groth sahai proof system
play

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure - PowerPoint PPT Presentation

Apr 06, 2023 •138 likes •879 views

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 1 / 38 Contents Introduction 1 Groth-Sahai proof system 2 Non-Interactive Zero-Knowledge

  1. Groth-Sahai proof system Olivier Blazy ´ Ecole normale sup´ erieure Jan. 21st 2011 O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 1 / 38

  2. Contents Introduction 1 Groth-Sahai proof system 2 Non-Interactive Zero-Knowledge proofs Bilinear maps Groth-Ostrovsky-Sahai Groth-Sahai (2008) O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 2 / 38

  3. Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. � Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 3 / 38

  4. Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. � Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 3 / 38

  5. Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. � Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 3 / 38

  6. Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S . Completeness: if S is true, the honest verifier will be convinced of this fact 1 Soundness: if S is false, no cheating prover can convince the honest verifier 2 that it is true Zero-knowledge: if S is true, no cheating verifier learns anything other than 3 this fact. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 4 / 38

  7. Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S . Completeness: if S is true, the honest verifier will be convinced of this fact 1 Soundness: if S is false, no cheating prover can convince the honest verifier 2 that it is true Zero-knowledge: if S is true, no cheating verifier learns anything other than 3 this fact. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 4 / 38

  8. Non-Interactive Zero-Knowledge Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S . Completeness: S is true � verifier will be convinced of this fact 1 Soundness: S is false � no cheating prover can convince the verifier that S 2 is true Zero-knowledge: S is true � no cheating verifier learns anything other than 3 this fact. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 5 / 38

  9. Non-Interactive Witness-Indistinguishable Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing which witness was used. Completeness: S is true � verifier will be convinced of this fact 1 Soundness: S is false � no cheating prover can convince the verifier that S 2 is true Witness indistinguishability: S is true � no cheating verifier can 3 distinguish between two provers that use different witnesses. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 6 / 38

  10. History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, 1988. ... De Santis-Di Crescenzo-Persiano, 2002. Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof � NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, 2006. Groth-Sahai, 2008. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 7 / 38

  11. History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, 1988. ... De Santis-Di Crescenzo-Persiano, 2002. Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof � NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, 2006. Groth-Sahai, 2008. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 7 / 38

  12. History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, 1988. ... De Santis-Di Crescenzo-Persiano, 2002. Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof � NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, 2006. Groth-Sahai, 2008. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 7 / 38

  13. History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, 1988. ... De Santis-Di Crescenzo-Persiano, 2002. Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof � NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, 2006. Groth-Sahai, 2008. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 7 / 38

  14. Applications of NIZK Proofs Fancy signature schemes group signatures ring signatures traceable signatures . . . Efficient non-interactive proof of correctness of shuffle Non-interactive anonymous credentials CCA-2-secure encryption schemes Identification E-voting E-cash . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 8 / 38

  15. Composite order bilinear structure: What ? ( e , G , G T , g , n ) bilinear structure: G , G T multiplicative groups of order n = pq n = RSA integer � g � = G e : G × G → G T � e ( g , g ) � = G T e ( g a , g b ) = e ( g , g ) ab , a , b ∈ Z  deciding group membership,   group operations, efficiently computable.   bilinear map O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 9 / 38

  16. Composite order bilinear structure: Why ? Deciding Diffie-Hellman tuples: given ( g , g a , g b , g c ) ∈ G 4 1 ⇒ e ( g a , g b ) = e ( g , g c ) c = ab ⇐ If h ∈ G q : 2 ∀ v ∈ G , e ( h , v ) q = 1 e ( g a h b , g ) q = e ( g , g ) aq Applications: “Somewhat homomorphic” encryption, Traitor tracing, Signatures, Attribute-based encryption, Fully secure HIBE, . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 10 / 38

  17. Composite order bilinear structure: Why ? Deciding Diffie-Hellman tuples: given ( g , g a , g b , g c ) ∈ G 4 1 ⇒ e ( g a , g b ) = e ( g , g c ) c = ab ⇐ If h ∈ G q : 2 ∀ v ∈ G , e ( h , v ) q = 1 e ( g a h b , g ) q = e ( g , g ) aq Applications: “Somewhat homomorphic” encryption, Traitor tracing, Signatures, Attribute-based encryption, Fully secure HIBE, . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 10 / 38

  18. Composite order bilinear structure: Why ? Deciding Diffie-Hellman tuples: given ( g , g a , g b , g c ) ∈ G 4 1 ⇒ e ( g a , g b ) = e ( g , g c ) c = ab ⇐ If h ∈ G q : 2 ∀ v ∈ G , e ( h , v ) q = 1 e ( g a h b , g ) q = e ( g , g ) aq Applications: “Somewhat homomorphic” encryption, Traitor tracing, Signatures, Attribute-based encryption, Fully secure HIBE, . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 10 / 38

