Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA

Non-interactive zero-knowledge proof ProverVerifier Soundness: Statement is true Zero-knowledge: Nothing but truth revealed Statement: x  L Proof:  (x,w)  R L Common reference string: 0100…11010

Non-interactive zero-knowledge proofs Statement C is satisfiable circuit Perfect completeness Statistical soundness Computational zero-knowledge Uniformly random common reference string Efficient prover – probabilistic polynomial time Deterministic polynomial time verifier Adaptive soundness: Adversary sees CRS before attempting to cheat with false (C,  )

Our results Security level: 2 -k Trapdoor perm size: k T = poly(k) Circuit size: |C| = poly(k) Witness size: |w|  |C| CRS in bitsProof in bitsAssumption Kilian-Petrank |C|∙k T ∙k∙  (log k) Trapdoor perms This talk|C|∙k T ∙polylog(k) Trapdoor perms CRS in bitsProof in bitsAssumption Gentrypoly(k)|w|∙poly(k)Lattice-based + NIZK G-Ostrovsky-Sahaik 3 /polylog(k)|C|∙k 3 /polylog(k)Pairing-based This talk|C|∙polylog(k) Naccache-Stern Other workpoly(k)|w| + poly(k)FHE + NIZK

Encrypted random bits Statement: x  L CRS (x,w)  R L …1 00…1 10…0 K(1 k )  (pk,sk) c 1 c 2 c 3 c 4 E pk (0;r 1 ) E pk (1;r 2 ) E pk (0;r 3 ) E pk (1;r 4 ) c 1 1 ; r 2 c 3 0 ; r 4

Hidden random string - soundness Statement: x  L (x,w)  R L

Hidden random string – zero-knowledge Statement: x  L 0 1

Using hidden random bits for NIZK Random bits not useful; need bits with structure Use statistical sampling to get “good” blocks Probably hidden pairs are 00 and 11

Statements |  | = O(|C|)

Idea in Kilian-Petrank Interpret pairs of bits as truth values –T = {01,10}F = {00,11} T F F T ?0 1? 0? ?1 Zero-knowledge: Does ?1 correspond to T = 01 or F = 11? Soundness: F can only be opened one way Completeness: T can be opened as 0 or 1

T  F  F Completeness Reveal: ?0  1?  ?1 = 0 10  11  11

Soundness If not a satisfying assignment there is a clause where all literals are false –x 1   x 2  x 3 gives F  F  F There is 50% chance to catch a cheating prover –11, 00, 00 has no opening to XOR = 0 so prover caught –11, 00, 11 can be opened to XOR = 0 so prover lucky Will use repetition to decrease prover’s chance

Consistency problem Cannot let prover designate truth-value pairs to literals because a cheating prover might choose an inconsistent assignment Need to ensure prover chooses correct and consistent assignment

Consistency Interpret 12-blocks of bits as 6 truth values –Good block = TTTFFF or FFFTTT TTTFFF FTFTFF FFFTTT FTFFTF I see many bad blocks. Statistically the remaining hidden blocks are good.

Consistency Divide hidden random bit-string into 12-bit blocks Call a block of 6 truth-value pairs for good if it is of one of these two forms TTTFFF or FFFTTT Prover reveals all bits associated with bad blocks such that only good blocks remain

Using blocks Remaining good blocks TTT FFF FFF TTT TTT FFF x 1 = F x 2 = T x 3 = F x 4 = F TT? FFF FF? TTT FFF TT? TT? FFF 10? ? ? 01? 110 Unrevealed bit-pair shows positive/negative literals for variable Positive literals Negative literals

Using blocks After discarding bad blocks the remaining hidden blocks are statistically speaking mostly good We assign each block to a variable x i in a deterministic way Each block has 6 truth-values TTTFFF or FFFTTT –If x i = T reveal 5 bits in TTTFF? or FF?TTT –If x i = F reveal 5 bits in TT?FFF or FFFTT? –Revelations correspond to 5 appearances x i, x i, x i,  x i,  x i The last unrevealed truth-value uniquely determines the assignment of truth-values to literals The verifier now checks all clauses XOR to 0

Soundness The prover has several degrees of freedom –Can choose which false statement to prove –Can choose the public key for the encryption scheme, each one of which will give different hidden random bits –Can choose the truth-value assignment –May leave a few bad blocks unrevealed Use repetition to lower risk of cheating –Instead of revealing single bits for each literal we will reveal several bit-strings and in each clause all bit- strings most XOR to 0 Statistical analysis shows with sufficient repetition a prover has negligible chance of cheating

Two new techniques More efficient use of hidden random bits –Kilian-Petrank:|C|∙k∙  (log(k)) hidden random bits –This work: |C|∙polylog(k) hidden random bits More efficient implementation of hidden bits –Trapdoor permutations: k T = poly(k)bits per hidden random bit –Naccache-Stern encryption: O(log k) bits per hidden random bit

Traditional proofs Statement: x  L (x,w)  R L Proof: The statement is true because bla bla bla bla bla bla bla bla. QED I’d better read it very carefully

