
Pairing-Based Non-interactive Proofs

Pairing-Based Non-interactive Proofs. Jens Groth, University College London. Joint work with Rafail Ostrovsky and Amit Sahai. Thanks also to Brent Waters.


Presentation Transcript


  1. Pairing-Based Non-interactive Proofs. Jens Groth, University College London. Joint work with Rafail Ostrovsky and Amit Sahai. Thanks also to Brent Waters.

  2. Motivation (cartoon). Bob: Did Alice honestly follow the protocol? Show me all your inputs! Alice: No! Why does Bob want to know my password, bank statement, etc.?

  3. History • Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985 • First the paper was rejected a couple of times • ...then they won the Gödel Prize for it

  4. Interactive proof (figure). The Prover sends a statement, the two parties exchange messages, and the Verifier concludes: OK, statement is true.

  5. Statements • Mathematical theorem: 2+2=4 • Identification: I am me! • Verification: I followed the protocol • Anything: x belongs to an NP-language L

  6. Interactive proof (figure). The Prover holds a witness w with (x,w) ∈ R_L and sends the statement x ∈ L; after the interaction the Verifier concludes: OK, x ∈ L.

  7. Zero-knowledge and witness indistinguishability (figure). The Prover holds a witness w with (x,w) ∈ R_L and proves the statement x ∈ L; the Verifier concludes: OK, x ∈ L. Zero-knowledge: the Verifier learns that the statement is true, but nothing else. Witness-indistinguishable: the Verifier does not learn which witness the Prover has in mind.

  8. Zero-knowledge proofs in multi-party computation (cartoon). Alice has input x, Bob has input y, and they compute a function f to obtain the output f(x,y). Bob: I don't trust you! Did you follow the protocol? Alice: Yes, I followed the protocol, but my input is secret! Alice sends a ZK proof. Bob: OK, she followed the protocol.

  9. History • Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985 • Many actions are non-interactive • Signature • Encryption • ...

  10. Non-interactive proofs (figure). The Prover holds a witness w with (x,w) ∈ R_L and sends the statement x ∈ L together with a single proof π; the Verifier checks it and concludes: OK, x ∈ L.

  11. Non-interactive zero-knowledge (NIZK) proofs • Completeness • Can prove a true statement • Soundness • Cannot prove false statement • Zero-knowledge • Proof reveals nothing (except truth of statement)

  12. NIZK proofs without a common reference string exist only for trivial languages (BPP). Sketch of proof: decision algorithm for x ∈ L: the verifier learns nothing from the proof, so a simulator can produce a proof for x without any witness; if x ∈ L, zero-knowledge and completeness imply the verifier accepts the simulated proof; if x ∉ L, soundness implies the verifier rejects it.

  13. History • Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985 • Many actions are non-interactive • Signature • Encryption • ... • Blum, Feldman and Micali introduced non-interactive zero-knowledge proofs in the common reference string model in 1988

  14. Common reference string 0110110101000101110100101 • Key generation algorithm K • Uniformly at random • Specific distribution • Trusted generation • Trusted party • Secure multi-party computation • Multi-string model where t-out-of-n are trusted

  15. NIZK and NIWI proofs (figure). CRS: 01101010101010101. The Prover holds a witness w with (x,w) ∈ R_L and sends the statement x ∈ L together with a proof π; the Verifier concludes: OK, x ∈ L. NIZK: the Verifier learns that the statement is true, but nothing else. NIWI: the Verifier does not learn which witness the Prover has in mind.

  16. Defining NIZK proofs • NP language L: x ∈ L if there is a witness w such that (x,w) ∈ R_L • A NIZK proof consists of three probabilistic polynomial time algorithms (K,P,V) • K(1^k): generates the common reference string σ • P(σ,x,w): generates a proof π • V(σ,x,π): verifies the proof (outputs 1 or 0)

  17. Completeness. Common reference string σ ← K(1^k). Statement x ∈ L with witness w such that (x,w) ∈ R_L. P(σ,x,w) → π. V(σ,x,π) → accept/reject. Perfect completeness: Pr[Accept] = 1.

  18. Soundness. Common reference string σ ← K(1^k). The adversary outputs a statement x ∉ L and a proof π. V(σ,x,π) → accept/reject. Perfect soundness: ∀ Adv: Pr[Reject] = 1. Computational soundness: ∀ poly-time Adv: Pr[Reject] ≈ 1.

