Non-interactive Zaps and New Techniques for NIZK

Jens Groth, Rafail Ostrovsky, Amit Sahai
University of California, Los Angeles

Posted on 19-Dec-2015


Witness-indistinguishability

(Illustration slide: a burglar and several potential witnesses.) The proof convinces the verifier that one of the witnesses was used, but not which one.

Non-interactive zaps for Circuit SAT

Poly-time algorithms P (prover) and V (verifier); no common reference string.

Perfect completeness: for all $(C, w)$ with $C(w) = 1$:
$\pi \leftarrow P(1^k, C, w) : V(1^k, C, \pi) = 1$

Perfect soundness: for all $(C, \pi)$ with $C$ unsatisfiable:
$V(1^k, C, \pi) = 0$

Computational witness-indistinguishability: for all $(C, w_0, w_1)$ with $C(w_0) = 1$ and $C(w_1) = 1$:
$P(1^k, C, w_0) \approx P(1^k, C, w_1)$

Comparison

Dwork and Naor, FOCS 2000: 2-round zaps from trapdoor permutations.

Barak, Ong and Vadhan, Crypto 2003: non-interactive zaps by derandomizing Dwork-Naor zaps (non-polynomial assumption).

This talk: non-interactive zaps based on the decisional linear assumption; proof size $O(|C| k)$ bits.

Bilinear groups

$G$, $G_T$ cyclic groups of prime order $p$; $g$ a generator of $G$.

Bilinear map $e: G \times G \to G_T$ with $e(g^a, g^b) = e(g, g)^{ab}$, and $e(g, g)$ a generator of $G_T$.

Decisional linear problem [Boneh et al. 04]: given $f, h, g$ and $u = f^R$, $v = h^S$, $w = g^T$, decide whether $T = R + S$ or $T$ is random.

Commitment scheme

Public key: $f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^T$;
$pk = (p, G, G_T, e, g, f, h, u, v, w)$.

Commitment to $m \in \mathbb{Z}_p$: $c = (u^m f^r, v^m h^s, w^m g^{r+s})$.

Perfect hiding (trapdoor key) if $T = R + S$:
$c = (f^{mR + r}, h^{mS + s}, g^{m(R+S) + r + s})$, which is a commitment to 0 with randomness $(mR + r, mS + s)$.

Commitment scheme

Commitment to $m \in \mathbb{Z}_p$: $c = (c_1, c_2, c_3) = (u^m f^r, v^m h^s, w^m g^{r+s})$.

Perfect binding if $T \neq R + S$, because
$c_3 \, c_1^{-1/x} \, c_2^{-1/y} = (w \, u^{-1/x} \, v^{-1/y})^m = g^{(T - (R+S)) m}$
uniquely defines $m$.

Commitment scheme

Commitment to $m \in \mathbb{Z}_p$: $c = (u^m f^r, v^m h^s, w^m g^{r+s})$.

Homomorphic:
$(u^m f^r, v^m h^s, w^m g^{r+s}) \cdot (u^M f^R, v^M h^S, w^M g^{R+S}) = (u^{m+M} f^{r+R}, v^{m+M} h^{s+S}, w^{m+M} g^{r+R+s+S})$

Witness-indistinguishable proof that a commitment contains 0 or 1:
- Perfectly sound on a perfect binding key
- Perfectly WI on a perfect trapdoor key

Commitment scheme (summary)

Homomorphic. Two types of indistinguishable public keys: perfect trapdoor and perfect binding.

Witness-indistinguishable proof that a commitment contains 0 or 1: perfect soundness on a perfect binding key, perfect WI on a perfect trapdoor key.

NIZK proof for Circuit SAT

Circuit SAT is NP-complete. (Figure: a circuit with input wires $w_1, w_2, w_3$, internal wire $w_4$, two NAND gates, and output 1.)

Commit to every wire: $com(1)$ for the output, $c_1 = com(w_1)$, $c_2 = com(w_2)$, $c_3 = com(w_3)$, $c_4 = com(w_4)$.

WI proof that $c_1$ commits to 0 or 1
WI proof that $c_2$ commits to 0 or 1
WI proof that $c_3$ commits to 0 or 1
WI proof that $c_4$ commits to 0 or 1
WI proof that $w_4 = \neg(w_1 \wedge w_2)$ (NAND)
WI proof that $1 = \neg(w_4 \wedge w_3)$ (NAND)

WI proof for NAND-gate

Given commitments $c_0, c_1, c_2$ containing bits $b_0, b_1, b_2$, we wish to prove $b_2 = \neg(b_0 \wedge b_1)$.

$b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2 b_2 - 2 \in \{0, 1\}$.

So: WI proof that $c_0 \, c_1 \, c_2^2 \, com(-2)$ is a commitment to 0 or 1.

NIZK proof for Circuit SAT

Commit to all wires $w_i$ as $c_i = com(w_i)$.
For each $i$, make a WI proof that $c_i$ contains 0 or 1.
For each NAND-gate, make a WI proof that $c_0 \, c_1 \, c_2^2 \, com(-2)$ contains 0 or 1.

Perfect completeness.
Perfect binding key: perfect soundness.
Perfect trapdoor key: perfect zero-knowledge.

Perfect NIZK on perfect trapdoor key

Simulation: make trapdoor commitments, trapdoor-open the relevant commitments to 0, and WI prove.

Proof that the simulation works on $C$ with $w$ such that $C(w) = 1$:
- Can trapdoor-open commitments to the $w_i$'s and WI prove. By perfect witness-indistinguishability of the WI proofs, this is indistinguishable from the simulation.
- Can from the start make commitments to the $w_i$'s. By perfect hiding of the commitments, this is indistinguishable from the previous method, and it corresponds to a real proof on the trapdoor key.

Non-interactive zaps

Naive idea: prover chooses the public key and makes an NIZK proof.
Problem: the prover can choose a trapdoor key and prove anything.

Better idea: prover chooses two public keys and makes an NIZK proof with each of them, choosing them so that:
- One is trapdoor, one is perfect binding
- It is verifiable that at least one key is perfect binding
- The verifier cannot tell which key is trapdoor

Choosing two keys

Generate group $(p, G, G_T, e, g)$. E.g., elliptic curve $E: y^2 = x^3 + 1 \bmod q$, where $q$ is the smallest suitable prime so that $E$ has a subgroup of order $p$. It is easy to verify that $p$ is prime, $p$ defines $(G, G_T, e)$, and $g$ is a point of order $p$ on the curve.

Choose $x, y \leftarrow \mathbb{Z}_p^*$, $R, S \leftarrow \mathbb{Z}_p$ and set
$f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^{R+S}$.

Output two public keys:
$(p, G, G_T, e, g, f, h, u, v, w)$
$(p, G, G_T, e, g, f, h, u, v, wg)$

At least one must be perfectly binding, but by the decisional linear assumption it is hard to tell which one.
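A toy instantiation of the commitment scheme, the NAND-gate encoding and the two-key trick above, added here as an example and not part of the talk or the authors' code. It uses a constructed order-1019 subgroup of $\mathbb{Z}_{2039}^*$ instead of a pairing group, so the pairing-based WI proofs are not implemented; the extractor that knows $(x, y)$ stands in for them, and trapdoor opening uses $(R, S)$.

```python
import secrets

Q, P, G = 2039, 1019, 4   # constructed toy: q = 2p+1, p prime, g = 4 has order p

def zap_keys():
    """The two keys of the talk: same (f, h, u, v), w = g^(R+S) versus w*g."""
    x, y = 1 + secrets.randbelow(P - 1), 1 + secrets.randbelow(P - 1)
    R, S = secrets.randbelow(P), secrets.randbelow(P)
    f, h = pow(G, x, Q), pow(G, y, Q)
    u, v, w = pow(f, R, Q), pow(h, S, Q), pow(G, (R + S) % P, Q)
    pk_trapdoor = (f, h, u, v, w)          # T = R+S: perfectly hiding
    pk_binding = (f, h, u, v, w * G % Q)   # T = R+S+1: perfectly binding
    return pk_trapdoor, pk_binding, (x, y, R, S)

def commit(pk, m, r=None, s=None):
    """c = (u^m f^r, v^m h^s, w^m g^(r+s)) for m in Z_p, fresh (r, s) if not given."""
    f, h, u, v, w = pk
    r = secrets.randbelow(P) if r is None else r
    s = secrets.randbelow(P) if s is None else s
    c = (pow(u, m % P, Q) * pow(f, r, Q) % Q,
         pow(v, m % P, Q) * pow(h, s, Q) % Q,
         pow(w, m % P, Q) * pow(G, (r + s) % P, Q) % Q)
    return c, (r, s)

def mul(c, d):
    """Homomorphic property: com(m; r, s) * com(M; R, S) = com(m+M; r+R, s+S)."""
    return tuple(a * b % Q for a, b in zip(c, d))

def extract(sk, c):
    """c3 * c1^(-1/x) * c2^(-1/y) = g^((T-R-S) m): g^m on the binding key,
    1 on the trapdoor key. Returns the bit, or None if it is not g^0 or g^1."""
    x, y, _, _ = sk
    c1, c2, c3 = c
    d = c3 * pow(c1, -pow(x, -1, P) % P, Q) * pow(c2, -pow(y, -1, P) % P, Q) % Q
    return {1: 0, G: 1}.get(d)

def trapdoor_open(sk, m, r, s, m_new):
    """On the trapdoor key, com(m; r, s) equals com(m_new; r', s') for these (r', s')."""
    _, _, R, S = sk
    return ((r + (m - m_new) * R) % P, (s + (m - m_new) * S) % P)

def nand_gate_ok(sk, pk_binding, b0, b1, b2):
    """Gate encoding from the talk: c0 * c1 * c2^2 * com(-2) contains 0 or 1 iff
    b2 = NAND(b0, b1). The extractor stands in for the WI proof here."""
    c0, _ = commit(pk_binding, b0)
    c1, _ = commit(pk_binding, b1)
    c2, _ = commit(pk_binding, b2)
    gate = mul(mul(c0, c1), mul(mul(c2, c2), commit(pk_binding, -2, 0, 0)[0]))
    return extract(sk, gate) in (0, 1)
```

On the trapdoor key every commitment extracts to 0, which is exactly the perfect-hiding statement of the slides; on the binding key the same extractor recovers the committed bit.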

Witness-indistinguishability

Circuit $C$ and two witnesses $w_0, w_1$. Hybrid argument:

• Generate $pk_0$ perfect trapdoor and $pk_1$ perfect binding
• NIZK proof using $w_0$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
• Simulate proof on trapdoor $pk_0$; NIZK proof using $w_0$ on $pk_1$
• NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
• Switch to $pk_0$ perfect binding and $pk_1$ perfect trapdoor
• NIZK proof using $w_1$ on $pk_0$; simulate proof on trapdoor $pk_1$
• NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_1$ on $pk_1$
• Switch back to $pk_0$ perfect trapdoor and $pk_1$ perfect binding

WI proof for message 0 or 1

$(c_1, c_2, c_3) = (u^m f^r, v^m h^s, w^m g^{r+s})$

$(c_1, c_2, c_3)$ is a commitment to 0 or 1 if and only if $(c_1, c_2, c_3)$ or $(c_1/u, c_2/v, c_3/w)$ contains 0.

$(c_1, c_2, c_3)$ contains 0 if and only if $(c_1, c_2, c_3^{-1}) = (f^r, h^s, g^{-(r+s)})$. Similarly for $(c_1/u, c_2/v, c_3/w)$.

We'll present a general proof that, given $(A = f^a, B = h^b, C = g^c)$ and $(X = f^x, Y = h^y, Z = g^z)$, we have $(a + b + c)(x + y + z) = 0$.

WI proof for message 0 or 1

Examine the matrix (note that the verifier can generate it):

$\begin{pmatrix} e(A, X) & e(A, Y) & e(A, Z) \\ e(B, X) & e(B, Y) & e(B, Z) \\ e(C, X) & e(C, Y) & e(C, Z) \end{pmatrix}$

WI proof for message 0 or 1

Suppose the prover knows $(a, b, c)$. Revealing the entries below convinces the verifier that $a + b + c = 0$ (each column multiplies to 1).

Similarly, if the prover knows $(x, y, z)$ it can reveal the left-hand entries, and the rows multiply to 1.

Bad: this tells the verifier which witness was used.

$\begin{pmatrix} e(f, X^a) & e(f, Y^a) & e(f, Z^a) \\ e(h, X^b) & e(h, Y^b) & e(h, Z^b) \\ e(g, X^c) & e(g, Y^c) & e(g, Z^c) \end{pmatrix}$

WI proof for message 0 or 1

Blind across the diagonal. If both $a + b + c = 0$ and $x + y + z = 0$, then the matrix is distributed identically to its transpose, so it hides perfectly whether we are looking at rows or columns.

$\begin{pmatrix} e(f, X^a) & e(f, h^t Y^a) & e(f, g^{-t} Z^a) \\ e(h, f^{-t} X^b) & e(h, Y^b) & e(h, g^t Z^b) \\ e(g, f^t X^c) & e(g, h^{-t} Y^c) & e(g, Z^c) \end{pmatrix}$

Summary

Homomorphic commitments with indistinguishable trapdoor/binding keys and WI proofs for message 0 or 1.

NIZK proofs from such commitments: simple and efficient, $O(|C| k)$ bit-size.

Non-interactive zaps: perfect completeness, perfect soundness, computational WI.