Pairing-Based Non-interactive Proofs Jens Groth University College London Joint work with Rafail...
-
Upload
homer-fletcher -
Category
Documents
-
view
215 -
download
1
Transcript of Pairing-Based Non-interactive Proofs Jens Groth University College London Joint work with Rafail...
Pairing-Based Non-interactive Proofs
Jens Groth
University College London
Joint work with Rafail Ostrovsky and Amit Sahai
Thanks also to Brent Waters
Motivation
Alice Bob
Why does Bob want to know my password,
bank statement, etc.?
Did Alice honestly follow the protocol?Show me all your inputs!
No!
History
• Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985
• First the paper was rejected a couple of times• ...then they won the Gödel award for it
Interactive proof
Prover Verifier
Statement OK, statement is true
Statements
• Mathematical theorem: 2+2=4• Identification: I am me!• Verification: I followed the protocol• Anything: X belongs to NP-language L
Interactive proof
Prover Verifier
Statement: xL OK, xL
Witness w (x,w) RL
Zero-knowledge and witness indistinguishability
Prover Verifier
Statement: xL OK, xL
Witness w (x,w) RL
Zero-knowledge:Verifier learns statement is
true, but nothing else
Witness-indistinguishable: Verifier does not learn which witness Prover has in mind
Zero-knowledge proofs in multi-party computation
Function: f
Input: x Input: y
Output: f(x,y)
I don’t trust you!Did you follow the
protocol?
Yes, I followed the protocol, but my input
is secret!
ZK proof
OK, she followed the protocol
History
• Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985
• Many actions are non-interactive– Signature– Encryption– ...
Non-interactive proofs
Prover Verifier
Statement: xL OK, xL
Witness w (x,w) RL
Proof
Non-interactive zero-knowledge (NIZK) proofs
• Completeness– Can prove a true statement
• Soundness– Cannot prove false statement
• Zero-knowledge– Proof reveals nothing (except truth of statement)
NIZK proofs only for trivial languages (BPP)
Sketch of proof:
Decision algorithm for x in L:• Learn nothing from proof = can simulate proof• If xL: ZK and complete so verifier algorithm accepts• If xL: Sound so verifier algorithm rejects
History
• Goldwasser, Micali and Rackoff introduced interactive zero-knowledge proofs in 1985
• Many actions are non-interactive– Signature– Encryption– ...
• Blum, Feldman and Micali introduced non-interactive zero-knowledge proofs in the common reference string model in 1986
Common reference string
• Key generation algorithm K– Uniformly at random
– Specific distribution
• Trusted generation– Trusted party
– Secure multi-party computation
– Multi-string model where t-out-of-n are trusted
0110110101000101110100101
CRS: 01101010101010101
NIZK and NIWI proofs
Prover Verifier
Statement: xL OK, xL
Witness w (x,w) RL
NIZK:Verifier learns statement is
true, but nothing else
NIWI: Verifier does not learn which witness Prover has in mind
Proof
Defining NIZK proofs
• NP language L: xL if is witness w so (x,w)RL
• NIZK proof consists of three probabilistic polynomial time algorithms (K,P,V)
• K(1k): Generates common reference string σ• P(σ,x,w): Generates a proof • V(σ,x,): Verifies the proof (outputs 1 or 0)
Completeness
Perfect completeness: Pr[Accept] = 1
P(σ,x,w) → V(σ,x,) →Accept/reject
K(1k)Common reference string σ
Statement xL
Witness wso (x,w)R
Soundness
Perfect soundness: Adv: Pr[Reject] = 1
Computational soundness: poly-time Adv: Pr[Reject] 1
V(σ,x,) →Accept/reject
K(1k)Common reference string σ
Statement xL
Witness indistinguishability
Perfect witness-indistinguish.: Adv: Pr[Guess = b] = ½
Computational WI: poly-time Adv: Pr[Guess = b] ½
P(σ,x,wb) →
K(1k)Common reference string σ
Statement xL
Witnesses w0,w1 (x,w0),(x,w1)RL
b{0,1}
Guess{0,1}
Zero-knowledge
Perfect ZK: Pr[Adv →1|Real ] = Pr[Adv→1|Simulation]Computational ZK: poly-time Adv: Pr[Adv →1|Real ] Pr[Adv→1|Simulation]
P(σ,x,w) →
K(1k) → σ
0/1(x,w) RL
S2(σ,,x) →
S1(1k) → σ
0/1(x,w) RL
Trade-off
• Perfect soundness and perfect zero-knowledge only possible for trivial languages– Sketch of proof:
• Perfect ZK implies real common reference string and simulated common reference string has same probability distribution
• To decide whether x in L simulate common reference string, simulate proof, run verifier on simulated proof
• If xL: By perfect ZK and completeness verifier accepts• If xL: By perfect soundness verifier rejects
• Choice:– Perfect soundness and computational zero-knowledge– Computational soundness and perfect zero-knowledge
The world in 2005
• Much research in NIZK proofs– Blum-Feldman-Micali 88– Damgård 92– Feige-Lapidot-Shamir 99– Kilian-Petrank 98– De Santis-Di Crescenzo-Persiano 02
• Inefficient
• Alternatives– Fiat-Shamir heuristic transforms interactive zero-knowledge proof
into non-interactive scheme, however, there are examples of insecure Fiat-Shamir transformation
– Designated verifier proofs such as Damgård, Fazio, Nicolosi 05, however, the verification is not public
Applications
• Public-key encryption• Mix-nets for anonymous broadcast• Internet voting• Group signatures• Ring signatures• Identification• Verifying outsourced computation• ...
Practice
Circuit SAT Practical statements
Inefficient
Efficient
Kilian-Petrank 98
Groth-Ostrovsky-Sahai 06
Groth 06
Groth-Sahai 08
1 GB
1 KB
Statement: Here is a ciphertext and a document. The ciphertext contains a digital signature on the document.
