Pairing-Based Non-interactive Proofs

Jens Groth

University College London

Joint work with Rafail Ostrovsky and Amit Sahai

Thanks also to Brent Waters

Motivation

Alice Bob

Why does Bob want to know my password,

bank statement, etc.?

Did Alice honestly follow the protocol?Show me all your inputs!

No!

History

• Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985

• First the paper was rejected a couple of times• ...then they won the Gödel award for it

Interactive proof

Prover Verifier

Statement OK, statement is true

Statements

• Mathematical theorem: 2+2=4• Identification: I am me!• Verification: I followed the protocol• Anything: X belongs to NP-language L

Interactive proof

Prover Verifier

Statement: xL OK, xL

Witness w (x,w) RL

Zero-knowledge and witness indistinguishability

Prover Verifier

Statement: xL OK, xL

Witness w (x,w) RL

Zero-knowledge:Verifier learns statement is

true, but nothing else

Witness-indistinguishable: Verifier does not learn which witness Prover has in mind

Zero-knowledge proofs in multi-party computation

Function: f

Input: x Input: y

Output: f(x,y)

I don’t trust you!Did you follow the

protocol?

Yes, I followed the protocol, but my input

is secret!

ZK proof

OK, she followed the protocol

History

• Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985

• Many actions are non-interactive– Signature– Encryption– ...

Non-interactive proofs

Prover Verifier

Statement: xL OK, xL

Witness w (x,w) RL

Proof

Non-interactive zero-knowledge (NIZK) proofs

• Completeness– Can prove a true statement

• Soundness– Cannot prove false statement

• Zero-knowledge– Proof reveals nothing (except truth of statement)

NIZK proofs only for trivial languages (BPP)

Sketch of proof:

Decision algorithm for x in L:• Learn nothing from proof = can simulate proof• If xL: ZK and complete so verifier algorithm accepts• If xL: Sound so verifier algorithm rejects

History

• Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985

• Many actions are non-interactive– Signature– Encryption– ...

• Blum, Feldman and Micali introduced non-interactive zero-knowledge proofs in the common reference string model in 1986

Common reference string

• Key generation algorithm K– Uniformly at random

– Specific distribution

• Trusted generation– Trusted party

– Secure multi-party computation

– Multi-string model where t-out-of-n are trusted

0110110101000101110100101

CRS: 01101010101010101

NIZK and NIWI proofs

Prover Verifier

Statement: xL OK, xL

Witness w (x,w) RL

NIZK:Verifier learns statement is

true, but nothing else

NIWI: Verifier does not learn which witness Prover has in mind

Proof

Defining NIZK proofs

• NP language L: xL if is witness w so (x,w)RL

• NIZK proof consists of three probabilistic polynomial time algorithms (K,P,V)

• K(1k): Generates common reference string σ• P(σ,x,w): Generates a proof • V(σ,x,): Verifies the proof (outputs 1 or 0)

Completeness

Perfect completeness: Pr[Accept] = 1

P(σ,x,w) → V(σ,x,) →Accept/reject

K(1k)Common reference string σ

Statement xL

Witness wso (x,w)R

Soundness

Perfect soundness: Adv: Pr[Reject] = 1

Computational soundness: poly-time Adv: Pr[Reject] 1

V(σ,x,) →Accept/reject

K(1k)Common reference string σ

Statement xL

Witness indistinguishability

Perfect witness-indistinguish.: Adv: Pr[Guess = b] = ½

Computational WI: poly-time Adv: Pr[Guess = b] ½

P(σ,x,wb) →

K(1k)Common reference string σ

Statement xL

Witnesses w0,w1 (x,w0),(x,w1)RL

b{0,1}

Guess{0,1}

Zero-knowledge

Perfect ZK: Pr[Adv →1|Real ] = Pr[Adv→1|Simulation]Computational ZK: poly-time Adv: Pr[Adv →1|Real ] Pr[Adv→1|Simulation]

P(σ,x,w) →

K(1k) → σ

0/1(x,w) RL

S2(σ,,x) →

S1(1k) → σ

0/1(x,w) RL

Trade-off

• Perfect soundness and perfect zero-knowledge only possible for trivial languages– Sketch of proof:

• Perfect ZK implies real common reference string and simulated common reference string has same probability distribution

• To decide whether x in L simulate common reference string, simulate proof, run verifier on simulated proof

• If xL: By perfect ZK and completeness verifier accepts• If xL: By perfect soundness verifier rejects

• Choice:– Perfect soundness and computational zero-knowledge– Computational soundness and perfect zero-knowledge

The world in 2005

• Much research in NIZK proofs– Blum-Feldman-Micali 88– Damgård 92– Feige-Lapidot-Shamir 99– Kilian-Petrank 98– De Santis-Di Crescenzo-Persiano 02

• Inefficient

• Alternatives– Fiat-Shamir heuristic transforms interactive zero-knowledge proof

into non-interactive scheme, however, there are examples of insecure Fiat-Shamir transformation

– Designated verifier proofs such as Damgård, Fazio, Nicolosi 05, however, the verification is not public

Applications

• Public-key encryption• Mix-nets for anonymous broadcast• Internet voting• Group signatures• Ring signatures• Identification• Verifying outsourced computation• ...

Practice

Circuit SAT Practical statements

Inefficient

Efficient

Kilian-Petrank 98

Groth-Ostrovsky-Sahai 06

Groth 06

Groth-Sahai 08

1 GB

1 KB

Statement: Here is a ciphertext and a document. The ciphertext contains a digital signature on the document.

Known for all

of NP?

Computational

zero-knowledge

Perfectzero-knowledge

(everlasting privacy)

Interactive proof

Non-interactive

proof ?

