17532
>> Melissa Chase: So today we're very happy to have Jens Groth visiting us from the
University College London. Jens is an expert in zero-knowledge proofs. Also done work on ring signatures and group signatures and electronic voting. And today he's going to tell us about pairing-based noninteractive zero-knowledge proofs.
>> Jens Groth: Thank you. So I'll talk a lot about pairing-based noninteractive zero-knowledge proofs. And then I'll get to what that kind of thing is. So in this talk I'm trying to give you a bit of background and tell you what is the noninteractive zero-knowledge proof and have three topics I want to focus on. One is using pairing-based cryptography to construct noninteractive zero-knowledge proofs, which is a new technology for constructing noninteractive zero-knowledge proofs and talk about how to get perfect zero-knowledge, perfect everlasting privacy. And finally I'll focus on efficiency of noninteractive zero-knowledge proofs, how to make them efficient not to be used in practice.
Okay. So a bit of a history, back in '85 Goldwasser, Micali and Racoff came up with the idea of interactive zero-knowledge proofs. And the paper was rejected a couple of times. Then later on they won the Godel award for it. So an interactive proof is under the following form: So we have two parties. We'll call them the prover and verifier.
Obviously in real life there will be some computers or something like that talking over the
Internet. They have some type of statement. The statement could be a mathematical theorem, or it could be a statement of identity that the prover wants to convince the verifier that she's indeed her, could be she wants to convince the verifier that she's following a protocol, could be all kinds of things, statement.
And proof goes like this: They have some runs of interaction where they sent messages back and forth. And in the end verifier says, okay, the statement is indeed true. Okay.
Now, more general think of the statement being of the form that X belongs to some language. So this is language NP and the prover has a witness that the statement is true.
Okay. And they interact. And then in the end verifier says, yes, X belongs to the language. Okay. So we'll focus on zero-knowledge and witness indistinguishability as a security proposition we want here. And zero-knowledge is basically that the verifier learns that the statement is true, but doesn't learn anything else.
So, in particular, the verifier does not learn what the witness is. And you could think of a weaker type of security which is called witness indistinguishability. This is something that's relevant when the statement may have many different witnesses that testify to the truth. And witness indistinguishability says when there are many witnesses, the verifier will not learn which witness it was that the prover had in mind.
>>: [inaudible].
>> Jens Groth: So zero-knowledge says you don't learn anything at all. Witness indistinguishability just says you can't distinguish between when there are many witnesses. But suppose for instance there's a statement where there's only one witness,

and in that case it would be fine to just send the witness in the clear and you would still get witness indistinguishability, because you can't distinguish between one witness and one witness, right?
>>: Both weaknesses -- [inaudible].
>> Jens Groth: Exactly. Right. Zero-knowledge you don't learn anything. You don't learn anything about the witness, just learn that the statement is true.
Okay. And let me give some motivation for why we are interested in this thing. So suppose we have these two parties and we want to compute a function of some sort.
Could be an online bank and they want to compute whether she really is a customer or not. Could be any kind of protocol.
So they both have an input. They go through this protocol for computing the function and get out an output. Now at some point the verifier says, okay, but, hey, I don't trust you. How do I know that you followed the protocol?
And she says: Yes, I followed the protocol but I don't want to show you my inputs. That, of course, would be one way to convince the verifier that you followed protocol. Just reveal the input spot. That might be bank statements and health data and so forth. She doesn't want to leave all that. The solution here is to give zero-knowledge proof. It's really kind of a general tool you can use in lots and lots of security applications, whenever you want to verify something and at the same time have some level of privacy, then zero-knowledge proofs is the tool to use.
>>: [inaudible] the witness [inaudible] witnesses?
>> Jens Groth: Right.
>>: [inaudible].
>> Jens Groth: It really depends on the kind of application, whether you can use witness indistinguishability or not. So, again, in case that there were many different ways, many different inputs you could have to the function, for instance, that would give the same output, then witness indistinguishability would give you that -- it would not be possible to distinguish which one of them it was that she used, right? But it would not in general give you security -- if there's only one experience that would give this output, then witness indistinguishability might not protect that exit, might not keep it private. Where zero-knowledge proof would keep it private.
So verifier is happy. Followed the protocol. And she's happy because she didn't reveal anything. Okay. So let's continue with the history. Okay. So they introduce interactive zero-knowledge proofs. But there's lots of interactions that are noninteractive in nature.
Whenever you just compute something locally and attach it to an e-mail, that's basically, that has no interaction, you just compute everything locally and then you send it off and you go to sleep and hopefully some later point in time the other recipient will pick it up.
Okay. So there's no interaction. Examples in cryptography would be the digital signatures encryption, so forth. And in those cases it's nice to have zero-knowledge