  19. Boneh-Goh-Nissim Encryption Scheme Public key: ( e , G , G T , n ) bilinear structure with n = pq g ∈ G , h ∈ G q . Secret key: p , q Encryption: c = g m h r ( r $ ← Z n ) Decryption: c q = ( g m h r ) q = g mq h qr = ( g q ) m (+ DL) IND-CPA-secure under the: Subgroup Membership Assumption Hard to distinguish h ∈ G q from random h of order n O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 11 / 38

  20. Boneh-Goh-Nissim Commitment Scheme Public key: ( e , G , G T , n = pq ) bilinear structure g ∈ G , h ∈ G q . Commitment: c = g m h r ( r $ ← Z n ) Perfectly binding: unique m mod p Computationally hiding: indistinguishable from h of order n Somewhat homomorphic properties: ( g a h r ) · ( g b h s ) = g a + b h r + s e ( g a h r , g b h s ) e ( g a , g b ) e ( h r , g b ) e ( g a , h s ) e ( h r , h s ) = e ( g , g ) ab e ( h , g as + rb h rs ) = O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 12 / 38

  21. Groth-Ostrovsky-Sahai: NIZK Proof for Circuit SAT Groth, Ostrovsky and Sahai (2006) Perfect completeness, perfect soundness, computational zero-knowledge for NP Common reference string: O ( k ) bits Proof: O ( | C | k ) bits Circuit-SAT is NP-complete w 1 w 4 w 2 1 w 3 Idea: Commit w i using BGN encryption Prove the validity using homomorphic properties O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 13 / 38

  22. NIZK Proof for Circuit SAT c 4 = g w 4 h r 4 g w 1 h r 1 = c 1 g w 2 h r 2 = c 2 g 1 g w 3 h r 3 = c 3 Prove w i ∈ { 0 , 1 } for i ∈ { 1 , 2 , 3 , 4 } Prove w 4 = ¬ ( w 1 ∧ w 2 ) Prove 1 = ¬ ( w 3 ∧ w 4 ) O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 14 / 38

  23. Proof for c Containing 0 or 1 w mod p ∈ { 0 , 1 } ⇐ ⇒ w ( w − 1) = 0 mod p For c = g w h r we have e ( c , cg − 1 ) e ( g w h r , g w − 1 h r ) = e ( g w , g w − 1 ) e ( h r , g w − 1 ) e ( g w , h r ) e ( h r , h r ) = e ( g , g ) w ( w − 1) e ( h , ( g 2 w − 1 h r ) r ) = � �� � π π = g 2 w − 1 h r = proof that c contains 0 or 1 mod p . ( c detemines w uniquely mod p since ord ( h ) = q ) Randomizable proof ! O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 15 / 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the property that it reflects the methods by which humans commonly do mathematics, it is ill suited for use in automated reasoning, because of the infinite

590 views • 41 slides
EECS 290S: Network Information Flow Anant Sahai David Tse Logistics Anant Sahai: 267 Cory

EECS 290S: Network Information Flow Anant Sahai David Tse Logistics Anant Sahai: 267 Cory

EECS 290S: Network Information Flow Anant Sahai David Tse Logistics Anant Sahai: 267 Cory (office hours in 258 Cory), sahai@eecs. Office hours: Mon 4-5pm and Tue 2:30-3:30pm. David Tse, 257 Cory (enter through 253 Cory), dtse@eecs.

532 views • 18 slides
A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

Introduction Proof System Applications Experiments A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte Helmert University of Basel, Switzerland ICAPS 2018 Introduction Proof System Applications

325 views • 21 slides
Cryptography with Tamperable and Leaky Memory Yael Tauman Kalai Bhavana Kanukurthi Amit Sahai

Cryptography with Tamperable and Leaky Memory Yael Tauman Kalai Bhavana Kanukurthi Amit Sahai

Cryptography with Tamperable and Leaky Memory Yael Tauman Kalai Bhavana Kanukurthi Amit Sahai MSR UCLA UCLA Leakage Resilient Cryptography [Rivest1997, Boyko1999, Canetti-Dodis-Halevi-Kushilevitz-Sahai2000, Ishai-Sahai-Wagner2003, Micali-

716 views • 14 slides
Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and Interactions September 20, 2016 1/47 Introduction to SAT and QBF Proof Checking Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT

924 views • 67 slides
MG IPM 2019 Page 1 The $5 hole Start at the Nursery Planting the Plants Improper planting

MG IPM 2019 Page 1 The $5 hole Start at the Nursery Planting the Plants Improper planting

Integrated Pest Integrated Pest Management Management How did we get here? Problems will come up! Oregon IPM There is no silver bullet Gardening is a process Claudia Groth MG Program Instructor claudia.groth.us@gmail.com Good Garden

248 views • 12 slides
The bank-lending channel: The IS-BL model Christian Groth University of Copenhagen November 21,

The bank-lending channel: The IS-BL model Christian Groth University of Copenhagen November 21,

The bank-lending channel: The IS-BL model Christian Groth University of Copenhagen November 21, 2016 C. Groth (University of Copenhagen) 11/2016 1 / 10 directly granted f inancial saving credit credit indirect credit intermediated credit

