Efficient Zero-Knowledge Proof Systems


Transcript of Efficient Zero-Knowledge Proof Systems

Slide 1

Efficient Zero-Knowledge Proof Systems
Jens Groth, University College London
FOSAD 2014

Slide 2

Round complexity
- Interactive zero-knowledge proof
- Non-interactive zero-knowledge proof
- Useful for non-interactive tasks: signatures, encryption, ...

Slide 3

Non-interactive proofs
- Prover: holds a statement x ∈ L and a witness w with (x, w) ∈ R_L, and sends a single proof
- Verifier: checks the proof and concludes "OK, x ∈ L"
- L is a language in NP defined by the relation R_L

Slide 4

Non-interactive zero-knowledge (NIZK) proofs
- Completeness: can prove a true statement
- Soundness: cannot prove a false statement
- Zero-knowledge: the proof reveals nothing (except the truth of the statement)

Slide 5

Zero-knowledge = Simulation
- Prover and verifier; statement x ∈ L; witness w with (x, w) ∈ R_L

Slide 6

Problem: if proofs can be simulated, then anybody can create convincing proofs!
Non-interactive zero-knowledge proof [BFM88]
- Prover and verifier; statement x ∈ L; proof; (x, w) ∈ R_L
- Both parties share a common reference string (figure: 010011010)

Slide 7

Common reference string (CRS)
- Can be uniformly random or have a specific distribution
- Key generation algorithm K for generating the CRS
- Trusted generation: trusted party; secure multi-party computation; multi-string model with a majority of honest strings [GO07]
(figure: CRS 0110110101000101110100101)

Slide 8

Zero-knowledge simulation
- Statement x ∈ L with (x, w) ∈ R_L; common reference string 010011010
- Real world: K generates the CRS
- Simulation: S generates the CRS together with a simulation trapdoor, and S(trapdoor, x) produces a proof without a witness

Slide 9

Publicly verifiable NIZK proofs
- NP language L: statement x ∈ L if there is a witness w so that (x, w) ∈ R_L
- An NIZK proof system for R_L consists of three probabilistic polynomial time algorithms (K, P, V):
  K(1^k): generates the common reference string
  P(CRS, x, w): generates a proof
  V(CRS, x, proof): outputs 1 (accept) or 0 (reject)

Slide 10

Public vs. private verification
- Publicly verifiable: K generates the CRS; V checks a proof given input (CRS, x, proof); anybody can check the proof
- Privately verifiable: K generates the CRS and a private verification key; V checks a proof given the private verification key, x and the proof; only the designated verifier holding the key can check the proof

Slide 11

Public vs. private verifiability
Public verifiability
- Sometimes required: signatures, universally verifiable voting
- Reusability: a proof can be copied and sent to somebody else; the prover only needs to run once to create a proof that convinces everybody
- Hard to construct
Private verifiability
- Sometimes suffices: CCA-secure public-key encryption, e.g., Cramer-Shoup encryption
- Cannot be transferred: for the designated verifier only
- Easier to construct

Slide 12

Completeness
- Perfect completeness: Pr[Accept] = 1
- K(1^k) outputs the common reference string; P(CRS, x, w) outputs a proof; V(CRS, x, proof) outputs accept/reject
- Statement x ∈ L, witness w so that (x, w) ∈ R

Slide 13

Soundness
- Perfect soundness: for all Adv: Pr[Reject] = 1
- Statistical soundness: for all Adv: Pr[Reject] ≈ 1
- Computational soundness: for all poly-time Adv: Pr[Reject] ≈ 1
- K(1^k) outputs the common reference string; the adversary outputs a false statement x and a proof; V(CRS, x, proof) outputs accept/reject
- Adaptive soundness: the adversary first sees the CRS and then cheats

Slide 14

Zero-knowledge
- Perfect ZK: Pr[Adv outputs 1 | Real] = Pr[Adv outputs 1 | Simulation]
- Computational ZK: for all poly-time Adv: Pr[Adv outputs 1 | Real] ≈ Pr[Adv outputs 1 | Simulation]
- Real: K(1^k) outputs the CRS; P(CRS, x, w) outputs a proof
- Simulation: S1(1^k) outputs the CRS and a trapdoor; S2(CRS, trapdoor, x) outputs a proof
- In both cases the adversary chooses (x, w) ∈ R_L, receives the proof and outputs 0/1

Slide 15

Fiat-Shamir heuristic [FS86]
- Take an interactive ZK argument where the verifier's messages are random bits (a public-coin argument)
- Let the CRS describe a hash function H
- Replace the verifier's messages with hash values of the current transcript
- NIZK argument = (a, z): the prover's first message a, the challenge H(x, a) computed from the transcript, and the prover's response z
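The following is an added example, not code from Groth's slides: the Fiat-Shamir heuristic applied to the Schnorr protocol, a public-coin sigma protocol for knowledge of a discrete logarithm, together with the simulator that underlies the "zero-knowledge = simulation" view of slides 5 and 14. The group (a 128-bit safe-prime subgroup, far too small for real use), the choice of SHA-256 as the hash function H that the CRS describes, and the domain-separation label are assumptions made for this demo. It shows the three things the slide states: the challenge is derived from the transcript (x, a), an honest proof verifies, and a simulated transcript (challenge chosen before a) passes the interactive check but not the Fiat-Shamir one.

```python
# Added example (not from the slides): Schnorr + Fiat-Shamir, with simulator.
import hashlib
import secrets
from typing import Tuple


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; good enough for generating demo parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 128) -> Tuple[int, int, int]:
    """Return (p, q, g): p = 2q + 1 prime, g generates the order-q subgroup of Z_p^*.
    128 bits is a toy size (assumption for the demo), not a secure parameter."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    while True:
        g = pow(2 + secrets.randbelow(p - 3), 2, p)  # squaring lands in the order-q subgroup
        if g != 1:
            return p, q, g


def keygen(p: int, q: int, g: int) -> Tuple[int, int]:
    """Witness w and statement y = g^w: (y, w) is in the discrete-log relation R_L."""
    w = 1 + secrets.randbelow(q - 1)
    return w, pow(g, w, p)


def challenge(p: int, q: int, g: int, y: int, a: int) -> int:
    """Fiat-Shamir: the verifier's random challenge becomes H(x, a) mod q.
    SHA-256 stands in for the hash function described by the CRS (assumption)."""
    transcript = b"|".join(str(v).encode() for v in ("schnorr-fs", p, q, g, y, a))
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % q


def verify_transcript(p: int, q: int, g: int, y: int, a: int, e: int, z: int) -> bool:
    """Sigma-protocol check used by both the interactive and the NIZK verifier: g^z == a * y^e."""
    return pow(g, z, p) == (a * pow(y, e, p)) % p


def fs_prove(p: int, q: int, g: int, y: int, w: int) -> Tuple[int, int]:
    """Prover with the witness: commit to a = g^r, hash to get e, respond with z = r + e*w."""
    r = secrets.randbelow(q)
    a = pow(g, r, p)
    e = challenge(p, q, g, y, a)
    z = (r + e * w) % q
    return a, z  # the NIZK argument (a, z) from slide 15


def fs_verify(p: int, q: int, g: int, y: int, proof: Tuple[int, int]) -> bool:
    """Verifier recomputes the challenge from (x, a) itself; no interaction needed."""
    a, z = proof
    return verify_transcript(p, q, g, y, a, challenge(p, q, g, y, a), z)


def simulate_transcript(p: int, q: int, g: int, y: int) -> Tuple[int, int, int]:
    """Simulator without the witness: pick e and z first, then solve a = g^z * y^(-e).
    The transcript is accepting and distributed exactly like a real one, which is why the
    interactive protocol is zero-knowledge. It is not a Fiat-Shamir proof, because a was
    chosen after e instead of e = H(x, a)."""
    e = secrets.randbelow(q)
    z = secrets.randbelow(q)
    a = (pow(g, z, p) * pow(y, -e, p)) % p  # negative exponent = modular inverse (Python 3.8+)
    return a, e, z


if __name__ == "__main__":
    p, q, g = safe_prime_group()
    w, y = keygen(p, q, g)
    print("honest proof verifies:", fs_verify(p, q, g, y, fs_prove(p, q, g, y, w)))
    a, e, z = simulate_transcript(p, q, g, y)
    print("simulated transcript, interactive check:", verify_transcript(p, q, g, y, a, e, z))
    print("simulated transcript, Fiat-Shamir check:", fs_verify(p, q, g, y, (a, z)))
```

The last two lines of the demo make slide 6's point concrete: a simulator that can choose the challenge convinces the interactive verifier, so for the non-interactive version the simulator must instead control the challenge derivation (in the random-oracle analysis, by programming H), which is exactly the trapdoor a real-world deterministic H does not offer.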

Slide 16

Fiat-Shamir heuristic
- Efficient NIZK arguments that work well in practice
- Hopefully they are secure
- Can argue heuristically that they are computationally sound in the random oracle model [BR93], where we pretend H is a truly random function
- But in real life H is a deterministic function, and there are instantiations of the Fiat-Shamir heuristic [GK03] that yield insecure real-life schemes

Slide 17

Encrypted random bits

- Statement x ∈ L with (x, w) ∈ R_L
- K(1^k) outputs (pk, sk); the CRS contains pk and encryptions of hidden random bits 01...0111001100: c1 = E_pk(0; r1), c2 = E_pk(1; r2), c3 = E_pk(0; r3), c4 = E_pk(1; r4), ...
- The prover opens selected ciphertexts by revealing the encrypted bit together with its randomness (e.g., with r2 and r4), so the verifier can recompute the ciphertext and check the opening

Slide 18

Statistical sampling
- Random bits are not useful on their own; use statistical sampling to get hidden bits with structure
- Give the proof by revealing certain structures related to different parts of the statement
- Probably the remaining pairs of encrypted bits are 00 and 11
(figure: pk and CRS 11000011)

Slide 19

NIZK proofs
- Statements: circuit SAT vs. practical statements
- Statistical sampling techniques: inefficient
- Groth-Ostrovsky-Sahai 2012 (2006), Groth 2006 (circuit SAT) and Groth-Sahai 2012 (2008) (practical statements): efficient
- Proof sizes: 1 GB vs. 1 KB
- Example statement: "Here is a ciphertext and a document. The ciphertext contains a digital signature on the document."

Slide 20

Boneh-Goh-Nissim encryption
- Pairing-based cryptography: algebraic geometry and elliptic curves
- Double-homomorphic public-key encryption: additively homomorphic

- Multiplicatively homomorphic (one-time only)
(figure: from encryptions of a and b one obtains encryptions of a + b and of ab)

Slide 21

Circuit SAT is NP complete
(figure: circuit of NAND gates)

Slide 22

NIZK proof for circuit SAT
(figure: circuit of NAND gates)

Slide 23

NIZK proof for circuit SAT
(figure: for a wire value w, encryptions of w and w − 1 and their product w(w − 1), compared against 0 using randomness r; NAND gates)

Slide 24

NIZK proof for circuit SAT
- Proof size: 2|W| + |C| ciphertexts

Slide 25

NIZK proofs for Circuit SAT
- Security level: 2^-k
- Trapdoor permutation size: k_T = poly(k)
- Group element size: k_G ≈ k^3
- Circuit size: |C| = poly(k)
- Witness size: |w| ≤ |C|

Scheme                     | CRS in bits            | Proof in bits          | Assumption
Groth-Ostrovsky-Sahai 12   | O(k_G)                 | O(|C| k_G)             | Pairing-based
Groth 10                   | |C| k_T polylog(k)     | |C| k_T polylog(k)     | Trapdoor perms
Groth 10                   | |C| polylog(k)         | |C| polylog(k)         | Naccache-Stern
Gentry et al. 14           | poly(k)                | |w| + poly(k)          | FHE + NIZK

Slide 26

Sublinear non-interactive zero-knowledge
- Commitments instead of encryption
- Parallel additive homomorphism
- Parallel multiplication proofs
- Complicated: split the circuit into many parts and prove in parallel

Slide 27

NIZK arguments for Circuit SAT

Scheme                                 | Reference string in group elements | Argument in group elements
Groth 2010                             | O(|C|^2)                           | O(1)
Lipmaa 2012                            | O(|C|^(1+o(1)))                    | O(1)
Gennaro, Gentry, Parno, Raykova 2013   | O(|C| log^2 |C|)                   | O(1)

- Bitansky, Canetti, Chiesa and Tromer 2013: techniques to make both CRS size and argument size independent of the circuit size

Slide 28

Verifiable computation
- Client is weak: wants small argument size and low cost of verification
- Prover is powerful: accept higher computation for the prover, but it must still be low enough for outsourcing to be economically viable
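The following is an added example, not from Groth's slides, for the circuit-SAT proofs of slides 21 to 24: it arithmetises a NAND circuit into constraints that are only one multiplication deep, which is exactly what a double-homomorphic encryption (free additions, one multiplication) can check on ciphertexts. Every wire value v must satisfy v·(v − 1) = 0 (the w(w − 1) check of slide 23), and every gate c = NAND(a, b) is captured by requiring a + b + 2c − 2 to be a bit; that linear NAND identity is the one from Groth, Ostrovsky and Sahai (2006) and is not written out on the slides. The circuit, the wire names and the witness values are constructed for the example; the verifier logic runs on plaintext values here, whereas in the NIZK the same checks run homomorphically with one proof element per constraint, giving slide 24's count of 2|W| + |C|.

```python
# Added example (not from the slides): GOS-style arithmetisation of a NAND circuit.
from itertools import product
from typing import Dict, List, Tuple

Gate = Tuple[str, str, str]  # (a, b, c): wire c = NAND(wire a, wire b)
Wires = Dict[str, int]       # wire name -> value


def evaluate(gates: List[Gate], inputs: Wires) -> Wires:
    """Honest prover: derive every wire value from the input assignment (gates in topological order)."""
    wires = dict(inputs)
    for a, b, c in gates:
        wires[c] = 1 - (wires[a] & wires[b])
    return wires


def bit_constraint(v: int) -> int:
    """One multiplication: evaluates to 0 iff v is 0 or 1 (slide 23's w(w - 1) check)."""
    return v * (v - 1)


def nand_constraint(a: int, b: int, c: int) -> int:
    """Additions only: for bit inputs, the result is itself a bit iff c = NAND(a, b)."""
    return a + b + 2 * c - 2


def nand_identity_holds() -> bool:
    """Exhaustively confirm the identity over all bit triples (a, b, c)."""
    for a, b, c in product((0, 1), repeat=3):
        is_nand = c == 1 - (a & b)
        if is_nand != (bit_constraint(nand_constraint(a, b, c)) == 0):
            return False
    return True


def check_witness(gates: List[Gate], wires: Wires, output: str) -> bool:
    """Verifier view: every wire is a bit, every gate relation holds, and the output wire is 1.
    Each check is one linear combination followed by a single multiplication, so it can be
    carried out on BGN-style ciphertexts via the additive and one-time multiplicative homomorphism."""
    if any(bit_constraint(v) != 0 for v in wires.values()):
        return False
    for a, b, c in gates:
        if any(name not in wires for name in (a, b, c)):
            return False
        if bit_constraint(nand_constraint(wires[a], wires[b], wires[c])) != 0:
            return False
    return wires.get(output) == 1


def proof_size_in_ciphertexts(gates: List[Gate], wires: Wires) -> int:
    """Slide 24's count: one ciphertext per wire, one bit-proof per wire, one proof per gate."""
    return 2 * len(wires) + len(gates)


# Constructed circuit: out = x1 AND x2, built from NAND gates only.
AND_CIRCUIT: List[Gate] = [("x1", "x2", "t"), ("t", "t", "out")]


def demo() -> Tuple[bool, bool, bool, int]:
    honest = evaluate(AND_CIRCUIT, {"x1": 1, "x2": 1})               # satisfying assignment
    wrong_gate = {"x1": 0, "x2": 1, "t": 0, "out": 1}                 # claims out = 1 by mis-evaluating t
    non_bit = {"x1": 2, "x2": 1, "t": 0, "out": 1}                    # smuggles a non-bit wire value
    return (
        check_witness(AND_CIRCUIT, honest, "out"),
        check_witness(AND_CIRCUIT, wrong_gate, "out"),
        check_witness(AND_CIRCUIT, non_bit, "out"),
        proof_size_in_ciphertexts(AND_CIRCUIT, honest),
    )


if __name__ == "__main__":
    print("NAND identity holds on all bit triples:", nand_identity_holds())
    print("(honest, wrong gate, non-bit, proof size):", demo())
```

The two rejected witnesses show why both constraint families are needed: without the bit check a prover could assign non-bit values that satisfy the linear gate relation, and without the gate check any bit assignment with output 1 would pass.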

Slide 29

Proof carrying data
(figure: computation → result, accompanied by a proof)

Slide 30

Pinocchio [PHGR13]
- Argument size: 288 bytes
- Verifier time: 12 ms (depends on statement)

Slide 31

- Program in C (reduced instruction set) → circuit → quadratic arithmetic program → proof system

Thank you. Questions?