Yes[Goldreich-

Micali-Wigderson

1986]

Yes[Brassard-Crepeau

1986]

Yes[Blum-

Feldman-Micali 1988]

Yes[G-

Ostrovsky-Sahai 2006]

CRS-free proofs for all

of NP?Zero-

knowledgeWitness-

indistinguishability

Interactive proofs

Non-interactive proof ?

4 rounds 2 rounds

Impossible Yes

Goals

• Efficient NIZK and NIWI proofs• Perfect zero-knowledge

– Computational soundness

• Eliminating the common reference string– NIWI proofs (non-interactive zaps)

• New techniques from pairing based cryptography

Groth-Ostrovsky-Sahai 06

• NIZK proof for Circuit SAT• Perfect completeness, perfect soundness,

computational zero-knowledge• Common reference string size: O(k) bits• Proof size: O(|C|k) bits

Composite order bilinear group

• Gen(1k) generates (p,q,G,GT,e,g)

• G, GT finite cyclic groups of order n=pq

• G has generator g

• Pairing e: G G → GT

– e(g,g) generates GT

– e(ga,gb) = e(g,g)ab

• Deciding group membership, group operations, and bilinear pairing efficiently computable

Elliptic curves

Becoming familiar with the pairing

• Pairing e: G G → GT

– g generates G and has order n=pq

– e(g,g) generates GT

– e(ga,gb) = e(g,g)ab implies e(u,v)=e(v,u) and e(ux,v)=e(u,v)x=e(u,vx)

• Questions with answers:

e(ux,vy)e(uz,w) = e(u,vxywz)

e(u,vx)e(vy,u) = e(u,vx+y)

e(u-x,v)e(u,v)-1e(u-1,vy)z = e(u,v-1-x-yz)

If uq=1 then e(u,v)q=e(uq,v)=e(1,v)=e(g0,v)=e(g,v)0=1

If e(g,v)=e(h,u) then h=gx and v=ux (if ord(h)=n)

Subgroup decision problem

• Given hG decide whether h has order q or order n

• Subgroup decision assumption:

poly-time Adv:

Pr[ (p,q,G,GT,e,g)←Gen(1k); h ← G* : Adv(n,G,GT,e,g,h)=1]

Pr[ (p,q,G,GT,e,g)←Gen(1k); h ← Gq*: Adv(n,G,GT,e,g,h)=1]

BGN encryption [Boneh-Goh-Nissim 05]

Public key: g, h G h order q

Secret key: p, q n=pq

Encryption: c = gahr r ← Zn

Decryption: cq = (gahr)q = gqahqr = (gq)a

IND-CPA secure: Without secret key, ciphertext does not reveal poly-time computable information about plaintext.

Sketch of proof: By subgroup decision assumption public key looks the same as if h had order n. But if h had order n, ciphertext would have no information about the plaintext a.

BGN Commitment

Public key: g, h G h order q

Commitment: gahr r ← Zn

Perfectly binding: Unique a mod p

Computationally hiding: Indistinguishable from h order n

Addition: (gahr)(gbhs) = ga+bhr+s

Multiplication: e(gahr,gbhs)

= e(ga,gb) e(hr,gb) e(ga,hs) e(hr,hs)

= e(g,g)ab e(h,gas+rbhrs)

NIZK proof for Circuit SAT

1

w1

w4

w3w2

Circuit SAT is NP complete

NAND

NAND

NIZK proof for Circuit SAT g1

c1 := gw1hr1

c2 := gw2hr2

c4 := gw4hr4

c3 := gw3hr3

Prove w1 {0,1}

Prove w2 {0,1}

Prove w3 {0,1}

Prove w4 {0,1}

Prove w4 = (w1w2)

Prove 1 = (w4w3)

NAND

NAND

Proof for c containing 0 or 1

Write c = gwhr (unique w mod p since h has order q)

e(c,g-1c) = e(gwhr,gw-1hr)= e(gw,gw-1)e(hr,gw-1)e(gw,hr)e(hr,hr)= e(g,g)w(w-1) e(h,(g2w-1hr)r)

Proof := (g2w-1hr)r

Verifier checks: e(c,g-1c) = e(h,) → e(g,g)w(w-1) e(h,(g2w-1hr)r) = e(h,)

→ w = 0 or w = 1 (mod p)

Observation

b2 = (b0b1)

if and only if

b0 + b1 + 2b2 - 2 {0,1}

b0 b1 b2 b0+b1+2b2-2

0 0 0 -2

0 0 1 0

0 1 0 -1

0 1 1 1

1 0 0 -1

1 0 1 1

1 1 0 0

1 1 1 2

Proof for NAND-gate

Given c0, c1, c2 containing bits b0, b1, b2

wish to prove b2 = (b0b1)

b2 = (b0b1) if b0 + b1 + 2b2 - 2 {0,1}

c0c1c22g-2 = (gb0hr0)(gb1hr1)(gb2hr2)2g-2

= gb0+b1+2b2-2hr0+r1+2r2

Prove c0c1c22g-2 contains 0 or 1

NIZK proof for Circuit SAT g1

c1 := gw1hr1

c2 := gw2hr2

c4 := gw4hr4

c3 := gw3hr3

Prove w1 {0,1}

Prove w2 {0,1}

Prove w3 {0,1}

Prove w4 {0,1}

Prove w4 = (w1w2)

Prove 1 = (w4w3)

NAND

NAND

CRS = (n,G,GT,e,g,h)CRS size 3kProof size (2|W|+|C|)k

Zero-Knowledge

Subgroup decision assumption:

It is hard to distinguish random h of order q from random h of order n

Simulated common reference string

h order n by choosing g = h ← Zn*

The simulation trapdoor is

Commitments are now perfectly hiding trapdoor commitments

g0hr = g1hr-

Simulation g1

c1 := g1hr1

c2 := g1hr2

c4 := g1hr4

c3 := g1hr3

Simulate proofs for

w1 {0,1}

w2 {0,1}

w3 {0,1}

w4 {0,1}

Simulate proofs for

w4 = (w1w2)