Known for all
of NP?
Computational
zero-knowledge
Perfectzero-knowledge
(everlasting privacy)
Interactive proof
Non-interactive
proof ?
Yes[Goldreich-
Micali-Wigderson
1986]
Yes[Brassard-Crepeau
1986]
Yes[Blum-
Feldman-Micali 1988]
Yes[G-
Ostrovsky-Sahai 2006]
CRS-free proofs for all
of NP?Zero-
knowledgeWitness-
indistinguishability
Interactive proofs
Non-interactive proof ?
4 rounds 2 rounds
Impossible Yes
Goals
• Efficient NIZK and NIWI proofs• Perfect zero-knowledge
– Computational soundness
• Eliminating the common reference string– NIWI proofs (non-interactive zaps)
• New techniques from pairing based cryptography
Groth-Ostrovsky-Sahai 06
• NIZK proof for Circuit SAT• Perfect completeness, perfect soundness,
computational zero-knowledge• Common reference string size: O(k) bits• Proof size: O(|C|k) bits
Composite order bilinear group
• Gen(1k) generates (p,q,G,GT,e,g)
• G, GT finite cyclic groups of order n=pq
• G has generator g
• Pairing e: G G → GT
– e(g,g) generates GT
– e(ga,gb) = e(g,g)ab
• Deciding group membership, group operations, and bilinear pairing efficiently computable
Elliptic curves
Becoming familiar with the pairing
• Pairing e: G G → GT
– g generates G and has order n=pq
– e(g,g) generates GT
– e(ga,gb) = e(g,g)ab implies e(u,v)=e(v,u) and e(ux,v)=e(u,v)x=e(u,vx)
• Questions with answers:
e(ux,vy)e(uz,w) = e(u,vxywz)
e(u,vx)e(vy,u) = e(u,vx+y)
e(u-x,v)e(u,v)-1e(u-1,vy)z = e(u,v-1-x-yz)
If uq=1 then e(u,v)q=e(uq,v)=e(1,v)=e(g0,v)=e(g,v)0=1
If e(g,v)=e(h,u) then h=gx and v=ux (if ord(h)=n)
Subgroup decision problem
• Given hG decide whether h has order q or order n
• Subgroup decision assumption:
poly-time Adv:
Pr[ (p,q,G,GT,e,g)←Gen(1k); h ← G* : Adv(n,G,GT,e,g,h)=1]
Pr[ (p,q,G,GT,e,g)←Gen(1k); h ← Gq*: Adv(n,G,GT,e,g,h)=1]
BGN encryption [Boneh-Goh-Nissim 05]
Public key: g, h G h order q
Secret key: p, q n=pq
Encryption: c = gahr r ← Zn
Decryption: cq = (gahr)q = gqahqr = (gq)a
IND-CPA secure: Without secret key, ciphertext does not reveal poly-time computable information about plaintext.
Sketch of proof: By subgroup decision assumption public key looks the same as if h had order n. But if h had order n, ciphertext would have no information about the plaintext a.
BGN Commitment
Public key: g, h G h order q
Commitment: gahr r ← Zn
Perfectly binding: Unique a mod p
Computationally hiding: Indistinguishable from h order n
Addition: (gahr)(gbhs) = ga+bhr+s
Multiplication: e(gahr,gbhs)
= e(ga,gb) e(hr,gb) e(ga,hs) e(hr,hs)
= e(g,g)ab e(h,gas+rbhrs)
NIZK proof for Circuit SAT
1
w1
w4
w3w2
Circuit SAT is NP complete
NAND
NAND
NIZK proof for Circuit SAT g1
c1 := gw1hr1
c2 := gw2hr2
c4 := gw4hr4
c3 := gw3hr3
Prove w1 {0,1}
Prove w2 {0,1}
Prove w3 {0,1}
Prove w4 {0,1}
Prove w4 = (w1w2)
Prove 1 = (w4w3)
NAND
NAND
Proof for c containing 0 or 1
Write c = gwhr (unique w mod p since h has order q)
e(c,g-1c) = e(gwhr,gw-1hr)= e(gw,gw-1)e(hr,gw-1)e(gw,hr)e(hr,hr)= e(g,g)w(w-1) e(h,(g2w-1hr)r)
Proof := (g2w-1hr)r
Verifier checks: e(c,g-1c) = e(h,) → e(g,g)w(w-1) e(h,(g2w-1hr)r) = e(h,)
→ w = 0 or w = 1 (mod p)
Observation
b2 = (b0b1)
if and only if
b0 + b1 + 2b2 - 2 {0,1}
b0 b1 b2 b0+b1+2b2-2
0 0 0 -2
0 0 1 0
0 1 0 -1
0 1 1 1
1 0 0 -1
1 0 1 1
1 1 0 0
1 1 1 2
Proof for NAND-gate
Given c0, c1, c2 containing bits b0, b1, b2
wish to prove b2 = (b0b1)
b2 = (b0b1) if b0 + b1 + 2b2 - 2 {0,1}
c0c1c22g-2 = (gb0hr0)(gb1hr1)(gb2hr2)2g-2
= gb0+b1+2b2-2hr0+r1+2r2
Prove c0c1c22g-2 contains 0 or 1
NIZK proof for Circuit SAT g1
c1 := gw1hr1
c2 := gw2hr2
c4 := gw4hr4
c3 := gw3hr3
Prove w1 {0,1}
Prove w2 {0,1}
Prove w3 {0,1}
Prove w4 {0,1}
Prove w4 = (w1w2)
Prove 1 = (w4w3)
NAND
NAND
CRS = (n,G,GT,e,g,h)CRS size 3kProof size (2|W|+|C|)k
Zero-Knowledge
Subgroup decision assumption:
It is hard to distinguish random h of order q from random h of order n
Simulated common reference string
h order n by choosing g = h ← Zn*
The simulation trapdoor is
Commitments are now perfectly hiding trapdoor commitments
g0hr = g1hr-
Simulation g1
c1 := g1hr1
c2 := g1hr2
c4 := g1hr4
c3 := g1hr3
Simulate proofs for
w1 {0,1}
w2 {0,1}
w3 {0,1}
w4 {0,1}
Simulate proofs for
w4 = (w1w2)
1 = (w4w3)
NAND
NAND
Witness-indistinguishable 0/1-proof
Write c = g1hr (possible since we committed this way)
e(c,g-1c) = e(g1hr,g0hr)= e(h,(g1hr)r)
Proof := (g1hr)r
Verifier checks: e(c,g-1c) = e(h,)
Perfect witness-indistinguishable when h has order n since there is unique satisfying equation, no matter whether c contains 0 or 1
