Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs
Jens Groth
University College London
Non-interactive zero-knowledge proof
Prover VerifierSoundness:Statement is true
Zero-knowledge:Nothing but truth revealed
Statement: xL
Proof:
(x,w)RL
Common reference string:0100…11010
Non-interactive zero-knowledge proofs
• Statement C is satisfiable circuit• Perfect completeness• Statistical soundness• Computational zero-knowledge
• Uniformly random common reference string• Efficient prover – probabilistic polynomial time• Deterministic polynomial time verifier
Adaptive soundness:Adversary sees CRS before attempting to cheat with false (C,)
Our results
• Security level: 2-k
• Trapdoor perm size: kT = poly(k)
• Circuit size: |C| = poly(k)• Witness size: |w| |C|
CRS in bits Proof in bits Assumption
Kilian-Petrank |C|∙kT∙k∙(log k) |C|∙kT∙k∙(log k) Trapdoor perms
This talk |C|∙kT∙polylog(k) |C|∙kT∙polylog(k) Trapdoor perms
CRS in bits Proof in bits Assumption
Gentry poly(k) |w|∙poly(k) Lattice-based + NIZK
G-Ostrovsky-Sahai k3/polylog(k) |C|∙k3/polylog(k) Pairing-based
This talk |C|∙polylog(k) |C|∙polylog(k) Naccache-Stern
Other work poly(k) |w| + poly(k) FHE + NIZK
Encrypted random bits
Statement: xL
CRS(x,w)RL
01...0
11…1
00…1
10…0K(1k) (pk,sk)
c1
c2
c3
c4
Epk(0;r1)
Epk(1;r2)
Epk(0;r3)
Epk(1;r4)
c1
1 ; r2
c3
0 ; r4
Using hidden random bits for NIZK
• Random bits not useful; need bits with structure• Use statistical sampling to get “good” blocks
10
11
00
01
Probably hidden pairs
are 00 and 11
Idea in Kilian-Petrank
• Interpret pairs of bits as truth values– T = {01,10} F = {00,11}
10
11
00
01
T
F
F
T
?0
1?
0?
?1
Zero-knowledge:Does ?1 correspond to T = 01 or F = 11?
Soundness:F can only be opened one way
Completeness:T can be opened as 0 or 1
Soundness
• If not a satisfying assignment there is a clause where all literals are false– x1 x2 x3 gives F F F
• There is 50% chance to catch a cheating prover– 11, 00, 00 has no opening to XOR = 0 so prover caught– 11, 00, 11 can be opened to XOR = 0 so prover lucky
• Will use repetition to decrease prover’s chance
Consistency problem
• Cannot let prover designate truth-value pairs to literals because a cheating prover might choose an inconsistent assignment
• Need to ensure prover chooses correct and consistent assignment
Consistency
• Interpret 12-blocks of bits as 6 truth values– Good block = TTTFFF or FFFTTT
TTTFFF
FTFTFF
FFFTTT
FTFFTF
I see many bad blocks. Statistically
the remaining hidden blocks are good.
Consistency
• Divide hidden random bit-string into 12-bit blocks• Call a block of 6 truth-value pairs for good if it is of
one of these two formsTTTFFF or FFFTTT
• Prover reveals all bits associated with bad blocks such that only good blocks remain
Using blocks
• Remaining good blocks
TTT FFF
FFF TTT
FFF TTT
TTT FFF
x1 = Fx2 = Tx3 = Fx4 = F
TT? FFF
FF? TTT
FFF TT?
TT? FFF
10? 011
01? 110
111 10?
01? 110
Unrevealed bit-pair shows positive/negative
literals for variable
Positive literalsNegative literals
Using blocks
• After discarding bad blocks the remaining hidden blocks are statistically speaking mostly good
• We assign each block to a variable xi in a deterministic way
• Each block has 6 truth-values TTTFFF or FFFTTT– If xi = T reveal 5 bits in TTTFF? or FF?TTT
– If xi = F reveal 5 bits in TT?FFF or FFFTT?