1 = (w4w3)

NAND

NAND

Witness-indistinguishable 0/1-proof

Write c = g1hr (possible since we committed this way)

e(c,g-1c) = e(g1hr,g0hr)= e(h,(g1hr)r)

Proof := (g1hr)r

Verifier checks: e(c,g-1c) = e(h,)

Perfect witness-indistinguishable when h has order n since there is unique satisfying equation, no matter whether c contains 0 or 1

Witness-indistinguishability

Write c = g0hr+ (possible since we know trapdoor )

e(c,g-1c) = e(g0hr+,g-1hr+)= e(h,(g-1hr+)r+)

Proof := (g-1hr+)r+ = (g-1h)r+ (hr+)r= (g1hr)r

Verifier checks: e(c,g-1c) = e(h,)

Perfect witness-indistinguishable since both the witness (1,r) and the witness (0,r+) lead to exactly the same proof

Witness-indistinguishable NAND-proof

Given c0, c1, c2 containing wish to simulate proof for b2 = (b0b1) (simulator committed to b0=b1=b2=1)

b2 = (b0b1) if b0 + b1 + 2b2 - 2 {0,1}

c0c1c22g-2 = (g1hr0)(g1hr1)(g1hr2)2g-2

= g2hr0+r1+2r2

= g1h+r0+r1+2r2

Proof for c0c1c22g-2 containing 0 or 1

Zero-knowledge

Sketch of proof:

Pr[Adv→1|Real proof]

Pr[Adv→1|Real proof on h with order n]

= Pr[Adv→1|Hybrid proof where h has order n and commitments to 1 trapdoor opened to witness and then real proofs]

= Pr[Adv→1|Hybrid proof where h has order n and commitments to 1 and trapdoor opening

when making 0/1-proofs]

= Pr[Adv→1|Simulated proof]

Composable zero-knowledge

• Real common reference stringcomputationally indistinguishable fromsimulated common reference string

• Real proof on simulated common reference stringperfectly indistinguishable fromsimulated proof on simulated common reference string

NIZK proof for Circuit SAT

• Commit to all wires wi as ci := gwihri

• For each i prove ci contains 0 or 1

• For each NAND-gate prove c0c1c22g-2 contains 0

or 1• Total size: 2|W|+|C| group elements

• Perfect completeness, perfect soundness, composable zero-knowledge

• Also, perfect proof of knowledgecq = (gwhr)q = (gwq)(hrq) = (gq)w(hq)r = (gq)w

Known for all

of NP?

Computational

zero-knowledge

Perfectzero-knowledge

(everlasting privacy)

Interactive proof

Non-interactive

proof ?

Yes[Goldreich-

Micali-Wigderson

1986]

Yes[Brassard-Crepeau

1986]

Yes[Blum-

Feldman-Micali 1988]

Yes(as we

shall see now)

Perfect zero-knowledge

• Instead of h with order q, use h with order n

• Easy to verify that we have perfect completeness• As argued earlier we have perfect zero-knowledge• What about soundness?

”Natural” computational soundness fails

• Natural way to prove soundness fails• Start with h of order n and Adv that produces false

statement and valid proof• Switch to h of order q, which Adv cannot

distinguish from order n. Here Adv cannot produce false statement and valid proof

• Problem: Consider the statement ”h has order q”

Adaptive co-soundness

Computational co-soundness: poly-time Adv: Pr[Reject] ≈ 1

C, wco

Proof

K(1k)Common reference string

wco witness for C unsatisfiable

Computational co-soundness

Sketch of proof:• Imagine poly-time Adv could break co-soundness.

I.e., after seeing CRS = (n,G,GT,e,g,h) where h has order n, Adv produces valid (C,wco,).

• By subgroup decision assumption approximately same success probability for Adv producing valid (C,wco,) when h has order q.

• But wco guarantees C is unsatisfiable and when h has order q the perfect soundness guarantees C is satisfiable.

Co-soundness the ”right” definition

• Abe-Fehr 07 show that impossible to achieve ”natural” soundness definition with standard direct black-box methods

• In many scenarios a co-witness exists. – Consider for instance verifiable encryption, where the

secret key can be a co-NP witness for false statement

• Computational co-soundness sufficient for constructing universally composable NIZK proofs

Perfect NIZK argument for Circuit SAT

• Common reference string with h of order n

• Commit to all wires wi as ci := gwihri

• For each i prove ci contains 0 or 1

• For each NAND-gate prove c0c1c22g-2 contains 0

or 1• Total size: 2|W|+|C| group elements• Perfect completeness, computational co-

soundness, perfect zero-knowledge

Groth-Ostrovsky-Sahai 06

• NIZK proof for Circuit SAT• Perfect binding key:

– Perfect completeness– Perfect soundness– Computational zero-knowledge

• Perfect hiding key:– Perfect completeness– Computational co-soundness– Perfect zero-knowledge

= (n,G,GT,e,g,h)where ord(h) = q

= (n,G,GT,e,g,h)where ord(h) = n

?

Non-interactive proofs in the plain model

• NIZK proofs rely on trusted setup of common reference string.

• What if no such setup exists?• Well, NIZK proofs do not exist in the plain model.• OK, how much privacy can we get in plain model?• NIWI proofs do exist in the plain model!

CRS-free proofs for all

of NP?Zero-

knowledgeWitness-

indistinguishability

Interactive proofs

Non-interactive proofs

?