Witness-indistinguishability
Write c = g0hr+ (possible since we know trapdoor )
e(c,g-1c) = e(g0hr+,g-1hr+)= e(h,(g-1hr+)r+)
Proof := (g-1hr+)r+ = (g-1h)r+ (hr+)r= (g1hr)r
Verifier checks: e(c,g-1c) = e(h,)
Perfect witness-indistinguishable since both the witness (1,r) and the witness (0,r+) lead to exactly the same proof
Witness-indistinguishable NAND-proof
Given c0, c1, c2 containing wish to simulate proof for b2 = (b0b1) (simulator committed to b0=b1=b2=1)
b2 = (b0b1) if b0 + b1 + 2b2 - 2 {0,1}
c0c1c22g-2 = (g1hr0)(g1hr1)(g1hr2)2g-2
= g2hr0+r1+2r2
= g1h+r0+r1+2r2
Proof for c0c1c22g-2 containing 0 or 1
Zero-knowledge
Sketch of proof:
Pr[Adv→1|Real proof]
Pr[Adv→1|Real proof on h with order n]
= Pr[Adv→1|Hybrid proof where h has order n and commitments to 1 trapdoor opened to witness and then real proofs]
= Pr[Adv→1|Hybrid proof where h has order n and commitments to 1 and trapdoor opening
when making 0/1-proofs]
= Pr[Adv→1|Simulated proof]
Composable zero-knowledge
• Real common reference stringcomputationally indistinguishable fromsimulated common reference string
• Real proof on simulated common reference stringperfectly indistinguishable fromsimulated proof on simulated common reference string
NIZK proof for Circuit SAT
• Commit to all wires wi as ci := gwihri
• For each i prove ci contains 0 or 1
• For each NAND-gate prove c0c1c22g-2 contains 0
or 1• Total size: 2|W|+|C| group elements
• Perfect completeness, perfect soundness, composable zero-knowledge
• Also, perfect proof of knowledgecq = (gwhr)q = (gwq)(hrq) = (gq)w(hq)r = (gq)w
Known for all
of NP?
Computational
zero-knowledge
Perfectzero-knowledge
(everlasting privacy)
Interactive proof
Non-interactive
proof ?
Yes[Goldreich-
Micali-Wigderson
1986]
Yes[Brassard-Crepeau
1986]
Yes[Blum-
Feldman-Micali 1988]
Yes(as we
shall see now)
Perfect zero-knowledge
• Instead of h with order q, use h with order n
• Easy to verify that we have perfect completeness• As argued earlier we have perfect zero-knowledge• What about soundness?
”Natural” computational soundness fails
• Natural way to prove soundness fails• Start with h of order n and Adv that produces false
statement and valid proof• Switch to h of order q, which Adv cannot
distinguish from order n. Here Adv cannot produce false statement and valid proof
• Problem: Consider the statement ”h has order q”
Adaptive co-soundness
Computational co-soundness: poly-time Adv: Pr[Reject] ≈ 1
C, wco
Proof
K(1k)Common reference string
wco witness for C unsatisfiable
Computational co-soundness
Sketch of proof:• Imagine poly-time Adv could break co-soundness.
I.e., after seeing CRS = (n,G,GT,e,g,h) where h has order n, Adv produces valid (C,wco,).
• By subgroup decision assumption approximately same success probability for Adv producing valid (C,wco,) when h has order q.
• But wco guarantees C is unsatisfiable and when h has order q the perfect soundness guarantees C is satisfiable.
Co-soundness the ”right” definition
• Abe-Fehr 07 show that impossible to achieve ”natural” soundness definition with standard direct black-box methods
• In many scenarios a co-witness exists. – Consider for instance verifiable encryption, where the
secret key can be a co-NP witness for false statement
• Computational co-soundness sufficient for constructing universally composable NIZK proofs
Perfect NIZK argument for Circuit SAT
• Common reference string with h of order n
• Commit to all wires wi as ci := gwihri
• For each i prove ci contains 0 or 1
• For each NAND-gate prove c0c1c22g-2 contains 0
or 1• Total size: 2|W|+|C| group elements• Perfect completeness, computational co-
soundness, perfect zero-knowledge
Groth-Ostrovsky-Sahai 06
• NIZK proof for Circuit SAT• Perfect binding key:
– Perfect completeness– Perfect soundness– Computational zero-knowledge
• Perfect hiding key:– Perfect completeness– Computational co-soundness– Perfect zero-knowledge
= (n,G,GT,e,g,h)where ord(h) = q
= (n,G,GT,e,g,h)where ord(h) = n
?
Non-interactive proofs in the plain model
• NIZK proofs rely on trusted setup of common reference string.
• What if no such setup exists?• Well, NIZK proofs do not exist in the plain model.• OK, how much privacy can we get in plain model?• NIWI proofs do exist in the plain model!
CRS-free proofs for all
of NP?Zero-
knowledgeWitness-
indistinguishability
Interactive proofs
Non-interactive proofs
?
