non-interactive zero-knowledge proofs of non-membership · non-interactivezero-knowledgeproofsof...
TRANSCRIPT
![Page 1: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/1.jpg)
Non-Interactive Zero-Knowledge Proofs ofNon-Membership
O. Blazy, C. Chevalier, D. Vergnaud
XLim / Université Paris II / ENS
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22
![Page 2: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/2.jpg)
1 Brief Overview
2 Building blocks
3 Proving that you can not
4 Applications
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 2 / 22
![Page 3: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/3.jpg)
1 Brief Overview
2 Building blocks
3 Proving that you can not
4 Applications
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 3 / 22
![Page 4: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/4.jpg)
Proof of Knowledge
Alice Bob
Interactive method for one party to prove to another the knowledge of asecret S.
Classical Instantiations : Schnorr proofs, Sigma Protocols . . .
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 4 / 22
![Page 5: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/5.jpg)
Proving that a statement is not satisfied
Alice Bob
Interactive method for one party to prove to another the knowledge of asecret S that does not belong to a language L.
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 5 / 22
![Page 6: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/6.jpg)
ApplicationsCredentialsEnhanced Authenticated Key Exchange
Additional propertiesNon-InteractiveZero-KnowledgeImplicit
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22
![Page 7: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/7.jpg)
ApplicationsCredentialsEnhanced Authenticated Key Exchange
Additional propertiesNon-InteractiveZero-KnowledgeImplicit
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22
![Page 8: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/8.jpg)
ApplicationsCredentialsEnhanced Authenticated Key Exchange
Additional propertiesNon-InteractiveZero-KnowledgeImplicit
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22
![Page 9: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/9.jpg)
ApplicationsCredentialsEnhanced Authenticated Key Exchange
Additional propertiesNon-InteractiveZero-KnowledgeImplicit
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22
![Page 10: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/10.jpg)
ApplicationsCredentialsEnhanced Authenticated Key Exchange
Additional propertiesNon-InteractiveZero-KnowledgeImplicit
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 6 / 22
![Page 11: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/11.jpg)
1 Brief Overview
2 Building blocks
3 Proving that you can not
4 Applications
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 7 / 22
![Page 12: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/12.jpg)
Zero-Knowledge Proof Systems
Introduced in 1985 by Goldwasser, Micali and Rackoff.
; Reveal nothing other than the validity of assertion being proven
Used in many cryptographic protocolsAnonymous credentialsAnonymous signaturesOnline voting. . .
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 8 / 22
![Page 13: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/13.jpg)
Zero-Knowledge Proof Systems
Introduced in 1985 by Goldwasser, Micali and Rackoff.
; Reveal nothing other than the validity of assertion being proven
Used in many cryptographic protocolsAnonymous credentialsAnonymous signaturesOnline voting. . .
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 8 / 22
![Page 14: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/14.jpg)
Zero-Knowledge Proof Systems
Introduced in 1985 by Goldwasser, Micali and Rackoff.
; Reveal nothing other than the validity of assertion being proven
Used in many cryptographic protocolsAnonymous credentialsAnonymous signaturesOnline voting. . .
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 8 / 22
![Page 15: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/15.jpg)
Zero-Knowledge Interactive Proof
Alice Bob
interactive method for one party to prove to another that a statement S istrue, without revealing anything other than the veracity of S.
1 Completeness: if S is true, the honest verifier will be convinced of this fact
2 Soundness: if S is false, no cheating prover can convince the honest verifierthat it is true
3 Zero-knowledge: if S is true, no cheating verifier learns anything other thanthis fact.
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 9 / 22
![Page 16: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/16.jpg)
Zero-Knowledge Interactive Proof
Alice Bob
interactive method for one party to prove to another that a statement S istrue, without revealing anything other than the veracity of S.
1 Completeness: if S is true, the honest verifier will be convinced of this fact
2 Soundness: if S is false, no cheating prover can convince the honest verifierthat it is true
3 Zero-knowledge: if S is true, no cheating verifier learns anything other thanthis fact.
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 9 / 22
![Page 17: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/17.jpg)
Non-Interactive Zero-Knowledge Proof
Alice Bob
non-interactive method for one party to prove to another that a statement Sis true, without revealing anything other than the veracity of S.
