Perfect Non-interactive Zero-Knowledge for NP
Jens Groth, Rafail Ostrovsky, Amit Sahai
University of California, Los Angeles

Motivation
"I'm a woman." "Prove it!" "OK, I will make a zero-knowledge proof."
Circuit C = "I'm a woman"; the prover sends a proof $\pi$.

Completeness
Common reference string from $K(1^k)$. The prover holds a circuit $C$ and a witness $w$ with $C(w) = 1$ and sends a proof $\pi$ to the verifier, who accepts.
Perfect completeness: $\Pr[\text{Accept}] = 1$

Soundness
Common reference string from $K(1^k)$. The adversary sends an unsatisfiable circuit $C$ and a proof $\pi$ to the verifier, who rejects.
Perfect soundness: $\Pr[\text{Reject}] = 1$

Zero-knowledge
Simulator: $S_1(1^k)$ outputs a simulated "common reference string" together with a simulation key $sk$; $S_2(crs, sk, C)$ outputs a proof $\pi$ without seeing $w$. The adversary chooses circuit $C$ and witness $w$, receives $\pi$ and outputs 0/1.
Computational zero-knowledge: $\Pr[A \to 1 \mid \text{simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{real proofs } (K, P)]$

State of affairs
- Computational NIZK proofs known but not practical. Kilian-Petrank: $O(|C| k^2)$-bit common reference string, $O(|C| k^2)$-bit proofs
- Statistical/perfect NIZK arguments not known
- No non-interactive UC ZK arguments secure against adaptive adversaries known

Our contributions
NIZK proof for Circuit SAT
- Perfect completeness, perfect soundness, perfect proof of knowledge, computational zero-knowledge
- $O(k)$-bit common reference string
- $O(|C| k)$-bit proofs
Perfect NIZK argument for Circuit SAT
- Perfect completeness, computational coNP soundness, perfect zero-knowledge
UC NIZK argument for Circuit SAT with perfect zero-knowledge, secure against adaptive adversaries

Bilinear group of order n
- $G$, $G_1$ cyclic groups of order $n = pq$
- $g$ generator for $G$
- bilinear map $e: G \times G \to G_1$ with $e(u^a, v^b) = e(u, v)^{ab}$
- $e(g, g)$ generates $G_1$
Decision subgroup problem: $\mathrm{ord}(h) = q$ or $\mathrm{ord}(h) = n$?

Boneh-Goh-Nissim cryptosystem
Key generation: $pk = (n, G, G_1, e, g, h)$ with $\mathrm{ord}(g) = n$, $\mathrm{ord}(h) = q$; $sk = (pk, p, q)$
Encryption of $m$ with $|m| = O(\log k)$: $E(m; r) = g^m h^r$ where $r \leftarrow \mathbb{Z}_n$
Decryption: $(g^m h^r)^q = (g^q)^m$; find $m$ by polynomial-time exhaustive search
Homomorphic properties
- Additively homomorphic: $g^{m_1} h^{r_1} \cdot g^{m_2} h^{r_2} = g^{m_1 + m_2} h^{r_1 + r_2}$
- Multiplication-mapping: $e(g^{m_1} h^{r_1}, g^{m_2} h^{r_2}) = e(g, g)^{m_1 m_2} \cdot e(h, g^{m_1 r_2 + m_2 r_1} h^{r_1 r_2})$

NIZK proof for Circuit SAT
Circuit SAT is NP-complete. Example circuit: $w_4 = \mathrm{NAND}(w_1, w_2)$ and output $1 = \mathrm{NAND}(w_4, w_3)$.
Encrypt the wires as $g^{w_1} h^{r_1}$, $g^{w_2} h^{r_2}$, $g^{w_3} h^{r_3}$, $g^{w_4} h^{r_4}$; the output wire is the fixed value $g^1$.
- NIZK proof that $c_1$ encrypts 0 or 1; likewise for $c_2$, $c_3$, $c_4$
- NIZK proof that $w_4 = \neg(w_1 \wedge w_2)$
- NIZK proof that $1 = \neg(w_4 \wedge w_3)$

NIZK proof for encryption of 0 or 1
Wish to prove $c$ encrypts 0 or 1. Write $c = g^m h^r$ ($m$ uniquely determined mod $p$).
$e(c, g^{-1} c) = e(g^m h^r, g^{m-1} h^r) = e(g, g)^{m(m-1)} \cdot e(h^r, g^{2m-1} h^r)$
has order $q$ if and only if $m = 0 \bmod p$ or $m = 1 \bmod p$.
We wish to prove $e(c, g^{-1} c)$ has order $q$.

NIZK proof for encryption of 0 or 1
Prover chooses $s \in \mathbb{Z}_n^*$. For $m \in \{0, 1\}$:
$e(c, g^{-1} c) = e(g^m h^r, g^{m-1} h^r) = e(h^r, g^{2m-1} h^r) = e(h^s, (g^{2m-1} h^r)^{r/s})$
Reveal $\pi = (\pi_1, \pi_2, \pi_3)$ with $\pi_1 = h^s$, $\pi_2 = (g^{2m-1} h^r)^{r/s}$, $\pi_3 = g^s$
Verifier checks $e(\pi_1, g) = e(h, \pi_3)$ and $e(c, g^{-1} c) = e(\pi_1, \pi_2)$

NIZK proof for encryption of 0 or 1
Perfect soundness:
$h$ has order $q$ $\Rightarrow$ $e(h, \pi_3)$ has order $q$ $\Rightarrow$ (since $e(\pi_1, g) = e(h, \pi_3)$) $e(\pi_1, g)$ has order $q$ $\Rightarrow$ $\pi_1$ has order $q$ $\Rightarrow$ $e(\pi_1, \pi_2)$ has order $q$ $\Rightarrow$ (since $e(c, g^{-1} c) = e(\pi_1, \pi_2)$) $e(c, g^{-1} c)$ has order $q$ $\Rightarrow$ $m = 0 \bmod p$ or $m = 1 \bmod p$
Computational zero-knowledge: simulate with $\mathrm{ord}(h) = n$ and $g = h^\gamma$; simulation key $\gamma$

NIZK proof for NAND-gate
Given ciphertexts $c_0, c_1, c_2$ containing bits $b_0, b_1, b_2$, wish to prove $b_2 = \neg(b_0 \wedge b_1)$.
$b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2 b_2 - 2 \in \{0, 1\}$
Make NIZK proof for $c_0 c_1 c_2^2 g^{-2}$ encrypting 0 or 1

NIZK proof for Circuit SAT
- Encrypt all wires $w_i$ as $c_i = g^{w_i} h^{r_i}$
- For each $i$ make NIZK proof that $c_i$ contains 0 or 1
- For each NAND-gate make NIZK proof that $c_0 c_1 c_2^2 g^{-2}$ contains 0 or 1
Perfect completeness. Perfect soundness. Computational zero-knowledge. Perfect knowledge extraction: decrypt the ciphertexts.

Perfect NIZK
Common reference string $(g, h)$: choose $g, h$ so $\mathrm{ord}(g) = \mathrm{ord}(h) = n$
Perfect completeness
Perfect zero-knowledge: the ciphertexts $c_i$ are perfectly hiding commitments, and the NIZK argument for 0/1 plaintexts is perfect ZK

Adaptive coNP soundness
Common reference string from $K(1^k)$. The adversary outputs $C$, a coNP witness $w_{co}$ that $C$ is unsatisfiable, and a proof $\pi$; the verifier rejects.
Computational coNP soundness: $\Pr[\text{Reject}] \approx 1$

$F_{NIZK}$
(prove, $C$, $w$) $\to$ (proof, $\pi$): if $C(w) = 1$, give $C$ to $S$ and get $\pi$; store $(C, \pi)$
(verify, $C$, $\pi$) $\to$ (verification, 0/1): if $(C, \pi)$ not stored, give $(C, \pi)$ to $S$ and get $w$; if $C(w) = 1$ store $(C, \pi)$. Return 1 if $(C, \pi)$ stored

UC NIZK
There exists a non-interactive protocol UC NIZK such that
1. UC NIZK securely realizes $F_{NIZK}$ against adaptive adversaries in the common reference string model
2. UC NIZK is perfect zero-knowledge

Conclusion
New technique for NIZK proofs
1. Very efficient NIZK proofs with perfect soundness
2. First construction of perfect zero-knowledge NIZK argument with coNP soundness
3. First construction of UC NIZK argument secure against adaptive adversaries
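The 0/1-plaintext proof and the NAND-gate encoding from the slides above, worked through as an added example (not code from the paper). Group elements are represented by their discrete logarithms in Z_n, so the pairing is multiplication mod n; this is an insecure toy model that checks only the algebra, and the primes, generators and randomness are constructed for the example.

```python
import math
import random

# Constructed toy parameters: n = pq with small primes (insecure; algebra only).
p, q = 1000003, 1000033
n = p * q
g = 1          # generator of G, order n
h = 7 * p      # ord(h) = q, since gcd(h, n) = p


def pair(x, y):
    """Bilinear map in the exponent model: e(g^x, g^y) = e(g, g)^(xy)."""
    return (x * y) % n


def has_order_q(t):
    """True iff target element t satisfies t^q = 1, i.e. ord(t) divides q."""
    return (t * q) % n == 0


def encrypt(m, r):
    """BGN encryption E(m; r) = g^m h^r."""
    return (m * g + r * h) % n


def prove_bit(m, r):
    """Prover for 'E(m; r) encrypts 0 or 1': pi = (h^s, (g^{2m-1} h^r)^{r/s}, g^s)."""
    s = random.randrange(1, n)
    while math.gcd(s, n) != 1:          # s must lie in Z_n^*
        s = random.randrange(1, n)
    s_inv = pow(s, -1, n)
    pi1 = (s * h) % n
    pi2 = (((2 * m - 1) * g + r * h) * r * s_inv) % n
    pi3 = (s * g) % n
    return pi1, pi2, pi3


def verify_bit(c, pi):
    """Verifier: e(pi1, g) = e(h, pi3) and e(c, g^{-1} c) = e(pi1, pi2)."""
    pi1, pi2, pi3 = pi
    return pair(pi1, g) == pair(h, pi3) and pair(c, (c - g) % n) == pair(pi1, pi2)


def nand_ciphertext(c0, c1, c2):
    """c0 c1 c2^2 g^{-2}: encrypts b0 + b1 + 2 b2 - 2 under randomness r0 + r1 + 2 r2."""
    return (c0 + c1 + 2 * c2 - 2 * g) % n


def gate_accepted(b0, b1, b2):
    """Encrypt three wires, run the prover on the NAND ciphertext, and verify."""
    rands = [random.randrange(n) for _ in range(3)]
    cts = [encrypt(b, r) for b, r in zip((b0, b1, b2), rands)]
    pi = prove_bit(b0 + b1 + 2 * b2 - 2, rands[0] + rands[1] + 2 * rands[2])
    return verify_bit(nand_ciphertext(*cts), pi)
```

For a wrong gate value the plaintext of the combined ciphertext is -2, -1 or 2, so m(m-1) is nonzero mod n and the second verifier equation fails, which is the soundness argument of the slides in miniature.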