4 rounds 2 rounds
Impossible Yes
Intuition
• Naive idea: Let the prover choose the CRS.• Bad idea: The prover can just pick a simulation CRS.• Better idea: Let the prover choose two related CRS’s
– One CRS perfect sound, the other CRS perfect ZK– Verifiable that at least one is perfectly sound– Verifier cannot tell which one is sound
NIWI proof in plain model
• Statement: C• Proof:
(0,1,0) Krelated(1k)0 P(0,C,w)1 P(1,C,w)
The proof is = (0,1,0,1)
• Verification:Check (0,1) related so at least one is soundCheck (0,C,0) is valid proofCheck (1,C,1) is valid proof
Security
• NIWI proof in the plain model has perfect completeness, perfect soundness and computational witness-indistinguishability
• Perfect completeness:– Perfect completeness of NIZK proofs and perfectly
complete related CRS generation.
• Perfect soundness:– Related CRS generation implies at least one NIZK proof
has perfect soundness
Computational witness-indistinguishability
{C,w0,w1}k poly-time Adv:
Pr[b{0,1} ; P(1k,C,wb) : Adv(C,w0,w1,)=1] ½
• Equivalently
Pr[(0,1,0,1) P(1k,C,w0): Adv(C,w0,w1,)=1]
Pr[(0,1,0,1) P(1k,C,w1): Adv(C,w0,w1,)=1]
Witness-indistinguishability
Given circuit C and two witnesses w0, w1
• Generate 0 perfect ZK and 1 perfect sound
NIZK proof using w0 on 0 NIZK proof using w0 on 1
Simulate proof on 0 NIZK proof using w0 on 1
NIZK proof using w1 on 0 NIZK proof using w0 on 1
• Switch to 0 perfect sound and 1 perfect ZK
NIZK proof using w1 on 0 Simulate proof on 1
NIZK proof using w1 on 0 NIZK proof using w1 on 1
• Switch back to 0 perfect ZK and 1 perfect sound
Adversary knows C,w0,w1
and sees (0,1,0,1)
Verifiability of common reference string
• All that is left is to construct related common reference strings such that guarantee that one is sound and we get NIWI proofs in the plain model!
• How?– Does h have order q?– Is n even a product of two primes?
• Use NIZK proof based on prime order groups.
Prime order bilinear group
• Gen(1k) generates (p,G,GT,e,g)
• G, GT finite cyclic groups of prime order p
• Generator g for G
• Pairing e: G G → GT
– e(g,g) generates GT
– e(ga,gb) = e(g,g)ab
• Deciding group membership, group operations, and bilinear pairing efficiently computable
• Publicly verifiable that is valid bilinear group
Decision Linear assumption
• The DLIN problem is to distinguish (f,h,g,fr,hs,gr+s) from (f,h,g,fr,hs,R)
• The DLIN assumption for Gen: poly-time Adv:
Pr[(p,G,GT,e,g)Gen(1k) ; f,h G* ; r,s,tZp :Adv(p,G,GT,e,f,h,g,fr,hs,gr+s)=1]
Pr[(p,G,GT,e,g)Gen(1k) ; f,h G* ; r,s,tZp :Adv(p,G,GT,e,f,h,g,fr,hs,gt)=1]
Linear encryption [Boneh-Boyen-Shacham 04]
• Public key: f,h,g f,h,gG*
• Secret key: x,y f=gx, h=gy
• Encryption: (u,v,w) = (fr,hs,gr+sm) r,sZp
• Decryption:m = wu-1/xv-1/y
• IND-CPA security: The ciphertext contains no poly-time computable information about plaintext
• Sketch of proof: Look at public key and ciphertext(f,h,g,fr,hs,gr+sm) (f,h,g,fr,hs,gtm) = (f,h,g,fr,hs,R)
Commitments from Linear encryption
• Public key: (n,G,GT,e,f,h,g,u,v,w)
• Commitment: (uafr,vahs,wagr+s) r,sZp
• Additively homomorphic:
commit(a;r,s) commit(b;R,S)
= (uafr,vahs,wagr+s) (ubfR,vbhS,wbgR+S)
= (ua+bfr+R,va+bhs+S,wa+bgr+R+s+S)
= commit(a+b;r+S,s+S)
Binding and hiding keys
• Perfectly binding key: (u,v,w) = (fR,hS,gR+S+T)
(uafr,vahr,wagr+s) = (fRa+r,hSa+s,g(R+S)a+(r+s)gTa)
• Perfectly hiding key: (u,v,w) = (fR,hS,gR+S)
(u1fr,v1hs,w1gr+s) = (u0fr+R,v0hs+S,w0gr+R+s+S)
• Hard to distinguish perfect binding keys from perfect hiding keys by the DLIN assumption
Related keys
• Relation: 0 = (u,v,w) and 1 = (u,v,wg)
• Either 0 = (fR,hS,gR+S) and 1 = (fR,hS,gR+S+1)
or0 = (fR,hS,gR+S-1) and 1 = (fR,hS,gR+S)
or0 = (fR,hS,gR+S+T) and 1 = (fR,hS,gR+S+T+1)
• Verifiable that at least one perfectly binding key• Hard to tell which of the keys is perfectly hiding
NIZK proof for Circuit SAT
• NIZK proof in common reference string model, which is perfectly complete, perfectly sound and composable zero-knowledge.
