Post on 28-Mar-2015
Perfect Non-interactive Zero-Knowledge for NP
Jens Groth
Rafail Ostrovsky
Amit Sahai
University of California Los Angeles
Motivation
I'm a woman.
Prove it!
OK, I will make a zero-knowledge proof.
Circuit C = "I'm a woman"
Proof π
Completeness
Perfect completeness: Pr[Accept] = 1
[Figure: $K(1^k)$ outputs the common reference string; the prover, holding circuit C and a witness w with C(w) = 1, sends proof π; the verifier outputs Accept.]
Soundness
Perfect soundness: Pr[Reject] = 1
[Figure: $K(1^k)$ outputs the common reference string; the adversary sends an unsatisfiable circuit C and a proof π; the verifier outputs Reject.]
Zero-knowledge
Computational zero-knowledge: Pr[A → 1 | Simulated proofs $(S_1, S_2)$] ≈ Pr[A → 1 | Real proofs (K, P)]
[Figure: $S_1(1^k)$ outputs a "common reference string" and a simulation key sk; the adversary chooses circuit C and witness w; $S_2(\mathrm{crs}, sk, C)$ outputs a proof π; the adversary outputs 0/1.]
State of affairs
Computational NIZK proofs known but not practical
Kilian-Petrank: $O(|C|k^2)$-bit common reference string, $O(|C|k^2)$-bit proofs
Statistical/perfect NIZK arguments not known
No non-interactive UC ZK arguments secure against adaptive adversaries known
Our contributions
NIZK proof for Circuit SAT
- Perfect completeness, perfect soundness, perfect proof of knowledge, computational zero-knowledge
- O(k)-bit common reference string
- O(|C|k)-bit proofs
Perfect NIZK argument for Circuit SAT
- Perfect completeness, computational coNP soundness, perfect zero-knowledge
UC NIZK argument for Circuit SAT with perfect zero-knowledge secure against adaptive adversaries
Bilinear group of order n
$G, G_1$ cyclic groups of order n = pq
g generator for G
bilinear map $e: G \times G \to G_1$
$e(u^a, v^b) = e(u, v)^{ab}$
e(g, g) generates $G_1$
Decision subgroup problem: given h, is ord(h) = q or ord(h) = n?
Boneh-Goh-Nissim cryptosystem
Key generation
pk = $(n, G, G_1, e, g, h)$ with ord(g) = n, ord(h) = q
sk = (pk, p, q)
Encryption of m with |m| = O(log k)
$E(m; r) = g^m h^r$ where $r \leftarrow \mathbb{Z}_n$
Decryption
$(g^m h^r)^q = (g^q)^m$; find m by polynomial-time exhaustive search over the O(log k)-bit message space
Homomorphic properties
Additively homomorphic
$g^{m_1}h^{r_1} \cdot g^{m_2}h^{r_2} = g^{m_1+m_2}h^{r_1+r_2}$
Multiplication-mapping
$e(g^{m_1}h^{r_1}, g^{m_2}h^{r_2}) = e(g, g)^{m_1 m_2} \cdot e(h, g^{m_1 r_2 + m_2 r_1} h^{r_1 r_2})$
NIZK proof for Circuit SAT
[Figure: circuit with input wires $w_1, w_2, w_3$, internal wire $w_4 = \neg(w_1 \wedge w_2)$ (NAND gate) and output $1 = \neg(w_4 \wedge w_3)$ (NAND gate).]
Circuit SAT is NP complete
NIZK proof for Circuit SAT
[Figure: the same circuit with every wire replaced by a ciphertext $g^{w_1}h^{r_1}, g^{w_2}h^{r_2}, g^{w_3}h^{r_3}, g^{w_4}h^{r_4}$ and the output wire fixed to $g^1$.]
NIZK proof $c_1$ encrypts 0 or 1
NIZK proof $c_2$ encrypts 0 or 1
NIZK proof $c_3$ encrypts 0 or 1
NIZK proof $c_4$ encrypts 0 or 1
NIZK proof $w_4 = \neg(w_1 \wedge w_2)$ (NAND gate)
NIZK proof $1 = \neg(w_4 \wedge w_3)$ (NAND gate)
NIZK proof for encryption of 0 or 1
Wish to prove c encrypts 0 or 1
Write $c = g^m h^r$ (m uniquely determined mod p)
$e(c, g^{-1}c) = e(g^m h^r, g^{m-1}h^r) = e(g, g)^{m(m-1)} \cdot e(h^r, g^{2m-1}h^r)$
has order q if and only if m = 0 mod p or m = 1 mod p (the factor $e(h^r, \cdot)$ always has order dividing q, so the order is decided by $e(g, g)^{m(m-1)}$, which has order dividing q exactly when p divides m(m-1))
We wish to prove $e(c, g^{-1}c)$ has order q
NIZK proof for encryption of 0 or 1
Prover chooses $s \leftarrow \mathbb{Z}_n^*$
For m ∈ {0, 1} the factor $e(g, g)^{m(m-1)}$ is 1, so
$e(c, g^{-1}c) = e(g^m h^r, g^{m-1}h^r) = e(h^r, g^{2m-1}h^r) = e(h^s, (g^{2m-1}h^r)^{r/s})$
Reveal $\pi = (\pi_1, \pi_2, \pi_3)$
$\pi_1 = h^s$, $\pi_2 = (g^{2m-1}h^r)^{r/s}$, $\pi_3 = g^s$
Verifier checks $e(\pi_1, g) = e(h, \pi_3)$ and $e(c, g^{-1}c) = e(\pi_1, \pi_2)$
NIZK proof for encryption of 0 or 1
Perfect soundness
h has order q ⇒ $e(h, \pi_3)$ has order q
$e(\pi_1, g) = e(h, \pi_3)$ ⇒ $e(\pi_1, g)$ has order q ⇒ $\pi_1$ has order q ⇒ $e(\pi_1, \pi_2)$ has order q
$e(c, g^{-1}c) = e(\pi_1, \pi_2)$ ⇒ $e(c, g^{-1}c)$ has order q ⇒ m = 0 mod p or m = 1 mod p
Computational zero-knowledge
Switch to ord(h) = n (a CRS the adversary cannot tell from the real one under the decision subgroup problem); then $g = h^\gamma$ and the simulation key is γ
NIZK proof for NAND-gate
Given $c_0, c_1, c_2$ ciphertexts containing bits $b_0, b_1, b_2$, wish to prove $b_2 = \neg(b_0 \wedge b_1)$
$b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$
Make NIZK proof for $c_0 c_1 c_2^2 g^{-2}$ encrypting 0 or 1
NIZK proof for Circuit SAT
Encrypt all wires $w_i$ as $c_i = g^{w_i}h^{r_i}$
For each i make NIZK proof that $c_i$ contains 0 or 1
For each NAND-gate make NIZK proof that $c_0 c_1 c_2^2 g^{-2}$ contains 0 or 1
Perfect completeness
Perfect soundness
Computational zero-knowledge
Perfect knowledge extraction – decrypt the ciphertexts with sk = (p, q)
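The following is an added worked example, not code from the slides or from the authors. It models the BGN cryptosystem and the Circuit SAT proof of the preceding slides in Python by representing every group element by its discrete logarithm base g, so G becomes $\mathbb{Z}_n$ (written additively), the pairing becomes multiplication mod n, and "has order q" becomes "is divisible by p". This reproduces the algebra exactly but is not a secure instantiation (discrete logs are free in this model); the primes p = 101, q = 103, the value alpha = 7, the wire numbering and the sample assignments are constructed choices for illustration.

```python
import random

# Constructed toy parameters; real BGN uses a ~1024-bit n = pq. Nothing here is
# secure: discrete logs are free in this model, it only reproduces the algebra.
p, q = 101, 103
n = p * q
alpha = 7                 # h = g^(p*alpha) has order q because gcd(alpha, q) = 1
G = 1                     # log_g(g)
H = (p * alpha) % n       # log_g(h)

def mul(a, b):            # group operation in G: g^a * g^b = g^(a+b)
    return (a + b) % n

def power(a, k):          # (g^a)^k = g^(a*k); k may be negative
    return (a * k) % n

def pair(a, b):           # e(g^a, g^b) = e(g, g)^(a*b), kept as a log base e(g, g)
    return (a * b) % n

def has_order_q(t):       # x = e(g, g)^t satisfies x^q = 1 exactly when p divides t
    return (t * q) % n == 0

def rand_unit():          # s uniform in Z_n^*
    while True:
        s = random.randrange(1, n)
        if s % p and s % q:
            return s

def encrypt(m, r):        # E(m; r) = g^m h^r
    return mul(power(G, m), power(H, r))

def decrypt(c):           # (g^m h^r)^q = (g^q)^m; exhaustive search over m in [0, p)
    target, gq = power(c, q), power(G, q)
    for m in range(p):
        if power(gq, m) == target:
            return m

def prove_bit(m, r):
    """Proof that c = g^m h^r encrypts 0 or 1, i.e. that e(c, g^-1 c) has order q.
    Completeness needs m in {0, 1}; for any other m the verifier rejects."""
    s = rand_unit()
    r_over_s = (r * pow(s, -1, n)) % n
    base = mul(power(G, 2 * m - 1), power(H, r))              # g^(2m-1) h^r
    return power(H, s), power(base, r_over_s), power(G, s)    # (pi1, pi2, pi3)

def verify_bit(c, proof):
    pi1, pi2, pi3 = proof
    lhs = pair(c, mul(power(G, -1), c))                       # e(c, g^-1 c)
    return pair(pi1, G) == pair(H, pi3) and lhs == pair(pi1, pi2)

def nand_ciphertext(c0, c1, c2):                              # c0 * c1 * c2^2 * g^-2
    return mul(mul(mul(c0, c1), power(c2, 2)), power(G, -2))

# Constructed sample circuit from the slide: w4 = NAND(w1, w2), output 1 = NAND(w4, w3).
# Wire 0 is the output wire; its "ciphertext" is the fixed g^1 (randomness 0).
GATES = [(1, 2, 4), (4, 3, 0)]                                # (input, input, output) wires

def prove_circuit(w):
    """w maps wire index -> bit with w[0] == 1. Returns ciphertexts, wire proofs, gate proofs."""
    r = {i: (0 if i == 0 else random.randrange(n)) for i in w}
    c = {i: encrypt(w[i], r[i]) for i in w}
    bit_proofs = {i: prove_bit(w[i], r[i]) for i in w if i != 0}
    # c_a c_b c_o^2 g^-2 encrypts w_a + w_b + 2 w_o - 2 under randomness r_a + r_b + 2 r_o
    gate_proofs = [prove_bit(w[a] + w[b] + 2 * w[o] - 2, r[a] + r[b] + 2 * r[o])
                   for a, b, o in GATES]
    return c, bit_proofs, gate_proofs

def verify_circuit(c, bit_proofs, gate_proofs):
    if c[0] != encrypt(1, 0) or set(bit_proofs) != set(c) - {0}:
        return False
    if not all(verify_bit(c[i], bit_proofs[i]) for i in bit_proofs):
        return False
    return len(gate_proofs) == len(GATES) and all(
        verify_bit(nand_ciphertext(c[a], c[b], c[o]), pr)
        for (a, b, o), pr in zip(GATES, gate_proofs))

def extract_witness(c):       # perfect knowledge extraction: decrypt every wire with sk = (p, q)
    return {i: decrypt(c[i]) for i in c}

if __name__ == "__main__":
    honest = {0: 1, 1: 1, 2: 1, 3: 0, 4: 0}   # satisfying assignment
    cheat = {0: 1, 1: 1, 2: 1, 3: 1, 4: 1}    # wrong value on wire 4
    print("honest accepted:", verify_circuit(*prove_circuit(honest)))
    print("cheating accepted:", verify_circuit(*prove_circuit(cheat)))
```

The cheating assignment is rejected for the reason the soundness slide gives: the gate ciphertext then encrypts 2, the factor $e(g,g)^{m(m-1)}$ is no longer trivial, and no choice of $\pi_1, \pi_2, \pi_3$ satisfying the first check can make the second one hold. `has_order_q` is the model's version of the verifier's real criterion and can be applied to `pair(c, ...)` directly to see the same distinction.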
Perfect NIZK
Common reference string (g, h)
Choose g, h so ord(g) = ord(h) = n
Perfect completeness
Perfect zero-knowledge
Ciphertexts $c_i$ are perfectly hiding commitments
NIZK argument for 0/1 plaintexts is perfect ZK
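Added example, not from the slides, for the perfect-ZK setting above and for the "simulation key γ" remark on the zero-knowledge slide. It uses the same exponent model as before (group elements as logs base g, pairing as multiplication mod n, constructed toy primes, not secure) but now takes h of order n with $g = h^\gamma$. It shows three things: the unchanged verifier still accepts honest proofs; with γ any commitment opens to either bit (perfect hiding); and a simulator holding γ but no plaintext produces an accepting proof. The value gamma = 11 is a constructed choice, and the simulator's strategy is my reconstruction from the verifier's two equations, since the slide only names the key.

```python
import random

# Constructed toy primes; same exponent model (elements as logs base g, pairing =
# multiplication mod n). Not secure, it only reproduces the algebra.
p, q = 101, 103
n = p * q
gamma = 11                      # simulation key: g = h^gamma, gcd(gamma, n) = 1
G = 1                           # log_g(g)
H = pow(gamma, -1, n)           # log_g(h): h = g^(1/gamma), so h^gamma = g and ord(h) = n

def mul(a, b):
    return (a + b) % n

def power(a, k):
    return (a * k) % n

def pair(a, b):
    return (a * b) % n

def rand_unit():                # s uniform in Z_n^*
    while True:
        s = random.randrange(1, n)
        if s % p and s % q:
            return s

def commit(m, r):               # c = g^m h^r, the same formula as BGN encryption
    return mul(power(G, m), power(H, r))

def reopen(m, r, m_new):
    """Perfect hiding: with g = h^gamma, g^m h^r = g^m' h^r' for r' = r + gamma*(m - m'),
    so commitments to 0 and to 1 have the same distribution."""
    return (r + gamma * (m - m_new)) % n

def prove_bit(m, r, s):         # honest prover, same formulas as in the proof system
    base = mul(power(G, 2 * m - 1), power(H, r))
    return power(H, s), power(base, (r * pow(s, -1, n)) % n), power(G, s)

def verify_bit(c, proof):       # the verifier is unchanged from the proof-system version
    pi1, pi2, pi3 = proof
    return pair(pi1, G) == pair(H, pi3) and pair(c, mul(power(G, -1), c)) == pair(pi1, pi2)

def simulate_bit():
    """Simulator: knows gamma but no plaintext. It picks c = h^t itself and satisfies
    both verifier equations. (Reconstructed from the two checks; the slide only
    states that gamma is the simulation key.)"""
    t, s = random.randrange(n), rand_unit()
    c = power(H, t)                                   # c = h^t
    pi1, pi3 = power(H, s), power(G, s)
    # g^-1 c = h^(t - gamma), hence e(c, g^-1 c) = e(h^s, h^((t - gamma) * t / s))
    pi2 = power(H, ((t - gamma) * t * pow(s, -1, n)) % n)
    return c, (pi1, pi2, pi3), t   # t is the simulator's private state, never sent
```

Because c = h^t equals commit(0, t) and also commit(1, reopen(0, t, 1)), the simulated pair (c, π) is a valid transcript for a prover of either bit, which is what perfect zero-knowledge of the 0/1 argument amounts to in this model.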
Adaptive coNP soundness
Computational coNP soundness: Pr[Reject] ≈ 1
[Figure: $K(1^k)$ outputs the common reference string; the adversary sends circuit C, a witness $w_{co}$ that C is unsatisfiable, and a proof π; the verifier outputs Reject.]
$F_{\mathrm{NIZK}}$
(prove, C, w) → (proof, π): if C(w) = 1, give C to S and get π; store (C, π)
(verify, C, π) → (verification, 0/1): if (C, π) not stored, give (C, π) to S and get w; if C(w) = 1, store (C, π). Return 1 if (C, π) stored
UC NIZK
There exists a non-interactive protocol UC NIZK such that
1. UC NIZK securely realizes $F_{\mathrm{NIZK}}$ against adaptive adversaries in the common reference string model
2. UC NIZK is perfect zero-knowledge
Conclusion
New technique for NIZK proofs
1. Very efficient NIZK proofs with perfect soundness
2. First construction of perfect zero-knowledge NIZK argument with coNP soundness
3. First construction of UC NIZK argument secure against adaptive adversaries