proofs as well. So Bloomfeldman and Micali introduced noninteractive zero-knowledge proofs. It came shortly after zero-knowledge proofs were introduced.
So it's more or less the same, right? You have a statement. The prover has a witness.
Okay. But now it's just one message to the proof; there's no interaction here. So this is the kind of thing you could attach to whatever digital signature in cypher text of whatever you would want to send by e-mail or some other noninteractive way. And again we have the proposition of zero-knowledge that the verifier learns nothing but the truth of the statement and we could have the weaker witness indistinguishable that the verifier does not learn which witness the prover had in mind.
>>: [inaudible].
>> Jens Groth: That is a very good point. Yeah. And yes. So actually, yeah, the verifier doesn't learn anything about the witness itself. It does learn a proof. And actually there's a whole body of theory involved with what can you do with that proof in particular there's a question of nonmalability that you might take that proof and modify it into something else a proof of something else and then you don't actually know anything about that something else but you know a proof of that something else. So there's a lot of complications you can go down in that. It's a very good point.
Okay. So there's one thing I would like to point out here that interactive proofs you can do without having any kind of setup in the beginning. If you want to do noninteractive zero-knowledge proofs you need a common reference or some other type of set-up. I'll focus on common reference string. We're assuming here there's an honestly generated string of bits that's available to both the prover and verifier that they trust.
>>: Constructed for this specific verifier or a verifier that verified it?
>> Jens Groth: Any verify could verify this proof. So that's also a good point. So noninteractive zero-knowledge proofs have an advantage compared to interactive zero-knowledge proofs. You can copy it and send it around, distribute, maybe there's many people that want to verify a particular statement. That's something you can't do with interactive proofs because how do you know that the verifier's message has been verified correctly?
>>: Are those examples complicated to give an idea how it's done?
>> Jens Groth: Okay. So you're saying okay is a simple example of a zero-knowledge proof.
>>: Noninteractive.
>> Jens Groth: Noninteractive. So there's one example which at least gives you some of the flavor. So this is Andy Neff, who did some work on voting, at least that's the way I saw the example. The example is you have a deck of cards, okay, and now you pick a random card from that deck say it's, I don't know, maybe the queen of spades. Now you say, "Hey, look I got a queen." And you're sitting with this secret card and saying this is a queen. So that's the statement. Now, I don't know whether that's true or not. I want confirmation whether it's a queen or not. You could of course show me the card but

you're giving me more information and you're showing it's not only a queen but it's a queen of spades. So you don't want to do that.
And the way you could instead of get proof is basically you could take all the non-queen cards, right. So you take 48 cards that are not queens. You review those. I can see there's only 40 cards left and all the other ones that are not queens have been real so it has to be a queen you're sitting with, but I don't know which one it is.
>>: I'm sorry, I don't follow. How do you know that he has a queen of spades?
>> Jens Groth: I don't know that he has a queen of spades. His statement is just I have a queen.
>>: His statement.
>> Jens Groth: The problem is how do you show that without revealing it's the queen of spades.
>>: [inaudible] has a point.
>> Jens Groth: I don't know how far that knowledge goes in that way.
>>: Assuming there's only one deck in the works, right?
>> Jens Groth: Yeah. So let's look a little at what are the ingredients of a noninteractive zero-knowledge proof. So there are basically three polynomial time algorithms. One which is used to generate the reference string. And then there's a proving algorithm that takes its input, the common reference string, the statement and a witness. And outputs a proof. And then there's a verification algorithm that takes input to common reference string the statement and the proof and outputs 1 of 0 depending whether it's accepting or rejecting.
And protocol works like this. So generate a common reference string. Get some statement, some witness to the prover. Prover generates a proof and the verifier runs the verification protocol. And we say that this protocol has completeness property, perfect completeness, if in this case where they're both honest, then the verifier will accept. So that's kind of one thing we want, to the protocol, if they're both honest then indeed the prover can convince the verifier. That's even the case if it's an adversary that generates a statement and the witness. So even for the worst case statement, worst case witness we want the protocol to go through and be able to convince the verifier.
Now let's think about what is the security that the verifier gets from this protocol? So generate common reference string honestly. Now the adversary is trying to come up with some statement that is false and a proof for it.
And the verifier runs the verification protocol and we want to in this case we would like the verifier to reject. It should not accept any proofs for false statements. And we say we have perfect soundness when it actually does reject whenever it's a false statement.
So this says that you can't find a proof for false statement.

