- Slides: 22
Perfect Non-interactive Zero-Knowledge for NP. Jens Groth, Rafail Ostrovsky, Amit Sahai. University of California, Los Angeles.
Motivation: "I'm a woman." "Prove it!" "OK, I will make a zero-knowledge proof." Circuit $C$ = "I'm a woman"; proof $\pi$.
Completeness: The common reference string is generated by $K(1^k)$. Prover: circuit $C$, witness $w$ so $C(w)=1$, proof $\pi$. Verifier: accept. Perfect completeness: $\Pr[\text{Accept}] = 1$.
Soundness: The common reference string is generated by $K(1^k)$. Adversary: unsatisfiable $C$, proof $\pi$. Verifier: reject. Perfect soundness: $\Pr[\text{Reject}] = 1$.
Zero-knowledge: Simulator: $S_1(1^k)$ gives the "common reference string" and $sk$; $S_2(crs, sk, C)$ gives the proof $\pi$. Adversary: circuit $C$, witness $w$; output 0/1. Computational zero-knowledge: $\Pr[A \to 1 \mid \text{Simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{Real proofs } (K, P)]$.
State of affairs
- Computational NIZK proofs known but not practical. Kilian-Petrank: $O(|C|k^2)$-bit common reference string, $O(|C|k^2)$-bit proofs
- Statistical/perfect NIZK arguments not known
- No non-interactive UC ZK arguments secure against adaptive adversaries known
Our contributions
- NIZK proof for Circuit SAT: perfect completeness, perfect soundness, perfect proof of knowledge, computational zero-knowledge; $O(k)$-bit common reference string; $O(|C|k)$-bit proofs
- Perfect NIZK argument for Circuit SAT: perfect completeness, computational co-NP soundness, perfect zero-knowledge
- UC NIZK argument for Circuit SAT with perfect zero-knowledge secure against adaptive adversaries
Bilinear group of order n
- $G$, $G_1$ cyclic groups of order $n = pq$
- $g$ generator for $G$
- bilinear map $e: G \times G \to G_1$
- $e(u^a, v^b) = e(u, v)^{ab}$
- $e(g, g)$ generates $G_1$
- Decision subgroup problem: $\mathrm{ord}(h) = q$ or $\mathrm{ord}(h) = n$?
Boneh-Goh-Nissim cryptosystem
- Key generation: $pk = (n, G, G_1, e, g, h)$ with $\mathrm{ord}(g) = n$, $\mathrm{ord}(h) = q$; $sk = (pk, p, q)$
- Encryption of $m$, $|m| = O(\log k)$: $E(m; r) = g^m h^r$ where $r \in \mathbb{Z}_n$
- Decryption: $(g^m h^r)^q = (g^q)^m$, find $m$ in polynomial time
Homomorphic properties
- Additively homomorphic: $g^{m_1} h^{r_1} \cdot g^{m_2} h^{r_2} = g^{m_1+m_2} h^{r_1+r_2}$
- Multiplication-mapping: $e(g^{m_1} h^{r_1}, g^{m_2} h^{r_2}) = e(g, g)^{m_1 m_2}\, e(h, g^{m_1 r_2 + m_2 r_1} h^{r_1 r_2})$
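NIZK proof for Circuit SAT: Circuit SAT is NP-complete. [Figure: circuit of two NAND gates. The first takes $w_1$, $w_2$ and outputs $w_4$; the second takes $w_4$, $w_3$ and outputs 1.]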
NIZK proof for Circuit SAT
- Wires are encrypted as $g^{w_1} h^{r_1}$, $g^{w_2} h^{r_2}$, $g^{w_3} h^{r_3}$, $g^{w_4} h^{r_4}$; the output wire is $g^1$
- NIZK proofs that $c_1$, $c_2$, $c_3$, $c_4$ each encrypt 0 or 1
- NIZK proof that $w_4 = \neg(w_1 \wedge w_2)$
- NIZK proof that $1 = \neg(w_4 \wedge w_3)$
NIZK proof for encryption of 0 or 1
- Wish to prove $c$ encrypts 0 or 1
- Write $c = g^m h^r$ ($m$ uniquely determined mod $p$)
- $e(c, g^{-1}c) = e(g^m h^r, g^{m-1} h^r) = e(g, g)^{m(m-1)}\, e(h^r, g^{2m-1} h^r)$ has order $q$ if and only if $m = 0 \bmod p$ or $m = 1 \bmod p$
- We wish to prove $e(c, g^{-1}c)$ has order $q$
NIZK proof for encryption of 0 or 1
- Prover chooses $s \in \mathbb{Z}_n^*$
- $e(c, g^{-1}c) = e(g^m h^r, g^{m-1} h^r) = e(h^r, g^{2m-1} h^r) = e(h^s, (g^{2m-1} h^r)^{r/s})$
- Reveal $\pi = (\pi_1, \pi_2, \pi_3)$ with $\pi_1 = h^s$, $\pi_2 = (g^{2m-1} h^r)^{r/s}$, $\pi_3 = g^s$
- Verifier checks $e(\pi_1, g) = e(h, \pi_3)$ and $e(c, g^{-1}c) = e(\pi_1, \pi_2)$
NIZK proof for encryption of 0 or 1
Perfect soundness:
- $h$ has order $q$, so $e(h, \pi_3)$ has order $q$
- $e(\pi_1, g) = e(h, \pi_3)$, so $e(\pi_1, g)$ has order $q$
- so $\pi_1$ has order $q$
- so $e(\pi_1, \pi_2)$ has order $q$
- $e(c, g^{-1}c) = e(\pi_1, \pi_2)$, so $e(c, g^{-1}c)$ has order $q$
- so $m = 0 \bmod p$ or $m = 1 \bmod p$
Computational zero-knowledge
NIZK proof for NAND-gate
- Given $c_0, c_1, c_2$ ciphertexts containing bits $b_0, b_1, b_2$
- Wish to prove $b_2 = \neg(b_0 \wedge b_1)$, which holds if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$
- Make NIZK proof for $c_0 c_1 c_2^2 g^{-2}$ encrypting 0 or 1
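The 0-or-1 proof and the NAND-gate reduction from the slides above, as an added example that is not code from the talk or its authors. It assumes a constructed, insecure toy model in which G is written additively as Z_n (the slide's g^x becomes the integer x, and e(x, y) = x*y mod n), so it checks only the algebra of the verification equations; the primes 11 and 13 and all function names are assumptions.

```python
import random

# Toy model (constructed, insecure): discrete logs are trivial here.
P, Q = 11, 13                 # constructed toy primes
N = P * Q
g = 1                         # generator of G, order n
h = (5 * P) % N               # h = g^(5p): order q because gcd(5, q) = 1

def pair(x, y):               # bilinear map e: G x G -> G1 (also Z_n here)
    return (x * y) % N

def encrypt(m, r):            # E(m; r) = g^m h^r
    return (m * g + r * h) % N

def prove01(m, r):
    """Return (pi1, pi2, pi3) for the ciphertext g^m h^r, m in {0, 1}."""
    s = random.choice([x for x in range(1, N) if x % P and x % Q])  # Z_n^*
    r_over_s = r * pow(s, -1, N) % N
    pi1 = s * h % N                               # h^s
    pi2 = r_over_s * (2 * m - 1 + r * h) % N      # (g^(2m-1) h^r)^(r/s)
    pi3 = s * g % N                               # g^s
    return pi1, pi2, pi3

def verify01(c, proof):
    """The verifier's two pairing checks from the slide."""
    pi1, pi2, pi3 = proof
    return (pair(pi1, g) == pair(h, pi3)
            and pair(c, (c - g) % N) == pair(pi1, pi2))

def nand_ciphertext(c0, c1, c2):
    """c0 * c1 * c2^2 * g^-2, which encrypts b0 + b1 + 2*b2 - 2."""
    return (c0 + c1 + 2 * c2 - 2 * g) % N

def prove_nand(bits, rands):
    """0-or-1 proof for the combined NAND ciphertext of a correct gate."""
    (b0, b1, b2), (r0, r1, r2) = bits, rands
    return prove01(b0 + b1 + 2 * b2 - 2, r0 + r1 + 2 * r2)

def forgery_exists(c):
    """Try every possible proof for c (feasible only at toy size).
    The first check forces pi1 = h^pi3, so pi2 and pi3 cover all cases."""
    return any(verify01(c, (h * pi3 % N, pi2, pi3))
               for pi3 in range(N) for pi2 in range(N))
```

With ord(h) = q, the exhaustive search finds no accepting proof for a ciphertext of 2 or for a NAND gate with the wrong output bit, which is the perfect soundness property at toy scale.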
NIZK proof for Circuit SAT
- Encrypt all wires $w_i$ as $c_i = g^{w_i} h^{r_i}$
- For each $i$ make NIZK proof that $c_i$ contains 0 or 1
- For each NAND-gate make NIZK proof that $c_0 c_1 c_2^2 g^{-2}$ contains 0 or 1
Perfect completeness. Perfect soundness. Computational zero-knowledge. Perfect knowledge extraction: decrypt ciphertexts.
Perfect NIZK
- Common reference string $(g, h)$: choose $g, h$ so $\mathrm{ord}(g) = \mathrm{ord}(h) = n$
- Perfect completeness
- Perfect zero-knowledge: ciphertexts $c_i$ are perfectly hiding commitments; NIZK argument for 0/1 plaintexts is perfect ZK
Adaptive co-NP soundness: The common reference string is generated by $K(1^k)$. Adversary: $C$, $w_{co}$, proof $\pi$, where $w_{co}$ is a witness for $C$ being unsatisfiable. Verifier: reject. Computational co-NP soundness: $\Pr[\text{Reject}] \approx 1$.
$F_{NIZK}$
- (prove, $C$, $w$) → (proof, $\pi$): If $C(w)=1$ give $C$ to $S$ and get $\pi$; store $(C, \pi)$
- (verify, $C$, $\pi$) → (verification, 0/1): If $(C, \pi)$ not stored give $(C, \pi)$ to $S$ and get $w$; if $C(w)=1$ store $(C, \pi)$. Return 1 if $(C, \pi)$ stored
UC NIZK: There exists a non-interactive protocol UC NIZK such that
1. UC NIZK securely realizes $F_{NIZK}$ against adaptive adversaries in the common reference string model
2. UC NIZK is perfect zero-knowledge
Conclusion: New technique for NIZK proofs
1. Very efficient NIZK proofs with perfect soundness
2. First construction of perfect zero-knowledge NIZK argument with co-NP soundness
3. First construction of UC NIZK argument secure against adaptive adversaries