Short Pairing-based Non-interactive Zero-Knowledge Arguments

Jens Groth

University College London

Motivation

Voter: Attaching encrypted vote to this e-mail

Official: We can only accept correctly formatted votes

Non-interactive zero-knowledge proof

Voter: Attaching encrypted vote to this e-mail + NIZK argument that it is correctly formatted

Official: Ok, we will count your vote

Soundness: Vote is correct

Zero-knowledge: Vote remains secret

Non-interactive zero-knowledge argument

Prover, Verifier

Soundness: Statement is true

Zero-knowledge: Nothing but truth revealed

Common reference string

Proof: π

Witness: (x,w) ∈ R_L

Statement: x ∈ L

Applications of NIZK arguments

• Ring signatures
• Group signatures
• Anonymous credentials
• Verifiable encryption
• Voting
• ...

Our contribution

• Common reference string with special distribution
• Statement: C is a satisfiable circuit
• Very efficient verifier
• Sub-linear (constant) size NIZK argument
• Not the Fiat-Shamir heuristic (no random oracle)

• Perfect completeness
• Computational soundness
• Perfect zero-knowledge

Adaptive soundness: Adversary sees the CRS before attempting to cheat with a false (C, π)

Pairings

• G, G_T groups of prime order p

• Bilinear map e: G × G → G_T

– e(a^x, b^y) = e(a,b)^(xy)

– e(g,g) generates GT if g is non-trivial

• Group operations, deciding group membership, computing bilinear map are efficiently computable

Assumptions

• Power knowledge of exponent assumption (q-PKE): Given (g, g^x, …, g^(x^q), ĝ, ĝ^x, …, ĝ^(x^q)) it is hard to compute (c, ĉ) without knowing a_0, …, a_q such that

c = g^(a_0) g^(a_1 x) … g^(a_q x^q)

• Computational power Diffie-Hellman (q-CPDH): For all j it is hard to compute ĝ^(x^j) given

(g, g^x, …, g^(x^q), ĝ, ĝ^x, …, ĝ^(x^(j-1)), ĝ^(x^(j+1)), …, ĝ^(x^q))

• Both assumptions hold in generic group model

Comparison

Scheme                    | CRS              | Argument size    | Prover comp.     | Verifier comp. | Assumption                | Soundness / ZK
Kilian-Petrank            | Θ(Nk) group      | Θ(Nk) group      | Θ(Nk) expo       | Θ(Nk) mult     | Trapdoor permutations     | Stat. sound, Comp. ZK
GOS                       | O(1) group       | O(N) group       | O(N) expo        | O(N) pairing   | Subgroup decision         | Perfect sound, Comp. ZK
Abe-Fehr                  | O(1) group       | O(N) group       | O(N) expo        | O(N) pairing   | Dlog & knowledge of expo. | Comp. sound, Perfect ZK
This work                 | O(N^2) group     | O(1) group       | O(N^2) mult      | O(N) mult      | q-PKE and q-CPDH          | Comp. sound, Perfect ZK
This work                 | O(N^(2/3)) group | O(N^(2/3)) group | O(N^(4/3)) mult  | O(N) mult      | q-PKE and q-CPDH          | Comp. sound, Perfect ZK
Interactive + Fiat-Shamir | O(√N) group      | O(√N) group      | O(N) mult        | O(N) mult      | Dlog and random oracle    | Comp. sound, Perfect ZK

Knowledge commitments

• Commitment key: ck = (g, g^x, …, g^(x^q), ĝ, ĝ^x, …, ĝ^(x^q))

• Commitment to (a_1, …, a_q) using randomness r ∈ Z_p

c = g^r (g^x)^(a_1) … (g^(x^q))^(a_q)    ĉ = ĝ^r (ĝ^x)^(a_1) … (ĝ^(x^q))^(a_q)

• Verifying commitment: e(c, ĝ) = e(ĉ, g)

• Knowledge: the q-PKE assumption says it is impossible to create a valid (c, ĉ) without knowing r, a_1, …, a_q

Homomorphic property

• c = g^r (g^x)^(a_1) … (g^(x^q))^(a_q)

log(c) = r + a_1 x + … + a_q x^q

• Homomorphic

commit(a_1, …, a_q; r) ∙ commit(b_1, …, b_q; s) = commit(a_1+b_1, …, a_q+b_q; r+s)

(r + Σ a_i x^i) + (s + Σ b_i x^i) = r + s + Σ (a_i + b_i) x^i

Tools

• Constant size knowledge commitments for tuples of elements (a_1, …, a_q) ∈ (Z_p)^q

• Homomorphic, so we can add committed tuples: com(a_1, …, a_q) ∙ com(b_1, …, b_q) = com(a_1+b_1, …, a_q+b_q)

• NIZK argument for multiplicative relationship between com(a_1, …, a_q), com(b_1, …, b_q) and com(a_1 b_1, …, a_q b_q)

• NIZK argument for known permutation σ between com(a_1, …, a_q) and com(a_σ(1), …, a_σ(q))

Circuit with NAND-gates

• commit(a_1, …, a_N, b_1, …, b_N)

• commit(b_1, …, b_N, 0, …, 0)

• commit(u_1, …, u_N, 0, …, 0)

• NIZK argument for u_N = 1

• NIZK argument for everything else consistent

[Figure: example circuit of NAND gates with left inputs a_1, …, a_4, right inputs b_1, …, b_4 and outputs u_1, …, u_4]

Consistency

• Need to show valid inputs a_1, …, a_N, b_1, …, b_N ∈ {0,1}

• NIZK argument for multiplicative relationship between

commit(a_1, …, a_N, b_1, …, b_N), commit(a_1, …, a_N, b_1, …, b_N) and commit(a_1, …, a_N, b_1, …, b_N)

shows a_1 a_1 = a_1, …, a_N a_N = a_N, b_1 b_1 = b_1, …, b_N b_N = b_N

• Only possible if a_1 ∈ {0,1}, …, a_N ∈ {0,1}, b_1 ∈ {0,1}, …, b_N ∈ {0,1}

Consistency

• Homomorphic property gives commit(1, …, 1, 0, …, 0) / commit(u_1, …, u_N, 0, …, 0) = commit(1-u_1, …, 1-u_N, 0, …, 0)

• NIZK argument for multiplicative relationship between commit(a_1, …, a_N, b_1, …, b_N), commit(b_1, …, b_N, 0, …, 0) and commit(1-u_1, …, 1-u_N, 0, …, 0) shows 1-u_1 = a_1 b_1, …, 1-u_N = a_N b_N

• This proves all NAND-gates are respected: u_1 = ¬(a_1 ∧ b_1), …, u_N = ¬(a_N ∧ b_N)

Consistency

• Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever a_i and b_j correspond to the same wire, a_i = b_j

• We refer to the full paper for the details
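An added example, not from the talk or the paper, that evaluates a constructed 4-gate NAND circuit, forms the vectors a, b, u the preceding slides commit to, and checks in the clear over Z_p the relations the NIZK arguments establish. Wire consistency is expressed as a permutation σ that cycles the positions carrying the same wire; that is one way to phrase the check the slide defers to the full paper, not the paper's own arrangement.

```python
# Encoding of a NAND circuit as the vectors (a, b, u) the slides commit to,
# with the relations the NIZK arguments establish checked in the clear.
# Added example with a constructed 4-gate circuit (not the one drawn in the deck).
p = 509  # constructed field size Z_p

# Gate k = (left source, right source); a source is an input name or "u<k>".
CIRCUIT = [("x1", "x2"), ("x2", "x3"), ("u1", "u2"), ("u3", "x3")]

def wire_vectors(circuit, inputs):
    """Evaluate the circuit; a_k, b_k are the inputs and u_k the output of gate k."""
    val = dict(inputs)
    a, b, u = [], [], []
    for k, (left, right) in enumerate(circuit, start=1):
        a.append(val[left])
        b.append(val[right])
        val[f"u{k}"] = 1 - (a[-1] & b[-1])          # NAND gate
        u.append(val[f"u{k}"])
    return a, b, u

def wire_permutation(circuit):
    """sigma on the positions of v = (a | b | u): every position carrying the
    same wire lies on one cycle, so v = v o sigma exactly when wires agree."""
    N = len(circuit)
    pos = {}
    for k, (left, right) in enumerate(circuit):
        pos.setdefault(left, []).append(k)                  # a_k at index k
        pos.setdefault(right, []).append(N + k)             # b_k at index N+k
        pos.setdefault(f"u{k + 1}", []).append(2 * N + k)   # u_k at index 2N+k
    sigma = list(range(3 * N))
    for cyc in pos.values():
        for i, j in zip(cyc, cyc[1:] + cyc[:1]):
            sigma[i] = j
    return sigma

def check_encoding(circuit, a, b, u):
    """Booleanity a_i^2 = a_i, NAND relation 1 - u_i = a_i b_i, output u_N = 1,
    and wire consistency via the permutation; all arithmetic in Z_p."""
    N = len(circuit)
    boolean = all(v * v % p == v for v in a + b)
    nand = all((1 - u[k]) % p == a[k] * b[k] % p for k in range(N))
    output = u[N - 1] == 1
    v = a + b + u
    sigma = wire_permutation(circuit)
    consistent = all(v[i] == v[sigma[i]] for i in range(3 * N))
    return boolean and nand and output and consistent
```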


Conclusion

• NIZK argument of knowledge
– perfect completeness
– perfect zero-knowledge
– computational soundness

• Short and efficient to verify

                 | CRS        | Argument   | Prover comp.     | Verifier comp.
Minimal argument | O(N^2)     | O(1)       | O(N^2) mults     | O(N) mults
Balanced sizes   | O(N^(2/3)) | O(N^(2/3)) | O(N^(4/3)) mults | O(N) mults

CRS O(N^(2(1-ε))) and argument O(N^ε)

Assumptions: q-PKE and q-CPDH

Thanks

Full paper available at

www.cs.ucl.ac.uk/staff/J.Groth