New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.

New Techniques for NIZK
Jens Groth
Rafail Ostrovsky
Amit Sahai
University of California Los Angeles

Motivation
"I'm a woman."
"Prove it!"
"OK, I will make a zero-knowledge proof."
Circuit C = "I'm a woman"
Proof π

Completeness
Perfect completeness: Pr[Accept] = 1
Common reference string: $K(1^k)$
Prover: circuit C, witness w so C(w) = 1
Prover sends proof π; Verifier outputs Accept

Soundness
Perfect soundness: Pr[Reject] = 1
Common reference string: $K(1^k)$
Adversary: unsatisfiable C, proof π
Verifier outputs Reject

Zero-knowledge
Computational zero-knowledge: $\Pr[A \to 1 \mid \text{Simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{Real proofs } (K, P)]$
Simulator: $S_1(1^k)$ outputs the "common reference string" and sk; $S_2(crs, sk, C)$ outputs proof π
Adversary: chooses circuit C and witness w, outputs 0/1

NIZK proof for Circuit SAT
Circuit SAT is NP complete
[Figure: circuit of two NAND gates with wires $w_1$, $w_2$, $w_3$, $w_4$ and output 1]

Homomorphic proof commitment
Two types of indistinguishable public keys:
- Perfect trapdoor: $(pk, tk) \leftarrow K_{hiding}(1^k)$
- Perfect binding: $pk \leftarrow K_{binding}(1^k)$
Homomorphic
Message space size at least 4 (3 also ok)
Witness indistinguishable proof that commitment contains 0 or 1:
- Perfect soundness on perfect binding key
- Perfect WI on perfect trapdoor key

Bilinear group of order n
$G$, $G_T$ cyclic groups of order $n = pq$
$g$ generator for $G$
bilinear map $e: G \times G \to G_T$
$e(u^a, v^b) = e(u, v)^{ab}$
$e(g, g)$ generates $G_T$
Decision subgroup problem
$\mathrm{ord}(h) = q$ or $\mathrm{ord}(h) = n$ ?

BGN-based commitment
Perfect binding key: $\mathrm{ord}(g) = n$, $\mathrm{ord}(h) = q$
Perfect hiding key: $\mathrm{ord}(g) = \mathrm{ord}(h) = n$ and $g = h^x$
Commitment: $\mathrm{Com}(m; r) = g^m h^r$ where $r \in \mathbb{Z}_n$
Homomorphic: $g^{m+M} h^{r+R} = g^m h^r \cdot g^M h^R$

WI proof for commit to 0 or 1
Wish to prove c commitment to 0 or 1
Write $c = g^m h^r$ ($m \bmod p$ unique if $h$ order $q$)
$e(c, g^{-1}c) = e(g^m h^r, g^{m-1} h^r) = e(g, g)^{m(m-1)}\, e(h^r, g^{2m-1} h^r) = e(h, (g^{2m-1} h^r)^r) = e(h, \pi)$
Proof is: $\pi = (g^{2m-1} h^r)^r$
Soundness when $h$ has order $q$: $e(g, g)^{m(m-1)}\, e(h^r, g^{2m-1} h^r) = e(h, \pi)$ so $m = 0, 1 \bmod p$
Witness indistinguishability when $h$ has order $n$: unique $\pi$ so $e(c, g^{-1}c) = e(h, \pi)$
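
NIZK proof for Circuit SAT
[Figure: the two-NAND circuit with commitments $c_1 = \mathrm{com}(w_1)$, $c_2 = \mathrm{com}(w_2)$, $c_3 = \mathrm{com}(w_3)$, $c_4 = \mathrm{com}(w_4)$ on the wires and $\mathrm{com}(1)$ on the output]
WI proof $c_1$ commit to 0 or 1
WI proof $c_2$ commit to 0 or 1
WI proof $c_3$ commit to 0 or 1
WI proof $c_4$ commit to 0 or 1
WI proof $w_4 = \neg(w_1 \wedge w_2)$
WI proof $1 = \neg(w_4 \wedge w_3)$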

WI proof for NAND-gate
Given $c_0, c_1, c_2$ commitments containing bits $b_0, b_1, b_2$ wish to prove $b_2 = \neg(b_0 \wedge b_1)$
$b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$
WI proof $c_0 c_1 c_2^2\, \mathrm{com}(-2)$ commitment to 0 or 1

NIZK proof for Circuit SAT
Commit to all wires $w_i$ as $c_i = \mathrm{com}(w_i)$
For each $i$ make WI proof that $c_i$ contains 0 or 1
For each NAND-gate make WI proof that $c_0 c_1 c_2^2\, \mathrm{com}(-2)$ contains 0 or 1
Perfect completeness
Perfect binding key - perfect soundness
Perfect trapdoor key - perfect zero-knowledge
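
The BGN-based commitment, the 0-or-1 proof and the NAND-gate check from the slides above, as an added Python example that is not from the talk. It uses a toy model in which each group element is stored as its discrete logarithm mod n and the pairing is multiplication mod n, so it has no security and only exercises the equations; the primes and all function names are constructed for illustration.

```python
# Toy exponent model (constructed, insecure): each element of G and G_T is
# stored as its discrete log mod n, so g^a h^b is a*G + b*h and e(u, v) is u*v.
import secrets

P, Q = 101, 103              # constructed toy primes
N, G = P * Q, 1              # group order n = pq and the generator g

def keygen(binding):
    """Return h of order q (perfect binding) or of order n (perfect hiding)."""
    if binding:
        return P * (1 + secrets.randbelow(Q - 1))
    while True:
        h = secrets.randbelow(N)
        if h % P and h % Q:
            return h

def commit(h, m, r):                 # Com(m; r) = g^m h^r
    return (m * G + r * h) % N

def prove_bit(h, m, r):              # pi = (g^(2m-1) h^r)^r
    return r * ((2 * m - 1) * G + r * h) % N

def verify_bit(h, c, pi):            # e(c, g^-1 c) == e(h, pi)
    return c * (c - G) % N == h * pi % N

def nand_combine(c0, c1, c2):        # c0 c1 c2^2 com(-2)
    return (c0 + c1 + 2 * c2 - 2 * G) % N

def nand_roundtrip(h, bits):
    """Commit to (b0, b1, b2), prove b0 + b1 + 2*b2 - 2 is 0 or 1, verify."""
    rands = [secrets.randbelow(N) for _ in bits]
    c0, c1, c2 = (commit(h, b, r) for b, r in zip(bits, rands))
    m = bits[0] + bits[1] + 2 * bits[2] - 2
    r = (rands[0] + rands[1] + 2 * rands[2]) % N
    return verify_bit(h, nand_combine(c0, c1, c2), prove_bit(h, m, r))

def any_proof_exists(h, c):
    """Exhaustive search over all of G for a pi that the verifier accepts."""
    return any(verify_bit(h, c, pi) for pi in range(N))

def trapdoor_open(h, c, m):
    """Hiding key only (h invertible mod n): find r with Com(m; r) == c."""
    return (c - m * G) * pow(h, -1, N) % N
```

On the binding key no π exists for a commitment to 2, while on the hiding key the same kind of commitment can be reopened as a commitment to 1 and then proved, which is the difference between the perfect-soundness and perfect-zero-knowledge settings listed above.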

Perfect NIZK on perfect trapdoor key
Simulation:
- Make trapdoor commitments
- Trapdoor-open relevant commitments to 0 and WI prove
Proof that simulation works on C with w so C(w)=1:
- Can trapdoor-open commitments to $w_i$'s and WI prove
  By perfect witness-indistinguishability of the WI proofs indistinguishable from simulation
- Can from the start make commitments to $w_i$'s
  By perfect hiding of the commitments indistinguishable from previous method
  Corresponds to real proof on trapdoor key

First result
Use $K_{binding}$ to generate pk
NIZK proof with
- perfect completeness
- perfect soundness
- computational ZK
CRS size: O(k) bits
Proof size: O(|C|k) bits
Compare with: $O(|C|k^2)$ proofs [KP]

Second result
Use $K_{hiding}$ to generate pk
NIZK argument with
- perfect completeness
- computational co-soundness
- perfect zero-knowledge
CRS size: O(k) bits
Proof size: O(|C|k) bits
Compare with: None

Adaptive co-soundness
Computational co-soundness: Pr[Reject] ≈ 1
Common reference string: $K_{hiding}$
Adversary: $C$, $w_{co}$, proof π
Verifier outputs Reject
$w_{co}$ witness for C unsatisfiable

Third result
Protocol:
- Non-interactive
- Statistical ZK
- UC NIZK proof secure against adaptive adversary
Compare with:
- Interactive UC ZK proofs [DN, CLOS]
- UC NIZK proofs secure against non-adaptive adversary [DDOPS]

Non-interactive zaps for Circuit SAT
No common reference string
Perfect completeness:
$(C, w)$ so $C(w) = 1$
$\pi \leftarrow P(1^k, C, w) : V(1^k, C, \pi) = 1$
Perfect soundness:
$(C, \pi)$ with $C$ unsatisfiable $V(1^k, C, \pi) = 0$
Computational witness-indistinguishability:
$(C, w_0, w_1)$ so $C(w_0) = 1$ and $C(w_1) = 1$
$P(1^k, C, w_0) \approx P(1^k, C, w_1)$

Non-interactive zaps
Naïve idea:
Prover chooses public key and makes NIZK proof
Problem: Can choose trapdoor key and prove anything
Better idea:
Prover chooses two public keys and makes an NIZK proof with each of them
Makes choice so:
One is trapdoor, one is perfect binding
Verifiable that at least one key is perfect binding
Verifier cannot tell which key is trapdoor

Witness-indistinguishability
Circuit C and two witnesses $w_0$, $w_1$
• Generate $pk_0$ perfect trapdoor and $pk_1$ perfect binding
• NIZK proof using $w_0$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
• Simulate proof on trapdoor $pk_0$; NIZK proof using $w_0$ on $pk_1$
• NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
• Switch to $pk_0$ perfect binding and $pk_1$ perfect trapdoor
• NIZK proof using $w_1$ on $pk_0$; Simulate proof on trapdoor $pk_1$
• NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_1$ on $pk_1$
• Switch back to $pk_0$ perfect trapdoor and $pk_1$ perfect binding

Fourth result
Use verifiable pairs of public keys
- At least one of two keys is perfect binding
- The other is trapdoor
- Indistinguishable which one is trapdoor
Non-interactive ZAP
Proof size O(|C|k) bits
Compare with:
- 2-move zaps [DN]
- Non-interactive zaps [BOV] huge proofs, non-standard assumption

Bilinear groups
$G$, $G_T$ cyclic groups of prime order $p$
$g$ generator for $G$
bilinear map $e: G \times G \to G_T$
$e(g^a, g^b) = e(g, g)^{ab}$
$e(g, g)$ generator for $G_T$
Decisional linear problem [BBS]
$f, h, g, u = f^R, v = h^S, w = g^T$
$T = R + S$ or $T$ random ?

Commitment scheme
Public key
$f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^T$
$pk = (p, G, G_T, e, g, f, h, u, v, w)$
Commitment to $m \in \mathbb{Z}_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s})$
Perfect hiding trapdoor if $T = R + S$: $c = (f^{mR+r}, h^{mS+s}, g^{m(R+S)+r+s})$

Commitment scheme
Commitment to $m \in \mathbb{Z}_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s}) = (c_1, c_2, c_3)$
Perfect binding if $T \neq R + S$
because $c_3\, c_1^{-1/x}\, c_2^{-1/y} = (w\, u^{-1/x}\, v^{-1/y})^m = g^{(T-(R+S))m}$
uniquely defines $m$

Commitment scheme
Commitment to $m \in \mathbb{Z}_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s})$
Homomorphic
$(u^m f^r, v^m h^s, w^m g^{r+s}) \cdot (u^M f^R, v^M h^S, w^M g^{R+S}) = (u^{m+M} f^{r+R}, v^{m+M} h^{s+S}, w^{m+M} g^{r+R+s+S})$
Witness indistinguishable proof of commitment to message 0 or 1
- Perfect sound on perfect binding key
- Perfect WI on perfect trapdoor key

Choosing two keys
Elliptic curve $E: y^2 = x^3 + 1 \bmod q$, where $q$ smallest suitable prime so $E$ has order $p$ subgroup. Easy to verify $p$ is prime, $p$ defines $(G, G_T, e)$, easy to verify that $g$ is order $p$ point on curve.
Choose $x, y \leftarrow \mathbb{Z}_p^*$, $R, S \leftarrow \mathbb{Z}_p$ and set
$f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^{R+S}$
Output two public keys
$(p, G, G_T, e, g, f, h, u, v, w)$
$(p, G, G_T, e, g, f, h, u, v, wg)$
At least one must be perfectly binding, but by decisional linear assumption hard to tell which one
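
The decisional-linear commitment and the two-key choice, as an added Python example that is not from the talk. It uses a toy exponent model ($g^a$ stored as $a \bmod p$, so no security), and the key generator's exponents x, y, R, S are passed around as `sk` only to show what a key does and does not determine; the prime and all function names are constructed for illustration.

```python
# Toy exponent model (constructed, insecure): a group element g^a is stored as
# a mod p, so products become sums and powers become products.
import secrets

PRIME = 2**61 - 1    # constructed toy prime standing in for the group order p

def rand(nonzero=False):
    return secrets.randbelow(PRIME - 1) + 1 if nonzero else secrets.randbelow(PRIME)

def choose_two_keys():
    """Return (sk, pk0, pk1); pk0 has w = g^(R+S), pk1 has w*g. (p, G, G_T, e, g) omitted."""
    x, y, R, S = rand(True), rand(True), rand(), rand()
    f, h = x, y                                  # f = g^x, h = g^y
    u, v, w = f * R % PRIME, h * S % PRIME, (R + S) % PRIME
    return (x, y, R, S), (f, h, u, v, w), (f, h, u, v, (w + 1) % PRIME)

def verify_pair(pk0, pk1):
    """Verifier's check: same (f, h, u, v) and the second w is the first w times g."""
    return pk0[:4] == pk1[:4] and pk1[4] == (pk0[4] + 1) % PRIME

def commit(pk, m, r, s):
    """c = (u^m f^r, v^m h^s, w^m g^(r+s))"""
    f, h, u, v, w = pk
    return ((m * u + r * f) % PRIME, (m * v + s * h) % PRIME, (m * w + r + s) % PRIME)

def extract(sk, pk, c):
    """Binding key: recover m from c3 c1^(-1/x) c2^(-1/y) = g^((T-(R+S))m)."""
    x, y, R, S = sk
    delta = (pk[4] - R - S) % PRIME              # T - (R+S), nonzero iff binding
    if delta == 0:
        return None                              # trapdoor key: m is not determined
    val = (c[2] - c[0] * pow(x, -1, PRIME) - c[1] * pow(y, -1, PRIME)) % PRIME
    return val * pow(delta, -1, PRIME) % PRIME

def equivocate(sk, m, r, s, m_new):
    """Trapdoor key (T = R+S): new (r, s) that open the same commitment to m_new."""
    _, _, R, S = sk
    return (r + (m - m_new) * R) % PRIME, (s + (m - m_new) * S) % PRIME
```

Whatever w the key generator picks, the exponents T and T+1 of the two keys cannot both equal R+S, which is why passing `verify_pair` guarantees that at least one key is binding.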