  19. Witness indistinguishability. Common reference string σ ← K(1^k). The adversary chooses a statement x ∈ L and two witnesses w0, w1 with (x,w0), (x,w1) ∈ R_L. b ← {0,1}. P(σ,x,w_b) → π. The adversary outputs Guess ∈ {0,1}. Perfect witness-indistinguishability: ∀ Adv: Pr[Guess = b] = ½. Computational WI: ∀ poly-time Adv: Pr[Guess = b] ≈ ½.

  20. Zero-knowledge. Real: K(1^k) → σ; the adversary chooses (x,w) ∈ R_L; P(σ,x,w) → π; the adversary outputs 0/1. Simulation: S1(1^k) → (σ,τ); the adversary chooses (x,w) ∈ R_L; S2(σ,τ,x) → π; the adversary outputs 0/1. Perfect ZK: Pr[Adv → 1 | Real] = Pr[Adv → 1 | Simulation]. Computational ZK: ∀ poly-time Adv: Pr[Adv → 1 | Real] ≈ Pr[Adv → 1 | Simulation].

  21. Trade-off • Perfect soundness and perfect zero-knowledge only possible for trivial languages • Sketch of proof: • Perfect ZK implies the real common reference string and the simulated common reference string have the same probability distribution • To decide whether x ∈ L: simulate a common reference string, simulate a proof, run the verifier on the simulated proof • If x ∈ L: by perfect ZK and completeness the verifier accepts • If x ∉ L: by perfect soundness the verifier rejects • Choice: • Perfect soundness and computational zero-knowledge • Computational soundness and perfect zero-knowledge

  22. The world in 2005 • Much research in NIZK proofs • Blum-Feldman-Micali 88 • Damgård 92 • Feige-Lapidot-Shamir 99 • Kilian-Petrank 98 • De Santis-Di Crescenzo-Persiano 02 • Inefficient • Alternatives • Fiat-Shamir heuristic transforms interactive zero-knowledge proof into non-interactive scheme, however, there are examples of insecure Fiat-Shamir transformation • Designated verifier proofs such as Damgård, Fazio, Nicolosi 05, however, the verification is not public

  23. Applications • Public-key encryption • Mix-nets for anonymous broadcast • Internet voting • Group signatures • Ring signatures • Identification • Verifying outsourced computation • ...

  24. Practice (chart). Statement: Here is a ciphertext and a document. The ciphertext contains a digital signature on the document. The chart compares proof sizes on a scale from 1 GB down to 1 KB for Kilian-Petrank 98, Groth 06, Groth-Ostrovsky-Sahai 06 and Groth-Sahai 08.

  25. (table) Yes [Goldreich-Micali-Wigderson 1986] • Yes [Brassard-Crepeau 1986] • Yes [Blum-Feldman-Micali 1988] • Yes [G-Ostrovsky-Sahai 2006] • ?

  26. (table) 4 rounds • 2 rounds • ? • Impossible • Yes

  27. Goals • Efficient NIZK and NIWI proofs • Perfect zero-knowledge • Computational soundness • Eliminating the common reference string • NIWI proofs (non-interactive zaps) • New techniques from pairing based cryptography

  28. Groth-Ostrovsky-Sahai 06 • NIZK proof for Circuit SAT • Perfect completeness, perfect soundness, computational zero-knowledge • Common reference string size: O(k) bits • Proof size: O(|C|k) bits

  29. Composite order bilinear group • Gen(1^k) generates (p,q,G,G_T,e,g) • G, G_T finite cyclic groups of order n = pq • G has generator g • Pairing e: G × G → G_T • e(g,g) generates G_T • e(g^a,g^b) = e(g,g)^{ab} • Deciding group membership, group operations, and the bilinear pairing are efficiently computable

  30. Elliptic curves

  31. Becoming familiar with the pairing • Pairing e: G × G → G_T • g generates G and has order n = pq • e(g,g) generates G_T • e(g^a,g^b) = e(g,g)^{ab} implies e(u,v) = e(v,u) and e(u^x,v) = e(u,v)^x = e(u,v^x) • Questions with answers: • e(u^x,v^y) e(u^z,w) = e(u, v^{xy} w^z) • e(u,v^x) e(v^y,u) = e(u, v^{x+y}) • e(u^{-x},v) e(u,v)^{-1} e(u^{-1},v^y)^z = e(u, v^{-1-x-yz}) • If u^q = 1 then e(u,v)^q = e(u^q,v) = e(1,v) = e(g^0,v) = e(g,v)^0 = 1 • If e(g,v) = e(h,u) then h = g^x and v = u^x (if ord(h) = n)