– Revelations correspond to 5 appearances xi, xi, xi, xi, xi
• The last unrevealed truth-value uniquely determines the assignment of truth-values to literals
• The verifier now checks all clauses XOR to 0
Soundness
• The prover has several degrees of freedom– Can choose which false statement to prove– Can choose the public key for the encryption scheme,
each one of which will give different hidden random bits– Can choose the truth-value assignment– May leave a few bad blocks unrevealed
• Use repetition to lower risk of cheating– Instead of revealing single bits for each literal we will
reveal several bit-strings and in each clause all bit-strings most XOR to 0
• Statistical analysis shows with sufficient repetition a prover has negligible chance of cheating
Two new techniques
• More efficient use of hidden random bits– Kilian-Petrank: |C|∙k∙(log(k)) hidden random bits– This work: |C|∙polylog(k) hidden random bits
• More efficient implementation of hidden bits– Trapdoor permutations:
kT = poly(k) bits per hidden random bit
– Naccache-Stern encryption:O(log k) bits per hidden random bit
Traditional proofs
Statement: xL
(x,w)RL
Proof:The statement is true because bla bla bla bla bla bla bla bla. QED
I’d better read it very
carefully
Probabilistically checkable proofs
Statement: xL
(x,w)RL
Proof:The statement is true because bla bla bla bla bla bla bla bla. QED
Ok, let me spot check in random
places
Witness-preserving assignment tester
• Polynomial time algorithms f, fw:
f: C belongs to gap-3SAT5fw: w x if C(w)=1 then (x)=1
• With the most efficient probabilistically checkable proofs (Dinur 07 combined with BenSasson-Sudan 08) we have || = |C| polylog(k)
Strategy
• Want to prove C is satisfiable• Compute = f(C) and prove that it is satisfiable
using Kilian-Petrank techniques from before• With the most efficient assignment testers we
have || = |C| polylog(k) so statement is larger• However, since allows for a constant fraction of
“errors” less repetition is needed to make the overall soundness error negligible
• It is ok if the prover cheats on some clauses as long as cannot cheat on a constant fraction
Remarks
• Probabilistically checkable proofs have been used in interactive zero-knowledge proofs– Prover commits to PCP– Verifier chooses at random some parts to check– Prover opens and reveals those parts of the PCP
• We are using PCPs in a different way– The verifier will check all parts of the PCP– The checks have a small error probability– But unlikely that prover can cheat on a constant fraction
Implementing the hidden random bits model
Statement: xL
CRS(x,w)RL
01...0
11…1
00…1
10…0K(1k) (pk,sk)
c1
c2
c3
c4
Epk(0;r1)
Epk(1;r2)
Epk(0;r3)
Epk(1;r4)
c1
1 ; r2
c3
0 ; r4
Naccache-Stern encryption
• pk = (M,P,g) sk = (M)– M is an RSA modulus
– P = p1p2…pd where p1,…,pd are O(log k) bit primes
– P | ord(g) = (M)/4 and |P| = (|M|)
• Epk(m;r) = gmrP mod M
• Dsk(c): For each pi compute m mod pi
c(M)/pi = (gmrP)(M)/pi = (gm(M)/pi)(r(M)P/pi) = (g(M)/pi)m
Chinese remainder gives us m mod P
Naccache-Stern implementation of hidden bits
Statement: xL
CRS(x,w)RL
01...0
11…1
00…1
10…0K(1k) (pk,sk)
c1
c2
c3
c4
Epk(010;r1)
Epk(101;r2)
Epk(011;r3)
Epk(110;r4)
?1? ; 1
10? ; 2
??1 ; 3
??? ; 4
0 if m mod pi even1 if m mod pi odd if m mod pi is -1
Revealing part of Naccache-Stern plaintext
• Ciphertext c = gmrP
• How to prove that m = x mod pi?
• Prover reveals such that P = (cg-x)P/pi
• We can raise both sides to (M)/P• Gives us (M) = (gm-xrP)(M)/pi = (g(M)/pi)m-x • Implies 1 = (g(M)/pi)m-x
• Since the order of (g(M)/pi) is pi this shows m = x mod pi
Revealing part of Naccache-Stern plaintext
• Ciphertext c = gmrP
• How to prove that m = x mod pi?
• Prover reveals such that P = (cg-x)P/pi
• Can compute the proof as = (cg-x)(P-1 mod (M)/P)P/pi
• Can randomize proof by multiplying with s(M)/P
• Generalizes to reveal m = x mod iSpi with a proof consisting of one group element
Zero-knowledge
• Simulator sets up pk = (M,P,g) such that ord(g) = (M)/4P and g = hP mod M
• Simulator also sets up the CRS such that it contains ciphertexts of the form c = sP mod M
• For any m ZP we can compute r = h-ms mod M such that
sP = gm(g-m)sP = gmh-mPsP = gmrP mod M• This means the simulator can open each
ciphertext to arbitrary hidden bits using = r
Final step – showing the key is valid
• The public key is pk = (M,P,g)
• The verifier can easily check P is a product of small primes p1,…,pd
• But needs to be convinced M and g are ok
• Can do this with trapdoor permutation based NIZK– Statement is small so it does not affect total cost
– Trapdoor permutations implied by Naccache-Stern
• So we use a small seeder NIZK to build large scale NIZK from Naccache-Stern encryption
Summary
• Technique 1: Reduce soundness error with probabilistically checkable proofs
• Technique 2: Implement hidden random bit string with Naccache-Stern encryption
Hidden bits Proof in bits Assumption
Kilian-Petrank |C|∙kT∙k∙(log k) |C|∙kT∙k∙(log k) Trapdoor perms
This work |C|∙kT∙polylog(k) |C|∙kT∙polylog(k) Trapdoor perms
CRS in bits Proof in bits Assumption
Gentry poly(k) |w|∙poly(k) Lattice-based + NIZK
G-Ostrovsky-Sahai k3/polylog(k) |C|∙k3/polylog(k) Pairing-based
This talk |C|∙polylog(k) |C|∙polylog(k) Naccache-Stern
Other work poly(k) |w| + poly(k) FHE + NIZK