Short Non-interactive Zero-Knowledge Proofs
Jens Groth
University College London
Non-interactive zero-knowledge proof
Prover, Verifier
Soundness: Statement is true
Zero-knowledge: Nothing but truth revealed
CRS: 0100…11010
Statement: xL
Proof:
(x,w)RL
Non-interactive zero-knowledge proofs
• Statement C is satisfiable circuit
• Perfect completeness
• Statistical soundness
• Computational zero-knowledge
• Uniformly random common reference string
• Efficient prover – probabilistic polynomial time
• Deterministic polynomial time verifier
Adaptive soundness: Adversary sees CRS before attempting to cheat with false (C,)
Our results
• Security level: $2^{-k}$
• Trapdoor perm size: $k_T$ = poly(k)
• Circuit size: |C| = poly(k)
• Witness size: |w| |C|

                     CRS in bits                                Proof in bits                              Assumption
Kilian-Petrank       $|C| \cdot k_T \cdot k \cdot (\log k)$     $|C| \cdot k_T \cdot k \cdot (\log k)$     Trapdoor perms
This work            $|C| \cdot k_T \cdot \mathrm{polylog}(k)$  $|C| \cdot k_T \cdot \mathrm{polylog}(k)$  Trapdoor perms

                     CRS in bits                     Proof in bits                             Assumption
Gentry               poly(k)                         $|w| \cdot \mathrm{poly}(k)$              Lattice-based
G-Ostrovsky-Sahai    $k^3/\mathrm{polylog}(k)$       $|C| \cdot k^3/\mathrm{polylog}(k)$       Pairing-based
This work            $|C| \cdot \mathrm{polylog}(k)$ $|C| \cdot \mathrm{polylog}(k)$           Naccache-Stern
Hidden random string - soundness
Statement: xL
(x,w)RL
Hidden random string: 0 1 0 1
Hidden random string – zero-knowledge
Statement: xL
0 1
Two new techniques
• More efficient use of hidden random bits
  – Kilian-Petrank: $|C| \cdot k \cdot (\log k)$ hidden random bits
  – This work: $|C| \cdot \mathrm{polylog}(k)$ hidden random bits
• More efficient implementation of hidden bits
  – Trapdoor permutations: $k_T$ = poly(k) bits per hidden random bit
  – Naccache-Stern encryption: O(log k) bits per hidden random bit
Implementing the hidden random bits model
Statement: xL
(x,w)RL
01...0    11…1    00…1    10…0
$K(1^k)$ (pk,sk)
$c_1$    $c_2$    $c_3$    $c_4$
$E_{pk}(0;r_1)$    $E_{pk}(1;r_2)$    $E_{pk}(0;r_3)$    $E_{pk}(1;r_4)$
$c_1$    $1 ; r_2$    $c_3$    $0 ; r_4$
Naccache-Stern encryption
• pk = (M,P,g), sk = (M)
  – M is an RSA modulus
  – $P = p_1 p_2 \cdots p_d$ where $p_1,\ldots,p_d$ are O(log k) bit primes
  – P | ord(g) = (M)/4 and |P| = O(|M|)
• $E_{pk}(m;r) = g^m r^P \bmod M$
• $D_{sk}(c)$: For each $p_i$ compute $m \bmod p_i$
  $c^{(M)/p_i} = (g^{(M)/p_i})^m$
  Chinese remainder gives m mod P
Naccache-Stern implementation of hidden bits
Statement: xL
(x,w)RL
01...0    11…1    00…1    10…0
$K(1^k)$ (pk,sk)
$c_1$    $c_2$    $c_3$    $c_4$
$E_{pk}(010;r_1)$    $E_{pk}(101;r_2)$    $E_{pk}(011;r_3)$    $E_{pk}(110;r_4)$
?1? ; 1    10? ; 2    ??1 ; 3    ??? ; 4
0 if $m \bmod p_i$ even
1 if $m \bmod p_i$ odd
 if $m \bmod p_i$ is -1
Revealing part of Naccache-Stern plaintext
• Ciphertext $c = g^m r^P$
• How to prove that $m = x \bmod p_i$?
• Prover reveals such that P = $(c g^{-x})^{P/p_i}$
• Shows (M) = $(g^{m-x} r^P)^{(M)/p_i} = (g^{(M)/p_i})^{m-x}$
• Can compute the proof as = $(c g^{-x})^{(P^{-1} \bmod (M)/P) \cdot P/p_i}$
• Can randomize proof by multiplying with $s^{(M)/P}$
• Generalizes to reveal m mod iSpi with a proof consisting of one group element
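The three Naccache-Stern slides above (encryption and decryption, reading hidden bits from residues, and revealing one residue with a single group element) can be exercised end to end with toy numbers. This is an added example, not code from the talk; the primes 3, 5, 7 and modulus 31·29 are constructed and insecure, the exponent written "(M)" in the extracted text is assumed to be Euler's totient of M, and `None` is this example's own marker for the "-1" residue.

```python
# Added toy example: Naccache-Stern hidden bits (insecure constructed parameters).
from math import gcd, prod

PRIMES = [3, 5, 7]                      # p_1..p_d (constructed; real ones are O(log k)-bit)
P = prod(PRIMES)                        # P = p_1 * ... * p_d = 105
M, PHI = 31 * 29, 30 * 28               # RSA modulus and phi(M) (assumed secret key)
assert PHI % P == 0 and gcd(P, PHI // P) == 1

def find_g():
    """Smallest g whose order is divisible by every p_i (so P | ord(g))."""
    for g in range(2, M):
        if gcd(g, M) == 1 and all(pow(g, PHI // pi, M) != 1 for pi in PRIMES):
            return g
    raise ValueError("no suitable g")

G = find_g()

def encrypt(m, r):
    """E_pk(m; r) = g^m * r^P mod M, with r coprime to M."""
    return pow(G, m, M) * pow(r, P, M) % M

def residues(c):
    """D_sk step: c^(phi/p_i) = (g^(phi/p_i))^m, solved for m mod p_i by search."""
    out = []
    for pi in PRIMES:
        target, base = pow(c, PHI // pi, M), pow(G, PHI // pi, M)
        out.append(next(x for x in range(pi) if pow(base, x, M) == target))
    return out

def decrypt(c):
    """Chinese remainder theorem combines the residues into m mod P."""
    return sum(x * (P // pi) * pow(P // pi, -1, pi)
               for x, pi in zip(residues(c), PRIMES)) % P

def hidden_bits(c):
    """Residue -1 carries no bit (None, this example's marker); else parity."""
    return [None if x == pi - 1 else x % 2 for x, pi in zip(residues(c), PRIMES)]

def prove(c, x, i):
    """One group element showing m = x mod p_i; computing it needs phi(M)."""
    e = pow(P, -1, PHI // P) * (P // PRIMES[i])
    return pow(c * pow(G, -x, M) % M, e, M)

def verify(c, x, i, proof):
    """Public check: proof^P == (c * g^-x)^(P/p_i) mod M."""
    return pow(proof, P, M) == pow(c * pow(G, -x, M) % M, P // PRIMES[i], M)
```

With m = 52 the residues are (1, 2, 3), so the ciphertext hides the bits 1, 0, 1, and a proof for the residue modulo 5 verifies only for x = 2.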
Zero-knowledge
• Simulator sets up pk = (M,P,g) such that ord(g) = (M)/4P and $g = h^P \bmod M$
• Simulator also sets up the CRS such that it only contains ciphertexts of the form $g^t \bmod M$
• For any m $Z_P$ we can compute $r = h^{t-m} \bmod M$ such that $g^t = g^m (g^{t-m}) = g^m r^P \bmod M$
• This means the simulator can open each ciphertext to arbitrary hidden bits
Efficient use of the hidden random bits
Statement: xL
(x,w)RL
Hidden random bits: 0 1 0 1
Kilian-Petrank
• Random bits not useful; need bits with structure
• Use statistical sampling to get “good” blocks
10    11    00    01
Probably hidden pairs are 00 and 11
Kilian-Petrank continued
• Reveal blocks of bits so remaining “good” blocks of bits have a particular structure (statistically)
• Reduce C to a 3SAT formula
• Assign remaining “good” blocks to variables in
• For each clause reveal some bits in the blocks assigned to the literals of the clause
• An unsatisfied clause has some probability of the revealed bits not satisfying certain criterion
• Repeat many times to make the probability of cheating negligible for each clause
Probabilistically checkable proofs
• Polynomial time algorithms f, $f_w$:
  f: C belongs to gap-3SAT5
  $f_w$: w x if C(w)=1 then (x)=1
 is a gap-3SAT5 formula
  – All variables appear in exactly 5 clauses – thrice as positive literal and twice as negative
  – Either all clauses are simultaneously satisfiable or a constant fraction are unsatisfiable
Strategy
• Compute = f(C) and prove that it is satisfiable
• With the most efficient probabilistically checkable proofs (Dinur 07 combined with BenSasson-Sudan 08) we have || = |C| polylog(k)
• Seems counterintuitive to make statement larger
• However, since allows for a constant fraction of “errors” less repetition is needed to make the overall soundness error negligible
• It is ok if the prover cheats on some clauses as long as cannot cheat on a constant fraction
Summary
• Technique 1: Reduce soundness error with probabilistically checkable proofs
• Technique 2: Implement hidden random bit string with Naccache-Stern encryption

                     Hidden bits                                Proof in bits                              Assumption
Kilian-Petrank       $|C| \cdot k_T \cdot k \cdot (\log k)$     $|C| \cdot k_T \cdot k \cdot (\log k)$     Trapdoor perms
This work            $|C| \cdot k_T \cdot \mathrm{polylog}(k)$  $|C| \cdot k_T \cdot \mathrm{polylog}(k)$  Trapdoor perms

                     CRS in bits                     Proof in bits                             Assumption
Gentry               poly(k)                         $|w| \cdot \mathrm{poly}(k)$              Lattice-based
G-Ostrovsky-Sahai    $k^3/\mathrm{polylog}(k)$       $|C| \cdot k^3/\mathrm{polylog}(k)$       Pairing-based
This work            $|C| \cdot \mathrm{polylog}(k)$ $|C| \cdot \mathrm{polylog}(k)$           Naccache-Stern