4 rounds 2 rounds

Impossible Yes

Intuition

• Naive idea: Let the prover choose the CRS.• Bad idea: The prover can just pick a simulation CRS.• Better idea: Let the prover choose two related CRS’s

– One CRS perfect sound, the other CRS perfect ZK– Verifiable that at least one is perfectly sound– Verifier cannot tell which one is sound

NIWI proof in plain model

• Statement: C• Proof:

(0,1,0) Krelated(1k)0 P(0,C,w)1 P(1,C,w)

The proof is = (0,1,0,1)

• Verification:Check (0,1) related so at least one is soundCheck (0,C,0) is valid proofCheck (1,C,1) is valid proof

Security

• NIWI proof in the plain model has perfect completeness, perfect soundness and computational witness-indistinguishability

• Perfect completeness:– Perfect completeness of NIZK proofs and perfectly

complete related CRS generation.

• Perfect soundness:– Related CRS generation implies at least one NIZK proof

has perfect soundness

Computational witness-indistinguishability

{C,w0,w1}k poly-time Adv:

Pr[b{0,1} ; P(1k,C,wb) : Adv(C,w0,w1,)=1] ½

• Equivalently

Pr[(0,1,0,1) P(1k,C,w0): Adv(C,w0,w1,)=1]

Pr[(0,1,0,1) P(1k,C,w1): Adv(C,w0,w1,)=1]

Witness-indistinguishability

Given circuit C and two witnesses w0, w1

• Generate 0 perfect ZK and 1 perfect sound

NIZK proof using w0 on 0 NIZK proof using w0 on 1

Simulate proof on 0 NIZK proof using w0 on 1

NIZK proof using w1 on 0 NIZK proof using w0 on 1

• Switch to 0 perfect sound and 1 perfect ZK

NIZK proof using w1 on 0 Simulate proof on 1

NIZK proof using w1 on 0 NIZK proof using w1 on 1

• Switch back to 0 perfect ZK and 1 perfect sound

Adversary knows C,w0,w1

and sees (0,1,0,1)

Verifiability of common reference string

• All that is left is to construct related common reference strings such that guarantee that one is sound and we get NIWI proofs in the plain model!

• How?– Does h have order q?– Is n even a product of two primes?

• Use NIZK proof based on prime order groups.

Prime order bilinear group

• Gen(1k) generates (p,G,GT,e,g)

• G, GT finite cyclic groups of prime order p

• Generator g for G

• Pairing e: G G → GT

– e(g,g) generates GT

– e(ga,gb) = e(g,g)ab

• Deciding group membership, group operations, and bilinear pairing efficiently computable

• Publicly verifiable that is valid bilinear group

Decision Linear assumption

• The DLIN problem is to distinguish (f,h,g,fr,hs,gr+s) from (f,h,g,fr,hs,R)

• The DLIN assumption for Gen: poly-time Adv:

Pr[(p,G,GT,e,g)Gen(1k) ; f,h G* ; r,s,tZp :Adv(p,G,GT,e,f,h,g,fr,hs,gr+s)=1]

Pr[(p,G,GT,e,g)Gen(1k) ; f,h G* ; r,s,tZp :Adv(p,G,GT,e,f,h,g,fr,hs,gt)=1]

Linear encryption [Boneh-Boyen-Shacham 04]

• Public key: f,h,g f,h,gG*

• Secret key: x,y f=gx, h=gy

• Encryption: (u,v,w) = (fr,hs,gr+sm) r,sZp

• Decryption:m = wu-1/xv-1/y

• IND-CPA security: The ciphertext contains no poly-time computable information about plaintext

• Sketch of proof: Look at public key and ciphertext(f,h,g,fr,hs,gr+sm) (f,h,g,fr,hs,gtm) = (f,h,g,fr,hs,R)

Commitments from Linear encryption

• Public key: (n,G,GT,e,f,h,g,u,v,w)

• Commitment: (uafr,vahs,wagr+s) r,sZp

• Additively homomorphic:

commit(a;r,s) commit(b;R,S)

= (uafr,vahs,wagr+s) (ubfR,vbhS,wbgR+S)

= (ua+bfr+R,va+bhs+S,wa+bgr+R+s+S)

= commit(a+b;r+S,s+S)

Binding and hiding keys

• Perfectly binding key: (u,v,w) = (fR,hS,gR+S+T)

(uafr,vahr,wagr+s) = (fRa+r,hSa+s,g(R+S)a+(r+s)gTa)

• Perfectly hiding key: (u,v,w) = (fR,hS,gR+S)

(u1fr,v1hs,w1gr+s) = (u0fr+R,v0hs+S,w0gr+R+s+S)

• Hard to distinguish perfect binding keys from perfect hiding keys by the DLIN assumption

Related keys

• Relation: 0 = (u,v,w) and 1 = (u,v,wg)

• Either 0 = (fR,hS,gR+S) and 1 = (fR,hS,gR+S+1)

or0 = (fR,hS,gR+S-1) and 1 = (fR,hS,gR+S)

or0 = (fR,hS,gR+S+T) and 1 = (fR,hS,gR+S+T+1)

• Verifiable that at least one perfectly binding key• Hard to tell which of the keys is perfectly hiding

NIZK proof for Circuit SAT

• NIZK proof in common reference string model, which is perfectly complete, perfectly sound and composable zero-knowledge.

• Efficient: 9|w|+6|C| group elements• Observe: Prime order group elements may be

smaller than composite order group elements, so may be more efficient than composite order proof

NIZK proof for Circuit SAT (u1,v1,w1)

c1 commit(w1)

c2 commit(w2)

c4 commit(w4)

c3 commit(w3)

Prove w1 {0,1}

Prove w2 {0,1}

Prove w3 {0,1}

Prove w4 {0,1}

Prove w4 = (w1w2)

Prove 1 = (w4w3)

NAND

NAND

Observation

b2 = (b0b1)

if and only if

b0 + b1 + 2b2 - 2 {0,1}

b0 b1 b2 b0+b1+2b2-2

0 0 0 -2

0 0 1 0

0 1 0 -1

0 1 1 1

1 0 0 -1

1 0 1 1

1 1 0 0

1 1 1 2

Proof for NAND-gate

Given c0, c1, c2 containing bits b0, b1, b2

wish to prove b2 = (b0b1)

b2 = (b0b1) if b0 + b1 + 2b2 - 2 {0,1}

Additively homomorphic commitments so

c0c1c22commit(-2) = commit(b0+b1+2b2-2)

