Post on 14-Jan-2016
New Techniques for NIZK
Jens Groth
Rafail Ostrovsky
Amit Sahai
University of California, Los Angeles
Motivation
"I'm a woman."
"Prove it!"
"OK, I will make a zero-knowledge proof."
Circuit C = "I'm a woman"
Proof π
Completeness
Perfect completeness: Pr[Accept] = 1
[Diagram: common reference string from $K(1^k)$; the prover holds circuit C and witness w so C(w) = 1 and sends proof π; the verifier outputs Accept]
Soundness
Perfect soundness: Pr[Reject] = 1
[Diagram: common reference string from $K(1^k)$; the adversary sends an unsatisfiable C and proof π; the verifier outputs Reject]
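Zero-knowledge
Computational zero-knowledge: $\Pr[A \to 1 \mid \text{Simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{Real proofs } (K, P)]$
[Diagram: $S_1(1^k)$ outputs the "common reference string" and sk; the adversary sends circuit C and witness w; the simulator answers with proof π from $S_2(crs, sk, C)$; the adversary outputs 0/1]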
NIZK proof for Circuit SAT
Circuit SAT is NP complete
[Diagram: circuit of two NAND gates with wires $w_1$, $w_2$, $w_3$, $w_4$ and output 1]
Homomorphic proof commitment
Two types of indistinguishable public keys:
- Perfect trapdoor: $(pk, tk) \leftarrow K_{hiding}(1^k)$
- Perfect binding: $pk \leftarrow K_{binding}(1^k)$
Homomorphic
Message space size at least 4 (3 also ok)
Witness indistinguishable proof that commitment contains 0 or 1
- Perfect soundness on perfect binding key
- Perfect WI on perfect trapdoor key
Bilinear group of order n
$G$, $G_T$ cyclic groups of order $n = pq$
$g$ generator for $G$
bilinear map $e: G \times G \to G_T$
$e(u^a, v^b) = e(u, v)^{ab}$
$e(g, g)$ generates $G_T$
Decision subgroup problem
ord(h) = q or ord(h) = n ?
BGN-based commitment
Perfect binding key: ord(g) = n, ord(h) = q
Perfect hiding key: ord(g) = ord(h) = n and $g = h^x$
Commitment: $Com(m; r) = g^m h^r$ where $r \in Z_n$
Homomorphic: $g^{m+M} h^{r+R} = g^m h^r \cdot g^M h^R$
WI proof for commit to 0 or 1
Wish to prove c commitment to 0 or 1
Write $c = g^m h^r$ (m mod p unique if h order q)
$e(c, g^{-1}c) = e(g^m h^r, g^{m-1} h^r) = e(g, g)^{m(m-1)} \, e(h^r, g^{2m-1} h^r) = e(h, (g^{2m-1} h^r)^r) = e(h, \pi)$
Proof is: $\pi = (g^{2m-1} h^r)^r$
Soundness when h has order q: $e(g, g)^{m(m-1)} \, e(h^r, g^{2m-1} h^r) = e(h, \pi)$ so m = 0, 1 mod p
Witness indistinguishability when h has order n: Unique π so $e(c, g^{-1}c) = e(h, \pi)$
NIZK proof for Circuit SAT
[Diagram: the two-NAND circuit with every wire replaced by a commitment; the output wire carries com(1)]
$c_1 = com(w_1)$, $c_2 = com(w_2)$, $c_3 = com(w_3)$, $c_4 = com(w_4)$
WI proof $c_1$ commit to 0 or 1
WI proof $c_2$ commit to 0 or 1
WI proof $c_3$ commit to 0 or 1
WI proof $c_4$ commit to 0 or 1
WI proof $w_4 = \neg(w_1 \wedge w_2)$
WI proof $1 = \neg(w_4 \wedge w_3)$
WI proof for NAND-gate
Given $c_0, c_1, c_2$ commitments containing bits $b_0, b_1, b_2$ wish to prove $b_2 = \neg(b_0 \wedge b_1)$
$b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$
WI proof $c_0 c_1 c_2^2 \, com(-2)$ commitment to 0 or 1
NIZK proof for Circuit SAT
Commit to all wires $w_i$ as $c_i = com(w_i)$
For each i make WI proof that $c_i$ contains 0 or 1
For each NAND-gate make WI proof that $c_0 c_1 c_2^2 \, com(-2)$ contains 0 or 1
Perfect completeness
Perfect binding key - perfect soundness
Perfect trapdoor key - perfect zero-knowledge
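The construction above, run on the two-NAND circuit from the slides, as an added example that is not part of the original talk. It assumes a toy "exponent model" (each group element is stored as its discrete log mod n, the pairing as a product of exponents) with constructed primes 11 and 13; the function names are hypothetical.

```python
import secrets

# Toy "exponent model" (constructed): the group element g^a is stored as a mod n
# and the pairing e(g^a, g^b) as a*b mod n. It checks the algebra only; it hides
# nothing and the primes are far too small for real use.
P, Q = 11, 13
N = P * Q                                     # n = pq
GATES = ((1, 2, 4), (4, 3, 5))                # w4 = NAND(w1,w2), w5 = NAND(w4,w3) = 1

def keygen(binding):
    """Return x with h = g^x: ord(h) = q if binding, ord(h) = n otherwise."""
    while True:
        x = secrets.randbelow(N - 1) + 1
        if x % Q != 0 and (x % P == 0) == binding:
            return x

def com(x, m, r):
    return (m + x * r) % N                    # g^m h^r

def prove_bit(x, m, r):
    return (2 * m - 1 + x * r) * r % N        # pi = (g^(2m-1) h^r)^r

def verify_bit(x, c, pi):
    return (c * (c - 1) - x * pi) % N == 0    # e(c, g^-1 c) = e(h, pi)

def nand_com(c0, c1, c2):
    return (c0 + c1 + 2 * c2 - 2) % N         # c0 c1 c2^2 com(-2; 0)

def prove_circuit(x, w1, w2, w3):
    w = {1: w1, 2: w2, 3: w3, 4: 1 - w1 * w2, 5: 1}
    r = {i: secrets.randbelow(N) for i in (1, 2, 3, 4)}
    r[5] = 0                                  # output wire is the fixed com(1; 0)
    c = {i: com(x, w[i], r[i]) for i in w}
    bits = {i: prove_bit(x, w[i], r[i]) for i in (1, 2, 3, 4)}
    gates = [prove_bit(x, w[a] + w[b] + 2 * w[o] - 2, r[a] + r[b] + 2 * r[o])
             for a, b, o in GATES]
    return c, bits, gates

def verify_circuit(x, c, bits, gates):
    ok = c[5] == 1 and all(verify_bit(x, c[i], bits[i]) for i in bits)
    return ok and all(verify_bit(x, nand_com(c[a], c[b], c[o]), pi)
                      for (a, b, o), pi in zip(GATES, gates))

def forgeable(x, c):
    """Exhaustive search: does any pi make commitment c pass the 0/1 check?"""
    return any(verify_bit(x, c, pi) for pi in range(N))
```

On a binding key no π exists for a commitment to 2, while on a hiding key one always does, which is why the same proof system is perfectly sound under one key type and perfectly zero-knowledge under the other.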
Perfect NIZK on perfect trapdoor key
Simulation:
- Make trapdoor commitments
- Trapdoor-open relevant commitments to 0 and WI prove
Proof that simulation works on C with w so C(w)=1:
- Can trapdoor-open commitments to $w_i$'s and WI prove. By perfect witness-indistinguishability of the WI proofs indistinguishable from simulation
- Can from the start make commitments to $w_i$'s. By perfect hiding of the commitments indistinguishable from previous method
- Corresponds to real proof on trapdoor key
First result
Use $K_{binding}$ to generate pk
NIZK proof with
- perfect completeness
- perfect soundness
- computational ZK
CRS size: O(k) bits
Proof size: O(|C|k) bits
Compare with: $O(|C|k^2)$ proofs [KP]
Second result
Use $K_{hiding}$ to generate pk
NIZK argument with
- perfect completeness
- computational co-soundness
- perfect zero-knowledge
CRS size: O(k) bits
Proof size: O(|C|k) bits
Compare with: None
Adaptive co-soundness
Computational co-soundness: Pr[Reject] ≈ 1
[Diagram: common reference string from $K_{hiding}$; C, $w_{co}$; proof π; Reject]
$w_{co}$ witness for C unsatisfiable
Third result
Protocol:
- Non-interactive
- Statistical ZK
- UC NIZK proof secure against adaptive adversary
Compare with:
- Interactive UC ZK proofs [DN, CLOS]
- UC NIZK proofs secure against non-adaptive adversary [DDOPS]
Non-interactive zaps for Circuit SAT
No common reference string
Perfect completeness:
(C, w) so C(w)=1
$\pi \leftarrow P(1^k, C, w) : V(1^k, C, \pi) = 1$
Perfect soundness:
(C, π) with C unsatisfiable: $V(1^k, C, \pi) = 0$
Computational witness-indistinguishability:
$(C, w_0, w_1)$ so $C(w_0) = 1$ and $C(w_1) = 1$
$P(1^k, C, w_0) \approx P(1^k, C, w_1)$
Non-interactive zaps
Naïve idea:
Prover chooses public key and makes NIZK proof
Problem: Can choose trapdoor key and prove anything
Better idea:
Prover chooses two public keys and makes an NIZK proof with each of them
Makes choice so:
One is trapdoor, one is perfect binding
Verifiable that at least one key is perfect binding
Verifier cannot tell which key is trapdoor
Witness-indistinguishability
Circuit C and two witnesses $w_0$, $w_1$
• Generate $pk_0$ perfect trapdoor and $pk_1$ perfect binding
• NIZK proof using $w_0$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
• Simulate proof on trapdoor $pk_0$; NIZK proof using $w_0$ on $pk_1$
• NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
• Switch to $pk_0$ perfect binding and $pk_1$ perfect trapdoor
• NIZK proof using $w_1$ on $pk_0$; simulate proof on trapdoor $pk_1$
• NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_1$ on $pk_1$
• Switch back to $pk_0$ perfect trapdoor and $pk_1$ perfect binding
Fourth result
Use verifiable pairs of public keys
- At least one of two keys is perfect binding
- The other is trapdoor
- Indistinguishable which one is trapdoor
Non-interactive ZAP
Proof size O(|C|k) bits
Compare with:
- 2-move zaps [DN]
- Non-interactive zaps [BOV] huge proofs, non-standard assumption
Bilinear groups
$G$, $G_T$ cyclic groups of prime order p
$g$ generator for $G$
bilinear map $e: G \times G \to G_T$
$e(g^a, g^b) = e(g, g)^{ab}$
$e(g, g)$ generator for $G_T$
Decisional linear problem [BBS]
$f, h, g, u = f^R, v = h^S, w = g^T$
T = R+S or T random ?
Commitment scheme
Public key
$f = g^x, h = g^y, u = f^R, v = h^S, w = g^T$
$pk = (p, G, G_T, e, g, f, h, u, v, w)$
Commitment to $m \in Z_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s})$
Perfect hiding trapdoor if T = R+S
$c = (f^{mR+r}, h^{mS+s}, g^{m(R+S)+r+s})$
Commitment scheme
Commitment to $m \in Z_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s}) = (c_1, c_2, c_3)$
Perfect binding if T ≠ R+S
because $c_3 c_1^{-1/x} c_2^{-1/y} = (w u^{-1/x} v^{-1/y})^m = g^{(T-(R+S))m}$
uniquely defines m
Commitment scheme
Commitment to $m \in Z_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s})$
Homomorphic
$(u^m f^r, v^m h^s, w^m g^{r+s}) \cdot (u^M f^R, v^M h^S, w^M g^{R+S}) = (u^{m+M} f^{r+R}, v^{m+M} h^{s+S}, w^{m+M} g^{r+R+s+S})$
Witness indistinguishable proof of commitment to message 0 or 1
- Perfect sound on perfect binding key
- Perfect WI on perfect trapdoor key
Choosing two keys
Elliptic curve E: $y^2 = x^3 + 1 \bmod q$, where q smallest suitable prime so E has order p subgroup. Easy to verify p is prime, p defines $(G, G_T, e)$, easy to verify that g is order p point on curve.
Choose $x, y \leftarrow Z_p^*$, $R, S \leftarrow Z_p$ and set
$f = g^x, h = g^y, u = f^R, v = h^S, w = g^{R+S}$
Output two public keys
$(p, G, G_T, e, g, f, h, u, v, w)$
$(p, G, G_T, e, g, f, h, u, v, wg)$
At least one must be perfectly binding, but by decisional linear assumption hard to tell which one