Perfect Non-interactive Zero-Knowledge for NP

Slides: 23
Provided by: jens174
Transcript and Presenter's Notes

1
Perfect Non-interactive Zero-Knowledge for NP
  • Jens Groth
  • Rafail Ostrovsky
  • Amit Sahai
  • University of California Los Angeles

2
Motivation
OK, I will make a zero-knowledge proof
I'm a woman.
Prove it!
Circuit C: "I'm a woman". Proof $\pi$
3
Completeness
$K(1^k)$
Common reference string
Accept
Prover, Verifier
Perfect completeness: $\Pr[\text{Accept}] = 1$
4
Soundness
$K(1^k)$
Common reference string
Reject
Adversary, Verifier
Perfect soundness: $\Pr[\text{Reject}] = 1$
5
Zero-knowledge
$S_1(1^k)$
Common reference string
sk
Circuit C, witness w
0/1
$S_2(crs, sk, C)$
Simulator, Adversary
Computational zero-knowledge: $\Pr[A \to 1 \mid \text{simulated proofs } (S_1, S_2)] \approx \Pr[A \to 1 \mid \text{real proofs } (K, P)]$
6
State of affairs
  • Computational NIZK proofs known but not practical.
    Kilian-Petrank: $O(|C|k^2)$-bit common reference string,
    $O(|C|k^2)$-bit proofs
  • Statistical/perfect NIZK arguments not known
  • No non-interactive UC ZK arguments secure against
    adaptive adversaries known

7
Our contributions
  • NIZK proof for Circuit SAT
      - Perfect completeness, perfect soundness, perfect proof of
        knowledge, computational zero-knowledge
      - $O(k)$-bit common reference string
      - $O(|C|k)$-bit proofs
  • Perfect NIZK argument for Circuit SAT
      - Perfect completeness, computational coNP soundness,
        perfect zero-knowledge
  • UC NIZK argument for Circuit SAT with perfect
    zero-knowledge, secure against adaptive adversaries

8
Bilinear group of order n
  • $G, G_1$ cyclic groups of order $n = pq$
  • $g$ generator for $G$
  • Bilinear map $e: G \times G \to G_1$
  • $e(u^a, v^b) = e(u, v)^{ab}$
  • $e(g, g)$ generates $G_1$
  • Decision subgroup problem: $\mathrm{ord}(h) = q$ or $\mathrm{ord}(h) = n$?
9
Boneh-Goh-Nissim cryptosystem
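  • Key generation: $pk = (n, G, G_1, e, g, h)$ with $\mathrm{ord}(g) = n$, $\mathrm{ord}(h) = q$; $sk = (pk, p, q)$
  • Encryption of $m$, $|m| = O(\log k)$: $E(m; r) = g^m h^r$ where $r \leftarrow \mathbb{Z}_n$
  • Decryption: $(g^m h^r)^q = (g^q)^m$; find $m$ by polynomial-time exhaustive search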
10
Homomorphic properties
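  • Additively homomorphic: $g^{m_1} h^{r_1} \cdot g^{m_2} h^{r_2} = g^{m_1 + m_2} h^{r_1 + r_2}$
  • Multiplication-mapping: $e(g^{m_1} h^{r_1}, g^{m_2} h^{r_2}) = e(g, g)^{m_1 m_2} \, e(h, g^{m_1 r_2 + m_2 r_1} h^{r_1 r_2})$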
11
NIZK proof for Circuit SAT
Circuit SAT is NP complete
[Figure: circuit of two NAND gates with wires w1, w2, w3, w4 and output 1]
12
NIZK proof for Circuit SAT
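  • NIZK proof: $c_1$ encrypts 0 or 1
  • NIZK proof: $c_2$ encrypts 0 or 1
  • NIZK proof: $c_3$ encrypts 0 or 1
  • NIZK proof: $c_4$ encrypts 0 or 1
  • NIZK proof: $w_4 = \neg(w_1 \wedge w_2)$
  • NIZK proof: $1 = \neg(w_4 \wedge w_3)$
[Figure: the same two-NAND circuit with each wire replaced by its ciphertext: $g^{w_1} h^{r_1}$, $g^{w_2} h^{r_2}$, $g^{w_3} h^{r_3}$, $g^{w_4} h^{r_4}$, and output $g^1$]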
13
NIZK proof for encryption of 0 or 1
  • Wish to prove $c$ encrypts 0 or 1
  • Write $c = g^m h^r$ ($m$ uniquely determined mod $p$)
  • $e(c, g^{-1}c) = e(g^m h^r, g^{m-1} h^r) = e(g, g)^{m(m-1)} \, e(h^r, g^{2m-1} h^r)$
  • has order $q$ if and only if $m \equiv 0 \bmod p$ or
    $m \equiv 1 \bmod p$
  • We wish to prove $e(c, g^{-1}c)$ has order $q$

14
NIZK proof for encryption of 0 or 1
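  • Prover chooses $s \leftarrow \mathbb{Z}_n$
  • $e(c, g^{-1}c) = e(g^m h^r, g^{m-1} h^r) = e(h^r, g^{2m-1} h^r) = e(h^s, (g^{2m-1} h^r)^{r/s})$
  • Reveal $\pi = (\pi_1, \pi_2, \pi_3)$: $\pi_1 = h^s$, $\pi_2 = (g^{2m-1} h^r)^{r/s}$, $\pi_3 = g^s$
  • Verifier checks $e(\pi_1, g) = e(h, \pi_3)$ and $e(c, g^{-1}c) = e(\pi_1, \pi_2)$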
15
NIZK proof for encryption of 0 or 1
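Perfect soundness:
  • $h$ has order $q$ $\Rightarrow$ $e(h, \pi_3)$ has order $q$
  • $e(\pi_1, g) = e(h, \pi_3)$ $\Rightarrow$ $e(\pi_1, g)$ has order $q$ $\Rightarrow$ $\pi_1$ has order $q$ $\Rightarrow$ $e(\pi_1, \pi_2)$ has order $q$
  • $e(c, g^{-1}c) = e(\pi_1, \pi_2)$ $\Rightarrow$ $e(c, g^{-1}c)$ has order $q$ $\Rightarrow$ $m \equiv 0 \bmod p$ or $m \equiv 1 \bmod p$
Computational zero-knowledge: ord(h) = n, g = h^?, simulation key: ?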
16
NIZK proof for NAND-gate
  • Given $c_0, c_1, c_2$ ciphertexts containing bits $b_0,
    b_1, b_2$, wish to prove $b_2 = \neg(b_0 \wedge b_1)$
  • $b_2 = \neg(b_0 \wedge b_1)$
  • if and only if
  • $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$
  • Make NIZK proof for $c_0 c_1 c_2^2 g^{-2}$ encrypting 0 or 1

17
NIZK proof for Circuit SAT
  • Encrypt all wires $w_i$ as $c_i = g^{w_i} h^{r_i}$
  • For each $i$ make NIZK proof that $c_i$ contains 0 or 1
  • For each NAND-gate make NIZK proof that
    $c_0 c_1 c_2^2 g^{-2}$ contains 0 or 1
  • Perfect completeness
  • Perfect soundness
  • Computational zero-knowledge
  • Perfect knowledge extraction: decrypt ciphertexts
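
Added example (not part of the presentation): the 0/1 proof, the NAND-gate statement and decryption-based extraction from slides 9 to 17, run in a toy model where each group element g^x is stored as its exponent x mod n and the pairing is multiplication of exponents. The primes, the choice h = g^(7p), the function names, and drawing s invertible mod n (so that r/s exists) are assumptions; the model hides nothing and only checks the algebra.

```python
import math
import secrets

# Constructed toy parameters: tiny primes, no security. A group element g^x is
# stored as its exponent x mod n, so nothing is hidden; only the algebra is real.
P, Q = 1009, 1013
N = P * Q
G = 1                # g = g^1 has order n
H = 7 * P % N        # h = g^(7p) has order q, since q * 7p = 0 mod n

def pair(u, v):
    """e(g^u, g^v) = e(g, g)^(uv), stored as the exponent uv mod n."""
    return u * v % N

def encrypt(m, r):
    """c = g^m h^r."""
    return (m * G + r * H) % N

def decrypt(c, bound=8):
    """c^q = (g^q)^m because h^q = 1; recover m by exhaustive search."""
    target = c * Q % N
    return next((m for m in range(bound) if m * Q % N == target), None)

def prove_bit(m, r):
    """pi = (h^s, (g^(2m-1) h^r)^(r/s), g^s); s is drawn invertible mod n."""
    s = secrets.randbelow(N - 1) + 1
    while math.gcd(s, N) != 1:
        s = secrets.randbelow(N - 1) + 1
    pi2 = (2 * m - 1 + r * H) * r * pow(s, -1, N) % N
    return s * H % N, pi2, s

def verify_bit(c, proof):
    """Check e(pi1, g) = e(h, pi3) and e(c, g^-1 c) = e(pi1, pi2)."""
    pi1, pi2, pi3 = proof
    return (pair(pi1, G) == pair(H, pi3)
            and pair(c, (c - G) % N) == pair(pi1, pi2))

def nand_statement(c0, c1, c2):
    """c0 c1 c2^2 g^-2, which encrypts b0 + b1 + 2 b2 - 2."""
    return (c0 + c1 + 2 * c2 - 2 * G) % N

def prove_nand(bits, rands):
    """Bit proof for the NAND statement; returns (ciphertext, proof)."""
    (b0, b1, b2), (r0, r1, r2) = bits, rands
    cs = [encrypt(b, r) for b, r in zip(bits, rands)]
    return nand_statement(*cs), prove_bit(b0 + b1 + 2 * b2 - 2, r0 + r1 + 2 * r2)
```

Running the prover's formula on a plaintext outside {0, 1} leaves the term e(g, g)^(m(m-1)) uncancelled, so the second verification equation fails; the same happens for any wire assignment that violates the NAND relation.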

18
Perfect NIZK
  • Common reference string $(g, h)$
  • Choose $g, h$ so $\mathrm{ord}(g) = \mathrm{ord}(h) = n$
  • Perfect completeness
  • Perfect zero-knowledge
  • Ciphertexts $c_i$ are perfectly hiding commitments
  • NIZK argument for 0/1 plaintexts: perfect ZK

19
Adaptive coNP soundness
$K(1^k)$
Common reference string
Reject
$w_{co}$: witness for C unsatisfiable
Computational coNP soundness: $\Pr[\text{Reject}] \approx 1$
20
$F_{NIZK}$
  • (prove, C, w) → (proof, $\pi$): If C(w) = 1, give C to S and get $\pi$;
    store (C, $\pi$)
  • (verify, C, $\pi$) → (verification, 0/1): If (C, $\pi$) not stored, give
    (C, $\pi$) to S and get w; if C(w) = 1, store (C, $\pi$). Return 1 if
    (C, $\pi$) stored
21
UC NIZK
  • There exists a non-interactive protocol UC NIZK
    such that
  • UC NIZK securely realizes $F_{NIZK}$ against adaptive
    adversaries in the common reference string model
  • UC NIZK is perfect zero-knowledge

22
Conclusion
New technique for NIZK proofs
  1. Very efficient NIZK proofs with perfect soundness
  2. First construction of perfect zero-knowledge NIZK
     argument with coNP soundness
  3. First construction of UC NIZK argument secure against
     adaptive adversaries