
New Techniques for NIZK
Jens Groth
Rafail Ostrovsky
Amit Sahai
University of California Los Angeles
Motivation
"I'm a woman."
"Prove it!"
"OK, I will make a zero-knowledge proof."
Circuit C =
”I’m a woman”
Proof π
Completeness
Common reference string
$K(1^k)$
Circuit C
Witness w
so C(w)=1
Proof π
Prover
Verifier
Perfect completeness: Pr[Accept] = 1
Accept
Soundness
Common reference string
$K(1^k)$
Unsatisfiable C
Proof π
Adversary
Reject
Verifier
Perfect soundness: Pr[Reject] = 1
Zero-knowledge
$S_1(1^k)$
$sk$
$S_2(\mathrm{crs}, sk, C)$
Simulator
”Common reference string”
Circuit C
Witness w
0/1
Proof π
Adversary
Computational zero-knowledge:
$\Pr[A \to 1 \mid \text{simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{real proofs } (K, P)]$
NIZK proof for Circuit SAT
[Figure: circuit with input wires w1, w2, w3, internal wire w4, two NAND gates and output 1]
Circuit SAT is NP-complete
Homomorphic proof commitment
Two types of indistinguishable public keys:
• Perfect trapdoor: $(pk, tk) \leftarrow K_{\mathrm{hiding}}(1^k)$
• Perfect binding: $pk \leftarrow K_{\mathrm{binding}}(1^k)$
Homomorphic
Message space size at least 4 (3 also ok)
Witness indistinguishable proof that commitment contains 0 or 1
• Perfect soundness on perfect binding key
• Perfect WI on perfect trapdoor key
Bilinear group of order n
$G, G_T$ cyclic groups of order $n = pq$
$g$ generator for $G$
bilinear map $e: G \times G \to G_T$
$e(u^a, v^b) = e(u, v)^{ab}$
$e(g, g)$ generates $G_T$
Decision subgroup problem
ord(h) = q or ord(h) = n ?
BGN-based commitment
Perfect binding key: $\mathrm{ord}(g) = n$, $\mathrm{ord}(h) = q$
Perfect hiding key: $\mathrm{ord}(g) = \mathrm{ord}(h) = n$ and $g = h^x$
Commitment: $\mathrm{Com}(m; r) = g^m h^r$ where $r \in \mathbb{Z}_n$
Homomorphic: $g^{m+M} h^{r+R} = g^m h^r \cdot g^M h^R$
WI proof for commit to 0 or 1
Wish to prove $c$ commitment to 0 or 1
Write $c = g^m h^r$ ($m \bmod p$ unique if $h$ order $q$)
$e(c, g^{-1}c) = e(g^m h^r, g^{m-1} h^r)$
$= e(g, g)^{m(m-1)}\, e(h^r, g^{2m-1} h^r)$
$= e(h, (g^{2m-1} h^r)^r) = e(h, \pi)$
Proof is: $\pi = (g^{2m-1} h^r)^r$
Soundness when $h$ has order $q$:
$e(g, g)^{m(m-1)}\, e(h^r, g^{2m-1} h^r) = e(h, \pi)$ so $m = 0, 1 \bmod p$
Witness indistinguishability when $h$ has order $n$:
Unique $\pi$ so $e(c, g^{-1}c) = e(h, \pi)$
NIZK proof for Circuit SAT
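[Figure: the circuit annotated with commitments and WI proofs]
Commitments: $c_1 = \mathrm{com}(w_1)$, $c_2 = \mathrm{com}(w_2)$, $c_3 = \mathrm{com}(w_3)$, $c_4 = \mathrm{com}(w_4)$, output com(1)
WI proof for each of $c_1, c_2, c_3, c_4$: commit to 0 or 1
WI proof for NAND: $w_4 = \neg(w_1 \wedge w_2)$
WI proof for NAND: $1 = \neg(w_4 \wedge w_3)$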
WI proof for NAND-gate
Given $c_0, c_1, c_2$ commitments containing bits $b_0, b_1, b_2$ wish to prove $b_2 = \neg(b_0 \wedge b_1)$
$b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$
WI proof: $c_0 c_1 c_2^2\, \mathrm{com}(-2)$ commitment to 0 or 1
NIZK proof for Circuit SAT
• Commit to all wires $w_i$ as $c_i = \mathrm{com}(w_i)$
• For each $i$ make WI proof that $c_i$ contains 0 or 1
• For each NAND-gate make WI proof that $c_0 c_1 c_2^2\, \mathrm{com}(-2)$ contains 0 or 1
Perfect completeness
Perfect binding key - perfect soundness
Perfect trapdoor key - perfect zero-knowledge
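An added example, not from the original slides: the three steps above run on the deck's two-NAND circuit in a toy model where a group element g^a is stored as its exponent a mod n, so the pairing becomes multiplication mod n. The toy primes, wire index 0 for the constant output, and all function names are assumptions of this example; the model exposes discrete logs and is insecure, but the checked equations are the ones on the slides.

```python
import random

# Toy model (assumption of this example, NOT secure): g^a in G is stored as the
# exponent a mod n, so e(g^a, g^b) = e(g,g)^(ab) is multiplication mod n.
P, Q = 11, 13                     # constructed toy primes
N = P * Q
GATES = [(1, 2, 4), (4, 3, 0)]    # (in, in, out); wire 0 is the constant output 1

def keygen(binding):
    """log_g(h): a multiple of p (ord(h) = q) if binding, else a unit mod n."""
    if binding:
        return P * random.randrange(1, Q)
    return random.choice([x for x in range(1, N) if x % P and x % Q])

def com(h, m, r):                 # Com(m; r) = g^m h^r
    return (m + r * h) % N

def prove01(h, m, r):             # pi = (g^(2m-1) h^r)^r
    return r * (2 * m - 1 + r * h) % N

def verify01(h, c, pi):           # e(c, g^-1 c) == e(h, pi)
    return c * (c - 1) % N == h * pi % N

def prove(h, w):
    """w: {wire: value} for wires 1..4. Returns commitments and WI proofs."""
    r = {i: random.randrange(N) for i in w}
    w, r = {**w, 0: 1}, {**r, 0: 0}           # output wire is com(1; 0)
    c = {i: com(h, w[i], r[i]) for i in (1, 2, 3, 4)}
    wire_pf = {i: prove01(h, w[i], r[i]) for i in c}
    gate_pf = [prove01(h, w[a] + w[b] + 2 * w[o] - 2, r[a] + r[b] + 2 * r[o])
               for a, b, o in GATES]
    return c, wire_pf, gate_pf

def verify(h, proof):
    c, wire_pf, gate_pf = proof
    c = {**c, 0: com(h, 1, 0)}    # verifier fixes the output commitment itself
    ok = all(verify01(h, c[i], wire_pf[i]) for i in (1, 2, 3, 4))
    for (a, b, o), pi in zip(GATES, gate_pf):
        gate_c = (c[a] + c[b] + 2 * c[o] + com(h, -2, 0)) % N  # c0 c1 c2^2 com(-2)
        ok = ok and verify01(h, gate_c, pi)
    return ok

def proof_exists(h, c):
    """Brute force: is there any pi at all that verifies for commitment c?"""
    return any(verify01(h, c, pi) for pi in range(N))
```

On a binding key `proof_exists` is false for a commitment to 2 (perfect soundness), while on a hiding key some π exists for every commitment, which is what the simulator's trapdoor exploits.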
Perfect NIZK on perfect trapdoor key
Simulation:
Make trapdoor commitments
Trapdoor-open relevant commitments to 0 and WI prove
Proof that simulation works on $C$ with $w$ so $C(w)=1$:
Can trapdoor-open commitments to $w_i$'s and WI prove
By perfect witness-indistinguishability of the WI proofs indistinguishable from simulation
Can from the start make commitments to $w_i$'s
By perfect hiding of the commitments indistinguishable from previous method
Corresponds to real proof on trapdoor key
First result
Use $K_{\mathrm{binding}}$ to generate pk
NIZK proof with
perfect completeness
perfect soundness
computational ZK
CRS size: O(k) bits
Proof size: O(|C|k) bits
Compare with: $O(|C|k^2)$ proofs [KP]
Second result
Use $K_{\mathrm{hiding}}$ to generate pk
NIZK argument with
perfect completeness
computational co-soundness
perfect zero-knowledge
CRS size: O(k) bits
Proof size: O(|C|k) bits
Compare with: None
Adaptive co-soundness
common reference string
$K_{\mathrm{hiding}}$
$C, w_{co}$
Proof π
$w_{co}$ witness for $C$ unsatisfiable
Computational co-soundness: Pr[Reject] ≈ 1
Reject
Third result
Protocol:
Non-interactive
Statistical ZK
UC NIZK proof secure against
adaptive adversary
Compare with:
Interactive UC ZK proofs [DN, CLOS]
UC NIZK proofs secure against nonadaptive adversary [DDOPS]
Non-interactive zaps for Circuit SAT
• No common reference string
• Perfect completeness: $(C, w)$ so $C(w)=1$, $\pi \leftarrow P(1^k, C, w) : V(1^k, C, \pi) = 1$
• Perfect soundness: $(C, \pi)$ with $C$ unsatisfiable, $V(1^k, C, \pi) = 0$
• Computational witness-indistinguishability: $(C, w_0, w_1)$ so $C(w_0)=1$ and $C(w_1)=1$, $P(1^k, C, w_0) \approx P(1^k, C, w_1)$
Non-interactive zaps
Naïve idea:
Prover chooses public key and makes NIZK proof
Problem: Can choose trapdoor key and prove anything
Better idea:
Prover chooses two public keys and makes an NIZK
proof with each of them
Makes choice so:
One is trapdoor, one is perfect binding
Verifiable that at least one key is perfect binding
Verifier cannot tell which key is trapdoor
Witness-indistinguishability
Circuit $C$ and two witnesses $w_0, w_1$
• Generate $pk_0$ perfect trapdoor and $pk_1$ perfect binding
• NIZK proof using $w_0$ on $pk_0$
  NIZK proof using $w_0$ on $pk_1$
• Simulate proof on trapdoor $pk_0$
  NIZK proof using $w_0$ on $pk_1$
• NIZK proof using $w_1$ on $pk_0$
  NIZK proof using $w_0$ on $pk_1$
• Switch to $pk_0$ perfect binding and $pk_1$ perfect trapdoor
• NIZK proof using $w_1$ on $pk_0$
  Simulate proof on trapdoor $pk_1$
• NIZK proof using $w_1$ on $pk_0$
  NIZK proof using $w_1$ on $pk_1$
• Switch back to $pk_0$ perfect trapdoor and $pk_1$ perfect binding
Fourth result
Use verifiable pairs of public keys
At least one of two keys is perfect binding
The other is trapdoor
Indistinguishable which one is trapdoor
Non-interactive ZAP
Proof size O(|C|k) bits
Compare with:
2-move zaps [DN]
Non-interactive zaps [BOV]
huge proofs, non-standard assumption
Bilinear groups
$G, G_T$ cyclic groups of prime order $p$
$g$ generator for $G$
bilinear map $e: G \times G \to G_T$
$e(g^a, g^b) = e(g, g)^{ab}$
$e(g, g)$ generator for $G_T$
Decisional linear problem [BBS]
$f, h, g, u = f^R, v = h^S, w = g^T$
$T = R+S$ or $T$ random?
Commitment scheme
Public key
$f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^T$
$pk = (p, G, G_T, e, g, f, h, u, v, w)$
Commitment to $m \in \mathbb{Z}_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s})$
Perfect hiding trapdoor if $T = R+S$
$= (f^{mR+r}, h^{mS+s}, g^{m(R+S)+r+s})$
Commitment scheme
Commitment to $m \in \mathbb{Z}_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s}) = (c_1, c_2, c_3)$
Perfect binding if $T \neq R+S$
because $c_3 c_1^{-1/x} c_2^{-1/y} = (w u^{-1/x} v^{-1/y})^m = g^{(T-(R+S))m}$
uniquely defines $m$
Commitment scheme
Commitment to $m \in \mathbb{Z}_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s})$
Homomorphic
$(u^m f^r, v^m h^s, w^m g^{r+s}) \cdot (u^M f^R, v^M h^S, w^M g^{R+S})$
$= (u^{m+M} f^{r+R}, v^{m+M} h^{s+S}, w^{m+M} g^{r+R+s+S})$
Witness indistinguishable proof of commitment to message 0 or 1
- Perfect sound on perfect binding key
- Perfect WI on perfect trapdoor key
Choosing two keys
Elliptic curve $E: y^2 = x^3 + 1 \bmod q$, where $q$ is the smallest suitable prime so $E$ has an order $p$ subgroup. Easy to verify $p$ is prime, $p$ defines $(G, G_T, e)$, easy to verify that $g$ is an order $p$ point on the curve.
Choose $x, y \leftarrow \mathbb{Z}_p^*$, $R, S \leftarrow \mathbb{Z}_p$ and set
$f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^{R+S}$
Output two public keys
$(p, G, G_T, e, g, f, h, u, v, w)$
$(p, G, G_T, e, g, f, h, u, v, wg)$
At least one must be perfectly binding, but by the decisional linear assumption it is hard to tell which one
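An added example, not from the original slides: the key pair (w, wg) and the three-element commitment in a toy model that stores each element of G as its exponent of g mod p. The toy prime, the returned trapdoor tuple and all function names are assumptions of this example; the model is insecure and only illustrates why exactly one key of a valid pair extracts m while the other can be equivocated.

```python
import random

# Toy model (assumption of this example, NOT secure): an element g^a of the
# prime-order group G is stored as the exponent a mod p, so g itself is 1.
P = 1009                                   # constructed toy group order

def two_keys():
    """pk = (f, h, u, v, w) with w = g^(R+S), and the same key with w*g."""
    x, y = random.randrange(1, P), random.randrange(1, P)
    R, S = random.randrange(P), random.randrange(P)
    f, h, u, v, w = x, y, x * R % P, y * S % P, (R + S) % P
    # the trapdoor (x, y, R, S) is returned only so the demo can use it
    return (f, h, u, v, w), (f, h, u, v, (w + 1) % P), (x, y, R, S)

def commit(pk, m, r, s):
    """c = (u^m f^r, v^m h^s, w^m g^(r+s)); uses public key material only."""
    f, h, u, v, w = pk
    return ((u * m + f * r) % P, (v * m + h * s) % P, (w * m + r + s) % P)

def mul(c, d):
    """Product of two commitments (componentwise; exponents add)."""
    return tuple((a + b) % P for a, b in zip(c, d))

def valid_pair(pk0, pk1):
    """Verifier's check: same f, h, u, v and w1 = w0 * g."""
    return pk0[:4] == pk1[:4] and pk1[4] == (pk0[4] + 1) % P

def extract(pk, td, c):
    """c3 c1^(-1/x) c2^(-1/y) = g^((T-(R+S))m); None if T = R+S (hiding key)."""
    x, y, R, S = td
    t = (pk[4] - R - S) % P
    if t == 0:
        return None
    d = (c[2] - c[0] * pow(x, -1, P) - c[1] * pow(y, -1, P)) % P
    return d * pow(t, -1, P) % P

def equivocate(td, m, r, s, m2):
    """On the trapdoor key: randomness that opens Com(m; r, s) as m2."""
    _, _, R, S = td
    return (r + (m - m2) * R) % P, (s + (m - m2) * S) % P
```

Since w and wg cannot both equal g^(R+S), `valid_pair` guarantees that at least one key is perfectly binding without revealing which.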