Download presentation
Presentation is loading. Please wait.
1
Perfect Non-interactive Zero-Knowledge for NP
Jens Groth Rafail Ostrovsky Amit Sahai UCLA Will appear on ePrint archive shortly
2
Non-Interactive Zero-Knowledge
common reference string σ C(w)=1 circuit C P V proof/argument π Problems even computational NIZK inefficient no statistical NIZK arguments for NP no UC NIZK arguments for NP
3
Our contributions Computational NIZK proof for Circuit SAT - O(k)-bit common reference string - O(|C|k)-bit proofs Perfect NIZK argument for Circuit SAT - non-adaptive soundness - adaptive soundness (restrictions) Perfect zero-knowledge UC NIZK argument for Circuit SAT
4
BGN cryptosystem (TCC 2005)
Setup G group of order n = pq bilinear map e: G G G1 pk = (n, G, G1, e, g, h) ord(g) = n, ord(h) = q Additively homomorphic gm1hr1 gm2hr2 = gm1+m2hr1+r2 Multiplication-mapping e(gm1hr1, gm2hr2) = e(g,g)m1m2e(h,gm1r2+m2r1hr1r2) Decision subgroup problem ord(h) = q or ord(h) = n ?
5
NIZK proof NIZK for Circuit SAT (NAND-gates) BGN-encrypt all wires
NIZK proof 0 or 1 plaintexts * - e(c, cg-1) encrypts 0 NIZK proof encrypted bits respect NAND-gates Zero-knowledge simulation ord(g) = ord(h) = n gmhr is perfectly hiding
6
Perfect zero-knowledge
Perfect NIZK argument ord(g) = ord(h) = n Adaptive soundness problem - C satisfiable on ord(h) = q reference string - C unsatisfiable on ord(h) = n ref. string Solution restrict ourselves to circuits of small size so 2|C|log|C|Adv-SD(k) is negligible
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.