Okay. Witness indistinguishability is defined as follows. We generate the common reference string. Now we have a statement and we have two possible witnesses. And now the prover picks given a random one of those witnesses and the adversary tries to guess which witness was it that the prover used. And we say that we have witness indistinguishability when the adversary cannot guess whether it was the first witness or the second witness that was used in the proof.
Now, notice here that I'm talking about computational witness indistinguishability. The problem is you can't have all of the good things in the world, you can't have both perfect soundness and perfect witness indistinguishability at the same time. So we have to settle for getting witness indistinguishability against computationally bounded adversaries. So you can't -- it's infeasible to guess whether it's one witness or the other.
>>: Why is it adversary? 0 is [inaudible].
>> Jens Groth: That's a good point. So actually, yes, so you could actually imagine that you could have perfect witness indistinguishability and perfect soundness at the same time. Yes.
>>: How do you get perfect soundness, it's [inaudible] because you need a common random reference string. If you gamble on the reference, all zeros, it's not only random, it's the probability that you can get through.
>> Jens Groth: That's a really good point. So notice here I'm talking about a common reference string. Not a random string. And actually in the construction I'm going to talk about here it will not be completely random. It will have a particular distribution. So that's why you get perfect soundness. Because otherwise it's true, yeah, you could kind of guess something for where you could simulate and then you could cheat.
>>: The current you have both perfect soundness and perfect witness indistinguishability.
>> Jens Groth: No, what I'll get is perfect soundness --
>>: [inaudible].
>> Jens Groth: Ah, okay. Yeah. I suppose so, yeah. Yeah. Let's move on to the stronger notion of zero-knowledge. Here we compared two gains. One is a gain where we just carry out a real proof. Right? We generate common reference string. Prover gets a witness and the prover creates a proof using that witness.
Then we'll compare that with a game where we generate the common reference string in a different way using a simulator. Adversary comes up with the worst case scenario of statement and witness. And now the simulator simulates a proof using some trap door related to the common reference string. So the point here -- and the adversary is trying to distinguish whether it's in talking to a real prover or whether it's talking to the simulator. And we say that we have zero-knowledge if the adversary cannot guess whether it's talking to a real prover or simulator, simulator. So the point is why does this capture the notion of zero-knowledge, because the simulator doesn't use a witness at all,

right? So hence this simulator has no knowledge of what the witness is and cannot convey any such knowledge in its simulated proofs.
Okay. So that's it for definitions of noninteractive zero-knowledge. So there's been a lot of research in noninteractive zero-knowledge attempts both to generalize what kind of assumptions, cryptography assumptions do we need to construct zero-knowledge. You can do that from just trap door permutations and attempts to try to improve the efficiency, attempts to shorten the size of the common reference string, lots of other things that people have looked at.
The problem with all of these schemes back then were that they were very inefficient.
We're talking about many, many, many gigabytes to have sent noninteractive zero-knowledge proof even for a very simple statement.
What people did instead was they tried out some alternatives. So one alternative would be to take an interactive zero-knowledge proof which we know how to make quite efficient and use a cryptography hash function to compute the verifier's message to the prover. If you use the cryptography function to that the prover can compute everything itself.
And then there have been some examples that there are actually some of these schemes that if you use a cryptography hash function to compute the verifier's messages, then they actually turn out to be insecure no matter which kind of cryptography hash function you use. And it's kind of -- it's an open question whether this way of getting noninteractive zero-knowledge using cryptography hash function is secure or not for natural protocols.
Another thing people have done is using designated verifier proofs. So that's kind of the type of proofs where you cannot transfer it and copy it around and send it around. But it only works for one particular verifier. And I think for most applications of noninteractive zero-knowledge you need that public verifiability. It's not good enough to convince just one particular designated verifier.
>>: What about convincing verifier, how indeed you know verifier effects?
>> Jens Groth: So the way these work is, for instance, that the verifier has a registered public key, has registered particular cypher text, encrypting a challenge or something like that. And then the prover can do something, create a proof that basically uses that cypher text. So it's that the verifier can decrypt and check the proof but nobody else knows the decryption key for that proof and therefore they can't actually check it.
>>: Sounds like zero-knowledge with a minimal interaction.
>> Jens Groth: Yeah, you could say so. Yeah.
So these are some of the results I've had together with Rafail Ostrovsky and Amit Sahai.
And one thing is to give efficient noninteractive zero-knowledge proofs. Something that doesn't require gigabytes to transmit.

