology Department of Computer.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Zero-Knowledge Proofs And Their Applications in Cryptographic Systems ICS 555 Cryptography and Data Security Sultan Almuhammadi.
Statistical Zero-Knowledge:
Zero-knowledge proof protocols 1 CHAPTER 12: Zero-knowledge proof protocols One of the most important, and at the same time very counterintuitive, primitives.
15-499Page :Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.
New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.
Non-interactive quantum zero-knowledge proofs
CRYPTOGRAPHIC HARDNESS OTHER FUNCTIONALITIES Andrej Bogdanov Chinese University of Hong Kong MACS Foundations of Cryptography| January 2016.
Pairing-Based Non-interactive Zero-Knowledge Proofs Jens Groth University College London Based on joint work with Amit Sahai.
Dominique Unruh Quantum Proofs of Knowledge Dominique Unruh University of Tartu Tartu, April 12, 2012.
 5.1 Zero-Knowledge Proofs  5.2 Zero-Knowledge Proofs of Identity  5.3 Identity-Based Public-Key Cryptography  5.4 Oblivious Transfer  5.5 Oblivious.
Zero-Knowledge Proofs Ben Hosp. Classical Proofs A proof is an argument for the truth or correctness of an assertion. A classical proof is an unambiguous.
Cryptographic Shuffles Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA.
Zero Knowledge r Two parties:  All powerful prover P  Polynomially bounded verifier V r P wants to prove a statement to V with the following properties:
IP, (NON)ISOGRAPH and Zero Knowledge Protocol COSC 6111 Advanced Algorithm Design and Analysis Daniel Stübig.
Topic 36: Zero-Knowledge Proofs
On the Size of Pairing-based Non-interactive Arguments
Zero Knowledge Anupam Datta CMU Fall 2017
Linear Algebra with Sub-linear Zero-Knowledge Arguments
Helger Lipmaa University of Tartu, Estonia
Short Pairing-based Non-interactive Zero-Knowledge Arguments
09 Zero Knowledge Proof Hi All, One more topic to go!
Impossibility of SNARGs
Jens Groth and Mary Maller University College London
Presentation transcript:

Efficient Zero-Knowledge Proof Systems Jens Groth University College London

Privacy and verifiability Hedge fundInvestor No! It is a trade secret. Did I lose all my money? Show me the current portfolio!

Zero-knowledge proof Statement ProverVerifier Witness  Soundness: Statement is true Zero-knowledge: Nothing but truth revealed

Internet voting VoterElection authorities Ciphertext Vote Encrypts vote to keep it private Tally without decrypting individual votes 4

Election fraud VoterElection authorities Ciphertext Not Bob Encrypts -100 votes for Bob Is the encrypted vote valid? 5

Zero-knowledge proof as solution VoterElection authorities Ciphertext Soundness: Vote is valid Zero-knowledge proof for valid vote encrypted Zero-knowledge: Vote is secret 6

Mix-net: Anonymous message broadcast m π (1) m π (2) m π (N) … π1π1 π2π2 π = π 1 ◦ π 2 m1m1 m2m2 mNmN Threshold decryption

Problem: Corrupt mix-server m π (1) m π (2) m´ π (N) … π1π1 π2π2 π = π 1 ◦ π 2 m1m1 m2m2 mNmN Threshold decryption

Solution: Zero-knowledge proof m π (1) m π (2) m π (N) … π1π1 π2π2 π = π 1 ◦ π 2 m1m1 m2m2 mNmN Threshold decryption Server 1 ZK proof No message changed (soundness) Server 2 ZK proof Permutation still secret (zero-knowledge)

Preventing deviation (active attacks) by keeping people honest AliceBob Yes, here is a zero- knowledge proof that everything is correct Did you follow the protocol honestly without deviation?

Cryptography 11 Problems typically arise when attackers deviate from a protocol (active attack) Zero-knowledge proofs prevent deviation and give security against active attacks

Fundamental building block 12 encryption signatures zero-knowledge Доверяй, но проверяй - Trust but verify

Zero-knowledge proofs Completeness –Prover can convince verifier when statement is true Soundness –Cannot convince verifier when statement is false Zero-knowledge –No leakage of information (except truth of statement) even if interacting with a cheating verifier 13

Parameters Efficiency –Communication (bits) –Prover’s computation (seconds) –Verifier’s computation (seconds) –Round complexity (number of messages) Security –Setup –Cryptographic assumptions

Round complexity Interactive zero-knowledge proof Non-interactive zero-knowledge proof 15 

Zero-knowledge proof efficiency cost interactive zero-knowledge proofs rest of the protocol non-interactive zero-knowledge proofs

Vision Main goal –Efficient and versatile zero-knowledge proofs Vision –Negligible overhead from using zero-knowledge proofs –Security against active attacks standard feature 17 zero-knowledge core

Statements Circuit SAT Hamiltonian Encrypted valid vote

Proof system 19

Graph isomorphism 20

Exercise Argue the GI proof system is complete What is the probability of the prover cheating the verifier? (soundness) Argue the GI proof system is witness indistinguishable, i.e., when there are several isomorphisms between the two graphs it is not possible to know which one the prover has in mind 21

Perfect completeness: Pr[Accept] = 1 Accept or reject Statement x  L Witness w so (x,w)  R Completeness 22

Computational soundness: For ppt adversary Pr[Reject] ≈ 1 Statistical soundness: For any adversary Pr[Reject] ≈ 1 Perfect soundness: Pr[Reject] = 1 Accept or reject Statement x  L Soundness 23

Arguments and proofs Argument (or computationally sound proof) –Computational soundness, holds against polynomial time adversary, relies on cryptographic assumptions Proof –Unconditional soundness, holds against unbounded adversary, and in particular without relying on cryptographic assumptions 24 Arguments can be more efficient than proofs

0/1 Witness indistinguishability

Zero-knowledge Zero-knowledge: –The proof only reveals the statement is true, it does not reveal anything else Defined by simulation: –The adversary could have simulated the proof without knowing the prover’s witness

view Zero-knowledge Simulator’s advantage: Can rewind adversary

Exercises Show the GI proof is perfect zero-knowledge Argue why zero-knowledge implies witness indistinguishability Give an example of a language and a proof system that is witness indistinguishable but not zero-knowledge (under reasonable assumptions) 28