Short Pairing-based
Non-interactive Zero-Knowledge Arguments
Jens Groth
University College London
Motivation

Voter: "Attaching encrypted vote to this e-mail."
Official: "We can only accept correctly formatted votes."

Non-interactive zero-knowledge proof

Voter: "Attaching encrypted vote to this e-mail + NIZK argument that it is correctly formatted."
Official: "Ok, we will count your vote."

Zero-knowledge (what the voter needs): the vote remains secret.
Soundness (what the official needs): the vote is correct.
Non-interactive zero-knowledge argument

Common reference string (available to both prover and verifier)
Statement: x ∈ L; the prover holds a witness w with (x, w) ∈ R_L
Proof: π, sent once from prover to verifier

Zero-knowledge (prover's guarantee): nothing but the truth of the statement is revealed
Soundness (verifier's guarantee): the statement is true
Applications of NIZK arguments
• Ring signatures
• Group signatures
• Anonymous credentials
• Verifiable encryption
• Voting
• ...
Our contribution
• Common reference string with special distribution
• Statement: C is a satisfiable circuit
• Very efficient verifier
• Sub-linear (constant) size NIZK argument
• Not Fiat-Shamir heuristic (no random oracle)
• Perfect completeness
• Computational soundness
• Perfect zero-knowledge

Adaptive soundness: the adversary sees the CRS before attempting to cheat with a false (C, π)
Pairings
• G, G_T groups of prime order p
• Bilinear map e: G × G → G_T
  – e(a^x, b^y) = e(a, b)^{xy}
  – e(g, g) generates G_T if g is non-trivial
• Group operations, deciding group membership and computing the bilinear map are efficiently computable
Assumptions
• Power knowledge of exponent assumption (q-PKE):
  Given (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^q}) it is hard to compute a pair (c, ĉ) with e(c, ĝ) = e(ĉ, g) without knowing a_0, …, a_q such that
  c = g^{a_0} (g^x)^{a_1} … (g^{x^q})^{a_q}
• Computational power Diffie-Hellman (q-CPDH):
  For all j it is hard to compute ĝ^{x^j} given
  (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^{j-1}}, ĝ^{x^{j+1}}, …, ĝ^{x^q})
  (the whole g-sequence, and the ĝ-sequence with exactly the j-th power missing)
• Both assumptions hold in the generic group model
Comparison

Scheme                     CRS size          Argument size     Prover comp.      Verifier comp.   Assumption                 Soundness / ZK
Kilian-Petrank             O(Nk) group       O(Nk) group       O(Nk) expo        O(Nk) mult       Trapdoor permutations      Stat. sound, comp. ZK
GOS                        O(1) group        O(N) group        O(N) expo         O(N) pairing     Subgroup decision          Perfect sound, comp. ZK
Abe-Fehr                   O(1) group        O(N) group        O(N) expo         O(N) pairing     Dlog & knowledge of expo.  Comp. sound, perfect ZK
This work (minimal)        O(N^2) group      O(1) group        O(N^2) mult       O(N) mult        q-PKE and q-CPDH           Comp. sound, perfect ZK
This work (balanced)       O(N^{2/3}) group  O(N^{2/3}) group  O(N^{4/3}) mult   O(N) mult        q-PKE and q-CPDH           Comp. sound, perfect ZK
Interactive + Fiat-Shamir  O(√N) group       O(√N) group       O(N) mult         O(N) mult        Dlog and random oracle     Comp. sound, perfect ZK

N is the circuit size, k the security parameter; "group" counts group elements, "expo" exponentiations, "mult" group multiplications, "pairing" pairing evaluations.
Knowledge commitments
• Commitment key: ck = (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^q})
• Commitment to (a_1, …, a_q) using randomness r ∈ Z_p:
  c = g^r (g^x)^{a_1} … (g^{x^q})^{a_q}
  ĉ = ĝ^r (ĝ^x)^{a_1} … (ĝ^{x^q})^{a_q}
• Verifying commitment: e(c, ĝ) = e(ĉ, g)
• Knowledge: the q-PKE assumption says it is impossible to create a valid (c, ĉ) without knowing r, a_1, …, a_q
Homomorphic property
• c = g^r (g^x)^{a_1} … (g^{x^q})^{a_q}, so log_g(c) = r + a_1 x + … + a_q x^q
• Homomorphic:
  commit(a_1, …, a_q; r) ∙ commit(b_1, …, b_q; s) = commit(a_1+b_1, …, a_q+b_q; r+s)
  because the exponents add:
  (r + Σ_i a_i x^i) + (s + Σ_i b_i x^i) = r + s + Σ_i (a_i + b_i) x^i
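The commitment, its pairing check and the homomorphic property, as an added worked example (not code from the paper). It models the group at the exponent level: every element g^z is stored as z mod P, so the bilinear map becomes multiplication of exponents and a multi-exponentiation becomes a linear combination. That reproduces the algebra on the slides exactly, but hides nothing, so it is a reading aid, not an instantiation; P, the variable names and the trapdoor handling are this example's own choices.

```python
"""Exponent-level model of the knowledge commitment on the slides.

Added example; not code from the paper. A real instantiation lives in a
pairing group where discrete logs are hidden. Here each group element g^z is
represented by its exponent z mod P, so e(g^s, g^t) = e(g,g)^{st} becomes
multiplication of exponents. The check e(c, ĝ) = e(ĉ, g) and the
homomorphic property come out exactly as on the slides, but nothing is
hidden, so this has no security.
"""
import secrets

P = 2**127 - 1  # constructed: a prime standing in for the group order p


def e(u, v):
    """Toy pairing on exponent-represented elements: e(g^u, g^v) = e(g,g)^{uv}."""
    return (u * v) % P


def keygen(q):
    """ck = (g, g^x, ..., g^{x^q}, ĝ, ĝ^x, ..., ĝ^{x^q}) with ĝ = g^α.

    Returns the public key and the trapdoor (x, α). An honest setup erases
    the trapdoor; whoever keeps it can break soundness.
    """
    x = secrets.randbelow(P - 2) + 2
    alpha = secrets.randbelow(P - 2) + 2
    g_pows = [pow(x, i, P) for i in range(q + 1)]   # exponents of g^{x^i}
    ghat_pows = [(alpha * t) % P for t in g_pows]   # exponents of ĝ^{x^i}
    return (g_pows, ghat_pows), (x, alpha)


def commit(ck, a, r):
    """c = g^r (g^x)^{a_1} ... (g^{x^q})^{a_q}, and ĉ the same over ĝ.

    Uses only the public key: the committer never learns x or α.
    """
    g_pows, ghat_pows = ck
    if len(a) != len(g_pows) - 1:
        raise ValueError("tuple length must equal q")
    coeffs = [r % P] + [ai % P for ai in a]
    c = sum(k * t for k, t in zip(coeffs, g_pows)) % P
    chat = sum(k * t for k, t in zip(coeffs, ghat_pows)) % P
    return c, chat


def verify(ck, c, chat):
    """Verifier's check from the slides: e(c, ĝ) == e(ĉ, g)."""
    g_pows, ghat_pows = ck
    return e(c, ghat_pows[0]) == e(chat, g_pows[0])


def add(com1, com2):
    """commit(a; r) * commit(b; s) = commit(a+b; r+s): group product is exponent addition here."""
    return ((com1[0] + com2[0]) % P, (com1[1] + com2[1]) % P)


def log_of_commitment(trapdoor, a, r):
    """With the trapdoor: log_g(c) = r + a_1 x + ... + a_q x^q."""
    x, _alpha = trapdoor
    return (r + sum(ai * pow(x, i + 1, P) for i, ai in enumerate(a))) % P


if __name__ == "__main__":
    ck, td = keygen(q=3)
    c, chat = commit(ck, [5, 7, 11], 13)
    print("valid pair verifies:", verify(ck, c, chat))
    print("tampered ĉ rejected:", not verify(ck, c, (chat + 1) % P))
    print("log_g(c) is the polynomial at x:", c == log_of_commitment(td, [5, 7, 11], 13))
    print("homomorphic:", add(commit(ck, [5, 7, 11], 13), commit(ck, [1, 2, 3], 4))
          == commit(ck, [6, 9, 14], 17))
```

The tampered pair is rejected because ĉ must equal c raised to the hidden α, which the check tests through the pairing without ever exposing α; in a real group this is exactly what q-PKE turns into "whoever produced a valid pair knows the coefficients".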
Tools
• Constant size knowledge commitments for tuples of elements (a_1, …, a_q) ∈ (Z_p)^q
• Homomorphic, so we can add committed tuples:
  com(a_1, …, a_q) ∙ com(b_1, …, b_q) = com(a_1+b_1, …, a_q+b_q)
• NIZK argument for multiplicative relationship (entry-wise products) between
  com(a_1, …, a_q), com(b_1, …, b_q) and com(a_1b_1, …, a_qb_q)
• NIZK argument for known permutation π between
  com(a_1, …, a_q) and com(a_{π(1)}, …, a_{π(q)})
Circuit with NAND-gates

[Figure: circuit of NAND gates; gate i has inputs a_i, b_i and output u_i, shown for gates 1 to 4 with wires labelled a_1..a_4, b_1..b_4, u_1..u_4]

• commit(a_1, …, a_N, b_1, …, b_N)
• commit(b_1, …, b_N, 0, …, 0)
• commit(u_1, …, u_N, 0, …, 0)
• NIZK argument for u_N = 1
• NIZK argument for everything else consistent
Consistency
• Need to show valid inputs a_1, …, a_N, b_1, …, b_N ∈ {0,1}
• NIZK argument for multiplicative relationship between
  commit(a_1, …, a_N, b_1, …, b_N), commit(a_1, …, a_N, b_1, …, b_N) and commit(a_1, …, a_N, b_1, …, b_N)
  shows a_1a_1 = a_1, …, a_Na_N = a_N, b_1b_1 = b_1, …, b_Nb_N = b_N
• Only possible if a_1 ∈ {0,1}, …, a_N ∈ {0,1}, b_1 ∈ {0,1}, …, b_N ∈ {0,1}
  (in Z_p the equation y² = y has exactly the two roots 0 and 1)
Consistency
• Homomorphic property gives
  commit(1, …, 1, 0, …, 0) / commit(u_1, …, u_N, 0, …, 0) = commit(1-u_1, …, 1-u_N, 0, …, 0)
• NIZK argument for multiplicative relationship between
  commit(a_1, …, a_N, b_1, …, b_N), commit(b_1, …, b_N, 0, …, 0) and commit(1-u_1, …, 1-u_N, 0, …, 0)
  shows 1-u_1 = a_1b_1, …, 1-u_N = a_Nb_N
• This proves all NAND-gates are respected:
  u_1 = ¬(a_1 ∧ b_1), …, u_N = ¬(a_N ∧ b_N)
Consistency
• Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever a_i and b_j correspond to the same wire, a_i = b_j
• We refer to the full paper for the details
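The relations the three commitments reduce the statement to, checked in the clear on a small circuit, as an added example (not code from the paper). It builds the vectors (a, b, u) from a NAND circuit, then tests Booleanity, the NAND relation 1 - u_i = a_i b_i, wire consistency and u_N = 1, and shows which check a cheating assignment trips. Wire consistency is phrased here as invariance of the concatenated vector under a permutation with one cycle per wire; that phrasing, the XOR circuit, the wire numbering and the modulus P are this example's own, and the paper's actual permutation arguments are not reproduced.

```python
"""Arithmetization of a NAND circuit into the relations proved on the slides.

Added example; not code from the paper. Gate i has left input a_i, right
input b_i and output u_i. Wires 0..n_in-1 are the circuit inputs; the
output of gate i is wire n_in + i. Values live in Z_p.
"""
P = 2**61 - 1   # constructed modulus standing in for the group order


def evaluate(gates, n_in, inputs):
    """Honest prover: evaluate the circuit and return the vectors (a, b, u)."""
    wire = {i: v for i, v in enumerate(inputs)}
    a, b, u = [], [], []
    for i, (left, right) in enumerate(gates):
        al, br = wire[left], wire[right]
        out = 1 - al * br            # NAND on {0,1}
        a.append(al)
        b.append(br)
        u.append(out)
        wire[n_in + i] = out
    return a, b, u


def wire_permutation(gates, n_in):
    """Permutation pi on positions of v = a||b||u cycling each wire's occurrences.

    v[pi[i]] == v[i] for every i iff every position driven by the same wire
    carries the same value (this example's formulation of wire consistency).
    """
    N = len(gates)
    occurrences = {}
    for i, (left, right) in enumerate(gates):
        occurrences.setdefault(left, []).append(i)               # a_i at position i
        occurrences.setdefault(right, []).append(N + i)          # b_i at position N+i
        occurrences.setdefault(n_in + i, []).append(2 * N + i)   # u_i at position 2N+i
    pi = list(range(3 * N))
    for positions in occurrences.values():
        for k, pos in enumerate(positions):
            pi[pos] = positions[(k + 1) % len(positions)]
    return pi


def check(gates, n_in, a, b, u):
    """Verifier-side view: which of the four relations hold for (a, b, u)."""
    N = len(gates)
    v = [x % P for x in list(a) + list(b) + list(u)]
    a, b, u = v[:N], v[N:2 * N], v[2 * N:]
    pi = wire_permutation(gates, n_in)
    return {
        "boolean": all((x * x - x) % P == 0 for x in a + b),            # a_i^2 = a_i, b_i^2 = b_i
        "nand": all((1 - u[i] - a[i] * b[i]) % P == 0 for i in range(N)),  # 1 - u_i = a_i b_i
        "wires": all(v[pi[i]] == v[i] for i in range(3 * N)),           # same wire, same value
        "output": u[N - 1] == 1,                                        # u_N = 1
    }


def satisfied(gates, n_in, a, b, u):
    return all(check(gates, n_in, a, b, u).values())


# Constructed circuit: XOR(x, y) from four NAND gates. Wires 0,1 are x,y;
# gate outputs are wires 2..5 and wire 5 (gate 4's output) is the circuit output.
XOR_GATES = [(0, 1), (0, 2), (1, 2), (3, 4)]

if __name__ == "__main__":
    for x, y in [(0, 0), (0, 1), (1, 0), (1, 1)]:
        print((x, y), "satisfies:", satisfied(XOR_GATES, 2, *evaluate(XOR_GATES, 2, [x, y])))
    # Cheating on a non-satisfying input: forcing u_N = 1 breaks the NAND relation,
    # and additionally lying about a_N to restore it breaks wire consistency.
    a, b, u = evaluate(XOR_GATES, 2, [1, 1])
    u[3] = 1
    print("forced output:", check(XOR_GATES, 2, a, b, u))
    a[3] = 0
    print("forced output + inconsistent wire:", check(XOR_GATES, 2, a, b, u))
```

The second cheat is why the permutation arguments are needed: with Booleanity and the per-gate NAND relation alone, a prover could assign each gate its own private copy of a wire and satisfy every gate in isolation.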
Conclusion
• NIZK argument of knowledge
  – perfect completeness
  – perfect zero-knowledge
  – computational soundness under q-PKE and q-CPDH
• Short and efficient to verify

                   CRS           Argument      Prover comp.       Verifier comp.
Minimal argument   O(N^2)        O(1)          O(N^2) mults       O(N) mults
Balanced sizes     O(N^{2/3})    O(N^{2/3})    O(N^{4/3}) mults   O(N) mults

In general: CRS O(N^{2(1-ε)}) and argument O(N^ε)
Thanks
Full paper available at
www.cs.ucl.ac.uk/staff/J.Groth