Presentation is loading. Please wait.

Presentation is loading. Please wait.

Short Non-interactive Zero-Knowledge Proofs

Published byEric McDonough Modified over 10 years ago

Similar presentations

Presentation on theme: "Short Non-interactive Zero-Knowledge Proofs"— Presentation transcript:

1 Short Non-interactive Zero-Knowledge Proofs
Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA

2 Non-interactive zero-knowledge proof
CRS: 0100…11010 Statement: xL (x,w)RL Proof:  Prover Verifier Zero-knowledge: Nothing but truth revealed Soundness: Statement is true

3 Non-interactive zero-knowledge proofs
Adaptive soundness: Adversary sees CRS before attempting to cheat with false (C,) Statement C is satisfiable circuit Perfect completeness Statistical soundness Computational zero-knowledge Uniformly random common reference string Efficient prover – probabilistic polynomial time Deterministic polynomial time verifier

4 Our results Security level: 2-k Trapdoor perm size: kT = poly(k)
Circuit size: |C| = poly(k) Witness size: |w|  |C| CRS in bits Proof in bits Assumption Kilian-Petrank |C|∙kT∙k∙(log k) Trapdoor perms This work |C|∙kT∙polylog(k) CRS in bits Proof in bits Assumption Gentry poly(k) |w|∙poly(k) Lattice-based G-Ostrovsky-Sahai k3/polylog(k) |C|∙k3/polylog(k) Pairing-based This work |C|∙polylog(k) Naccache-Stern

5 Hidden random string - soundness
Statement: xL (x,w)RL 1 1

6 Hidden random string – zero-knowledge
Statement: xL 1

7 Two new techniques More efficient use of hidden random bits
Kilian-Petrank: |C|∙k∙(log(k)) hidden random bits This work: |C|∙polylog(k) hidden random bits More efficient implementation of hidden bits Trapdoor permutations: kT = poly(k) bits per hidden random bit Naccache-Stern encryption: O(log k) bits per hidden random bit

8 Implementing the hidden random bits model
Statement: xL (x,w)RL c1 Epk(0;r1) 01...0 c1 Epk(1;r2) 1 ; r2 11…1 c2 Epk(0;r3) c3 00…1 c3 K(1k)  (pk,sk) 0 ; r4 Epk(1;r4) 10…0 c4

9 Naccache-Stern encryption
pk = (M,P,g) sk = (M) M is an RSA modulus P = p1p2…pd where p1,…,pd are O(log k) bit primes P | ord(g) = (M)/4 and |P| = O(|M|) Epk(m;r) = gmrP mod M Dsk(c): For each pi compute m mod pi c(M)/pi = (g(M)/pi)m Chinese remainder gives m mod P

10 Naccache-Stern implementation of hidden bits
0 if m mod pi even 1 if m mod pi odd  if m mod pi is -1 Statement: xL (x,w)RL ?1? ; 1 Epk(010;r1) 01...0 c1 Epk(101;r2) 10? ; 2 11…1 c2 Epk(011;r3) ??1 ; 3 00…1 c3 K(1k)  (pk,sk) ??? ; 4 Epk(110;r4) 10…0 c4

11 Revealing part of Naccache-Stern plaintext
Ciphertext c = gmrP How to prove that m = x mod pi? Prover reveals  such that P = (cg-x)P/pi Shows (M) = (gm-xrP)(M)/pi = (g(M)/pi)m-x Can compute the proof as  = (cg-x)(P-1 mod (M)/P)P/pi Can randomize proof by multiplying with s(M)/P Generalizes to reveal m mod iSpi with a proof consisting of one group element

12 Zero-knowledge Simulator sets up pk = (M,P,g) such that ord(g) = (M)/4P and g = hP mod M Simulator also sets up the CRS such that it only contains ciphertexts of the form gt mod M For any m  ZP we can compute r = ht-m mod M such that gt = gm(gt-m) = gmrP mod M This means the simulator can open each ciphertext to arbitrary hidden bits

13 Efficient use of the hidden random bits
Statement: xL (x,w)RL 1 1

14 Probably hidden pairs are 00 and 11
Kilian-Petrank Probably hidden pairs are 00 and 11 Random bits not useful; need bits with structure Use statistical sampling to get “good” blocks 10 11 00 01

15 Kilian-Petrank continued
Reveal blocks of bits so remaining “good” blocks of bits have a particular structure (statistically) Reduce C to a 3SAT formula  Assign remaining “good” blocks to variables in  For each clause reveal some bits in the blocks assigned to the literals of the clause An unsatisfied clause has some probability of the revealed bits not satisfying certain criterion Repeat many times to make the probability of cheating negligible for each clause

16 Probabilistically checkable proofs
Polynomial time algorithms f, fw: f: C    belongs to gap-3SAT5 fw: w  x if C(w)=1 then (x)=1  is a gap-3SAT5 formula All variables appear in exactly 5 clauses – thrice as positive literal and twice as negative Either all clauses are simultaneously satisfiable or a constant fraction are unsatisfiable

17 Strategy Compute  = f(C) and prove that it is satisfiable
With the most efficient probabilistically checkable proofs (Dinur 07 combined with BenSasson-Sudan 08) we have || = |C| polylog(k) Seems counterintuitive to make statement larger However, since  allows for a constant fraction of “errors” less repetition is needed to make the overall soundness error negligible It is ok if the prover cheats on some clauses as long as cannot cheat on a constant fraction

18 Summary Technique 1: Reduce soundness error with probabilistically checkable proofs Technique 2: Implement hidden random bit string with Naccache-Stern encryption Hidden bits Proof in bits Assumption Kilian-Petrank |C|∙kT∙k∙(log k) Trapdoor perms This work |C|∙kT∙polylog(k) CRS in bits Proof in bits Assumption Gentry poly(k) |w|∙poly(k) Lattice-based G-Ostrovsky-Sahai k3/polylog(k) |C|∙k3/polylog(k) Pairing-based This work |C|∙polylog(k) Nacache-Stern

Download ppt "Short Non-interactive Zero-Knowledge Proofs"

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.

Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.

Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
Sublinear Algorithms 1 3 2 … Lecture 23: April 20.

Sublinear Algorithms … Lecture 23: April 20.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
INHERENT LIMITATIONS OF COMPUTER PROGRAMS CSci 4011.

INHERENT LIMITATIONS OF COMPUTER PROGRAMS CSci 4011.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
A threshold of ln(n) for approximating set cover By Uriel Feige Lecturer: Ariel Procaccia.

A threshold of ln(n) for approximating set cover By Uriel Feige Lecturer: Ariel Procaccia.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.

Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.

Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH  P #P. –Program checking and hardness on the average of the permanent.

Similar presentations

Ads by Google