• Efficient: 9|w|+6|C| group elements• Observe: Prime order group elements may be
smaller than composite order group elements, so may be more efficient than composite order proof
NIZK proof for Circuit SAT (u1,v1,w1)
c1 commit(w1)
c2 commit(w2)
c4 commit(w4)
c3 commit(w3)
Prove w1 {0,1}
Prove w2 {0,1}
Prove w3 {0,1}
Prove w4 {0,1}
Prove w4 = (w1w2)
Prove 1 = (w4w3)
NAND
NAND
Observation
b2 = (b0b1)
if and only if
b0 + b1 + 2b2 - 2 {0,1}
b0 b1 b2 b0+b1+2b2-2
0 0 0 -2
0 0 1 0
0 1 0 -1
0 1 1 1
1 0 0 -1
1 0 1 1
1 1 0 0
1 1 1 2
Proof for NAND-gate
Given c0, c1, c2 containing bits b0, b1, b2
wish to prove b2 = (b0b1)
b2 = (b0b1) if b0 + b1 + 2b2 - 2 {0,1}
Additively homomorphic commitments so
c0c1c22commit(-2) = commit(b0+b1+2b2-2)
Prove c0c1c22g-2 contains 0 or 1
Proof for 0-commitment
• Commitment to 0:
(u0fr,v0hs,w0gr+s) = (fr,hs,gr+s)
• Proof for (c1,c2,c3) = (fr,hs,gt) satisfying t=r+s mod p
(1,2) = (Zr, Zs) for known Z≠1
• Verification:
e(Z,c1)=e(f,1) e(Z,c2)=e(h,2) e(Z,c3)=e(g,12)
Proof for 0/1-commitment
• Commitment (c1,c2,c3) of the form (uafr,vahr,wagr+s) with a{0,1}
• Idea: – Show (c1,c2,c3) or (u-1c1,v-1c2,w-1c3) contains 0
– Do this by showing a(a-1)=0 mod p
• Problem: We do not have a pairing G3 G3 ???• Solution: Build one!
Meta-pairing
To avoid notational clutter define(A,B,C) = (c1,c2,c3) and (X,Y,Z)=(u-1c1,v-1c2,w-1c3)
Look at map E:G3 G3 GT9
e(A,X) e(A,Y) e(A,Z)
e(B,X) e(B,Y) e(B,Z)
e(C,X) e(C,Y) e(C,Z)
Naive proof if a=0
Suppose (A,B,C)=(fr,hs,gr+s)
e(f,Xr) e(f,Yr) e(f,Zr)
e(h,Xs) e(h,Ys) e(h,Zs)
e(g,Xr+s) e(g,Yr+s) e(g,Zr+s)
Give proof = (Xr,Xs,Yr,Ys,Zr,Zs)
Naive proof if a=1
Suppose (X,Y,Z)=(fr,hs,gr+s)
e(f,Ar) e(h,As) e(g,Ar+s)
e(f,Br) e(h,Bs) e(g,Br+s)
e(f,Cr) e(h,Cs) e(g,Cr+s)
Give proof = (Ar,As,Br,Bs,Cr,Cs)
Problem
• Easy to see whether proof verifies down the columns (a=0) or across the rows (a=1) so not witness-indistinguishable
• This was not a problem in the composite order case because the proof (a single group element) was symmetric.
• Ok, so let us try with a symmetric meta-pairing
Meta-pairing II
Try the symmetric map E:G3 G3 GT6
e(A,X)e(X,A) e(A,Y)e(X,B) e(A,Z)e(X,C)
e(B,X)e(Y,A) e(B,Y)e(Y,B) e(B,Z)e(Y,C)
e(C,X)e(Z,A) e(C,Y)e(Z,B) e(C,Z)e(Z,C)
Less naive proof if a=0
If (A,B,C)=(fr,hs,gr+s) and (X,Y,Z)=(u-1fr,v-1hs,w-1gr+s)
e(f,Xr)e(Xr,f) e(f,Yr)e(Xs,h) e(f,Z)e(Xr+s,g)
e(h,Xs)e(Yr,f) e(h,Ys)e(Ys,h) e(f,Z)e(Yr+s,g)
e(g,Xr+s)e(Zr,f) e(g,Yr+s)e(Zs,h) e(f,Zr+s)e(Zr+s,g)
Give proof = (Xr,Xs,Yr,Ys,Zr,Zs)
Less naive proof if a=1
If (A,B,C)=(u1fr,v1hs,w1gr+s) and (X,Y,Z)=(fr,hs,gr+s)
e(Ar,f)e(f,Ar) e(As,h)e(f,Br) e(Ar+s,g)e(f,Cr)
e(Br,f)e(h,As) e(Bs,h)e(h,Bs) e(Br+s,g)e(h,Cs)
e(Cr,f)e(g,Ar+s) e(Cs,h)e(g,Br+s) e(Cr+s,g)e(g,Cr+s)
Give proof = (Ar,As,Br,Bs,Cr,Cs)
Verification
Statement: (A,B,C) and (X,Y,Z)=(u-1A,v-1B,w-1C)
Proof: = (1,2,3,4,5,6)
Verification: Check that E((A,B,C),(X,Y,Z)) equals
e(f,1)e(f,1) e(h,2)e(f,3) e(g,12)e(f,5)
e(f,3)e(h,2) e(h,4)e(h,4) e(g,34)e(h,6)
e(f,5)e(g,12) e(h,6)e(g,34) e(g,56)e(g,56)
Witness-indistinguishable?
Consider a perfectly hiding key with (u,v,w)=(fR,hS,gR+S).
We have two different witnesses because (A,B,C)=(fR+r,hS+s,gR+S+r+s) and (X,Y,Z)=(fr,hs,gr+s)
The proofs are verified in the same way. Are they witness-indistinguishable?