Prove c0c1c22g-2 contains 0 or 1

Proof for 0-commitment

• Commitment to 0:

(u0fr,v0hs,w0gr+s) = (fr,hs,gr+s)

• Proof for (c1,c2,c3) = (fr,hs,gt) satisfying t=r+s mod p

(1,2) = (Zr, Zs) for known Z≠1

• Verification:

e(Z,c1)=e(f,1) e(Z,c2)=e(h,2) e(Z,c3)=e(g,12)

Proof for 0/1-commitment

• Commitment (c1,c2,c3) of the form (uafr,vahr,wagr+s) with a{0,1}

• Idea: – Show (c1,c2,c3) or (u-1c1,v-1c2,w-1c3) contains 0

– Do this by showing a(a-1)=0 mod p

• Problem: We do not have a pairing G3 G3 ???• Solution: Build one!

Meta-pairing

To avoid notational clutter define(A,B,C) = (c1,c2,c3) and (X,Y,Z)=(u-1c1,v-1c2,w-1c3)

Look at map E:G3 G3 GT9

e(A,X) e(A,Y) e(A,Z)

e(B,X) e(B,Y) e(B,Z)

e(C,X) e(C,Y) e(C,Z)

Naive proof if a=0

Suppose (A,B,C)=(fr,hs,gr+s)

e(f,Xr) e(f,Yr) e(f,Zr)

e(h,Xs) e(h,Ys) e(h,Zs)

e(g,Xr+s) e(g,Yr+s) e(g,Zr+s)

Give proof = (Xr,Xs,Yr,Ys,Zr,Zs)

Naive proof if a=1

Suppose (X,Y,Z)=(fr,hs,gr+s)

e(f,Ar) e(h,As) e(g,Ar+s)

e(f,Br) e(h,Bs) e(g,Br+s)

e(f,Cr) e(h,Cs) e(g,Cr+s)

Give proof = (Ar,As,Br,Bs,Cr,Cs)

Problem

• Easy to see whether proof verifies down the columns (a=0) or across the rows (a=1) so not witness-indistinguishable

• This was not a problem in the composite order case because the proof (a single group element) was symmetric.

• Ok, so let us try with a symmetric meta-pairing

Meta-pairing II

Try the symmetric map E:G3 G3 GT6

e(A,X)e(X,A) e(A,Y)e(X,B) e(A,Z)e(X,C)

e(B,X)e(Y,A) e(B,Y)e(Y,B) e(B,Z)e(Y,C)

e(C,X)e(Z,A) e(C,Y)e(Z,B) e(C,Z)e(Z,C)

Less naive proof if a=0

If (A,B,C)=(fr,hs,gr+s) and (X,Y,Z)=(u-1fr,v-1hs,w-1gr+s)

e(f,Xr)e(Xr,f) e(f,Yr)e(Xs,h) e(f,Z)e(Xr+s,g)

e(h,Xs)e(Yr,f) e(h,Ys)e(Ys,h) e(f,Z)e(Yr+s,g)

e(g,Xr+s)e(Zr,f) e(g,Yr+s)e(Zs,h) e(f,Zr+s)e(Zr+s,g)

Give proof = (Xr,Xs,Yr,Ys,Zr,Zs)

Less naive proof if a=1

If (A,B,C)=(u1fr,v1hs,w1gr+s) and (X,Y,Z)=(fr,hs,gr+s)

e(Ar,f)e(f,Ar) e(As,h)e(f,Br) e(Ar+s,g)e(f,Cr)

e(Br,f)e(h,As) e(Bs,h)e(h,Bs) e(Br+s,g)e(h,Cs)

e(Cr,f)e(g,Ar+s) e(Cs,h)e(g,Br+s) e(Cr+s,g)e(g,Cr+s)

Give proof = (Ar,As,Br,Bs,Cr,Cs)

Verification

Statement: (A,B,C) and (X,Y,Z)=(u-1A,v-1B,w-1C)

Proof: = (1,2,3,4,5,6)

Verification: Check that E((A,B,C),(X,Y,Z)) equals

e(f,1)e(f,1) e(h,2)e(f,3) e(g,12)e(f,5)

e(f,3)e(h,2) e(h,4)e(h,4) e(g,34)e(h,6)

e(f,5)e(g,12) e(h,6)e(g,34) e(g,56)e(g,56)

Witness-indistinguishable?

Consider a perfectly hiding key with (u,v,w)=(fR,hS,gR+S).

We have two different witnesses because (A,B,C)=(fR+r,hS+s,gR+S+r+s) and (X,Y,Z)=(fr,hs,gr+s)

The proofs are verified in the same way. Are they witness-indistinguishable?

= (XR+r,XS+s,YR+r,YS+s,ZR+r,ZS+s) = (Ar,As,Br,Bs,Cr,Cs)

Well, 1 = fr(R+r), 4 = hs(S+s), 56 = g(r+s)(R+S+r+s)

But, 2 = fr(S+s) or 2 = f(R+r)s

Which can be tested e(h,2)=e(B,X) or e(h,2)=e(A,Y)

Verification

Statement: (A,B,C) and (X,Y,Z)=(u-1A,v-1B,w-1C)

Proof: = (1,2,3,4,5,6)

Verification: Check that E((A,B,C),(X,Y,Z)) equals

e(f,1)e(f,1) e(h,2)e(f,3) e(g,12)e(f,5)

- e(h,4)e(h,4) e(g,34)e(h,6)

- - e(g,56)e(g,56)

Verification

Statement: (A,B,C) and (X,Y,Z)=(u-1A,v-1B,w-1C)

