Short Pairing-based Non-interactive Zero-Knowledge Arguments
Jens Groth, University College London
Motivation
Voter: Attaching encrypted vote to this e-mail.
Official: We can only accept correctly formatted votes.

Non-interactive zero-knowledge proof
Voter: Attaching encrypted vote to this e-mail + NIZK argument that it is correctly formatted.
Official: Ok, we will count your vote.
• Zero-knowledge: the vote remains secret
• Soundness: the vote is correct

Non-interactive zero-knowledge argument
• Common reference string shared by prover and verifier
• Statement: x ∈ L, where the prover knows a witness w with (x, w) ∈ R_L
• The prover sends a single proof to the verifier
• Zero-knowledge: nothing but the truth of the statement is revealed
• Soundness: the statement is true

Applications of NIZK arguments
• Ring signatures
• Group signatures
• Anonymous credentials
• Verifiable encryption
• Voting
• . . .

Our contribution
• Common reference string with a special distribution
• Statement: C is a satisfiable circuit
• Very efficient verifier
• Sub-linear (constant) size NIZK argument
• Not the Fiat-Shamir heuristic (no random oracle)
• Perfect completeness
• Computational soundness
• Perfect zero-knowledge
• Adaptive soundness: the adversary sees the CRS before attempting to cheat with a false statement C and an argument for it
Pairings
• G, G_T groups of prime order p
• Bilinear map e: G × G → G_T
  – e(a^x, b^y) = e(a, b)^{xy}
  – e(g, g) generates G_T if g is non-trivial
• Group operations, deciding group membership and computing the bilinear map are efficiently computable
Assumptions
• Power knowledge of exponent assumption (q-PKE): given (g, g^x, …, g^{x^q}, g^α, g^{αx}, …, g^{αx^q}) it is hard to compute a pair (c, ĉ) with ĉ = c^α without knowing a_0, …, a_q such that c = g^{a_0} g^{a_1 x} ⋯ g^{a_q x^q}
• Computational power Diffie-Hellman (q-CPDH): for all j it is hard to compute g^{αx^j} given (g, g^x, …, g^{x^q}, g^α, g^{αx}, …, g^{αx^{j-1}}, g^{αx^{j+1}}, …, g^{αx^q})
• Both assumptions hold in the generic group model
Comparison

| Scheme                       | CRS size         | Argument size    | Prover comp.     | Verifier comp. | Assumption                | Soundness / ZK          |
|------------------------------|------------------|------------------|------------------|----------------|---------------------------|-------------------------|
| Kilian-Petrank               | (Nk) group       | —                | (Nk) expo        | (Nk) mult      | Trapdoor permutations     | Stat. sound, comp. ZK   |
| GOS                          | O(1) group       | O(N) group       | O(N) expo        | O(N) pairing   | Subgroup decision         | Perfect sound, comp. ZK |
| Abe-Fehr                     | O(1) group       | O(N) group       | O(N) expo        | O(N) pairing   | Dlog & knowledge of expo. | Comp. sound, perfect ZK |
| This work (minimal argument) | O(N^2) group     | O(1) group       | O(N^2) mult      | O(N) mult      | q-PKE and q-CPDH          | Comp. sound, perfect ZK |
| This work (balanced sizes)   | O(N^{2/3}) group | O(N^{2/3}) group | O(N^{4/3}) mult  | O(N) mult      | q-PKE and q-CPDH          | Comp. sound, perfect ZK |
| Interactive + Fiat-Shamir    | O(√N) group      | O(√N) group      | —                | O(N) mult      | Dlog and random oracle    | Comp. sound, perfect ZK |

(N is the circuit size, k the security parameter; "—" marks a cell that did not survive extraction.)
Knowledge commitments
• Commitment key: ck = (g, g^x, …, g^{x^q}, g^α, g^{αx}, …, g^{αx^q})
• Commitment to (a_1, …, a_q) using randomness r ∈ Z_p:
  c = g^r (g^x)^{a_1} ⋯ (g^{x^q})^{a_q}
  ĉ = (g^α)^r (g^{αx})^{a_1} ⋯ (g^{αx^q})^{a_q}
• Verifying a commitment: e(c, g^α) = e(ĉ, g)
• Knowledge: the q-PKE assumption says it is impossible to create a valid (c, ĉ) without knowing r, a_1, …, a_q

Homomorphic property
• c = g^r (g^x)^{a_1} ⋯ (g^{x^q})^{a_q}, so log(c) = r + a_1 x + … + a_q x^q
• Homomorphic: commit(a_1, …, a_q; r) ∙ commit(b_1, …, b_q; s) = commit(a_1+b_1, …, a_q+b_q; r+s), because
  (r + Σ a_i x^i) + (s + Σ b_i x^i) = r + s + Σ (a_i+b_i) x^i
Tools
• Constant size knowledge commitments for tuples of elements (a_1, …, a_q) ∈ (Z_p)^q
• Homomorphic, so we can add committed tuples: com(a_1, …, a_q) ∙ com(b_1, …, b_q) = com(a_1+b_1, …, a_q+b_q)
• NIZK argument for a multiplicative relationship between com(a_1, …, a_q), com(b_1, …, b_q) and com(a_1 b_1, …, a_q b_q)
• NIZK argument for a known permutation π between com(a_1, …, a_q) and com(a_{π(1)}, …, a_{π(q)})
Circuit with NAND-gates
[Figure: a circuit of NAND gates; gate i has input wires a_i, b_i and output wire u_i, for i = 1, …, 4]
• commit(a_1, …, a_N, b_1, …, b_N)
• commit(b_1, …, b_N, 0, …, 0)
• commit(u_1, …, u_N, 0, …, 0)
• NIZK argument for u_N = 1
• NIZK argument for everything else being consistent

Consistency
• Need to show valid inputs a_1, …, a_N, b_1, …, b_N ∈ {0, 1}
• NIZK argument for the multiplicative relationship between commit(a_1, …, a_N, b_1, …, b_N), itself and itself shows a_1 a_1 = a_1, …, a_N a_N = a_N, b_1 b_1 = b_1, …, b_N b_N = b_N
• Only possible if a_1 ∈ {0, 1}, …, a_N ∈ {0, 1}, b_1 ∈ {0, 1}, …, b_N ∈ {0, 1}

Consistency
• Homomorphic property gives commit(1, …, 1, 0, …, 0) / commit(u_1, …, u_N, 0, …, 0) = commit(1-u_1, …, 1-u_N, 0, …, 0)
• NIZK argument for the multiplicative relationship between commit(a_1, …, a_N, b_1, …, b_N), commit(b_1, …, b_N, 0, …, 0) and commit(1-u_1, …, 1-u_N, 0, …, 0) shows 1-u_1 = a_1 b_1, …, 1-u_N = a_N b_N
• This proves all NAND-gates are respected: u_1 = ¬(a_1 ∧ b_1), …, u_N = ¬(a_N ∧ b_N)

Consistency
• Using NIZK arguments for permutation we prove consistency of wires, i.e. whenever a_i and b_j correspond to the same wire, a_i = b_j
• We refer to the full paper for the details
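The three consistency slides above list the relations the committed vectors must satisfy; the following added example (not from the slides or from Groth's paper) checks those relations in the clear, on a constructed four-NAND XOR circuit, so the arithmetisation can be run without commitments or pairings. The wire-consistency check is written as the permutation the slides rely on: the positions of a ‖ b ‖ u that carry the same wire form one cycle of π, and the vector is unchanged under π exactly when every wire carries one value. Topological gate order, the names evaluate / witness_vectors / check_witness and the XOR_GATES sample are assumptions of the example.

```python
# Added example, not from the slides or the paper. A circuit is a list of NAND
# gates (left_wire, right_wire, out_wire) in topological order; the last gate
# drives the output wire, which the statement requires to equal 1.

def evaluate(gates, inputs):
    """Evaluate the circuit; `inputs` maps input wire ids to 0/1."""
    wires = dict(inputs)
    for left, right, out in gates:
        wires[out] = 1 - wires[left] * wires[right]   # NAND as 1 - a*b
    return wires


def witness_vectors(gates, wires):
    """a_i, b_i = inputs of gate i, u_i = output of gate i (the slides' layout)."""
    a = [wires[left] for left, _, _ in gates]
    b = [wires[right] for _, right, _ in gates]
    u = [wires[out] for _, _, out in gates]
    return a, b, u


def wire_permutation(gates):
    """Permutation pi on positions of v = a || b || u: positions carrying the
    same wire form one cycle, so v[i] == v[pi[i]] for all i iff wires are consistent."""
    n = len(gates)
    by_wire = {}
    for i, (left, right, out) in enumerate(gates):
        by_wire.setdefault(left, []).append(i)            # a_i sits at position i
        by_wire.setdefault(right, []).append(n + i)       # b_i at n + i
        by_wire.setdefault(out, []).append(2 * n + i)     # u_i at 2n + i
    pi = list(range(3 * n))
    for positions in by_wire.values():
        for k, idx in enumerate(positions):
            pi[idx] = positions[(k + 1) % len(positions)]
    return pi


def check_witness(gates, a, b, u):
    """Return the list of violated relations; an empty list means a valid witness."""
    n = len(gates)
    violations = []
    for i in range(n):
        if a[i] * a[i] != a[i] or b[i] * b[i] != b[i]:        # booleanity: a_i a_i = a_i
            violations.append(f"gate {i}: input not in {{0,1}}")
        if 1 - u[i] != a[i] * b[i]:                            # NAND: 1 - u_i = a_i b_i
            violations.append(f"gate {i}: u_i != NAND(a_i, b_i)")
    v = a + b + u
    pi = wire_permutation(gates)
    for idx in range(3 * n):                                    # wire consistency via pi
        if v[idx] != v[pi[idx]]:
            violations.append(f"position {idx}: wire value inconsistent")
    if u[n - 1] != 1:                                           # the statement: u_N = 1
        violations.append("output wire u_N != 1")
    return violations


# Constructed sample: XOR from four NAND gates. Wires 0 and 1 are the inputs,
# wire 2 = NAND(x, y), wires 3 and 4 the middle layer, wire 5 the output.
XOR_GATES = [(0, 1, 2), (0, 2, 3), (1, 2, 4), (3, 4, 5)]


def prove_satisfiable(gates, inputs):
    """What an honest prover computes before committing: the vectors and their self-check."""
    a, b, u = witness_vectors(gates, evaluate(gates, inputs))
    return a, b, u, check_witness(gates, a, b, u)


if __name__ == "__main__":
    print(prove_satisfiable(XOR_GATES, {0: 1, 1: 0}))   # satisfying assignment, no violations
    a, b, u, _ = prove_satisfiable(XOR_GATES, {0: 1, 1: 1})
    print(check_witness(XOR_GATES, a, b, u[:-1] + [1]))  # forged output: NAND relation at gate 3 fails
```

In the real argument the prover never reveals a, b or u; the three checks become the two multiplicative-relationship arguments and the permutation argument on the commitments, and the verifier learns only that every relation holds. Running the forged case shows why the NAND check cannot be skipped: flipping u_N to 1 without a satisfying input is caught by 1 - u_N = a_N b_N, not by the output check alone.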
Conclusion
• NIZK argument of knowledge
  – perfect completeness
  – perfect zero-knowledge
  – computational soundness under q-PKE and q-CPDH
• Short and efficient to verify

| Variant          | CRS        | Argument   | Prover comp.     | Verifier comp. |
|------------------|------------|------------|------------------|----------------|
| Minimal argument | O(N^2)     | O(1)       | O(N^2) mults     | O(N) mults     |
| Balanced sizes   | O(N^{2/3}) | O(N^{2/3}) | O(N^{4/3}) mults | O(N) mults     |

• In general: CRS O(N^{2(1-ε)}) and argument O(N^ε)

Thanks
Full paper available at www.cs.ucl.ac.uk/staff/J.Groth