Another result we have is to get perfect zero-knowledge instead of just having computation of zero-knowledge. So this is nice because it gives you everlasting privacy.
It actually remains zero-knowledge no matter how far into the future and what kind of computation advantages there might be, quantum computers and so forth we can imagine.
So it's nice to have zero-knowledge that is not based on any cryptography assumption.
We've tried to eliminate the use of the common reference strings and it turns out you can't get zero-knowledge in that setting but you can actually get noninteractive witness indistinguishable proofs without any setup.
We worked on getting universal composability, so this means that not only is it noninteractive zero-knowledge in stand alone setting but it's actually noninteractive zero-knowledge even when you plug it in with any other types of protocols that are running concurrently.
And while some very recent work, even more efficient noninteractive zero-knowledge proofs.
Okay. So back to the talk. So the first thing I'm going to talk about now is how to use paring-based cryptography to get noninteractive zero-knowledge proofs. And I'm going to talk about a result which gives a noninteractive zero-knowledge proof for circuit satisfiability, which is NP complete. And we'll have perfect completeness, perfect soundness and computation zero-knowledge. The common reference string will be quite short. So K is a security parameter. So you can imagine this is something of the order of less than a kilo byte. And the proof size will grow linearly in a security parameter and the number of gates in the circuit.
And to do that we'll need a composite order bilinear group. So we have a generator that can generate a couple of finite cyclic groups of composite order. And you can think of N as being an RSA module here, product of two primes.
We have a G which is a generator for the group, and then we have what is called a paring, bilinear map. If you apply that bilinear map with G itself you get a generator for the target group. GT. The bilinear property is if you take two group elements here, then you get EGG raised to the product of A and B.
And I'm going to assume that the various group operations and computing the bilinear map and so forth that's something you can do efficiently on the computer. And I'm going to make a computational assumption here, which is that if we have an element H, then it's hard to decide whether H has order Q. So basically just generates a subgroup of G or whether it has full order and generates all of G.
I'm also going to need a commitment scheme by Boneh-Goh Nission. The scheme is as follows. The public key is G and H where H has order Q and G has order N. And to commit to element A, we compute G to A and H the to R where R is picked at random.
And this is perfectly binding because H has order Q. So that just cycles around in the order Q subgroup, right? And then since G is a generator for the entire group this uniquely determines A module P.

And it's also computationally hiding. That comes from the subgroup decision assumptions that we made that it's indistinguishable whether H has order Q or it has order N. Now if H had order N then this would be just a completely random element.
>>: Raise H and Q it's not that expensive order Q. If it's something else it's order N. So where is the --
>> Jens Groth: Right. So.
>>: How can you [indiscernible].
>> Jens Groth: So you're saying -- okay. So suppose we have H. So I mean the assumption is that it's hard to tell whether H has order Q or it has order N. The point is you don't know Q, right? You just know the product of P and Q.
Now, let's take two commitments, multiply them together in this group here, right? This is G to the H to the R and G to the B, H to the S. And the product of those two would give us G to the A plus B and H to the R plus S. And so this is an added homomorphic property. Multiply two commitments you get a commitment to the sum of the messages.
And now let's see what happens if we take the paring of these two commitments. Well, we do some computations, and what we find out is that we get the paring of GG raised to AB. And then we have a paring of H with something else.
Another point is this thing here is a generator for the group. And this one, since H has order Q, the paring here also has order Q. So in other words this thing here you need to terms A times B modular P. And this is kind of a key point in the construction I'll present because it means that we can have committed values and we can do both additions and multiplications on those committed values.
So the intuition is something you could think of in arithmetic circuits if you can do both additions and multiplications then you can prove better circuit is satisfiable. And this also shows, I mean, this is why pairings are so useful here.
I mean, it's been known for a long time how to construct homomorphic commitments with additive property but if you use paring-based cryptography then you can get both addition and the multiplication.
Okay. So the proof itself is quite simple. So let's look at an example of a circuit and without loss of generalities all constructed from NAND gates. So we have these wires.
Input wires and intermediate wire. And the construction works as follows.
First the prover commits to all these values for their wires, for the satisfying assignment.
And the commitment to the output, that's just a trivial commitment to one. So that's easy to check for verifier that the output is one.
Now, the prover will have a proof that the commitment contains true or false values here.
0 ones and then the prover will prove that these commitments here respect the NAND gate. So that's the strategy.

