Transcript Slide 1
Efficient Zero-Knowledge Proof Systems
Jens Groth
University College London
FOSAD 2014
Round complexity
• Interactive zero-knowledge proof
• Non-interactive zero-knowledge proof
Useful for noninteractive tasks
• Signatures
• Encryption
• …
2
Non-interactive proofs
Witness w
(x,w) RL
L language in NP defined by RL
Statement: xL
OK, xL
Proof
Prover
Verifier
3
Non-interactive zero-knowledge (NIZK) proofs
• Completeness
– Can prove a true statement
• Soundness
– Cannot prove false statement
• Zero-knowledge
– Proof reveals nothing (except truth of statement)
4
Zero-knowledge = Simulation
Witness w
(x,w) RL
Statement: xL
Problem
If proofs can be
simulated, then
anybody can
create convincing
proofs! Prover
Verifier
5
Non-interactive zero-knowledge proof [BFM88]
Common reference string
0100…11010
(x,w)RL
Statement: xL
Proof:
Prover
Verifier
6
Common reference string (CRS)
0110110101000101110100101
• Can be uniform random or specific distribution
– Key generation algorithm K for generating CRS
• Trusted generation
– Trusted party
– Secure multi-party computation
– Multi-string model with majority of strings honest [GO07]
7
Zero-knowledge simulation
Simulation trapdoor
Common reference string
0100…11010
(x,w)RL
Statement: xL
Prover
S
K
S(,x)
Verifier
8
Publicly verifiable NIZK proofs
• NP language L
– Statement xL if there is witness w so that (x,w)RL
• An NIZK proof system for RL consists of three
probabilistic polynomial time algorithms (K,P,V)
– K(1k): Generates common reference string σ
– P(σ,x,w): Generates a proof
– V(σ,x,): Outputs 1 (accept) or 0 (reject)
9
Public vs. private verification
• Publicly verifiable
Anybody can check
the proof
– K generates CRS
– V checks proof given input (,x,)
• Privately verifiable
Designated verifier
with can check proof
– K generates CRS and private verification key
– V checks proof given input (,x,)
10
Public vs. private verifiability
Public verifiability
• Sometimes required
– Signatures
– Universally verifiable voting
• Reusability
– Proof can be copied and
sent to somebody else
– Prover only needs to run
once to create proof that
convinces everybody
• Hard to construct
Private verifiability
• Sometimes suffices
– CCA-secure public-key
encryption, e.g., CramerShoup encryption
• Cannot be transferred
– For designated verifier only
• Easier to construct
11
Completeness
Common reference string σ
K(1k)
Statement xL
Witness w
so (x,w)R
P(σ,x,w) →
V(σ,x,) →
Accept/reject
Perfect completeness: Pr[Accept] = 1
12
Soundness
Common reference string σ
K(1k)
Statement xL
Adaptive soundness:
The adversary first sees
CRS and then cheats
V(σ,x,) →
Accept/reject
Perfect soundness: Adv: Pr[Reject] = 1
Statistical soundness: Adv: Pr[Reject] 1
Computational soundness: poly-time Adv: Pr[Reject] 1
13
Zero-knowledge
K(1k) → σ
(x,w) RL
P(σ,x,w) →
S1(1k) →
σ
(x,w) RL
S2(σ,,x) →
0/1
0/1
Perfect ZK:
Pr[Adv →1|Real ] = Pr[Adv→1|Simulation]
Computational ZK:
poly-time Adv: Pr[Adv →1|Real ] Pr[Adv→1|Simulation]
Fiat-Shamir heuristic [FS86]
• Take an interactive ZK argument where verifier’s
messages are random bits (public coin argument)
• Let the CRS describe a hash-function H
• Replace the verifier’s messages with hash-values
from the current transcript
a
z
• NIZK argument = (a,z)
a
z
H(x,a)
15
Fiat-Shamir heuristic
• Efficient NIZK arguments that work well in practice
• Hopefully they are secure
– Can argue heuristically that they are computationally
sound in the random oracle model [BR93], where we
pretend H is a truly random function
– But in real life H is a deterministic function and there are
instantiations of the Fiat-Shamir heuristic [GK03] that
yields insecure real-life schemes
16
Encrypted random bits
Statement xL
(x,w)RL
CRS
E01...0
c1 1)
pk(0;r
E11…1
1pkc(1;r
; 2r2 2)
E00…1
(0;r
pkc
33 3)
K(1k) (pk,sk)
E10…0
0pkc(1;r
; 4r4 4)
pk
17
Statistical sampling
• Random bits not useful
• Use statistical sampling to get
hidden bits with structure
Probably
remaining pairs of
encrypted bits are
00 and 11
CRS
1
1
1
0
0
0
• Give proof by
0
1
revealing certain
structures related to different parts of statement
18
NIZK proofs
Statement: Here is a ciphertext and a document. The ciphertext
contains a digital signature on the document.
