Download presentation

Presentation is loading. Please wait.

Published bySamantha Newton Modified over 4 years ago

1
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AAAAA A A A A A A

2
Motivation VoterOfficial We can only accept correctly formatted votes Attaching encrypted vote to this e-mail

3
Non-interactive zero-knowledge proof VoterOfficial Ok, we will count your vote Attaching encrypted vote to this e-mail + NIZK argument that correctly formatted Soundness: Vote is correct Zero-knowledge: Vote remains secret

4
Non-interactive zero-knowledge argument ProverVerifier Soundness: Statement is true Zero-knowledge: Nothing but truth revealed Common reference string Proof: (x,w) R L Statement: x L

5
Applications of NIZK arguments Ring signatures Group signatures Anonymous credentials Verifiable encryption Voting...

6
Our contribution Common reference string with special distribution Statement: C is satisfiable circuit Very efficient verifier Sub-linear (constant) size NIZK argument Not Fiat-Shamir heuristic (no random oracle) Perfect completeness Computational soundness Perfect zero-knowledge Adaptive soundness: Adversary sees CRS before attempting to cheat with false (C, )

7
Pairings G, G T groups of prime order p Bilinear map e: G G G T –e(a x,b y ) = e(a,b) xy –e(g,g) generates G T if g is non-trivial Group operations, deciding group membership, computing bilinear map are efficiently computable

8
Assumptions Power knowledge of exponent assumption (q-PKE): Given (g,g x,…,g x q,g,g x,…,g x q ) hard to compute (c,c ) without knowing a 0,…,a q such that c = g a 0 g a 1 x …g a q x q Computational power Diffie-Hellman (q-CPDH): For all j hard to compute g x j given (g,g x,…,g x q,g,g x,…,g x j-1,g x j+1,…,g x q ) Both assumptions hold in generic group model

9
Comparison CRSSizeProver comp.Verifier comp. Kilian-Petrank (Nk) group (Nk) expo (Nk) mult Trapdoor permutationsStat. SoundComp. ZK GOSO(1) groupO(N) groupO(N) expoO(N) pairing Subgroup decisionPerfect soundComp. ZK Abe-FehrO(1) groupO(N) groupO(N) expoO(N) pairing Dlog & knowledge of expo.Comp. soundPerfect ZK This workO(N 2 ) groupO(1) groupO(N 2 ) multO(N) mult q-PKE and q-CPDHComp. soundPerfect ZK This workO(N 2/3 ) group O(N 4/3 ) multO(N) mult q-PKE and q-CPDHComp. soundPerfect ZK Interactive +O(N) group O(N) mult Fiat-ShamirDlog and random oracleComp. soundPerfect ZK

10
Knowledge commitments Commitment key: ck=(g,g x,…,g x q,g,g x,…,g x q ) Commitment to (a 1,…,a q ) using randomness r Z p c = (g) r (g x ) a 1 …(g x q ) a q ĉ = (g ) r (g x ) a 1 …(g x q ) a q Verifying commitment: e(c,g ) = e(ĉ,g) Knowledge: q-PKE assumption says impossible to create valid (c,ĉ) without knowing r,a 1,…,a q

11
Homomorphic property c = (g) r (g x ) a 1 …(g x q ) a q log(c) = r+a 1 x+…+a q x q Homomorphic commit(a 1,…,a q ;r) commit(b 1,…,b q ;s) = commit(a 1 +b 1,…,a q +b q ;r+s) (r+ a i x i ) + (s+ b i x i ) = r+s+ (a i +b i )x i

12
Tools Constant size knowledge commitments for tuples of elements (a 1,…,a q ) (Z p ) q Homomorphic so we can add committed tuples com(a 1,…,a q )com(b 1,…,b q ) = com(a 1 +b 1,…,a q +b q ) NIZK argument for multiplicative relationship com(a 1,…,a q ) com(b 1,…,b q ) com(a 1 b 1,…,a q b q ) NIZK argument for known permutation com(a 1,…,a q ) com(a (1),…,a (q) )

13
Circuit with NAND-gates commit(a 1,…,a N,b 1,…,b N ) commit(b 1,…,b N,0,…..,0) commit(u 1,…,u N,0,…..,0) NIZK argument for u N = 1 NIZK argument for everything else consistent a1a1 a2a2 a3a3 a4a4 b1b1 b2b2 b3b3 b4b4 u1u1 u3u3 u2u2 u4u4

14
Consistency Need to show valid inputs a 1,…,a N,b 1,…b N {0,1} NIZK argument for multiplicative relationship commit(a 1,…,a N,b 1,…b N ) commit(a 1,…,a N,b 1,…b N ) commit(a 1,…,a N,b 1,…b N ) shows a 1 a 1 =a 1, …, a N a N =a N, b 1 b 1 =b 1, …, b N b N =b N Only possible if a 1 {0,1}, …, a N {0,1}, b 1 {0,1}, …, b N {0,1}

15
Consistency Homomorphic property gives commit(1,…,1,0,…,0) / commit(u 1,…,u N,0,…,0) = commit(1-u 1,…,1-u N,0,…,0) NIZK argument for multiplicative relationship in commit(a 1,…,a N,b 1,…,b N ) commit(b 1,…,b N,0,…,0) commit(1-u 1,…,1-u N,0,…,0) shows 1-u 1 =a 1 b 1,…,1-u N =a N b N This proves all NAND-gates are respected u 1 = (a 1 b 1 ),…,u N = (a N b N )

16
Consistency Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever a i and b j correspond to the same wire a i = b j We refer to the full paper for the details

17
Circuit with NAND-gates commit(a 1,…,a N,b 1,…,b N ) commit(b 1,…,b N,0,…..,0) commit(u 1,…,u N,0,…..,0) NIZK argument for u N = 1 NIZK argument for everything else consistent a1a1 a2a2 a3a3 a4a4 b1b1 b2b2 b3b3 b4b4 u1u1 u3u3 u2u2 u4u4

18
Conclusion NIZK argument of knowledge –perfect completeness –perfect zero-knowledge –computational soundness Short and efficient to verify CRSArgumentProver comp.Verifier comp. Minimal argumentO(N 2 )O(1)O(N 2 ) multsO(N) mults Balanced sizesO(N 2/3 ) O(N 4/3 ) multsO(N) mults CRS O(N 2(1-ε) ) and argument O(N ε ) q-PKE and q-CPDH

19
Thanks Full paper available at www.cs.ucl.ac.uk/staff/J.Groth

Similar presentations

OK

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google

Ppt on orphans and orphanages in india Ppt on railway track maps Ppt on transportation in plants for class 7 Ppt on inertial frame of reference Ppt on paintings and photographs related to colonial period food Gastrointestinal anatomy and physiology ppt on cells Ppt on traction rolling stock trains Ppt on eddy current suppression Led based moving message display ppt on ipad Ppt on history of islam