1 Completeness: S is true ; verifier will be convinced of this fact
2 Soundness: S is false ; no cheating prover can convince the verifier that Sis true
3 Zero-knowledge: S is true ; no cheating verifier learns anything other thanthis fact.
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 10 / 22
![Page 18: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/18.jpg)
Certification of Public Keys: SPHF [ACP09]
A user can ask for the certification of pk, but if he knows the associated sk only:
With a Smooth Projective Hash FunctionL: pk and C = C(sk; r) are associated to the same sk
U sends his pk, and an encryption C of sk;A generates the certificate Cert for pk, and sends it,masked by Hash = Hash(hk; (pk,C ));
U computes Hash = ProjHash(hp; (pk,C ), r)), and gets Cert.
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 11 / 22
![Page 19: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/19.jpg)
Certification of Public Keys: SPHF [ACP09]
A user can ask for the certification of pk, but if he knows the associated sk only:
With a Smooth Projective Hash FunctionL: pk and C = C(sk; r) are associated to the same sk
U sends his pk, and an encryption C of sk;A generates the certificate Cert for pk, and sends it,masked by Hash = Hash(hk; (pk,C ));
U computes Hash = ProjHash(hp; (pk,C ), r)), and gets Cert.
Implicit proof of knowledge of sk
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 11 / 22
![Page 20: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/20.jpg)
Smooth Projective Hash Functions [CS02]
Definition [CS02,GL03]Let {H} be a family of functions:
X , domain of these functionsL, subset (a language) of this domain
such that, for any point x in L, H(x) can be computed by usingeither a secret hashing key hk: H(x) = HashL(hk; x);or a public projected key hp: H ′(x) = ProjHashL(hp; x ,w)
Public mapping hk 7→ hp = ProjKGL(hk, x)
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 12 / 22
![Page 21: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/21.jpg)
SPHF Properties
For any x ∈ X , H(x) = HashL(hk; x)For any x ∈ L, H(x) = ProjHashL(hp; x ,w)
w witness that x ∈ L, hp = ProjKGL(hk, x)
SmoothnessFor any x 6∈ L, H(x) and hp are independent
Pseudo-RandomnessFor any x ∈ L, H(x) is pseudo-random, without a witness w
The latter property requires L to be a hard-partitioned subset of X .
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22
![Page 22: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/22.jpg)
SPHF Properties
For any x ∈ X , H(x) = HashL(hk; x)For any x ∈ L, H(x) = ProjHashL(hp; x ,w)
w witness that x ∈ L, hp = ProjKGL(hk, x)
SmoothnessFor any x 6∈ L, H(x) and hp are independent
Pseudo-RandomnessFor any x ∈ L, H(x) is pseudo-random, without a witness w
The latter property requires L to be a hard-partitioned subset of X .
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22
![Page 23: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/23.jpg)
SPHF Properties
For any x ∈ X , H(x) = HashL(hk; x)For any x ∈ L, H(x) = ProjHashL(hp; x ,w)
w witness that x ∈ L, hp = ProjKGL(hk, x)
SmoothnessFor any x 6∈ L, H(x) and hp are independent
Pseudo-RandomnessFor any x ∈ L, H(x) is pseudo-random, without a witness w
The latter property requires L to be a hard-partitioned subset of X .
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22
![Page 24: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/24.jpg)
SPHF Properties
For any x ∈ X , H(x) = HashL(hk; x)For any x ∈ L, H(x) = ProjHashL(hp; x ,w)
w witness that x ∈ L, hp = ProjKGL(hk, x)
SmoothnessFor any x 6∈ L, H(x) and hp are independent
Pseudo-RandomnessFor any x ∈ L, H(x) is pseudo-random, without a witness w
The latter property requires L to be a hard-partitioned subset of X .