110 views • 10 slides
3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Griffith University 3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof by construction 2. Proof by equivalence 3. Proof by contradiction 4. Proof by case analysis 5. Proof by induction

549 views • 11 slides
Explicit vs Implicit CommunicaGon in Control Anant Sahai UC

Explicit vs Implicit CommunicaGon in Control Anant Sahai UC

Explicit vs Implicit CommunicaGon in Control Anant Sahai UC Berkeley Joint with Se Yong Park and Pulkit Grover Thanks to NSF for funding this

1.03k views • 46 slides
Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer

Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer

Background Proof assistants in education Arend System description Implementation Future work Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer science education Andrew V. Clifton

564 views • 52 slides
The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA

The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA

The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA Nancy & INRIA-MSR Joint Centre, France Amir Pnueli Memorial Symposium New York University, May 8, 2010 The TLA + proof system Stephan Merz (INRIA

646 views • 25 slides
The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell

The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell

The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell University Ithaca, NY 14853 http://www.nuprl.org The Nuprl Project at Computational formal logics Type Theory Proof &

1.24k views • 93 slides
Updatable and Universal Common Reference Strings with Applications to zk-SNARKs Jens Groth,

Updatable and Universal Common Reference Strings with Applications to zk-SNARKs Jens Groth,

Updatable and Universal Common Reference Strings with Applications to zk-SNARKs Jens Groth, Markulf Kohlweiss, Mary Maller, Sarah Meiklejohn, Ian Miers. Crypto - 23/08/2018 Our Goal Find a better method than trusted setups for generating the

889 views • 59 slides
Lars Groth Master in Dr. oecon., NHH organizational Norwegian School sociology, UiO of

Lars Groth Master in Dr. oecon., NHH organizational Norwegian School sociology, UiO of

Lars Groth Master in Dr. oecon., NHH organizational Norwegian School sociology, UiO of Economics 1970 1980 1990 2000 2010 2020 Prof. II Nylands Morgen- Media Avenir Verksted bladet Vision NTNU UiO Department of Department

1.67k views • 42 slides
Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on Admissible Rules and Unification II Les Diablerets, February 2, 2015 1 / 12 Proof systems An old question: When does a logic have a decent proof system? 2

624 views • 50 slides
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. 3. Each statement is derived via the derivation rules. Zero Knowledge Protocols 4. The proof is fixed, i.e, in any time,

642 views • 14 slides
An Extended GHKM Algorithm for Inducing -SCFG Peng Li, Yang Liu and Maosong Sun THUNLP&CSS

An Extended GHKM Algorithm for Inducing -SCFG Peng Li, Yang Liu and Maosong Sun THUNLP&CSS

An Extended GHKM Algorithm for Inducing -SCFG Peng Li, Yang Liu and Maosong Sun THUNLP&CSS Tsinghua University, China Outline l Background l Rule extraction algorithm l Modeling l Experiments l Conclusion 2 Outline l

664 views • 40 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
Higher order Fourier analysis and algebraic property testing Hamed Hatami School of Computer

Higher order Fourier analysis and algebraic property testing Hamed Hatami School of Computer

Higher order Fourier analysis and algebraic property testing Hamed Hatami School of Computer Science McGill University July 22, 2019 Hamed Hatami (McGill Universities) Higher order Fourier analysis and algebraic property testing July 22,

824 views • 78 slides
in Property Testing and Local List Decoding Sofya Raskhodnikova Boston University Joint work

in Property Testing and Local List Decoding Sofya Raskhodnikova Boston University Joint work

Erasures vs. Errors in Property Testing and Local List Decoding Sofya Raskhodnikova Boston University Joint work with Noga Ron-Zewi ( Haifa University ) Nithin Varma ( Boston University ) 1 Goal: study of sublinear algorithms resilient to

593 views • 25 slides
Secret Ninja Testing with HALO Software Engineering 1 Jonathan Bell, Swapneel Sheth, Gail Kaiser

Secret Ninja Testing with HALO Software Engineering 1 Jonathan Bell, Swapneel Sheth, Gail Kaiser

Secret Ninja Testing with HALO Software Engineering 1 Jonathan Bell, Swapneel Sheth, Gail Kaiser Department of Computer Science, Columbia University New York, NY 10027 {jbell, swapneel, kaiser}@cs.columbia.edu 1. There is no connection

367 views • 17 slides
Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2 , 3 Hemanta K. Maji 4 Amit Sahai 3 Alexander A. Sherstov 3 1 Microsoft Research, India 2 Technion 3 University of California, Los Angeles 4 Purdue

488 views • 21 slides
How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin, Sara

How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin, Sara

How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin, Sara Krehbiel , Chris Peikert Georgia Institute of Technology June 26, 2013 ACNS 2013, Banff, Alberta, Canada 1/11 Threshold Cryptography Setting: A

678 views • 39 slides
Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of

Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of

Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 1 / 22 Zero-Knowledge Proof

531 views • 22 slides

More recommend