Perfect Non-interactive Zero-Knowledge for NP Jens Groth Rafail Ostrovsky Amit Sahai University of...


Page 1: Perfect Non-interactive Zero-Knowledge for NP Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.

Perfect Non-interactive Zero-Knowledge for NP

Jens Groth

Rafail Ostrovsky

Amit Sahai

University of California Los Angeles

Page 2:

Motivation

I'm a woman.

Prove it!

OK, I will make a zero-knowledge proof

Circuit C = "I'm a woman"

Proof π

Page 3:

Completeness

Perfect completeness: Pr[Accept] = 1

Proof π

Accept

$K(1^k)$

Common reference string

Circuit C

Witness w so C(w) = 1

Prover, Verifier

Page 4:

Soundness

Perfect soundness: Pr[Reject] = 1

Unsatisfiable C

Proof π

Reject

Adversary, Verifier

$K(1^k)$

Common reference string

Page 5:

Zero-knowledge

Computational zero-knowledge:

$\Pr[A \to 1 \mid \text{Simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{Real proofs } (K, P)]$

Proof π

sk

$S_1(1^k)$

Circuit C

Witness w

"Common reference string"

0/1

$S_2(crs, sk, C)$

Simulator, Adversary

Page 6:

State of affairs

Computational NIZK proofs known but not practical

Kilian-Petrank:
- $O(|C|k^2)$-bit common reference string
- $O(|C|k^2)$-bit proofs

Statistical/perfect NIZK arguments not known

No non-interactive UC ZK arguments secure against adaptive adversaries known

Page 7:

Our contributions

NIZK proof for Circuit SAT
- Perfect completeness, perfect soundness, perfect proof of knowledge, computational zero-knowledge
- $O(k)$-bit common reference string
- $O(|C|k)$-bit proofs

Perfect NIZK argument for Circuit SAT
- Perfect completeness, computational coNP soundness, perfect zero-knowledge

UC NIZK argument for Circuit SAT with perfect zero-knowledge secure against adaptive adversaries

Page 8:

Bilinear group of order n

$G, G_1$ cyclic groups of order $n = pq$

$g$ generator for $G$

bilinear map $e: G \times G \to G_1$

$e(u^a, v^b) = e(u, v)^{ab}$

$e(g, g)$ generates $G_1$

Decision subgroup problem

ord(h) = q or ord(h) = n ?

Page 9:

Boneh-Goh-Nissim cryptosystem

Key generation

$pk = (n, G, G_1, e, g, h)$, ord(g) = n, ord(h) = q

$sk = (pk, p, q)$

Encryption of m, $|m| = O(\log k)$

$E(m; r) = g^m h^r$ where $r \in \mathbb{Z}_n$

Decryption

$(g^m h^r)^q = (g^q)^m$, find m by polynomial time exhaustive search

Page 10:

Homomorphic properties

Additively homomorphic

$g^{m_1}h^{r_1} \cdot g^{m_2}h^{r_2} = g^{m_1+m_2}h^{r_1+r_2}$

Multiplication-mapping

$e(g^{m_1}h^{r_1}, g^{m_2}h^{r_2}) = e(g, g)^{m_1 m_2} \, e(h, g^{m_1 r_2 + m_2 r_1} h^{r_1 r_2})$

Page 11:

NIZK proof for Circuit SAT

Circuit SAT is NP complete

[Figure: circuit with two NAND gates, wires w1, w2, w3, w4 and output 1]

Page 12:

NIZK proof for Circuit SAT

[Figure: the same circuit with two NAND gates; the output wire carries $g^1$ and the wires carry the ciphertexts $g^{w_1}h^{r_1}$, $g^{w_2}h^{r_2}$, $g^{w_4}h^{r_4}$, $g^{w_3}h^{r_3}$]

NIZK proof $c_1$ encrypts 0 or 1

NIZK proof $c_2$ encrypts 0 or 1

NIZK proof $c_3$ encrypts 0 or 1

NIZK proof $c_4$ encrypts 0 or 1

NIZK proof $w_4 = \neg(w_1 \wedge w_2)$

NIZK proof $1 = \neg(w_4 \wedge w_3)$

Page 13:

NIZK proof for encryption of 0 or 1

Wish to prove c encrypts 0 or 1

Write $c = g^m h^r$ (m uniquely determined mod p)

$e(c, g^{-1}c) = e(g^m h^r, g^{m-1}h^r) = e(g, g)^{m(m-1)} \, e(h^r, g^{2m-1}h^r)$

has order q if and only if m = 0 mod p or m = 1 mod p

We wish to prove $e(c, g^{-1}c)$ has order q

Page 14:

NIZK proof for encryption of 0 or 1

Prover chooses $s \in \mathbb{Z}_n^*$

$e(c, g^{-1}c) = e(g^m h^r, g^{m-1}h^r) = e(h^r, g^{2m-1}h^r) = e(h^s, (g^{2m-1}h^r)^{r/s})$

Reveal $\pi = (\pi_1, \pi_2, \pi_3)$

$\pi_1 = h^s$, $\pi_2 = (g^{2m-1}h^r)^{r/s}$, $\pi_3 = g^s$

Verifier checks $e(\pi_1, g) = e(h, \pi_3)$ and $e(c, g^{-1}c) = e(\pi_1, \pi_2)$

Page 15:

NIZK proof for encryption of 0 or 1

Perfect soundness

h has order q $\Rightarrow$ $e(h, \pi_3)$ has order q

$e(\pi_1, g) = e(h, \pi_3)$ $\Rightarrow$ $e(\pi_1, g)$ has order q

$\Rightarrow$ $\pi_1$ has order q $\Rightarrow$ $e(\pi_1, \pi_2)$ has order q

$e(c, g^{-1}c) = e(\pi_1, \pi_2)$ $\Rightarrow$ $e(c, g^{-1}c)$ has order q

$\Rightarrow$ m = 0 mod p or m = 1 mod p

Computational zero-knowledge

ord(h) = n, $g = h^{\gamma}$, simulation key: $\gamma$

Page 16:

NIZK proof for NAND-gate

Given $c_0, c_1, c_2$ ciphertexts containing bits $b_0, b_1, b_2$ wish to prove $b_2 = \neg(b_0 \wedge b_1)$

$b_2 = \neg(b_0 \wedge b_1)$

if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$

Make NIZK proof for $c_0 c_1 c_2^2 g^{-2}$ encrypting 0 or 1

Page 17:

NIZK proof for Circuit SAT

Encrypt all wires $w_i$ as $c_i = g^{w_i}h^{r_i}$

For each i make NIZK that $c_i$ contains 0 or 1

For each NAND-gate make NIZK proof that $c_0 c_1 c_2^2 g^{-2}$ contains 0 or 1

Perfect completeness

Perfect soundness

Computational zero-knowledge

Perfect knowledge extraction – decrypt ciphertexts
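
The 0/1 proof, the NAND-gate reduction and the full Circuit SAT proof from the preceding slides, run end to end on the two-gate circuit shown earlier. This is an added example, not code from the talk: it uses an insecure toy representation in which every group element is stored as its exponent, so the pairing is multiplication mod n and only the algebra of the verification equations is exercised. The primes and all function names are constructed for illustration.

```python
# Toy model, NOT secure: g^a in G (and e(g,g)^a in G1) is stored as the
# exponent a mod n, so the pairing e(g^a, g^b) = e(g,g)^(ab) becomes a*b mod n.
import secrets
from math import gcd

P, Q = 1009, 1013        # constructed toy primes, n = pq
N = P * Q
G = 1                    # g = g^1
H = 7 * P % N            # h = g^(7p), so ord(h) = q

def pair(a, b):          # e(g^a, g^b)
    return a * b % N

def enc(m, r):           # E(m; r) = g^m h^r
    return (m * G + r * H) % N

def decrypt(c):          # c^q = (g^q)^m, then search the small plaintext space
    return next(m for m in range(4) if c * Q % N == m * Q % N)

def prove_bit(m, r):     # pi = (h^s, (g^(2m-1) h^r)^(r/s), g^s)
    s = secrets.randbelow(N - 1) + 1
    while gcd(s, N) != 1:            # s must be in Z_n^* so that r/s exists
        s = secrets.randbelow(N - 1) + 1
    pi2 = ((2 * m - 1) * G + r * H) * r * pow(s, -1, N) % N
    return (s * H % N, pi2, s * G % N)

def verify_bit(c, pi):   # e(pi1, g) = e(h, pi3) and e(c, g^-1 c) = e(pi1, pi2)
    pi1, pi2, pi3 = pi
    return (pair(pi1, G) == pair(H, pi3)
            and pair(c, (c - G) % N) == pair(pi1, pi2))

def nand_ct(c0, c1, c2): # c0 * c1 * c2^2 * g^-2
    return (c0 + c1 + 2 * c2 - 2 * G) % N

def prove_circuit(w1, w2, w3):
    """Circuit from the slides: w4 = NAND(w1, w2), output NAND(w4, w3) = 1."""
    w = [w1, w2, w3, 1 - (w1 & w2)]
    r = [secrets.randbelow(N) for _ in w]
    c = [enc(m, ri) for m, ri in zip(w, r)]
    bits = [prove_bit(m, ri) for m, ri in zip(w, r)]
    # Gate plaintext b0+b1+2*b2-2 and randomness r0+r1+2*r2, by homomorphism.
    g1 = prove_bit(w[0] + w[1] + 2 * w[3] - 2, r[0] + r[1] + 2 * r[3])
    g2 = prove_bit(w[3] + w[2], r[3] + r[2])   # output wire is g^1 = E(1; 0)
    return c, bits, g1, g2

def verify_circuit(c, bits, g1, g2):
    return (all(verify_bit(ci, pi) for ci, pi in zip(c, bits))
            and verify_bit(nand_ct(c[0], c[1], c[3]), g1)
            and verify_bit(nand_ct(c[3], c[2], G), g2))
```

With a non-satisfying assignment such as (0, 0, 1) the second gate ciphertext contains 2, the term e(g, g)^{m(m-1)} no longer vanishes, and the second verification equation fails.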

Page 18:

Perfect NIZK

Common reference string (g, h)

Choose g, h so ord(g) = ord(h) = n

Perfect completeness

Perfect zero-knowledge

Ciphertexts $c_i$ are perfectly hiding commitments

NIZK argument for 0/1 plaintexts perfect ZK

Page 19:

Adaptive coNP soundness

Computational coNP soundness: Pr[Reject] ≈ 1

C, $w_{co}$

Proof π

Reject

$K(1^k)$

Common reference string

$w_{co}$ witness for C unsatisfiable

Page 20:

$F_{NIZK}$

(prove, C, w)

(proof, π)

(verify, C, π)

(verification, 0/1)

If C(w)=1 give C to S and get π

store (C,π)

If (C,π) not stored give (C,π) to S and get w

if C(w)=1 store (C,π)

Return 1 if (C,π) stored

Page 21:

UC NIZK

There exists non-interactive protocol UC NIZK such that

1. UC NIZK securely realizes $F_{NIZK}$ against adaptive adversaries in the common reference string model

2. UC NIZK is perfect zero-knowledge

Page 22:

Conclusion

New technique for NIZK proofs

1. Very efficient NIZK proofs with perfect soundness

2. First construction of perfect zero-knowledge NIZK argument with coNP soundness

3. First construction of UC NIZK argument secure against adaptive adversaries