Non-interactive Zaps and New Techniques for NIZK
Jens Groth
Rafail Ostrovsky
Amit Sahai
University of California Los Angeles
Non-interactive zaps for Circuit SAT
Poly-time algorithms P (prover) and V (verifier)
No common reference string
Perfect completeness: $(C, w)$ so $C(w)=1$: $\pi \leftarrow P(1^k, C, w) : V(1^k, C, \pi)=1$
Perfect soundness: $(C, \pi)$ with $C$ unsatisfiable: $V(1^k, C, \pi)=0$
Computational witness-indistinguishability: $(C, w_0, w_1)$ so $C(w_0)=1$ and $C(w_1)=1$: $P(1^k, C, w_0) \approx P(1^k, C, w_1)$
Comparison
Dwork and Naor, FOCS 2000: 2-round zaps from trapdoor permutations
Barak, Ong and Vadhan, Crypto 2003: Non-interactive zaps by derandomizing Dwork-Naor zaps (non-polynomial assumption)
This talk: Non-interactive zaps based on decisional linear assumption. Proof size $O(|C|k)$ bits
Bilinear groups
$G$, $G_T$ cyclic groups of prime order $p$
$g$ generator for $G$
bilinear map $e: G \times G \to G_T$
$e(g^a, g^b) = e(g, g)^{ab}$
$e(g, g)$ generator for $G_T$
Decisional linear problem [Boneh et al. 04]
$f, h, g, u = f^R, v = h^S, w = g^T$
$T = R+S$ or $T$ random?
Commitment scheme
Public key
$f = g^x, h = g^y, u = f^R, v = h^S, w = g^T$
$pk = (p, G, G_T, e, g, f, h, u, v, w)$
Commitment to $m \in \mathbb{Z}_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s})$
Perfect hiding trapdoor if $T = R+S$: $c = (f^{mR+r}, h^{mS+s}, g^{m(R+S)+r+s})$
Commitment scheme
Commitment to $m \in \mathbb{Z}_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s}) = (c_1, c_2, c_3)$
Perfect binding if $T \neq R+S$
because $c_3 c_1^{-1/x} c_2^{-1/y} = (w u^{-1/x} v^{-1/y})^m = g^{(T-(R+S))m}$ uniquely defines $m$
Commitment scheme
Commitment to $m \in \mathbb{Z}_p$
$c = (u^m f^r, v^m h^s, w^m g^{r+s})$
Homomorphic
$(u^m f^r, v^m h^s, w^m g^{r+s}) \cdot (u^M f^R, v^M h^S, w^M g^{R+S}) = (u^{m+M} f^{r+R}, v^{m+M} h^{s+S}, w^{m+M} g^{r+R+s+S})$
Witness indistinguishable proof of commitment to message 0 or 1
- Perfect sound on perfect binding key
- Perfect WI on perfect trapdoor key
Commitment scheme
Homomorphic
Two types of indistinguishable public keys: perfect trapdoor, perfect binding
Witness indistinguishable proof that commitment contains 0 or 1
Perfect soundness on perfect binding key
Perfect WI on perfect trapdoor key
NIZK proof for Circuit SAT
Circuit SAT is NP complete
[Figure: circuit of two NAND gates with wires $w_1$, $w_2$, $w_3$, $w_4$ and output 1]
NIZK proof for Circuit SAT
[Figure: the same two-NAND-gate circuit, with each wire replaced by a commitment and the output by com(1)]
$c_1 = com(w_1)$, $c_2 = com(w_2)$, $c_3 = com(w_3)$, $c_4 = com(w_4)$
WI proof $c_1$ commit to 0 or 1
WI proof $c_2$ commit to 0 or 1
WI proof $c_3$ commit to 0 or 1
WI proof $c_4$ commit to 0 or 1
WI proof $w_4 = \neg(w_1 \wedge w_2)$
WI proof $1 = \neg(w_4 \wedge w_3)$
WI proof for NAND-gate
Given $c_0, c_1, c_2$ commitments containing bits $b_0, b_1, b_2$ wish to prove $b_2 = \neg(b_0 \wedge b_1)$
$b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0,1\}$
WI proof $c_0 c_1 c_2^2\, com(-2)$ commitment to 0 or 1
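
Added example (not part of the talk): the commitment scheme and the NAND-gate relation above, run in a toy group, the order-1019 subgroup of Z_2039^*, with no pairing. The parameters, the function names, the zero-randomness com(-2) and the brute-force extraction over small messages are assumptions made for illustration; the group is far too small to be secure.

```python
# Toy group (constructed, insecure): order-p subgroup of Z_q^*, q = 2p + 1.
q, p, g = 2039, 1019, 4

def keygen(x, y, R, S, T):
    """pk = (f, h, u, v, w) = (g^x, g^y, f^R, h^S, g^T)."""
    f, h = pow(g, x, q), pow(g, y, q)
    return f, h, pow(f, R, q), pow(h, S, q), pow(g, T % p, q)

def commit(pk, m, r, s):
    """c = (u^m f^r, v^m h^s, w^m g^(r+s)), exponents reduced mod p."""
    f, h, u, v, w = pk
    m, r, s = m % p, r % p, s % p
    return (pow(u, m, q) * pow(f, r, q) % q,
            pow(v, m, q) * pow(h, s, q) % q,
            pow(w, m, q) * pow(g, r + s, q) % q)

def mul(c, d):
    """Componentwise product: commits to the sum of the two messages."""
    return tuple(a * b % q for a, b in zip(c, d))

def extract(c, x, y, R, S, T, bound=4):
    """All small m with c3 * c1^(-1/x) * c2^(-1/y) == g^((T-(R+S))m)."""
    c1, c2, c3 = c
    ix, iy = pow(x, -1, p), pow(y, -1, p)
    t = c3 * pow(c1, -ix % p, q) * pow(c2, -iy % p, q) % q
    base = pow(g, (T - R - S) % p, q)
    return [m for m in range(-bound, bound + 1) if pow(base, m % p, q) == t]

def equivocate(m, r, s, m2, R, S):
    """Trapdoor key (T = R+S): randomness that opens the same c to m2."""
    return (r + (m - m2) * R) % p, (s + (m - m2) * S) % p

def nand_value(pk, bits, rands, key):
    """Extract b0 + b1 + 2*b2 - 2 from c0 * c1 * c2^2 * com(-2)."""
    c0, c1, c2 = (commit(pk, b, r, s) for b, (r, s) in zip(bits, rands))
    combined = mul(mul(c0, c1), mul(mul(c2, c2), commit(pk, -2, 0, 0)))
    return extract(combined, *key)

if __name__ == "__main__":
    binding = (5, 7, 11, 13, 100)       # T != R+S (constructed values)
    trapdoor = (5, 7, 11, 13, 24)       # T == R+S
    rands = [(17, 23), (31, 37), (41, 43)]
    print(nand_value(keygen(*binding), (1, 1, 0), rands, binding))   # valid gate
    print(nand_value(keygen(*binding), (1, 1, 1), rands, binding))   # invalid gate
    print(len(extract(commit(keygen(*trapdoor), 0, 17, 23), *trapdoor)))
```

On the binding key the combined commitment pins down a single value, which lies in {0,1} exactly when the gate is consistent; on the trapdoor key every candidate message matches, and `equivocate` gives the randomness that reopens a commitment to another message.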
NIZK proof for Circuit SAT
Commit to all wires $w_i$ as $c_i = com(w_i)$
For each $i$ make WI proof that $c_i$ contains 0 or 1
For each NAND-gate make WI proof that $c_0 c_1 c_2^2\, com(-2)$ contains 0 or 1
Perfect completeness
Perfect binding key - perfect soundness
Perfect trapdoor key - perfect zero-knowledge
Perfect NIZK on perfect trapdoor key
Simulation: Make trapdoor commitments. Trapdoor-open relevant commitments to 0 and WI prove
Proof that simulation works on $C$ with $w$ so $C(w)=1$:
Can trapdoor-open commitments to $w_i$'s and WI prove. By perfect witness-indistinguishability of the WI proofs indistinguishable from simulation
Can from the start make commitments to $w_i$'s. By perfect hiding of the commitments indistinguishable from previous method
Corresponds to real proof on trapdoor key
Non-interactive zaps
Naïve idea:
Prover chooses public key and makes NIZK proof
Problem: Can choose trapdoor key and prove anything
Better idea:
Prover chooses two public keys and makes an NIZK proof with each of them
Makes choice so:
One is trapdoor, one is perfect binding
Verifiable that at least one key is perfect binding
Verifier cannot tell which key is trapdoor
Choosing two keys
Generate group $(p, G, G_T, e, g)$
E.g., elliptic curve $E: y^2 = x^3 + 1 \bmod q$, where $q$ is the smallest suitable prime so that $E$ has an order $p$ subgroup. Easy to verify $p$ is prime, $p$ defines $(G, G_T, e)$, easy to verify that $g$ is an order $p$ point on the curve.
Choose $x, y \leftarrow \mathbb{Z}_p^*$, $R, S \leftarrow \mathbb{Z}_p$ and set
$f = g^x, h = g^y, u = f^R, v = h^S, w = g^{R+S}$
Output two public keys
$(p, G, G_T, e, g, f, h, u, v, w)$
$(p, G, G_T, e, g, f, h, u, v, wg)$
At least one must be perfectly binding, but by decisional linear assumption hard to tell which one
Witness-indistinguishability
Circuit $C$ and two witnesses $w_0$, $w_1$
• Generate $pk_0$ perfect trapdoor and $pk_1$ perfect binding
• NIZK proof using $w_0$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
• Simulate proof on trapdoor $pk_0$; NIZK proof using $w_0$ on $pk_1$
• NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
• Switch to $pk_0$ perfect binding and $pk_1$ perfect trapdoor
• NIZK proof using $w_1$ on $pk_0$; simulate proof on trapdoor $pk_1$
• NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_1$ on $pk_1$
• Switch back to $pk_0$ perfect trapdoor and $pk_1$ perfect binding
WI proof for message 0 or 1
$(c_1, c_2, c_3) = (u^m f^r, v^m h^s, w^m g^{r+s})$
$(c_1, c_2, c_3)$ is commitment to 0 or 1 if and only if $(c_1, c_2, c_3)$ or $(c_1/u, c_2/v, c_3/w)$ contain 0
$(c_1, c_2, c_3)$ contains 0 if and only if
$(c_1, c_2, c_3^{-1}) = (f^r, h^s, g^{-(r+s)})$
Similarly for $(c_1/u, c_2/v, c_3/w)$
We'll present a general proof that given $(A=f^a, B=h^b, C=g^c)$ and $(X=f^x, Y=h^y, Z=g^z)$ then $(a+b+c)(x+y+z)=0$
WI proof for message 0 or 1
Examine matrix:
$$\begin{pmatrix} e(A, X) & e(A, Y) & e(A, Z) \\ e(B, X) & e(B, Y) & e(B, Z) \\ e(C, X) & e(C, Y) & e(C, Z) \end{pmatrix}$$
Note that verifier can generate this matrix
WI proof for message 0 or 1
Suppose prover knows $(a, b, c)$
$$\begin{pmatrix} e(f, X^a) & e(f, Y^a) & e(f, Z^a) \\ e(h, X^b) & e(h, Y^b) & e(h, Z^b) \\ e(g, X^c) & e(g, Y^c) & e(g, Z^c) \end{pmatrix}$$
The right-hand entries convince the verifier that $a+b+c=0$ (each column multiplies to 1)
Similarly, if prover knows $(x, y, z)$ can reveal left-hand entries and rows multiply to 1
Bad: Tells verifier which witness used
WI proof for message 0 or 1
Blind across diagonal
$$\begin{pmatrix} e(f, X^a) & e(f, h^t Y^a) & e(f, g^{-t} Z^a) \\ e(h, f^{-t} X^b) & e(h, Y^b) & e(h, g^t Z^b) \\ e(g, f^t X^c) & e(g, h^{-t} Y^c) & e(g, Z^c) \end{pmatrix}$$
If both $a+b+c=0$ and $x+y+z=0$ then matrix is distributed identical to its transpose
It hides perfectly whether we are looking at rows or columns
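
Added example (not part of the talk): the blinded matrix in a toy "exponent" model, where every group element is stored as its discrete log to base g, so the pairing becomes multiplication mod p. The modulus, the function names and the symmetric-pair check (which follows from bilinearity but is not spelled out on the slides) are assumptions made for illustration; the model is insecure and only checks the algebra.

```python
p = 1019  # constructed toy prime; every group element is stored as its discrete log

def pair(a, b):
    """e(g^a, g^b) = e(g, g)^(ab): on logs the pairing is multiplication mod p."""
    return a * b % p

def blinded_matrix(f, h, wit, XYZ, t):
    """Logs of the right-hand entries; f, h are the logs of f, h and log g = 1."""
    (a, b, c), (X, Y, Z) = wit, XYZ
    return [[a * X % p,            (t * h + a * Y) % p,  (-t + a * Z) % p],
            [(-t * f + b * X) % p, b * Y % p,            (t + b * Z) % p],
            [(t * f + c * X) % p,  (-t * h + c * Y) % p, c * Z % p]]

def check(f, h, ABC, XYZ, M):
    """Column products are 1, and pairings match e(A,X)... up to the blinding."""
    base = (f, h, 1)
    P = [[pair(base[i], M[i][j]) for j in range(3)] for i in range(3)]
    V = [[pair(ABC[i], XYZ[j]) for j in range(3)] for i in range(3)]
    # Product of group elements = sum of logs; identity element has log 0.
    cols = all(sum(M[i][j] for i in range(3)) % p == 0 for j in range(3))
    # The blinding factor e(f,h)^t etc. cancels between entries (i,j) and (j,i).
    sym = all((P[i][j] + P[j][i] - V[i][j] - V[j][i]) % p == 0
              for i in range(3) for j in range(i, 3))
    return cols and sym

def run(wit, t, f=5, h=7, xyz=(2, 9, 6)):
    """Build A=f^a, B=h^b, C=g^c and X=f^x, Y=h^y, Z=g^z, then prove and check."""
    base = (f, h, 1)
    ABC = tuple(base[i] * wit[i] % p for i in range(3))
    XYZ = tuple(base[i] * xyz[i] % p for i in range(3))
    return check(f, h, ABC, XYZ, blinded_matrix(f, h, wit, XYZ, t))

if __name__ == "__main__":
    print(run((3, 4, p - 7), t=0))    # a+b+c = 0, unblinded
    print(run((3, 4, p - 7), t=123))  # a+b+c = 0, blinded across the diagonal
    print(run((3, 4, 5), t=123))      # a+b+c != 0
```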