This paper explores pairing-based NIZK arguments, their applications, and efficient verification methods. It introduces common reference strings with special distributions, and discusses adaptive soundness in pairings and various assumptions. The text delves into knowledge commitments, homomorphic properties, tool applications, and consistency proofs using NIZK arguments. The conclusion highlights the paper's key findings and its contribution to the field. For more details, refer to the full paper by Jens Groth from University College London.
Short Pairing-based Non-interactive Zero-Knowledge Arguments
Jens Groth, University College London
Motivation
Voter: Attaching encrypted vote to this e-mail
Official: We can only accept correctly formatted votes
Non-interactive zero-knowledge proof
Voter: Attaching encrypted vote to this e-mail + NIZK argument that it is correctly formatted
Official: Ok, we will count your vote
• Zero-knowledge: Vote remains secret
• Soundness: Vote is correct
Non-interactive zero-knowledge argument
[Diagram: Prover and Verifier share a common reference string; the Prover sends a proof for the statement x ∈ L, where (x,w) ∈ R_L]
• Zero-knowledge: Nothing but the truth is revealed
• Soundness: Statement is true
Applications of NIZK arguments
• Ring signatures
• Group signatures
• Anonymous credentials
• Verifiable encryption
• Voting
• ...
Our contribution
• Common reference string with special distribution
• Statement: C is a satisfiable circuit
• Very efficient verifier
• Sub-linear (constant) size NIZK argument
• Not the Fiat-Shamir heuristic (no random oracle)
• Perfect completeness
• Computational soundness
• Perfect zero-knowledge
Adaptive soundness: the adversary sees the CRS before attempting to cheat with a false statement C and an accompanying argument
Pairings
• G, G_T groups of prime order p
• Bilinear map e: G × G → G_T
• e(a^x, b^y) = e(a,b)^{xy}
• e(g,g) generates G_T if g is non-trivial
• Group operations, deciding group membership, and computing the bilinear map are efficiently computable
Assumptions
• Power knowledge of exponent assumption (q-PKE): Given (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^q}) it is hard to compute (c, ĉ) without knowing a_0,…,a_q such that c = g^{a_0} g^{a_1 x} … g^{a_q x^q}
• Computational power Diffie-Hellman (q-CPDH): For all j it is hard to compute ĝ^{x^j} given (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^{j-1}}, ĝ^{x^{j+1}}, …, ĝ^{x^q})
• Both assumptions hold in the generic group model
Knowledge commitments
• Commitment key: ck = (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^q})
• Commitment to (a_1,…,a_q) using randomness r ∈ Z_p: c = g^r (g^x)^{a_1} … (g^{x^q})^{a_q}, ĉ = ĝ^r (ĝ^x)^{a_1} … (ĝ^{x^q})^{a_q}
• Verifying a commitment: e(c, ĝ) = e(ĉ, g)
• Knowledge: the q-PKE assumption says it is impossible to create a valid (c, ĉ) without knowing r, a_1,…,a_q
Homomorphic property
• c = g^r (g^x)^{a_1} … (g^{x^q})^{a_q}, so log(c) = r + a_1 x + … + a_q x^q
• Homomorphic: commit(a_1,…,a_q; r) ∙ commit(b_1,…,b_q; s) = commit(a_1+b_1,…,a_q+b_q; r+s), since (r + Σ a_i x^i) + (s + Σ b_i x^i) = r + s + Σ (a_i+b_i) x^i
Tools
• Constant size knowledge commitments for tuples of elements (a_1,…,a_q) ∈ (Z_p)^q
• Homomorphic, so we can add committed tuples: com(a_1,…,a_q) ∙ com(b_1,…,b_q) = com(a_1+b_1,…,a_q+b_q)
• NIZK argument for a multiplicative relationship between com(a_1,…,a_q), com(b_1,…,b_q) and com(a_1 b_1,…,a_q b_q)
• NIZK argument for a known permutation σ between com(a_1,…,a_q) and com(a_σ(1),…,a_σ(q))
Circuit with NAND-gates
[Diagram: circuit of NAND gates with gate inputs a_i, b_i and gate outputs u_i]
• commit(a_1,…,a_N, b_1,…,b_N)
• commit(b_1,…,b_N, 0,…,0)
• commit(u_1,…,u_N, 0,…,0)
• NIZK argument for u_N = 1
• NIZK argument that everything else is consistent
Consistency
• Need to show valid inputs a_1,…,a_N, b_1,…,b_N ∈ {0,1}
• NIZK argument for the multiplicative relationship between commit(a_1,…,a_N,b_1,…,b_N), commit(a_1,…,a_N,b_1,…,b_N) and commit(a_1,…,a_N,b_1,…,b_N) shows a_1 a_1 = a_1, …, a_N a_N = a_N, b_1 b_1 = b_1, …, b_N b_N = b_N
• Only possible if a_1 ∈ {0,1}, …, a_N ∈ {0,1}, b_1 ∈ {0,1}, …, b_N ∈ {0,1}
Consistency
• The homomorphic property gives commit(1,…,1,0,…,0) / commit(u_1,…,u_N,0,…,0) = commit(1-u_1,…,1-u_N,0,…,0)
• NIZK argument for the multiplicative relationship between commit(a_1,…,a_N,b_1,…,b_N), commit(b_1,…,b_N,0,…,0) and commit(1-u_1,…,1-u_N,0,…,0) shows 1-u_1 = a_1 b_1, …, 1-u_N = a_N b_N
• This proves all NAND-gates are respected: u_1 = NAND(a_1,b_1), …, u_N = NAND(a_N,b_N)
Consistency
• Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever a_i and b_j correspond to the same wire, a_i = b_j
• We refer to the full paper for the details
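As an added illustration (not code from the paper or its author), the following Python toy models the knowledge commitments, their homomorphic property and the NAND-consistency relations of the preceding slides. Group elements are replaced by their discrete logarithms, so the pairing check is stood in for by the CRS trapdoor; the prime P, the trapdoors X and ALPHA, and all sample tuples are constructed values.

```python
# Toy model of the knowledge commitments and NAND-consistency relations above.
# Group elements are stored as discrete logarithms modulo a small prime P, so
# c = g^r (g^x)^a1 ... (g^{x^q})^aq is held as the exponent r + a1*x + ... + aq*x^q
# and ĉ (computed from ĝ = g^alpha) as alpha times that exponent. The verifier's
# pairing test e(c, ĝ) = e(ĉ, g) is therefore modelled with the trapdoor alpha.
P = 1_000_003            # constructed toy prime; a real instance uses a ~256-bit p
X, ALPHA = 12345, 6789   # constructed CRS trapdoors, unknown to prover and verifier

def commit(values, r):
    """Return (log c, log ĉ) for commit(a1,...,aq; r)."""
    log_c = (r + sum(a * pow(X, i + 1, P) for i, a in enumerate(values))) % P
    return (log_c, ALPHA * log_c % P)

def verify_commitment(com):
    """Trapdoor stand-in for the pairing check e(c, ĝ) = e(ĉ, g)."""
    log_c, log_c_hat = com
    return ALPHA * log_c % P == log_c_hat

def hom_mul(com1, com2):
    """commit(a; r) * commit(b; s) = commit(a+b; r+s): multiplying elements adds logs."""
    return ((com1[0] + com2[0]) % P, (com1[1] + com2[1]) % P)

def hom_div(com1, com2):
    """commit(a; r) / commit(b; s) = commit(a-b; r-s)."""
    return ((com1[0] - com2[0]) % P, (com1[1] - com2[1]) % P)

def one_minus_u(u, r):
    """commit(1,..,1,0,..,0) / commit(u1,..,uN,0,..,0) = commit(1-u1,..,1-uN,0,..,0)."""
    n = len(u)
    return hom_div(commit([1] * n + [0] * n, 0), commit(u + [0] * n, r))

def nand_circuit_consistent(a, b, u):
    """Relations the multiplicative-relationship arguments certify for N NAND gates:
    every input is a bit (v*v = v), each gate satisfies 1-u_i = a_i*b_i, and u_N = 1."""
    bits_ok = all(v * v % P == v for v in a + b)
    gates_ok = all((1 - ui) % P == ai * bi % P for ai, bi, ui in zip(a, b, u))
    return bits_ok and gates_ok and u[-1] == 1

if __name__ == "__main__":
    a, b = [1, 1, 0], [1, 0, 1]                  # constructed gate inputs
    u = [1 - ai * bi for ai, bi in zip(a, b)]    # honest NAND outputs: [0, 1, 1]
    print(verify_commitment(commit(a + b, 42)), nand_circuit_consistent(a, b, u))
```

The wire-consistency step (the permutation argument) is not modelled; in the real scheme the verifier never learns X or ALPHA and relies on the pairing equation instead.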
Conclusion
• NIZK argument of knowledge with perfect completeness, perfect zero-knowledge and computational soundness (under q-PKE and q-CPDH)
• Short and efficient to verify: CRS of size O(N^{2(1-ε)}) and argument of size O(N^ε)
Thanks
Full paper available at www.cs.ucl.ac.uk/staff/J.Groth