Circuit SAT
1 GB
Inefficient
Efficient
Practical
statements
Statistical sampling
techniques
Groth 2006
Groth-OstrovskySahai 2012 (2006)
Groth-Sahai
2012 (2008)
1 KB
19
Boneh-Goh-Nissim encryption
• Pairing-based cryptography
– Algebraic geometry and elliptic curves
• Double-homomorphic public key encryption
• Additively homomorphic
b
a+b
a
• Multiplicatively homomorphic (one-time only)
a
b
a∙b
20
Circuit SAT
1
NAND
Circuit SAT is NP
complete
𝑤4
NAND
𝑤1
𝑤2
𝑤3
21
NIZK proof for circuit SAT
1
Prove 𝑤1 ∈ {0,1}
Prove 𝑤2 ∈ {0,1}
Prove 𝑤3 ∈ {0,1}
NAND
Prove 𝑤4 ∈ {0,1}
𝑤4
Prove
𝑤4 = ¬(𝑤1 𝑤2 )
NAND
𝑤1
𝑤2
𝑤3
Prove
1 = ¬(𝑤3 𝑤4 )
22
NIZK proof for 𝒘 ∈ {𝟎, 𝟏}
• Additive homomorphism
w
-1
w-1
• Multiplicative homomorphism
w
w-1
w∙(w-1)
0
w∙(w-1)
• Proof = r
r
• Shows 𝑤 𝑤 − 1 = 0 , so 𝑤 = 0 or 𝑤 = 1
23
NIZK proof for circuit SAT
1
Proof size
2|W|+|C|
ciphertexts
Prove 𝑤1 ∈ {0,1}
Prove 𝑤2 ∈ {0,1}
𝜋NAND2
Prove 𝑤3 ∈ {0,1}
NAND
𝜋4
Prove 𝑤4 ∈ {0,1}
𝑤4
𝜋NAND1
Prove
𝑤4 = ¬(𝑤1 𝑤2 )
NAND
𝜋1
𝑤1
𝜋2
𝑤2
𝜋3
𝑤3
Prove
1 = ¬(𝑤3 𝑤4 )
24
NIZK proofs for Circuit SAT
• Security level: 2-k
• Trapdoor perm size: kT = poly(k)
• Group element size: kG ≈ k3
CRS in bits
G-Ostrovsky-Sahai 12 O(kG)
• Circuit size: |C| = poly(k)
• Witness size: |w| |C|
Proof in bits
Assumption
O(|C|∙kG)
Pairing-based
Groth 10
|C|∙kT∙polylog(k)
|C|∙kT∙polylog(k)
Trapdoor perms
Groth 10
|C|∙polylog(k)
|C|∙polylog(k)
Naccache-Stern
Gentry et al. 14
poly(k)
|w|+poly(k)
FHE + NIZK
25
Sublinear non-interactive zero-knowledge
• Commitments instead of encryption
𝑎1 , 𝑎2 , … , 𝑎𝑛
• Parallel additive homomorphism
𝑎1 , … , 𝑎𝑛
𝑏1 , … , 𝑏𝑛
𝑎1 + 𝑏1 , … , 𝑎𝑛 + 𝑏𝑛
• Parallel multiplication proofs
– Complicated…
• Split circuit into many parts and prove in parallel
26
NIZK Arguments for Circuit SAT
Reference string
in group elements
Argument in
group elements
Groth 2010
O(|C|2)
O(1)
Lipmaa 2012
O(|C|1+o(1))
O(1)
Gennaro, Gentry, Parno, Raykova 2013
O(|C| log2|C|)
O(1)
• Bitansky, Canetti, Chiesa and Tromer 2013
– Techniques to make both CRS size and argument size
independent of circuit size
27
Verifiable computation
Computation
Result , 𝜋
• Client is weak
– Want small argument size and low cost of verification
• Prover is powerful
– Accept higher computation for prover, but must still be
low enough for outsourcing to be economically viable
28
Proof carrying data
Program 1
Outputs 𝑧1
𝜋1
Program 2
Outputs 𝑧2
𝜋2
Program 3
Outputs 𝑧3
𝜋3
29
Pinnochio [PHGR13]
Program in C
(reduced instruction set)
• Argument size
– 288 bytes
• Verifier time
Circuit
– 12ms
(depends on
statement)
Quadratic arithmetic
program
Proof system
30
Thank you
• Questions?
31