Short Pairing-based Non-interactive Zero-Knowledge Arguments

Jens Groth, University College London


Transcript of Short Pairing-based Non-interactive Zero-Knowledge Arguments

Page 1: Short Pairing-based Non-interactive Zero-Knowledge Arguments

Jens Groth, University College London

Page 2: Motivation

Voter: Attaching encrypted vote to this e-mail

Official: We can only accept correctly formatted votes

Page 3: Non-interactive zero-knowledge proof

Voter: Attaching encrypted vote to this e-mail + NIZK argument that it is correctly formatted

Official: Ok, we will count your vote

Soundness: Vote is correct

Zero-knowledge: Vote remains secret

Page 4: Non-interactive zero-knowledge argument

Common reference string (shared by prover and verifier)

Prover, holding (x, w) ∈ R_L, sends Proof to Verifier

Statement: x ∈ L

Soundness: Statement is true

Zero-knowledge: Nothing but truth revealed

Page 5: Applications of NIZK arguments

• Ring signatures
• Group signatures
• Anonymous credentials
• Verifiable encryption
• Voting
• ...

Page 6: Our contribution

• Common reference string with special distribution
• Statement: C is a satisfiable circuit
• Very efficient verifier
• Sub-linear (constant) size NIZK argument
• Not Fiat-Shamir heuristic (no random oracle)

• Perfect completeness
• Computational soundness
• Perfect zero-knowledge

Adaptive soundness: Adversary sees CRS before attempting to cheat with a false (C,)

Page 7: Pairings

• G, G_T groups of prime order p

• Bilinear map e: G × G → G_T

  – e(a^x, b^y) = e(a, b)^{xy}

  – e(g, g) generates G_T if g is non-trivial

• Group operations, deciding group membership and computing the bilinear map are efficiently computable

Page 8: Assumptions

• Power knowledge of exponent assumption (q-PKE): Given (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^q}) it is hard to compute (c, ĉ) without knowing a_0, …, a_q such that

  c = g^{a_0} g^{a_1 x} … g^{a_q x^q}

• Computational power Diffie-Hellman (q-CPDH): For all j it is hard to compute ĝ^{x^j} given

  (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^{j-1}}, ĝ^{x^{j+1}}, …, ĝ^{x^q})

• Both assumptions hold in the generic group model

Page 9: Comparison

| Scheme | CRS size | Argument size | Prover comp. | Verifier comp. | Assumption | Soundness / ZK |
|---|---|---|---|---|---|---|
| Kilian-Petrank | Θ(Nk) group | Θ(Nk) group | Θ(Nk) expo | Θ(Nk) mult | Trapdoor permutations | Stat. sound, Comp. ZK |
| GOS | O(1) group | O(N) group | O(N) expo | O(N) pairing | Subgroup decision | Perfect sound, Comp. ZK |
| Abe-Fehr | O(1) group | O(N) group | O(N) expo | O(N) pairing | Dlog & knowledge of expo. | Comp. sound, Perfect ZK |
| This work | O(N²) group | O(1) group | O(N²) mult | O(N) mult | q-PKE and q-CPDH | Comp. sound, Perfect ZK |
| This work | O(N^{2/3}) group | O(N^{2/3}) group | O(N^{4/3}) mult | O(N) mult | q-PKE and q-CPDH | Comp. sound, Perfect ZK |
| Interactive + Fiat-Shamir | O(√N) group | O(√N) group | O(N) mult | O(N) mult | Dlog and random oracle | Comp. sound, Perfect ZK |

Page 10: Knowledge commitments

• Commitment key: ck = (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^q})

• Commitment to (a_1, …, a_q) using randomness r ∈ Z_p:

  c = g^r (g^x)^{a_1} … (g^{x^q})^{a_q}    ĉ = ĝ^r (ĝ^x)^{a_1} … (ĝ^{x^q})^{a_q}

• Verifying commitment: e(c, ĝ) = e(ĉ, g)

• Knowledge: the q-PKE assumption says it is impossible to create a valid (c, ĉ) without knowing r, a_1, …, a_q

Page 11: Homomorphic property

• c = g^r (g^x)^{a_1} … (g^{x^q})^{a_q}

  log(c) = r + a_1 x + … + a_q x^q

• Homomorphic:

  commit(a_1, …, a_q; r) · commit(b_1, …, b_q; s) = commit(a_1 + b_1, …, a_q + b_q; r + s)

  (r + Σ a_i x^i) + (s + Σ b_i x^i) = r + s + Σ (a_i + b_i) x^i
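As an added example (not code from the slides or the paper), the knowledge commitment of page 10 and the homomorphic property of page 11 instantiated in a constructed toy group, the order-101 subgroup of Z_607^*. That group has no bilinear map, so the pairing check e(c, ĝ) = e(ĉ, g) is replaced by the equivalent trapdoor check ĉ = c^α; the parameters and the function names keygen, commit, valid_pair, log_commit and homomorphic are my own assumptions.

```python
# Added example, not from the slides: the knowledge commitment of pages 10-11 in
# a constructed toy group, the order-p subgroup of Z_P^* with P = 607, p = 101.
# Such a group has no bilinear map, so the verifier's pairing check
# e(c, ĝ) = e(ĉ, g) is replaced by the trapdoor check ĉ = c^alpha that it is
# equivalent to; a real setup would discard x and alpha after publishing ck.
import random

P, p = 607, 101                   # both prime and p divides P - 1 = 6 * 101
g = pow(2, (P - 1) // p, P)       # generator of the order-p subgroup (= 64)

def keygen(q, seed=1):
    """ck = (g, g^x, ..., g^{x^q}, ĝ, ĝ^x, ..., ĝ^{x^q}) with ĝ = g^alpha."""
    rng = random.Random(seed)                  # fixed seed: reproducible toy example
    x, alpha = rng.randrange(1, p), rng.randrange(1, p)
    g_hat = pow(g, alpha, P)
    g_pows = [pow(g, pow(x, i, p), P) for i in range(q + 1)]
    ghat_pows = [pow(g_hat, pow(x, i, p), P) for i in range(q + 1)]
    return (g_pows, ghat_pows), (x, alpha)

def commit(ck, a, r):
    """c = g^r (g^x)^{a_1} ... (g^{x^q})^{a_q} and ĉ likewise over the ĝ part."""
    g_pows, ghat_pows = ck
    assert len(a) == len(g_pows) - 1, "tuple length must equal q"
    exps = [r] + list(a)                       # r sits on g = g^{x^0}
    c, c_hat = 1, 1
    for base, base_hat, e in zip(g_pows, ghat_pows, exps):
        c = c * pow(base, e % p, P) % P
        c_hat = c_hat * pow(base_hat, e % p, P) % P
    return c, c_hat

def valid_pair(alpha, c, c_hat):
    """Trapdoor stand-in for e(c, ĝ) = e(ĉ, g): holds iff ĉ = c^alpha."""
    return pow(c, alpha, P) == c_hat

def log_commit(x, a, r):
    """Page 11: log_g(c) = r + a_1 x + ... + a_q x^q (mod p)."""
    return (r + sum(a_i * pow(x, i + 1, p) for i, a_i in enumerate(a))) % p

def homomorphic(ck, a, r, b, s):
    """Page 11: commit(a; r) * commit(b; s) == commit(a + b; r + s), entrywise."""
    c1, c2 = commit(ck, a, r), commit(ck, b, s)
    product = (c1[0] * c2[0] % P, c1[1] * c2[1] % P)
    summed = commit(ck, [(u + v) % p for u, v in zip(a, b)], (r + s) % p)
    return product == summed
```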

Page 12: Tools

• Constant size knowledge commitments for tuples of elements (a_1, …, a_q) ∈ (Z_p)^q

• Homomorphic, so we can add committed tuples: com(a_1, …, a_q) · com(b_1, …, b_q) = com(a_1 + b_1, …, a_q + b_q)

• NIZK argument for multiplicative relationship: com(a_1, …, a_q), com(b_1, …, b_q), com(a_1 b_1, …, a_q b_q)

• NIZK argument for known permutation π: com(a_1, …, a_q), com(a_{π(1)}, …, a_{π(q)})

Page 13: Circuit with NAND-gates

• commit(a_1, …, a_N, b_1, …, b_N)

• commit(b_1, …, b_N, 0, …, 0)

• commit(u_1, …, u_N, 0, …, 0)

• NIZK argument for u_N = 1

• NIZK argument for everything else consistent

[Figure: circuit of NAND-gates with left inputs a_1, …, a_4, right inputs b_1, …, b_4 and outputs u_1, …, u_4]

Page 14: Consistency

• Need to show valid inputs a_1, …, a_N, b_1, …, b_N ∈ {0,1}

• NIZK argument for multiplicative relationship on

  commit(a_1, …, a_N, b_1, …, b_N), commit(a_1, …, a_N, b_1, …, b_N), commit(a_1, …, a_N, b_1, …, b_N)

  shows a_1 a_1 = a_1, …, a_N a_N = a_N, b_1 b_1 = b_1, …, b_N b_N = b_N

• Only possible if a_1 ∈ {0,1}, …, a_N ∈ {0,1}, b_1 ∈ {0,1}, …, b_N ∈ {0,1}

Page 15: Consistency

• Homomorphic property gives commit(1, …, 1, 0, …, 0) / commit(u_1, …, u_N, 0, …, 0) = commit(1 - u_1, …, 1 - u_N, 0, …, 0)

• NIZK argument for multiplicative relationship on

  commit(a_1, …, a_N, b_1, …, b_N), commit(b_1, …, b_N, 0, …, 0), commit(1 - u_1, …, 1 - u_N, 0, …, 0)

  shows 1 - u_1 = a_1 b_1, …, 1 - u_N = a_N b_N

• This proves all NAND-gates are respected: u_1 = ¬(a_1 ∧ b_1), …, u_N = ¬(a_N ∧ b_N)

Page 16: Consistency

• Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever a_i and b_j correspond to the same wire, a_i = b_j

• We refer to the full paper for the details
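The circuit encoding of pages 13 to 16 as an added example (not from the slides or the paper): the vectors (a‖b), (b‖0) and (u‖0), the bit check, the NAND check via the homomorphically derived 1 - u, the output check u_N = 1 and the wire-consistency permutation, all evaluated in the clear over a toy Z_p so one can see exactly what the committed arguments assert. The two-gate circuit, p = 101 and the function names are my assumptions.

```python
# Added example, not from the slides: the NAND-circuit encoding of pages 13-16
# evaluated in the clear over Z_p. The protocol commits to the vectors
# (a_1..a_N,b_1..b_N), (b_1..b_N,0..0), (u_1..u_N,0..0) and proves the relations
# below with the multiplicative and permutation arguments; computing them openly
# shows what a satisfying assignment must fulfil. p = 101 is a toy field size.
p = 101

def nand_wires(gates, assignment):
    """gates: list of (left, right, out) wire names of NAND gates; assignment:
    wire -> value. Returns per-gate vectors a, b, u (the last gate is the output)."""
    a = [assignment[l] % p for l, _, _ in gates]
    b = [assignment[r] % p for _, r, _ in gates]
    u = [assignment[o] % p for _, _, o in gates]
    return a, b, u

def wire_permutation(gates):
    """Permutation pi over the positions of w = a||b||u that cycles through all
    positions carrying the same wire; w is wire-consistent iff w = w o pi."""
    labels = [l for l, _, _ in gates] + [r for _, r, _ in gates] + [o for _, _, o in gates]
    positions = {}
    for i, name in enumerate(labels):
        positions.setdefault(name, []).append(i)
    pi = list(range(len(labels)))
    for ps in positions.values():
        for k, i in enumerate(ps):
            pi[i] = ps[(k + 1) % len(ps)]
    return pi

def check_circuit(gates, a, b, u):
    """Return (all_ok, details) for the four relations the NIZK arguments assert."""
    N = len(gates)
    ab, b0, u0 = a + b, b + [0] * N, u + [0] * N
    one_minus_u = [(1 - v) % p for v in u] + [0] * N   # commit(1..1,0..0)/commit(u,0..0)
    w = a + b + u
    pi = wire_permutation(gates)
    details = {
        "inputs_are_bits": all((v * v - v) % p == 0 for v in ab),        # ab o ab = ab
        "gates_respected": all((x * y - z) % p == 0                    # ab o b0 = 1 - u
                               for x, y, z in zip(ab, b0, one_minus_u)),
        "output_is_one": u[-1] == 1,                                   # u_N = 1
        "wires_consistent": all(w[i] == w[pi[i]] for i in range(len(w))),
    }
    return all(details.values()), details

# Constructed circuit: z = x AND y from two NAND gates, t = NAND(x, y), z = NAND(t, t)
AND_GATES = [("x", "y", "t"), ("t", "t", "z")]
```

A tampered vector such as a = (1, 1), b = (1, 0), u = (0, 1) passes the bit, gate and output checks but fails the permutation check, which is why the wire-consistency argument of page 16 is needed.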

Page 17: Circuit with NAND-gates

• commit(a_1, …, a_N, b_1, …, b_N)

• commit(b_1, …, b_N, 0, …, 0)

• commit(u_1, …, u_N, 0, …, 0)

• NIZK argument for u_N = 1

• NIZK argument for everything else consistent

[Figure: circuit of NAND-gates with left inputs a_1, …, a_4, right inputs b_1, …, b_4 and outputs u_1, …, u_4]

Page 18: Conclusion

• NIZK argument of knowledge
  – perfect completeness
  – perfect zero-knowledge
  – computational soundness

• Short and efficient to verify

| | CRS | Argument | Prover comp. | Verifier comp. |
|---|---|---|---|---|
| Minimal argument | O(N²) | O(1) | O(N²) mults | O(N) mults |
| Balanced sizes | O(N^{2/3}) | O(N^{2/3}) | O(N^{4/3}) mults | O(N) mults |

• CRS O(N^{2(1-ε)}) and argument O(N^ε)

• Assumptions: q-PKE and q-CPDH

Page 19: Thanks

Full paper available at www.cs.ucl.ac.uk/staff/J.Groth