Perfect Non-interactive
Zero-Knowledge for NP
Jens Groth
Rafail Ostrovsky
Amit Sahai
University of California Los Angeles
Motivation
"I'm a woman."
"Prove it!"
"OK, I will make a zero-knowledge proof."
Circuit C =
”I’m a woman”
Proof π
Completeness
Common reference string $\mathrm{crs} \leftarrow K(1^k)$
Prover: given circuit $C$ and witness $w$ with $C(w) = 1$, outputs proof $\pi$
Verifier: given $\mathrm{crs}$, $C$ and $\pi$, accepts
Perfect completeness: $\Pr[\text{Accept}] = 1$
Soundness
Common reference string $\mathrm{crs} \leftarrow K(1^k)$
Adversary: outputs an unsatisfiable circuit $C$ and a proof $\pi$
Verifier: rejects
Perfect soundness: $\Pr[\text{Reject}] = 1$
Zero-knowledge
Simulator: $(\mathrm{crs}, \mathrm{sk}) \leftarrow S_1(1^k)$, then $\pi \leftarrow S_2(\mathrm{crs}, \mathrm{sk}, C)$
"Common reference string" $\mathrm{crs}$ (simulated)
Adversary: chooses circuit $C$ and witness $w$, receives proof $\pi$, outputs $0/1$
Computational zero-knowledge:
$\Pr[A \rightarrow 1 \mid \text{simulated proofs } (S_1, S_2)] \approx \Pr[A \rightarrow 1 \mid \text{real proofs } (K, P)]$
State of affairs
Computational NIZK proofs known but not practical
Kilian-Petrank: $O(|C| k^2)$-bit common reference string, $O(|C| k^2)$-bit proofs
Statistical/perfect NIZK arguments not known
No non-interactive UC ZK arguments secure against adaptive adversaries known
Our contributions
NIZK proof for Circuit SAT
- Perfect completeness, perfect soundness, perfect proof of knowledge, computational zero-knowledge
- $O(k)$-bit common reference string
- $O(|C| k)$-bit proofs
Perfect NIZK argument for Circuit SAT
- Perfect completeness, computational coNP soundness, perfect zero-knowledge
UC NIZK argument for Circuit SAT with perfect zero-knowledge, secure against adaptive adversaries
Bilinear group of order n
$G, G_1$ cyclic groups of order $n = pq$
$g$ generator for $G$
bilinear map $e: G \times G \rightarrow G_1$ with $e(u^a, v^b) = e(u, v)^{ab}$
$e(g, g)$ generates $G_1$
Decision subgroup problem
Given $h \in G$, decide whether $\mathrm{ord}(h) = q$ or $\mathrm{ord}(h) = n$
Boneh-Goh-Nissim cryptosystem
Key generation
$\mathrm{pk} = (n, G, G_1, e, g, h)$ with $\mathrm{ord}(g) = n$, $\mathrm{ord}(h) = q$
$\mathrm{sk} = (\mathrm{pk}, p, q)$
Encryption of $m$, $|m| = O(\log k)$
$E(m; r) = g^m h^r$ where $r \leftarrow \mathbb{Z}_n$
Decryption
$(g^m h^r)^q = (g^q)^m$ since $h^q = 1$; find $m$ by polynomial-time exhaustive search over the $O(\log k)$-bit message space
Homomorphic properties
Additively homomorphic: $g^{m_1} h^{r_1} \cdot g^{m_2} h^{r_2} = g^{m_1 + m_2} h^{r_1 + r_2}$
Multiplication-mapping (one multiplication via the pairing): $e(g^{m_1} h^{r_1}, g^{m_2} h^{r_2}) = e(g, g)^{m_1 m_2} \cdot e(h, g^{m_1 r_2 + m_2 r_1} h^{r_1 r_2})$
NIZK proof for Circuit SAT
Example circuit of NAND gates: $w_4 = \neg(w_1 \wedge w_2)$ and output $1 = \neg(w_4 \wedge w_3)$
Circuit SAT is NP-complete
NIZK proof for Circuit SAT
Encrypt the wires: $c_1 = g^{w_1} h^{r_1}$, $c_2 = g^{w_2} h^{r_2}$, $c_3 = g^{w_3} h^{r_3}$, $c_4 = g^{w_4} h^{r_4}$; the output wire is the public constant $g^1$
NIZK proof that each $c_i$ encrypts 0 or 1
NIZK proof for the NAND gate $w_4 = \neg(w_1 \wedge w_2)$
NIZK proof for the output NAND gate $1 = \neg(w_4 \wedge w_3)$
NIZK proof for encryption of 0 or 1
Wish to prove $c$ encrypts 0 or 1
Write $c = g^m h^r$ ($m$ uniquely determined mod $p$)
$e(c, g^{-1} c) = e(g^m h^r, g^{m-1} h^r) = e(g, g)^{m(m-1)} \cdot e(h^r, g^{2m-1} h^r)$
The second factor always has order dividing $q$ because $\mathrm{ord}(h) = q$, so the product has order dividing $q$ (lies in the order-$q$ subgroup of $G_1$) if and only if $m = 0 \bmod p$ or $m = 1 \bmod p$
We wish to prove $e(c, g^{-1} c)$ has order dividing $q$
NIZK proof for encryption of 0 or 1
Prover chooses $s \leftarrow \mathbb{Z}_n^*$
For $m \in \{0, 1\}$ the factor $e(g, g)^{m(m-1)}$ is trivial, so
$e(c, g^{-1} c) = e(g^m h^r, g^{m-1} h^r) = e(h^r, g^{2m-1} h^r) = e(h^s, (g^{2m-1} h^r)^{r/s})$
Reveal $\pi = (\pi_1, \pi_2, \pi_3)$ with $\pi_1 = h^s$, $\pi_2 = (g^{2m-1} h^r)^{r/s}$, $\pi_3 = g^s$ (where $r/s$ means $r \cdot s^{-1} \bmod n$)
Verifier checks $e(\pi_1, g) = e(h, \pi_3)$ and $e(c, g^{-1} c) = e(\pi_1, \pi_2)$
NIZK proof for encryption of 0 or 1
Perfect soundness
$h$ has order $q$ $\Rightarrow$ $e(h, \pi_3)$ has order dividing $q$
$e(\pi_1, g) = e(h, \pi_3)$ $\Rightarrow$ $e(\pi_1, g)$ has order dividing $q$ $\Rightarrow$ $\pi_1$ has order dividing $q$ $\Rightarrow$ $e(\pi_1, \pi_2)$ has order dividing $q$
$e(c, g^{-1} c) = e(\pi_1, \pi_2)$ $\Rightarrow$ $e(c, g^{-1} c)$ has order dividing $q$ $\Rightarrow$ $m = 0 \bmod p$ or $m = 1 \bmod p$
Computational zero-knowledge
Simulated common reference string: $\mathrm{ord}(h) = n$ and $g = h^\gamma$, indistinguishable from the real one under the decision subgroup assumption
simulation key: $\gamma$
NIZK proof for NAND-gate
Given $c_0, c_1, c_2$ ciphertexts containing bits $b_0, b_1, b_2$, wish to prove $b_2 = \neg(b_0 \wedge b_1)$
$b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2 b_2 - 2 \in \{0, 1\}$
Make NIZK proof for $c_0 c_1 c_2^2 g^{-2}$ encrypting 0 or 1 (by the additive homomorphism this ciphertext encrypts $b_0 + b_1 + 2 b_2 - 2$)
NIZK proof for Circuit SAT
Encrypt all wires $w_i$ as $c_i = g^{w_i} h^{r_i}$
For each $i$ make NIZK proof that $c_i$ contains 0 or 1
For each NAND-gate make NIZK proof that $c_0 c_1 c_2^2 g^{-2}$ contains 0 or 1
Perfect completeness
Perfect soundness
Computational zero-knowledge
Perfect knowledge extraction – decrypt ciphertexts
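As an added worked example (not code from the slides or from the GOS paper), the following Python runs the whole pipeline of the 0/1 proof, the NAND-gate encoding and the Circuit SAT proof on the slides' circuit. The bilinear group is replaced by the additive group $(\mathbb{Z}_n, +)$ with $e(x, y) = xy \bmod n$: that map is bilinear, but element orders are $n / \gcd(x, n)$, so the decision subgroup problem is trivial and the code demonstrates only the algebra (completeness, rejection of a ciphertext holding 2, trapdoor simulation), not security. The tiny primes, the witnesses, the treatment of the output wire as the public constant $g$ and the simulator construction are my assumptions.

```python
from math import gcd
import secrets

# Constructed toy parameters; a real BGN group has n = pq of ~1024 bits with p, q secret.
P, Q = 1009, 1013
N = P * Q

# Stand-in "bilinear group": G = G_1 = (Z_n, +).  The slides' multiplicative
# notation g^a h^b becomes a*g + b*h mod n, and e(x, y) = x*y mod n is bilinear.
# Orders are n / gcd(x, n), so this models the algebra of the proofs, not security.
def gmul(a, b): return (a + b) % N            # x * y in G
def gexp(a, k): return (a * k) % N            # x^k in G (k may be negative)
def ginv(a):    return (-a) % N               # x^{-1} in G
def pair(a, b): return (a * b) % N            # e(x, y) in G_1
def in_q_subgroup(x):                         # "has order q" on the slides: ord(x) | q
    return (N // gcd(x, N)) in (1, Q)

def rand_unit():                              # uniform s in Z_n^*
    while True:
        s = secrets.randbelow(N)
        if gcd(s, N) == 1:
            return s

def keygen(simulated=False):
    """Real CRS (g, h): ord(g) = n, ord(h) = q.  Simulated / perfect-NIZK CRS:
    ord(h) = n and g = h^gamma, with gamma as the simulation trapdoor."""
    if not simulated:
        g = rand_unit()
        return (g, gexp(g, P)), None          # h = g^p has order q
    h, gamma = rand_unit(), rand_unit()
    return (gexp(h, gamma), h), gamma

def enc(crs, m, r):                           # E(m; r) = g^m h^r
    g, h = crs
    return gmul(gexp(g, m), gexp(h, r))

def prove01(crs, m, r):
    """pi = (h^s, (g^{2m-1} h^r)^{r/s}, g^s) for c = g^m h^r, m in {0, 1}."""
    g, h = crs
    s = rand_unit()
    base = gmul(gexp(g, 2 * m - 1), gexp(h, r))
    return gexp(h, s), gexp(base, r * pow(s, -1, N) % N), gexp(g, s)

def verify01(crs, c, proof):                  # the two pairing equations from the slides
    g, h = crs
    pi1, pi2, pi3 = proof
    return (pair(pi1, g) == pair(h, pi3)
            and pair(c, gmul(ginv(g), c)) == pair(pi1, pi2))

def simulate01(crs, gamma, c):
    """Trapdoor simulation (assumption: this simulator is mine; the slides only
    name the key gamma).  With g = h^gamma, pi = (c, g^{-1} c, c^gamma) passes
    both verifier equations for any c, without knowing m or r."""
    g, h = crs
    return c, gmul(ginv(g), c), gexp(c, gamma)

# NAND gate: b2 = NAND(b0, b1) iff b0 + b1 + 2*b2 - 2 in {0, 1}, and the
# ciphertext c0 c1 c2^2 g^-2 encrypts that value under randomness r0 + r1 + 2*r2.
def nand_ciphertext(crs, c0, c1, c2):
    g, _ = crs
    return gmul(gmul(gmul(c0, c1), gexp(c2, 2)), gexp(g, -2))

# Circuit SAT: gates are (in0, in1, out) wire indices; the output wire is the
# public constant 1 encrypted with randomness 0, i.e. c_out = g.
def prove_circuit(crs, gates, out_wire, w):
    r = [secrets.randbelow(N) for _ in w]
    r[out_wire] = 0
    c = [enc(crs, w[i], r[i]) for i in range(len(w))]
    bit_proofs = [prove01(crs, w[i], r[i]) for i in range(len(w))]
    gate_proofs = [prove01(crs, w[a] + w[b] + 2 * w[o] - 2, r[a] + r[b] + 2 * r[o])
                   for a, b, o in gates]
    return c, bit_proofs, gate_proofs

def verify_circuit(crs, gates, out_wire, proof):
    g, _ = crs
    c, bit_proofs, gate_proofs = proof
    if c[out_wire] != g or len(bit_proofs) != len(c) or len(gate_proofs) != len(gates):
        return False
    if not all(verify01(crs, ci, bp) for ci, bp in zip(c, bit_proofs)):
        return False
    return all(verify01(crs, nand_ciphertext(crs, c[a], c[b], c[o]), gp)
               for (a, b, o), gp in zip(gates, gate_proofs))

# The slides' circuit: w4 = NAND(w1, w2), 1 = NAND(w4, w3); wires w1..w4 -> 0..3, output -> 4.
GATES, OUT = [(0, 1, 3), (3, 2, 4)], 4

def demo():
    crs, _ = keygen()
    good = prove_circuit(crs, GATES, OUT, [1, 1, 1, 0, 1])   # satisfying assignment
    bad = prove_circuit(crs, GATES, OUT, [0, 0, 1, 1, 1])    # NAND(1, 1) = 0, output claimed 1
    sim_crs, gamma = keygen(simulated=True)
    c = enc(sim_crs, 1, secrets.randbelow(N))
    return (verify_circuit(crs, GATES, OUT, good),
            verify_circuit(crs, GATES, OUT, bad),
            verify01(sim_crs, c, simulate01(sim_crs, gamma, c)))

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The dishonest witness fails only at the second gate's proof: its bit proofs are all valid, but the derived ciphertext encrypts $2$, so the $e(c, g^{-1}c)$ check cannot be satisfied with any $\pi_1$ in the order-$q$ subgroup. Under the simulated CRS every ciphertext is a perfectly hiding commitment, which is why the trapdoor proof verifies without the simulator ever learning the plaintext.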
Perfect NIZK
Common reference string (g, h)
Choose g, h so ord(g) = ord(h) = n
Perfect completeness
Perfect zero-knowledge
Ciphertexts $c_i$ are perfectly hiding commitments
NIZK argument for 0/1 plaintexts perfect ZK
Adaptive coNP soundness
Common reference string $\mathrm{crs} \leftarrow K(1^k)$
Adversary: outputs a circuit $C$, a proof $\pi$ and $w_{co}$, a witness that $C$ is unsatisfiable
Verifier: rejects
Computational coNP soundness: $\Pr[\text{Reject}] \approx 1$
$F_{\mathrm{NIZK}}$
On (prove, $C$, $w$): if $C(w) = 1$, give $C$ to $S$ and get $\pi$; store $(C, \pi)$; return (proof, $\pi$)
On (verify, $C$, $\pi$): if $(C, \pi)$ is not stored, give $(C, \pi)$ to $S$ and get $w$; if $C(w) = 1$, store $(C, \pi)$. Return (verification, 1) if $(C, \pi)$ is stored, else (verification, 0)
UC NIZK
There exists a non-interactive protocol UC NIZK such that
1. UC NIZK securely realizes $F_{\mathrm{NIZK}}$ against adaptive adversaries in the common reference string model
2. UC NIZK is perfect zero-knowledge
Conclusion
New technique for NIZK proofs
1. Very efficient NIZK proofs with perfect soundness
2. First construction of perfect zero-knowledge NIZK argument with coNP soundness
3. First construction of UC NIZK argument secure against adaptive adversaries