= (XR+r,XS+s,YR+r,YS+s,ZR+r,ZS+s) = (Ar,As,Br,Bs,Cr,Cs)
Well, 1 = fr(R+r), 4 = hs(S+s), 56 = g(r+s)(R+S+r+s)
But, 2 = fr(S+s) or 2 = f(R+r)s
Which can be tested e(h,2)=e(B,X) or e(h,2)=e(A,Y)
Verification
Statement: (A,B,C) and (X,Y,Z)=(u-1A,v-1B,w-1C)
Proof: = (1,2,3,4,5,6)
Verification: Check that E((A,B,C),(X,Y,Z)) equals
e(f,1)e(f,1) e(h,2)e(f,3) e(g,12)e(f,5)
- e(h,4)e(h,4) e(g,34)e(h,6)
- - e(g,56)e(g,56)
Verification
Statement: (A,B,C) and (X,Y,Z)=(u-1A,v-1B,w-1C)
Randomized proof: = (1,ft2,h-t3,4,g-t5,gt6)
Verification: Check that E((A,B,C),(X,Y,Z)) equals
e(f,1)e(f,1) e(h,ft2)e(f,h-t3) e(g,ft12)e(f,g-t5)
- e(h,4)e(h,4) e(g,h-t34)e(h,gt6)
- - e(g,56)e(g,56)
Perfect witness-indistinguishability
• e(A,X)e(X,A) = e(f,1)e(f,1) unique 1
• e(B,Y)e(Y,B) = e(h,4)e(h,4) unique 4
• e(C,Z)e(Z,C) = e(g,56)e(g,56) unique 56
• e(B,Z)e(C,Y) = e(g,34)e(h,6)
• e(A,Z)e(C,X) = e(g,12)e(f,5)
• e(A,Y)e(B,X) = e(h,2)e(f,3)
• Randomization chooses 6 at random by setting 6 gt6 and then everything else is determined
• So either type of witness yields a uniformly random proof satisfying the above equations
Perfect soundness
• Write the commitments as (A,B,C) = (fa,hb,gc) and (X,Y,Z) = (fx,hy,gz)
• The verification equations imply (modulo p)
a(x+y-z) + (x+y-z)a = d1+d3-d5
b(x+y-z) + (x+y-z)b = d2+d4-d6
c(x+y-z) + (x+y-z)c = d1+d2+d3+d4-d5-d6
Giving us
(a+b-c)(x+y-z) + (x+y-z)(a+b-c) = 0
Implying (a+b-c)(x+y-z)=0 so
c=a+b or z=x+y
Choosing two common reference strings
Generate bilinear group (p, G, GT, e, g)
Choose x,y ← Zp*, R,S ← Zp and set
f = gx, h = gy, u = fR, v = hS, w = gR+S
Output two public keys
(p, G, GT, e, f, h, g, u, v, w)
(p, G, GT, e, f, h, g, u, v, wg)
At least one must be perfectly binding, but by decisional linear assumption hard to tell which one
NIWI proof in plain model
• Statement: C• Proof:
(0,1) Krelated(1k)0 P(0,C,w)1 P(1,C,w)
The proof is = (0,1,0,1)
• Verification:Check (0,1) related so at least one is soundCheck (0,C,0) is valid proofCheck (1,C,1) is valid proof
•Perfect completeness•Perfect soundness•Computational witness-indistinguishability
Groth-Ostrovsky-Sahai 06
• NIZK proof for Circuit SAT• Perfect binding key:
– Perfect completeness– Perfect soundness– Computational zero-knowledge
• Perfect hiding key:– Perfect completeness– Computational co-soundness– Perfect zero-knowledge
= (n,G,GT,e,g,h)where ord(h) = q
= (n,G,GT,e,g,h)where ord(h) = n
?
Efficiency problems with non-interactive zero-knowledge proofs
• Non-interactive proofs for general NP-complete language such as Circuit SAT. Any practical statement such as ”the ciphertext c contains a signature on this message m” must go through a size-increasing NP-reduction.
A brief history of non-interactive zero-knowledge proofs continued
Circuit SAT Practical statements
Inefficient
Efficient
Kilian-Petrank 98
Groth-Ostrovsky-Sahai 06
Groth 06
Groth-Sahai 08Coming next
Our goal
• We want high efficiency. Practical non-interactive proofs!
• We want non-interactive proofs for statements arising in practice such as ”the ciphertext c contains a signature on m”. No NP-reduction!
Constructions in bilinear groups
a,c G , b,d Zn
t = b+yd (mod n)
tG = xyayct
tT = e(tG,ctGb)
Non-interactive cryptographic proofs for correctness of constructions
t = b+yd (mod n)
tG = xyayct
tT = e(tG,ctGb)
Are the constructions correct? I do not know
your secret x, y.
Proof
Yes, here is a proof.
Cryptographic constructions
• Constructions can be built from– public exponents and public group elements– secret exponents and secret group elements
• Using any of the bilinear group operations– Addition and multiplication of exponents– Multiplication of elements in G– Bilinear map e
– Multiplication in GT
• Our goal: Non-interactive cryptographic proofs for correctness of a set of bilinear group constructions (soundness holds for the order p subgroups of G and Zn)
Examples of statements we can prove
• Here is a ciphertext c and a signature s. They have been constructed such that s is a signature on the secret plaintext.
• Here are three commitments A,B and C to secret exponents a,b and c. They have been constructed such that c=ab mod p.
Applications of efficient NIWI and NIZK proofs
• Constant size group signaturesBoyen-Waters 07 (independently of our work)Groth 07
• Sub-linear size ring signaturesChandran-Groth-Sahai 07
• Non-interactive NIZK proof for correctness of shuffleGroth-Lu 07
• Non-interactive anonymous credentialsBelienky-Chase-Kohlweiss-Lysyanskaya 08
• …
• Variables• Pairing product equations
• Multi-scalar multiplication equations in G
• Quadratic equations in Zn
Quadratic equations in the bilinear group
tT =mY
i=1
e(xi ;ai ) ¢mY
i=1
mY
j =1
e(xi ;xj )° i j
tG =mY
i=1
xi bi ¢nY
j =1
ayjj ¢mY
i=1
nY
j =1
x° i j yji
t =nX
i=1
biyi +nX
i=1
nX
j =1
°i j yiyj
xi 2 G;yj 2 Zn
Efficient NIWI and NIZK proofs for bilinear groups
• Statement S = (eq1,...,eqN) quadratic bilinear group equations
• Efficient NIWI proofs for satisfiability of all equations in S
• Efficient NIZK proofs for satisfiability of all equations in S if all tT=1
• Common reference string 3k bits• Each variable and each equation costs k bits
Each equation constant cost independent of number of public constants and secret variables. NIWI and NIZK proofs can have sub-linear size compared with statement!