Okay. So let's prove that commitment contains 01. So we have some commitment the verifier just sees a commitment and knows there's some unique A modular P. H has order Q.
And if we take the paring of the commitment and commit with divided by G, then we do some computations and we see that we get A times A minus one where A is the contender of the commitment. The point here is that if we have a 0 or 1 value, then this will be 0, and we'll have something that has order Q. If it's anything that's not 0 or 1, then we'll have something here which has order different from Q.
So the proof that the prover will send will just be this value here that you have to pair with the H, and now the verifier can simply check that, take this paring does indeed give the paring of H with the prover or not.
And if that is the case, then can deduce that this means that A is 0 or 1 module P. So this is the proof that a commitment contains 0 or 1. Okay. So now I'll move on to the proof that a NAND is satisfied and I'll just make an observation here.
>>: [indiscernible] how do you show that [indiscernible], does it reveal the proof? Does it tell you anything about the --
>> Jens Groth: Okay. So revealing this proof doesn't tell you anything about whether it's a 0 or 1. Which you can actually see. So this proof here is going to be witness indistinguishable. And I guess I'll wait a little before getting into why that is the case. So for now let's just focus on getting the soundness right.
Okay. So just by inspection on this table here, you get that B2 is the NAND of B0 and
B1, and if this simple linear equation is satisfied.
And now let's look at these commitments here where we wish to prove that the last one contains the NAND of the first two committed bits. Okay. And if we compute this product here, then using the homomorphic properties, we get exactly this type of sum of the committed values, right?
And now we just need to prove that this contains 01 and then we know that the last value is the NAND of the 2 first values. And this is something that we already know how to do, how to prove that something is 01 we just reduced it to the previous proof. So now we are done. This is the construction. So commit to the wires. Make sure that the output commitment is trivial so it's easy to check that it's a one. Get proofs that each of the wires is 01. Get proof that each of the NAND gates are respected by the committed values.
And the complexity of this proof, while the common reference string is very short because you basically just have to describe these bilinear group and how to make the commitment. And the proof size, well, you need to make commitments for each of the values in the wires, need to give a proof for each of the wires. So that's two times the wires. And then you need to give a proof for each of the gates. So you get the number of gates. So that's basically two times the number of wires plus the number of gates is the number of group elements in the proof.

Okay. Now let me briefly argue why this is zero-knowledge. The point is that it's hard to distinguish whether H has order Q or has order N. And what we do to get zero-knowledge, the simulator choose H instead of such has order N. And now since it has order N, it means that the commitments are perfectly hiding. So if we have commitment to 0, it might as well be a commitment to 1. We don't know. And actually the simulator can construct these commitments such that it can open them to any value that it wants to.
So a simulated proof works like this. Just commit to all zeros. Run the protocol from before to prove that the committed values are 0 or ones. Works just as when H has order Q. And then simulate these proofs here simply just by opening the output to the
NAND and then running the protocol from before.
And that's it. That's how you simulate proofs for this noninteractive zero-knowledge proof.
So to summarize we have a noninteractive zero-knowledge proof now for circuit satisfiability where we commit to all the gates. Proof that they contain 0 ones and give a proof for each of the NAND gates and quite sure, has perfect completeness, perfect soundness, composable zero-knowledge. Composable zero-knowledge it's a stronger version of zero-knowledge that it also has. And while it's also proof of knowledge, you could actually, if you see a proof and you have some decryption key you might even compute what the witness is that the prover had in mind.
So it has lots of nice properties. And it's fairly short. I think this is something like a factor of a thousand faster than the previous work or something like that. Common reference string, I don't know, may be a factor of one million shorter than the previous work.
Okay. So I'm not going to talk about perfect zero-knowledge. This just gave us computation zero-knowledge. And that's actually a really simple construction. Takes three slides or something like that. So first, again, let's return to a little bit of history of zero-knowledge proofs.
What did we know for NP? Well, very quickly discovered that for interactive proofs you can get computational zero-knowledge. And it was also in the same year, in '86, figured out how to get interactive proof with perfect zero-knowledge. For noninteractive proofs, came pretty fast, and that would give you computational zero-knowledge. And then there was the last one, perfect zero-knowledge which was open for many, many years.
And I'll give you how to resolve that problem and get perfect zero-knowledge.
>>: Question, everlasting privacy, so you mentioned [indiscernible].
>> Jens Groth: Right.
>>: But now there are many negative results, many things that cannot be computed.
>> Jens Groth: Right.
>>: Maybe there was nothing to be afraid of.

