Efficient Non-Interactive Zero Knowledge Arguments for Set Operations
Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang
University of Tartu, University of Tartu, University of Athens
Motivation: Secure Computation
E(x1),…,E(xn)
E(f(x1,…,xn))
Ok if (x1,…,xn)S
Add NIZK proof
pk
Motivation: Secure Computation (2)
E(S)
E(f(S))
E(T)
E(g(T))
Ok if ST
Add NIZK proof
pk
Proofs for Set Operations
› Encrypted inputs satisfy certain set relations => security against malicious adversaries
› Or even multiset relations
– … ⊎ ¿
¿∪
Non-Interactive Zero-Knowledge Proofs
E(x1),…,E(xn)
Proof of Correctness
Complete, Sound, Zero-Knowledge
Proof can be constructed without knowing inputs
Contradiction?
pk
Common Reference String Model
E(x1),…,E(xn)
Proof of Correctness
pk, sk
crs
td
Our results
› NIZK proof for one particular multiset operation
– (PMSET)
› Applications to other (multi)set operations
› Non-interactive
– No random oracle
› Efficient
¿
CRS length    Proof length    Prover comp.    Verifier comp.
Θ(|S|)        Θ(1)            Θ(|S|)          Θ(1)
Cryptographic Building Block: Pairings
› Bilinear operation
– e(f1+f2,f3) = e(f1,f3) + e(f2,f3)
– e(f1,f2+f3) = e(f1,f2) + e(f1,f3)
› With Hardness Assumptions
– Given e(f1,f2), it is hard to compute f1
– …
› Much wow
Commitments
We use a concrete succinct commitment scheme from 2013
Multiset Commitment
Too costly!
Multiset Commitment
• S =>
• polynomial that has S as null-set
• Including multiplicities
• =>
• is secret key
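An added example (not from the slides or the authors' code) of the encoding on this slide: a multiset becomes the polynomial whose roots are its elements with multiplicities, evaluated at a secret point using only published powers of that point. It omits hiding randomness, groups and pairings; the modulus P, the function names and the checked relation A ⊎ B = C ⊎ D are assumptions chosen for illustration.

```python
from collections import Counter

P = 2**61 - 1  # constructed toy modulus (a Mersenne prime), not from the slides

def null_set_coeffs(multiset):
    """Coefficients (low degree first) of prod (X - s)^mult(s) mod P."""
    coeffs = [1]
    for s in Counter(multiset).elements():
        shifted = [0] + coeffs                         # X * f(X)
        scaled = [(-s * c) % P for c in coeffs] + [0]  # -s * f(X)
        coeffs = [(a + b) % P for a, b in zip(shifted, scaled)]
    return coeffs

def setup_powers(sigma, max_size):
    """Toy reference string sigma^0 .. sigma^max_size; its length grows with |S|.
    The powers are in the clear here, which a real scheme would not do."""
    return [pow(sigma, i, P) for i in range(max_size + 1)]

def evaluate(multiset, powers):
    """Evaluate the null-set polynomial at sigma using only the published powers."""
    coeffs = null_set_coeffs(multiset)
    if len(coeffs) > len(powers):
        raise ValueError("multiset larger than the reference string supports")
    return sum(c * p for c, p in zip(coeffs, powers)) % P

def sums_match(a, b, c, d, powers):
    """Check A ⊎ B = C ⊎ D: multiset sum corresponds to polynomial product,
    so four evaluations and two multiplications decide the relation."""
    lhs = evaluate(a, powers) * evaluate(b, powers) % P
    rhs = evaluate(c, powers) * evaluate(d, powers) % P
    return lhs == rhs

if __name__ == "__main__":
    import secrets
    crs = setup_powers(secrets.randbelow(P), max_size=4)
    print(sums_match([1, 2, 2], [3], [2, 3], [1, 2], crs))  # equal multiset sums
    print(sums_match([1, 2, 2], [3], [1, 2], [3, 3], crs))  # different multiset sums
```

If the evaluation point is known to whoever chooses the multisets, unequal sums that share it as a root pass the check, which is why the point has to stay secret.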
Main Idea
¿
¿iff
• Commitments are randomized
• Proof = a crib E that compensates for randomness
• Enables verification to be performed on commitments
Additional Obstacles
› Soundness:
– We use knowledge assumptions
    › Guarantee that prover knows committed values
– Common in succinct NIZK construction
– [Gentry Wichs 2011]: also necessary
› Zero Knowledge:
– Simulator needs to create proof for given commitments
    › Not created by simulator
– We let the prover create new random commitments for all sets
    › Add a NIZK proof of correctness
– Simulator creates fake commitments
    › Uses trapdoor to simulate
Applications
› Mostly use very simple set arithmetic
› Is-a-Sub(multi)set:
– iff exists C such that
› Is-a-Set:
– Multiset A is a set if for universal set U
– In many applications, U is small
› Set-Intersection-And-Union:
– and iff , , and A, B, and D are sets
› See paper for more…