Commitment to group elements
• Common reference string: (n,G,GT,e,g,h)– Real common reference string: h order q
– Simulation common reference string: g = h with Zn*
• Commitment to xiG: ci = xihri ri ← Zn*
• Commitment to yjZn*:dj = gyjhsj sj← Zn*
• Real CRS: Perfect binding in order p subgroups• Simulation CRS: Perfect hiding commitments
– Perfect trapdoor for exponents: g0hs = gyhs-y
Homomorphic properties
• Commitments are homomorphic– cicj = (xihri) (xjhrj) = xixjhri+ri
– didj = (gyihsi) (gyjhsj) = gyi+yjhsi+sj
• Pairing commitments– e(ci,cj) = e(xihri,xjhrj) = e(xi,xj) e(h,xi
rjxjrihrirj)
– e(ci,dj) = e(xihri,gyjhsj) = e(xiyj,g) e(h,xi
sjgyjrihrisj)
– e(di,dj) = e(gyihsi,gyjhsj) = e(g,g)yiyj e(h,gyjsi+yisjhrisj)
Quadratic equation in Zn
t =nX
i=1
biyi +nX
i=1
nX
j =1
°i j yiyj
e(g;g)¡ t ¢nY
i=1
e(g;di )bi ¢nY
i=1
nY
j =1
e(di ;dj )° i j
= e(g;g)¡ t ¢nY
i=1
[e(g;g)bi yi e(g;hbi si )]¢nY
i=1
nY
j =1
[e(g;g)° i j yi yj e(h;gyi sj +yj si hsi sj )° i j )]
= e(g;g)¡ t+
P n
i =1bi yi+
P n
i =1
P n
j =1° i j yi yj e(h;g
P n
i =1bi yi +
P n
i =1
P n
j =1° i j (yi sj +yj si )h
P n
i =1° i j si sj )
• NIWI proof:
• Verifying the NIWI proof:
• Perfect completeness• Perfect soundness modulo p when h has order q• Perfect witness-indistinguishability when h has order n
Quadratic equation in Zn
¼=gP n
i =1bi yi +
P n
i =1
P n
j =1° i j (yi sj +yj si )h
P n
i =1° i j si sj
e(g;g)¡ t ¢Q n
i=1e(g;di )bi ¢
Q ni=1
Q nj =1e(di ;dj )
° i j =e(h;¼)
Multi-exponentiation equation
tG =mY
i=1
xbii ¢nY
j =1
ayjj ¢mY
i=1
nY
j =1
x° i j yji
e(t¡ 1G ;g) ¢mY
i=1
e(ci ;g)bi ¢nY
j =1
e(aj ;dj ) ¢mY
i=1
nY
j =1
e(ci ;dj )° i j
= e(t¡ 1G ¢mY
i=1
xbii ¢nY
j =1
ayjj ¢mY
i=1
nY
j =1
x° i j yji ;g)
¢e(h;gP m
i =1bi r i+
P m
i =1
P n
j =1r i yj ¢h
P m
i =1
P n
j =1° i j r i sj ¢
nY
j =1
asjj ¢mY
i=1
nY
j =1
x° i j sji )
• NIWI proof:
• Verifying the NIWI proof:
• Perfect completeness• Perfect soundness in order p subgroup when h has order q• Perfect witness-indistinguishability when h has order n
Multiexponentiation equation
¼=gP m
i =1bi r i +
P m
i =1
P n
j =1r i yj ¢h
P m
i =1
P n
j =1° i j r i sj ¢
nY
j =1
asjj ¢mY
i=1
nY
j =1
x° i j sji
e(t¡ 1G ;g) ¢mY
i=1
e(ci ;g)bi ¢nY
j =1
e(aj ;dj ) ¢mY
i=1
nY
j =1
e(ci ;dj )° i j =e(h;¼)
Pairing product equation
tT =mY
i=1
e(xi ;ai ) ¢mY
i=1
mY
j =1
e(xi ;xj )° i j
t¡ 1T ¢mY
i=1
e(ci ;ai ) ¢mY
i=1
mY
j =1
e(ci ;cj )° i j
= t¡ 1T ¢mY
i=1
e(xi ;ai ) ¢mY
i=1
mY
j =1
e(xi ;xj )° i j ¢e(h;hP m
i =1
P m
j =1° i j r i r j ¢
mY
i=1
ar ii ¢mY
i=1
mY
j =1
x° i j r j +° j i r ji )
• NIWI proof:
• Verifying the NIWI proof:
• Perfect completeness• Perfect soundness in order p subgroup when h has order q• Perfect witness-indistinguishability when h has order n
Pairing product equation
¼=hP m
i =1
P m
j =1° i j r i r j ¢
mY
i=1
ar ii ¢mY
i=1
mY
j =1
x° i j r j +° j i r ji
t¡ 1T ¢mY
i=1
e(ci ;ai ) ¢mY
i=1
mY
j =1
e(ci ;cj )° i j = e(h;¼)
Full NIWI proof for a set of equations
• Commit to each variable in G
• Commit to each variable in Zn
• Make NIWI proof for each quadratic equation• Make NIWI proof for each multi-expo. equation• Make NIWI proof for each pairing product equation
• Commitments and proofs each cost 1 group element
Properties of the NIWI proof
• Two types of common reference string– Real CRS: h has order q– Simulation CRS: h has order n– Real and simulation strings computationally indistinguishable
• Perfect completeness on both types of strings• Perfect soundness in order p subgroups on real CRS
– Commitments perfectly binding and equation proofs perfectly sound
• Perfect witness-indistinguishability on simulation CRS– Commitments perfectly hiding so can contain any valid witness– The equation proofs are perfectly witness-indistinguishable, so do
not reveal anything about which witness is inside commitments
NIZK proofs
• Is our NIWI proof zero-knowledge?• Problem: The simulator may not know a witness
• Answer:If all pairing product equations have tT=1, then the proof is perfect zero-knowledge on a simulation CRS where h has order n
Simulation common reference string
• The simulated CRS is set up so g = h
• The simulation trapdoor is • We can now make perfectly hiding trapdoor
commitmentsc = gyhs = g0hs+y
• A particular case isg = g1h0 = g0h
Quadratic equations in Zn
• We verify
• Interpret g as a commitment to 1• The verification now corresponds to the equation
• On a real CRS, h has order q, so commitments are perfectly binding and we have soundness modulo p
• On a simulation CRS, we can commit to 0 for all exponents and trapdoor-open the commitment g to 0. This gives a satisfying witness for the equation, so we can simulate the proof.
