Short Pairing-based Non-interactive Zero-Knowledge Arguments
Jens Groth
University College London
Motivation
Voter: Attaching encrypted vote to this e-mail
Official: We can only accept correctly formatted votes
Non-interactive zero-knowledge proof
Voter: Attaching encrypted vote to this e-mail + NIZK argument that correctly formatted
Official: Ok, we will count your vote
Soundness: Vote is correct
Zero-knowledge: Vote remains secret
Non-interactive zero-knowledge argument
Prover Verifier
Soundness: Statement is true
Zero-knowledge: Nothing but truth revealed
Common reference string
Proof:
(x,w)RL
Statement: xL
Applications of NIZK arguments
• Ring signatures
• Group signatures
• Anonymous credentials
• Verifiable encryption
• Voting
• ...
Our contribution
• Common reference string with special distribution
• Statement: C is satisfiable circuit
• Very efficient verifier
• Sub-linear (constant) size NIZK argument
• Not Fiat-Shamir heuristic (no random oracle)
• Perfect completeness
• Computational soundness
• Perfect zero-knowledge
Adaptive soundness: Adversary sees CRS before attempting to cheat with false (C,)
Pairings
• G, G_T groups of prime order p
• Bilinear map e: G G G_T
– e(a^x, b^y) = e(a,b)^{xy}
– e(g,g) generates G_T if g is non-trivial
• Group operations, deciding group membership, computing bilinear map are efficiently computable
Assumptions
• Power knowledge of exponent assumption (q-PKE): Given (g, g^x, …, g^{x^q}, g, g^x, …, g^{x^q}) hard to compute (c,c) without knowing a_0, …, a_q such that
c = g^{a_0} g^{a_1 x} … g^{a_q x^q}
• Computational power Diffie-Hellman (q-CPDH): For all j hard to compute g^{x^j} given
(g, g^x, …, g^{x^q}, g, g^x, …, g^{x^{j-1}}, g^{x^{j+1}}, …, g^{x^q})
• Both assumptions hold in generic group model
Comparison
| Scheme | CRS | Size | Prover comp. | Verifier comp. | Assumption | Soundness | Zero-knowledge |
|---|---|---|---|---|---|---|---|
| Kilian-Petrank | (Nk) group | (Nk) group | (Nk) expo | (Nk) mult | Trapdoor permutations | Stat. sound | Comp. ZK |
| GOS | O(1) group | O(N) group | O(N) expo | O(N) pairing | Subgroup decision | Perfect sound | Comp. ZK |
| Abe-Fehr | O(1) group | O(N) group | O(N) expo | O(N) pairing | Dlog & knowledge of expo. | Comp. sound | Perfect ZK |
| This work | O(N^2) group | O(1) group | O(N^2) mult | O(N) mult | q-PKE and q-CPDH | Comp. sound | Perfect ZK |
| This work | O(N^{2/3}) group | O(N^{2/3}) group | O(N^{4/3}) mult | O(N) mult | q-PKE and q-CPDH | Comp. sound | Perfect ZK |
| Interactive + Fiat-Shamir | O(√N) group | O(√N) group | O(N) mult | O(N) mult | Dlog and random oracle | Comp. sound | Perfect ZK |
Knowledge commitments
• Commitment key: ck = (g, g^x, …, g^{x^q}, g, g^x, …, g^{x^q})
• Commitment to (a_1, …, a_q) using randomness rZ_p
c = (g)^r (g^x)^{a_1} … (g^{x^q})^{a_q}
ĉ = (g)^r (g^x)^{a_1} … (g^{x^q})^{a_q}
• Verifying commitment: e(c,g) = e(ĉ,g)
• Knowledge: q-PKE assumption says impossible to create valid (c,ĉ) without knowing r, a_1, …, a_q
Homomorphic property
• c = (g)^r (g^x)^{a_1} … (g^{x^q})^{a_q}
log(c) = r + a_1 x + … + a_q x^q
• Homomorphic
commit(a_1, …, a_q; r) ∙ commit(b_1, …, b_q; s) = commit(a_1+b_1, …, a_q+b_q; r+s)
(r + a_i x^i) + (s + b_i x^i) = r + s + (a_i + b_i) x^i
Tools
• Constant size knowledge commitments for tuples of elements (a_1, …, a_q) (Z_p)^q
• Homomorphic so we can add committed tuples
com(a_1, …, a_q) ∙ com(b_1, …, b_q) = com(a_1+b_1, …, a_q+b_q)
• NIZK argument for multiplicative relationship com(a_1, …, a_q) com(b_1, …, b_q) com(a_1 b_1, …, a_q b_q)
• NIZK argument for known permutation com(a_1, …, a_q) com(a(1), …, a(q))
Circuit with NAND-gates
• commit(a_1, …, a_N, b_1, …, b_N)
• commit(b_1, …, b_N, 0, …, 0)
• commit(u_1, …, u_N, 0, …, 0)
• NIZK argument for u_N = 1
• NIZK argument for everything else consistent
[Figure: circuit of NAND-gates with wires labelled a_1, …, a_4, b_1, …, b_4 and u_1, …, u_4]
Consistency
• Need to show valid inputs a_1, …, a_N, b_1, …, b_N{0,1}
• NIZK argument for multiplicative relationship
commit(a_1, …, a_N, b_1, …, b_N) commit(a_1, …, a_N, b_1, …, b_N) commit(a_1, …, a_N, b_1, …, b_N)
shows a_1 a_1 = a_1, …, a_N a_N = a_N, b_1 b_1 = b_1, …, b_N b_N = b_N
• Only possible if a_1{0,1}, …, a_N{0,1}, b_1{0,1}, …, b_N{0,1}
Consistency
• Homomorphic property gives
commit(1, …, 1, 0, …, 0) / commit(u_1, …, u_N, 0, …, 0) = commit(1-u_1, …, 1-u_N, 0, …, 0)
• NIZK argument for multiplicative relationship in
commit(a_1, …, a_N, b_1, …, b_N) commit(b_1, …, b_N, 0, …, 0) commit(1-u_1, …, 1-u_N, 0, …, 0)
shows 1-u_1 = a_1 b_1, …, 1-u_N = a_N b_N
• This proves all NAND-gates are respected u_1 = (a_1 b_1), …, u_N = (a_N b_N)
Consistency
• Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever a_i and b_j correspond to the same wire a_i = b_j
• We refer to the full paper for the details
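The homomorphic quotient and the NAND relations from the Consistency slides, worked through in Python as an added example that is not part of the talk or the paper. Assumptions: a toy Schnorr group (P = 2039, Q = 1019) stands in for the pairing group G, so only the component c is computed and no pairing check is performed; the names keygen, commit, nand_witness_ok and demo are hypothetical.

```python
# Added example: toy parameters, NOT secure. A Schnorr group stands in for the
# pairing group G, so only c is computed (no second component, no pairing check).
import secrets

P, Q, G = 2039, 1019, 4   # P = 2Q + 1; G generates the subgroup of prime order Q

def keygen(q, x=None):
    """Commitment key (g, g^x, ..., g^{x^q}); x is the secret behind the CRS."""
    x = 1 + secrets.randbelow(Q - 1) if x is None else x
    return [pow(G, pow(x, i, Q), P) for i in range(q + 1)]

def commit(ck, a, r):
    """c = g^r * (g^x)^{a_1} * ... * (g^{x^q})^{a_q}."""
    c = pow(ck[0], r % Q, P)
    for base, a_i in zip(ck[1:], a):
        c = c * pow(base, a_i % Q, P) % P
    return c

def nand_witness_ok(a, b, u):
    """Relations the arguments enforce, checked here in the clear (mod Q)."""
    bits = all(v * v % Q == v % Q for v in a + b)       # a_i * a_i = a_i
    gates = all((1 - u_i) % Q == a_i * b_i % Q          # 1 - u_i = a_i * b_i
                for a_i, b_i, u_i in zip(a, b, u))
    return bits and gates and u[-1] == 1                # output wire u_N = 1

def demo():
    n = 2
    ck = keygen(2 * n)
    a, b, u = [1, 0], [1, 1], [0, 1]    # constructed witness, u_i = NAND(a_i, b_i)
    pad = [0] * n
    r, s = secrets.randbelow(Q), secrets.randbelow(Q)
    c_u = commit(ck, u + pad, r)
    c_one = commit(ck, [1] * n + pad, s)
    # commit(1,...,1,0,...,0) / commit(u,0,...,0) = commit(1-u,0,...,0)
    quotient = c_one * pow(c_u, -1, P) % P
    expected = commit(ck, [1 - u_i for u_i in u] + pad, s - r)
    return quotient == expected, nand_witness_ok(a, b, u)

if __name__ == "__main__":
    print(demo())
```

Wire consistency across gates, which the talk handles with the permutation argument, is not modelled here.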
Conclusion
• NIZK argument of knowledge
– perfect completeness
– perfect zero-knowledge
– computational soundness
• Short and efficient to verify
| | CRS | Argument | Prover comp. | Verifier comp. |
|---|---|---|---|---|
| Minimal argument | O(N^2) | O(1) | O(N^2) mults | O(N) mults |
| Balanced sizes | O(N^{2/3}) | O(N^{2/3}) | O(N^{4/3}) mults | O(N) mults |

CRS O(N^{2(1-ε)}) and argument O(N^ε)
q-PKE and q-CPDH
Thanks
Full paper available at
www.cs.ucl.ac.uk/staff/J.Groth