Randomized proof: = (1,ft2,h-t3,4,g-t5,gt6)

Verification: Check that E((A,B,C),(X,Y,Z)) equals

e(f,1)e(f,1) e(h,ft2)e(f,h-t3) e(g,ft12)e(f,g-t5)

- e(h,4)e(h,4) e(g,h-t34)e(h,gt6)

- - e(g,56)e(g,56)

Perfect witness-indistinguishability

• e(A,X)e(X,A) = e(f,1)e(f,1) unique 1

• e(B,Y)e(Y,B) = e(h,4)e(h,4) unique 4

• e(C,Z)e(Z,C) = e(g,56)e(g,56) unique 56

• e(B,Z)e(C,Y) = e(g,34)e(h,6)

• e(A,Z)e(C,X) = e(g,12)e(f,5)

• e(A,Y)e(B,X) = e(h,2)e(f,3)

• Randomization chooses 6 at random by setting 6 gt6 and then everything else is determined

• So either type of witness yields a uniformly random proof satisfying the above equations

Perfect soundness

• Write the commitments as (A,B,C) = (fa,hb,gc) and (X,Y,Z) = (fx,hy,gz)

• The verification equations imply (modulo p)

a(x+y-z) + (x+y-z)a = d1+d3-d5

b(x+y-z) + (x+y-z)b = d2+d4-d6

c(x+y-z) + (x+y-z)c = d1+d2+d3+d4-d5-d6

Giving us

(a+b-c)(x+y-z) + (x+y-z)(a+b-c) = 0

Implying (a+b-c)(x+y-z)=0 so

c=a+b or z=x+y

Choosing two common reference strings

Generate bilinear group (p, G, GT, e, g)

Choose x,y ← Zp*, R,S ← Zp and set

f = gx, h = gy, u = fR, v = hS, w = gR+S

Output two public keys

(p, G, GT, e, f, h, g, u, v, w)

(p, G, GT, e, f, h, g, u, v, wg)

At least one must be perfectly binding, but by decisional linear assumption hard to tell which one

NIWI proof in plain model

• Statement: C• Proof:

(0,1) Krelated(1k)0 P(0,C,w)1 P(1,C,w)

The proof is = (0,1,0,1)

• Verification:Check (0,1) related so at least one is soundCheck (0,C,0) is valid proofCheck (1,C,1) is valid proof

•Perfect completeness•Perfect soundness•Computational witness-indistinguishability

Groth-Ostrovsky-Sahai 06

• NIZK proof for Circuit SAT• Perfect binding key:

– Perfect completeness– Perfect soundness– Computational zero-knowledge

• Perfect hiding key:– Perfect completeness– Computational co-soundness– Perfect zero-knowledge

= (n,G,GT,e,g,h)where ord(h) = q

= (n,G,GT,e,g,h)where ord(h) = n

?

Efficiency problems with non-interactive zero-knowledge proofs

• Non-interactive proofs for general NP-complete language such as Circuit SAT. Any practical statement such as ”the ciphertext c contains a signature on this message m” must go through a size-increasing NP-reduction.

A brief history of non-interactive zero-knowledge proofs continued

Circuit SAT Practical statements

Inefficient

Efficient

Kilian-Petrank 98

Groth-Ostrovsky-Sahai 06

Groth 06

Groth-Sahai 08Coming next

Our goal

• We want high efficiency. Practical non-interactive proofs!

• We want non-interactive proofs for statements arising in practice such as ”the ciphertext c contains a signature on m”. No NP-reduction!

Constructions in bilinear groups

a,c G , b,d Zn

t = b+yd (mod n)

tG = xyayct

tT = e(tG,ctGb)

Non-interactive cryptographic proofs for correctness of constructions

t = b+yd (mod n)

tG = xyayct

tT = e(tG,ctGb)

Are the constructions correct? I do not know

your secret x, y.

Proof

Yes, here is a proof.

Cryptographic constructions

• Constructions can be built from– public exponents and public group elements– secret exponents and secret group elements

• Using any of the bilinear group operations– Addition and multiplication of exponents– Multiplication of elements in G– Bilinear map e

– Multiplication in GT

• Our goal: Non-interactive cryptographic proofs for correctness of a set of bilinear group constructions (soundness holds for the order p subgroups of G and Zn)

Examples of statements we can prove

• Here is a ciphertext c and a signature s. They have been constructed such that s is a signature on the secret plaintext.

• Here are three commitments A,B and C to secret exponents a,b and c. They have been constructed such that c=ab mod p.

Applications of efficient NIWI and NIZK proofs

• Constant size group signaturesBoyen-Waters 07 (independently of our work)Groth 07

• Sub-linear size ring signaturesChandran-Groth-Sahai 07

• Non-interactive NIZK proof for correctness of shuffleGroth-Lu 07

• Non-interactive anonymous credentialsBelienky-Chase-Kohlweiss-Lysyanskaya 08

• …

• Variables• Pairing product equations

• Multi-scalar multiplication equations in G

• Quadratic equations in Zn

Quadratic equations in the bilinear group

tT =mY

i=1

e(xi ;ai ) ¢mY

i=1

mY

j =1

e(xi ;xj )° i j

tG =mY

i=1

xi bi ¢nY

j =1

ayjj ¢mY

i=1

nY

j =1

x° i j yji

t =nX

i=1

biyi +nX

i=1

nX

j =1

°i j yiyj

xi 2 G;yj 2 Zn

Efficient NIWI and NIZK proofs for bilinear groups

• Statement S = (eq1,...,eqN) quadratic bilinear group equations

• Efficient NIWI proofs for satisfiability of all equations in S

• Efficient NIZK proofs for satisfiability of all equations in S if all tT=1

• Common reference string 3k bits• Each variable and each equation costs k bits

Each equation constant cost independent of number of public constants and secret variables. NIWI and NIZK proofs can have sub-linear size compared with statement!

