Perfect Non-interactive Zero-Knowledge for NP - PowerPoint PPT Presentation

About This Presentation
Title:

Perfect Noninteractive ZeroKnowledge for NP

Slides: 27
Provided by: JensG3

Transcript and Presenter's Notes


1
Perfect Non-interactive Zero-Knowledge for NP
  • Jens Groth
  • Rafail Ostrovsky
  • Amit Sahai
  • UCLA

On ePrint archive: http://eprint.iacr.org/2005/290
2
Proof system
Prover: The moon is a green cheese!
Verifier: That statement is in NP, so prove it!
3
Proof system
Common reference string: uniform random string σ ∈ {0,1}^l
Statement: circuit C is satisfiable
Prover sends a proof; Verifier outputs Accept or Reject
4
Completeness
Witness w so C(w) = 1
Common reference string
Prover sends proof for C; Verifier: Accept
Completeness: Pr[Accept] ≈ 1. Perfect completeness: Pr[Accept] = 1
5
Soundness
Common reference string
Adversary sends proof for an unsatisfiable C; Verifier: Reject
Soundness: Pr[Reject] ≈ 1. Perfect soundness: Pr[Reject] = 1
6
Knowledge extraction
Common reference string (Extractor E holds trapdoor sk)
Adversary sends proof for C; Extractor E outputs w so C(w) = 1
Knowledge extraction: Pr[Extract w] ≈ 1. Perfect knowledge extraction: Pr[Extract w] = 1
7
Zero-knowledge
Common reference string (Simulator S holds trapdoor sk)
Statement C; Simulator S outputs a simulated proof without a witness
Zero-knowledge: Pr[A → 1 | Real proof] ≈ Pr[A → 1 | Simulated proof]
Perfect ZK: Pr[A → 1 | Real proof] = Pr[A → 1 | Simulated proof]
8
State of affairs
  • Even computational NIZK proofs/arguments are
    inefficient: Kilian-Petrank needs an O(|C|k^2)-bit
    common reference string and O(|C|k^2)-bit proofs
  • Statistical/perfect NIZK arguments not known
  • No non-interactive UC ZK arguments secure against
    adaptive/dynamic adversaries known

9
Our contributions
  • Computational NIZK proof for Circuit SAT:
    O(k)-bit common reference string, O(|C|k)-bit
    proofs
  • Perfect NIZK argument for Circuit SAT:
    non-adaptive soundness; adaptive soundness
    (with restrictions)
  • Perfect zero-knowledge UC NIZK argument for
    Circuit SAT

10
Bilinear group of order n
Setup: G, G_1 cyclic groups of order n = pq; g generator for G;
bilinear map e: G × G → G_1 with e(u^a, v^b) = e(u, v)^(ab);
e(g, g) generates G_1
Decision subgroup problem: ord(h) = q or ord(h) = n?
11
BGN cryptosystem
Key generation: pk = (n, G, G_1, e, g, h) with ord(g) = n, ord(h) = q;
sk = (pk, p, q)
Encryption of m with |m| = O(log k): E(m; r) = g^m h^r where r ← Z_n
Decryption: (g^m h^r)^q = (g^q)^m; find m by polynomial-size exhaustive
search
12
Homomorphic properties
Additively homomorphic: g^m1 h^r1 · g^m2 h^r2 = g^(m1+m2) h^(r1+r2)
Multiplication-mapping: e(g^m1 h^r1, g^m2 h^r2) = e(g, g)^(m1·m2) · e(h, g^(m1·r2 + m2·r1) h^(r1·r2))
13
NIZK proof for Circuit SAT
Circuit SAT is NP-complete
(Figure: circuit of two NAND gates over wires w1, w2, w3, w4; w4 = NAND(w1, w2) and the output wire 1 = NAND(w4, w3))
14
NIZK proof for Circuit SAT
(Figure: the same circuit with each wire wi replaced by its encryption g^wi h^ri and the output wire fixed to g^1)
NIZK proof E1 encrypts 0 or 1; NIZK proof E2 encrypts 0 or 1;
NIZK proof E3 encrypts 0 or 1; NIZK proof E4 encrypts 0 or 1
NIZK proof w4 = ¬(w1 ∧ w2); NIZK proof 1 = ¬(w4 ∧ w3)
15
NIZK proof for encryption of 0 or 1
  • Wish to argue c encrypts 0 or 1
  • Write c = g^m h^r (m uniquely determined mod p)
  • e(c, g^-1 c) = e(g^m h^r, g^(m-1) h^r)
    = e(g, g)^(m(m-1)) · e(h^r, g^(2m-1) h^r)
  • has order q if and only if m = 0 mod p or m = 1
    mod p
  • We wish to argue e(c, g^-1 c) has order q

16
NIZK proof for encryption of 0 or 1
Prover chooses R ← Z_n and writes (for m ∈ {0,1})
e(c, g^-1 c) = e(g^m h^r, g^(m-1) h^r) = e(h^r, g^(2m-1) h^r) = e(h^R, (g^(2m-1) h^r)^(r/R))
Reveal π = (π1, π2, π3): π1 = h^R, π2 = (g^(2m-1) h^r)^(r/R), π3 = g^R
Verifier checks e(c, g^-1 c) = e(π1, π2) and e(g, π1) = e(h, π3)
17
NIZK proof for encryption of 0 or 1
Perfect completeness
Perfect soundness:
h has order q ⇒ e(h, π3) has order q
e(g, π1) = e(h, π3) ⇒ e(g, π1) has order q ⇒ π1 has order q ⇒ e(π1, π2) has order q
e(c, g^-1 c) = e(π1, π2) ⇒ e(c, g^-1 c) has order q ⇒ m = 0 mod p or m = 1 mod p
18
NIZK proof for encryption of 0 or 1
Computational zero-knowledge
Simulated reference string (g, h): choose τ ← Z_n and let h^τ = g; Simulator knows τ
Choose R ← Z_n and let π1 = c^R, π2 = (g^-1 c)^(1/R), π3 = (π1)^τ
Then e(c, g^-1 c) = e(π1, π2) and e(g, π1) = e(h, π3)
19
NIZK proof for NAND-gate
  • Given c0, c1, c2 ciphertexts containing bits b0,
    b1, b2, wish to argue b2 = ¬(b0 ∧ b1)
  • Make NIZK proof for c0 c1 c2^2 g^-2 encrypting 0 or 1
  • b0 + b1 + 2b2 - 2 ∈ {0,1}
  • if and only if
  • b2 = ¬(b0 ∧ b1)

20
NIZK proof for Circuit SAT
  • Encrypt all wires wi as ci = g^wi h^ri
  • For each i make NIZK proof that ci contains 0 or 1
  • For each NAND-gate make NIZK proof that
    c0 c1 c2^2 g^-2 contains 0 or 1
  • Perfect completeness
  • Perfect soundness
  • Computational zero-knowledge
  • Perfect knowledge extraction: decrypt ciphertexts

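The BGN encryption, the 0-or-1 proof of slides 15 to 18 and the NAND encoding of slide 19 can be checked end to end in a toy model. The block below is an added example, not code from the paper or its authors: it replaces the bilinear group by the additive group Z_n with e(a, b) = a·b mod n (bilinear, but with trivial discrete logs, so it has no security and only exercises the algebra), and the primes, generators and randomness are constructed values.

```python
import random

# Toy model, constructed for this page: the bilinear group is replaced by the additive
# group Z_n with "pairing" e(a, b) = a*b mod n. Every identity on the slides holds, but
# discrete logs are trivial, so this has no security; it only checks the algebra.
p, q = 1009, 1013            # constructed toy primes, n = p*q
n = p * q

def pair(a, b):              # e(u, v): bilinear, and e(g, g) generates Z_n when gcd(g, n) = 1
    return (a * b) % n

def has_order_q(x):          # "has order q" on the slides: q*x = 0 mod n, i.e. p divides x
    return (q * x) % n == 0

def rand_unit():             # exponent R invertible mod n (the proof needs r/R)
    while True:
        R = random.randrange(1, n)
        if R % p and R % q:
            return R

def encrypt(g, h, m, r):     # BGN: E(m; r) = g^m h^r, written additively
    return (m * g + r * h) % n

def prove_bit(g, h, m, r):   # pi1 = h^R, pi2 = (g^{2m-1} h^r)^{r/R}, pi3 = g^R
    R = rand_unit()
    pi2 = (r * pow(R, -1, n) * ((2 * m - 1) * g + r * h)) % n
    return (R * h) % n, pi2, (R * g) % n

def verify_bit(g, h, c, proof):   # e(c, g^{-1}c) = e(pi1, pi2) and e(g, pi1) = e(h, pi3)
    pi1, pi2, pi3 = proof
    return pair(c, c - g) == pair(pi1, pi2) and pair(g, pi1) == pair(h, pi3)

def nand_ciphertext(g, c0, c1, c2):   # c0 c1 c2^2 g^{-2}: encrypts b0 + b1 + 2 b2 - 2
    return (c0 + c1 + 2 * c2 - 2 * g) % n

def simulate_bit(g, tau, c):  # simulated CRS has h^tau = g and the simulator knows tau
    R = rand_unit()
    pi1 = (R * c) % n
    return pi1, (pow(R, -1, n) * (c - g)) % n, (tau * pi1) % n

def demo():
    g, h = 1, p * 7                       # real CRS: ord(g) = n, ord(h) = q
    r = [random.randrange(n) for _ in range(3)]
    c = [encrypt(g, h, b, ri) for b, ri in zip((1, 1, 0), r)]   # b2 = NOT(b0 AND b1)
    gate = nand_ciphertext(g, *c)         # plaintext 0, randomness r0 + r1 + 2 r2
    gate_ok = verify_bit(g, h, gate, prove_bit(g, h, 0, r[0] + r[1] + 2 * r[2]))
    tau = rand_unit()
    h_sim = (pow(tau, -1, n) * g) % n     # simulated CRS, tau * h_sim = g, so ord(h_sim) = n
    c_two = encrypt(g, h_sim, 2, r[0])    # plaintext 2 is no bit, yet the simulator proves it
    return gate_ok, verify_bit(g, h_sim, c_two, simulate_bit(g, tau, c_two))
```

Under the real CRS an honest proof for a plaintext of 2 fails verification and e(c, g^-1 c) falls outside the order-q subgroup, which is exactly the soundness argument of slide 17.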
21
Statistical NIZK
  • Common reference string (g, h)
  • Choose g, h so ord(g) = ord(h) = n
  • Perfect completeness
  • Computational ordinary soundness:
    CRS indistinguishable from one with ord(h) = q
  • Perfect zero-knowledge:
    ciphertexts ci are perfectly hiding commitments;
    NIZK proof of 0 or 1 plaintexts is perfect ZK

22
Adaptive soundness?
  • Learn common reference string (g, h)
  • Produce unsatisfiable circuit C and proof π
  • for instance C: "ord(h) < n"
  • Consider indistinguishably switching CRS to (g,
    h) with ord(h) = q; then C is suddenly true, so
    maybe adversary can prove a false statement
  • However, adversary cannot know statement is
    false, because that would make ord(h) = n and
    ord(h) = q distinguishable

23
Adaptive soundness
  • Restrict ourselves to circuits C of size l
    (#gates + #wires)
  • There are at most l^l different circuits of size l
  • Suppose advantage in distinguishing ord(h) = n
    and ord(h) = q is at most l^-l · negl(k)
  • Then we have computational adaptive soundness

24
Adaptive soundness
  • Proof
  • Probability of a fixed unsatisfiable C being used in a
    successful attack on a random CRS is at most
    l^-l · negl(k) (ordinary soundness)
  • Total probability of attack on adaptive soundness
    is Σ_{|C|=l} Pr[C unsatisfiable, but proof for C]
  • ≤ Σ_{|C|=l} l^-l · negl(k) = l^l · l^-l · negl(k) = negl(k)

25
F_NIZK
  • On input (Prove, sid, ssid, C, w) from P_i: if
    C(w) = 1, send C to adversary S and get answer
    π; store (C, π) and return (Proof, sid, ssid,
    π) to P_i
  • On input (Verify, sid, ssid, C, π) from P_i: if
    (C, π) is stored, return (Verification, sid, ssid,
    accept) to P_i; else send (C, π) to adversary S
    and get answer w; if C(w) = 1, store (C,
    π) and return (Verification, sid, ssid, accept) to
    P_i; else return (Verification, sid, ssid,
    reject) to P_i

26
UC NIZK
  • There exists a non-interactive protocol UC NIZK
    such that
  • UC NIZK securely realizes F_NIZK in the common
    reference string model
  • UC NIZK is perfect zero-knowledge