Jens Groth and Mary Maller, University College London


1 Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs
Jens Groth and Mary Maller, University College London

2 Digital signature
The signer holds a randomly chosen key pair $(pk, sk)$; the verifier holds the public key $pk$. The signer sends message $m$ with signature $\sigma$, and the verifier outputs OK.
sEUF-CMA security: the adversary sees signatures $\sigma_i$ on adaptively chosen messages $m_i$ and cannot forge a valid message-signature pair $(m, \sigma)$ except by copying an earlier pair $(m_i, \sigma_i)$.

3 Schnorr signatures
The signer holds a randomly chosen key pair $(pk, sk)$; the verifier holds $pk$ and receives message $m$ with signature $\sigma$.
The signature says: "Here is a proof that I know the secret key $sk$ associated with $pk$, and I want to sign message $m$."
Knowledge soundness: the signer really knows $sk$.
Zero-knowledge: the signature does not disclose enough about $sk$ to enable others to sign messages.

4 Signatures of knowledge
The signer holds $(\phi, w) \in R$; the verifier sees the NP instance $\phi \in L_R$, the message $m$ and the signature $\sigma$.
The signature says: "Here is a proof that I know a witness $w$ for $\phi \in L_R$, and I want to sign message $m$."

5 Signature of knowledge algorithms
Relation generator $\mathbf{R}(1^\lambda) \to R$: takes the security parameter $\lambda$ and outputs an NP-relation $R$ of pairs $(\phi, w)$.
Setup$(R)$: generate public parameters $pp$.
Sign$(pp, \phi, w, m)$: given $(\phi, w) \in R$, return a signature of knowledge $\sigma$ on $m$.
Vfy$(pp, \phi, m, \sigma)$: return 1 (accept) or 0 (reject).

6 Correctness
The signer holds $(\phi, w) \in R$; the verifier sees instance $\phi$, message $m$ and signature $\sigma$, and outputs OK.
For all $\lambda \in \mathbb{N}$, $R \leftarrow \mathbf{R}(1^\lambda)$, $(\phi, w) \in R$, $m \in \{0,1\}^*$:
$\Pr[pp \leftarrow \mathrm{Setup}(R);\ \sigma \leftarrow \mathrm{Sign}(pp, \phi, w, m) : \mathrm{Vfy}(pp, \phi, m, \sigma) = 1] = 1$

7 What you prove
Standard signatures:
- Public key $pk$, secret key $sk$. Example: $pk = (G, Y)$, $sk = x$ such that $Y = G^x$.
- Randomly chosen keys $(pk, sk) \leftarrow \mathrm{KeyGen}(1^\lambda)$.
- Often used repeatedly.
Signatures of knowledge:
- Arbitrary statements. Examples: SAT, such as $(x_1 \wedge x_2 \wedge \neg x_3) \vee (x_2 \wedge x_4 \wedge x_5)$; Hamiltonian cycle; circuit SAT.
- Two instances $\phi, \phi'$ may be related, say $w' = w + 1$.

8 Simulatability
The signer holds $(\phi, w) \in R$; the verifier sees instance $\phi$, message $m$ and signature $\sigma$, and complains: "Damned, I did not learn the witness."
For all $\lambda \in \mathbb{N}$, $R \leftarrow \mathbf{R}(1^\lambda)$ and all adversaries $A$ selecting $(\phi, w) \in R$:
$\Pr[(pp, \tau) \leftarrow \mathrm{SimSetup}(R);\ (\phi, w, m) \leftarrow A(pp);\ \sigma \leftarrow \mathrm{SimSign}(\tau, \phi, m) : A(\sigma) = 1]$
$= \Pr[pp \leftarrow \mathrm{Setup}(R);\ (\phi, w, m) \leftarrow A(pp);\ \sigma \leftarrow \mathrm{Sign}(pp, \phi, w, m) : A(\sigma) = 1]$

9 Simulation-extractability
The adversary, given instance $\phi$, produces message $m$ and signature $\sigma$ while thinking: "I don't know $w$, but maybe I can cheat."
Non-black-box extractor, because we want succinctness!
For all PPT adversaries $A$ there is a PPT extractor $\chi_A$ such that
$\Pr[R \leftarrow \mathbf{R}(1^\lambda);\ (pp, \tau) \leftarrow \mathrm{SimSetup}(R);\ (\phi, m, \sigma) \leftarrow A^{\mathrm{SimSign}(\tau, \cdot, \cdot)}(pp);\ w \leftarrow \chi_A(\mathrm{transcript}_A) : \mathrm{Vfy}(pp, \phi, m, \sigma) = 1 \wedge (\phi, m, \sigma) \notin Q \wedge (\phi, w) \notin R] \approx 0$
where $Q$ is the set of triples $(\phi_i, m_i, \sigma_i)$ answered by the SimSign oracle.

10 Non-interactive zero-knowledge argument
The prover holds $(\phi, w) \in R$; both parties have the common reference string. The prover sends instance $\phi$ with proof $\pi$, and the verifier outputs OK.
Zero-knowledge: nothing but the truth of the statement is revealed.
Soundness: the statement is true.

11 NIZK argument algorithms
Relation generator $\mathbf{R}(1^\lambda) \to R$: takes the security parameter $\lambda$ and outputs an NP-relation $R$ of pairs $(\phi, w)$.
Setup$(R)$: generate common reference string $crs$.
Prove$(crs, \phi, w)$: given $(\phi, w) \in R$, return proof $\pi$.
Vfy$(crs, \phi, \pi)$: return 1 (accept) or 0 (reject).

12 Completeness
The prover holds $(\phi, w) \in R$; both parties have the common reference string; the prover sends instance $\phi$ with proof $\pi$, and the verifier outputs OK.
For all $\lambda \in \mathbb{N}$, $R \leftarrow \mathbf{R}(1^\lambda)$, $(\phi, w) \in R$:
$\Pr[crs \leftarrow \mathrm{Setup}(R);\ \pi \leftarrow \mathrm{Prove}(crs, \phi, w) : \mathrm{Vfy}(crs, \phi, \pi) = 1] = 1$

13 Zero-knowledge
The prover holds $(\phi, w) \in R$; the verifier, given the common reference string, instance $\phi$ and proof $\pi$, complains: "Damned, I did not learn the witness."
For all $\lambda \in \mathbb{N}$, $R \leftarrow \mathbf{R}(1^\lambda)$ and all adversaries $A$ selecting $(\phi, w) \in R$:
$\Pr[(crs, \tau) \leftarrow \mathrm{SimSetup}(R);\ (\phi, w) \leftarrow A(crs);\ \pi \leftarrow \mathrm{SimProve}(\tau, \phi) : A(\pi) = 1]$
$= \Pr[crs \leftarrow \mathrm{Setup}(R);\ (\phi, w) \leftarrow A(crs);\ \pi \leftarrow \mathrm{Prove}(crs, \phi, w) : A(\pi) = 1]$

14 Simulation-extractability
The adversary, given the common reference string and instance $\phi$, produces proof $\pi$ while thinking: "I don't know $w$, but maybe I can cheat."
For all PPT adversaries $A$ there is a PPT extractor $\chi_A$ such that
$\Pr[R \leftarrow \mathbf{R}(1^\lambda);\ (crs, \tau) \leftarrow \mathrm{SimSetup}(R);\ (\phi, \pi) \leftarrow A^{\mathrm{SimProve}(\tau, \cdot)}(crs);\ w \leftarrow \chi_A(\mathrm{transcript}_A) : \mathrm{Vfy}(crs, \phi, \pi) = 0 \ \text{or}\ (\phi, \pi) \in Q \ \text{or}\ (\phi, w) \in R] \approx 1$
where $Q$ is the set of pairs $(\phi_i, \pi_i)$ answered by the SimProve oracle.

15 Signatures of knowledge imply simulation-extractable NIZK arguments
ZSetup$(R)$: return $crs = pp \leftarrow \mathrm{SSetup}(R)$.
ZProve$(crs, \phi, w)$: set $m = 0$; return $\pi = \sigma \leftarrow \mathrm{SSign}(crs, \phi, w, m)$.
ZVfy$(crs, \phi, \pi)$: return SVfy$(crs, \phi, m, \pi)$ with $m = 0$.
Completeness follows from correctness; zero-knowledge follows from simulatability; simulation-extractability follows from simulation-extractability.

16 Simulation-extractable NIZK arguments and CRHFs imply signatures of knowledge
Hash function $H_K : \{0,1\}^* \to \{0,1\}^\lambda$.
Define $R' = \{(\phi', w) : \phi' = (h, \phi),\ h \in \{0,1\}^\lambda,\ (\phi, w) \in R\}$.
SSetup$(R)$: pick hash-function key $K \leftarrow \{0,1\}^{\ell(\lambda)}$; run $crs \leftarrow \mathrm{ZSetup}(R')$; return $pp = (K, crs)$.
SSign$(pp, \phi, w, m)$: set $\phi' = (H_K(m), \phi)$; return $\sigma = \pi \leftarrow \mathrm{ZProve}(crs, \phi', w)$.
SVfy$(pp, \phi, m, \sigma)$: set $\phi' = (H_K(m), \phi)$; return ZVfy$(crs, \phi', \sigma)$.
Correctness from completeness; simulatability from zero-knowledge; simulation-extractability from collision-resistance and simulation-extractability.

17 Our contribution
SE-NIZK argument: perfect completeness; perfect zero-knowledge; simulation-extractable under the XPKE and Poly assumptions.
Efficiency: asymmetric (Type III) pairings; 3 group element proofs; low computation.
SE-SNARK: Simulation-Extractable Succinct Non-interactive Argument of Knowledge.

18 Example corresponds to the quadratic equation $(s_1 + s_3) \cdot s_3 = s_2$
[Figure: arithmetic circuit with wires $s_1, s_2, s_3, s_4$]
In general an arithmetic circuit can be written as a set of $n$ equations of the form $(\sum_i s_i u_i) \cdot (\sum_i s_i v_i) = \sum_i s_i w_i$ over variables $s_1, \ldots, s_m$, with $s_0 = 1$ by convention.
The arithmetic circuit defines an NP-language with instances $(s_1, \ldots, s_\ell)$ and witnesses $(s_{\ell+1}, \ldots, s_m)$.

19 Set of squaring constraints
Go from $n$ equations over $m$ variables up to $2n$ equations over $m + n$ variables.
Consider a set of quadratic equations $(\sum_i s_i u_i) \cdot (\sum_i s_i v_i) = \sum_i s_i w_i$ over a field $\mathbb{Z}_p$ with constants $u_i, v_i, w_i$ and variables $s_0 = 1$, $\phi = (s_1, \ldots, s_\ell)$, $w = (s_{\ell+1}, \ldots, s_m)$.
We can use the identity $(a + b)^2 = (a - b)^2 + 4ab$ to rewrite each of them as a pair of squaring equations with one new variable $s'$:
$(\sum_i s_i (u_i + v_i))^2 = s' + 4 \sum_i s_i w_i$
$(\sum_i s_i (u_i - v_i))^2 = s'$

20 Polynomial rewriting
Consider $n$ squaring equations over $m$ variables: $(\sum_i s_i u_{ij})^2 = \sum_i s_i w_{ij}$ for $j = 1, \ldots, n$.
Pick distinct $r_1, \ldots, r_n \in \mathbb{Z}_p$.
Let $u_0(X), \ldots, u_m(X)$ and $w_0(X), \ldots, w_m(X)$ be degree $n - 1$ polynomials such that $u_i(r_j) = u_{ij}$ and $w_i(r_j) = w_{ij}$.
Key observation: $(\sum_i s_i u_i(r_j))^2 = \sum_i s_i w_i(r_j)$ for $j = 1, \ldots, n$.
Define $t(X) = \prod_j (X - r_j)$. The key observation can be rewritten as
$(\sum_i s_i u_i(X))^2 \equiv \sum_i s_i w_i(X) \pmod{t(X)}$

21 Square arithmetic programs
A square arithmetic program is described by a prime $p$, integers $1 \le \ell \le m$ and $1 \le n$, and degree $n$ polynomials $u_0(X), \ldots, u_m(X)$, $w_0(X), \ldots, w_m(X)$, $t(X)$.
Square arithmetic program relation:
$R = \{(\phi, w) : s_0 = 1,\ \phi = (s_1, \ldots, s_\ell) \in \mathbb{Z}_p^\ell,\ w = (s_{\ell+1}, \ldots, s_m) \in \mathbb{Z}_p^{m-\ell},\ (\sum_i s_i u_i(X))^2 \equiv \sum_i s_i w_i(X) \pmod{t(X)}\}$
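The following Python example is added here and is not code from the slides or the paper: it takes the slide-18 constraint $(s_1 + s_3)\cdot s_3 = s_2$ through the squaring rewrite of slide 19 and the polynomial rewrite of slides 20 and 21, and checks the resulting SAP relation by polynomial division. It assumes a constructed toy prime $p = 101$ and the evaluation points $r_1 = 1$, $r_2 = 2$.

```python
# Added example (not code from the slides or the paper): the slide-18 constraint
# (s1 + s3) * s3 = s2 as squaring constraints, then as a square arithmetic program
# over a constructed toy field Z_p, with the mod-t(X) check the SAP relation needs.
P = 101  # constructed small prime; a real SAP uses the pairing-group order

def poly_add(a, b):  # coefficient lists, lowest degree first
    a, b = a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b))
    return [(x + y) % P for x, y in zip(a, b)]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def poly_divmod(a, t):  # long division by monic t; returns (quotient, remainder)
    a, q = a[:], [0] * max(1, len(a) - len(t) + 1)
    for i in range(len(a) - len(t), -1, -1):
        q[i] = a[i + len(t) - 1]
        for j, tj in enumerate(t):
            a[i + j] = (a[i + j] - q[i] * tj) % P
    return q, a[:len(t) - 1]

def lagrange(points):  # polynomial through (r_j, y_j), degree < len(points)
    coeffs = [0]
    for j, (rj, yj) in enumerate(points):
        basis, denom = [1], 1
        for k, (rk, _) in enumerate(points):
            if k != j:
                basis, denom = poly_mul(basis, [-rk % P, 1]), denom * (rj - rk) % P
        coeffs = poly_add(coeffs, [c * yj * pow(denom, -1, P) % P for c in basis])
    return coeffs

# Quadratic constraint (sum s_i u_i)(sum s_i v_i) = sum s_i w_i over s0..s3, s0 = 1.
U, V, W = [0, 1, 0, 1], [0, 0, 0, 1], [0, 0, 1, 0]
# Slide 19: (a+b)^2 = (a-b)^2 + 4ab, with the new variable s4 = s' = (a-b)^2.
LHS = [[(u + v) % P for u, v in zip(U, V)] + [0], [(u - v) % P for u, v in zip(U, V)] + [0]]
RHS = [[4 * w % P for w in W] + [1], [0] * 4 + [1]]
R = [1, 2]  # distinct r_j, one per squaring equation (slide 20)
T = poly_mul([-R[0] % P, 1], [-R[1] % P, 1])  # t(X) = (X - r1)(X - r2)
U_POLY = [lagrange([(R[j], LHS[j][i]) for j in range(2)]) for i in range(5)]
W_POLY = [lagrange([(R[j], RHS[j][i]) for j in range(2)]) for i in range(5)]

def sap_check(s):
    """Slide 21 relation: (sum s_i u_i(X))^2 = sum s_i w_i(X) mod t(X); returns (ok, h)."""
    left, right = [0], [0]
    for si, ui, wi in zip(s, U_POLY, W_POLY):
        left = poly_add(left, [c * si % P for c in ui])
        right = poly_add(right, [c * si % P for c in wi])
    h, rem = poly_divmod(poly_add(poly_mul(left, left), [-c % P for c in right]), T)
    return not any(rem), h  # h(X) is the quotient the prover folds into C
```

With $s_1 = 2$, $s_3 = 3$ the honest assignment is $s = (1, 2, 15, 3, 4)$, since $s_2 = 5 \cdot 3$ and $s' = (5 - 3)^2$; changing $s_2$ or $s'$ leaves a nonzero remainder, which is exactly what the SAP relation rejects.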

22 Prime order bilinear groups
$\mathrm{Gen}(1^\lambda)$ generates $(p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, G, H)$.
$\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are finite cyclic groups of prime order $p$, generated by $G$, $H$ and $e(G, H)$ respectively.
Bilinear map: $e(G^a, H^b) = e(G, H)^{ab}$.
Generic group operations are efficiently computable: deciding group membership, group multiplication, pairing.
Asymmetric bilinear groups (Type III): no efficiently computable isomorphism between $\mathbb{G}_1$ and $\mathbb{G}_2$.

23 SE-SNARK
CRS size: $m + 2n$ $\mathbb{G}_1$, $n$ $\mathbb{G}_2$. Proof size: $2$ $\mathbb{G}_1$, $1$ $\mathbb{G}_2$. Prover: $m + 2n - \ell$ $E_1$, $n$ $E_2$. Verifier: $\ell$ $E_1$, $5$ $P$.
Setup$(R) \to crs$: pick $G \leftarrow \mathbb{G}_1^*$, $H \leftarrow \mathbb{G}_2^*$, $\alpha, \beta, \gamma, x \leftarrow \mathbb{Z}_p^*$ such that $t(x) \neq 0$, and set
$crs = \big(R,\ G^\alpha,\ G^\beta,\ G^{\gamma t(x)},\ G^{\gamma t(x)^2},\ G^{(\alpha+\beta)\gamma t(x)},\ \{G^{\gamma x^i},\ H^{\gamma x^i},\ G^{\gamma^2 t(x) x^i}\}_{i=0}^{n-1},\ \{G^{\gamma w_i(x) + (\alpha+\beta) u_i(x)}\}_{i=0}^{\ell},\ \{G^{\gamma^2 w_i(x) + (\alpha+\beta)\gamma u_i(x)}\}_{i=\ell+1}^{m},\ H,\ H^\beta,\ H^{\gamma t(x)}\big)$
Prove$(crs, \phi, w) \to \pi = (A, B, C)$: pick $r \leftarrow \mathbb{Z}_p$ and set
$A = G^{\gamma(\sum_i s_i u_i(x) + r t(x))}$, $B = H^{\gamma(\sum_i s_i u_i(x) + r t(x))}$,
$C = G^{\sum_{i > \ell} s_i(\gamma^2 w_i(x) + (\alpha+\beta)\gamma u_i(x)) + r^2 \gamma^2 t(x)^2 + r(\alpha+\beta)\gamma t(x) + \gamma^2 t(x)(h(x) + 2r \sum_i s_i u_i(x))}$
where $h(X)$ is the quotient polynomial with $(\sum_i s_i u_i(X))^2 = \sum_i s_i w_i(X) + h(X)\, t(X)$.
Vfy$(crs, \phi, \pi) \to 0/1$: return 1 if and only if $e(A, H^\gamma) = e(G^\gamma, B)$ and
$e(A \cdot G^\alpha, B \cdot H^\beta) = e(G^\alpha, H^\beta)\ e\big(G^{\sum_{i \le \ell} s_i(\gamma w_i(x) + (\alpha+\beta) u_i(x))}, H^\gamma\big)\ e(C, H)$.

24 Assumptions
Computational Polynomial Assumption: see the paper.
Extended Power Knowledge of Exponent Assumption: for all PPT $A$ there is a PPT $\chi_A$ such that
$\Pr[gk = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, G, H) \leftarrow \mathrm{Gen}(1^\lambda);\ \mathbf{z} \leftarrow \mathbb{Z}_p^q;\ (G^a, H^b) \leftarrow A^{O^1_{G,\mathbf{z}}(\cdot),\, O^2_{H,\mathbf{z}}(\cdot)}(gk);\ \boldsymbol{\eta} \leftarrow \chi_A(\mathrm{transcript}_A) : a = b \ \text{and}\ b \neq \sum_j \eta_j h_j(\mathbf{z})] \approx 0$
where, on $q$-variate polynomials $g_j$ or $h_j$, the oracle $O^1_{G,\mathbf{z}}(g_j(\mathbf{Z}))$ returns $G^{g_j(\mathbf{z})}$ and $O^2_{H,\mathbf{z}}(h_j(\mathbf{Z}))$ returns $H^{h_j(\mathbf{z})}$.

25 Efficiency
| Construction | Proof size | Prover | Verifier | Eq. |
| [BCTV14] (zk-SNARK) | $7$ $\mathbb{G}_1$, $1$ $\mathbb{G}_2$ | $6m + n$ $E_1$, $m$ $E_2$ | $\ell$ $E_1$, $12$ $P$ | 5 |
| [Groth16] (zk-SNARK) | $2$ $\mathbb{G}_1$, $1$ $\mathbb{G}_2$ | $m + 3n$ $E_1$, $n$ $E_2$ | $\ell$ $E_1$, $3$ $P$ | 1 |
| This work (SE-SNARK) | $2$ $\mathbb{G}_1$, $1$ $\mathbb{G}_2$ | $m + 4n$ $E_1$, $2n$ $E_2$ | $\ell$ $E_1$, $5$ $P$ | 2 |
Arithmetic circuits with $m$ wires, $n$ gates and instance size $\ell$ ($\ell \ll n < m$). Group element $\mathbb{G}$, exponentiation $E$, pairing $P$.
Lower bounds:
- [Groth16]: pairing-based zk-SNARKs cannot have 1 group element proofs.
- This work: pairing-based SE-SNARKs cannot have 2 group element proofs or just 1 verification equation.