Commitment to group elements

• Common reference string: (n,G,GT,e,g,h)– Real common reference string: h order q

– Simulation common reference string: g = h with Zn*

• Commitment to xiG: ci = xihri ri ← Zn*

• Commitment to yjZn*:dj = gyjhsj sj← Zn*

• Real CRS: Perfect binding in order p subgroups• Simulation CRS: Perfect hiding commitments

– Perfect trapdoor for exponents: g0hs = gyhs-y

Homomorphic properties

• Commitments are homomorphic– cicj = (xihri) (xjhrj) = xixjhri+ri

– didj = (gyihsi) (gyjhsj) = gyi+yjhsi+sj

• Pairing commitments– e(ci,cj) = e(xihri,xjhrj) = e(xi,xj) e(h,xi

rjxjrihrirj)

– e(ci,dj) = e(xihri,gyjhsj) = e(xiyj,g) e(h,xi

sjgyjrihrisj)

– e(di,dj) = e(gyihsi,gyjhsj) = e(g,g)yiyj e(h,gyjsi+yisjhrisj)

Quadratic equation in Zn

t =nX

i=1

biyi +nX

i=1

nX

j =1

°i j yiyj

e(g;g)¡ t ¢nY

i=1

e(g;di )bi ¢nY

i=1

nY

j =1

e(di ;dj )° i j

= e(g;g)¡ t ¢nY

i=1

[e(g;g)bi yi e(g;hbi si )]¢nY

i=1

nY

j =1

[e(g;g)° i j yi yj e(h;gyi sj +yj si hsi sj )° i j )]

= e(g;g)¡ t+

P n

i =1bi yi+

P n

i =1

P n

j =1° i j yi yj e(h;g

P n

i =1bi yi +

P n

i =1

P n

j =1° i j (yi sj +yj si )h

P n

i =1° i j si sj )

• NIWI proof:

• Verifying the NIWI proof:

• Perfect completeness• Perfect soundness modulo p when h has order q• Perfect witness-indistinguishability when h has order n

Quadratic equation in Zn

¼=gP n

i =1bi yi +

P n

i =1

P n

j =1° i j (yi sj +yj si )h

P n

i =1° i j si sj

e(g;g)¡ t ¢Q n

i=1e(g;di )bi ¢

Q ni=1

Q nj =1e(di ;dj )

° i j =e(h;¼)

Multi-exponentiation equation

tG =mY

i=1

xbii ¢nY

j =1

ayjj ¢mY

i=1

nY

j =1

x° i j yji

e(t¡ 1G ;g) ¢mY

i=1

e(ci ;g)bi ¢nY

j =1

e(aj ;dj ) ¢mY

i=1

nY

j =1

e(ci ;dj )° i j

= e(t¡ 1G ¢mY

i=1

xbii ¢nY

j =1

ayjj ¢mY

i=1

nY

j =1

x° i j yji ;g)

¢e(h;gP m

i =1bi r i+

P m

i =1

P n

j =1r i yj ¢h

P m

i =1

P n

j =1° i j r i sj ¢

nY

j =1

asjj ¢mY

i=1

nY

j =1

x° i j sji )

• NIWI proof:

• Verifying the NIWI proof:

• Perfect completeness• Perfect soundness in order p subgroup when h has order q• Perfect witness-indistinguishability when h has order n

Multiexponentiation equation

¼=gP m

i =1bi r i +

P m

i =1

P n

j =1r i yj ¢h

P m

i =1

P n

j =1° i j r i sj ¢

nY

j =1

asjj ¢mY

i=1

nY

j =1

x° i j sji

e(t¡ 1G ;g) ¢mY

i=1

e(ci ;g)bi ¢nY

j =1

e(aj ;dj ) ¢mY

i=1

nY

j =1

e(ci ;dj )° i j =e(h;¼)

Pairing product equation

tT =mY

i=1

e(xi ;ai ) ¢mY

i=1

mY

j =1

e(xi ;xj )° i j

t¡ 1T ¢mY

i=1

e(ci ;ai ) ¢mY

i=1

mY

j =1

e(ci ;cj )° i j

= t¡ 1T ¢mY

i=1

e(xi ;ai ) ¢mY

i=1

mY

j =1

e(xi ;xj )° i j ¢e(h;hP m

i =1

P m

j =1° i j r i r j ¢

mY

i=1

ar ii ¢mY

i=1

mY

j =1

x° i j r j +° j i r ji )

• NIWI proof:

• Verifying the NIWI proof:

• Perfect completeness• Perfect soundness in order p subgroup when h has order q• Perfect witness-indistinguishability when h has order n

Pairing product equation

¼=hP m

i =1

P m

j =1° i j r i r j ¢

mY

i=1

ar ii ¢mY

i=1

mY

j =1

x° i j r j +° j i r ji

t¡ 1T ¢mY

i=1

e(ci ;ai ) ¢mY

i=1

mY

j =1

e(ci ;cj )° i j = e(h;¼)

Full NIWI proof for a set of equations

• Commit to each variable in G

• Commit to each variable in Zn

• Make NIWI proof for each quadratic equation• Make NIWI proof for each multi-expo. equation• Make NIWI proof for each pairing product equation

• Commitments and proofs each cost 1 group element

Properties of the NIWI proof

• Two types of common reference string– Real CRS: h has order q– Simulation CRS: h has order n– Real and simulation strings computationally indistinguishable

• Perfect completeness on both types of strings• Perfect soundness in order p subgroups on real CRS

– Commitments perfectly binding and equation proofs perfectly sound

• Perfect witness-indistinguishability on simulation CRS– Commitments perfectly hiding so can contain any valid witness– The equation proofs are perfectly witness-indistinguishable, so do

not reveal anything about which witness is inside commitments

NIZK proofs

• Is our NIWI proof zero-knowledge?• Problem: The simulator may not know a witness

• Answer:If all pairing product equations have tT=1, then the proof is perfect zero-knowledge on a simulation CRS where h has order n

Simulation common reference string

• The simulated CRS is set up so g = h

• The simulation trapdoor is • We can now make perfectly hiding trapdoor

commitmentsc = gyhs = g0hs+y

• A particular case isg = g1h0 = g0h

Quadratic equations in Zn

• We verify

• Interpret g as a commitment to 1• The verification now corresponds to the equation

• On a real CRS, h has order q, so commitments are perfectly binding and we have soundness modulo p

• On a simulation CRS, we can commit to 0 for all exponents and trapdoor-open the commitment g to 0. This gives a satisfying witness for the equation, so we can simulate the proof.

