
Short Pairing-based Non-interactive Zero-Knowledge Arguments

Jens Groth, University College London

Presentation Transcript


  1. Short Pairing-based Non-interactive Zero-Knowledge Arguments. Jens Groth, University College London

  2. Motivation
   Voter: Attaching encrypted vote to this e-mail.
   Official: We can only accept correctly formatted votes.

  3. Non-interactive zero-knowledge proof
   Voter: Attaching encrypted vote to this e-mail + NIZK argument that it is correctly formatted.
   Official: Ok, we will count your vote.
   • Zero-knowledge: vote remains secret
   • Soundness: vote is correct

  4. Non-interactive zero-knowledge argument
   • Common reference string (shared by prover and verifier)
   • Statement: x ∈ L; prover holds witness w with (x,w) ∈ R_L
   • Proof: π, sent from prover to verifier
   • Zero-knowledge: nothing but the truth is revealed
   • Soundness: the statement is true

  5. Applications of NIZK arguments
   • Ring signatures
   • Group signatures
   • Anonymous credentials
   • Verifiable encryption
   • Voting
   • ...

  6. Our contribution
   • Common reference string with special distribution
   • Statement: C is a satisfiable circuit
   • Very efficient verifier
   • Sub-linear (constant) size NIZK argument
   • Not the Fiat-Shamir heuristic (no random oracle)
   • Perfect completeness
   • Computational soundness
   • Perfect zero-knowledge
   • Adaptive soundness: adversary sees the CRS before attempting to cheat with a false (C, π)

  7. Pairings
   • G, G_T groups of prime order p
   • Bilinear map e: G × G → G_T
   • e(a^x, b^y) = e(a,b)^{xy}
   • e(g,g) generates G_T if g is non-trivial
   • Group operations, deciding group membership and computing the bilinear map are efficiently computable

  8. Assumptions
   • Power knowledge of exponent assumption (q-PKE): given (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^q}) it is hard to compute a pair (c, ĉ) without knowing a_0, …, a_q such that c = g^{a_0} g^{a_1 x} … g^{a_q x^q}
   • Computational power Diffie-Hellman (q-CPDH): for all j it is hard to compute ĝ^{x^j} given (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^{j-1}}, ĝ^{x^{j+1}}, …, ĝ^{x^q})
   • Both assumptions hold in the generic group model

  9. Comparison

  10. Knowledge commitments
   • Commitment key: ck = (g, g^x, …, g^{x^q}, ĝ, ĝ^x, …, ĝ^{x^q})
   • Commitment to (a_1, …, a_q) using randomness r ∈ Z_p:
     c = g^r (g^x)^{a_1} … (g^{x^q})^{a_q}
     ĉ = ĝ^r (ĝ^x)^{a_1} … (ĝ^{x^q})^{a_q}
   • Verifying a commitment: e(c, ĝ) = e(ĉ, g)
   • Knowledge: the q-PKE assumption says it is impossible to create a valid (c, ĉ) without knowing r, a_1, …, a_q

  11. Homomorphic property
   • c = g^r (g^x)^{a_1} … (g^{x^q})^{a_q}, so log(c) = r + a_1 x + … + a_q x^q
   • Homomorphic: commit(a_1, …, a_q; r) ∙ commit(b_1, …, b_q; s) = commit(a_1+b_1, …, a_q+b_q; r+s)
     because (r + Σ a_i x^i) + (s + Σ b_i x^i) = r + s + Σ (a_i+b_i) x^i
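The algebra of slides 10 and 11, as an added toy example that is not part of the talk or Groth's paper: the commitment c = g^r ∏ (g^{x^i})^{a_i} is computed in a plain prime-order subgroup rather than a pairing group, so the second ĝ-tuple and the pairing check e(c, ĝ) = e(ĉ, g) are left out and only the log(c) identity and the homomorphic property are exercised. The group parameters (P = 2039 = 2·1019 + 1, subgroup order p = 1019, generator g = 4) and all vectors are constructed for the example.

```python
# Added toy illustration of the knowledge-commitment algebra of slides 10-11 in a plain
# prime-order subgroup (no pairing, so the ĝ-tuple and e(c,ĝ)=e(ĉ,g) are omitted).
# Constructed parameters: P = 2*p + 1 with p prime, g a generator of the order-p subgroup.
P = 2039
p = 1019
g = 4


def keygen(q, x):
    """ck = (g, g^x, ..., g^{x^q}); x is the trapdoor that must be discarded after setup."""
    return [pow(g, pow(x, i, p), P) for i in range(q + 1)]


def commit(ck, a, r):
    """c = g^r * (g^x)^{a_1} * ... * (g^{x^q})^{a_q}  (mod P); a = (a_1, ..., a_q)."""
    assert len(a) == len(ck) - 1, "vector length must match the key size q"
    c = pow(ck[0], r % p, P)
    for h, ai in zip(ck[1:], a):
        c = c * pow(h, ai % p, P) % P
    return c


def log_of_commit(x, a, r):
    """The discrete log the slide writes as log(c) = r + a_1 x + ... + a_q x^q (mod p)."""
    return (r + sum(ai * pow(x, i + 1, p) for i, ai in enumerate(a))) % p


def add_vectors(a, b):
    """Entrywise sum over Z_p, the opening of commit(a;r) * commit(b;s)."""
    return [(ai + bi) % p for ai, bi in zip(a, b)]


def homomorphism_holds(ck, a, r, b, s):
    """Checks commit(a; r) * commit(b; s) == commit(a+b; r+s) for the given openings."""
    lhs = commit(ck, a, r) * commit(ck, b, s) % P
    rhs = commit(ck, add_vectors(a, b), (r + s) % p)
    return lhs == rhs


if __name__ == "__main__":
    # constructed trapdoor and openings; in a real CRS x is unknown to everyone after setup
    ck = keygen(3, 123)
    c = commit(ck, [5, 6, 7], 11)
    print("log identity holds:", c == pow(g, log_of_commit(123, [5, 6, 7], 11), P))
    print("homomorphism holds:", homomorphism_holds(ck, [5, 6, 7], 11, [1, 2, 3], 9))
```

Reducing exponents modulo p is valid because g has order p; the same reduction is what makes the commitment a function of the vector over Z_p rather than over the integers.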

  12. Tools
   • Constant size knowledge commitments for tuples of elements (a_1, …, a_q) ∈ (Z_p)^q
   • Homomorphic, so we can add committed tuples: com(a_1, …, a_q) ∙ com(b_1, …, b_q) = com(a_1+b_1, …, a_q+b_q)
   • NIZK argument for multiplicative relationship: com(a_1, …, a_q), com(b_1, …, b_q), com(a_1 b_1, …, a_q b_q)
   • NIZK argument for known permutation σ: com(a_1, …, a_q), com(a_{σ(1)}, …, a_{σ(q)})

  13. Circuit with NAND-gates
   (figure: a NAND circuit whose gates have inputs a_1, b_1, …, a_4, b_4 and outputs u_1, …, u_4)
   • commit(a_1, …, a_N, b_1, …, b_N)
   • commit(b_1, …, b_N, 0, …, 0)
   • commit(u_1, …, u_N, 0, …, 0)
   • NIZK argument for u_N = 1
   • NIZK argument for everything else being consistent

  14. Consistency
   • Need to show valid inputs a_1, …, a_N, b_1, …, b_N ∈ {0,1}
   • NIZK argument for multiplicative relationship on commit(a_1, …, a_N, b_1, …, b_N), commit(a_1, …, a_N, b_1, …, b_N), commit(a_1, …, a_N, b_1, …, b_N) shows a_1·a_1 = a_1, …, a_N·a_N = a_N, b_1·b_1 = b_1, …, b_N·b_N = b_N
   • Only possible if a_1 ∈ {0,1}, …, a_N ∈ {0,1}, b_1 ∈ {0,1}, …, b_N ∈ {0,1}

  15. Consistency
   • Homomorphic property gives commit(1, …, 1, 0, …, 0) / commit(u_1, …, u_N, 0, …, 0) = commit(1-u_1, …, 1-u_N, 0, …, 0)
   • NIZK argument for multiplicative relationship on commit(a_1, …, a_N, b_1, …, b_N), commit(b_1, …, b_N, 0, …, 0), commit(1-u_1, …, 1-u_N, 0, …, 0) shows 1-u_1 = a_1 b_1, …, 1-u_N = a_N b_N
   • This proves all NAND-gates are respected: u_1 = ¬(a_1 ∧ b_1), …, u_N = ¬(a_N ∧ b_N)

  16. Consistency
   • Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever a_i and b_j correspond to the same wire, a_i = b_j
   • We refer to the full paper for the details

  17. Circuit with NAND-gates
   (figure: a NAND circuit whose gates have inputs a_1, b_1, …, a_4, b_4 and outputs u_1, …, u_4)
   • commit(a_1, …, a_N, b_1, …, b_N)
   • commit(b_1, …, b_N, 0, …, 0)
   • commit(u_1, …, u_N, 0, …, 0)
   • NIZK argument for u_N = 1
   • NIZK argument for everything else being consistent
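The relations that slides 13 to 16 ask the commitments to satisfy, checked in the clear over Z_p as an added example (not code from the talk or the paper): an honest prover lays a NAND circuit out as gate-input vectors a, b and gate-output vector u, and a verifier-side checker tests booleanity (slide 14), the NAND relation 1 - u_i = a_i b_i (slide 15), the output gate u_N = 1 (slide 13) and wire consistency (slide 16). Wire consistency is realised here as one fixed-point test v = v∘σ for a permutation σ that cycles every position carrying the same wire, which generalises the slide's a_i = b_j statement to gate outputs feeding later gates; that construction, the XOR-from-NAND circuit, the toy modulus p = 1019 and all function names are assumptions made for this example. Nothing is committed or proved in zero knowledge; the example only shows what a cheating prover's vectors would have to violate.

```python
# Added illustration: the arithmetization behind the NAND-circuit argument (slides 13-16),
# checked in the clear over Z_p. Constructed example, not the paper's own code.
p = 1019  # constructed toy prime; the real scheme works over the pairing group's prime order p

# Constructed example circuit: XOR of two input wires built from four NAND gates.
# Each gate is (left_wire, right_wire, out_wire); wires 0 and 1 are the circuit inputs and
# the last gate's output wire is the circuit output.
XOR_GATES = [(0, 1, 2), (0, 2, 3), (1, 2, 4), (3, 4, 5)]


def evaluate(gates, inputs):
    """Honest evaluation of the circuit: returns the value of every wire."""
    wires = dict(enumerate(inputs))
    for left, right, out in gates:
        wires[out] = 1 - (wires[left] & wires[right])  # NAND gate
    return wires


def prove_vectors(gates, inputs):
    """Honest prover's layout (slide 13): a_i, b_i are gate i's inputs, u_i is its output."""
    wires = evaluate(gates, inputs)
    a = [wires[left] for left, _, _ in gates]
    b = [wires[right] for _, right, _ in gates]
    u = [wires[out] for _, _, out in gates]
    return a, b, u


def wire_permutation(gates):
    """sigma over the positions of the concatenated vector (a | b | u): every position that
    carries the same wire lies on one cycle, so a wire-consistent vector is a fixed point of
    v -> v∘sigma. This is one way to use the permutation argument of slides 12 and 16."""
    n = len(gates)
    slots = {}
    for i, (left, right, out) in enumerate(gates):
        slots.setdefault(left, []).append(i)
        slots.setdefault(right, []).append(n + i)
        slots.setdefault(out, []).append(2 * n + i)
    sigma = list(range(3 * n))
    for positions in slots.values():
        for k, pos in enumerate(positions):
            sigma[pos] = positions[(k + 1) % len(positions)]
    return sigma


def verify_vectors(gates, a, b, u):
    """Returns the names of the relations (slides 13-16) that the claimed vectors violate."""
    failed = []
    # slide 14: entrywise a_i*a_i = a_i and b_i*b_i = b_i, i.e. every input is a bit
    if any((v * v - v) % p for v in a + b):
        failed.append("booleanity")
    # slide 15: 1 - u_i = a_i*b_i, i.e. u_i = NAND(a_i, b_i)
    if any((1 - ui - ai * bi) % p for ai, bi, ui in zip(a, b, u)):
        failed.append("nand")
    # slide 13: the output gate evaluates to 1 (the circuit is satisfied)
    if u[-1] % p != 1:
        failed.append("output")
    # slide 16: values that belong to the same wire agree
    v = a + b + u
    sigma = wire_permutation(gates)
    if any(v[i] != v[sigma[i]] for i in range(len(v))):
        failed.append("consistency")
    return failed


if __name__ == "__main__":
    honest = prove_vectors(XOR_GATES, [1, 0])          # XOR(1,0) = 1: satisfying assignment
    print("honest witness violates:", verify_vectors(XOR_GATES, *honest))
    a, b, u = prove_vectors(XOR_GATES, [1, 1])         # XOR(1,1) = 0: not satisfying
    u[-1] = 1                                          # cheat by forcing the output wire to 1
    print("forged output violates:", verify_vectors(XOR_GATES, a, b, u))
```

The checker reports every violated relation rather than stopping at the first one, which makes it easy to see that forging a single gate output breaks the NAND relation while leaving booleanity and the output check intact, exactly the cases the three sub-arguments on slides 14 to 16 are there to cover.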

  18. Conclusion
   • NIZK argument of knowledge
   • Perfect completeness
   • Perfect zero-knowledge
   • Computational soundness
   • Short and efficient to verify
   • Assumptions: q-PKE and q-CPDH
   • CRS O(N^{2(1-ε)}) and argument O(N^ε)

  19. Thanks Full paper available at www.cs.ucl.ac.uk/staff/J.Groth