>> Jens Groth: Yeah, that's a good point. So for these particular constructions, quantum computers would actually be bad, because they're basically relying on cyclic groups, right, and computing discrete logarithms. That's something that you can do with quantum computers. If you look at the construction I gave before, that would be something that a quantum computer could break and learn the witness.
Now, in general, the general constructions of noninteractive zero-knowledge I don't see readily some kind of quantum attack on those, and it's possible that you could implement them in such a way that quantum computer cannot break them.
>>: If you take everlasting seriously, then forever [inaudible].
>> Jens Groth: Yeah, sure. But I mean I really do take everlasting seriously here. This is not based on a computational assumption. It really gives you zero-knowledge.
>>: Maybe discuss these, even if quantum, it's built, discrete logs, there are some schemes which are still going to offer you privacy better commitment scheme. So the fact that you can calculate [indiscernible] likely to find which one of them is found by the particular user?
>> Jens Groth: Exactly. That's what's coming up now. The trick is really, really simple, right? Instead of using H with order Q, why not use a common reference string where H has order N, right?
And then you get perfect completeness and you get complete perfect zero-knowledge because now we're in the simulation case and the commitments are perfectly hiding.
And as Ady says we can't compute anything even we build these quantum computers far into the future.
What it gives you then is a trade-off, you get computation soundness. And I put a star here because I'm sweeping a few things under the rug. But you can think of it as getting computation in soundness.
And I think actually for practical purposes the cases where this is a good trade-off. I mean you have to trade do you want perfect soundness and zero-knowledge or do you want perfect zero-knowledge and computational soundness. And I think in many applications when you send proofs that's something that will be verified here and now within the next couple of days, weeks, something like that. So there you only need a cryptography assumption that holds for a short time. Whereas you could imagine that well an adversary stores those and later on when quantum computers come around then tries to extract some information from the zero-knowledge proof. And it's nice to have perfect zero-knowledge that goes way into the future.
>>: [indiscernible].
>> Jens Groth: You have examples of things where you want to protect data long time into the future. Census data and things --
>>: What's the difference composable and relational?

>> Jens Groth: Okay. Composable zero-knowledge is a stronger form of zero-knowledge. It says that basically you have, you cannot distinguish a simulated common reference string from a real common reference string. That's computational.
But once you have a simulated simulation common reference string, then there's perfect zero-knowledge on that one. Whereas the standard definition of zero-knowledge basically says you can't distinguish between real reference string, real proof and a simulated reference string and simulated proof. So it turns out that it has some, the design of cryptography protocol it has some advantages. It's simply conceptually simple that you only have to do computational indistinguishability at one point, when you shift common reference string.
Okay. Basically it works as before. Right? We used common reference string, commit to all the wires. Now it's a perfectly hiding commitment. Prove that each commitment contains 01. And prove each NAND gate contains 01 and the total size is very small and efficient proof.
>>: You really use proving that it contains 01, you use one of them as --
>> Jens Groth: Yeah. And here it's -- yeah, it's a weaker proof in the sense it's computational proof. Gives you perfect completeness, contains perfect zero-knowledge.
So that's it. So I'll now talk about efficiency, and you might say why must I talk about efficiency now, because I already gave you an efficient noninteractive zero-knowledge proof. And the reason is that there's really a question of what kind of languages is it that you're looking at. What I gave you was efficient noninteractive zero-knowledge proof for circuit satisfiability. But in real life when you're designing cryptographic protocols, you don't really want to use circuit satisfiability. You want to prove things very concretely about the cryptography that you're using, right? So you want to say, hey, we have a cypher text. It contains a signature on the message. You could go through it NP reduction and create a circuit that corresponds to that. But that would give you a blowup in the size of the circuit you have to prove and make it inefficient.
So what you really want is something that's more direct and goes directly to the kind of statements that you use in cryptography. Okay. So we want high efficiency. Something that's practical. And we want to give noninteractive proof for statements that come around in practice when you're designing cryptography protocols.
Okay. So let me again continue the construction. Okay. So we had attempts to create proofs for circuit satisfiability and they were quite efficient. One of the best was Kilian and [indiscernible] from '98, which was still very inefficient not for use in practical scenarios. Then we came about and gave an efficient construction for circuit satisfiability based on pairings. Then looking at these practical statements, I came up with a scheme in 2006, which did give you noninteractive proof for practical statements.
Unfortunately, the constants were quite large, talking something like a factor of a million or something like that. So it's not really efficient for practical purposes.
And now I'll talk about some Groth higher proofs which can be used for practical purposes. And I think Tom has been working on implementing some of that stuff.