0= ¡ t ¢1+nX

i=1

biyi +nX

i=1

nX

j =1

°i j yiyj

e(g;g)¡ t ¢Q n

i=1e(g;di )bi ¢

Q ni=1

Q nj =1e(di ;dj )

° i j =e(h;¼)

Multi-exponentiation equations

• We verify

• Interpret g as a commitment to 1• The verification now corresponds to the equation

• On a real CRS, h has order q, so commitments are perfectly binding in the order p subgroup and we have soundness in the order p subgroup

• On a simulation CRS, we commit to xi=1 and y_i=0 and trapdoor open the commitment g to 0. This gives us a satisfying witness so we can simulate the proof.

e(t¡ 1G ;g) ¢mY

i=1

e(ci ;g)bi ¢nY

j =1

e(aj ;dj ) ¢mY

i=1

nY

j =1

e(ci ;dj )° i j =e(h;¼)

1= (t¡ 1G )1mY

i=1

xbii ¢nY

j =1

ayjj ¢mY

i=1

nY

j =1

x° i j yji

Pairing product equations

• We restrict to pairing product equations with tT=1

• This means (x1=1,...,xm=1) is a satisfying witness

Perfect zero-knowledge

• For all three types of equations, we use witness xi=1 and yj=0, so the three types of simulation fit together

• The perfect witness-indistinguishability of the NIWI proof implies perfect zero-knowledge; the real witness cannot be distinguished from the witness we get when trapdoor opening g to 0

Generalizing to other bilinear groups

• G1, G2, GT finite cyclic groups of order n

• g1 generates G1, g2 generates G2

• e: G1 G2 → GT

– e(g1,g2) generates GT

– e(g1a,g2

b) = e(g1,g2)ab

• Deciding membership, group operations, bilinear map efficiently computable

Prime order or composite order

G1 = G2 or G1 ≠ G2

Many possible assumptions: Subgroup Decision, Symmetric External Diffie-Hellman, Decison Linear, ...

Size of NIWI and NIZK proofs

Cost of each variable/equation

Subgroup Decision

Symmetric External DH

Decision Linear

Variable in G1, G2 or Zn

1 2 3

Pairing product(NIZK all tT = 1)

1 8 9

Multiscalar mult. 1 6 9

Quadratic in Zn 1 4 6

Each equation constant cost. Cost independent of number of public constants and secret variables. NIWI proofs can have sub-linear size compared statement!

Bilinear groups as bilinear modules

• View bilinear groups as special cases of modules with a bilinear map

• Commutative ring R• R-modules A1, A2, AT

• Bilinear map f: A1 A2 → AT

• Map to another set of R-modules B1, B2, BT

• Bilinear map F: B1 B2 → BT

Bilinear groups as bilinear modules

• Make commitments to xiA1, yiA2 in B1, B2, BT

• Homomorphic properties carry over to B1, B2, BT

A1 £ A2 ! AT

f¶1 #" p1 ¶2 #" p2 ¶T #" pT

B1 £ B2 ! BT

F

Example: Multi-exponentiation equations

G £ Zn ! G# # exp #

¶1(xi ) = xi ¶2(yi ) = gyi ¶T (tG ) = e(tG ;g)# # #G £ G ! GT

e

Generality continued

• All four types of bilinear group equations can be seen as example of quadratic equations over modules with bilinear map

• The assumptions Subgroup Decision, Symmetric External Diffie-Hellman, Decision Linear, etc., can be interpreted as assumptions in modules with bilinear map as well

Summary

• Practical:– Efficient NIWI and NIZK proofs for practical statements

arising in pairing-based cryptography

• Theoretical:– Perfect zero-knowledge– Witness-indistinguishability in the plain model

• Upcoming: – Quasi-linear size NIZK proofs without pairings– NIZK arguments with smaller size than circuit

Context

Trapdoor permutations: |C| polylog |C| k + poly(k)

Naccache-Stern: |C| polylog |C| + poly(k)

Bilinear groups: |C| k

Fully homomorphic crypto: |w| poly(k)

Bilinear groups + KEA: |C|2/3 k

Random oracle model: polylog |C| k

Open problems

• Even more efficient NIZK proofs• Efficient post-quantum NIZK proofs• NIZK proofs from one-way functions• Non-interactive witness-hiding proofs in plain model• Construct cryptographically useful modules with

bilinear map that are not based on bilinear groups• Continuous NIZK arguments

References

• Chapman et al.: Life of Brian. BBC 1979.• Groth, Sahai: Efficient Non-interactive Proofs for Bilinear

Groups. EUROCRYPT 2008.• Groth, Sahai, Ostrovsky: New Techniques for Non-

interactive Zero-Knowledge. EWSCS 2010.• Lipmaa: Collected works. Springer 1998 -• Rhinehart: The Dice Man. HarperCollins 1971.• Tolkien: Lord of the Rings. Allen and Unwin 1954-1955.• Zhang: Fuzzy Private Matching and Privacy Preserving

Information Retrieval. UCL MSc thesis 2008.

Thanks

?

Any (more) questions?