
Non-interactive Zaps and New Techniques for NIZK

Jens Groth, Rafail Ostrovsky, Amit Sahai
University of California Los Angeles

Witness-indistinguishability

[Slide illustration labels: potential witnesses, burglar, witness]
One of the witnesses, but which one?

Non-interactive zaps for Circuit SAT

Poly-time algorithms P (prover) and V (verifier)
No common reference string
Perfect completeness: $\forall (C, w)$ so $C(w)=1$: $\pi \leftarrow P(1^k, C, w)$ : $V(1^k, C, \pi)=1$
Perfect soundness: $\forall (C, \pi)$ with $C$ unsatisfiable: $V(1^k, C, \pi)=0$
Computational witness-indistinguishability: $\forall (C, w_0, w_1)$ so $C(w_0)=1$ and $C(w_1)=1$: $P(1^k, C, w_0) \approx P(1^k, C, w_1)$

Comparison

Dwork and Naor, FOCS 2000: 2-round zaps from trapdoor permutations
Barak, Ong and Vadhan, Crypto 2003: Non-interactive zaps by derandomizing Dwork-Naor zaps (non-polynomial assumption)
This talk: Non-interactive zaps based on decisional linear assumption. Proof size $O(|C|k)$ bits

Bilinear groups

$G$, $G_T$ cyclic groups of prime order $p$
$g$ generator for $G$
Bilinear map $e: G \times G \to G_T$
$e(g^a, g^b) = e(g, g)^{ab}$
$e(g, g)$ generator for $G_T$

Decisional linear problem [Boneh et al. 04]

Given $f, h, g, u = f^R, v = h^S, w = g^T$: is $T = R+S$ or $T$ random?

Commitment scheme

Public key: $f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^T$
$pk = (p, G, G_T, e, g, f, h, u, v, w)$
Commitment to $m \in \mathbb{Z}_p$: $c = (u^m f^r, v^m h^s, w^m g^{r+s})$

Perfect hiding trapdoor if $T = R+S$:
$c = (f^{mR+r}, h^{mS+s}, g^{m(R+S)+r+s})$

Perfect binding if $T \neq R+S$:
$c = (c_1, c_2, c_3)$, because $c_3 c_1^{-1/x} c_2^{-1/y} = (w u^{-1/x} v^{-1/y})^m = g^{(T-(R+S))m}$ uniquely defines $m$

Homomorphic:
$(u^m f^r, v^m h^s, w^m g^{r+s}) \cdot (u^M f^R, v^M h^S, w^M g^{R+S}) = (u^{m+M} f^{r+R}, v^{m+M} h^{s+S}, w^{m+M} g^{r+R+s+S})$

Witness indistinguishable proof of commitment to message 0 or 1
• Perfect sound on perfect binding key
• Perfect WI on perfect trapdoor key

Commitment scheme (recap)

Homomorphic
Two types of indistinguishable public keys: perfect trapdoor, perfect binding
Witness indistinguishable proof that commitment contains 0 or 1
• Perfect soundness on perfect binding key
• Perfect WI on perfect trapdoor key

NIZK proof for Circuit SAT

Circuit SAT is NP complete
[Figure: circuit with input wires w1, w2, w3; a NAND gate outputs w4 and a second NAND gate outputs 1.]

[Figure: the same circuit annotated with commitments $c_1 = com(w_1)$, $c_2 = com(w_2)$, $c_3 = com(w_3)$, $c_4 = com(w_4)$ and output $com(1)$. A WI proof shows that each of $c_1, \dots, c_4$ is a commitment to 0 or 1, and a WI proof is given for each NAND gate: $w_4 = \neg(w_1 \wedge w_2)$ and $1 = \neg(w_4 \wedge w_3)$.]

WI proof for NAND-gate

Given $c_0, c_1, c_2$ commitments containing bits $b_0, b_1, b_2$, wish to prove $b_2 = \neg(b_0 \wedge b_1)$
$b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$
WI proof that $c_0 c_1 c_2^2 \, com(-2)$ is a commitment to 0 or 1

NIZK proof for Circuit SAT

Commit to all wires $w_i$ as $c_i = com(w_i)$
For each $i$ make WI proof that $c_i$ contains 0 or 1
For each NAND-gate make WI proof that $c_0 c_1 c_2^2 \, com(-2)$ contains 0 or 1
Perfect completeness
Perfect binding key - perfect soundness
Perfect trapdoor key - perfect zero-knowledge

Perfect NIZK on perfect trapdoor key

Simulation: Make trapdoor commitments. Trapdoor-open relevant commitments to 0 and WI prove.
Proof that simulation works on $C$ with $w$ so $C(w)=1$:
• Can trapdoor-open commitments to $w_i$’s and WI prove. By perfect witness-indistinguishability of the WI proofs, indistinguishable from simulation.
• Can from the start make commitments to $w_i$’s. By perfect hiding of the commitments, indistinguishable from previous method.
• Corresponds to real proof on trapdoor key.

Non-interactive zaps

Naïve idea: Prover chooses public key and makes NIZK proof
Problem: Can choose trapdoor key and prove anything
Better idea: Prover chooses two public keys and makes an NIZK proof with each of them
Makes choice so:
• One is trapdoor, one is perfect binding
• Verifiable that at least one key is perfect binding
• Verifier cannot tell which key is trapdoor

Choosing two keys

Generate group $(p, G, G_T, e, g)$
E.g., elliptic curve $E: y^2 = x^3 + 1 \bmod q$, where $q$ is the smallest suitable prime so $E$ has an order $p$ subgroup. Easy to verify $p$ is prime, $p$ defines $(G, G_T, e)$, easy to verify that $g$ is an order $p$ point on the curve.
Choose $x, y \leftarrow \mathbb{Z}_p^*$ and $R, S \leftarrow \mathbb{Z}_p$ and set $f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^{R+S}$
Output two public keys:
$(p, G, G_T, e, g, f, h, u, v, w)$
$(p, G, G_T, e, g, f, h, u, v, wg)$
At least one must be perfectly binding, but by the decisional linear assumption it is hard to tell which one

Witness-indistinguishability

Circuit $C$ and two witnesses $w_0, w_1$
• Generate $pk_0$ perfect trapdoor and $pk_1$ perfect binding
• NIZK proof using $w_0$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
• Simulate proof on trapdoor $pk_0$; NIZK proof using $w_0$ on $pk_1$
• NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_0$ on $pk_1$
• Switch to $pk_0$ perfect binding and $pk_1$ perfect trapdoor
• NIZK proof using $w_1$ on $pk_0$; simulate proof on trapdoor $pk_1$
• NIZK proof using $w_1$ on $pk_0$; NIZK proof using $w_1$ on $pk_1$
• Switch back to $pk_0$ perfect trapdoor and $pk_1$ perfect binding

WI proof for message 0 or 1

$(c_1, c_2, c_3) = (u^m f^r, v^m h^s, w^m g^{r+s})$
$(c_1, c_2, c_3)$ is a commitment to 0 or 1 if and only if $(c_1, c_2, c_3)$ or $(c_1/u, c_2/v, c_3/w)$ contain 0
$(c_1, c_2, c_3)$ contains 0 if and only if $(c_1, c_2, c_3^{-1}) = (f^r, h^s, g^{-(r+s)})$
Similarly for $(c_1/u, c_2/v, c_3/w)$
We’ll present a general proof that given $(A = f^a, B = h^b, C = g^c)$ and $(X = f^x, Y = h^y, Z = g^z)$ then $(a+b+c)(x+y+z) = 0$

Examine matrix:

$$\begin{pmatrix} e(A, X) & e(A, Y) & e(A, Z) \\ e(B, X) & e(B, Y) & e(B, Z) \\ e(C, X) & e(C, Y) & e(C, Z) \end{pmatrix}$$

Note that the verifier can generate this matrix

Suppose prover knows $(a, b, c)$:

$$\begin{pmatrix} e(f, X^a) & e(f, Y^a) & e(f, Z^a) \\ e(h, X^b) & e(h, Y^b) & e(h, Z^b) \\ e(g, X^c) & e(g, Y^c) & e(g, Z^c) \end{pmatrix}$$

The right-hand entries convince the verifier that $a+b+c = 0$ (each column multiplies to 1)
Similarly, if prover knows $(x, y, z)$ can reveal left-hand entries and rows multiply to 1
Bad: Tells verifier which witness used

Blind across diagonal:

$$\begin{pmatrix} e(f, X^a) & e(f, h^t Y^a) & e(f, g^{-t} Z^a) \\ e(h, f^{-t} X^b) & e(h, Y^b) & e(h, g^t Z^b) \\ e(g, f^t X^c) & e(g, h^{-t} Y^c) & e(g, Z^c) \end{pmatrix}$$

If both $a+b+c = 0$ and $x+y+z = 0$ then the matrix is distributed identically to its transpose
It hides perfectly whether we are looking at rows or columns

Summary

Homomorphic commitments with indistinguishable trapdoor/binding keys and WI proofs for message 0 or 1
NIZK proofs from such commitments
Simple and efficient $O(|C|k)$ bit-size non-interactive zaps
• Perfect completeness
• Perfect soundness
• Computational WI
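
The commitment scheme, the NAND-gate relation and the "Choosing two keys" step above can be checked numerically. The following is an added example, not code from the talk or its authors. It assumes a constructed toy group (the order-1019 subgroup of Z_2039^*, far too small to be secure) and uses extraction with the secret exponents (x, y) as a stand-in for the WI proof, which would need a pairing; all function names are hypothetical.

```python
import secrets

# Toy group, constructed for illustration only (far too small to be secure):
# the order-P subgroup of Z_Q^* with Q = 2P + 1, generated by G.
Q, P, G = 2039, 1019, 4

def keygen_pair():
    """'Choosing two keys': shared (f, h, u, v), with w = g^(R+S) and w*g."""
    x, y = 1 + secrets.randbelow(P - 1), 1 + secrets.randbelow(P - 1)
    R, S = secrets.randbelow(P), secrets.randbelow(P)
    f, h = pow(G, x, Q), pow(G, y, Q)
    u, v, w = pow(f, R, Q), pow(h, S, Q), pow(G, R + S, Q)
    trapdoor_pk, binding_pk = (f, h, u, v, w), (f, h, u, v, w * G % Q)
    return trapdoor_pk, binding_pk, (x, y, R, S)

def commit(pk, m, r, s):
    """c = (u^m f^r, v^m h^s, w^m g^(r+s)); m is reduced mod P."""
    f, h, u, v, w = pk
    m %= P
    return (pow(u, m, Q) * pow(f, r, Q) % Q,
            pow(v, m, Q) * pow(h, s, Q) % Q,
            pow(w, m, Q) * pow(G, r + s, Q) % Q)

def mul(c, d):
    """Homomorphic product: messages and randomness add."""
    return tuple(a * b % Q for a, b in zip(c, d))

def extract(c, x, y):
    """c3 * c1^(-1/x) * c2^(-1/y) = g^((T-(R+S)) m): g^m if T = R+S+1, 1 if T = R+S."""
    e1, e2 = -pow(x, -1, P) % P, -pow(y, -1, P) % P
    return c[2] * pow(c[0], e1, Q) * pow(c[1], e2, Q) % Q

def equivocate(m, r, s, m_new, R, S):
    """Trapdoor opening (needs T = R+S): same commitment, different message."""
    d = m - m_new
    return m_new, (r + d * R) % P, (s + d * S) % P

def nand_relation_holds(pk, x, y, b0, b1, b2):
    """Form c0*c1*c2^2*com(-2) and test whether it contains 0 or 1."""
    c0, c1, c2 = (commit(pk, b, secrets.randbelow(P), secrets.randbelow(P))
                  for b in (b0, b1, b2))
    # Assumption: com(-2) uses randomness 0 so that anyone can recompute it.
    combo = mul(mul(c0, c1), mul(mul(c2, c2), commit(pk, -2, 0, 0)))
    return extract(combo, x, y) in (1, G)
```

On the binding key the extracted value pins down the message, while on the trapdoor key every commitment extracts to 1 and can be reopened to any message, which is why a verifier must be sure at least one of the two keys is binding.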