Okay. So the idea is that we want to look at bilinear groups that we constructed these proofs for and this is lots of cryptography going on using paring-based cryptography. So let's look at what kind of constructions would a cryptographic designer use in bilinear groups.
We can imagine constructions where you add or multiply exponents over some fields.
So let's say N. You can imagine doing exponentiations of group elements and you can imagine doing pairings of various group elements. And in those constructions, some of the values might be public and some of them might be secret.
So we have some cryptographic protocol. Now somebody is coming along and is interested, are those values actually correct? And that verify does not know some of the secret values. And the idea is for such constructions we want to be able to give short noninteractive zero-knowledge proof.
Okay. So more generally if you look at cryptographic constructions over bilinear groups, you can have public exponents and public group elements, secret elements, secret group elements and you can do additions and multiplications of exponents and multiplications in the group, you can do multiplications in the target group and you can use a bilinear map. Those are the operations available to the protocol designer.
And the goal is we want to give noninteractive proofs for correctness of these kind of bilinear group constructions.
>>: Question, you want the proof to say that construction was carried out according to the specification of the protocol.
>> Jens Groth: Right.
>>: Now, there is a problem of whether you're committed or not committed to the inputs, because maybe I'm given a particular set of XY and I'm proving to you that I followed the protocol exactly except that the proof involves X5 Y 5, which has nothing to do with my real variables. Does your proof include any reference to the issue of you having some commitment, a commitment to me and you want to check that I constructed it respect to those commitments?
>> Jens Groth: Right. You can go both ways. So I mean so the construction involves actually first committing to the values, then proving that those are the ones that have been used. Now taking your question just a little bit further, right, I mean you could still commit to some different values, right? So you could instead imagine saying on the side you have some committed values and now you want to prove that they satisfy something. And then you could, for that thing, you could also give a noninteractive zero-knowledge.
>>: [inaudible] now you want to prove to noninteractive, I know it's optimization, the factors are uniquely defined in terms of publicly --
>> Jens Groth: Right.

>>: But most constructions are constructions which start from some crazy numbers and end up in crazy numbers. There's no mathematical proof in there.
>> Jens Groth: Yeah.
>>: So then you have to be very careful in defining the semantics of what is being proven.
>> Jens Groth: Right. So all I will claim here is that I proved that the statement is true in the sense there exists some inputs to the protocol --
>>: [indiscernible] with respect to which [indiscernible].
>> Jens Groth: Yeah. Okay. So the statements you could want to prove is something like you have a cypher text and a signature and they've been constructed such that the signatures is a signature on the plain text or maybe you have some commitments and you want to prove that the last commitment contains a product of the first two commitments. Those are things that designers would want to prove.
And there are lots of applications of this. Constant size group signature. Sublinear size ring signatures and proof of shuffle and anonymous credentials and so forth.
I'm not going to give you the construction, but I want to give kind of the intuition of how can you do these kinds of more advanced statements. Let's as an example look at a very simple statement which says okay we have these X and Y such that a paring of those gives us this element, the target element.
And the idea in the construction is that first we will commit to the group element X and the group element Y. And it looks like the commitment we had before but now we're using group elements instead of taking G raised to something here. Right? These commitments, if H has order Q uniquely determine X in the order P subgroup and you need to determine why in the order P subgroup.
And then the proof would look something like this and to verify, well, we'll take the commitments here and pair them with one another, doing some computations you see that this actually gives us X, the paring for X and Y times the paring of H with something else, right?
And this is something that verifier can check whether it's target element and the paring of
H with the proof. Okay. And seen from the verifier's perspective, what does this show?
It shows that the paring of X and Y, which are uniquely determined module P in the order
P subgroup does actually give the target element in the order P subgroup and then we have something that messes up the order Q subgroup.
>>: Question [indiscernible] so you say all you want to prove that there exists X and Y.
>> Jens Groth: Right.
>>: But don't you want to prove a little more, not only that there exists X and Y but that you actually know what --

>> Jens Groth: Right.
>>: Because maybe even you don't know.
>> Jens Groth: Yeah, yeah. So this is a proof of knowledge. So actually I am proving this construction gives you more, it gives you proof that I know X and Y such that...and so forth. And I think most constructions of noninteractive zero-knowledge proofs are proofs of knowledge.
Now, more generally, what one can do is use this technique where you commit to variables in the groups, commit to variables in z N when you want to prove that you have made some construction. And then you can have various types of equations over these things. So you could have equations that just involve exponents and basically you can build that from quadratic equations over the exponents and you can give proofs for those and you can have constructions that involve exponentiations, so it involves both group elements and exponents, and you can give proofs for those. And then you can have statements that involve pairings of group elements and you can give proofs for those.
So more generally we would look at some kind of statement which contains a number of equations, quadratic equations of exponents, multi-exponentiations and paring products and now we can use this construction where we first commit to the verifier and do a proof for each equation, that those committed values satisfy those equations.
>>: Can you go back to the previous slide, you said something -- suppose that I don't know X and Y but somebody gives me just X times Y or something like this. And now I can read by choosing [indiscernible] so couldn't you run the protocol? I just think about it. But it will not prove that I know X separately and Y separately, but I could be given some combination of X and Y. I could commit in a particular way that will enable me to
[inaudible] using just X times Y that I know. But I have no idea how to separate X separately or Y separately. So I have to choose S and R equals tau. I think this prevents me from running the protocol from the knowledge of X times Y.
>> Jens Groth: First of all, that's kind of a definitional issue what does it mean that you know something. And the definition here that I would use here is that, okay, you can associate with a common reference string some kind of extraction key that allows you to extract a witness. And in this case here that extraction key would be the order of the factors P and Q. So if you have P and Q, you can basically raise this to Q and you can kill off the H element because it has order Q. And you're left with the X raised to Q and then raised to module P and you can get out the X in order subgroup and Y you can get that out. You can't actually extract X and Y from the proof.
>>: What prevents me from running the whole calculation from X times Y if I is the prover choose S equals R, how do you? [indiscernible].
>> Jens Groth: I mean --
>>: The question is whether I give you the commitment or the commitment will be calculated by someone other than the prover who chose uniquely --

