Efficient Zero-Knowledge Proof Systems

Presentation Transcript


  1. Efficient Zero-Knowledge Proof Systems. Jens Groth, University College London, FOSAD 2014

  2. Round complexity
  • Interactive zero-knowledge proof
  • Non-interactive zero-knowledge proof
  • Useful for non-interactive tasks
    • Signatures
    • Encryption
    • …

  3. Non-interactive proofs (diagram). The prover holds a witness w with (x,w) ∈ R_L, where L is the language in NP defined by R_L. It sends the statement x ∈ L together with a single proof to the verifier, who answers "OK, x ∈ L".

  4. Non-interactive zero-knowledge (NIZK) proofs
  • Completeness
    • Can prove a true statement
  • Soundness
    • Cannot prove a false statement
  • Zero-knowledge
    • Proof reveals nothing (except the truth of the statement)

  5. Zero-knowledge = simulation (diagram). The prover, holding witness w with (x,w) ∈ R_L, sends the statement x ∈ L and a proof to the verifier. Problem: if proofs can be simulated, then anybody can create convincing proofs!

  6. Non-interactive zero-knowledge proof [BFM88] (diagram). Prover and verifier share a common reference string 0100…11010. The prover, holding (x,w) ∈ R_L, sends the statement x ∈ L and a proof to the verifier.

  7. Common reference string (CRS), e.g. 0110110101000101110100101
  • Can be uniform random or a specific distribution
  • Key generation algorithm K for generating the CRS
  • Trusted generation
    • Trusted party
    • Secure multi-party computation
    • Multi-string model with majority of strings honest [GO07]

  8. Simulation trapdoor (diagram). In the zero-knowledge simulation the common reference string 0100…11010 is produced by the simulator S together with a simulation trapdoor, instead of by K. The prover still holds (x,w) ∈ R_L, but the simulated proof for the statement x ∈ L is produced by S from the trapdoor and x alone, without the witness.

  9. Publicly verifiable NIZK proofs
  • NP language L
  • Statement x ∈ L if there is a witness w so that (x,w) ∈ R_L
  • An NIZK proof system for R_L consists of three probabilistic polynomial time algorithms (K,P,V)
    • K(1^k): generates the common reference string σ
    • P(σ,x,w): generates a proof
    • V(σ,x,proof): outputs 1 (accept) or 0 (reject)

  10. Public vs. private verification
  • Publicly verifiable: anybody can check the proof
    • K generates the CRS σ
    • V checks the proof given input (σ, x, proof)
  • Privately verifiable: only the designated verifier holding the private verification key can check the proof
    • K generates the CRS σ and a private verification key
    • V checks the proof given input (private verification key, x, proof)

  11. Public vs. private verifiability
  Public verifiability
  • Sometimes required
    • Signatures
    • Universally verifiable voting
  • Reusability
    • Proof can be copied and sent to somebody else
    • Prover only needs to run once to create a proof that convinces everybody
  • Hard to construct
  Private verifiability
  • Sometimes suffices
    • CCA-secure public-key encryption, e.g., Cramer-Shoup encryption
  • Cannot be transferred
    • For designated verifier only
  • Easier to construct

  12. Completeness (diagram). Common reference string σ ← K(1^k). The prover, with witness w so that (x,w) ∈ R_L, runs P(σ,x,w) → proof for the statement x ∈ L; the verifier runs V(σ,x,proof) → accept/reject. Perfect completeness: Pr[Accept] = 1

  13. Soundness (diagram). Common reference string σ ← K(1^k). The adversary produces a statement x ∉ L and a proof; the verifier runs V(σ,x,proof) → accept/reject. Adaptive soundness: the adversary first sees the CRS and then cheats.
  • Perfect soundness: for every Adv, Pr[Reject] = 1
  • Statistical soundness: for every Adv, Pr[Reject] ≈ 1
  • Computational soundness: for every poly-time Adv, Pr[Reject] ≈ 1

  14. Zero-knowledge (diagram). Real: K(1^k) → σ; the adversary chooses (x,w) ∈ R_L, receives P(σ,x,w) → proof, and outputs 0/1. Simulation: S1(1^k) → σ together with a simulation trapdoor; the adversary chooses (x,w) ∈ R_L, receives S2(σ, trapdoor, x) → proof, and outputs 0/1.
  • Perfect ZK: Pr[Adv → 1 | Real] = Pr[Adv → 1 | Simulation]
  • Computational ZK: for every poly-time Adv, Pr[Adv → 1 | Real] ≈ Pr[Adv → 1 | Simulation]

  15. Fiat-Shamir heuristic [FS86]
  • Take an interactive ZK argument where the verifier’s messages are random bits (public coin argument)
  • Let the CRS describe a hash-function H
  • Replace the verifier’s messages with hash-values of the current transcript
  • NIZK argument = (a,z): the prover sends a, the verifier’s challenge is replaced by H(x,a), and the prover answers with z

  16. Fiat-Shamir heuristic
  • Efficient NIZK arguments that work well in practice
  • Hopefully they are secure
  • Can argue heuristically that they are computationally sound in the random oracle model [BR93], where we pretend H is a truly random function
  • But in real life H is a deterministic function, and there are instantiations of the Fiat-Shamir heuristic [GK03] that yield insecure real-life schemes
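As an added example (not from the slides), the (K,P,V) interface of slide 9 and the transform of slides 15 and 16 applied to the Schnorr public-coin protocol for knowledge of a discrete logarithm: the CRS names H, the verifier's challenge becomes H(x,a), and the argument is (a,z). The toy group parameters and the hash label are my own assumptions; the simulator at the end shows why the zero-knowledge simulation needs to program H, which a real deterministic H does not allow.

```python
import hashlib
import secrets

# Toy Schnorr group constructed for this example: p = 2q + 1 with q prime and
# g of prime order q. Far too small for real use; only the structure matters.
P, Q, G = 23, 11, 2

def keygen():
    # K(1^k): here the CRS only describes the hash function H (plus a label
    # that domain-separates it); prover and verifier both read it.
    return {"hash": "sha256", "label": "fiat-shamir-schnorr-example"}

def challenge(crs, x, a):
    # The verifier's random message is replaced by H(x, a): the hash of the
    # transcript so far, bound to the statement x being proved.
    h = hashlib.new(crs["hash"])
    for part in (crs["label"], str(x), str(a)):
        h.update(part.encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q

def prove(crs, x, w):
    # P(sigma, x, w) for the statement x = g^w mod p with witness w.
    # Interactive Schnorr: a = g^r, challenge c, z = r + c*w mod q.
    # Non-interactively the prover computes c = H(x, a) itself.
    assert pow(G, w, P) == x
    r = secrets.randbelow(Q)
    a = pow(G, r, P)
    c = challenge(crs, x, a)
    return a, (r + c * w) % Q

def check_transcript(x, a, c, z):
    # The public-coin verifier's final check on a transcript (a, c, z).
    return 0 < a < P and 0 <= z < Q and pow(G, z, P) == (a * pow(x, c, P)) % P

def verify(crs, x, proof):
    # V(sigma, x, proof): recompute the challenge from the transcript.
    a, z = proof
    return check_transcript(x, a, challenge(crs, x, a), z)

def simulate(x):
    # Zero-knowledge simulation without the witness: pick c and z first and
    # solve a = g^z * x^(-c). The transcript passes check_transcript, but it is
    # a valid NIZK argument only if H(x, a) happens to equal c; a random-oracle
    # simulator programs H to make that so, a real deterministic H cannot.
    c, z = secrets.randbelow(Q), secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(x, (Q - c) % Q, P)) % P   # x has order q
    return a, c, z
```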

  17. Encrypted random bits (diagram). K(1^k) generates a key pair (pk,sk); the CRS contains pk and encryptions of random bits, c1 = E_pk(0; r1), c2 = E_pk(1; r2), c3 = E_pk(0; r3), c4 = E_pk(1; r4), …. The prover, holding (x,w) ∈ R_L, proves the statement x ∈ L by revealing some of the bits together with their randomness (1; r2 and 0; r4) and leaving the others (c1, c3) unopened.

  18. Statistical sampling (diagram: CRS bits 1 1 1 0 0 0 0 1). Probably the remaining pairs of encrypted bits are 00 and 11.
  • Random bits are not useful
  • Use statistical sampling to get hidden bits with structure
  • Give the proof by revealing certain structures related to different parts of the statement

  19. NIZK proofs (chart of proof sizes, from 1 GB down to 1 KB). Statement: here is a ciphertext and a document; the ciphertext contains a digital signature on the document. Compared: statistical sampling techniques, Groth 2006, Groth-Ostrovsky-Sahai 2012 (2006), Groth-Sahai 2012 (2008).

  20. Boneh-Goh-Nissim encryption
  • Pairing-based cryptography
  • Algebraic geometry and elliptic curves
  • Double-homomorphic public key encryption
    • Additively homomorphic: from encryptions of a and b, compute an encryption of a+b
    • Multiplicatively homomorphic (one-time only): from encryptions of a and b, compute an encryption of a∙b

  21. Circuit SAT (diagram: a circuit of NAND gates). Circuit SAT is NP-complete.

  22. NIZK proof for circuit SAT (diagram: a NAND circuit with a "Prove" box attached to each wire and to each NAND gate).

  23. NIZK proof for w ∈ {0,1} (diagram: from an encryption of w, obtain encryptions of w−1 and of w∙(w−1))
  • Additive homomorphism: from the encryption of w compute an encryption of w−1
  • Multiplicative homomorphism: from the encryptions of w and w−1 compute an encryption of w∙(w−1)
  • Proof: randomness r showing that the encryption of w∙(w−1) is an encryption of 0
  • Shows w∙(w−1) = 0, so w = 0 or w = 1

  24. NIZK proof for circuit SAT (diagram as on slide 22). Proof size: 2|W|+|C| ciphertexts.

  25. NIZK proofs for circuit SAT
  • Security level: 2^-k
  • Trapdoor permutation size: k_T = poly(k)
  • Group element size: k_G ≈ k^3
  • Circuit size: |C| = poly(k)
  • Witness size: |w| ≤ |C|

  26. Sublinear non-interactive zero-knowledge
  • Commitments instead of encryption
  • Parallel additive homomorphism
  • Parallel multiplication proofs
  • Complicated…
  • Split the circuit into many parts and prove in parallel

  27. NIZK arguments for circuit SAT
  • Bitansky, Canetti, Chiesa and Tromer 2013
  • Techniques to make both CRS size and argument size independent of circuit size

  28. Verifiable computation (diagram: the client sends a computation to the prover and gets back a result)
  • Client is weak
    • Want small argument size and low cost of verification
  • Prover is powerful
    • Accept higher computation for the prover, but it must still be low enough for outsourcing to be economically viable

  29. Proof carrying data (diagram: outputs of Program 1, Program 2 and Program 3 chained together)

  30. Pinocchio [PHGR13] (diagram: program in C (reduced instruction set) → circuit → quadratic arithmetic program → proof system)
  • Argument size: 288 bytes
  • Verifier time: 12 ms (depends on statement)

  31. Thank you • Questions?