Probabilistically checkable proofs Statement: x  L (x,w)  R L Proof: The statement is true because bla bla bla bla bla bla bla bla. QED Ok, let me spot check in random places

Satisfiability of 3SAT5 formula

Satisfiability of gap-3SAT5 formula

Witness-preserving assignment tester Polynomial time algorithms f, f w : f: C    belongs to gap-3SAT5 f w : w  xif C(w)=1 then  (x)=1 With the most efficient probabilistically checkable proofs (Dinur 07 combined with BenSasson- Sudan 08) we have |  | = |C| polylog(k)

Strategy Want to prove C is satisfiable Compute  = f(C) and prove that it is satisfiable using Kilian-Petrank techniques from before With the most efficient assignment testers we have |  | = |C| polylog(k) so statement is larger However, since  allows for a constant fraction of “errors” less repetition is needed to make the overall soundness error negligible It is ok if the prover cheats on some clauses as long as cannot cheat on a constant fraction

Remarks Probabilistically checkable proofs have been used in interactive zero-knowledge proofs –Prover commits to PCP –Verifier chooses at random some parts to check –Prover opens and reveals those parts of the PCP We are using PCPs in a different way –The verifier will check all parts of the PCP –The checks have a small error probability –But unlikely that prover can cheat on a constant fraction

Implementing the hidden random bits model Statement: x  L CRS (x,w)  R L …1 00…1 10…0 K(1 k )  (pk,sk) c 1 c 2 c 3 c 4 E pk (0;r 1 ) E pk (1;r 2 ) E pk (0;r 3 ) E pk (1;r 4 ) c 1 1 ; r 2 c 3 0 ; r 4

Naccache-Stern encryption pk = (M,P,g)sk =  (M) –M is an RSA modulus –P = p 1 p 2 …p d where p 1,…,p d are O(log k) bit primes –P | ord(g) =  (M)/4 and |P| =  (|M|) E pk (m;r) = g m r P mod M D sk (c):For each p i compute m mod p i c  (M)/p i = (g m r P )  (M)/p i = (g m  (M)/p i )(r  (M)P/p i ) = (g  (M)/p i ) m Chinese remainder gives us m mod P

Naccache-Stern implementation of hidden bits Statement: x  L CRS (x,w)  R L …1 00…1 10…0 K(1 k )  (pk,sk) c 1 c 2 c 3 c 4 E pk (010;r 1 ) E pk (101;r 2 ) E pk (011;r 3 ) E pk (110;r 4 ) ?1? ;  1 10? ;  2 ??1 ;  3 ??? ;  4 0 if m mod p i even 1 if m mod p i odd  if m mod p i is -1

Revealing part of Naccache-Stern plaintext Ciphertext c = g m r P How to prove that m = x mod p i ? Prover reveals  such that  P = (cg -x ) P/p i We can raise both sides to  (M)/P Gives us   (M) = (g m-x r P )  (M)/p i = (g  (M)/p i ) m-x Implies 1 = (g  (M)/p i ) m-x Since the order of (g  (M)/p i ) is p i this shows m = x mod p i

Revealing part of Naccache-Stern plaintext Ciphertext c = g m r P How to prove that m = x mod p i ? Prover reveals  such that  P = (cg -x ) P/p i Can compute the proof as  = (cg -x ) (P -1 mod  (M)/P)P/p i Can randomize proof by multiplying with s  (M)/P Generalizes to reveal m = x mod  i  S p i with a proof consisting of one group element

Zero-knowledge Simulator sets up pk = (M,P,g) such that ord(g) =  (M)/4P and g = h P mod M Simulator also sets up the CRS such that it contains ciphertexts of the form c = s P mod M For any m  Z P we can compute r = h -m s mod M such that s P = g m (g -m )s P = g m h -mP s P = g m r P mod M This means the simulator can open each ciphertext to arbitrary hidden bits using  = r

Final step – showing the key is valid The public key is pk = (M,P,g) The verifier can easily check P is a product of small primes p 1,…,p d But needs to be convinced M and g are ok Can do this with trapdoor permutation based NIZK –Statement is small so it does not affect total cost –Trapdoor permutations implied by Naccache-Stern So we use a small seeder NIZK to build large scale NIZK from Naccache-Stern encryption

Summary Technique 1: Reduce soundness error with probabilistically checkable proofs Technique 2: Implement hidden random bit string with Naccache-Stern encryption Hidden bitsProof in bitsAssumption Kilian-Petrank |C|∙k T ∙k∙  (log k) Trapdoor perms This work|C|∙k T ∙polylog(k) Trapdoor perms CRS in bitsProof in bitsAssumption Gentrypoly(k)|w|∙poly(k)Lattice-based + NIZK G-Ostrovsky-Sahaik 3 /polylog(k)|C|∙k 3 /polylog(k)Pairing-based This talk|C|∙polylog(k) Naccache-Stern Other workpoly(k)|w| + poly(k)FHE + NIZK