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 13 / 22
![Page 25: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/25.jpg)
1 Brief Overview
2 Building blocks
3 Proving that you can not
4 Applications
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 14 / 22
![Page 26: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/26.jpg)
Global Idea
π: Proof that W ∈ Lπ: Randomizable, Indistinguishability of Proofπ′: Proof that π was computed honestly
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22
![Page 27: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/27.jpg)
Global Idea
π: Proof that W ∈ Lπ: Randomizable, Indistinguishability of Proofπ′: Proof that π was computed honestly
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22
![Page 28: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/28.jpg)
Global Idea
π: Proof that W ∈ Lπ: Randomizable, Indistinguishability of Proofπ′: Proof that π was computed honestly
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22
![Page 29: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/29.jpg)
Global Idea
π: Proof that W ∈ Lπ: Randomizable, Indistinguishability of Proofπ′: Proof that π was computed honestly
To prove that W 6∈ LTry to prove that W ∈ L which will output a ππ will not be validCompute π′ stating that π was computed honestly
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22
![Page 30: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/30.jpg)
Global Idea
π: Proof that W ∈ Lπ: Randomizable, Indistinguishability of Proofπ′: Proof that π was computed honestly
To prove that W 6∈ LTry to prove that W ∈ L which will output a ππ will not be validCompute π′ stating that π was computed honestly
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22
![Page 31: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/31.jpg)
Global Idea
π: Proof that W ∈ Lπ: Randomizable, Indistinguishability of Proofπ′: Proof that π was computed honestly
To prove that W 6∈ LTry to prove that W ∈ L which will output a ππ will not be validCompute π′ stating that π was computed honestly
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 15 / 22
![Page 32: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/32.jpg)
From a very high level
If an adversary forges a proof, this means that both π and π′ are validEither π was not computed honestly, and under the Soundness of π′ thisshould not happenOr π was computed honestly but lead to an invalid proof, and under theCompleteness of π this should not happen
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 16 / 22
![Page 33: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/33.jpg)
From a very high level
If an adversary forges a proof, this means that both π and π′ are validEither π was not computed honestly, and under the Soundness of π′ thisshould not happenOr π was computed honestly but lead to an invalid proof, and under theCompleteness of π this should not happen
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 16 / 22
![Page 34: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/34.jpg)
From a very high level
If an adversary forges a proof, this means that both π and π′ are validEither π was not computed honestly, and under the Soundness of π′ thisshould not happenOr π was computed honestly but lead to an invalid proof, and under theCompleteness of π this should not happen
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 16 / 22
![Page 35: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/35.jpg)
Possible Instantiations
Proof π Proof π′ Interactive PropertiesGroth Sahai Groth Sahai No Zero-Knowledge
SPHF SPHF Yes ImplicitGroth Sahai SPHF Depends ZK, Implicit
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 17 / 22
![Page 36: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/36.jpg)
1 Brief Overview
2 Building blocks
3 Proving that you can not
4 Applications
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 18 / 22
![Page 37: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/37.jpg)
Anonymous Credentials
Allows user to authenticate while protecting their privacy.
Recent work, build non-interactive credentials for NANDBy combining with ours, it leads to efficient Non-Interactive CredentialsNo accumulators are needed
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 19 / 22
![Page 38: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/38.jpg)
Anonymous Credentials
Allows user to authenticate while protecting their privacy.
Recent work, build non-interactive credentials for NANDBy combining with ours, it leads to efficient Non-Interactive CredentialsNo accumulators are needed
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 19 / 22
![Page 39: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/39.jpg)
Anonymous Credentials
Allows user to authenticate while protecting their privacy.
Recent work, build non-interactive credentials for NANDBy combining with ours, it leads to efficient Non-Interactive CredentialsNo accumulators are needed
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 19 / 22
![Page 40: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/40.jpg)
Language Authenticated Key Exchange
Alice Bob→ C(MB)
C(MA), hpB ←→ hpA
HB · H ′A H ′
B · HA
Same value iff languages are as expected, and users know witnesses.
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 20 / 22
![Page 41: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/41.jpg)
Summing up
Proposed a generic framework to prove negative statement *Gives several instantiation of this framework, allowing some modularityWorks outside pairing environment
Open ProblemsBe compatible with post-quantum cryptographyWeaken the requirements, on the building blocks
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 21 / 22
![Page 42: Non-Interactive Zero-Knowledge Proofs of Non-Membership · Non-InteractiveZero-KnowledgeProofsof Non-Membership O.Blazy,C.Chevalier,D.Vergnaud XLim / Université Paris II / ENS O](https://reader036.vdocument.in/reader036/viewer/2022081402/604a97c806ee3e3e4c12debe/html5/thumbnails/42.jpg)
Summing up
Proposed a generic framework to prove negative statement *Gives several instantiation of this framework, allowing some modularityWorks outside pairing environment
Open ProblemsBe compatible with post-quantum cryptographyWeaken the requirements, on the building blocks
O. Blazy (XLim) Negative-NIZK CT-RSA 2015 21 / 22