Short Pairing-based Non-interactive Zero-Knowledge Arguments
Jens Groth, University College London

Motivation
Voter: Attaching encrypted vote to this e-mail.
Official: We can only accept correctly formatted votes.

Non-interactive zero-knowledge proof
Voter: Attaching encrypted vote to this e-mail + NIZK argument that it is correctly formatted.
Official: OK, we will count your vote.
• Zero-knowledge (what the voter gets): the vote remains secret
• Soundness (what the official gets): the vote is correctly formatted

Non-interactive zero-knowledge argument
• Common reference string, available to both prover and verifier
• Statement: $x \in L$; the prover holds a witness $w$ with $(x, w) \in R_L$
• Proof: a single message $\pi$ from prover to verifier
• Zero-knowledge (guarantee for the prover): nothing but the truth of the statement is revealed
• Soundness (guarantee for the verifier): the statement is true

Applications of NIZK arguments
• Ring signatures
• Group signatures
• Anonymous credentials
• Verifiable encryption
• Voting
• ...

Our contribution
• Common reference string with a special distribution
• Statement: the circuit $C$ is satisfiable
• Very efficient verifier
• Sub-linear (even constant) size NIZK argument
• Not the Fiat-Shamir heuristic (no random oracle)
• Perfect completeness
• Computational soundness
• Perfect zero-knowledge
• Adaptive soundness: the adversary sees the CRS before attempting to cheat with a false $(C, \pi)$

Pairings
• $G$, $G_T$ groups of prime order $p$
• Bilinear map $e: G \times G \to G_T$
  – $e(a^x, b^y) = e(a, b)^{xy}$
  – $e(g, g)$ generates $G_T$ if $g$ is non-trivial
• Group operations, deciding group membership and computing the bilinear map are efficiently computable

Assumptions
• Power knowledge of exponent assumption (q-PKE): given $(g, g^x, \ldots, g^{x^q}, \hat g, \hat g^x, \ldots, \hat g^{x^q})$ it is hard to compute a pair $(c, \hat c)$ satisfying $e(c, \hat g) = e(\hat c, g)$ without knowing $a_0, \ldots, a_q$ such that $c = g^{a_0} (g^x)^{a_1} \cdots (g^{x^q})^{a_q}$
• Computational power Diffie-Hellman assumption (q-CPDH): for every $j \in \{0, \ldots, q\}$ it is hard to compute $\hat g^{x^j}$ given $(g, g^x, \ldots, g^{x^q}, \hat g, \hat g^x, \ldots, \hat g^{x^{j-1}}, \hat g^{x^{j+1}}, \ldots, \hat g^{x^q})$
• Both assumptions hold in the generic group model

Comparison ($N$: circuit size, i.e. number of gates; $k$: security parameter)

Scheme                       | CRS size         | Argument size    | Prover comp.     | Verifier comp. | Assumption                 | Soundness / ZK
Kilian-Petrank               | O(Nk) group      | O(Nk) group      | O(Nk) expo       | O(Nk) mult     | Trapdoor permutations      | Stat. sound, comp. ZK
GOS                          | O(1) group       | O(N) group       | O(N) expo        | O(N) pairing   | Subgroup decision          | Perfect sound, comp. ZK
Abe-Fehr                     | O(1) group       | O(N) group       | O(N) expo        | O(N) pairing   | Dlog & knowledge of expo.  | Comp. sound, perfect ZK
This work (minimal argument) | O(N^2) group     | O(1) group       | O(N^2) mult      | O(N) mult      | q-PKE and q-CPDH           | Comp. sound, perfect ZK
This work (balanced sizes)   | O(N^{2/3}) group | O(N^{2/3}) group | O(N^{4/3}) mult  | O(N) mult      | q-PKE and q-CPDH           | Comp. sound, perfect ZK
Interactive + Fiat-Shamir    | O(√N) group      | O(√N) group      | O(N) mult        | O(N) mult      | Dlog and random oracle     | Comp. sound, perfect ZK

Knowledge commitments
• Commitment key: $ck = (g, g^x, \ldots, g^{x^q}, \hat g, \hat g^x, \ldots, \hat g^{x^q})$
• Commitment to $(a_1, \ldots, a_q)$ using randomness $r \in \mathbb{Z}_p$:
  $c = g^r (g^x)^{a_1} \cdots (g^{x^q})^{a_q}$
  $\hat c = \hat g^r (\hat g^x)^{a_1} \cdots (\hat g^{x^q})^{a_q}$
• Verifying a commitment: $e(c, \hat g) = e(\hat c, g)$
• Knowledge: the q-PKE assumption says it is impossible to create a valid $(c, \hat c)$ without knowing $r, a_1, \ldots, a_q$

Homomorphic property
• $c = g^r (g^x)^{a_1} \cdots (g^{x^q})^{a_q}$, so $\log_g(c) = r + a_1 x + \cdots + a_q x^q$
• Homomorphic: $\mathrm{commit}(a_1, \ldots, a_q; r) \cdot \mathrm{commit}(b_1, \ldots, b_q; s) = \mathrm{commit}(a_1 + b_1, \ldots, a_q + b_q; r + s)$
  because $(r + \sum_i a_i x^i) + (s + \sum_i b_i x^i) = (r + s) + \sum_i (a_i + b_i) x^i$

Tools
• Constant size knowledge commitments for tuples of elements $(a_1, \ldots, a_q) \in (\mathbb{Z}_p)^q$
• Homomorphic, so we can add committed tuples: $\mathrm{com}(a_1, \ldots, a_q) \cdot \mathrm{com}(b_1, \ldots, b_q) = \mathrm{com}(a_1 + b_1, \ldots, a_q + b_q)$
• NIZK argument for a multiplicative relationship between $\mathrm{com}(a_1, \ldots, a_q)$, $\mathrm{com}(b_1, \ldots, b_q)$ and $\mathrm{com}(a_1 b_1, \ldots, a_q b_q)$
• NIZK argument for a known permutation $\pi$, relating $\mathrm{com}(a_1, \ldots, a_q)$ and $\mathrm{com}(a_{\pi(1)}, \ldots, a_{\pi(q)})$

Circuit with NAND-gates
[Figure: a circuit of $N$ NAND gates; gate $i$ has input wires $a_i$, $b_i$ and output wire $u_i$ (gates 1 to 4 shown)]
• $\mathrm{commit}(a_1, \ldots, a_N, b_1, \ldots, b_N)$
• $\mathrm{commit}(b_1, \ldots, b_N, 0, \ldots, 0)$
• $\mathrm{commit}(u_1, \ldots, u_N, 0, \ldots, 0)$
• NIZK argument for $u_N = 1$
• NIZK argument that everything else is consistent

Consistency
• Need to show valid inputs $a_1, \ldots, a_N, b_1, \ldots, b_N \in \{0, 1\}$
• NIZK argument for the multiplicative relationship between $\mathrm{commit}(a_1, \ldots, a_N, b_1, \ldots, b_N)$, the same commitment and the same commitment again shows $a_1 a_1 = a_1, \ldots, a_N a_N = a_N, b_1 b_1 = b_1, \ldots, b_N b_N = b_N$
• Only possible if $a_1 \in \{0, 1\}, \ldots, a_N \in \{0, 1\}, b_1 \in \{0, 1\}, \ldots, b_N \in \{0, 1\}$

Consistency
• Homomorphic property gives $\mathrm{commit}(1, \ldots, 1, 0, \ldots, 0) / \mathrm{commit}(u_1, \ldots, u_N, 0, \ldots, 0) = \mathrm{commit}(1 - u_1, \ldots, 1 - u_N, 0, \ldots, 0)$
• NIZK argument for the multiplicative relationship between $\mathrm{commit}(a_1, \ldots, a_N, b_1, \ldots, b_N)$, $\mathrm{commit}(b_1, \ldots, b_N, 0, \ldots, 0)$ and $\mathrm{commit}(1 - u_1, \ldots, 1 - u_N, 0, \ldots, 0)$ shows $1 - u_1 = a_1 b_1, \ldots, 1 - u_N = a_N b_N$
• This proves all NAND-gates are respected: $u_1 = \neg(a_1 \wedge b_1), \ldots, u_N = \neg(a_N \wedge b_N)$

Consistency
• Using NIZK arguments for permutations we prove consistency of wires, i.e. whenever $a_i$ and $b_j$ correspond to the same wire, $a_i = b_j$
• We refer to the full paper for the details

Conclusion
• NIZK argument of knowledge
  – perfect completeness
  – perfect zero-knowledge
  – computational soundness under q-PKE and q-CPDH
• Short and efficient to verify:

                   | CRS         | Argument   | Prover comp.     | Verifier comp.
Minimal argument   | O(N^2)      | O(1)       | O(N^2) mults     | O(N) mults
Balanced sizes     | O(N^{2/3})  | O(N^{2/3}) | O(N^{4/3}) mults | O(N) mults

• In general: CRS of size $O(N^{2(1-\varepsilon)})$ and argument of size $O(N^{\varepsilon})$

Thanks
Full paper available at www.cs.ucl.ac.uk/staff/J.Groth
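A toy model of the knowledge commitments from the "Knowledge commitments" and "Homomorphic property" slides, added here as an example; it is not code from the paper or the slides. It assumes the squares modulo the small safe prime P = 1019 (a constructed, insecure stand-in for the pairing group $G$) and replaces the pairing check $e(c, \hat g) = e(\hat c, g)$ by the equivalent trapdoor check $\hat c = c^{\alpha}$, which only the simulated setup can run; the names setup, commit, com_mul, com_div, verify_with_trapdoor and the two check functions are this example's own.

```python
# Added example, not the paper's code: a toy model of Groth's knowledge commitments.
# The squares mod a small safe prime stand in for the pairing group G, and the
# pairing check e(c, ĝ) = e(ĉ, g) is replaced by the equivalent trapdoor check
# ĉ == c^alpha that only the simulated setup can perform.  Far too small to be
# secure; the point is the structure of the key, the commitment and the homomorphism.
import secrets

P, Q = 1019, 509   # constructed toy safe prime P = 2Q + 1; the squares mod P form a group of prime order Q
G = 4              # a square mod P other than 1, hence a generator of that order-Q subgroup


def setup(q, randbelow=secrets.randbelow):
    """Trusted setup for tuples of length q: secret x, alpha in Z_Q; publishes
    ck = (g, g^x, ..., g^{x^q}, ĝ, ĝ^x, ..., ĝ^{x^q}) with ĝ = g^alpha.
    Returns (ck, trapdoor); the trapdoor stays with the setup."""
    x = 1 + randbelow(Q - 1)
    alpha = 1 + randbelow(Q - 1)
    ghat = pow(G, alpha, P)
    g_pows = [pow(G, pow(x, i, Q), P) for i in range(q + 1)]
    ghat_pows = [pow(ghat, pow(x, i, Q), P) for i in range(q + 1)]
    return (g_pows, ghat_pows), (x, alpha)


def commit(ck, a, r):
    """c = g^r * prod_i (g^{x^i})^{a_i},  ĉ = ĝ^r * prod_i (ĝ^{x^i})^{a_i}.
    The committer never learns x or alpha: it only raises published key elements."""
    g_pows, ghat_pows = ck
    if len(a) > len(g_pows) - 1:
        raise ValueError("tuple longer than the commitment key supports")
    c, chat = pow(g_pows[0], r % Q, P), pow(ghat_pows[0], r % Q, P)
    for i, ai in enumerate(a, start=1):
        c = c * pow(g_pows[i], ai % Q, P) % P
        chat = chat * pow(ghat_pows[i], ai % Q, P) % P
    return c, chat


def verify_with_trapdoor(trapdoor, com):
    """Stand-in for e(c, ĝ) = e(ĉ, g): both sides equal e(g, g)^{alpha * log c} iff ĉ = c^alpha."""
    c, chat = com
    return chat == pow(c, trapdoor[1], P)


def com_mul(com1, com2):
    """Homomorphic combination, componentwise in G x G: com(a; r) * com(b; s) = com(a + b; r + s)."""
    return (com1[0] * com2[0] % P, com1[1] * com2[1] % P)


def com_div(com1, com2):
    """com(a; r) / com(b; s) = com(a - b; r - s), as in com(1,...,1) / com(u) = com(1 - u)."""
    return (com1[0] * pow(com2[0], -1, P) % P, com1[1] * pow(com2[1], -1, P) % P)


def homomorphism_holds(q=4):
    """Check, on random tuples of length q, the identities the slides rely on."""
    ck, td = setup(q)
    a = [secrets.randbelow(Q) for _ in range(q)]
    b = [secrets.randbelow(Q) for _ in range(q)]
    r, s = secrets.randbelow(Q), secrets.randbelow(Q)
    ca, cb = commit(ck, a, r), commit(ck, b, s)
    sum_ok = com_mul(ca, cb) == commit(ck, [(ai + bi) % Q for ai, bi in zip(a, b)], (r + s) % Q)
    u = [secrets.randbelow(2) for _ in range(q)]      # a vector of NAND outputs, as on the slides
    one_minus_u = com_div(commit(ck, [1] * q, 0), commit(ck, u, 3))
    neg_ok = one_minus_u == commit(ck, [1 - ui for ui in u], (-3) % Q)
    return sum_ok and neg_ok and verify_with_trapdoor(td, ca) and verify_with_trapdoor(td, cb)


def forged_pair_rejected(q=4):
    """A pair that was not built from the key fails the check: ĉ is no longer c^alpha."""
    ck, td = setup(q)
    c, chat = commit(ck, [1, 2, 3, 4], 7)
    return not verify_with_trapdoor(td, (c, chat * G % P))   # one stray factor of g in ĉ
```

In the real scheme the verifier has no trapdoor: the bilinear map lets anyone check $e(c, \hat g) = e(\hat c, g)$ from the public key alone, and q-PKE is what turns "the pair verifies" into "the committer knows $r, a_1, \ldots, a_q$".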
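The NAND-circuit encoding from the "Circuit with NAND-gates" and the three "Consistency" slides, as an added example that is not part of the paper or the slides. It builds the three committed vectors for a constructed four-gate NAND circuit (XOR of two input bits) and checks, in the clear, exactly the component-wise relations that the multiplicative-relationship, permutation and $u_N = 1$ arguments are meant to establish; the arguments themselves are not implemented. The wire-consistency check uses a permutation $\pi$ whose cycles are the positions sharing a wire, so that $v = v_\pi$ forces all copies of a wire to agree; that concrete choice of $\pi$, the circuit and all function names are this example's assumptions.

```python
# Added example, not from the paper: arithmetisation of a NAND circuit into the
# slides' three vectors, plus the component-wise relations (checked here in the
# clear) that the NIZK arguments establish.  Wire and function names are ours.

# Gate i = (left wire, right wire, output wire).  Constructed circuit: XOR from
# four NAND gates; the last gate's output wire "out" is the circuit output u_N.
XOR_NAND = [
    ("x", "y", "t"),
    ("x", "t", "u1"),
    ("y", "t", "u2"),
    ("u1", "u2", "out"),
]


def evaluate(gates, inputs):
    """Propagate the input bits through the gates (assumed topologically ordered)."""
    wires = dict(inputs)
    for left, right, out in gates:
        wires[out] = 1 - wires[left] * wires[right]      # NAND over {0,1}: u = 1 - a*b
    return wires


def arithmetize(gates, wires):
    """Build the slides' vectors (a_1..a_N, b_1..b_N), (b_1..b_N, 0..0), (u_1..u_N, 0..0)
    and, for wire consistency, the wire name behind every position of a || b || u."""
    n = len(gates)
    a = [wires[l] for l, _, _ in gates]
    b = [wires[r] for _, r, _ in gates]
    u = [wires[o] for _, _, o in gates]
    names = [l for l, _, _ in gates] + [r for _, r, _ in gates] + [o for _, _, o in gates]
    return (a + b, b + [0] * n, u + [0] * n), names


def cycle_permutation(names):
    """pi whose cycles are exactly the position groups sharing a wire.  v == v[pi]
    then forces every copy of a wire to carry the same value (our choice of the
    'known permutation' that the slides' permutation argument is applied to)."""
    groups = {}
    for pos, name in enumerate(names):
        groups.setdefault(name, []).append(pos)
    pi = list(range(len(names)))
    for positions in groups.values():
        for k, pos in enumerate(positions):
            pi[pos] = positions[(k + 1) % len(positions)]   # rotate within the group
    return pi


def check_constraints(vecs, names):
    """Return the relations that fail; an empty list means a valid witness."""
    ab, b0, u0 = vecs
    n = len(ab) // 2
    failures = []
    if any(v * v != v for v in ab):                                    # com(ab)*com(ab) -> com(ab)
        failures.append("inputs not boolean")
    if any(l * r != 1 - u for l, r, u in zip(ab[:n], b0[:n], u0[:n])):  # com(ab)*com(b0) -> com(1-u)
        failures.append("NAND gate violated")
    if u0[n - 1] != 1:                                                 # argument for u_N = 1
        failures.append("output is not 1")
    full = ab + u0[:n]                     # a || b || u, aligned with `names`
    pi = cycle_permutation(names)
    if any(full[i] != full[pi[i]] for i in range(len(full))):         # com(v) vs com(v_pi)
        failures.append("wire consistency violated")
    return failures


def witness_for(gates, inputs):
    return arithmetize(gates, evaluate(gates, inputs))


def honest_witness_ok():
    return check_constraints(*witness_for(XOR_NAND, {"x": 1, "y": 0})) == []


def unsatisfying_input_caught():
    # x = y = 1 gives XOR = 0: every gate is respected, only u_N = 1 fails.
    return check_constraints(*witness_for(XOR_NAND, {"x": 1, "y": 1})) == ["output is not 1"]


def cheating_witness_caught():
    # Same inputs, but the prover forces u_4 = 1; the NAND relation of gate 4 breaks.
    (ab, b0, u0), names = witness_for(XOR_NAND, {"x": 1, "y": 1})
    u0 = u0[:]
    u0[len(ab) // 2 - 1] = 1
    return check_constraints((ab, b0, u0), names) == ["NAND gate violated"]


def inconsistent_wires_caught():
    # Gate 2 is fed a different value for wire "x" than gate 1; the cycle permutation
    # maps position 0 to 1 and the two copies of "x" no longer agree.
    (ab, b0, u0), names = witness_for(XOR_NAND, {"x": 1, "y": 0})
    ab = ab[:]
    ab[1] = 0                              # a_2: left input of gate 2, wire "x"
    return "wire consistency violated" in check_constraints((ab, b0, u0), names)
```

Soundness of the whole construction rests on each of these checks being forced by a commitment-level argument: a prover who opens the commitments to values failing any line of check_constraints has either broken the binding/knowledge property of the commitments or produced a false multiplicative, permutation or $u_N = 1$ argument.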