  32. Subgroup decision problem • Given h ∈ G decide whether h has order q or order n • Subgroup decision assumption: ∀ poly-time Adv: Pr[(p,q,G,G_T,e,g) ← Gen(1^k); h ← G^*: Adv(n,G,G_T,e,g,h) = 1] ≈ Pr[(p,q,G,G_T,e,g) ← Gen(1^k); h ← G_q^*: Adv(n,G,G_T,e,g,h) = 1]

  33. BGN encryption [Boneh-Goh-Nissim 05] Public key: g, h ∈ G with h of order q. Secret key: p, q with n = pq. Encryption: c = g^a h^r with r ← Z_n. Decryption: c^q = (g^a h^r)^q = g^{qa} h^{qr} = (g^q)^a, and a is then recovered as the discrete logarithm of c^q base g^q; this is only efficient when the message space is small (polynomial size), which is the setting BGN is designed for. IND-CPA secure: without the secret key, the ciphertext does not reveal poly-time computable information about the plaintext. Sketch of proof: by the subgroup decision assumption the public key looks the same as if h had order n. But if h had order n, the ciphertext would contain no information about the plaintext a.

  34. BGN commitment Public key: g, h ∈ G with h of order q. Commitment: g^a h^r with r ← Z_n. Perfectly binding: unique a mod p. Computationally hiding: indistinguishable from h of order n. Addition: (g^a h^r)(g^b h^s) = g^{a+b} h^{r+s}. Multiplication: e(g^a h^r, g^b h^s) = e(g^a,g^b) e(h^r,g^b) e(g^a,h^s) e(h^r,h^s) = e(g,g)^{ab} e(h, g^{as+rb} h^{rs})

  35. NIZK proof for Circuit SAT (figure). A circuit of NAND gates with input wires w1, w2, w3, an internal wire w4 and output 1. Circuit SAT is NP complete.

  36. NIZK proof for Circuit SAT (figure). Commit to the wires: c1 := g^{w1} h^{r1}, c2 := g^{w2} h^{r2}, c3 := g^{w3} h^{r3}, c4 := g^{w4} h^{r4}; the output wire is committed as g^1. Prove w1 ∈ {0,1}, w2 ∈ {0,1}, w3 ∈ {0,1}, w4 ∈ {0,1}. Prove w4 = ¬(w1 ∧ w2) and 1 = ¬(w4 ∧ w3).

  37. Proof for c containing 0 or 1. Write c = g^w h^r (unique w mod p since h has order q). e(c, g^{-1}c) = e(g^w h^r, g^{w-1} h^r) = e(g^w,g^{w-1}) e(h^r,g^{w-1}) e(g^w,h^r) e(h^r,h^r) = e(g,g)^{w(w-1)} e(h, (g^{2w-1} h^r)^r). Proof π := (g^{2w-1} h^r)^r. Verifier checks: e(c, g^{-1}c) = e(h,π) → e(g,g)^{w(w-1)} e(h, (g^{2w-1} h^r)^r) = e(h,π) → e(g,g)^{w(w-1)} is a value e(h,·), which has order dividing q since h has order q, so p divides w(w-1) → w = 0 or w = 1 (mod p)

  38. Observation b2 = ¬(b0 ∧ b1) if and only if b0 + b1 + 2b2 - 2 ∈ {0,1}

  39. Proof for NAND-gate. Given c0, c1, c2 containing bits b0, b1, b2 we wish to prove b2 = ¬(b0 ∧ b1). b2 = ¬(b0 ∧ b1) if b0 + b1 + 2b2 - 2 ∈ {0,1}. c0 c1 c2^2 g^{-2} = (g^{b0} h^{r0})(g^{b1} h^{r1})(g^{b2} h^{r2})^2 g^{-2} = g^{b0+b1+2b2-2} h^{r0+r1+2r2}. Prove that c0 c1 c2^2 g^{-2} contains 0 or 1.

  40. NIZK proof for Circuit SAT (figure). CRS = (n,G,G_T,e,g,h), CRS size 3k, proof size (2|W|+|C|)k. Commitments c1 := g^{w1} h^{r1}, c2 := g^{w2} h^{r2}, c3 := g^{w3} h^{r3}, c4 := g^{w4} h^{r4}, output wire g^1. Prove w1 ∈ {0,1}, w2 ∈ {0,1}, w3 ∈ {0,1}, w4 ∈ {0,1}. Prove w4 = ¬(w1 ∧ w2) and 1 = ¬(w4 ∧ w3).