0= ¡ t ¢1+nX
i=1
biyi +nX
i=1
nX
j =1
°i j yiyj
e(g;g)¡ t ¢Q n
i=1e(g;di )bi ¢
Q ni=1
Q nj =1e(di ;dj )
° i j =e(h;¼)
Multi-exponentiation equations
• We verify
• Interpret g as a commitment to 1• The verification now corresponds to the equation
• On a real CRS, h has order q, so commitments are perfectly binding in the order p subgroup and we have soundness in the order p subgroup
• On a simulation CRS, we commit to xi=1 and y_i=0 and trapdoor open the commitment g to 0. This gives us a satisfying witness so we can simulate the proof.
e(t¡ 1G ;g) ¢mY
i=1
e(ci ;g)bi ¢nY
j =1
e(aj ;dj ) ¢mY
i=1
nY
j =1
e(ci ;dj )° i j =e(h;¼)
1= (t¡ 1G )1mY
i=1
xbii ¢nY
j =1
ayjj ¢mY
i=1
nY
j =1
x° i j yji
Pairing product equations
• We restrict to pairing product equations with tT=1
• This means (x1=1,...,xm=1) is a satisfying witness
Perfect zero-knowledge
• For all three types of equations, we use witness xi=1 and yj=0, so the three types of simulation fit together
• The perfect witness-indistinguishability of the NIWI proof implies perfect zero-knowledge; the real witness cannot be distinguished from the witness we get when trapdoor opening g to 0
Generalizing to other bilinear groups
• G1, G2, GT finite cyclic groups of order n
• g1 generates G1, g2 generates G2
• e: G1 G2 → GT
– e(g1,g2) generates GT
– e(g1a,g2
b) = e(g1,g2)ab
• Deciding membership, group operations, bilinear map efficiently computable
Prime order or composite order
G1 = G2 or G1 ≠ G2
Many possible assumptions: Subgroup Decision, Symmetric External Diffie-Hellman, Decison Linear, ...
Size of NIWI and NIZK proofs
Cost of each variable/equation
Subgroup Decision
Symmetric External DH
Decision Linear
Variable in G1, G2 or Zn
1 2 3
Pairing product(NIZK all tT = 1)
1 8 9
Multiscalar mult. 1 6 9
Quadratic in Zn 1 4 6
Each equation constant cost. Cost independent of number of public constants and secret variables. NIWI proofs can have sub-linear size compared statement!
Bilinear groups as bilinear modules
• View bilinear groups as special cases of modules with a bilinear map
• Commutative ring R• R-modules A1, A2, AT
• Bilinear map f: A1 A2 → AT
• Map to another set of R-modules B1, B2, BT
• Bilinear map F: B1 B2 → BT
Bilinear groups as bilinear modules
• Make commitments to xiA1, yiA2 in B1, B2, BT
• Homomorphic properties carry over to B1, B2, BT
A1 £ A2 ! AT
f¶1 #" p1 ¶2 #" p2 ¶T #" pT
B1 £ B2 ! BT
F
Example: Multi-exponentiation equations
G £ Zn ! G# # exp #
¶1(xi ) = xi ¶2(yi ) = gyi ¶T (tG ) = e(tG ;g)# # #G £ G ! GT
e
Generality continued
• All four types of bilinear group equations can be seen as example of quadratic equations over modules with bilinear map
• The assumptions Subgroup Decision, Symmetric External Diffie-Hellman, Decision Linear, etc., can be interpreted as assumptions in modules with bilinear map as well
Summary
• Practical:– Efficient NIWI and NIZK proofs for practical statements
arising in pairing-based cryptography
• Theoretical:– Perfect zero-knowledge– Witness-indistinguishability in the plain model
• Upcoming: – Quasi-linear size NIZK proofs without pairings– NIZK arguments with smaller size than circuit
Context
Trapdoor permutations: |C| polylog |C| k + poly(k)
Naccache-Stern: |C| polylog |C| + poly(k)
Bilinear groups: |C| k
Fully homomorphic crypto: |w| poly(k)
Bilinear groups + KEA: |C|2/3 k
Random oracle model: polylog |C| k
Open problems
• Even more efficient NIZK proofs• Efficient post-quantum NIZK proofs• NIZK proofs from one-way functions• Non-interactive witness-hiding proofs in plain model• Construct cryptographically useful modules with
bilinear map that are not based on bilinear groups• Continuous NIZK arguments
References
• Chapman et al.: Life of Brian. BBC 1979.• Groth, Sahai: Efficient Non-interactive Proofs for Bilinear
Groups. EUROCRYPT 2008.• Groth, Sahai, Ostrovsky: New Techniques for Non-
interactive Zero-Knowledge. EWSCS 2010.• Lipmaa: Collected works. Springer 1998 -• Rhinehart: The Dice Man. HarperCollins 1971.• Tolkien: Lord of the Rings. Allen and Unwin 1954-1955.• Zhang: Fuzzy Private Matching and Privacy Preserving
Information Retrieval. UCL MSc thesis 2008.
Thanks
?
Any (more) questions?