>> Jens Groth: Good.
>>: Prove to you my knowledge of X and Y. Commits to a version of X and commits to a version of Y.
>> Jens Groth: I think Melissa could answer that question because she was involved in a very nice paper to crypto about rerandomizable proofs. So you can actually -- so the construction I'm proposing here this is the part of the proof that you send those commitments. It's part of the proof. So the prover creates those.
>>: But people are choosing [inaudible].
>> Jens Groth: Yeah, you could do that.
>>: [indiscernible].
>> Jens Groth: I mean, the only problem with you choosing R equals S is that you would -- if I know that you're doing that then you would actually be leaking things in the proof. But otherwise it's fine, you could do that if you're the prover.
But so what they constructed was actually showing that okay suppose you're given a proof that contains, I mean that satisfy these equations and so forth, then you can actually rerandomize that proof and do various homomorphic operations on those proofs and there you could say the one that does that rerandomization and so forth. Doesn't really know the X and Y. That's secret stuff. And that has some nice applications as well.
>>: There's also [indiscernible] if you say it's extraction [indiscernible] window, there is a way to extract a bit using which the protocol was executed that the prover could just erase the bit and doesn't capture the knowledge [indiscernible] but you are still extracting it. So that level of extracting says it is expected.
>> Jens Groth: Okay. So this gets us basically noninteractive witness indistinguishable for practical statements. Now, more generally I'm talking about composite order bilinear groups but there's nothing that says that it has to be composite order. So more general we could think of finite cyclic groups where it could be prime or it could be composite order with any number of prime factors. We could have the groups here that could be identical, they could be different.
And we can use a lot of different assumptions to construct these proofs. It doesn't have to be this distinguishable where H has order Q order N, it could be other types of assumptions as well.
So in this slide here shows the exact complexity of the size of the proof that you're going to get. So in the example I gave was a subgroup decision assumption and composite order groups. Basically each variable will cost one group element. And then for each equation that you have, whether it's exponents or exponentiation or pairings will cost one group element each. So simply using this table you can compute exactly how much, what will the size of the noninteractive zero-knowledge proof will be. If you use the other assumptions, you're getting some different numbers. It will be different size of the proof.

But still I mean these are small numbers, right? Something that's very reasonable. And these assumptions you can use with prime order groups, you can choose some smaller primes. If you use primer order groups you need to have a large composite. It has to be
1,000, 1500, or 2,000 bits, something like that, where the primes could be smaller. Even though the numbers here are larger they might in practice might be more efficient than this one.
Okay. In some cases we actually even get sub linear sized groups. For instance, I had with Chandran and [indiscernible] and ring signature that used this kind of noninteractive zero-knowledge proof and there the noninteractive zero-knowledge proof was actually smaller than the statement.
So final remarks, quick summary: I've given you some efficient noninteractive zero-knowledge proofs, statements in bilinear groups and in very general use and the second main point is it's possible to have perfect zero-knowledge. And that's it. Thank you.
[applause]
>> Melissa Chase: Any questions?
>>: Bilinear group does not compute linear group. [chuckling].
>> Jens Groth: Yeah.
>>: So actually when you do this proof you get commitments, you use everything?
>> Jens Groth: Uh-huh.
>>: See any way of using [inaudible] functions because they're a single property?
Except we don't know how to prove the commitment to 0.
>> Jens Groth: We looked a little at it and we didn't come up with anything. So not at least off the top of my head I don't see any way to use those. But we had an intuition that somehow the right things were there. But I don't know how to turn it into something useful.
>> Melissa Chase: Thank you.
[applause]