  41. Zero-knowledge. Subgroup decision assumption: it is hard to distinguish a random h of order q from a random h of order n. Simulated common reference string: h of order n, chosen so that g = h^τ with τ ← Z_n^*. The simulation trapdoor is τ. Commitments are now perfectly hiding trapdoor commitments: g^0 h^r = g^1 h^{r-τ}.

  42. Simulation (figure). Commit every wire to 1: c1 := g^1 h^{r1}, c2 := g^1 h^{r2}, c3 := g^1 h^{r3}, c4 := g^1 h^{r4}, output wire g^1. Simulate the proofs for w1 ∈ {0,1}, w2 ∈ {0,1}, w3 ∈ {0,1}, w4 ∈ {0,1} and for w4 = ¬(w1 ∧ w2), 1 = ¬(w4 ∧ w3).

  43. Witness-indistinguishable 0/1-proof. Write c = g^1 h^r (possible since we committed this way). e(c, g^{-1}c) = e(g^1 h^r, g^0 h^r) = e(h, (g^1 h^r)^r). Proof π := (g^1 h^r)^r. Verifier checks: e(c, g^{-1}c) = e(h,π). Perfectly witness-indistinguishable when h has order n, since there is a unique π satisfying the equation, no matter whether c contains 0 or 1.

  44. Witness-indistinguishability. Write c = g^0 h^{r+τ} (possible since we know the trapdoor τ). e(c, g^{-1}c) = e(g^0 h^{r+τ}, g^{-1} h^{r+τ}) = e(h, (g^{-1} h^{r+τ})^{r+τ}). Proof π := (g^{-1} h^{r+τ})^{r+τ} = (g^{-1} h^τ)^{r+τ} (h^{r+τ})^r = (g^1 h^r)^r. Verifier checks: e(c, g^{-1}c) = e(h,π). Perfectly witness-indistinguishable since both the witness (1,r) and the witness (0,r+τ) lead to exactly the same proof π.

  45. Witness-indistinguishable NAND-proof. Given c0, c1, c2 we wish to simulate a proof for b2 = ¬(b0 ∧ b1) (the simulator committed to b0 = b1 = b2 = 1). b2 = ¬(b0 ∧ b1) if b0 + b1 + 2b2 - 2 ∈ {0,1}. c0 c1 c2^2 g^{-2} = (g^1 h^{r0})(g^1 h^{r1})(g^1 h^{r2})^2 g^{-2} = g^2 h^{r0+r1+2r2} = g^1 h^{τ+r0+r1+2r2}. Proof for c0 c1 c2^2 g^{-2} containing 0 or 1, treating it as a commitment to 1 with randomness τ + r0 + r1 + 2r2.

  46. Zero-knowledge. Sketch of proof: Pr[Adv → 1 | Real proof] ≈ Pr[Adv → 1 | Real proof on h with order n] = Pr[Adv → 1 | Hybrid proof where h has order n, commitments to 1 are trapdoor-opened to the witness and then real proofs are given] = Pr[Adv → 1 | Hybrid proof where h has order n, commitments to 1 and trapdoor opening when making the 0/1-proofs] = Pr[Adv → 1 | Simulated proof]

  47. Composable zero-knowledge • Real common reference string computationally indistinguishable from simulated common reference string • Real proof on simulated common reference string perfectly indistinguishable from simulated proof on simulated common reference string

  48. NIZK proof for Circuit SAT • Commit to all wires w_i as c_i := g^{w_i} h^{r_i} • For each i prove c_i contains 0 or 1 • For each NAND-gate prove c0 c1 c2^2 g^{-2} contains 0 or 1 • Total size: 2|W|+|C| group elements • Perfect completeness, perfect soundness, composable zero-knowledge • Also, perfect proof of knowledge: c^q = (g^w h^r)^q = (g^{wq})(h^{rq}) = (g^q)^w (h^q)^r = (g^q)^w

  49. (table) Yes [Goldreich-Micali-Wigderson 1986] • Yes [Brassard-Crepeau 1986] • Yes [Blum-Feldman-Micali 1988] • Yes (as we shall see now) • ?

  50. Perfect zero-knowledge • Instead of h with order q, use h with order n • Easy to verify that we have perfect completeness • As argued earlier we have perfect zero-knowledge • What about soundness?
